Slide 1

@markhibberd Breaking Point: Building Scalable, Resilient APIs

Slide 2

“A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools.” Douglas Adams, Mostly Harmless (1992)

Slide 3

How Did We Get Here

Slides 4-11

THE API

Slides 12-18

THE API G

Slides 19-21

THE API G $ $ $ $

Slide 22

failure is inevitable

Slide 23

How Systems Fail

Slide 24

“You live and learn. At any rate, you live.” Douglas Adams, Mostly Harmless (1992)

Slide 25

one: The Crash

Slides 26-29: No content

Slide 30

Systems Never Fail Cleanly

Slide 31

two: Cascading Failures

Slides 32-37: No content

Slide 38

OCTOBER 27, 2012: Bug Triggers Cascading Failures, Causes Major Amazon Outage. https://aws.amazon.com/message/680342/

Slide 39

At 10:00AM PDT Monday, a small number of Amazon Elastic Block Store (EBS) volumes in one of our five Availability Zones in the US-East Region began seeing degraded performance, and in some cases, became “stuck”

Slide 40

Can Be Triggered By As Little As A Performance Issue

Slide 41

Don’t Listen To Programmers, Performance Matters

Slide 42

(well, at least asymptotics matter)

Slide 43

A Failure is Indistinguishable from a Slow Response

Slide 44

three: Chain Reactions

Slide 45: No content

Slides 46-48

12.5% >>> 14.3% >>> 17%

Slides 49-50

17%
100k req/s
12.5k >>> 14.3k >>> 17k req/s
4.5% extra traffic means a 36% load increase on each server

Slide 51

25%
100k req/s
12.5k >>> 14.3k >>> 17k >>> 50k req/s
12.5% extra traffic means a 300% load increase on each server
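As an added example (not code from the talk), the chain-reaction arithmetic behind these slides, generalised to any fleet size and per-server capacity: per-server load, the per-server load increase, and a simulation of the knock-on failures once the survivors are over capacity. It assumes one overloaded server fails per round; the slide's 36% uses the rounded 17k figure, the exact value for 8 servers losing 2 is one third.

```python
# Added example (not from the talk): the chain-reaction arithmetic from the
# slides, generalised to any fleet size and per-server capacity.
from typing import List


def per_server_load(total_rps: float, healthy_servers: int) -> float:
    """Requests per second each remaining server must absorb."""
    if healthy_servers <= 0:
        raise ValueError("no healthy servers left")
    return total_rps / healthy_servers


def load_increase(total_rps: float, servers: int, lost: int) -> float:
    """Fractional per-server load increase after `lost` servers drop out
    (0.36 means a 36% increase)."""
    before = per_server_load(total_rps, servers)
    after = per_server_load(total_rps, servers - lost)
    return after / before - 1.0


def cascade(total_rps: float, servers: int, capacity_rps: float,
            initial_losses: int) -> List[int]:
    """Chain-reaction simulation (assumed model: one overloaded server fails
    per round). After the initial losses, while each survivor is asked for
    more than `capacity_rps`, one more fails and its share moves to the rest.
    Returns the healthy count after each round; a final 0 is total collapse."""
    healthy = servers - initial_losses
    history = [healthy]
    while healthy > 0 and per_server_load(total_rps, healthy) > capacity_rps:
        healthy -= 1
        history.append(healthy)
    return history


def losses_before_collapse(total_rps: float, servers: int,
                           capacity_rps: float) -> int:
    """How many servers can be lost before the remainder is over capacity,
    i.e. before a chain reaction starts. Useful as a capacity-planning check:
    headroom per server decides how many failures the fleet can absorb."""
    lost = 0
    while (lost + 1 < servers
           and per_server_load(total_rps, servers - lost - 1) <= capacity_rps):
        lost += 1
    return lost
```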

Slide 52

four: Capacity Skew

Slides 53-56: No content

Slide 57

JUNE 11, 2010: A Perfect Storm.....of Whales. Heavy Loads Cause Series of Twitter Outages During World Cup. http://engineering.twitter.com/2010/06/perfect-stormof-whales.html

Slide 58

Since Saturday, Twitter has experienced several incidences of poor site performance and a high number of errors due to one of our internal sub-networks being over-capacity.

Slide 59

five: Self Denial of Service

Slides 60-64

Clients / Server

Slide 65

The Quiet Time: a very painful experience

Slide 66

Critical licensing service, 100 million+ active users a day, millions of $$$. A couple of “simple” services. Thick clients, non-updatable, load-balanced on the client.

Slides 67-73

client / server: the client calls /call on-demand and /check periodically; later /check2, /check2z and /v3check are added.

Slide 74

server: /call /check /check2 /check2z /v3check

Slide 75

six: System Collusion

Slides 76-78: No content

Slide 79

NOVEMBER 14, 2014: Link Imbalance: Mystery Issue Causes Metastable Failure State. https://code.facebook.com/posts/1499322996995183/solving-the-mystery-of-link-imbalance-a-metastable-failure-state-at-scale/

Slide 80

Bonded Link Should Evenly Utilise Each Network Pipe

Slide 81

multiple causes for imbalance

Slide 82

systems couldn’t correct themselves

Slide 83

individually each component was behaving correctly

Slide 84

Temporary Latency To Db Caused Skew. Connection Pool Started Favouring Overloaded Link.

Slide 85

failure is not clean

Slide 86

Incident Reports Are For You and Your Customers

Slide 87

A Good Incident Report Helps Others Learn From Your Mistake, And Ensures You Really Understand What Went Wrong

Slide 88

5 Steps To A Good Incident Report:
1. Summary & Impact
2. Timeline
3. Root Cause
4. Resolution and Recovery
5. Corrective and Preventative Measures
https://sysadmincasts.com/episodes/20-how-to-write-an-incident-report-postmortem

Slide 89

How To Control Failure

Slide 90

“Anything that happens, happens. Anything that, in happening, causes something else to happen, causes something else to happen. Anything that, in happening, causes itself to happen again, happens again. It doesn’t necessarily do it in chronological order, though.” Douglas Adams, Mostly Harmless (1992)

Slide 91

one: Timeouts

Slide 92

Other Systems Will Always Be Your Most Vulnerable Failure Modes

Slide 93

Never Make a Network Call, or Go to Disk, Without a Timeout

Slide 94

Pay Particular Attention to Reusable & Pooled Resources

Slide 95

Backoff Requests That Time Out

Slide 96

two: Heartbeats

Slide 97

If You Know Something Is Failing, Fail Fast

Slide 98

/status returns { "name": 123, "version": "mth", "stats": {…}, "status": "ok" }

Slides 99-105: No content

Slide 106

three: Circuit Breakers

Slides 107-109: No content

Slides 110-111

{ "id": 123, "username": "mth", "profile": { "bio": "…", "image": "…" }, "friends": [ 191, 1 ] }

Slide 112

{ "id": 123, "username": "mth", "profile": { "bio": "…", "image": "…" } }

Slide 113

Requires Co-Ordination to Manage Degradation Of Service
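An added example (not code from the talk) of a circuit breaker guarding the friends lookup, so that when the friends service keeps failing the user document degrades to the slide 112 shape (no "friends" key) instead of the whole endpoint failing. The breaker thresholds, the injected clock, the friends_lookup callable and the get_user helper are assumptions.

```python
# Added example (not from the talk): circuit breaker with graceful degradation.
from typing import Callable, Dict, Optional


class CircuitBreaker:
    """closed: calls pass; open: calls rejected at once (fail fast);
    half-open: after `cooldown` seconds one trial call is let through."""

    def __init__(self, failure_threshold: int, cooldown: float,
                 clock: Callable[[], float]):
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown
        self.clock = clock  # injected so tests and replays are deterministic
        self.failures = 0
        self.opened_at: Optional[float] = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.cooldown:
            return "half-open"  # cooldown elapsed: allow one trial call
        return "open"

    def call(self, fn: Callable[[], object]) -> Optional[object]:
        """Run fn through the breaker; None means skipped or failed, so the
        caller degrades the response instead of propagating the failure."""
        if self.state == "open":
            return None  # fail fast: the dependency is not even contacted
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = self.clock()  # trip, or re-trip after a trial
            return None
        self.failures = 0
        self.opened_at = None  # a successful (trial) call closes the breaker
        return result


def get_user(user_id: int, friends_lookup: Callable[[int], list],
             breaker: CircuitBreaker) -> Dict[str, object]:
    """Build the profile document; omit "friends" when the breaker says no."""
    doc: Dict[str, object] = {"id": user_id, "username": "mth",
                              "profile": {"bio": "...", "image": "..."}}
    friends = breaker.call(lambda: friends_lookup(user_id))
    if friends is not None:
        doc["friends"] = friends
    return doc
```

The degraded document still needs the client to tolerate a missing "friends" key, which is the co-ordination the next slide refers to.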

Slide 114

four: Partitioning

Slide 115: No content

Slides 116-118

traffic Spike

Slides 119-120: No content

Slides 121-122

traffic Spike

Slide 123

survives another day

Slide 124

Partitioning Can Also Be Performed Within Services Via Limited Thread & Resource Pools

Slides 125-132

multiple types of request: /shout (fast), /download (slow, then really really slow)

Slide 133

five: Backpressure

Slide 134

Fail One Request, Instead of Failing All Requests

Slide 135: No content

Slide 136

Measure And Signal Slow Requests

Slide 137

Upstream Drops Requests To Allow For Recovery

Slides 138-142

Taper Limits: 200k Db Requests, 50k Server Requests, 45k Proxy Requests
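An added example (not code from the talk) covering both partitioning within a service via limited pools (slides 124-132) and backpressure with tapered limits (slides 134-142): each request type gets its own bounded in-flight pool, so a flood of slow /download requests fills only the /download pool and a single request is shed with a 503 rather than everything stalling; a second helper checks that each tier's limit tapers below the tier beneath it. The routes and the 200k/50k/45k figures are the slides' own; the Bulkhead class, serve and taper_violations are assumptions, and the counters are single-threaded (a real pool would use a semaphore).

```python
# Added example (not from the talk): per-route bulkheads plus a taper check.
from typing import Callable, Dict, List, Tuple


class Bulkhead:
    """One bounded in-flight counter per partition (request type).
    Single-threaded for clarity; a real service would use a semaphore."""

    def __init__(self, limits: Dict[str, int]):
        self.limits = dict(limits)
        self.in_flight = {route: 0 for route in limits}

    def try_acquire(self, route: str) -> bool:
        """Admit the request only if its own partition has a free slot.
        A full partition rejects this one request instead of queueing it."""
        if route not in self.limits:
            return False  # unknown route: shed rather than share a pool
        if self.in_flight[route] >= self.limits[route]:
            return False
        self.in_flight[route] += 1
        return True

    def release(self, route: str) -> None:
        self.in_flight[route] -= 1


def serve(bh: Bulkhead, route: str,
          handler: Callable[[], object]) -> Tuple[int, object]:
    """(status, body): 503 when this partition is full, i.e. backpressure is
    signalled to the caller; 200 with the handler's result otherwise."""
    if not bh.try_acquire(route):
        return 503, "shed: %s pool full" % route
    try:
        return 200, handler()
    finally:
        bh.release(route)


def taper_violations(tiers: List[Tuple[str, int]]) -> List[str]:
    """tiers run from the deepest dependency up to the edge, e.g.
    [("db", 200_000), ("server", 50_000), ("proxy", 45_000)]. Each tier must
    admit fewer requests than the tier below can serve, so overload is shed at
    the edge rather than inside the database. Returns the offending tiers."""
    return [upper for (_, lower_limit), (upper, upper_limit)
            in zip(tiers, tiers[1:]) if upper_limit >= lower_limit]
```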

Slide 143

failure can be mitigated

Slide 144: No content

Slide 145

How To Prevent Failure

Slide 146

“A beach house isn't just real estate. It's a state of mind.” Douglas Adams, Mostly Harmless (1992)

Slide 147

one: Testing

Slide 148

the testing you probably don’t want to do is the testing you need to do most

Slide 149

Speed, Scalability, Stability

Slide 150

tools help: charles proxy, ipfw / pf, netem, monitoring tools, simian army, ab / siege

Slide 151

two: Measure Everything

Slide 152

every result computed should have traceability back to the code & data

Slide 153

gather metadata for everything that touches a request

Slides 154-157

services: { auth: {…}, profile: {…}, recommend: {…}, friends: {…} }
{ version: {…}, stats: {…}, source: {…} }

Slide 158

statistics work, measurements over time will find errors

Slide 159

deviation: …
percentiles: 90: 95:
histogram: 20x: 121 30x: 12 40x: 13 50x: 121311313

Slide 160

statistics work, we can use them to automate corrective actions

Slide 161

three: Production In Development

Slides 162-163

production quality data, automation of environments, lots of testing. Rather Old Hat.

Slide 164

four: Development in Production

Slide 165

yes, really. i want to ship your worst, un-tried, experimental code to production

Slide 166

@ambiata: we deal with ingesting and processing lots of data, 100s TB / per day / per customer; scientific experiment and measurement is key; experiments affect users directly; researchers / non-specialist engineers produce code

Slides 167-170

query /chord {id: ab123} | datastore ;chord | report ;result | /chord/ab123 client

Slide 171

split environments

Slides 172-173

query /chord {id: ab123} production:live

Slide 174

/chord {id: ab123} production:live proxy query

Slide 175

/chord {id: ab123} production:exp proxy query

Slide 176

/chord {id: ab123} production:* proxy query query

Slides 177-181

implemented through machine level acls: experiment / live / control; write / read

Slide 182

checkpoints

Slides 183-187

query /chord {id: ab123} | datastore ;chord | report ;result | /chord/ab123 client (x x)
behaviour change through in production testing

Slide 188

deep implementation, intra- and inter-process crosschecks

Slide 189

tandem deployments

Slides 190-192

/chord {id: ab123} production:* proxy query query x x
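An added example (not code from the talk) of a tandem deployment proxy as the slides sketch it: every query is fanned out to both the live and the experimental backend, the client only ever sees the live answer, and any disagreement is recorded as a crosscheck failure so behaviour changes surface without touching users. The TandemProxy class, the backend callables and the mismatch record are assumptions.

```python
# Added example (not from the talk): tandem deployment with crosschecks.
from typing import Callable, Dict, List, Tuple

Backend = Callable[[Dict[str, str]], object]


class TandemProxy:
    """Fan each query out to live and experiment; serve only the live result."""

    def __init__(self, live: Backend, experiment: Backend):
        self.live = live
        self.experiment = experiment
        # (request, live result, experiment result) for every disagreement
        self.mismatches: List[Tuple[Dict[str, str], object, object]] = []
        self.experiment_errors = 0

    def query(self, request: Dict[str, str]) -> object:
        """Serve the live answer; shadow the request to the experiment and
        record any disagreement. An experiment crash never reaches the
        client: it is counted and the live answer is returned unchanged."""
        live_result = self.live(request)
        try:
            exp_result = self.experiment(dict(request))  # copy: no shared state
        except Exception:
            self.experiment_errors += 1
            return live_result
        if exp_result != live_result:
            self.mismatches.append((request, live_result, exp_result))
        return live_result

    def crosscheck_report(self) -> Dict[str, int]:
        """Counts an operator would watch before promoting the experiment."""
        return {"mismatches": len(self.mismatches),
                "experiment_errors": self.experiment_errors}
```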

Slide 193

staged deployments

Slide 194: No content

Slide 195

/chord {id: ab123} production:* proxy query query x x

Slides 196-197

/chord {id: ab123} production:* proxy query x

Slides 198-201: No content

Slide 202

failure is inevitable

Slide 203

failure is not clean

Slide 204

failure can be mitigated

Slide 205: No content

Slide 206

Unmodified. CC BY 2.0 (https://creativecommons.org/licenses/by/2.0/)
https://www.flickr.com/photos/timothymorgan/75288582/
https://www.flickr.com/photos/timothymorgan/75288583/
https://www.flickr.com/photos/timothymorgan/75294154/
https://www.flickr.com/photos/timothymorgan/75593155/