Transcript of 04 Availability (iau-tnb.zohosites.com/files/04 Availability_Ra.pdf, 2015-11-14)
Chapter Outline
• What is Availability?
• Availability General Scenario
• Tactics for Availability
What is Availability?
• Availability refers to a property of software: that it is there and ready to carry out its task when you need it to be.
• This is a broad perspective and encompasses what is normally called reliability.
• Availability builds on reliability by adding the notion of recovery (repair).
• Fundamentally, availability is about minimizing service outage time by mitigating faults.
A Discussion on Availability, Reliability, and Dependability
Availability: the ratio of the time a unit is capable of being used to the length of a given interval.
MTBF
Mean Time Between Failures (MTBF) is the predicted elapsed time between failures of a system during operation, calculated as the average time between failures. The MTBF model assumes that a failed system is immediately repaired (see MTTR).
MTBF = total time in service / number of failures
MTTF
Mean Time To Failure (MTTF) is the length of time a device or other product is expected to last in operation. MTTF is one of many ways to evaluate the reliability of hardware or other technology.
Difference between MTTF and MTBF: MTBF is used for products that can be repaired and returned to use; MTTF is used for non-repairable products. When MTTF is used as a measure, repair is not an option.
MTTR
Mean Time To Repair (MTTR), or Mean Time To Recovery, is the average time required to repair a failed component.
Failure Rate (λ): number of failures/total time in service
A piece of equipment can be available but not reliable. For example, a machine that is down 6 minutes every hour has:
Availability = 90%
Reliability = less than 1 hour (it never runs a full hour without failing)
Generally speaking, a reliable machine has high availability, but an available machine may or may not be very reliable.
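The relationship between these measures can be shown with a short calculation. A minimal sketch (the function name is illustrative), applied to the 6-minutes-per-hour machine above:

```python
# Steady-state availability from MTBF and MTTR:
#   Availability = MTBF / (MTBF + MTTR)
def availability(mtbf, mttr):
    return mtbf / (mtbf + mttr)

# The machine above fails every hour: 54 minutes of operation (MTBF),
# then 6 minutes of repair (MTTR).
print(availability(54, 6))  # -> 0.9, i.e. 90% available
```

The same 90% figure could come from a machine that is down 3.6 days every 36 days; availability alone says nothing about how often the failures occur, which is why reliability (MTBF) is tracked separately.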
MDT
Mean Down Time (MDT) is the average time that a system is non-operational.
Mean Down Time key factors:
1. System failure
   1. Fault detection and isolation
   2. Parts procurement
   3. System repair
2. Scheduled downtime
   1. Preventive maintenance (e.g., checking oil in a car engine)
   2. System upgrade
   3. Calibration
   4. Other administrative actions
What is Availability?
Dependability
Dependability is a measure of a system's:
✴Availability
✴Reliability
✴Maintainability
Availability General Scenario
Portion of Scenario → Possible Values
• Source: internal/external: people, hardware, software, physical infrastructure
• Stimulus: fault: omission, crash, incorrect timing, incorrect response
• Artifact: system's processors, communication channels, persistent storage, processes
• Environment: normal operation, startup, shutdown, repair mode, degraded operation, overloaded operation
• Response: prevent the fault from becoming a failure; detect the fault (log the fault; notify appropriate entities, people or systems); recover from the fault (disable the source of events causing the fault; be temporarily unavailable while repair is being effected; fix or mask the fault/failure or contain the damage it causes; operate in a degraded mode while repair is being effected)
• Response Measure: time or time interval when the system must be available; availability percentage (e.g., 99.999%); time to detect the fault; time to repair the fault; time or time interval in which the system can be in degraded mode; proportion (e.g., 99%) or rate (e.g., up to 100 per second) of a certain class of faults that the system prevents or handles without failing
Availability General Scenario: a note on fault classes
Sample Concrete Availability Scenario
• The heartbeat monitor determines that the server is nonresponsive during normal operations. The system informs the operator and continues to operate with no downtime.
Goal of Availability Tactics
• A failure occurs when the system no longer delivers a service consistent with its specification; this failure is observable by the system's actors.
• A fault (or combination of faults) has the potential to cause a failure.
• Availability tactics enable a system to endure faults so that services remain compliant with their specifications.
• The tactics keep faults from becoming failures, or at least bound the effects of the fault and make repair possible.
Availability Tactics
Detect Faults (1/9)
• Ping/Echo: an asynchronous request/response message pair exchanged between nodes, used to determine reachability and the round-trip delay through the associated network path.
• Monitor: a component used to monitor the state of health of other parts of the system. A system monitor can detect failure or congestion in the network or other shared resources, such as from a denial-of-service attack.
• Heartbeat: a periodic message exchange between a system monitor and a process being monitored.
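A heartbeat monitor can be sketched in a few lines: the monitored process records a timestamp on each beat, and the monitor declares a fault when the expected interval is exceeded. The class and method names here are illustrative, not from the slides:

```python
import time

class HeartbeatMonitor:
    """Declares a monitored process failed if no heartbeat
    arrives within `timeout` seconds."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.last_beat = time.monotonic()

    def beat(self):
        # Called periodically by the monitored process.
        self.last_beat = time.monotonic()

    def is_alive(self):
        # Called by the system monitor to check for signs of life.
        return (time.monotonic() - self.last_beat) <= self.timeout

monitor = HeartbeatMonitor(timeout=0.05)
monitor.beat()
print(monitor.is_alive())   # -> True: a beat arrived recently
time.sleep(0.1)             # no heartbeat for longer than the timeout
print(monitor.is_alive())   # -> False: the process is presumed failed
```

The difference from ping/echo is visible in the sketch: the monitor never sends a request; the monitored process takes the initiative, so a dead process is detected by silence alone.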
Detect Faults (2/9)
• Timestamp: used to detect incorrect sequences of events, primarily in distributed message-passing systems.
• Sanity Checking: checks the validity or reasonableness of a component’s operations or outputs; typically based on a knowledge of the internal design, the state of the system, or the nature of the information under scrutiny.
• Condition Monitoring: checking conditions in a process or device, or validating assumptions made during the design.
Detect Faults (3/9)
• Voting: checks that replicated components are producing the same results.
– The most common realization of this tactic is triple modular redundancy (TMR), which employs three components that do the same thing. Each receives identical inputs and forwards its output to voting logic, used to detect any inconsistency among the three output states.
– Comes in various flavors: replication, functional redundancy, analytic redundancy.
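A minimal majority voter for TMR might look like this (a sketch assuming exact-match outputs; real voters for analog values would compare within a tolerance):

```python
from collections import Counter

def tmr_vote(a, b, c):
    """Return the majority value of three replicated outputs,
    or raise if all three disagree (no majority exists)."""
    value, count = Counter([a, b, c]).most_common(1)[0]
    if count < 2:
        raise RuntimeError("no majority: all three outputs disagree")
    return value

print(tmr_vote(42, 42, 42))  # -> 42 (all replicas agree)
print(tmr_vote(42, 7, 42))   # -> 42 (one faulty component is outvoted)
```

The sketch also shows the tactic's limit mentioned below: with exact clones, a design fault makes all three outputs wrong in the same way, and the voter happily returns the wrong majority.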
Detect Faults (4/9) (Voting tactics)
– Replication: the components are exact clones of each other. Having multiple copies of identical components can be effective in protecting against random failures of hardware, but cannot protect against design or implementation errors, in hardware or software, because there is no form of diversity embedded in this tactic.
– Functional redundancy: a form of voting intended to address the issue of common-mode failures (design or implementation faults) in hardware or software components. Here, the components must always give the same output given the same input, but they are diversely designed and diversely implemented.
Detect Faults (5/9) (Voting tactics)
• Analytic redundancy permits not only diversity among components' private sides, but also diversity among the components' inputs and outputs. This tactic is intended to tolerate specification errors by using separate requirement specifications. In embedded systems, analytic redundancy also helps when some input sources are likely to be unavailable at times.
– Example: avionics programs have multiple ways to compute aircraft altitude, such as using barometric pressure, the radar altimeter, and geometrically using the straight line distance and look-down angle of a point ahead on the ground. The voter mechanism used with analytic redundancy needs to be more sophisticated than just letting majority rule or computing a simple average. It may have to understand which sensors are currently reliable or not, and it may be asked to produce a higher-fidelity value than any individual component can, by blending and smoothing individual values over time.
Detect Faults (7/9)
• Exception Detection: detection of a system condition that alters the normal flow of execution, e.g., system exception, parameter fence, parameter typing, timeout.
Detect Faults (8/9) (Exception Detection tactics)
• System exceptions include faults such as divide by zero, bus and address faults, illegal program instruction, and so forth.
• Parameter fence: incorporates an a priori data pattern (such as 0xDEADBEEF) placed immediately after any variable-length parameters of an object. This allows for runtime detection of overwriting the memory allocated for the object's variable-length parameters.
• Parameter typing: employs a base class that defines functions that add, find, and iterate over type-length-value (TLV) formatted message parameters. Derived classes use the base class functions to implement functions that provide parameter typing according to each parameter's structure. Use of strong typing to build and parse messages results in higher availability than implementations that simply treat messages as byte buckets.
• Timeout: raises an exception when a component detects that it or another component has failed to meet its timing constraints. For example, a component awaiting a response from another component can raise an exception if the wait time exceeds a certain value.
Detect Faults (9/9)
• Self-test: a procedure for a component to test itself for correct operation. These may involve employing some of the techniques found in condition monitoring, such as checksums.
Availability Tactics
Recover from Faults (Preparation & Repair 1/5)
A note: Protection group: a group of nodes where one or more nodes are “active,” with the remainder serving as redundant spares.
• Active Redundancy (hot spare): all nodes in a protection group receive and process identical inputs in parallel, allowing redundant spares to maintain synchronous state with the active nodes.
– The simple case of one active node and one redundant spare node is commonly referred to as 1+1 ("one plus one") redundancy.
• Passive Redundancy (warm spare): only the active members of the protection group process input traffic; one of their duties is to provide the redundant spares with periodic state updates.
– Passive redundancy achieves a balance between the more highly available but more compute-intensive and expensive active redundancy tactic and the less available but significantly less complex cold spare tactic.
Recover from Faults (Preparation & Repair 2/5)
• Spare (cold spare): redundant spares of a protection group remain out of service until a fail-over occurs, at which point a power-on-reset procedure is initiated on the redundant spare prior to its being placed in service.
Recover from Faults (Preparation & Repair 4/5)
• Exception Handling: dealing with the exception by reporting it or handling it, potentially masking the fault by correcting the cause of the exception and retrying.
• Rollback: revert to a previous known good state, referred to as the “rollback line”.
• Software Upgrade: in-service upgrades to executable code images in a non-service-affecting manner.
Recover from Faults (Preparation & Repair 5/5)
• Retry: where a failure is transient, retrying the operation may lead to success.
• Ignore Faulty Behavior: ignoring messages sent from a source when it is determined that those messages are spurious.
• Degradation: maintains the most critical system functions in the presence of component failures, dropping less critical functions.
• Reconfiguration: reassigning responsibilities to the resources left functioning, while maintaining as much functionality as possible.
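The retry tactic is commonly implemented with a bounded attempt count and a backoff delay; a sketch (the flaky operation is simulated, and the helper names are mine):

```python
import time

def retry(operation, attempts=3, delay_s=0.01):
    """Retry an operation prone to transient failures a bounded
    number of times, re-raising the last error on exhaustion."""
    for attempt in range(1, attempts + 1):
        try:
            return operation()
        except Exception:
            if attempt == attempts:
                raise               # out of attempts: fault becomes failure
            time.sleep(delay_s)     # back off before the next attempt

calls = {"n": 0}
def flaky():
    calls["n"] += 1
    if calls["n"] < 3:              # fails twice, then succeeds
        raise ConnectionError("transient fault")
    return "ok"

print(retry(flaky))  # -> ok (succeeded on the third attempt)
```

The bound matters: retry only helps for transient faults, so an attempt limit is what keeps a permanent fault from turning into an unbounded hang.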
Availability Tactics
Recover from Faults (Reintroduction 1/2)
• Shadow: operating a previously “failed” or “in-service upgraded” component in a “shadow mode” for a predefined time prior to reverting the component back to an active role.
• State Resynchronization: partner to active redundancy and passive redundancy where state information is sent from active to standby components.
• Non-Stop Forwarding (NSF): functionality is split into supervisory and data planes.
– For example, in a router design: if a supervisor fails, the router continues forwarding packets along known routes while protocol information is recovered and validated.
• Escalating Restart: recover from faults by varying the granularity of the component(s) restarted and minimizing the level of service affected.
– For example, consider a system that supports four levels of restart:
• Level 0: having the least impact on services, employs passive redundancy, where all child threads of the faulty component are killed and recreated. In this way, only data associated with the child threads is freed and reinitialized.
• Level 1: frees and reinitializes all unprotected memory.
• Level 2: frees and reinitializes all memory, both protected and unprotected, forcing all applications to reload and reinitialize.
• Level 3: completely reloads and reinitializes the executable image and associated data segments.
Support for the escalating restart tactic is particularly useful for graceful degradation, where a system is able to degrade the services it provides while maintaining support for mission-critical or safety-critical applications.
Availability Tactics
Prevent Faults (1/5)
• Removal From Service (software rejuvenation): temporarily placing a system component in an out-of-service state for the purpose of mitigating potential system failures.
– For example, taking a component of a system out of service and resetting it in order to scrub latent faults (such as memory leaks) before the accumulation of faults affects service and results in system failure.
• Transactions: systems targeting high-availability services leverage transactional semantics to ensure that asynchronous messages exchanged between distributed components are atomic, consistent, isolated, and durable (the "ACID properties"). The most common realization of the transactions tactic is the two-phase commit (2PC) protocol. This tactic prevents race conditions caused by two processes attempting to update the same data item.
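The two-phase commit protocol named above can be sketched as a coordinator that commits only if every participant votes yes in the prepare phase. This is a toy in-memory sketch (no persistence, no failure handling between phases), not a production protocol:

```python
class Participant:
    """A resource that can vote on and then apply a transaction."""
    def __init__(self, name, can_commit=True):
        self.name, self.can_commit, self.state = name, can_commit, "idle"

    def prepare(self):
        # Phase 1: vote yes/no and hold the transaction pending.
        self.state = "prepared" if self.can_commit else "aborted"
        return self.can_commit

    def finish(self, commit):
        # Phase 2: apply the coordinator's global decision.
        self.state = "committed" if commit else "aborted"

def two_phase_commit(participants):
    votes = [p.prepare() for p in participants]  # phase 1: collect votes
    decision = all(votes)                        # unanimous yes required
    for p in participants:                       # phase 2: broadcast decision
        p.finish(decision)
    return decision

print(two_phase_commit([Participant("a"), Participant("b")]))  # -> True
group = [Participant("a"), Participant("b", can_commit=False)]
print(two_phase_commit(group))  # -> False: one "no" vote aborts everyone
```

The availability-relevant property is atomicity: either every participant ends in "committed" or every one ends in "aborted", so no pair of processes can observe a half-applied update to the same data item.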
Prevent Faults (2/5)
• Predictive Model: monitor the state of health of a process to ensure that the system is operating within nominal parameters; take corrective action when conditions are detected that are predictive of likely future faults.
– The operational performance metrics monitored are used to predict the onset of faults, for example:
• session establishment rate (in an HTTP server),
• message queue length statistics,
• statistics for process state (in service, out of service, under maintenance, idle).
Prevent Faults (4/5)
• Exception Prevention: preventing system exceptions from occurring by masking a fault, or preventing it via smart pointers, abstract data types, or wrappers.
• Smart pointers prevent exceptions by doing bounds checking on pointers and by ensuring that resources are automatically deallocated when no data refers to them. In this way resource leaks are avoided.
• Increase Competence Set: designing a component to handle more cases (faults) as part of its normal operation.
– For example, consider two components:
• A component that assumes it has access to a shared resource might throw an exception if it discovers that access is blocked.
• Another component might simply wait for access, or return immediately with an indication that it will complete its operation on its own the next time it does have access.
• In this example, the second component has a larger competence set than the first.
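The two components in the example can be contrasted directly: the second treats a blocked resource as a normal case rather than an exceptional one. An illustrative sketch (all names are mine):

```python
def narrow_component(resource_free):
    """Smaller competence set: blocked access lies outside its
    normal operation, so it raises an exception."""
    if not resource_free:
        raise RuntimeError("shared resource is blocked")
    return "done"

def competent_component(resource_free):
    """Larger competence set: blocked access is handled as a
    normal case, reported as a deferred completion."""
    return "done" if resource_free else "deferred"

print(competent_component(False))  # -> deferred (no exception raised)
try:
    narrow_component(False)
except RuntimeError as e:
    print("narrow component failed:", e)
```

Enlarging the competence set moves a condition from the fault category into ordinary behavior, which is why this counts as fault prevention rather than fault recovery.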
Summary
• Availability refers to the ability of the system to be available for use when a fault occurs.
• The fault must be recognized (or prevented), and then the system must respond.
• The response will depend on the criticality of the application and the type of fault; it can range from "ignore it" to "keep on going as if it didn't occur."
Summary
• Tactics for availability are categorized into detect faults, recover from faults, and prevent faults.
• Detection tactics depend on detecting signs of life from various components.
• Recovery tactics involve retrying an operation or maintaining redundant data or computations.
• Prevention tactics depend on removing elements from service or limiting the scope of faults.
• All availability tactics involve the coordination model.