Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Systems CS

Published byRosamund Knight Modified over 5 years ago

Similar presentations

Presentation on theme: "Distributed Systems CS"— Presentation transcript:

1 Distributed Systems CS 15-440
Fault Tolerance- Part I Lecture 22, November 21, 2016 Mohammad Hammoud

2 Today… Last 5 Sessions: Programming Models Today’s Session:
Fault Tolerance – Part I General background Process resilience and failure detection Announcements: P4 is due on Nov 30 by midnight Final exam is on Thursday, Dec 8th from 1:30PM to 4:30PM at Room 1190 (all topics are included; it will be open books, open notes)

3 Discussion on Fault Tolerance
Objectives Discussion on Fault Tolerance Recovery from failures Atomicity and distributed commit protocols Process resilience, failure detection and reliable multicasting General background on fault tolerance

4 Intended Learning Outcomes
Considered: a reasonably critical and comprehensive perspective. Thoughtful: Fluent, flexible and efficient perspective. Masterful: a powerful and illuminating ILO5 Explain how a distributed system can be made fault tolerant ILO5.1 Describe dependable systems, different types of failures, and failure masking by redundancy ILO5.2 Explain how process resilience can be achieved in a distributed system ILO5.3 Describe the five different classes of failures that can occur in RPC systems ILO5.4 Explain different schemes of reliable multicasting, scalability in reliable multicasting, the atomic multicast problem, the distributed commit problem, and virtual synchrony ILO5.5 Describe when and how the state of a distributed system can be recorded and recovered ILO5 ILO5.1 ILO5.2 ILO5.3 ILO5.4 ILO5.5

5 A General Background Basic Concepts Failure Models
Failure Masking by Redundancy

6 A General Background Basic Concepts Failure Models
Failure Masking by Redundancy

7 Failures, Due to What? Failures can happen due to a variety of reasons: Hardware faults Software bugs Operator errors Network errors/outages A system is said to fail when it cannot meet its promises

8 Failures in Distributed Systems
A characteristic feature of distributed systems that distinguishes them from centralized systems is the notion of partial failures A partial failure may happen when a component in a distributed system fails This failure may affect the proper operation of other components, while at the same time leaving yet other components unaffected

9 Goal and Fault-Tolerance
An overall goal in distributed systems is to construct the system in such a way that it can automatically recover from partial failures Fault-tolerance is the property that enables a system to continue operating properly in the event of failures For example, TCP is designed to allow reliable two-way communication in a packet-switched network, even in the presence of communication links which are imperfect or overloaded Tire punctured. Car stops. Tire punctured, recovered and continued.

10 Faults, Errors and Failures
Transient Intermittent Permanent A system is said to be fault tolerant if it can provide its services even in the presence of faults

11 Fault Tolerance Requirements
A robust fault tolerant system entails: No single point of failure Fault isolation/containment Availability of reversion modes

12 Dependable Systems Being fault tolerant is strongly related to what is called a dependable system A system is said to be highly available if it will be most likely working at a given instant in time A highly-reliable system is one that will most likely continue to work without interruption during a relatively long period of time Availability Reliability A Dependable System Safety Maintainability If a system temporarily fails to operate correctly, nothing catastrophic happens How easy a failed system can be repaired

13 A General Background Basic Concepts Failure Models
Failure Masking by Redundancy

14 Failure Models Type of Failure Description Type of Failure Description
Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Arbitrary Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times Type of Failure Description Crash Failure A server halts, but was working correctly until it stopped Omission Failure Receive Omission Send Omission A server fails to respond to incoming requests A server fails to receive incoming messages A server fails to send messages Timing Failure A server’s response lies outside the specified time interval Response Failure Value Failure State Transition Failure A server’s response is incorrect The value of the response is wrong The server deviates from the correct flow of control Byzantine Failure A server may produce arbitrary responses at arbitrary times

15 A General Background Basic Concepts Failure Models
Failure Masking by Redundancy

16 Faults Masking by Redundancy
The key technique for masking faults is to use redundancy Usually, extra bits are added to allow recovery from garbled bits Information Usually, extra equipment are added to allow tolerating failed hardware components Usually, extra processes are added to allow tolerating failed processes Redundancy Software Hardware Time Usually, an action is performed, and then, if required, it is performed again

17 Triple Modular Redundancy
If one is faulty, the final result will be incorrect A circuit with signals passing through devices A, B, and C, in sequence If 2 or 3 of the inputs are the same, the output is equal to that input An example of hardware redundancy Each device is replicated 3 times and after each stage is a triplicated voter

18 Discussion on Fault Tolerance
Objectives Discussion on Fault Tolerance Recovery from failures Atomicity and distributed commit protocols Process resilience, failure detection and reliable multicasting General background on fault tolerance

19 Process Resilience and Failure Detection

20 Process Resilience and Failure Detection
Let us concentrate now on how fault tolerance can actually be achieved in distributed systems The topics we will discuss include: How can we provide protection against process failures? Process Groups Reaching an agreement within a process group How to detect failures?

21 Process Resilience The key approach to tolerating a faulty process is to organize several identical processes into a group If one process in a group fails, hopefully some other process can take over Caveats: A process can join a group or leave one during system operation A process can be a member of several groups at the same time P P When a message is sent to a group, all members of the group should receive it. Mechanisms are needed for managing groups and group membership. Groups are roughly analogous to social organizations.

22 Flat Versus Hierarchical Groups
An important distinction between different groups has to do with their internal structure Mechanisms are needed for managing groups and group membership. Groups are roughly analogous to social organizations. Flat Group: (+) Symmetrical (+) No single point of failure (-) Decision making is complicated Hierarchical Group: (+) Decision making is simple (-) Asymmetrical (-) Single point of failure

23 K-Fault-Tolerant Systems
A system is said to be k-fault-tolerant if it can survive faults in k components and still meet its specifications How can we achieve a k-fault-tolerant system? This would require an agreement protocol applied to a process group If components fail silently, then having k + 1 of them is enough to provide k-fault-tolerance. If components exhibit Byzantine failures, a minimum of 2k + 1 of them are needed to achieve k-fault-tolerance.

24 Agreement in Faulty Systems
A process group typically requires reaching an agreement in: Electing a coordinator Deciding whether or not to commit a transaction Dividing tasks among workers Synchronization Communication and processes could be: Perfect Reaching an agreement is often straightforward Not perfect Reaching an agreement is typically not easy

25 Agreement in Faulty Systems
The goal is two-fold: Have all non-faulty processes reach consensus on some issue Establish that consensus within a finite number of steps Usually, different assumptions about the underlying system necessitate different solutions: Synchronous vs. asynchronous systems Bounded vs. unbounded communication delays Ordered vs. unordered message delivery Unicasting vs. multicasting message transmissions

26 Agreement in Faulty Systems
Reaching a distributed agreement is only possible in the following circumstances: Message Ordering Unordered Ordered Process Behavior Synchronous Bounded Communication Delay Unbounded Asynchronous Unicast Multicast Message Transmission

27 Agreement in Faulty Systems
In practice, many distributed systems assume that: Processes behave asynchronously Message transmission is unicast Communication delays are unbounded Message delivery is ordered (& reliable) The agreement problem has been originally studied by Lamport [Lamport et al. (1982)] It is referred to as the Byzantine Agreement Problem

28 The Byzantine Agreement Problem
Lamport assumes: Processes are synchronous Messages are unicast and ordered Communication delay is bounded There are N processes, where each process i will provide a value vi to the others There are at most k faulty processes The goal of Byzantine agreement is that consensus is reached on the value for the non-faulty processes only.

29 The Byzantine Agreement Problem
Lamport’s Assumptions: Message Ordering Unordered Ordered Process Behavior Synchronous Bounded Communication Delay Unbounded Asynchronous Unicast Multicast Message Transmission The goal of Byzantine agreement is that consensus is reached on the value for the non-faulty processes only. Lamport suggests that each process i constructs a vector V of length N, such that if process i is non-faulty, V[i] = vi. Otherwise, V[i] is undefined

30 The Byzantine Agreement Problem
Case I: N = 4 and k = 1 Step3: Every process passes its vector to every other process Step1: Each process sends its value to the others Step2: Each process collects values received in a vector 1 Got (1, 2, y, 4) (a, b, c, d) (1, 2, z, 4) 2 Got (1, 2, x, 4) (e, f, g, h) (1, 2, z, 4) 1 1 2 1 Got(1, 2, x, 4) 2 Got(1, 2, y, 4) 3 Got(1, 2, 3, 4) 4 Got(1, 2, z, 4) 2 1 2 4 2 1 x 4 Got (1, 2, x, 4) (1, 2, y, 4) (i, j, k, l) y 4 3 4 4 z Faulty process

31 The Byzantine Agreement Problem
Step 4: Each process examines the ith element of each of the newly received vectors If any value has a majority, that value is put into the result vector If no value has a majority, the corresponding element of the result vector is marked UNKNOWN 1 Got (1, 2, y, 4) (a, b, c, d) (1, 2, z, 4) The algorithm reaches an agreement 2 Got (1, 2, x, 4) (e, f, g, h) (1, 2, z, 4) 4 Got (1, 2, x, 4) (1, 2, y, 4) ( i, j, k, l) Result Vector: (1, 2, UNKNOWN, 4) Result Vector: (1, 2, UNKNOWN, 4) Result Vector: (1, 2, UNKNOWN, 4)

32 The Byzantine Agreement Problem
Case II: N = 3 and k = 1 Step3: Every process passes its vector to every other process Step1: Each process sends its value to the others Step2: Each process collects values received in a vector 1 1 2 1 Got (1, 2, y) (a, b, c) 2 Got (1, 2, x) (d, e, f) 1 Got(1, 2, x) 2 Got(1, 2, y) 3 Got(1, 2, 3) 2 1 2 1 x y 3 Faulty process

33 The Byzantine Agreement Problem
Step 4: Each process examines the ith element of each of the newly received vectors If any value has a majority, that value is put into the result vector If no value has a majority, the corresponding element of the result vector is marked UNKNOWN The algorithm has failed to produce an agreement 1 Got (1, 2, y) (a, b, c) 2 Got (1, 2, x) (d, e, f) Result Vector: (UNKOWN, UNKNOWN, UNKNOWN) Result Vector: (UNKOWN, UNKNOWN, UNKNOWN)

34 Concluding Remarks on the Byzantine Agreement Problem
Lamport et al. (1982) proved that in a system with k faulty processes, an agreement can be achieved only if 2k+1 correctly functioning processes are present, for a total of 3k+1 An agreement is possible only if more than two-thirds of the processes are working properly Fisher et al. (1985) proved that when ordering of messages cannot be guaranteed to be delivered within a known, finite time, no agreement is possible even if only ONE process is faulty Arbitrarily slow processes are indistinguishable from crashed ones.

35 Discussion on Fault Tolerance
Objectives Discussion on Fault Tolerance Recovery from failures Atomicity and distributed commit protocols Process resilience, failure detection and reliable multicasting General background on fault tolerance

36 Process Failure Detection
Before we properly mask failures, we generally need to detect them For a group of processes, non-faulty members should be able to decide who is still a member and who is not Two main policies: Processes actively send “are you alive?” messages to each other (i.e., pinging each other) Processes passively wait until messages come in from different processes Second bullet: in other words we need to be able to detect when a member has failed.

37 Timeout Mechanism To detect failures, a timeout mechanism is typically involved, whereby you can: Specify a timer After a period of time, if no response is received, trigger a timeout and act accordingly Caveat: Due to unreliable networks, simply stating that a process has failed because it does not return an answer to a ping message may be wrong! First sub-bullet: (i.e., quite easy to generate false positives). Last bullet: The FUSE system is an example.

38 Failure Considerations
There are various issues that need to be taken into account when designing a failure detection subsystem: Failure detection can be done as a side-effect of regularly exchanging information with neighbors (e.g., gossip-based information dissemination) A failure detection subsystem should ideally be able to distinguish network failures from node failures When a member failure is detected, how should other non-faulty processes be informed First sub-bullet: (i.e., quite easy to generate false positives). Last bullet: Talk about the FUSE system.

39 Example: FUSE [Dunagan et al. 2004]
In FUSE, processes can be joined in a group that spans a WAN The group members create a spanning tree that is used for monitoring member failures An active (pinging) policy is used where a single node failure is rapidly promoted to a group failure notification Ping Ping Ping Second bullet: in other words we need to be able to detect when a member has failed. A A B B C Ping Ping ACK Ping E E F F D D Failed Member Alive Member

40 Next Class Discussion on Fault Tolerance Fault-Tolerance- Part II
Recovery from failures Atomicity and distributed commit protocols Process resilience, failure detection and reliable multicasting General background on fault tolerance Fault-Tolerance- Part II

41 Thank You!

Download ppt "Distributed Systems CS"

Similar presentations

Fault Tolerance. Basic System Concept Basic Definitions Failure: deviation of a system from behaviour described in its specification. Error: part of.

Fault Tolerance. Basic System Concept Basic Definitions Failure: deviation of a system from behaviour described in its specification. Error: part of.
Chapter 8 Fault Tolerance

Chapter 8 Fault Tolerance
1 CS 194: Distributed Systems Process resilience, Reliable Group Communication Scott Shenker and Ion Stoica Computer Science Division Department of Electrical.

1 CS 194: Distributed Systems Process resilience, Reliable Group Communication Scott Shenker and Ion Stoica Computer Science Division Department of Electrical.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Computer Science Lecture 17, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.

Computer Science Lecture 17, page 1 CS677: Distributed OS Last Class: Fault Tolerance Basic concepts and failure models Failure masking using redundancy.
Chapter 7 Fault Tolerance Basic Concepts Failure Models Process Design Issues Flat vs hierarchical group Group Membership Reliable Client.

Chapter 7 Fault Tolerance Basic Concepts Failure Models Process Design Issues Flat vs hierarchical group Group Membership Reliable Client.
Distributed Systems CS 15-440 Fault Tolerance- Part I Lecture 13, Oct 17, 2011 Majd F. Sakr, Mohammad Hammoud andVinay Kolar 1.

Distributed Systems CS Fault Tolerance- Part I Lecture 13, Oct 17, 2011 Majd F. Sakr, Mohammad Hammoud andVinay Kolar 1.
Last Class: Weak Consistency

Last Class: Weak Consistency
Computer Science Lecture 16, page 1 CS677: Distributed OS Last Class:Consistency Semantics Consistency models –Data-centric consistency models –Client-centric.

Computer Science Lecture 16, page 1 CS677: Distributed OS Last Class:Consistency Semantics Consistency models –Data-centric consistency models –Client-centric.
Composition Model and its code. bound:=bound+1.

Composition Model and its code. bound:=bound+1.
Distributed Algorithms – 2g1513 Lecture 9 – by Ali Ghodsi Fault-Tolerance in Distributed Systems.

Distributed Algorithms – 2g1513 Lecture 9 – by Ali Ghodsi Fault-Tolerance in Distributed Systems.
Chap 15. Agreement. Problem Processes need to agree on a single bit No link failures A process can fail by crashing (no malicious behavior) Messages take.

Chap 15. Agreement. Problem Processes need to agree on a single bit No link failures A process can fail by crashing (no malicious behavior) Messages take.
Fault Tolerance. Basic Concepts Availability The system is ready to work immediately Reliability The system can run continuously Safety When the system.

Fault Tolerance. Basic Concepts Availability The system is ready to work immediately Reliability The system can run continuously Safety When the system.
V1.7Fault Tolerance1. V1.7Fault Tolerance2 A characteristic of Distributed Systems is that they are tolerant of partial failures within the distributed.

V1.7Fault Tolerance1. V1.7Fault Tolerance2 A characteristic of Distributed Systems is that they are tolerant of partial failures within the distributed.
Chapter 11 Fault Tolerance. Topics Introduction Process Resilience Reliable Group Communication Recovery.

Chapter 11 Fault Tolerance. Topics Introduction Process Resilience Reliable Group Communication Recovery.
Introduction to Fault Tolerance By Sahithi Podila.

Introduction to Fault Tolerance By Sahithi Podila.
Fault Tolerance Chapter 7. Goal An important goal in distributed systems design is to construct the system in such a way that it can automatically recover.

Fault Tolerance Chapter 7. Goal An important goal in distributed systems design is to construct the system in such a way that it can automatically recover.
PROCESS RESILIENCE By Ravalika Pola. outline: Process Resilience  Design Issues  Failure Masking and Replication  Agreement in Faulty Systems  Failure.

PROCESS RESILIENCE By Ravalika Pola. outline: Process Resilience  Design Issues  Failure Masking and Replication  Agreement in Faulty Systems  Failure.
Fault Tolerance (2). Topics r Reliable Group Communication.

Fault Tolerance (2). Topics r Reliable Group Communication.
Fundamentals of Fault-Tolerant Distributed Computing In Asynchronous Environments Paper by Felix C. Gartner Graeme Coakley COEN 317 November 23, 2003.

Fundamentals of Fault-Tolerant Distributed Computing In Asynchronous Environments Paper by Felix C. Gartner Graeme Coakley COEN 317 November 23, 2003.

Similar presentations

Ads by Google