Design of a Stateful system for Robust Deployment and Observability

Transcript

1. Design of a Stateful system for Robust Deployment and Observability

   SREcon22 Asia/Pacific 7–9 December, 2022 Kazuki Higashiguchi, @hgsgtk Sr. Site Reliability Engineer A Better Way to Manage Stateful Systems:

2. What this talk is about Lessons learned from a project

   building and operating a stateful WebSocket server Design considerations of stateful systems maintaining long-living states Implement zero-downtime automated deployment pipeline Deployment Observability Make invisible internal states inside of an app observable Topic Technique

3. Case study - E2E test automation service for web apps

   Build tests easily with no-code Cross-browser testing Parallel execution

4. Case study - Primary infrastructure components • Web server ◦

   Management console (e.g., create/edit test scenarios, run tests, view test results) • Test execution engine (Worker) ◦ Facilitate test executions, persist test results data • Test execution environment (Device farm) ◦ Browsers and devices running tests • Connect server / client ◦ Establish a secure bidirectional tunnel connection with customers’ private networks

5. Case study - Test execution journey

6. Case study - A stateful system in Autify

7. Case study - States in Connect server 1. Use WebSocket

   to establish a bidirectional tunnel connection (Session) a. Long-living connection between Connect server and Connect client 2. Proxy server to transfer requests (Test Connection) from Device farm a. Proxy HTTP(S) requests over Session

8. Robust Deployment Design of a stateful system for… Automated zero-downtime

   deployment for a stateful system

9. Why zero-downtime? Actively developed High stability is required Zero-downtime Automation

   Blue-Green Deployment Rolling Update Background • Go application developed by Autify • Frequently deployed into production • Used by customers right now to test applications on their private networks • Reliable test execution infrastructure is essential for our business Solution • To keep deployment frequency • Minimal errors • To make this stateful system reliable …etc

10. A failure story - with a Blue-Green deployment A stateful

    server is running in Blue environment… Prepare Green Switch a router so incoming requests go to Green Terminate Blue Keep Blue running for a while Steps in a typical Blue-Green deployment

11. 1. Prepare Green 2. Switch a router incoming requests go

    to Green 3. Keep Blue running for a while 4. Terminate Blue Start a new Blue-Green deployment… A failure story - with a Blue-Green deployment

12. Terminating a busy Blue server causes test execution errors A

    failure story - with a Blue-Green deployment

13. How to avoid errors during deployment Terminating Blue servers causes

    errors Prepare Green Switch a router so incoming requests go to Green Terminate Blue Keep Blue running for a while Confirm if Blue is ready to terminate Solution - Verification step to confirm if Blue is ready to terminate Symptom Why? Blue server is not ready to terminate if it has busy states internally Until Blue becomes ready

14. Candidates to see if Blue is ready to terminate Log

    monitoring Infrastructure metrics Watch CPU usage, Network I/O, etc • +1 Help to understand and measure how apps are behaving • -1 Just an event measured at some point. Not real-time status of app See internal states inside of app • +1 Single source of truth • +1 Real-time data • -1 Effort to design and implement codes to make apps observable • -1 Mixed causes other than app • -1 Difficult to see what the application is currently doing Possible solutions Effectiveness Get data about internal states via app Search for application logs

15. Design tips for making stateful apps observable (1) • e.g.,

    “GET /metrics” • Similar patterns, Health Endpoint pattern • Easy to use from external programs HTTP endpoint to show metrics of internal states

16. Design tips for making stateful apps observable (2) • To

    build metrics of internal states anytime • e.g., Store metadata of ongoing states in-memory • It should be considered at an earlier stage to avoid a huge rewrite Design stateful app to be able to see necessary details in each state

17. Verification steps to confirm if Blue is ready to terminate

    If the number of sessions is 0, it is ready • Server-1: Not ready to terminate • Server-2: Ready to terminate Get metrics of internal states via API Determine if each server is ready to terminate

18. Still not enough to address long-living states Happy path Unhappy

    path Until Blue become ready Prepare Green Switch a router so incoming requests go to Green Terminate Blue Keep Blue running for a while Confirm if Blue is ready to terminate Steps in Blue-Green deployment Every session in a blue server shuts down when starting a deployment. Deployment finishes successfully. Every session in a blue server keeps running. We’ve waited for hours, but Blue is not ready to terminate yet…

19. Any ways to address unhappy path? Long-living existing sessions makes

    terminations of Blue wait for a long time Symptom Why? Each session keeps living until a client disconnects a WebSocket connection Prepare Green Switch a router so incoming requests go to Green Terminate Blue Keep Blue running for a while Confirm if Blue is ready to terminate Shut down idle sessions in Blue Solution - Shut down idle sessions in Blue Until Blue become ready Until Blue becomes ready to terminate

20. Shut down idle sessions in Blue - 1st step Get

    metrics of internal states via API Determine if each session is idle Shut down idle sessions Clients reconnect to Green Get detailed metrics of each session via API

21. Shut down idle sessions in Blue - 2nd step Get

    metrics of internal states via API Determine if each session is idle Shut down idle sessions Clients reconnect to Green Implement the business logic to determine if each session is idle a. If no Test Connection, it is idle b. Else, it is busy (must not be shut down) Busy (5 test conns) Idle (0 test conns)

22. Shut down idle sessions in Blue - 3rd step Implement

    HTTP endpoint to control internal states • Deployment process sends requests “DELETE /sessions” to close sessions • Server accept requests and closes idle sessions Shu down idle sessions by calling API to control each session

23. Shut down idle sessions in Blue - 4th step Clients

    reconnect to Green following by the router navigation Client application should have an automatic reconnection • In case a server is replaced

24. Succeeded to address unhappy path 1st 2nd 3rd Shut down

    idle sessions in Blue • Existing clients can now be safely directed to the Green in sequence ◦ It is easier to find the safe time to disconnect on a per-session basis than on a per-server basis • Deployment time has been mitigated

25. Implementation with AWS Prepare Green Switch a router so incoming

    requests go to Green Terminate Blue Keep Blue running for a while Confirm if Blue is ready to terminate Steps in Blue-Green deployment Shut down idle sessions in Blue Develop in-house deployment pipeline • No managed AWS service was a fit AWS Step Functions*1 and Lambda • +1 Serverless • +1 Fully customizable • -1 Takes time to build *1 AWS Step Functions is a visual workflow service helping developers to build automated processes

26. Deployment workflow with AWS Step Functions Prepare Green Switch a

    router incoming requests go to Green Shut down idle sessions in Blue Confirm if Blue is ready to terminate Keep Blue running for a while Terminate Blue

27. Lessons we learned • Long-living states make it difficult to

    terminate an old server safely • Blue-Green deployment with two steps controlling internal states ◦ 1. Shut down idle states (Sessions; WebSocket conns) ◦ 2. Verify Blue servers are ready to terminate before terminating them • Design a stateful app to be observable and be able to control its internal states since an earlier stage • Pros/Cons ◦ +1 Zero-downtime, no errors during deployment ◦ +1 Mitigate deployment time by shutting down idle states gradually ◦ -1 Time to build a deployment pipeline

28. Observability Design of a stateful system for… A measure of

    how well you can understand and explain any situation your system can get into, no matter how novel or bizarre.

29. A difficult question to answer in stateful systems (1) How

    can we see the actual usage of each stateful server? • Meaningful data is inside of internal states • e.g., The number of test connections each server addresses in its internal state Low Visibility Difficult questions Solution Custom metrics visualizing internal states Cause • Inside of app is invisible from external • Not persistent

30. Custom metrics to overview inside of a stateful app •

    Get metrics data via API to show metrics of internal states • Record as a custom metrics ◦ e.g., DataDog custom metrics from datadog-agent • Visualize meaningful data inside of an app ◦ E.g., number of test connections -> how busy each server is • Set alerts ◦ Define what makes a metric health versus unhealthy

31. A difficult question to answer in stateful systems (2) Can

    you search all events and user requests related to a suspicious state? • Logic to handle internal states would be complex and core part of app • e.g., Session “A” seems to be disconnected at unintentional timing. Is it ok? Difficult to search from each state • No searchable key by default Searchable logs and traces by each state identifier Difficult questions Solution Cause

32. Searchable logs by each state level {“ts”: “...”, "level": "info",

    "session_id": "ssid-1", "msg": "..."} {“ts”: “...”, "level": "info", "session_id": "ssid-2", "msg": "..."} {“ts”: “...”, "level": "warn", "session_id": "ssid-1", "msg": "...’"} {“ts”: “...”, "level": "info", "session_id": "ssid-1", "test_conn_id": "id-1", "msg": "..."} {“ts”: “...”, "level": "info", "session_id": "ssid-1", "test_conn_id": "id-2", "msg": "..."} {“ts”: “...”, "level": "info", "session_id": "ssid-2", "test_conn_id": "id-1", "msg": "..."} {“ts”: “...", "level": "info", "session_id": "ssid-1", "msg":"..."} | jq 'map(select( .session_id == "ssid-1" ))' | jq 'map(select( .test_conn_id == "id-1" ))' • Likely to be uniquely identifiable ◦ e.g., Session_id > test_conn_id • Structured logging • Add an identifier of state to the key of log entries ◦ e.g., session_id, test_conn_id Techniques Effect

33. Traces - OSS case study - Selenium Grid 4 @tags.session_id=”sess

    ion_id” Tag: @session_id • Selenium Grid 4 ◦ A server that makes it easy to run tests in parallel on multiple machines ◦ Instrumented with tracing using OpenTelemetry • Add a state identifier into span attributes *1 • Traces can be searched by “session_id” ◦ (WebDriver) Session id is a unique identifier to handle a browser for testing Techniques *1 Key-value pairs providing additional information about each span

34. Traces - Custom Instrumentation to search for traces @tags.session_id=”session_id” @tags.test_conn_id=”test_conn_id”

    Provide context into spans by adding an identifier of states into span tags Traces have contexts pointing internal states

35. Lessons we learned • Building a robust deployment makes us

    to consider observability of stateful systems ◦ Solutions for building a robust deployment can be used to build metrics data • Improve metrics, logs, and traces in case something unknown happens around the core stateful part Questions? >>> @hgsgkt Kazuki Higashiguchi

36. HTTP Tunneling over WebSocket Appendix A https://speakerdeck.com/hgsgtk/http-tunneling-in-go

37. HTTP Tunnel with CONNECT method 1. Client sends CONNECT request

    2. Gateway opens TCP connection to the server 3. Gateway returns HTTP ready message to the client 4. Start bidirectional communication of raw packets of data Quoted from HTTP: The Definitive Guide / 8.5 Tunnels

38. HTTP Tunneling over WebSocket HTTP(S) Client HTTP(S) Server WebSocket server

    WebSocket client WebSocket Conn WebSocket Conn TCP Conn TCP Conn $ curl -Lv -x http://websocket-server https://target.local WebSocket server and WebSocket client jointly act as a proxy(gateway). https://target.local http://websocket-server streaming streaming
39. None

40. WebSocket server tells the address of destination to WebSocket client.

    WebSocket client open a TCP connection to the destination server.

41. Bidirectional message over an established WebSocket connection.

42. Infrastructure patterns of routing stateful servers Appendix B

43. Load balancing with Sticky session +1 Simple +1 Little or

    no implementation required Infrastructure patterns of routing stateful servers Another API tell clients the addr +1 Address flexible server requirements (e.g., enterprise customer) +1 Each server has its own URL, making reconnection easy 1 2

44. If one session is busy in more long term… Appendix

    C

45. 1st 2nd N Shut down idle sessions in Blue Theoretically,

    if a single session is used forever and uninterruptedly, the solution “Shut down idle sessions in Blue” will not be sufficient. Unhappy path again if one session is busy more long term…

46. A possible design Make the network route redundant by having

    two sessions at the same time 1 2 3

47. A possible design: Pros/Cons • Faster deployment even when some

    sessions are busy for a long time Pros Cons • More complex design and error handling ◦ Lots of edge cases (e.g., network interruption) Our current decision: Go with the original design • Browser automation does not always make network requests (e.g., scrolling, find an element) • Enough easy to find the safe time to disconnect on a per-session • Even if this becomes necessary, the original design will still need to be

48. Infrastructure patterns between browsers and proxies Appendix D

49. • Proxy address is specified at startup ◦ Changing addresses

    after startup is tricky. Modern browsers’ specification ./Google\ Chrome --no-sandbox --proxy-server={proxy-host}:{proxy-port} e.g., Chrome

50. Infrastructure design patterns 1 Browser Proxy 2 Browser Local Proxy

    Proxy 3 Browser Load Balancer Proxy +1 Straightforward -1 No way to switch a proxy server after launching a browser Pros/Cons +1 Can switch a target proxy by a local proxy behavior -1 Communicating address changes to the Local proxy could be complicated +1 Can switch a target proxy by load balancing -1 It depends on the URL of the load balancer itself. Proxy Proxy

51. Supplementary materials Appendix X

52. Open Page Network request during browser operation - Simple A

    test Scenario with a simple web application Input Form Find Element Assert Request by JavaScript Connect server Conn Conn Test Connection lives until closed. E.g., • Close TCP sessions • Keep-Alive timeout

53. Start WebSocket Connection Network request during browser operation - WebSocket

    Action Action Close App Connect server wss://srecon22-example.autify.com… Conn Close A frontend application using WebSocket

54. References • HTTP Tunneling in Go by Kazuki Higashiguchi, Autify

    • Book “Observability Engineering” by Charity Majors, Liz Fong-Jones, George Miranda • Book “Operations Anti-Patterns, DevOps Solutions” by Jeffery Smith • Book “Practical Monitoring” By Mike Julian • Observability Whitepaper by CNCF TAG for Observability • Observability in Selenium Grid by Selenium • Blue Green Deployment by martinfowler.com