When Worst is Best in Distributed Systems Design

WHEN
WORST
IS BEST Peter Bailis
Stanford CS

@pbailis

in distributed
systems
design StrangeLoop 2015
25 September, St. Louis

View Slide

What if we designed computer
systems for worst case scenarios?

View Slide

Cluster provisioning: 7.3B simultaneous users
many idle resources!

View Slide

Hardware: chips for the next Mars rover
hugely expensive packaging!

View Slide

Hardware: chips for the next Mars rover
hugely expensive packaging!
Security: all our developers are malicious
expensive code deployment!

View Slide

Designing for
the worst case

often penalizes
the average case

View Slide

Designing for the worst case
often penalizes the average case
Average
case

performance
Worst case performance

View Slide

Designing for the worst case
often penalizes the average case
Average
case

performance
Worst case performance
???
this talk

View Slide

This talk: When can designing for
the worst case improve the
average case?
Structure
Distributed systems and the network

Beyond the network

Lessons

View Slide

Almost every non-trivial application today is (or is
becoming) distributed
Distributed Systems Matter
Distribution happens over a network

View Slide

Almost every non-trivial application today is (or is
becoming) distributed
Corollary:
Almost every non-trivial application today needs to
worry about the network
Distributed Systems Matter
Distribution happens over a network

View Slide

Networks make design hard
Many things can go wrong:

View Slide

Networks make design hard
Many things can go wrong:
Packets may be delayed
Packets may be dropped
Sometimes called an asynchronous network

View Slide

any replica can respond to any request
Handling Worst-Case Net Behavior
availability addresses delays, drops:

View Slide

if our system is available,
then even when network is ﬁne,

we still don’t have to talk!

View Slide

if our system is available,
then even when network is ﬁne,

we still don’t have to talk!
NO
COORDINATION

View Slide

Coordination-free systems
What if we don’t have to talk?

View Slide

Coordination-free systems:

1.) Enable inﬁnite scale-out

View Slide

A B C D E F G H
DISTRIBUTED TRANSACTIONS (EC2)
1 2 3 4 5 6 7
Number of Items per Transaction
Throughput (txns/s)
Number of Servers (Items) Accessed per Transaction

View Slide

A B C D E F G H
IN-MEMORY
LOCKING
COORDINATED
1 2 3 4 5 6 7
Throughput (txns/s)

View Slide

A B C D E F G H
IN-MEMORY
LOCKING
COORDINATED
1 2 3 4 5 6 7
Throughput (txns/s)
LOG SCALE!
-398x

View Slide

A B C D E F G H
IN-MEMORY
LOCKING
1 2 3 4 5 6 7
Throughput (txns/s)
COORDINATED
COORDINATION-FREE
-398x

View Slide



2.) Improve throughput


View Slide

133.7+ ms
RTT

View Slide

133.7+ ms
RTT
85.1+ ms
RTT

View Slide




3.) Ensure low latency

4.) Guarantee “always on" response

View Slide






View Slide

But wait! What about CAP?!?!
• CAP Thm.: Famous result from Eric Brewer, Inktomi
• Takeaway (+ related results): properties like serializability
require unavailability (or require coordination)
• Common (incorrect) conclusion: availability is too
expensive, only matters during failures, so forget about it

View Slide

But wait! What about CAP?!?!
• CAP Thm.: Famous result from Eric Brewer, Inktomi
• Takeaway (+ related results): properties like serializability
require unavailability (or require coordination)
• Common (incorrect) conclusion: availability is too
expensive, only matters during failures, so forget about it
surprise: many useful guarantees don’t
require coordination (or unavailability)!

View Slide

“Worst” is a Design Tool
legacy implementations: designed for single-
node context, use coordination
research question: what if we built systems that
didn’t have to coordinate?
result: new designs that avoid coordination unless
strictly necessary
Example: Coordination-Avoiding Databases

View Slide

Simple Example: Read Committed
legacy implementation: lock records during access
research question: is coordination necessary?
goal: never read from uncommitted transactions

View Slide

Simple Example: Read Committed
legacy implementation: lock records during access
research question: is coordination necessary?
result: no! for example, buﬀer writes until commit

result: OOM speedups over classic implementations
goal: never read from uncommitted transactions
VLDB 2014, SIGMOD 2015

View Slide






View Slide





Accounting for worst case improves average case

View Slide

Punchline: Distributed Systems & Networks
• Systems that behave well during network faults can
behave better in non-faulty environments too
• With good designs, popular guarantees from today’s
RDBMSs can beneﬁt! (see also Martin’s talk, 11AM Sat)
• Research on coordination-avoiding systems highlights
potential for huge speedups (see bailis.org)
• Keywords: CRDTs, I-conﬂuence, RAMP, HAT, Bloom^L

View Slide

average case?
Structure

Beyond the network

Lessons

View Slide

Replication for fault tolerance
can increase request capacity
Replication helps Capacity

View Slide

Fail-over helps (Dev)Ops

View Slide

If services can
auto-fail-over…
can kill processes:

to perform upgrades

to manage stragglers

to revoke resources
Fail-over helps (Dev)Ops

View Slide

99.9th %ile latency: 100ms
avg latency: 1.2ms
YOUR
SERVICE
HERE
Tail Latency in (Micro)services

View Slide

avg latency: 1.2ms
YOUR
SERVICE
HERE
10ms

View Slide

avg latency: 1.2ms
YOUR
SERVICE
HERE
10ms
1.09ms

View Slide


View Slide

front-end avg. latency: 64ms
at 100x fan-out,

View Slide

at 100x fan-out,
99.9th %ile latency: 100ms 10ms

View Slide

at 100x fan-out,
6.7ms
99.9th %ile latency: 100ms 10ms

View Slide

YOUR SERVICE’S
CORNER CASE
MAY BE ITS
CONSUMER’S
AVERAGE CASE

View Slide

Universal Design

View Slide

View Slide

There is also a strong business case for accessibility.
Accessibility overlaps with other best practices such as mobile web
design, device independence, multi-modal interaction, usability,
design for older users, and search engine optimization (SEO).

Case studies show that accessible websites have better search
results, reduced maintenance costs, and increased audience reach,
among other beneﬁts.

View Slide

x
f(x)
When “Best” Is Brittle
Idealized function
Optimum

View Slide

x
f(x)
Idealized function
Optimum
Less well-behaved
x
f(x)
Optimum

View Slide

x
f(x)
Idealized function
Optimum
Less well-behaved
x
f(x)
Optimum
Missed the target

View Slide

x
f(x)
Idealized function
Optimum
Less well-behaved
x
f(x)
Optimum
Missed the target
“Stable”
solution

View Slide

x
f(x)
Idealized function
Optimum
Less well-behaved
x
f(x)
Optimum
Missed the target
“Stable”
solution
Robust Optimization studies ﬁnding the stable solution

View Slide

average case?
Structure

Beyond the network

Lessons

View Slide

average case?

View Slide

When does this apply?
When corner cases are common
When environmental conditions are variable
When “normal” isn’t what we think
average case?

View Slide

DEFINING
“NORMAL”
DEFINES OUR
DESIGNS

View Slide

“Worst” raises tough questions

View Slide

Cluster provisioning:
what’s our scale-out strategy?

View Slide

Hardware:
what happens during bit ﬂips? do we need ECC?

View Slide

Hardware:
what happens during bit ﬂips? do we need ECC?
Security:
how to do we manage internal data accesses?

View Slide

EXAMINE
YOUR
BIASES

View Slide

Reasoning about worst-case scenarios
can be a powerful design tool
Key to coordination avoiding distributed
systems designs
Can often improve performance and
robustness, also combat bias
@PBAILIS // bailis.org

View Slide

Special thanks to

David Andersen, Ali Ghodsi, Joe Hellerstein, Eddie Kohler,
Phil Levis, Alex Miller, Oscar Moll, Barzan Mozafari, Ion
Stoica, Eugene Wu, Jean Yang, Matei Zaharia

View Slide

Reasoning about worst-case scenarios
can be a powerful design tool
Key to coordination avoiding distributed
systems designs
Can often improve performance and
robustness, also combat bias
@PBAILIS // bailis.org

View Slide

When Worst is Best in Distributed Systems Design

When Worst is Best in Distributed Systems Design

pbailis

More Decks by pbailis

Other Decks in Technology

Featured

Transcript