Resilient distributed systems with Netflix Hystrix

Oleksiy Dyagilev
Lead Software Engineer

View Slide

o
o
o

View Slide

consider amazon.com

View Slide

View Slide

AUGUST 19, 2013
amazon.com
around 1 p.m. Pacific time
for 45 mins estimated cost
$117,882 .
http://venturebeat.com/2013/08/19/amazon-website-down/

View Slide

HTTP session
XAP in-memory
datagrid
App container (jetty,
tomcat, etc)
Spring Session Filter
tomcat, etc)
network call: read, write
session object
one of our production use cases

View Slide

View Slide

misconfiguration
bursty traffic
software bugs
hardware issues

View Slide

XAP in-memory
datagrid
tomcat, etc)
tomcat, etc)
power failure
misconfiguration
firmware bugs
topology changes
cable damage
malicious traffic

View Slide

if application depends on 30 services where each has 99.99% uptime
(4.3 mins downtime/month)
It’s uptime is 99.9930 = 99.7%
(2.1 hours downtime/month)

View Slide

View Slide

o preventing any single dependency from using all container(Tomcat, etc) user threads
o shedding load and failing fast instead of queueing
o providing fallbacks wherever feasible to protect users from failure
o Real-time metrics and monitoring

View Slide

View Slide

public class CommandHelloWorld extends HystrixCommand {
private final String name;
public CommandHelloWorld(String name) {
super(HystrixCommandGroupKey.Factory.asKey("ExampleGroup"));
this.name = name;
}
@Override
protected String run() {
// a real example would do work like a network call here
return "Hello " + name + "!";
}
}
@Test
public void testExecute() {
assertEquals("Hello World!", new CommandHelloWorld("World").execute());
}

View Slide

public class CommandHelloFailure extends HystrixCommand {
private final String name;
public CommandHelloFailure(String name) {
super(HystrixCommandGroupKey.Factory.asKey("ExampleGroup"));
this.name = name;
}
@Override
protected String run() {
throw new RuntimeException("this command always fails");
}
@Override
protected String getFallback() {
return "Hello Failure " + name + "!";
}
}
@Test
public void testSynchronous() {
assertEquals("Hello Failure World!", new CommandHelloFailure("World").execute());
}

View Slide

public class GetSessionHystrixCommand extends ConfigurableHystrixCommand {
private static Logger log = LoggerFactory.getLogger(GetSessionHystrixCommand.class);
private final String sessionId;
private final GetSessionCommand getSessionCommand;
public GetSessionHystrixCommand(String id, RestExecutionContext context, CommandSettings settings) {
super(XAP_SESSION_COMMAND, settings);
this.sessionId = id;
this.getSessionCommand = new GetSessionCommand(id, context);
}
@Override
protected XapSession run() throws Exception {
try {
return getSessionCommand.execute();
} catch (Exception exception) {
log.error("Failed to get session", exception);
throw exception;
}
}
@Override
protected ExpiringSession getFallback() {
log.error("Falling back on getting session due to {}", getExecutionEvents());
return FailoverSession.create(sessionId);
}
}
production code

View Slide

View Slide

Primary
datagrid
tomcat, etc)
sacrificing consistency to availability
Secondary
datagrid
WAN replication
fallback

View Slide

Primary
datagrid
tomcat, etc)
sacrificing consistency to availability
Secondary
datagrid
WAN replication
fallback
You might not need this If the entire
infrastructure replicated in another DC

View Slide

View Slide

http://martinfowler.com/bliki/CircuitBreaker.html

View Slide

View Slide

.execute()

View Slide

.execute()
Circuit-
breaker
open?

View Slide

.execute()
Circuit-
breaker
open?
Thread
pool
rejected
?
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
Thread
pool
rejected
?
no no

View Slide

.execute()
Circuit-
breaker
open?
.run()
Thread
pool
rejected
?
execution
fails?
no no

View Slide

.execute()
Circuit-
breaker
open?
.run()
Thread
pool
rejected
?
execution
fails?
timeout
no no
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
Return result
of run()
Thread
pool
rejected
?
execution
fails?
timeout
no no
no
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
.getFallback()
Return result
of run()
Thread
pool
rejected
?
execution
fails?
timeout
no no
yes, short-circuit yes, reject
yes
yes
no
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
.getFallback()
Return result
of run()
Thread
pool
rejected
?
execution
fails?
timeout
Fallback
successful
?
no no
yes
yes
no
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
.getFallback()
Return result
of fallback()
Return result
of run()
Thread
pool
rejected
?
execution
fails?
timeout
Fallback
successful
?
no no
yes
yes
yes no
no

View Slide

.execute()
Circuit-
breaker
open?
.run()
.getFallback()
Return result
of fallback()
Return
exception
Return result
of run()
Thread
pool
rejected
?
execution
fails?
timeout
Fallback
successful
?
no no
yes
yes
yes no
no
no

View Slide

Future s = new CommandHelloWorld("Bob").queue();
Observable s = new CommandHelloWorld("Bob").observe();

View Slide

View Slide

With
60 requests/second
At the
90thpercentile there is a cost of
3ms
At the
99thpercentile there is a cost of
9ms

View Slide

View Slide

o Resilience can be a strong requirement
o Distributed systems are complex
o Isolate your dependencies
o It’s not only about microservices, but very applicable there
o Circuit Breaker is your friend
o Monitoring is a must
o Use

View Slide

View Slide

Resilient distributed systems with Netflix Hystrix

Resilient distributed systems with Netflix Hystrix

Oleksii Diagiliev

More Decks by Oleksii Diagiliev

Other Decks in Programming

Featured

Transcript