Put Your Thinking CAP On

Transcript

1. Put Your Thinking CAP On Tomer Gabel, Wix VilniusRB, November

   2015

2. Credits Originally a talk by Yoav Abrahami (Wix) Based on

   “Call Me Maybe” by Kyle “Aphyr” Kingsbury

3. Brewer’s CAP Theorem Partition Tolerance Consistency Availability

4. Brewer’s CAP Theorem Partition Tolerance Consistency Availability Pick two! Pick

   two!

5. By Example • I want this book! – I add

   it to the cart – Then continue browsing • There’s only one copy in stock!

6. By Example • I want this book! – I add

   it to the cart – Then continue browsing • There’s only one copy in stock! • … and someone else just bought it.

7. Consistency

8. Consistency: Defined • In a consistent system: All participants see

   the same value at the same time • “Do you have this book in stock?”

9. Consistency: Defined • If our book store is an inconsistent

   system: – Two customers may buy the book – But there’s only one item in inventory! • We’ve just violated a business constraint.

10. Availability

11. Availability: Defined • An available system: – Is reachable –

    Responds to requests (within SLA) • Availability does not guarantee success! – The operation may fail – “This book is no longer available”

12. Availability: Defined • What if the system is unavailable? –

    I complete the checkout – And click on “Pay” – And wait – And wait some more – And… • Did I purchase the book or not?!

13. Partition Tolerance

14. Partition Tolerance: Defined • Partition: one or more nodes are

    unreachable • No practical system runs on a single node • So all systems are susceptible! A B C D E

15. “The Network is Reliable” • All four happen in an

    IP network • To a client, delays and drops are the same • Perfect failure detection is provably impossible1! A B drop delay duplicate reorder A B A B A B time 1 “Impossibility of Distributed Consensus with One Faulty Process”, Fischer, Lynch and Paterson

16. Partition Tolerance: Reified • External causes: – Bad network config

    – Faulty equipment – Scheduled maintenance • Even software causes partitions: – Bad network config. – GC pauses – Overloaded servers • Plenty of war stories! – Netflix – Twilio – GitHub – Wix :-) • Some hard numbers1: – 5.2 failed devices/day – 59K lost packets/day – Adding redundancy only improves by 40% 1 “Understanding Network Failures in Data Centers: Measurement, Analysis, and Implications”, Gill et al

17. “Proving” CAP

18. In Pictures • Let’s consider a simple system: – Service

    A writes values – Service B reads values – Values are replicated between nodes • These are “ideal” systems – Bug-free, predictable Node 1 V0 A Node 2 V0 B

19. In Pictures • “Sunny day scenario”: – A writes a

    new value V1 – The value is replicated to node 2 – B reads the new value Node 1 V0 A Node 2 V0 B V1 V1 V1 V1

20. In Pictures • What happens if the network drops? –

    A writes a new value V1 – Replication fails – B still sees the old value – The system is inconsistent Node 1 V0 A Node 2 V0 B V1 V0 V1

21. In Pictures • Possible mitigation is synchronous replication – A

    writes a new value V1 – Cannot replicate, so write is rejected – Both A and B still see V0 – The system is logically unavailable Node 1 V0 A Node 2 V0 B V1

22. What does it all mean?

23. The network is not reliable • Distributed systems must handle

    partitions • Any modern system runs on >1 nodes… • … and is therefore distributed • Ergo, you have to choose: – Consistency over availability – Availability over consistency

24. Granularity • Real systems comprise many operations – “Add book

    to cart” – “Pay for the book” • Each has different properties • It’s a spectrum, not a binary choice! Consistency Availability Shopping Cart Checkout

25. CAP IN THE REAL WORLD Kyle “Aphyr” Kingsbury Breaking consistency

    guarantees since 2013

26. • A document-oriented database • Availability/scale via replica sets –

    Client writes to a master node – Master replicates writes to n replicas • User-selectable consistency guarantees

27. MongoDB • When a partition occurs: – If the master

    is in the minority, it is demoted – The majority promotes a new master… – … selected by the highest optime

28. MongoDB • The cluster “heals” after partition resolution: – The

    “old” master rejoins the cluster – Acknowleged minority writes are reverted!

29. MongoDB • Let’s experiment! • Set up a 5-node MongoDB

    cluster • 5 clients write to the cluster • We then partition the cluster • … and restore it to see what happens

30. MongoDB • With write concern unacknowleged: – Server does not

    ack writes (except TCP) – The default prior to November 2012 • Results: – 6000 writes – 5700 acknowledged – 3319 survivors – 42% data loss!

31. MongoDB • With write concern acknowleged: – Server acknowledges writes

    (after store) – The default guarantee • Results: – 6000 writes – 5900 acknowledged – 3692 survivors – 37% data loss!

32. MongoDB • With write concern replica acknowleged: – Client specifies

    minimum replicas – Server acks after writes to replicas • Results: – 6000 writes – 5695 acknowledged – 3768 survivors – 33% data loss!

33. MongoDB • With write concern majority: – For an n-node

    cluster, requires at least n/2 replicas – Also called “quorum” • Results: – 6000 writes – 5700 acknowledged – 5701 survivors – No data loss

34. So what can we do? 1. Keep calm and carry

    on – As Aphyr puts it, “not all applications need consistency” – Have a reliable backup strategy – … and make sure you drill restores! 2. Use write concern majority – And take the performance hit

35. The prime suspects • Aphyr’s Jepsen tests include: – MySQL

    – PostgreSQL – Redis – ElasticSearch – Cassandra – Kafka – RabbitMQ – … and more • If you’re considering them, go read his posts • In fact, go read his posts regardless http://aphyr.com/tags/jepsen

36. Questions? Complaints?

37. WE’RE DONE HERE! Thank you for listening [email protected] @tomerg http://il.linkedin.com/in/tomergabel

    Aphyr’s “Call Me Maybe” blog posts: http://aphyr.com/tags/jepsen