Practical Chaos Engineering: Breaking things on purpose to make them more resilient against failure

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. Practical Chaos Engineering: Breaking things on purpose to make them more resilient against failure Adrian Hornsby Principal Evangelist Amazon Web Services

rights reserved. Failures are a given and everything will eventually fail over time. Werner Vogels CTO – Amazon.com “ “

rights reserved. Building confidence through testing Unit testing of components: • Tested in isolation to ensure function meets expectations. Functional testing of integrations: • Each execution path tested to assure expected results. Is it enough???

rights reserved.

rights reserved. GameDay at Amazon Creating Resiliency Through Destruction https://www.youtube.com/watch?v=zoz0ZjfrQ9s

rights reserved. Chaos Engineering https://github.com/Netflix/SimianArmy

rights reserved. Chaos engineering is NOT about breaking things randomly without a purpose, chaos engineering is about breaking things in a controlled environment and through well- planned experiments in order to build confidence in your application to withstand turbulent conditions.

rights reserved. Break your systems on purpose. Find out their weaknesses and fix them before they break when least expected.

Operations Infrastructure Application Software

rights reserved. https://aws.amazon.com/wellarchitected

rights reserved. https://medium.com/@adhorn

rights reserved. STEADY STATE HYPOTHESIS RUN EXPERIMENT VERIFY IMPROVE Phases of Chaos Engineering

rights reserved. What is steady state? • ”normal” behavior of your system https://www.elastic.co/blog/timelion-tutorial-from-zero-to-hero

rights reserved. What is steady state? • ”normal” behavior of your system • Business + Ops Metric https://medium.com/netflix-techblog/sps-the-pulse-of-netflix-streaming-ae4db0e05f8a

rights reserved. What if…? “What if this load balancer breaks?” “What if Redis becomes slow?” “What if a host on Cassandra goes away?” ”What if latency increases by 300ms?” ”What if the database stops?” Make it everyone’s problem!

rights reserved. Failure injection • Start small & build confidence • Application level • Host level • Resource attacks (CPU, memory, …) • Network attacks (dependencies, latency, …) • AZ attack • Region attack • People attack

rights reserved. Benefits of Failure Injection - Practicing failure contingency. - Understanding of the effects of real world failures. - Understanding the efficacy of the fault tolerance mechanisms. - Removing designs faults in the fault tolerance mechanisms. - Understanding the effectiveness of your observability. - Understanding the blast-radius of failures and help reduce it. - Understanding the weak links in the design – especially single points of failures. - Understanding failure propagation between system component. Learn to avoid cascading effect. - …

rights reserved. Blast radius • How many customers? • What functionality? • How many locations?

rights reserved. Rules of thumbs Have an emergency STOP or a good exit plan! Careful with state that can’t be rolled back (corrupt or incorrect data)

rights reserved. Quantifying the result of the experiment • Time to detect? • Time for notification? And escalation? • Time to public notification? • Time for graceful degradation to kick-in? • Time for self healing to happen? • Time to recovery – partial and full? • Time to all-clear and stable?

rights reserved. PostMortems – COE (Correction of Errors) The 5 WHYs Outage Because of … Because of … Because of … Because of …

rights reserved. More questions to ask • Can you clarify if there were any preceding events? • Why would they believe acting in this way was the best course of action to deliver the desired outcome? • Is there another failure mode that could present here? • What decisions or events prior to this made this work before? • Why stop there – are there places to dig deeper that could shine a light more on this? • Did others step in to help, to advise, or to intercede?

rights reserved. DON’T blame people!!!

rights reserved. Rules to remember! There is no isolated ‘cause’ of an accident.

Services, Inc. or its affiliates. All rights reserved. Blocks DNS resolution $ iptables -I OUTPUT -p udp -d <DNS server IP> --dport 53 -j DROP Get the DNS: $ cat /etc/resolv.conf search eu-west-1.compute.internal nameserver 172.31.0.2 $ dig showme.mynameserver.xyz

Services, Inc. or its affiliates. All rights reserved. Other fun things to do • Fill up disk • Network packet loss (using traffic-shaping) • Network packet corruption (using traffic-shaping) • Kills random processes • Detach (force) all EBS volumes • Mess with /etc/hosts

rights reserved. https://github.com/Netflix/SimianArmy Set of scheduled agent: • shuts down services randomly • slows down performances • checks conformity • breaks an entire region • Integrates with spinnaker (CI/CD)

rights reserved. ToxiProxy • HTTP API • Build for Automated testing in mind • Not for production environment • Fast • Toxics for: • Timeouts, latency, connections and bandwidth limitation, etc.. • CLI • Stable and well tested (used for 3 years at Shopify) • Open Source: https://github.com/Shopify/toxiproxy

rights reserved. https://atscaleconference.com/videos/resiliency-testing-with-toxiproxy/

rights reserved. https://github.com/asobti/kube-monkey

rights reserved. Pumba https://github.com/alexei-led/pumba/

rights reserved. https://blog.thundra.io/chaos-test-your-lambda-functions-with-thundra

rights reserved. APIs J

rights reserved. Fault Injection Queries for Amazon Aurora SQL commands issued to simulate: • A crash of the master instance or an Aurora Replica • A failure of an Aurora Replica • A disk failure • Disk congestion https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.FaultInjectionQueries.html

rights reserved. Fault Injection Queries for Amazon Aurora SQL commands issued to simulate: • A crash of the master instance or an Aurora Replica • A failure of an Aurora Replica • A disk failure • Disk congestion ALTER SYSTEM SIMULATE percentage_of_failure PERCENT DISK FAILURE [ IN DISK index | NODE index ] FOR INTERVAL quantity { YEAR | QUARTER | MONTH | WEEK | DAY | HOUR | MINUTE | SECOND };

rights reserved. ❯ aws lambda put-function-concurrency --function-name <value> -- reserved-concurrent-executions 0

Injecting Chaos to AWS Lambda $ pip install chaos-lambda

https://github.com/adhorn/aws-lambda-chaos-injection

rights reserved. The Chaos Toolkit • Simplifying Adoption of Chaos Engineering • An Open API to Chaos Engineering • Open source extensions for • Infrastructure/Platform Fault Injections • Application Fault Injections • Observability • Integrates easily into CI/CD pipelines

rights reserved.

rights reserved. Injecting Chaos to Amazon EC2 using AWS System Manager https://medium.com/@adhorn/injecting-chaos-to-amazon-ec2-using-amazon-system-manager-ca95ee7878f5

https://github.com/adhorn/chaos-ssm-documents

SSM Run (send) Command $ aws ssm send-command --document-name "cpu-stress"
--document-version "1" --targets '[{"Key":"InstanceIds","Values":[ " i-094c8367024633d96 ","i-04d0976f9fb658c23"]}]’ --parameters '{"duration":["60"],"cpu":["0"]}’ --timeout-seconds 600 --max-concurrency "50" --max-errors "0" --output-s3-bucket-name "adhorn-chaos-ssm-output" --region eu-west-1

rights reserved. Big challenges to chaos engineering • Chaos Engineering won’t make your system more robust, People will. • Chaos Engineering won’t replace __all__ the rest (test, quality, …) • Chaos Engineering is NOT the only way to learn from failure • Rollbacks are HARD because of state. • Your systems will continue to fail, sorry.

rights reserved. Big challenges to chaos engineering Mostly Cultural • no time or flexibility to simulate disasters. • teams already spending all of its time fixing things. • can be very political. • might force deep conversations. • deeply invested in a specific technical roadmap (micro-services) that chaos engineering tests show is not as resilient to failures as originally predicted.

rights reserved. Changing culture takes time! Be patient…

rights reserved. Thank you! Adrian Hornsby https://medium.com/@adhorn adhorn

Practical Chaos Engineering: Breaking things on purpose to make them more resilient against failure

Practical Chaos Engineering: Breaking things on purpose to make them more resilient against failure

More Decks by Adrian Hornsby

Other Decks in Technology

Featured

Transcript