Agile, Lean, Rugged - The Paper Edition

Transcript

1. Keynote ✨ ✨ ✨ ✨

2. The Paper Edition! ! " # $ %♥ ' !

   " # $ %♥ ' ! " # $ %♥ ' ! " ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! ! " ' ! " % # $ %♥ ' ♥ $ %♥ Agile, Lean, Rugged

3. First .Introductions

4. @Randommood Ines Sombra

5. @adriancolyer Adrian Colyer

6. The Rules Only 5 minutes per paper Foundation ! Frontier

   A challenge! No Cheating!

7. A paper tour of Agile

8. Foundation !

9. We disdain old software

10. “The only systems that don’t get changed are those that

    are so bad nobody wants to use them”

11. When software gets older

12. Design for change Embrace modularity & information hiding Stress clarity

    & documentation Amputate disease-ridden parts Plan for eventual replacement Preventative medicine

13. Frontier

14. What do we want? We want agile Development Testing and

    verification Delivery and we want agility of operations too!

15. Facebook Scuba Data lives in server’s heap

16. The problem with state Restarting a database clears its memory

    Reading 120GB of data from disk takes about 3 hours per server (8 per machine) Even with orchestrated restarts & partial queries total of ~12 hours to restart a fleet Operationally expensive & slow!

17. “When we shutdown a server for a planned upgrade, we

    know that the memory state is good… so we decided to decouple the memory’s lifetime from the process’s lifetime“

18. 2-3 minutes per server Fleet restarts < 1 hour now!

19. A paper tour of Lean

20. Foundation !

21. Which system is better?

22. Single-minded pursuit of scalability is the wrong goal

23. Common wisdom Effective scaling is evidence of solid system building

    Why does this happen? McSherry et al. Any system can scale arbitrarily well with a sufficient lack of care in its implementation

24. ! " # $ %♥ ' ! " # $

    %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! ! " ' ! " % # $ %♥ ' ♥ $ %♥ # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! ! " ' ! " % # $ %♥ ' ♥ $ %♥ # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ COST Configuration that outperforms a single thread COST of a system is the hardware platform (number of cores) required before the platform outperforms a competent single threaded implementation
25. None

26. “If you’re building a system, make sure it’s better than

    your laptop. If you’re using a system, make sure it’s better than your laptop” McSherry

27. Frontier

28. None
29. None

30. Sampling works!

31. Error bounds & confidence

32. Don’t ask wasteful questions

33. A paper tour of Rugged

34. Foundation !

35. Strategies to enhance ruggedness in the presence of failures Better

    way to think about system availability Ruggedness as availability

36. Harvest: fraction of the complete result Yield: fraction of answered

    queries

37. Yield as response ruggedness Close to uptime (% requests answered

    successfully) but more useful because it directly maps to user experience Failure during high & low traffic generates different yields. Uptime misses this Focus on yield rather than uptime

38. Harvest as quality of response From Coda Hale’s “You can’t

    sacrifice partition tolerance” Server A Server B Server C Baby Animals Cute X 66% harvest

39. #1: Probabilistic Availability Graceful harvest degradation under faults Randomness to

    make the worst-case & average-case the same Replication of high-priority data for greater harvest control Degrading results based on client capability

40. #2 Decomposition & Orthogonality Decomposing into subsystems independently intolerant to

    harvest degradation (fail by reducing yield). But app can continue if they fail Only provide strong consistency for the subsystems that need it Orthogonal mechanisms (state vs functionality)

41. Frontier

42. Ruggedness via verification Formal Methods Testing TOP-DOWN FAULT INJECTORS, INPUT

    GENERATORS BOTTOM-UP LINEAGE DRIVEN FAULT INJECTORS WHITE / BLACK BOX WE KNOW (OR NOT) ABOUT THE SYSTEM HUMAN ASSISTED PROOFS SAFETY CRITICAL (TLA+, COQ, ISABELLE) MODEL CHECKING PROPERTIES + TRANSITIONS (SPIN, TLA+) LIGHTWEIGHT FM BEST OF BOTH WORLDS (ALLOY, SAT)

43. ! " # $ %♥ ' ! " # $

    %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! ! " ' ! " % # $ %♥ ' ♥ $ %♥ # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ ! " # $ %♥ ' ! ! " ' ! " % # $ %♥ ' ♥ $ %♥ # $ %♥ ' ! " # $ %♥ ' ! " # $ %♥ ' ! " $ % ♥ ' ! " # $ %♥ ' ! " # $ % # $ %♥ ♥ ' ! " $ MOLLY: Lineage Driven Fault Injection Reasons backwards from correct system outcomes & determines if a failure could have prevented it MOLLY only injects the failures it can prove might affect an outcome

44. Ruggedness with MOLLY “Without explicitly forcing a system to fail,

    you have no confidence that it will operate correctly in failure modes” Caitie McCaffrey’s pearls of wisdom Verifier Programmer

45. MOLLY helps us undestand failure

46. “Presents a middle ground between pragmatism and formalism, dictated by

    the importance of verifying fault tolerance in spite of the complexity of the space of faults”

47. Now let’s .Wrap things

48. Agile Lean Rugged tl;dr - foundations A scalable system may

    not be a lean system Pursuing scalability out of context can be COSTly Designing for change is designing for success Think about availability in terms of yield and harvest Graceful degradation is a design outcome ! !

49. Agile Lean Rugged tl;dr - Frontiers Asking the wrong question

    is wasteful Think about what is truly needed Use approximations State can be challenging Saving state in shared memory allows us to restart DB processes faster Reasoning backwards from correct system output helps us determine the execution failures that prevent it from happening

50. Join your local PWL and read The Morning Paper! github.com/Randommood/GotoLondon2015

    Papers are a lot of fun!

51. ✨ ✨ DRANKS!