• Allow clients to synchronize their activities and agree on basic information about their environment Help developers deal with coarse-‐grained sync, in particular leader election
/ls/foo/wombat/pouch ls: the Chubby common prefix, stands for “lock service” foo: the name of the chubby cell (resolves to one or more servers via DNS lookup) /wombat/pouch: interpreted within named cell
node has only one name (no links) Nodes may be permanent or ephemeral • Ephemeral deleted if no client has them open ACLs inherited from parent on creation
content generation number lock generation number ACL generation number Handles • Obtained when a node is opened. Sequence number to tell master which generation created it, mode info to tell who has handle open
distributed systems A holds a lock L, issues request W, then fails B acquires L (because A fails), performs actions W arrives (out-‐of-‐order) after B’s actions Solution #1: backward compatible Lock server will prevent other clients from getting the lock if a lock become inaccessible or the holder has failed “Draining the queue” of unprocessed events before someone else can acquire the lock Solution #2: sequencer A lock holder can obtain a sequencer from Chubby It attaches the sequencer to any requests that it sends to other servers The other servers can verify the sequencer information
against the server’s Chubby cache or, if the server does not wish to maintain a session with Chubby, the most recent sequencer that the server has observed” Wha?
write-‐ through cache When node is changed, modification is blocked while master invalidates data in all caches During invalidation, master treats node as uncachable Caching protocol invalidates cached data on a change, never updates it
the response until the client’s lease is close to expiring, then allowing it to return to the client with the new lease Client initiates new KeepAlive immediately upon receiving previous reply Also used to transmit events! This ensures that clients can’t maintain a session without acknowledging cache invalidation Handling behavior during what might be a “disconnect” from the master is done via a grace period
the master fails over, because re-‐establishing sessions and redoing all the things the clients do on reconnect is a pain in the ass So the client can’t do NEW work, but it doesn’t close its session, either
Code needs to be specially structured for use with consensus protocols Service enables code to have correct distributed locking without having to rewrite the whole damn thing
primary or partitioning data dynamically, you often need to advertise what the state is Supporting the storage and fetching of small quantities of data is useful! You can do it with DNS but DNS TTL is kind of a pain in the ass
make decisions, which means they have to have replicas, which means HA Having HA in the service means the client can make safe decisions even when it does not have its own majority!
require costly recovery procedures Coarse-‐grained locks should survive system failure If you want fine-‐grained locking, implement your own lock service using Chubby to coordinate blocks of lock groups to lock servers
provided sessions don’t drop Extremely sensitive to performance of local Chubby cache Server overloads above 90,000 sessions or due to client spam Scaling depends on reducing communication
in front of it Java compatibility? PROXY! (ok not exactly but close enough) Name service? PROXY! Proxy: • Trusted process that passes requests from other clients to a Chubby cell Layer of indirection, allows different langs, different constraints, more load per cell
scale via TTL • 3000 servers communicating with each other with 60s TTL requires 150K lookups per second Chubby can handle more, but also name resolution doesn’t need Chubby-‐level preciseness • Add a proxy designed for name lookups!
write loops that constantly retry failed commands They will try to use this as a data storage system They think that a lock server makes for good pub/sub messaging
don’t think about failure probabilities. They don’t understand distributed systems. They blindly follow APIs, don’t read the documentation carefully. They write bugs. They don’t predict the future very well.
shared core architecture is hard Developers can and will fsck everything up Having fundamental insights and making decision up front about what you are and are not building helps you to create something great