© 2013 A. Haeberlen, Z. Ives Internet Basics Faults & Failures 1.


1 © 2013 A. Haeberlen, Z. Ives Internet Basics Faults & Failures 1

2 Below HTTP: Routing 2

3 The Internet The Internet consists of tens of thousands of interconnected networks Routers and switches forward the data from one network link to the next Request and response travel along a path through these networks (usually, but not always the 'shortest' path) 3 Server in USA Google PTCL Cogent AT&T Level 3 Router Switch Networks Individual network link Path Client in Leads

4 Packet switching Communication consists of packets Each packet traverses the path independently No dedicated connection like in the telephone network Packets are relatively small (typically up to 1,500 bytes) Why is this a good idea? 4 Google UPenn Cogent AT&T Level 3 Server in California Client

5 IP addresses
How do routers know where to send a packet?
Each machine is assigned an IP address
Machines in the same network are given similar addresses, usually from an IP range
Each packet has a source and a destination address
Each router has a forwarding table that maps ranges to links over which packets in that range should be sent
[Figure: networks Google, UPenn, Cogent, AT&T, Level 3 with hosts 173.194.34.104 and 158.130.53.72; IPv4 packet layout from bit 0 to bit 31: version field 4 (indicates this is an IPv4 packet), source IP, destination IP, data]

6 IP routing
Networks exchange routing information
If a connection or router fails, this information is updated
Result: Global reachability. Any machine on the Internet can (in principle) communicate with any other machine.
[Figure: networks A through N exchanging route announcements ("I know how to get to A")]

7 Path properties: Bottleneck capacity How fast can we send data on our path? Limited by the bottleneck capacity 7 Server Client Bottleneck

8 Path properties: Propagation delay
Speed of light: 299 792 458 m/s
Latency matters!
[Figure labels: ~6,270km (one way); Round-trip time]

    [ahae@ds01 ~]$ traceroute www.mpi-sws.org
    traceroute to www.mpi-sws.org (139.19.1.156), 30 hops max, 60 byte packets
     1  SUBNET-46-ROUTER.seas.UPENN.EDU (158.130.46.1)  1.744 ms  2.134 ms  2.487 ms
     2  158.130.21.34 (158.130.21.34)  5.327 ms  5.395 ms  5.649 ms
     3  isc-uplink-2.seas.upenn.edu (158.130.128.2)  5.671 ms  5.825 ms  6.175 ms
     4  external3-core1.dccs.UPENN.EDU (128.91.9.2)  6.007 ms  6.283 ms  6.362 ms
     5  external-core2.dccs.upenn.edu (128.91.10.1)  6.830 ms  6.990 ms  7.080 ms
     6  local.upenn.magpi.net (216.27.100.73)  7.250 ms  3.429 ms  3.533 ms
     7  remote.internet2.magpi.net (216.27.100.54)  4.487 ms  3.002 ms  2.925 ms
     8  198.32.11.51 (198.32.11.51)  90.557 ms  90.806 ms  91.028 ms
     9  so-6-2-0.rt1.fra.de.geant2.net (62.40.112.57)  97.403 ms  97.473 ms  97.766 ms
    10  dfn-gw.rt1.fra.de.geant2.net (62.40.124.34)  98.834 ms  98.890 ms  99.043 ms
    11  xr-fzk1-te2-3.x-win.dfn.de (188.1.145.50)  100.627 ms  101.034 ms  101.387 ms
    12  xr-kai1-te1-1.x-win.dfn.de (188.1.145.102)  103.985 ms  104.383 ms  104.528 ms
    13  xr-saa1-te1-1.x-win.dfn.de (188.1.145.97)  103.636 ms  103.903 ms  104.139 ms
    14  kr-0unisb.x-win.dfn.de (188.1.234.38)  103.983 ms  103.746 ms  103.853 ms
    15  mpi2rz-hsrp2.net.uni-saarland.de (134.96.6.28)  104.469 ms  104.355 ms  104.491 ms
    [ahae@ds01 ~]$

9 Path properties: Queueing delay What if we send packets too quickly? Router stores the packets in a queue until it can send them Consequence : End-to-end delay increases Where does this matter? What if the router runs out of queue space? Packets are dropped and lost 9

10 TCP
Transmission Control Protocol (TCP) provides abstraction of a reliable stream of bytes
Ensures packets are delivered to application in correct order
Retransmits lost packets
Tracks available capacity and prevents packets from being sent too fast (congestion control)
Prevents sender from overwhelming the receiver (flow control)
[Figure: sender and receiver running TCP over IP; data packets 1 to 4 travel to the receiver, acknowledgments (ACK 1, ACK 2) travel back]

11 TCP congestion control
How fast should the sender send?
Problem: Available capacity not known (and can vary)
Solution: Congestion control
Maintain a congestion window of max #packets in flight
Slow start: Exponential increase until threshold
Increase cwnd by one packet for each incoming ACK
Congestion avoidance: Additive increase, multiplicative decrease (AIMD)
[Figure: congestion window (cwnd) over time; "slow start" phase (actually fast!) up to ssthresh; -50% on packet loss]

12 Recap: The Internet in 30 minutes What is the Internet? Tens of thousands of interconnected networks Technology: Packet switching (not like telephone network!) How does the network matter to applications? Propagation delay → Good to be physically close to customer Bottlenecks → Transfer speed is limited Queueing delays, loss, reordering → Delay can vary Network can partition → Problem for consistency/availability Some of these can be taken care of by TCP 12

13 What Can Go Wrong? 13

14 Complications in wide-area networks Communication is slower, less reliable Latencies are higher, more variable Bottleneck capacity is lower Packet loss, reordering, queueing delays Faults are more common Broken or malfunctioning nodes Network partitions 14

15 Faults and failures
Terminology:
Fault: Some component is not working correctly
Failure: System as a whole is not working correctly
[Figure: a client sets X:=5 and later asks "What is X?"; panels: Correct; Fault (masked); Faults causing failure]

16 Faults in distributed systems What could possibly go wrong? Node loses power Hard disk fails Administrator accidentally erases data Administrator configures node incorrectly Software bug triggers Network overloaded, drops lots of packets Hacker breaks into some of the nodes Disgruntled employee manipulates node Fire breaks out in data center where node resides Police confiscates node because of illegal activity... 16

17 Common misconceptions about faults "Faults are rare exceptions" NO! At scale, faults are occurring all the time Stopping the system while handling the fault is NOT an option - system needs to continue despite the fault "Faulty machines always stop/crash" NO! There are many types of faults with different effects If your system is designed to handle only crash faults and another type of fault occurs, things can become very bad 17

18 Types of faults Crash faults Node simply stops Examples: OS crash, power loss Rational behavior Owner manipulates node to increase profit Example: Lying about performance to get a sale Byzantine faults Arbitrary - faulty node could do anything (stop, tamper with data, tell lies, attack other nodes, send spam, spy on user...) Example: Node compromised by a hacker, data corruption, hardware defect... 18

19 Example Byzantine fault 19 http://status.aws.amazon.com/s3-20080720.html

20 Correlated faults A single problem can cause many faults Overloaded machine crashes, increases load on other machines → domino effect Bug is triggered in a program that is used on lots of machines Hacker manages to break into many computers due to a shared vulnerability Machines may be connected to the same power grid, cooled by the same A/C, managed by the same admin... 20

21 Recap: Faults and failures Faults happen all the time Hardware malfunction, software bug, manipulation, hacker break-ins, misconfiguration,... NOT a rare occurrence at scale - must design system to handle them All faults are NOT independent crash faults Faults can be correlated Rational and Byzantine faults are real Three common fault models: Crash fault model: Faulty machines simply stop Rational model: Machines manipulated by selfish owners Byzantine fault model: Faulty machines could do anything 21

22 So what can we do? 22

23 What can we do? Prevention and avoidance Example: Prevent crashes with software verification Detection Example: Cross-check network's route announcements with other information to see whether it is lying, and hold it accountable if it is (e.g., sue for breach of contract) Masking Example: Store replicas of the data on multiple nodes; if data is lost or corrupted on one of them, we still have the other copies 23

24 Masking faults with replication Alice can store her data on both servers Bob can get the data from either server A single crash fault on a server does not lead to a failure Availability is maintained 24 Server A Server B Alice Bob

25 Problem: Maintaining consistency What if multiple clients are accessing the same set of replicas? Requests may be ordered differently by different replicas Result: Inconsistency! 25 Server A Server B Alice Bob X:=5 X:=7 X:=5 X:=7

26 Types of consistency Strong consistency After an update completes, any subsequent access will return the updated value Weak consistency Updated value not guaranteed to be returned immediately, only after some conditions are met (inconsistency window) Eventual consistency A specific type of weak consistency If no new updates are made to the object, eventually all accesses will return the last updated value 26

27 Example: Storage system Scenario: Replicated storage We have N nodes that can store data Data contains a monotonically increasing timestamp To write a value: Pick W replicas and write the value to each, using a fresh timestamp (say, the current wallclock time) To read a value: Pick R replicas and read the value from each Return the value with the highest timestamp If any replicas had a lower timestamp, send them the newer value 27 X=3 v1 X=5 v2 X=2 v4 X=5 v2 Replica
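The read and write rules on this slide, as an added example (not part of the original slides). It assumes a logical counter in place of the wall-clock timestamp and lets the caller pick the W or R replicas explicitly so the outcome is reproducible; the class and function names are hypothetical. It also goes one step beyond the slide by showing that a read is only guaranteed to see the latest write when R + W > N.

```python
"""Quorum reads/writes over N replicas with timestamps and read repair."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Replica:
    # key -> (timestamp, value); timestamp 0 means "never written"
    store: dict = field(default_factory=dict)

    def put(self, key, ts, value):
        # Keep only the newest version; late-arriving older writes are ignored.
        if self.get(key)[0] < ts:
            self.store[key] = (ts, value)

    def get(self, key):
        return self.store.get(key, (0, None))


class QuorumStore:
    def __init__(self, n, w, r):
        self.replicas = [Replica() for _ in range(n)]
        self.w, self.r = w, r
        # Assumption: a logical counter supplies the "fresh timestamp";
        # the slide suggests wall-clock time instead.
        self._clock = count(1)

    def quorums_overlap(self):
        # Every read set shares at least one replica with every write set.
        return self.r + self.w > len(self.replicas)

    def write(self, key, value, targets):
        """Write the value to exactly W replicas (indices in `targets`)."""
        if len(set(targets)) != self.w:
            raise ValueError("a write must go to exactly W replicas")
        ts = next(self._clock)
        for i in targets:
            self.replicas[i].put(key, ts, value)
        return ts

    def read(self, key, targets):
        """Read from exactly R replicas, return the newest value, repair the rest."""
        if len(set(targets)) != self.r:
            raise ValueError("a read must contact exactly R replicas")
        answers = {i: self.replicas[i].get(key) for i in targets}
        ts, value = max(answers.values(), key=lambda a: a[0])
        for i, (seen_ts, _) in answers.items():
            if seen_ts < ts:                    # replica is behind:
                self.replicas[i].put(key, ts, value)  # send it the newer value
        return value


def demo():
    # N=3, W=2, R=2: read and write sets must intersect.
    strong = QuorumStore(3, 2, 2)
    strong.write("X", 3, targets=[0, 1])
    strong.write("X", 5, targets=[1, 2])
    fresh = strong.read("X", targets=[0, 1])    # replica 0 is stale, 1 is current
    repaired = strong.replicas[0].get("X")      # replica 0 after read repair

    # N=3, W=1, R=1: a read can miss the latest write entirely.
    weak = QuorumStore(3, 1, 1)
    weak.write("X", 3, targets=[0])
    weak.write("X", 5, targets=[1])
    stale = weak.read("X", targets=[0])
    return fresh, repaired, stale


if __name__ == "__main__":
    print(demo())
```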

28 Consensus Replicas need to agree on a single order in which to execute client requests How can we do this? Does the specific order matter? Problem: What if some replicas are faulty? Crash fault: Replica does not respond; no progress (bad) Byzantine fault: Replica might tell lies, corrupt order (worse) Solution: Consensus protocol Paxos (for crash faults), PBFT (for Byzantine faults) Works as long as no more than a certain fraction of the replicas are faulty (PBFT: one third) 28

29 How do consensus protocols work? Idea: Correct replicas 'outvote' faulty ones Clients send requests to each of the replicas Replicas coordinate and each return a result Client chooses one of the results, e.g., the one that is returned by the largest number of replicas If a small fraction of the replicas returns the wrong result, or no result at all, they are 'outvoted' by the other replicas 29

30 What If the Network Breaks? 30

31 Network partitions Network can partition Hardware fault, router misconfigured, undersea cable cut,... Result: Global connectivity is lost What does this mean for the properties of our system? 31 Server A Server B What if this link breaks? Alice Bob

32 Recap: Consistency and partitions Use replication to mask limited # of faults Can achieve strong consistency by having replicas agree on a common request ordering Even non-crash faults can be handled, as long as there are not too many of them (typical limit: 1/3) Partition tolerance, availability, consistency? Can't have all three (CAP theorem) For some services, need to drop one (usually availability) If service works with weaker consistency guarantees, such as eventual consistency, can get a compromise (BASE) Example: Shopping cart 32

33 Cloud Computing 33

34 History: The early days Cloud computing: A new term for a concept that has been around since the 1960s Who invented it? No agreement. Some candidates: John McCarthy (Stanford professor and inventor of Lisp; proposed the 'service bureau' model in 1961) J.C.R. Licklider (contributed key ideas to ARPANET; published a memo on the "Intergalactic Computer Network" in 1963) Douglas Parkhill (published a book on "The Challenge of the Computer Utility" in 1966) 34

35 History: Becoming a cloud provider
Early 2000s: Phenomenal growth of web services
Many large Internet companies deploy huge data centers, develop scalable software infrastructure to run them
Due to economies of scale, these companies were now able to run computation very cheaply

Technology | Cost in medium DC (~1,000 servers) | Cost in large DC (~50,000 servers) | Ratio
Network | $95 per Mbit/sec/month | $13 per Mbit/sec/month | 7.1
Storage | $2.20 per GByte/month | $0.40 per GByte/month | 5.7
Administration | ~140 servers/admin | >1,000 servers/admin | 7.1

Source: James Hamilton's Keynote, LADIS 2008

36 History: Incentives Idea: Use your existing data center to provide cloud services Why is this a good idea? Make a lot of money Price advantage of 3x-7x → Can offer services much cheaper than medium-size company and still make profit Leverage existing investment New revenue stream at low incremental cost (example: many Amazon AWS technologies were initially developed for Amazon's internal operations) 36

37 History: Incentives (continued) Attack an incumbent Company with requisite datacenter may want to establish a 'beach head' before a '800 pound gorilla' emerges Leverage existing customer relationships IT service organizations like IBM Global Services have extensive customer relationships; provide anxiety-free migration path to existing customers Become a platform Example: Facebook's initiative to enable plug-in applications is a great fit for cloud computing 37

38 History: The pioneers Jul 2002: Amazon Web Services launched Third-party sites can search and display products from Amazon's web site, add items to Amazon shopping carts Mar 2006: Amazon S3 launched Innovative 'pay-per-use' pricing model, which is now the standard in cloud computing Cheaper than many small/medium storage solutions: $0.15/GB/month of storage, $0.20/GB/month for traffic Amazon no longer a pure retailer, entering technology space Aug 2006: EC2 launched Core computing infrastructure becomes available 38

39 History: Wide-spread adoption Apr 2008: Google App Engine launched Same building blocks Google uses for its own applications: Bigtable and GFS for storage, automatic scaling and load balancing,... Nov 2009: Windows Azure Beta launched Becomes generally available in 21 countries in Feb 2010 Microsoft’s online services are gradually transitioning to Azure Dec 2013: Google Compute Engine launched Provides lower level support vs. App Engine, gives full set of services Dramatically lower prices, quickly matched by AWS and Azure 39

40 One Set of Cloud Services: Amazon Web Services 40

41 AWS Documentation http://aws.amazon.com/documentation/ 41

42 Why Amazon AWS and not others? Amazon is only one of several cloud providers Others include Microsoft Azure, Google Cloud Engine / App Engine,... There is no common standard (yet) Initially, MS and Google supported PaaS Gradually each has grown to support both IaaS and PaaS AWS is PaaS/IaaS with a broad menu of choices So we had to pick one specific provider Amazon AWS is going to be used for the rest of this class Amazon's only involvement is providing free AWS cycles/storage Everything we do on AWS has an equivalent on Azure and GCE/GAE 42

43 What is Amazon AWS? Amazon Web Services (AWS) provides a number of different services, including: Amazon Elastic Compute Cloud (EC2) Virtual machines for running custom software Amazon Simple Storage Service (S3) Simple key-value store, accessible as a web service Amazon DynamoDB Distributed “NoSQL” database, one of several in AWS Amazon Elastic MapReduce Scalable MapReduce computation Amazon Mechanical Turk (MTurk) A 'marketplace for work' Amazon CloudFront Content delivery network... 43 Used for the projects

44 Setting up an AWS account 44 aws.amazon.com Sign up for an account on aws.amazon.com You need to choose a username and a password These are for the management interface only Your programs will use other credentials (RSA keypairs, access keys,...) to interact with AWS

45 AWS credentials Why so many different types of credentials? 45 Sign-in credentials X.509 certificates EC2 key pairs Access keys AWS web site and management console Command-line tools SOAP APIs REST APIs Connecting to an instance (e.g., via ssh)

46 The AWS management console Used to control many AWS services: For example, start/stop EC2 instances, create S3 buckets... 46

47 REST and SOAP How do your programs access AWS? Via the REST or SOAP protocols Example: Launch an EC2 instance, store a value in S3,... Simple Object Access Protocol (SOAP) Not as simple as the name suggests XML-based, extensible, general, standardized, but also somewhat heavyweight and verbose Increasingly deprecated (e.g., for SimpleDB and EC2) Representational State Transfer (REST) Much simpler to develop than SOAP Web-specific; lack of standards 47

48 Example: REST
Sample request:

    https://sdb.amazonaws.com/?Action=PutAttributes
    &DomainName=MyDomain
    &ItemName=Item123
    &Attribute.1.Name=Color&Attribute.1.Value=Blue
    &Attribute.2.Name=Size&Attribute.2.Value=Med
    &Attribute.3.Name=Price&Attribute.3.Value=0014.99
    &AWSAccessKeyId=
    &Version=2009-04-15
    &Signature=[valid signature]
    &SignatureVersion=2
    &SignatureMethod=HmacSHA256
    &Timestamp=2010-01-25T15%3A01%3A28-07%3A00

Sample response: Success f6820318-9658-4a9d-89f8-b067c90904fc 0.0000219907
[Slide annotations: Invoked method; Parameters; Credentials; Response elements]
Source: http://awsdocs.s3.amazonaws.com/SDB/latest/sdb-dg.pdf
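How the Signature parameter in a request like this one can be produced and checked, as an added example (not part of the original slides). It follows the AWS Signature Version 2 procedure named by SignatureVersion=2 and SignatureMethod=HmacSHA256; the secret key, the access key id, the 15-minute freshness window and the server-side verify_v2 function are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import quote

HOST, PATH = "sdb.amazonaws.com", "/"  # endpoint taken from the slide's URL


def _enc(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return quote(str(value), safe="-_.~")


def canonical_query(params):
    # Sort by parameter name so client and server hash identical bytes.
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))


def sign_v2(method, params, secret_key):
    # String to sign: verb, lowercase host, path, canonical query string.
    string_to_sign = "\n".join([method, HOST, PATH, canonical_query(params)])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_v2(method, params, secret_key, now, max_age=timedelta(minutes=15)):
    """Server side (hypothetical): accept only an unaltered, fresh request."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign_v2(method, unsigned, secret_key).encode()
    supplied = str(params.get("Signature", "")).encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return False
    if "Timestamp" not in unsigned:
        return False
    # The signed Timestamp bounds how long a captured request stays usable.
    sent = datetime.fromisoformat(unsigned["Timestamp"])
    return abs(now - sent) <= max_age


def build_request(secret_key):
    """The slide's PutAttributes call, signed with constructed credentials."""
    params = {
        "Action": "PutAttributes",
        "DomainName": "MyDomain",
        "ItemName": "Item123",
        "Attribute.1.Name": "Color", "Attribute.1.Value": "Blue",
        "Attribute.2.Name": "Size", "Attribute.2.Value": "Med",
        "Attribute.3.Name": "Price", "Attribute.3.Value": "0014.99",
        "AWSAccessKeyId": "AKIDEXAMPLEPLACEHOLDER",  # constructed placeholder
        "Version": "2009-04-15",
        "SignatureVersion": "2",
        "SignatureMethod": "HmacSHA256",
        "Timestamp": "2010-01-25T15:01:28-07:00",
    }
    params["Signature"] = sign_v2("GET", params, secret_key)
    return params


if __name__ == "__main__":
    secret = "constructed-secret-key"  # constructed; never sent on the wire
    request = build_request(secret)
    now = datetime.fromisoformat("2010-01-25T15:05:00-07:00")
    print("valid:", verify_v2("GET", request, secret, now))
    request["Attribute.3.Value"] = "0000.01"  # altered after signing
    print("altered:", verify_v2("GET", request, secret, now))
```

Only the access key id travels with the request; the secret key stays on the client and the server, which is why the slide lists the id and the signature, but no secret, under "Credentials".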

49 Example: SOAP 49 <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:SOAP-ENC='http://schemas.xmlsoap.org/soap/encoding/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema'> a1 2 a2 4 domain1 eID001 2009-04-15 4c68e051-fe45-43b2-992a- a24017ffe7ab 0.0000219907 Sample request Sample response Source: http://awsdocs.s3.amazonaws.com/SDB/latest/sdb-dg.pdf

50 Amazon Compute Cloud (EC2) 50

51 What is Amazon EC2? Infrastructure-as-a-Service (IaaS) You can rent various types of virtual machines by the hour In your VMs, you can run your own (Linux/Windows) programs Examples: Web server, search engine, movie renderer,... 51 http://aws.amazon.com/ec2/#pricing (9/11/2013) 68.4 GB memory 8 virtual cores (3.25 CU each) 1690 GB storage 'high' I/O 1.7 GB memory 1 virtual core (1 CU each) 160GB storage 'moderate' I/O

52 Oh no - where has my data gone? EC2 instances do not have persistent storage Data survives stops & reboots, but not termination So where should I put persistent data? Elastic Block Store (EBS) 1 Ideally, use an AMI with an EBS root (Amazon's default AMI has this property) 52 If you store data on the virtual hard disk of your instance and the instance fails or you terminate it, your data WILL be lost! 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

53 Amazon Machine Images 1 When I launch an instance, what software will be installed on it? Software is taken from an Amazon Machine Image (AMI) Selected when you launch an instance Essentially a file system that contains the operating system, applications, and potentially other data Lives in S3 How do I get an AMI? Amazon provides several generic ones, e.g., Amazon Linux, Fedora Core, Windows Server,... You can make your own You can even run your own custom kernel (with some restrictions) 53 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

54 Security Groups 1 Basically, a set of firewall rules Can be applied to groups of EC2 instances Each rule specifies a protocol, port numbers, etc... Only traffic matching one of the rules is allowed through Sometimes need to explicitly open ports 54 Instance Evil attacker Legitimate user (you or your customers) 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

55 Regions and Availability Zones 1 Where exactly does my instance run? No easy way to find out - Amazon does not say Instances can be assigned to regions Currently 9 available: US East (Northern Virginia), US West (Northern California), US West (Oregon), EU (Ireland), Asia/Pacific (Singapore), Asia/Pacific (Sydney), Asia/Pacific (Tokyo), South America (Sao Paulo), AWS GovCloud Important, e.g., for reducing latency to customers Instances can be assigned to availability zones Purpose: Avoid correlated fault Several availability zones within each region 55 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

56 Network pricing AWS does charge for network traffic Price depends on source and destination of traffic Free within EC2 and other AWS services in same region (e.g., S3) Remember: ISPs are typically charged for upstream traffic 56 http://aws.amazon.com/ec2/#pricing (9/11/2013)

57 Instance types So far: On-demand instances Also available: Reserved instances One-time reservation fee to purchase for 1 or 3 years Usage still billed by the hour, but at a considerable discount Also available: Spot instances Spot market: Can bid for available capacity Instance continues until terminated or price rises above bid 57 Source: http://aws.amazon.com/ ec2/reserved-instances/

58 Service Level Agreement 58 http://aws.amazon.com/ec2-sla/ (9/11/2013; excerpt) 4.38h downtime per year allowed

59 What is Elastic Block Store (EBS)? Persistent storage Unlike the local instance store, data stored in EBS is not lost when an instance fails or is terminated Should I use the instance store or EBS? Typically, instance store is used for temporary data 59 Instance EBS storage

60 Volumes EBS storage is allocated in volumes A volume is a 'virtual disk' (size: 1GB - 1TB) Basically, a raw block device Can be attached to an instance (but only one at a time) A single instance can access multiple volumes Placed in specific availability zones Why is this useful? Be sure to place it near instances (otherwise can't attach) Replicated across multiple servers Data is not lost if a single server fails Amazon: Annual failure rate is 0.1-0.5% for a 20GB volume 60

61 EC2 instances with EBS roots EC2 instances can have an EBS volume as their root device ("EBS boot") Result: Instance data persists independently from the lifetime of the instance You can stop and restart the instance, similar to suspending and resuming a laptop You won't be charged for the instance while it is stopped (only for EBS) You can enable termination protection for the instance Blocks attempts to terminate the instance (e.g., by accident) until termination protection is disabled again Alternative: Use instance store as the root You can still store temporary data on it, but it will disappear when you terminate the instance You can still create and mount EBS volumes explicitly 61

62 Time Snapshots You can create a snapshot of a volume Copy of data in the volume at the time snapshot was made Only the first snapshot makes a full copy; subsequent snapshots are incremental What are snapshots good for? Sharing data with others DBpedia snapshot ID is "snap-882a8ae3" Access control list (specific account numbers) or public access Instantiate new volumes Point-in-time backups 62

63 Pricing You pay for... Storage space: $0.10 per allocated GB per month I/O requests: $0.10 per million I/O requests S3 operations (GET/PUT) Charge is only for actual storage used Empty space does not count 63

64 Creating an EBS volume 64 Needs to be in same availability zone as your instance! DBpedia snapshot ID Create volume

65 Mounting an EBS volume
Step 1: Attach the volume

    mkse212@vm:~$ ec2-attach-volume -d /dev/sda2 -i i-9bd6eef1 vol-cca68ea5
    ATTACHMENT vol-cca68ea5 i-9bd6eef1 /dev/sda2 attaching
    mkse212@vm:~$

Step 2: Mount the volume in the instance

    mkse212@vm:~$ ssh ec2-user@ec2-50-17-64-130.compute-1.amazonaws.com

           __|  __|_  )  Amazon Linux AMI
           _|  (     /     Beta
          ___|\___|___|

    See /usr/share/doc/system-release-2011.02 for latest release notes. :-)
    [ec2-user@ip-10-196-82-65 ~]$ sudo mount /dev/sda2 /mnt/
    [ec2-user@ip-10-196-82-65 ~]$ ls /mnt/
    dbpedia_3.5.1.owl  dbpedia_3.5.1.owl.bz2  en  other_languages
    [ec2-user@ip-10-196-82-65 ~]$

66 Detaching an EBS volume
Step 1: Unmount the volume in the instance

    [ec2-user@ip-10-196-82-65 ~]$ sudo umount /mnt/
    [ec2-user@ip-10-196-82-65 ~]$ exit
    mkse212@vm:~$

Step 2: Detach the volume

    mkse212@vm:~$ ec2-detach-volume vol-cca68ea5
    ATTACHMENT vol-cca68ea5 i-9bd6eef1 /dev/sda2 detaching
    mkse212@vm:~$

67 Plan for today A brief history of cloud computing Introduce one specific commercial cloud Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Elastic Block Storage (EBS) Other services: Mechanical Turk, CloudFront,... Next time: S3 and SimpleDB 67 NEXT

68 AWS Import/Export
Import/export large amounts of data to/from S3 buckets via physical storage device
Mail an actual hard disk to Amazon (power adapter, cables!)
Signature file for authentication
Discussion: Is this the Right Way to be shipping data, or should we rather be using a network?

Time to transfer 10TB [AF10]
Method | Time
Internet (20Mbps) | 45 days
FedEx | 1 day

69 Mechanical Turk (MTurk) A crowdsourcing marketplace Requesters post small jobs (HIT - Human Intelligence Task), offer small rewards ($0.01-$0.10) 69 https://www.mturk.com/mturk/ (9/23/2010 1:58am)

70 CloudFront Content distribution network Caches S3 content at edge locations for low-latency delivery Some similarities to other CDNs like Akamai, Limelight,... 70

71 Plan for today A brief history of cloud computing Introduce one specific commercial cloud Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Elastic Block Storage (EBS) Other services: Mechanical Turk, CloudFront,... Next time: S3 and SimpleDB 71 NEXT

72 Stay tuned Next time you will learn about: Cloud storage 72

