Presentation is loading. Please wait.

Presentation is loading. Please wait.

Undo for Recovery: Approaches and Models Aaron Brown UC Berkeley ROC Group.

Published byWesley Lawrence Modified over 7 years ago

Similar presentations

Presentation on theme: "Undo for Recovery: Approaches and Models Aaron Brown UC Berkeley ROC Group."— Presentation transcript:

1 Undo for Recovery: Approaches and Models Aaron Brown UC Berkeley ROC Group

2 2 Motivation Human operator error is a major cause of system failures –systems are not tolerant of human error during system administration Undo effectively tolerates human error –recovery-based: repairs unanticipated mistakes –familiar model: ubiquitous in productivity applications Undo has “fringe benefits” –makes sysadmin’s job easier, improving maintainability –enables trial-and-error learning –helps shift recovery burden from sysadmin to users –helps recover from more than just human error »SW/HW failure, security breaches, virus infections,...

3 3 An Undo paradigm ROC Undo combines time travel with repair The Three R’s of Undo –Rewind: roll system state backwards in time –Repair: fix latent or active errors »automatically or via human intervention –Replay: roll system state forward, replaying user interactions lost during rewind »we assume a service model with well-defined user actions All three steps are critical –rewind enables undo –repair lets user/administrator fix problems –replay preserves updates, propagates fixes forward Let’s talk about what undo should look like

4 4 Undo examples: email Coarse-grained Undo –roll back OS or app. upgrade without losing user data –revert system-wide configuration changes –“go back in time” to retroactively install virus filter on email server; effects of virus are squashed on redo Fine-grained Undo –undo deletion of a user, mailbox, or email message –reverse changes to a user’s profile or filtering rules –maybe even unsend mail (?) Undo paradigm must support both granularities esp. if changes unknown Make sure to talk about replay in these examples!

5 5 Challenges in 3R paradigm Handling externalized events –externalized event: event visible outside of system »example: user downloads/reads email message »example: user forwards email message over the Internet –undo can invalidate externalized events »repair can cause events to change/disappear on replay »result: inconsistency between system and external env’t –solutions depend on acceptable level of inconsistency »human users willing to accept inconsistency in some apps »issue compensating or explanatory events »delay execution of externalized events for an undo window »convert external to internal by expanding system boundary

6 6 Challenges in 3R paradigm (2) Integrated coarse- and fine-grained undo –coarse-grained undo best handled by physical logging –fine-grained undo best handled by logical logging –best: hybrid system with physical logging for Rewind and logical logging for Replay »caveat: limits full 3R semantics to logically-logged system state; allows simple undo/redo of unmonitored state i.e., redo of unmonitored state won’t propagate repairs Managing state dependencies –Rewind/Repair cycle can invalidate logged events –Replay system must understand dependencies between logged state and state touched during repair

7 7 Towards system models for undo Goal: abstract model for undo-capable system –template for constructing undoable services –needed to analyze generality and limitations of undo Model components –state entities –state update events (analogue of transactions) –event queues and logs –untracked system changes Assumptions –storage layer that supports bidirectional time-travel »via non-overwriting FS, snapshots, etc. Email as example application

8 8 Simple model –Analysis +simple, easy to implement, easier to trust, most general –huge overhead for fine-grained undo operations –serialization bottleneck at single queue/log –difficult to distinguish different users’ events Entire system is one state entity Email Service State - user state - mailboxes - application - operating system Time-travel storage Email delivery (SMTP) User updates (IMAP) synch. untracked changes

9 9 Hierarchical model System composed of multiple state entities –each state entity supports undo as in simple model –state entities join hierarchically to give multiple granularities of undo –Analysis +multiple undo granularities reduces overhead, bottlenecks +distributed undo possible –greater complexity; tricky to coordinate different layers Email delivery (SMTP) User updates (IMAP) untracked changes Time- travel store User 1 state TT store User 2 state TT store useruser muxmux virus filter Email Service State

10 10 Status Refining system model for undo –hierarchical seems best bet, but many issues to solve –feedback welcome! Learning about real-world email systems –to help calibrate the undo model –working with Sun/iPlanet Messaging Server team »likely will get source code access Continuing maintainability benchmarking work –helps illustrate what kinds of things need undo Preparing for proof-of-concept implementation –in the context of iPlanet Messaging Server

Download ppt "Undo for Recovery: Approaches and Models Aaron Brown UC Berkeley ROC Group."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Fabián E. Bustamante, Winter 2006 Recovery Oriented Computing Embracing Failure A. B. Brown and D. A. Patterson, Embracing failure: a case for recovery-

Fabián E. Bustamante, Winter 2006 Recovery Oriented Computing Embracing Failure A. B. Brown and D. A. Patterson, Embracing failure: a case for recovery-
Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.

Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.
High Availability Group 08: Võ Đức Vĩnh50703006 Nguyễn Quang Vũ50703033.

High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
Recovery 10/18/05. Implementing atomicity Note, when a transaction commits, the portion of the system implementing durability ensures the transaction’s.

Recovery 10/18/05. Implementing atomicity Note, when a transaction commits, the portion of the system implementing durability ensures the transaction’s.
Keith Burns Microsoft UK Mission Critical Database.

Keith Burns Microsoft UK Mission Critical Database.
Overview Distributed vs. decentralized Why distributed databases

Overview Distributed vs. decentralized Why distributed databases
Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.

Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.
Transactions and Recovery

Transactions and Recovery
Implementing High Availability

Implementing High Availability
Module 8 Implementing Backup and Recovery. Module Overview Planning Backup and Recovery Backing Up Exchange Server 2010 Restoring Exchange Server 2010.

Module 8 Implementing Backup and Recovery. Module Overview Planning Backup and Recovery Backing Up Exchange Server 2010 Restoring Exchange Server 2010.
Overview SAP Basis Functions. SAP Technical Overview Learning Objectives What the Basis system is How does SAP handle a transaction request Differentiating.

Overview SAP Basis Functions. SAP Technical Overview Learning Objectives What the Basis system is How does SAP handle a transaction request Differentiating.
H-1 Network Management Network management is the process of controlling a complex data network to maximize its efficiency and productivity The overall.

H-1 Network Management Network management is the process of controlling a complex data network to maximize its efficiency and productivity The overall.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
1 Motivation Goal: Create and document a black box e-mail availability benchmark Improving dependability requires that we quantify the ROC-related metrics.

1 Motivation Goal: Create and document a black box availability benchmark Improving dependability requires that we quantify the ROC-related metrics.
IT:Network:Applications Fall 2009.  Running one “machine” inside another “machine”  OS in Virtual machines sees ◦ CPU(s) ◦ Memory ◦ Disk ◦ USB ◦ etc.

IT:Network:Applications Fall  Running one “machine” inside another “machine”  OS in Virtual machines sees ◦ CPU(s) ◦ Memory ◦ Disk ◦ USB ◦ etc.
Distributed File Systems Concepts & Overview. Goals and Criteria Goal: present to a user a coherent, efficient, and manageable system for long-term data.

Distributed File Systems Concepts & Overview. Goals and Criteria Goal: present to a user a coherent, efficient, and manageable system for long-term data.
Database Systems: Design, Implementation, and Management Ninth Edition

Database Systems: Design, Implementation, and Management Ninth Edition
Introduction to Systems Analysis and Design Trisha Cummings.

Introduction to Systems Analysis and Design Trisha Cummings.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Similar presentations

Ads by Google