Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 patterns for more resilient applications

Uwe Friedrichsen
July 07, 2022
Technology
2
2.4k

10 patterns for more resilient applications

This slide deck is meant to motivate and support developers to build more resilient software solutions.

It starts with a very brief motivation why software engineers need to care about resilient software design and cannot leave this topic to the ops department anymore (if you still have one) as most IT departments did it in the past.

Then, the slide deck provides a little resilience patterns starter's toolbox including a few code examples. The goal of this toolbox is explicitly _not_ to show any fancy resilience measures. Instead it collects and organizes a set of patterns, most developers already know, but usually do not pay enough attention to. This way, it helps to lower the hurdle to create more resilient applications because developers can start immediately to use these patterns.

Of course the voice track (including some more hints) is missing. But I hope, this slide deck still is useful for you.

Uwe Friedrichsen

July 07, 2022
Tweet

More Decks by Uwe Friedrichsen

See All by Uwe Friedrichsen
Beyond the saga pattern
ufried
1
330
Where do we go from here? – Mastering the changed needs of architectural work
ufried
1
290
The future is already here – Mastering the challenges of the coming years
ufried
0
430
The reusability fallacy
ufried
2
750
Patterns of sustainability - Going green in IT
ufried
1
940
Resilient software design - The past, the present and the future
ufried
0
220
Digital products are different! Are they?
ufried
0
100
Road-movie architectures
ufried
1
1.2k
Becoming a cloud native ... genuinely!
ufried
2
500

Other Decks in Technology

See All in Technology
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
390
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
530
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
390
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
130
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
350
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
500
長期運用プロジェクトでのMySQLからTiDB移行の検証
colopl
2
840
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
240
反実仮想機械学習とは何か
usaito
PRO
11
4.3k
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
5
480
本当のAWS基礎
toru_kubota
0
510

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Documentation Writing (for coders)
carmenintech
60
3.9k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Unsuck your backbone
ammeep
663
57k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Side Projects
sachag
451
41k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k

Transcript

  1. 10 patterns for more resilient applications A gentle start into

    resilient software design Uwe Friedrichsen – codecentric AG – 2014-2022

  2. Uwe Friedrichsen Works @ codecentric https://twitter.com/ufried https://www.speakerdeck.com/ufried https://ufried.com/

  3. What is that “resilience” thing?

  4. re·sil·ience (rĭ-zĭl′yəns) n. 1. The ability to recover quickly from

    illness, change, or misfortune; buoyancy. 2. The property of a material that enables it to resume its original shape or position after being bent, stretched, or compressed; elasticity. American Heritage® Dictionary of the English Language, Fifth Edition. Copyright © 2016 by Houghton Mifflin Harcourt Publishing Company. Published by Houghton Mifflin Harcourt Publishing Company. All rights reserved. https://www.thefreedictionary.com/resilience

  5. What does it mean for IT systems?

  6. re·sil·ience (of IT systems) n. The ability of a system

    to handle unexpected situations • without the user noticing it (ideal case) • with a graceful degradation of service and quick recovery to normal operations (non-ideal case) The cautious attempt to provide a useful definition for resilience in the context of software systems. No copyright attached, but also no guarantee that this definition is sufficient for all relevant purposes.

  7. Can’t we just leave it to ops as we did

    it in the past?

  8. What is the problem? Let ops run our software on

    some HA infrastructure or alike and everything will be fine.

  9. Sorry, not that easy anymore

  10. But why?

  11. For a single, monolithic, isolated system this might indeed work,

    but …

  12. (Almost) every system is a distributed system. -- Chas Emerick

    http://www.infoq.com/presentations/problems-distributed-systems

  13. The software you develop and maintain is most likely part

    of a (big) distributed system landscape

  14. Distributed systems in a nutshell

  15. Everything fails, all the time. -- Werner Vogels

  16. Failures in distributed systems ... • Crash failure • Omission

    failure • Timing failure • Response failure • Byzantine failure

  17. ... lead to a variety of effects … • Lost

    messages • Incomplete messages • Duplicate messages • Distorted messages • Delayed messages • Out-of-order message arrival • Partial, out-of-sync local memory • ...

  18. ... turning seemingly simple issues into very hard ones Time

    & Ordering Leslie Lamport "Time, clocks, and the ordering of events in distributed systems" Consensus Leslie Lamport ”The part-time parliament” (Paxos) CAP Eric A. Brewer "Towards robust distributed systems" Faulty processes Leslie Lamport, Robert Shostak, Marshall Pease "The Byzantine generals problem" Consensus Michael J. Fischer, Nancy A. Lynch, Michael S. Paterson "Impossibility of distributed consensus with one faulty process” (FLP) Impossibility Nancy A. Lynch ”A hundred impossibility proofs for distributed computing"

  19. Embracing distributed systems • Distributed systems introduce non-determinism regarding •

    Execution completeness • Message ordering • Communication timing • You will be affected by this at the application level • Don’t expect your infrastructure to hide all effects from you • Better know how to detect if it hit you and how to respond

  20. Okay, I buy it. But how do I start?

  21. Let us start simple … * * which often improves

    the situation amazingly much

  22. Let us create our starter’s toolbox

  23. Resilience starter’s toolbox

  24. Accessing other systems

  25. Resilience starter’s toolbox Accessing other systems (downstream)

  26. from urllib3 import PoolManager URL = <…> http = PoolManager()

    r = http.request('GET’, URL) https://github.com/urllib3/urllib3

  27. Failure type Resilience starter’s toolbox Brittle connection (omission failure) Slow

    response (timing failure) Accessing other systems (downstream) Wrong response (response failure) No response (crash failure) The other system does not respond at all The other system does not respond reliably It takes too long until the other system responds The other system responds, but the response is not okay

  28. Detection Resilience starter’s toolbox No response (crash failure) Brittle connection

    (omission failure) Failure type Slow response (timing failure) Accessing other systems (downstream) Wrong response (response failure) Error checking

  29. Error checking • Most basic error detection pattern • Yet

    too often neglected • Multiple implementation variants • Exception handling (Java, C++, …) • Return code checking (C, …) • Extra error return value (Go, …) • Thorough error checking tends to make code harder to read

  30. Detection Resilience starter’s toolbox No response (crash failure) Brittle connection

    (omission failure) Failure type Slow response (timing failure) Accessing other systems (downstream) Wrong response (response failure) Error checking Timeout

  31. Timeout • Preserve responsiveness independent of downstream latency • Essential

    error detection pattern • Crucial if using synchronous communication • Also needed if using asynchronous request/response style • Good library support in most programming languages

  32. Detection Resilience starter’s toolbox No response (crash failure) Brittle connection

    (omission failure) Failure type Slow response (timing failure) Accessing other systems (downstream) Wrong response (response failure) Error checking Timeout Circuit breaker

  33. Circuit breaker • Probably most often cited resilience pattern •

    Extension of the timeout pattern • Takes downstream unit offline if calls fail multiple times • Can be used for most failure types • Crash failures, omission failure, timing failures • Many implementations available

  34. Adding error and timeout detection

  35. from urllib3 import PoolManager URL = <…> http = PoolManager()

    r = http.request('GET’, URL) https://github.com/urllib3/urllib3

  36. from concurrent.futures import ThreadPoolExecutor, TimeoutError from urllib3 import PoolManager from

    urllib3.exceptions import HTTPError URL = 'http://httpbin.org/delay/2' def get_url(http, url): return http.request('GET', url) http = PoolManager() with ThreadPoolExecutor(max_workers=1) as executor: future = executor.submit(get_url, http, URL) try: r = future.result(timeout=0.5) except TimeoutError: print('Request timed out') future.cancel() except HTTPError: print('An error occurred') else: print('Received:', r.data)

  37. from urllib3 import PoolManager from urllib3.exceptions import HTTPError URL =

    'http://httpbin.org/delay/2' http = PoolManager() try: r = http.request('GET', URL, timeout=0.5) except HTTPError: print('An error occurred or request timed out') else: print('Received:', r.data)

  38. Detection Resilience starter’s toolbox No response (crash failure) Brittle connection

    (omission failure) Failure type Slow response (timing failure) Accessing other systems (downstream) Wrong response (response failure) Error checking Timeout Response value checking Circuit breaker

  39. Response value checking • As obvious as it sounds, yet

    often neglected • Protection from broken/malicious return values • Especially do not forget to check for Null values • Quite good library support • But often do not cover all checks needed • Consider specific data types

  40. Response w/o redundancy Resilience starter’s toolbox No response (crash failure)

    Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Circuit breaker

  41. Retry • Basic recovery pattern for downstream calls • Recover

    from omission or other transient errors • Limit retries to minimize extra load on an overloaded resource • Limit retries to avoid recurring errors • Some library support available

  42. Response w/o redundancy Resilience starter’s toolbox No response (crash failure)

    Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Circuit breaker Backup request

  43. Backup request • Send request to multiple workers (usually with

    some delay) • Use quickest reply and discard all other responses • Prevents latent responses (or at least reduces probability) • Requires redundancy – trades resources for availability also see: J. Dean, L. A. Barroso, “The tail at scale”, Communications of the ACM, Vol. 56 No. 2

  44. Response w/o redundancy Resilience starter’s toolbox No response (crash failure)

    Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Caching Circuit breaker Backup request

  45. Caching • Re-use responses from prior calls to downstream resources

    • Can bridge temporary unavailability of resources • Use with caution • Requires extra resources to store cached data • Leaves you with potentially stale data and all consistency issues associated with it • Good tool and library support

  46. Response w/o redundancy Resilience starter’s toolbox No response (crash failure)

    Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Fallback Caching Circuit breaker Backup request

  47. Fallback • Execute an alternative action if the original action

    fails • Basis for most mitigation patterns • Widespread simple variants • Fail silently: silently ignore error and continue processing • Default value: return predefined default value if error occurs • Note that fallback action is a business decision

  48. Adding retry and fallback

  49. from urllib3 import PoolManager from urllib3.exceptions import HTTPError URL =

    'http://httpbin.org/delay/2' http = PoolManager() try: r = http.request('GET', URL, timeout=0.5) except HTTPError: print('An error occurred or request timed out') else: print('Received:', r.data)

  50. from urllib3 import PoolManager from urllib3.exceptions import HTTPError URL =

    'http://httpbin.org/delay/2' http = PoolManager() def get_url(http, url): try: r = http.request('GET', url, timeout=0.5) except HTTPError: return None # None means something went wrong else: return r.data d = get_url(http, URL) if d is None: d = get_url(http, URL) # Retry once if d is None: d = 42 # Execute fallback print('Received:’, d)

  51. from urllib3 import PoolManager from urllib3.exceptions import HTTPError URL =

    'http://httpbin.org/delay/2' http = PoolManager() try: r = http.request('GET', URL, timeout=0.5, retries=1) except HTTPError: d = 42 # Execute fallback else: d = r.data print('Received:', d)

  52. Response w/ redundancy Response w/o redundancy Resilience starter’s toolbox No

    response (crash failure) Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Fallback Caching Failover Circuit breaker Backup request

  53. Failover • Used if simpler recovery measures fail or take

    too long • Many implementation variants available • Good support on the infrastructure level • Recovery and state replication usually not covered • Mind the business case • Requires redundancy – trades resources for availability • Added costs need to justify added value

  54. Response w/ redundancy Response w/o redundancy Resilience starter’s toolbox No

    response (crash failure) Brittle connection (omission failure) Failure type Detection Slow response (timing failure) Error checking Timeout Response value checking Accessing other systems (downstream) Wrong response (response failure) Retry Fallback Caching Failover Custom response Circuit breaker Postel’s law Backup request

  55. Remember Postel’s law “Be conservative in what you do, be

    liberal in what you accept from others” (Often reworded as: “Be conservative in what you send, be liberal in what you accept”) see also: https://en.wikipedia.org/wiki/Robustness_principle

  56. Being accessed by other systems

  57. Being accessed by other systems (upstream) Resilience starter’s toolbox No

    response (crash failure) Brittle connection (omission failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Accessing other systems (downstream) Response w/ redundancy Wrong response (response failure) Custom response Circuit breaker Postel’s law Backup request

  58. from fastapi import FastAPI app = FastAPI() @app.get("/square/{number}") def read_square(number):

    n = int(number) return {"result": n*n} https://fastapi.tiangolo.com/

  59. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Wrong response (response failure) Custom response Circuit breaker Postel’s law The request parameters are not okay The other systems send too many requests Backup request

  60. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Wrong response (response failure) Custom response Circuit breaker Postel’s law Request parameter checking Backup request

  61. Request parameter checking • As obvious as it sounds, yet

    often neglected • Protection from broken/malicious request parameters • Especially do not forget to check for Null values • Quite good library support • But often do not cover all checks needed • Consider specific data types

  62. Adding parameter checking

  63. from fastapi import FastAPI app = FastAPI() @app.get("/square/{number}") def read_square(number):

    n = int(number) return {"result": n*n} https://fastapi.tiangolo.com/

  64. from fastapi import FastAPI, Path app = FastAPI() @app.get("/square/{number}") def

    read_square(number: int = Path(..., gt=0, lt=100)): return {"result": number*number}

  65. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Wrong response (response failure) Custom response Monitoring Circuit breaker Postel’s law Request parameter checking Backup request

  66. Monitoring • Indispensable when running distributed systems • Good tool

    support available • Usually needs application-level support for best performance • Application-level and business-level metrics • Should be combined with self-healing measures • Alarms should only be sent if self-healing fails

  67. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Monitoring Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Shed load Circuit breaker Postel’s law Backup request

  68. Shed load • Limit load to keep throughput of resource

    acceptable • Reject (shed) requests (“rate limiting”) • Best shed load at periphery • Minimize impact on resource itself • Good tool support available • Usually requires monitoring data to watch load of resource • Try not to break ongoing multi-request sessions

  69. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Monitoring Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Shed load Share load Circuit breaker Postel’s law Backup request

  70. Share load • Share load between resources to keep throughput

    good • Use if additional resources for load sharing can be used • Can be implemented statically or dynamically (“auto-scaling”) • Very good tool support available • Minimize synchronization needed between resources • Synchronization needs kill scalability

  71. Useful complementing patterns

  72. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Circuit breaker Postel’s law Monitoring Backup request

  73. Idempotency • Non-idempotent calls become very complicated if they fail

    • Idempotent calls can be repeated without problems • Always return the same result • Do not trigger any cumulating side-effects • Reduces coupling between nodes • Simplifies responding to most failure types a lot • Very fundamental resilience and scalability pattern

  74. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Temporal decoupling Circuit breaker Postel’s law Monitoring Backup request

  75. Temporal decoupling • Request, processing and response are temporally decoupled

    • Simplifies responding to timing failures a lot • Not necessary to recover from failures within caller’s response time expectations • Functional design issue • Technology only augments it • Enables simpler and more robust communication types • E.g., batch processing

  76. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Temporal decoupling Circuit breaker Quorum based reads & writes Postel’s law Monitoring Backup request

  77. Quorum-based reads and writes • Became popular with the rise

    of NoSQL databases • Useful pattern for distributed, replicated data stores • Relaxes consistency constraints while writing • Detects inconsistencies due to a (temporally) failed prior write • Not a replacement for response value checking • Not to be confused with ACID transactions

  78. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Temporal decoupling Circuit breaker Quorum based reads & writes Postel’s law Graceful startup Monitoring Backup request

  79. Graceful startup • Implement graceful startup mode • Wait until

    all required resources and services are available before switching to runtime mode • Makes application startup order interchangeable • Crucial for quick recovery after bigger failures • Simple and powerful, but often neglected pattern

  80. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Temporal decoupling Circuit breaker Quorum based reads & writes Postel’s law Graceful startup Monitoring Fail fast Backup request

  81. Fail fast • “If you know you’re going to fail,

    you better fail fast” • Usually implemented in front of costly actions • Saves time and resources by avoiding foreseeable failures • Useful in normal operations mode • Can be counterproductive in startup mode

  82. What can we delegate to the infrastructure level?

  83. Resilience starter’s toolbox No response (crash failure) Brittle connection (omission

    failure) Failure type Detection Response w/o redundancy Complement Slow response (timing failure) Wrong request (response failure) Error checking Timeout Fallback Caching Failover Retry Response value checking Shed load Share load Monitoring Idempotency Accessing other systems (downstream) Being accessed by other systems (upstream) Overload (timing failure) Response w/ redundancy Request parameter checking Wrong response (response failure) Custom response Temporal decoupling Circuit breaker Quorum based reads & writes Postel’s law Graceful startup Monitoring Fail fast Coarse-grained Generic Needs application-level metrics and interaction Coarse-grained Backup request

  84. But that is still a lot to implement

  85. But what should be the alternative?

  86. Should we let the application crash whenever something goes wrong?

  87. Always keep in mind …

  88. The question is no longer, if failures will hit you

    The only question left is, when and how bad they will hit you

  89. Thus, look for library and framework support … but do

    the work!

  90. Everyone loves resilient applications

  91. Wrap-up

  92. Wrap-up • Distribution makes resilient software design mandatory • Failures

    will hit you at the application level • The starter’s toolbox • Delegate to the infrastructure what is possible • ... but consider the limitations • Look for library and framework support
  93. None

  94. Recommended readings Release It! Design and Deploy Production-Ready Software, Michael

    Nygard, 2nd edition, Pragmatic Bookshelf, 2018 Patterns for Fault Tolerant Software, Robert S. Hanmer, Wiley, 2007 Distributed Systems – Principles and Paradigms, Andrew Tanenbaum, Marten van Steen, 3rd Edition, 2017, https://www.distributed-systems.net/index.php/books/ds3/ On Designing and Deploying Internet-Scale Services, James Hamilton, 21st LISA Conference 2007 Site Reliability Engineering, Betsy Beyer et al., O’Reilly, 2016

  95. Uwe Friedrichsen Works @ codecentric https://twitter.com/ufried https://www.speakerdeck.com/ufried https://ufried.com/