SLIDE 1
Without Resilience Nothing Else Matters
Jonas Bonér
CTO TypEsafe @jbonerWithout Resilience Nothing Else Matters
Jonas Bonér
CTO TypEsafe @jbonerWithout Resilience Nothing Else Matters Jonas Bonr CTO TypEsafe - - PowerPoint PPT Presentation
Without Resilience Nothing Else Matters Jonas Bonr CTO TypEsafe - - PowerPoint PPT Presentation
Without Resilience Nothing Else Matters Jonas Bonr CTO TypEsafe @jboner Without Resilience Nothing Else Matters Jonas Bonr CTO TypEsafe @jboner But it aint how hard youre hit; its about how hard you can get hit, and keep
SLIDE 2
SLIDE 3
“But it ain’t how hard you’re hit; it’s about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That’s how winning is done.”
- Rocky Balboa
SLIDE 4
“But it ain’t how hard you’re hit; it’s about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That’s how winning is done.”
- Rocky Balboa
This is Fault Tolerance
SLIDE 5
Resilience is Beyond Fault Tolerance
SLIDE 6
Resilience
“The ability of a substance or
- bject to spring back into shape.
The capacity to recover quickly from difficulties.”
- Merriam Webster
SLIDE 7
Antifragility
“Antifragility is beyond resilience and
- robustness. The resilient resists shock and
stays the same; the antifragile gets better.”
- Nassem Nicholas Taleb
SLIDE 8
“We can model and understand in isolation. But, when released into competitive nominally regulated societies, their connections proliferate, their interactions and interdependencies multiply, their complexities mushroom. And we are caught short.”
- Sidney Dekker
SLIDE 9
We Need to Study Resilience in Complex Systems
SLIDE 10
Complicated System
SLIDE 11
Complicated System
SLIDE 12
Complex System
SLIDE 13
Complex System
SLIDE 14
Complex System
SLIDE 15
Complicated ≠ Complex
SLIDE 16
“Counterintuitive. That’s [Jay] Forrester’s word to describe complex systems. Leverage points are not intuitive. Or if they are, we intuitively use them backward, systematically worsening whatever problems we are trying to solve.”
- Donella Meadows
SLIDE 17 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 18 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary
Operating at the Edge of Failure
SLIDE 19 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary
Operating at the Edge of Failure
SLIDE 20 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary
Operating at the Edge of Failure
SLIDE 21 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Operating Point Accident Boundary
Operating at the Edge of Failure
SLIDE 22 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary
Operating at the Edge of Failure
SLIDE 23 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary
FAILURE
Accident Boundary
Operating at the Edge of Failure
SLIDE 24 Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary
‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 25 Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Management Pressure Towards Economic Efficiency
‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 26 Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Management Pressure Towards Economic Efficiency Gradient Towards Least Effort
‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 27 Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Management Pressure Towards Economic Efficiency Gradient Towards Least Effort
‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 28 Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Management Pressure Towards Economic Efficiency Gradient Towards Least Effort Counter Gradient For More Resilience
‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
SLIDE 29 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary
Operating at the Edge of Failure
SLIDE 30 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Error Margin Marginal Boundary
Operating at the Edge of Failure
SLIDE 31 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Error Margin Marginal Boundary
Operating at the Edge of Failure
SLIDE 32 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Economic Failure Boundary Unacceptable Workload Boundary Accident Boundary Error Margin Marginal Boundary
Operating at the Edge of Failure
SLIDE 33 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Accident Boundary Marginal Boundary
Operating at the Edge of Failure
SLIDE 34 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Marginal Boundary
?
Operating at the Edge of Failure
SLIDE 35 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
Accident Boundary Marginal Boundary SLIDE 36 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
Accident Boundary Marginal Boundary SLIDE 37 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
Accident Boundary Marginal Boundary SLIDE 38 ‘‘Going solid’’: a model of system dynamics and consequences for patient safety - R Cook, J Rasmussen Resilience in complex adaptive systems: Operating at the Edge of Failure - Richard Cook - Talk at Velocity NY 2013
Operating at the Edge of Failure
Accident Boundary Marginal Boundary SLIDE 39
Embrace Failure
SLIDE 40
Resilience in Social Systems
SLIDE 41
Dealing in Security
Understanding vital services, and how they keep you safe
1 INDIVIDUAL 6 ways to die 3 sets of essential services 7 layers of PROTECTION
Dealing in Security - Mike Bennet, Vinay Gupta SLIDE 42
7 Principles for Building Resilience in Social Systems
- 1. Maintain diversity & Redundancy
- 2. Manage connectivity
- 3. Manage slow variables & feedback
- 4. Foster complex adaptive systems thinking
- 5. Encourage learning
- 6. Broaden participation
- 7. Promote polycentric governance
SLIDE 43
Resilience in Biological Systems
SLIDE 44
Meerkats
Puppies! Now that I’ve got your attention, complexity theory - Nicolas Perony, TED talk SLIDE 45
What We Can Learn From Biological Systems
- 1. Feature Diversity and redundancy
- 2. Inter-Connected network structure
- 3. Wide distribution across all scales
- 4. Capacity to self-adapt & self-organize
SLIDE 46
“Animals show extraordinary social complexity, and this allows them to adapt and respond to changes in their environment. In three words, in the animal kingdom, simplicity leads to complexity which leads to resilience.”
- Nicolas Perony
SLIDE 47
Resilience in Computer Systems
SLIDE 48
SLIDE 49
“Complex systems run in degraded mode.” “Complex systems run as broken systems.”
- richard Cook
SLIDE 50
Resilience is by Design
Photo courtesy of FEMA/Joselyne Augustino SLIDE 51
We Need to Manage Failure
SLIDE 52
“Post-accident attribution to a ‘root cause’ is fundamentally wrong: Because overt failure requires multiple faults, there is no isolated ‘cause’ of an accident.”
- richard Cook
SLIDE 53
There is No Root Cause
SLIDE 54
Crash Only Software
Crash-Only Software - George Candea, Armando FoxStop = Crash Safely Start = Recover Fast
SLIDE 55
Recursive Restartability
Turning the Crash-Only Sledgehammer into a Scalpel
Recursive Restartability: Turning the Reboot Sledgehammer into a Scalpel - George Candea, Armando Fox SLIDE 56
Services need to accept NO for an answer
SLIDE 57
Classification
- f State
- Static Data
- Scratch Data
- Dynamic Data
- Recomputable
- not recomputable
SLIDE 58
Classification
- f State
- Static Data
- Scratch Data
- Dynamic Data
- Recomputable
- not recomputable
Critical
SLIDE 59
Traditional State Management
Object Critical state that needs protection Client Thread boundary SLIDE 60
Traditional State Management
Object Critical state that needs protection Client Thread boundary SLIDE 61
Traditional State Management
Object Critical state that needs protection Client Thread boundary SLIDE 62
Traditional State Management
Object Critical state that needs protection Client Thread boundary Synchronous dispatch Thread boundary SLIDE 63
Traditional State Management
Object Critical state that needs protection Client Thread boundary Synchronous dispatch Thread boundary SLIDE 64
Traditional State Management
Object Critical state that needs protection Client Thread boundary Synchronous dispatch Thread boundary ? SLIDE 65
Traditional State Management
Object Critical state that needs protection Client Thread boundary Synchronous dispatch Thread boundary ?Utterly broken
SLIDE 66
“Accidents come from relationships not broken parts.”
- Sidney dekker
SLIDE 67
Requirements for a
Sane Failure Mode
- 1. Contained
- 2. Reified—as messages
- 3. Signalled—Asynchronously
- 4. Observed—by 1-N
- 5. Managed
Failures need to be
SLIDE 68
Bulkhead Pattern
SLIDE 69
Bulkhead Pattern
SLIDE 70
Bulkhead Pattern
SLIDE 71
Enter Supervision
SLIDE 72
Enter Supervision
SLIDE 73
The Vending Machine Pattern
SLIDE 74
Think Vending Machine
Coffee Machine Programmer SLIDE 75
Think Vending Machine
Coffee Machine Programmer Inserts coins SLIDE 76
Think Vending Machine
Coffee Machine Programmer Inserts coins Add more coins SLIDE 77
Think Vending Machine
Coffee Machine Programmer Inserts coins Gets coffee Add more coins SLIDE 78
Think Vending Machine
Programmer Coffee Machine SLIDE 79
Think Vending Machine
Programmer Inserts coins Coffee Machine SLIDE 80
Think Vending Machine
Programmer Inserts coins Out of coffee beans error Coffee Machine SLIDE 81
Think Vending Machine
Programmer Inserts coins Out of coffee beans errorWRONG
Coffee Machine SLIDE 82
Think Vending Machine
Programmer Inserts coins Coffee Machine SLIDE 83
Think Vending Machine
Programmer Inserts coins Out of coffee beans failure Coffee Machine SLIDE 84
Think Vending Machine
Programmer Service Guy Inserts coins Out of coffee beans failure Coffee Machine SLIDE 85
Think Vending Machine
Programmer Service Guy Inserts coins Out of coffee beans failure Adds more beans Coffee Machine SLIDE 86
Think Vending Machine
Programmer Service Guy Inserts coins Gets coffee Out of coffee beans failure Adds more beans Coffee Machine SLIDE 87
Think Vending Machine
Service Client SLIDE 88
Think Vending Machine
Service Client Request SLIDE 89
Think Vending Machine
Service Client Request Response SLIDE 90
Think Vending Machine
Service Client Request Response Validation Error SLIDE 91
Think Vending Machine
Service Client Request Response Validation Error Application Failure SLIDE 92
Think Vending Machine
Service Client Supervisor Request Response Validation Error Application Failure SLIDE 93
Think Vending Machine
Service Client Supervisor Request Response Validation Error Application Failure Manages Failure SLIDE 94
SLIDE 95
Error Kernel Pattern
Onion-layered state & Failure management
Making reliable distributed systems in the presence of software errors - Joe Armstrong On Erlang, State and Crashes - Jesper Louis Andersen SLIDE 96
Onion Layered State Management
Object Critical state that needs protection Client Thread boundary SLIDE 97
Onion Layered State Management
Object Critical state that needs protection Client Thread boundary SLIDE 98
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Thread boundary SLIDE 99
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Thread boundary SLIDE 100
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Thread boundary SLIDE 101
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 102
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 103
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 104
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 105
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 106
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 107
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 108
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 109
Onion Layered State Management
Error Kernel Object Critical state that needs protection Client Supervision Supervision Thread boundary SLIDE 110
Maintain Diversity and Redundancy
SLIDE 111
Maintain Diversity and Redundancy
SLIDE 112
The Network is Reliable
SLIDE 113
The Network is Reliable
NAT
SLIDE 114
Strong Consistency
Is the wrong default
SLIDE 115
We need Systems that are Decoupled IN
Time and Space
SLIDE 116
Resilient Protocols
Depend on
Asynchronous Communication Eventual Consistency
SLIDE 117
Resilient Protocols
- are tolerant to
- Message loss
- Message reordering
- Message duplication
Depend on
Asynchronous Communication Eventual Consistency
SLIDE 118
Resilient Protocols
- are tolerant to
- Message loss
- Message reordering
- Message duplication
- Embrace ACID 2.0
- Associative
- Commutative
- Idempotent
- Distributed
Depend on
Asynchronous Communication Eventual Consistency
SLIDE 119
Testing
SLIDE 120
What can we learn from Arnold?
SLIDE 121
What can we learn from Arnold?
SLIDE 122
What can we learn from Arnold? Blow things up
SLIDE 123
Shoot Your App Down
SLIDE 124
Pull the Plug
…and see what happens
SLIDE 125
SLIDE 126
Executive Summary
SLIDE 127
“Complex systems run in degraded mode.” “Complex systems run as broken systems.”
- richard Cook
SLIDE 128
Resilience is by Design
Photo courtesy of FEMA/Joselyne Augustino SLIDE 129
Thank
You
SLIDE 130
Thank
You
SLIDE 131
References
Antifragile: Things That Gain from Disorder - http://www.amazon.com/Antifragile-Things-that-Gain-Disorder-ebook/dp/B009K6DKTS Drift into Failure - http://www.amazon.com/Drift-into-Failure-Components-Understanding-ebook/dp/B009KOKXKY How Complex Systems Fail - http://web.mit.edu/2.75/resources/random/How%20Complex%20Systems%20Fail.pdf Leverage Points: Places to Intervene in a System - http://www.donellameadows.org/archives/leverage-points-places-to-intervene-in-a-system/ Going Solid: A Model of System Dynamics and Consequences for Patient Safety - http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1743994/ Resilience in Complex Adaptive Systems: Operating at the Edge of Failure - https://www.youtube.com/watch?v=PGLYEDpNu60 Dealing in Security - http://resiliencemaps.org/files/Dealing_in_Security.July2010.en.pdf What is resilience? An introduction to social-ecological research - http://www.stockholmresilience.org/download/ 18.10119fc11455d3c557d6d21/1398172490555/SU_SRC_whatisresilience_sidaApril2014.pdf Applying resilience thinking: Seven principles for building resilience in social-ecological systems - http://www.stockholmresilience.org/download/ 18.10119fc11455d3c557d6928/1398150799790/SRC+Applying+Resilience+final.pdf Puppies! Now that I’ve got your attention, Complexity Theory - https://www.ted.com/talks/ nicolas_perony_puppies_now_that_i_ve_got_your_attention_complexity_theory How Bacteria Becomes Resistant - http://www.abc.net.au/science/slab/antibiotics/resistance.htm Towards Resilient Architectures: Biology Lessons - http://www.metropolismag.com/Point-of-View/March-2013/Toward-Resilient-Architectures-1-Biology- Lessons/ Crash-Only Software - https://www.usenix.org/legacy/events/hotos03/tech/full_papers/candea/candea.pdf Recursive Restartability: Turning the Reboot Sledgehammer into a Scalpel - http://roc.cs.berkeley.edu/papers/recursive_restartability.pdf Out of the Tar Pit - http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.93.8928 Bulkhead Pattern - http://skife.org/architecture/fault-tolerance/2009/12/31/bulkheads.html Making Reliable Distributed Systems in the Presence of Software Errors - http://www.erlang.org/download/armstrong_thesis_2003.pdf On Erlang, State and Crashes - http://jlouisramblings.blogspot.be/2010/11/on-erlang-state-and-crashes.html Akka Supervision - http://doc.akka.io/docs/akka/snapshot/general/supervision.html Release It!: Design and Deploy Production-Ready Software - https://pragprog.com/book/mnee/release-it Hystrix - https://github.com/Netflix/Hystrix Akka Circuit Breaker - http://doc.akka.io/docs/akka/snapshot/common/circuitbreaker.html Reactive Streams - http://reactive-streams.org Akka Streams - http://doc.akka.io/docs/akka-stream-and-http-experimental/1.0/scala/stream-introduction.html RxJava - https://github.com/ReactiveX/RxJava Feedback Control for Computer Systems - http://www.amazon.com/Feedback-Control-Computer-Systems-Philipp/dp/1449361692 Simian Army - https://github.com/Netflix/SimianArmy Gatling - http://gatling.io Akka MultiNode Testing - http://doc.akka.io/docs/akka/snapshot/dev/multi-node-testing.html SLIDE 132