Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fault Tolerance in a High Volume, Distributed System

Ben Christensen
June 27, 2012
Programming
5
460

Fault Tolerance in a High Volume, Distributed System

Presentation given at LinkedIn in February 2012 about how the Netflix API achieves fault tolerance.

Ben Christensen

June 27, 2012
Tweet

More Decks by Ben Christensen

See All by Ben Christensen
Applying Reactive Programming with RxJava at GOTO Chicago 2015
benjchristensen
27
6k
Applying RxJava to Existing Applications at Philly ETE 2015
benjchristensen
30
6.5k
Resilient by Design at React SF 2014
benjchristensen
12
4k
Reactive Programming with Rx at QConSF 2014
benjchristensen
35
5.7k
Reactive Streams with Rx at JavaOne 2014
benjchristensen
32
5.6k
Reactive Programming with Rx at NYTimes
benjchristensen
18
3.8k
Reactive Service Levels at React London 2014
benjchristensen
21
2.4k
Evolution of the Netflix API - QCon SF 2013
benjchristensen
14
4.1k
RxJava: Reactive Extensions for Scala
benjchristensen
5
1.5k

Other Decks in Programming

See All in Programming
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
370
"config" ってなんだ? / What is "config"?
okashoi
0
220
Rails と人魚の話/rails-and-mermaid
sanfrecce_osaka
0
100
Front-end application development, Symfony-style(s)
dunglas
2
1.9k
Build with AI 2024 Seoul - 제로부터 시작하는 Flutter with Gemini 생활 - 박제창
itsmedreamwalker
0
200
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
130
StreamlitとTerraformでデータカタログを作った話
gussan0223
0
310
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
220
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
240
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
350
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
120

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
1
3.4k
No one is an island. Learnings from fostering a developers community.
thoeni
14
2.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
YesSQL, Process and Tooling at Scale
rocio
163
13k
GraphQLとの向き合い方2022年版
quramy
31
12k
Web Components: a chance to create the future
zenorocha
305
41k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k

Transcript

  1. Fault Tolerance in a High Volume, Distributed System Ben Christensen

    Software Engineer – API Platform at Netflix @benjchristensen http://www.linkedin.com/in/benjchristensen 1

  2. Dozens of dependencies. One going down takes everything down. 99.99%30

    = 99.7% uptime 0.3% of 1 billion = 3,000,000 failures 2+ hours downtime/month even if all dependencies have excellent uptime. Reality is generally worse. 2

  3. 3

  4. 4

  5. 5

  6. No single dependency should take down the entire app. Fail

    fast. Fail silent. Fallback. Shed load. 6

  7. Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker

    7

  8. Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker

    8

  9. Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker

    9

  10. TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire())

    { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } Semaphores (Tryable): Limited Concurrency 10

  11. TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire())

    { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } Semaphores (Tryable): Limited Concurrency if (executionSemaphore.tryAcquire()) { } else { } 11

  12. TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire())

    { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } Semaphores (Tryable): Limited Concurrency if (executionSemaphore.tryAcquire()) { } else { return getFallback(); } 12

  13. Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker

    13

  14. try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the

    property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } Separate Threads: Limited Concurrency 14

  15. try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the

    property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } Separate Threads: Limited Concurrency if (!threadPool.isQueueSpaceAvailable()) { throw new RejectedExecutionException } } catch (RejectedExecutionException e) { } 15

  16. try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the

    property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } Separate Threads: Limited Concurrency if (!threadPool.isQueueSpaceAvailable()) { throw new RejectedExecutionException } } catch (RejectedExecutionException e) { return getFallback(); } 16

  17. Separate Threads: Timeout public K get() throws CancellationException, InterruptedException, ExecutionException

    { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } Override of Future.get() 17

  18. Separate Threads: Timeout public K get() throws CancellationException, InterruptedException, ExecutionException

    { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } Override of Future.get() try { return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { } } 18

  19. Separate Threads: Timeout public K get() throws CancellationException, InterruptedException, ExecutionException

    { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } Override of Future.get() try { return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { return getFallback(); } } 19

  20. Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker

    20

  21. if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit

    and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } Circuit Breaker 21

  22. if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit

    and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } Circuit Breaker if (circuitBreaker.allowRequest()) { } else { } 22

  23. if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit

    and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } Circuit Breaker if (circuitBreaker.allowRequest()) { } else { return getFallback(); } 23

  24. Netflix uses all 4 in combination 24

  25. 25

  26. Tryable semaphores for “trusted” clients and fallbacks Separate threads for

    “untrusted” clients Aggressive timeouts on threads and network calls to “give up and move on” Circuit breakers as the “release valve” 26

  27. 27

  28. 28

  29. 29

  30. Benefits of Separate Threads Protection from client libraries Lower risk

    to accept new/updated clients Quick recovery from failure Client misconfiguration Client service performance characteristic changes Built-in concurrency 30

  31. Drawbacks of Separate Threads Some computational overhead Load on machine

    can be pushed too far ... Benefits outweigh drawbacks when clients are “untrusted” 31

  32. 32

  33. Visualizing Circuits in Realtime (generally sub-second latency) Video available at

    https://vimeo.com/33576628 33

  34. Rolling 10 second counter – 1 second granularity Median Mean

    90th 99th 99.5th Latent Error Timeout Rejected Error Percentage (error+timeout+rejected)/ (success+latent success+error+timeout+rejected). 34

  35. Netflix DependencyCommand Implementation 35

  36. Netflix DependencyCommand Implementation 36

  37. Netflix DependencyCommand Implementation 37

  38. Netflix DependencyCommand Implementation 38

  39. Netflix DependencyCommand Implementation 39

  40. Netflix DependencyCommand Implementation 40

  41. Netflix DependencyCommand Implementation Fallbacks Cache Eventual Consistency Stubbed Data Empty

    Response 41

  42. Netflix DependencyCommand Implementation 42

  43. Netflix DependencyCommand Implementation 43

  44. Rolling Number Realtime Stats and Decision Making 44

  45. Request Collapsing Take advantage of resiliency to improve efficiency 45

  46. Request Collapsing Take advantage of resiliency to improve efficiency 46

  47. 47

  48. Fail fast. Fail silent. Fallback. Shed load. 48

  49. Questions & More Information Fault Tolerance in a High Volume,

    Distributed System http://techblog.netflix.com/2012/02/fault-tolerance-in-high-volume.html Making the Netflix API More Resilient http://techblog.netflix.com/2011/12/making-netflix-api-more-resilient.html Ben Christensen @benjchristensen http://www.linkedin.com/in/benjchristensen 49