A d d d b lAutomating data dependability

Dr. Kimberly KeetonISM 158: Business Information StrategygyApril 20, 2010kimberly.keeton@hp.com

© 2006 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice

Problems happen…pp

High Natural disaster — fire, flood, adverse weather

nt

Security breach — hackerMan made disaster — terrorism, malicious damage

Denial of service attack

Hardware failure

per i

ncid

en Virus attackUser/administrator error Software failure

Power failure

Impa

ct p

Network failure

Application failure

Power failure

LowPlanned downtime

2 20 April 2010

LowHighLow Relative frequency

Impact of problemsp p• Data unavailability is expensive – downtime costs/hr:

− Brokerage operations $6,450,000g− Credit card authorization $2,600,000− Ebay (1 outage 22 hours) $ 225,000

Amazon com $ 180 000− Amazon.com $ 180,000− Package shipping services $ 150,000− Home shopping channel $ 113,000− Catalog sales center $ 90,000− Airline reservation center $ 89,000− Cellular service activation $ 41 000Cellular service activation $ 41,000Source: InternetWeek 4/3/2000 + Fibre Channel: A Comprehensive Introduction, R. Kembel 2000, p.8. ”...based

on a survey done by Contingency Planning Research.“

• Data loss is expensive 100 MB $1M ll ll

3 20 April 2010

• Data loss is expensive – 100 MB == $1M (source: Gallup poll)

Impact of data unavailabilityp y

Exponential onsRevenue:

Direct loss, compensatory increase

$ Bi

lli

Direct loss, compensatory payment, lost future revenues, billing losses and investment losses

Damaged reputation

Financial performance

Productivity/ employees

Productivity:Number employee x impacted x hours out = ? $

Impa

ct

reputation

$ M

illio

ns

Constant increase

Ti

Direct financial/ customer

Damaged reputation:Customers, competitors gain advantage, suppliers, financial markets, business

Minutes DaysTimepartners

Financial performance:Revenue recognition, cash flow credit rating stock

Downtime

5 20 April 2010

Indirect impact of downtime can be far more severe and unpredictable

flow, credit rating, stock price, regulatory fines

Anatomy of a failureRecovery metricsRecovery metrics

updates

Recovery Time(duration of outage)

updates

normal operation operation

crash!

Recovery Point

operation continues

(e.g., at 2nd site)

Recovery Point(go back to when?)

timeRPO = max allowedi t ti

100%

availability

recovery-point time (data loss) RTO = max

outage timeallowed

6 20 April 2010

time0%outageallowed

Not all applications are created equalNot all applications are created equalRequirements Category

Business Process Typical Data Form

RTO: min-1 hrRPO: < 30 min

RTO: < 8 hrRPO: < 4 hr

RTO, RPO: < 24 hr

Business ProcessinggData Base

Decision Support

Collaborative Email

IT InfrastructureFile

Web Infrastructure

Scientific/EngineeringVaries by

applicationApplication Development

10 20 April 2010

other

Data protection techniquesData protection techniques

local copy (mirror)

nearby remote copy

primarycopy

partial copy (snapshot)

tape-librarybackup copy

distantremote

continuous data (CDP)

vault: offsite

11 20 April 2010

remote copy

protection (CDP) tape storage

Determining the right solutionOutlay costs Penalty costsOverall costs =

outlays + penalties

Minimize ll

Cost

Spend more, Spend less,

overall costs

Spend more, lose less

p ,lose more

Reco er time Reco er point

12 20 April 2010

Recovery time, Recovery point

Today’s approachy pp• Best practices

− Manual, ad hoc design techniquesT l f d d l− Templates for standard solutions

• Insufficient tools for Insufficient tools for − Evaluating dependability provided by a candidate solution− Examining wide range of candidate designs

Translating b siness req irements into design recommendations− Translating business requirements into design recommendations

• Result− Current solutions are likely conservative (and hence too costly)− Only qualitative understanding of solution dependability

13 20 April 2010

Data dependability overviewData dependability overviewCharacterize goals and failure consequences in financial terms

Formulate data dependability questions as optimization problems

Problem inputs1. Business objectives

penalty rates2. Threats

dependability assessments

failure types

dependability designs

Optimization engine

Modelsrecovery

schedules• workloads• disk arrays• mirroring• tape backup Model cost and dependability

15 20 April 2010

• spare resources Model cost and dependability properties of common data protection

and recovery techniques

Topics to coverTopics to cover• Problem and motivation• Data protection techniques refresher−Backup−Online point-in-time copies−Continuous data protection

/−Remote replication/mirroring

• Research in automating data dependability• Summary

16 20 April 2010

BackupBackup• What?

R d l d − Read-only copy on separate media, representing recovery point in past

• Why?y− To permit time-travel recovery (e.g., before mistake or virus

infection)− To create archival copyo c ea e a c va copy− To enable cheap disaster recovery from offsite vault

• How?− Full vs. partial backups− File vs. block-level backup− Tape-based vs. disk-based architectures

17 20 April 2010

Tape based vs. disk based architectures

Full vs partial backupsFull vs. partial backups• Full backup

− Copy everything backup− Copy everything backup− Restoration is straightforward− Large resource requirements (server, network, tapes)

• Incremental backup• Incremental backup− Cumulative incremental: copy data that’s changed since last full

backup− Differential incremental: copy data that’s changed since last

f ll/ l b kpy g

full/incremental backup− Massive reduction in data moved/copied− Requires more complicated restoration

F ll b k h l i i l h diff i l • Full backup, then cumulative incremental, then one or more differential incrementals

• Most backup schedules employ a combination− Full backup over weekend daily cumulative incrementals during

18 20 April 2010

− Full backup over weekend, daily cumulative incrementals during week

What gets backed upWhat gets backed up• File-level backup

A h f l f l b b k d − Any change to file causes entire file to be backed up− Open files often require special handling software− Pro: simplifies backup and recoveryp p y− Con: small changes to large files result in large backups

• Block-level backupf− Only back up blocks that change in a file

− Requires additional client-side processing to discover changed blocks

− Pro: reduced size of backup data− Con: client processing increases backup and restore complexity

19 20 April 2010

Tape-based backupTape-based backup• Pros:

L w t th di k b d lt ti− Lower costs than disk-based alternatives− Media can be stored offsite for disaster recovery, compliance− Established process

• Cons:− Performance

• Best performance achieved only through streaming and multiplexingp y g g p g• Single file restore operations may be slow

− Device sharing (complex schedules, potential for resource conflicts)− Reliability of devices and mediay

• Robots (and drives) may suffer mechanical failures• Media must be periodically replaced

− Risk of tape loss, incompatibility

25 20 April 2010

p , p y

Disk-based backupDisk-based backup• Benefits:

− Performance− Performance• Online disk storage means faster backups and restores possible• Aggregate performance possible without tape multiplexing

− Reliabilityy• Inherent RAID protection• No robots, so mechanical failure less likely

• Virtual tape libraries (VTL) − Basic idea: virtual disk system that emulates tape library, drives

and media− Can be used to create tape backup for offsite storage− Benefit: requires only incremental changes to existing environment

26 20 April 2010

Online point-in-time copiesOnline point-in-time copies• What?

Di k b d "i t t " th t t d t t ifi i t i − Disk-based "instant copy" that captures data at a specific point in time

− May be read-only or read-writeWhy?• Why?− Allows for complete backup/restore, with very short outages− Provides basis for zero downtime backup− May permit restoration of individual files (depending on

implementation)− Allows for time travel recovery (may be more limited than backup)

d f d− Provides support for data repurposing• How?

− Full or partial point-in-time copies

27 20 April 2010

p p p

Full point-in-time copiesFull point-in-time copies• Also known as split mirrors and clones

d k l l d f d• Basic idea: keep multiple RAID-1 (mirrored) sets of data− Freeze content of one set by ceasing RAID-1 operations

• Can be done by variety of sources• Can be done by variety of sources− Host-based logical volume manager− Fabric-based virtualizer or logical volume manager− Array-based functions

• Frozen copy is independent of current copy for contentB tt f i l ti t l f f il− Better performance isolation, tolerance for failure

• Resynchronization requires explicit copying of data

28 20 April 2010

Partial (differential) point-in-time copiesPartial (differential) point-in-time copies• Also known as snapshots

d k h h• Basic idea: track "changes" to the primary copy− “Change" disks + primary disks provide PiT copy

• Can be done by variety of sources: file system disk array• Can be done by variety of sources: file system, disk array• Several approaches, each with performance impact:

− Copy on write (CoW): copy old data before update in placepy ( ) py p p− Redirect on write (RoW): new updates stored in journal− Write anywhere (WA): non-overwrite updates to virtual blocks;

maps for “now” and “snapshots”maps for now and snapshots

• Implications of leveraging main copy:− Less storage consumption than full PiT copies

29 20 April 2010

− Can’t use for disaster recovery

Continuous data protection (CDP)Continuous data protection (CDP)• What?

C ll d h d − Capture all updates as they occur, not just discrete points in time− Store protected copy in secondary location

• Why?Why?− To provide very fine granularities of recovery points

• How?− May be block-, file- or application-based− Very resource-intensive, so period of protection may be limited

34 20 April 2010

Remote replication/mirroringRemote replication/mirroring• What?

l bl k l k d ff−File or block replication across network to different location

−Provides up-to-date copy at a different location p py• Why?−To permit application failover and failback after site

di tdisaster−To migrate data or distribute content between locations−To permit remote backupTo permit remote backup

• How?−Synchronous or asynchronous protocols

36 20 April 2010

y y p

Synchronous remote replicationSynchronous remote replication• Basic idea−Each update is applied at both local and remote site

before acknowledgment to local hostProvides completely up to date replica−Provides completely up-to-date replica

• IssuesInterconnect must be provisioned to handle write bursts − Interconnect must be provisioned to handle write bursts

−Speed of light latency means only appropriate for regional distancesg

−Must resynchronize mirrors after network partition

37 20 April 2010

Asynchronous remote replicationAsynchronous remote replication• Basic idea

A k l d h f l l d d− Acknowledge write to host after local copy updated− Batch together writes within an interval− Apply update batch atomically at remote sitepp y p y

• Implications− Remote copy lags local copy slightly

f f− Overwrites will reduce amount of data to be transferred− Interconnect bandwidth provisioned based on desired RPO− Not limited geographicallyg g p y− Must resynchronize mirrors after network partition

38 20 April 2010

Topics to coverTopics to cover• Problem and motivation• Data protection techniques refresher• Research in automating data dependabilityg p y−Dependability evaluation−Dependability design−Recovery scheduling

• Summary

40 20 April 2010

Data dependability overviewData dependability overviewCharacterize goals and failure consequences in financial terms

Problem inputs1. Business objectives

penalty rates2. Threats

Formulate data dependability questions as optimization problems

failure types

dependability assessments

Models

Optimization engine

dependability designs

• workloads• disk arrays• mirroring• tape backup

recoveryschedules

Model cost and dependability

41 20 April 2010

• spare resources Model cost and dependability properties of common data protection

and recovery techniques

Managing data by business value: penalty ratespenalty rates

failureStringent requirements

$/hour

sec min hr day weekweek day hr min sec

Relaxed requirements

• Recovery time objective (RTO):

RTORPOyy

Data outage penalty rateData loss penalty rate

y j ( )− How long before the system is back up?

• Recovery point objective (RPO): h d h d d− How much recent data can the system discard?

• Penalty rate model− Data loss penalty rate ($/hour)

42 20 April 2010

Data loss penalty rate ($/hour)− Data outage penalty rate ($/hour)

Modeling data protection techniques[Keeton and Merchant DSN2004][Keeton and Merchant – DSN2004]

• Primary copy of data is protected by one or more Level 0: primary copy protected by one or more secondary point-in-time copies

• Techniques create, retain and

Level 0: primary copy

Level 1: d

diskarray

qpropagate copies− Parameters for frequency of

copies, time to create copies,

secondary copy

near online disk

remote mirror

p pretention

• Model copies as hierarchyIncreasing levels:L l i

… near-online disk (snapshots)

Increasing levels:− larger retention capacity − longer recovery latencies− less frequent PiT copies

Level i

offline tape (vault)

near-line tape

43 20 April 2010

less frequent PiT copiesoffline tape (vault)

Dependability assessment case studyDependability assessment case study• Research workgroup file server application

f l l−Business requirements: financial penalty rates• Downtime penalty rate: $50,000 / hour• Recent data loss penalty rate: $50,000 / hourp y , /

−Workload characteristics: light to moderate usage• Data capacity: 1.4 TB• Average access rate: 1028 KB / sec• Average access rate: 1028 KB / sec• Average update rate: 799 KB / sec• Peak:average update ratio: 10X

D l d 317 KB / • Daily unique update rate: 317 KB / sec

• Questions to answer:Does existing solution meet goals?

44 20 April 2010

−Does existing solution meet goals?−What if we changed the configuration to . . . ?

Case study: backup and vaultingCase study: backup and vaultingPrimary building/site

Shared spare site

Secondary site

Tape vaultPrimary array

remotevaulting

Storage-areanetwork

Host Host

Tape lib

Tape lib

primary copy Disk

arraytape

array vaultingnetwork

• Baseline: split mirrors every 12 hours, weekly full backup (48 hr backup window), monthly remote vaulting

split mirror backup

) y g• Weekly vault: baseline, except weekly remote vaulting• Weekly vault, F+I: weekly vault, plus daily incremental backups (12 hr backup

window)• Weekly vault daily F: weekly vault except daily full backups (12 hr backup

45 20 April 2010

Weekly vault, daily F: weekly vault, except daily full backups (12 hr backup window)

Case study: remote mirroringCase study: remote mirroringPrimary building/site

Secondary sitePrimary

arrayStorage-area

network

Host Host

Tape lib

primary copy Disk

array

remote mirror

• AsyncB mirror, 1 link: asynchronous remote mirroring with y , y g1min windows, 1 network link

• AsyncB mirror, 10 links: asynchronous remote mirroring with 1min windows, 10 links

46 20 April 2010

w w dows, 0 s

Recovery behaviorRecovery behavior• Primary array failure • Site disaster

5

6

7

5

6

7

AsyncB mirror, 1 link

AsyncB mirror, 10 links

2

3

4

2

3

4

Weekly vaultWeekly vault, F+I

Weekly vault, daily F

0

1

-1500 -1000 -500 0 500

0

1

-250 -200 -150 -100 -50 0 50

Weekly vault

Baseline

Recovery point (hr) Recovery time (hr)

Recovery point (hr) Recovery time (hr)

47 20 April 2010

Financial ramificationsFinancial ramifications

18

20

$) Penalty costs (loss)

12

14

16

mill

ions

$ Penalty costs (outage)Outlay costs

8

10

12

cost

s (m

2

4

6

Ove

rall

0

2

Baseline Weeklyvault

Weeklyvault F+I

Weeklyvault daily

AsyncBmirror 1

AsyncBmirror 10

48 20 April 2010

vault vault, F+I vault, dailyF

mirror, 1link

mirror, 10links

Storage configuration

Automated dependability designs [Keeton, et al. – FAST2004], [Gaonkar, et al. – DSN2006]

alty

rate

ur

)

Central BankWeb

server

(500,500K)(50M,5M)

utag

e pe

na($

/hou

Consumer banking

Student Company

(500,500) (500K,500)(50M,50K)

Ou

Data loss penalty rate($/hour)

Studentaccounts

Company Docs

($/hour)• What is best storage design to meet business requirements?• Experimental design

− Penalty rates for five different industry segments− Same workload ([cello2002])− Annualized outlay costs one site disaster per year

April 20, 2010 49

− Annualized outlay costs, one site disaster per year− Solver determines best design

Automated dependability designs

alty

rate

ur

)

Central BankWeb

server

(500,500K)(50M,5M)

utag

e pe

na($

/hou

Consumer banking

Student Company

(500,500) (500K,500)(50M,50K)

Ou

Data loss penalty rate($/hour)

Studentaccounts

Company Docs

Industry segment Automated design choice

Student accts Backup + 12-hr win + no spares

($/hour)

Company docs Async + recovery + no sparesWeb server Batched async + failoverC b ki S + f il

April 20, 2010 51

Consumer banking Sync + failoverCentral bank Sync + failover

Design choice cost breakdown

70%80%90%

100%

rall

cost

s $301K $426K $506K $562K $603K

30%40%50%60%70%

on to

ove

r

0%10%20%30%

Student Company Web server Consumer Central bankCon

trib

utio

Studentaccounts

Companydocuments

Web server Consumerbanking

Central bank

Industry segment

C

Primary Array Outlays Mirroring Outlays Backup OutlaysSpare Resources Outlays Data Unavailability Penalties Data Loss Penalties

• Low penalty rates (student accounts, company docs): − Non-trivial penalty component ; outlays for more aggressive solutions

Spare Resources Outlays Data Unavailability Penalties Data Loss Penalties

April 20, 2010 52

Non trivial penalty component ; outlays for more aggressive solutions outweigh penalties

Design choice cost breakdown

70%80%90%

100%

rall

cost

s $301K $426K $506K $562K $603K

30%40%50%60%70%

on to

ove

r

0%10%20%30%

Student Company Web server Consumer Central bankCon

trib

utio

Studentaccounts

Companydocuments

Web server Consumerbanking

Central bank

Industry segment

C

Primary Array Outlays Mirroring Outlays Backup OutlaysSpare Resources Outlays Data Unavailability Penalties Data Loss Penalties

• Moderate penalty rates (web server, consumer banking): − Mirroring outlays dominate

Spare Resources Outlays Data Unavailability Penalties Data Loss Penalties

April 20, 2010 53

Mirroring outlays dominate− These outlays are less than penalties for less aggressive solutions

Design choice cost breakdown

70%80%90%

100%

rall

cost

s $301K $426K $506K $562K $603K

30%40%50%60%70%

on to

ove

r

0%10%20%30%

Student Company Web server Consumer Central bankCon

trib

utio

Studentaccounts

Companydocuments

Web server Consumerbanking

Central bank

Industry segment

C

Primary Array Outlays Mirroring Outlays Backup OutlaysSpare Resources Outlays Data Unavailability Penalties Data Loss Penalties

• High penalty rates (central bank):− Non-trivial data outage penalty for aggressive solution

Spare Resources Outlays Data Unavailability Penalties Data Loss Penalties

April 20, 2010 54

Non trivial data outage penalty for aggressive solution

Design space exploration50 000 000

5 000 000 /hr)

5 000 000

500 000

y ra

te ($

/

Batched async

mirror Sync

mirror

50 000

e pe

naltymirror

5 000

500 ta o

utag

e

Backup

Failover

Reconstruct500

Dat

00 0

00

00 0

00

00 0

00

50 0

00

5 00

0

500

Async mirror

April 20, 2010 55

50 0

0

5 00505

Data loss penalty rate ($/hr)

Design overall (outlay + penalty) costs

1200

1400

1 200

1 400Web serverC t l b k

600

800

10001 000

600

800 Overall cost Student accounts

Company docs

Central bank

158

1580

5800

0

200

400400

200

Data loss

(k$)

Consumer bank

1580

1580

0015

8000

000

000

11580

15800

158000

1580000

15800000

Data loss

penalty rate ($/hr)

April 20, 2010 56

1580

0 158580 0

Data outage

penalty rate ($/hr)

Recovering data systems [Keeton, et al. - EuroSys2006][ y ]

site2

array3 array4

site1

array2array1

Restore from mirror

failover

failback

array3 array4array2array1

C DW SB

C DW SB

CB W D S

acku

p

link1

l k

svr6servers

svr2 svr4svr3 svr5svr1

C W D SBre fr

om b

a

link2vault1library1

B C W D S B C W D S

Res

tor

= primary copy = application = secondary copy

Restorefrom vault

58 20 April 2010

p y py pp y py

• Goal: choose alternatives and recovery schedule that minimize total penalties over all workloads

Modeling recovery time: recovery schedulingscheduling• How to recover dependable storage system post-disaster?

Which copy to recover each failed application?− Which copy to recover each failed application?− How to schedule resources among competing demands?

• Recovery graphs describe potential recovery strategiesy g p p y g

Reprovision F ilb k A & A b kR t t R t t L lReprovision Failback App &mirroring

App, backup& mirroring

Restart mirroring

Restart backup

Localapp

Remote appFailover

• Apply optimization to determine best solution− Choose recovery strategies and recovery schedule that minimize total

64 20 April 2010

Choose recovery strategies and recovery schedule that minimize total penalties over all workloads

Describing the problem formallyg p y• Objective

− Common currency: penalty costs for downtime, loss of recent y p y ,data, and vulnerability to subsequent failures

− Minimize total penalty costs over all workloads

• Decisions • Decisions − Select a recovery path (alternative)− Schedule for jobs in selected paths

• Constraints− Exactly one recovery path is chosen for each workload

J b ti ti fi h d t i t− Job execution satisfies recovery graph precedence constraints− Job consumes resources while it is being executed− Job scheduling satisfies resource capacity constraints

66 20 April 2010

Optimal recovery schedulep y

Commercial Bankk

Failover mirror

Recovery pathScheduleWorkload

Consumer BankWeb server

Restore mirrorRestore backup

Outage (time) Penalty costsCommercial Bank

Consumer BankWeb Server

Outage (time)$5.0 M$1.6 M

$12.2 M

Penalty costs

Remote server 100% 0%

Network 20%21% 71% 81% 50%

100% 0%

7% 7%Tape library 3% 8%5%

15% 8%Local array 1 Failed 12%12%

68 20 April 2010

Lessons learnedLessons learned• Financial business requirements allow optimization

l h b l d• Formal optimization techniques can be applied− Mixed Integer Program (MIP) formulations provide optimal solution

for small problemsp− Heuristics needed to solve larger problems− MIP useful for understanding problem structure

I t d t ll ti i h ll i• Input data collection is challenging− Use storage management tools to automatically discover− Build templates of common scenariosp

• Storage is important start, but users ultimately care about application and business process dependability

69 20 April 2010

SummarySummary• Data unavailability and loss is very expensive

M t h i f t ti d t• Many techniques for protecting data− Backup, online point-in-time copies, remote replication,

etc.• Understanding right techniques to use requires

holistic approachh d d d b l• Our approach to automating data dependability

− Characterize business requirements in financial termsM d l d d bilit f d t t ti d − Model dependability of data protection and recovery techniques

− Formulate scheduling, design questions as optimization bl

71 20 April 2010

problems

For more informationFor more information…•Background on data protection techniques:

N A lSNIA tutorials−Michael Fishman, “Introduction to Data Protection: Backup

t T Di k d B d”to Tape, Disk and Beyond”− Jason Iehl and Andreas Schwegman, “Trends in Data

Protection and Restoration Technologies”g

• Available from Available from http://www.snia.org/education/tutorials

72 20 April 2010

For more informationFor more information…• Research in automating data dependability:

“D i i f di ” K K C S D B J Ch − “Designing for disasters,” K. Keeton, C. Santos, D. Beyer, J. Chase and J. Wilkes, Proc. 3rd Conference on File and Storage Technologies (FAST), March 2004.

− “A framework for evaluating storage system dependability ” K Keeton A framework for evaluating storage system dependability, K. Keeton and A. Merchant, Proc. Intl. Symposium on Dependable Systems and Networks (DSN), June 2004.

− “On the road to recovery: restoring data after disasters,” K. Keeton, D B E B A M h t C S t d A Zh P f D. Beyer, E. Brau, A. Merchant, C. Santos and A. Zhang. Proc. of ACM European Systems Conference (EuroSys), Leuven, Belgium, April 2006.

− “Designing dependable storage solutions for shared application es g g depe dab e s o age so u o s o s a ed app ca o environments,” S. Gaonkar, K. Keeton, A. Merchant, and W. Sanders. Proc. of Intl. Conf. on Dependable Systems and Networks (DSN) , Philadelphia, PA, June 2006.

A il bl f htt // h l h /SSP/ /

73 20 April 2010

• Available from http://www.hpl.hp.com/SSP/papers/