Making the Impossible Impossible: Improving Reliability by Preventing Classes of Problems

Making the Impossible

Impossible

Improving Reliability by

Preventing Classes

of Problems @ChrisSinjo
Impossible

View Slide

Hi

View Slide

Hi

Greetings

View Slide

@ChrisSinjo

View Slide

Infra Engineer

View Slide

View Slide

Making the Impossible

Impossible

Improving Reliability by

Preventing Classes

of Problems @ChrisSinjo
Impossible

View Slide

We are at

SREcon

View Slide

We likely share:

- Job titles
 
- Skills

- Ways of thinking

View Slide

Common ground/

"Best practices"

View Slide

Some ideas have
outsized

impact

View Slide

In SRE: SLOs

(Service Level Objectives)

View Slide

A refresher:

Measuring the performance
of a service as a percentage
of successful operations

View Slide

Successful requests

Total requests
Example: HTTP requests
x 100
≥ 99.9%

View Slide

So why am I here
today?

View Slide

View Slide

The perils of success

View Slide

The way we measure

shapes

The way we think

View Slide

The way we think

shapes

The solutions we explore

View Slide

SLOs encourage

percentage

thinking

View Slide

Instances go unhealthy

‑

Add health checks &

route traf
fi
c away

View Slide

Regional network issues

‑

Serve from multiple
regions

View Slide

Rare slow requests

‑

Add timeouts to protect
majority of traf
fi
c

View Slide

Successful requests

Total requests
Example: HTTP requests
x 100
≥ 99.9%

View Slide

Reliability is a

percentage

game

View Slide

We can

stack the odds

in our favour

View Slide

Not all solutions
 
look the
 
same

View Slide

Not all solutions
 
are about
 
percentages

View Slide

Some solutions
prevent problems
entirely

View Slide

Today's talk:

- Another lens for reliability

- Examples in the wild
 
- How to spot problems of
this shape

View Slide

This is not:

- An attack on SLOs
 
- One-size-
fi
ts all solution

- Possible if you can't edit
software

View Slide

Examples:

- State machines

- Type systems & memory
safety
 
- Database migrations

View Slide

Examples:

- State machines

- Memory safety
 
 

View Slide

Example 1

State

machines

View Slide

View Slide

Collect from customer

‑

Pay out to merchant

View Slide

Payment

💸

View Slide

Payment

💸
Created

Submitted

Collected

Paid out

Failed

View Slide

Simple model
id description state
1 Laptop submitted
2 Phone collected
3
Unused domain

renewal
collected

View Slide

Simple model
1 Laptop collected
2 Phone collected
3
Unused domain

renewal
collected

View Slide

Simple model
1 Laptop paid_out
2 Phone collected
3
Unused domain

renewal
collected

View Slide

Simple model
1 Laptop submitted
2 Phone collected
3
Unused domain

renewal
collected

View Slide

Simple model
1 Laptop failed
2 Phone collected
3
Unused domain

renewal
collected

View Slide

View Slide

Submitted ➡ Failed

Collected ➡ Failed?

View Slide

Submitted ➡ Failed

Paid out ➡ Failed?

View Slide

We want some

restrictions

View Slide

class Payment

def fail()

state = "failed"
State restriction pseudocode

View Slide

class Payment

def fail()

if state == "submitted"

state = "failed"

else

raise "Cannot fail from state: #{state}"

View Slide

class Payment

def submit()

if state == "created"

state = "submitted"

else

raise "Cannot submit from state: #{state}"

View Slide

Payment

💸
Created

Submitted

Collected

Paid out

Failed

View Slide

Payment

💸
Created

Submitted

Collected

Payout submitted

Paid out

Failed

View Slide

class Payment

def fail()

if state in ["submitted", "payout_submitted"]

state = "failed"

else

raise "Cannot fail from state: #{state}"

View Slide

An

ad-hoc

mess

View Slide

Bugs 📈

Maintenance 📈

View Slide

Computer
Science has an
answer

View Slide

We can use a

state machine

View Slide

State machine:

- A set of states

- A set of allowed transitions
between those states

View Slide

class Payment

states(["created", "submitted", ...])

allow_transition("created", "submitted")

allow_transition("submitted", "collected")

allow_transition("submitted", "failed")

...
State machine pseudocode

View Slide

Created Collected Paid out
Failed
Submitted

View Slide

class Payment





...

View Slide

Error: cannot transition from
"paid out" to "failed"

View Slide

class Payment





...

View Slide

class Payment





allow_transition("failed", "submitted")

...

View Slide

Created Collected Paid out
Failed
Submitted

View Slide

Often
dismissed:
 
"Too academic"

View Slide

https://github.com/gocardless/statesman

View Slide

Make the problem

impossible

View Slide

Example 2

Memory

safety

View Slide

Not here to sell
you

Rust

View Slide

Something we

often

take for granted

View Slide

But
fi
rst,

some C

View Slide

char *ptr = malloc(SIZE);

do_stuff(ptr);

free(ptr);
Memory allocation in C

View Slide

char *ptr = malloc(SIZE);

do_stuff(ptr);

free(ptr);

// Many lines more code

do_other_stuff(ptr);
Use-after-free in C

View Slide

Unde
fi
ned
behaviour

(You don't know what your program will do)

View Slide

Unde
fi
ned
behaviour

(An attacker might be able to abuse it)

View Slide

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=use+after+free+2022
A non-scienti
fi
c study

View Slide

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41849
A non-scienti
fi
c study

View Slide

You don't know
which one will
be serious

View Slide

The assertion that
we can simply code
better is nonsense

View Slide

Something we

often

take for granted

View Slide

Garbage

collected

languages

View Slide

def main()

name = "Chris"

greet(name)

def greet(name)

puts("Hello #{name}")

Garbage collection pseudocode

View Slide

def main()

name = "Chris"

greet(name)

def greet(name)


Falls out of scope

View Slide

The computer

does it

for you

View Slide

Garbage collection

is outrageously
successful

View Slide

Java

Go

Ruby

Python

JavaScript

C#

Haskell

Lisp

PHP

Erlang

View Slide

But what
about...

View Slide

You don't

always want a
runtime

View Slide

View Slide

Stuck with

manual memory

management

View Slide

Until...

View Slide

View Slide

Okay so

hear me out

View Slide

Ownership &

borrow-checking

View Slide

Tl;dr:

Every value in memory
has at most one owner

View Slide

def main()

name = "Chris"

greet(name)

def greet(name)



View Slide

fn main() {

let name = String::from("Chris");

greet(name);

}

fn greet(name: String) {

println!("Hello {}", name);

}
Rust greetings

View Slide

fn main() {


greet(name);

}



}
Rust greetings
Owner transferred

View Slide

fn main() {


greet(name);

}



}
Rust greetings
Falls out of scope
Owner transferred

View Slide

Owner out-of-scope

‑

Value dropped

View Slide

fn main() {


greet(name);

say_goodbye(name);

}



}
Rust greetings
Compiler error

View Slide

fn main() {


greet(&name);

say_goodbye(name);

}

fn greet(name: &String) {


}
Rust greetings
Borrow

View Slide

No

manual memory

management

View Slide

The computer

does it

for you

View Slide

No

GC

View Slide

View Slide

Make the problem

impossible

View Slide

Example 3

Database

migrations

View Slide

MySQL

(but also true in Postgres)

View Slide

-- Create a table

CREATE TABLE payments (

id int NOT NULL,

...

)

-- Realise `int` isn't large enough (232)

-- You're going to run out of IDs

ALTER TABLE payments MODIFY id bigint;

View Slide

-- Create a table

CREATE TABLE payments (

id int NOT NULL,

...

)

-- Realise `int` isn't large enough (232)

-- You're going to run out of IDs

Blocks all

other queries

View Slide

🕵
The migrations

reviewer

View Slide

Add a new column

or

Recreate the table

View Slide

View Slide

🕵
The migrations

reviewer

View Slide

😰
The migrations

reviewer

View Slide

🕵 🕵 🕵
The migrations

reviewers

View Slide

😰 😰 😰
The migrations

reviewers

View Slide

It doesn't

scale

View Slide

and it's still

not enough

View Slide

Seemingly innocuous

ALTER TABLE payments ADD COLUMN refunded boolean;

View Slide

But can

still

be dangerous

View Slide

-- Slow transaction

START TRANSACTION;

SELECT * FROM payments;

-- Forces this to queue

ALTER TABLE payments ADD COLUMN refunded boolean;

-- Which blocks these

SELECT * FROM payments WHERE id = 123;

View Slide

View Slide

Tl;dr:

- MySQL-compatible

- Scalability (sharding)
 
- High-availability

View Slide

View Slide

VReplication

A stream of changes

View Slide

Delete
Insert
Update

View Slide


View Slide

id (int) description
1 Laptop
2 Phone

View Slide

id (bigint) description
1 Laptop
2 Phone

View Slide

1 Laptop
1 Laptop
2 Phone

View Slide

1 Laptop
1 Laptop
2 Phone
3 Unused domain

renewal

View Slide

1 Laptop
2 Phone
1 Laptop
2 Phone
3 Unused domain

renewal

View Slide

1 Laptop
2 Phone
3 Unused domain

renewal
1 Laptop
2 Phone
3 Unused domain

renewal

View Slide

1 Laptop
2 Phone
3 Unused domain

renewal
1 Laptop
2 Phone
3 Unused domain

renewal
User queries (via proxy)

View Slide

Fully-online

schema

migrations

View Slide

😰 😰 😰
The migrations

reviewers

View Slide

People doing

their actual job

😀 😀 😀

View Slide

Make the problem

impossible

View Slide

Examples

View Slide

View Slide

Take aways:

- Complementary technique

- You have to write software
 
- It's not easy to spot

View Slide

SLOs

are alive

and well

View Slide

Percentage

solutions

are too

View Slide

Percentage
solutions

View Slide

A

complementary

technique

View Slide

View Slide

https://gocardless.com/blog/fear-free-postgresql-migrations-for-rails/

View Slide

Take aways:


 

View Slide

No code
changes

View Slide

This is

not

one of them

View Slide

Sometimes
BIG

Sometimes small

View Slide

Not everyone
can build a

database

View Slide

https://github.com/gocardless/statesman

View Slide

Maybe
someone
already solved it

View Slide

Take aways:


 

- But there are some tells

View Slide

🕵
The migrations

reviewer

View Slide

View Slide

🙄
Smug internet
 
comments

View Slide

View Slide

🙄
Smug internet
 
comments

View Slide

Examples:

- State machines

- Memory safety
 
 
Add more
unit tests
Write
better C
Just hire

View Slide

Smug comments:

- State machines

- Memory safety
 
 
Write
better C
Just hire

View Slide

Smug comments:

- State machines

- Memory safety
 
 
Add more
unit tests
Write
better C
Just hire

View Slide

Smug comments:

- State machines

- Memory safety
 
 
Add more
unit tests
Write
better C
Just hire

a DBA

View Slide

There's
probably more
to it

View Slide

The assertion that
we can simply code
better is nonsense

View Slide

We

can

do better

View Slide

Thank you
✌❤
@ChrisSinjo

@planetscaledata

View Slide

Image credits
• Poker Winnings - slgckgc - CC-BY - https://www.
fl
ickr.com/photos/slgc/42157896194/

• Thinking Face - Twemoji - CC-BY - https://github.com/twitter/twemoji

• Ferris (Extra-cute) - Unof
fi
cial Rust mascot - Copyright waived - https://rustacean.net/

• A350 Board - Mark Turnauckas - CC-BY - https://www.
fl
ickr.com/photos/marktee/
17118767669/

• Play - Annie Roi - CC-BY - https://www.
fl
ickr.com/photos/annieroi/4421442720/

View Slide

Image credits
• White jigsaw puzzle with missing piece - Marco Verch Professional Photographer - CC-BY
- https://www.
fl
ickr.com/photos/30478819@N08/50605134766/

• Hedge maze - claumoho - CC-BY - https://
fl
ickr.com/photos/claudiah/3929921991/

• photo_1405_20060410 - Robo Android - CC-BY - https://www.
fl
ickr.com/photos/
49140926@N07/6798304070/

• Gears - Mustang Joe - Public Domain - https://www.
fl
ickr.com/photos/mustangjoe/
20437315996/

View Slide

Questions?
✌❤
@ChrisSinjo

@planetscaledata

View Slide

Making the Impossible Impossible: Improving Reliability by Preventing Classes of Problems

Making the Impossible Impossible: Improving Reliability by Preventing Classes of Problems

Chris Sinjakli

More Decks by Chris Sinjakli

Other Decks in Programming

Featured

Transcript