Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Aerospace Engineering

TDDD36 Secure Mobile Systems Systems Software Lecture 5: Dependability & Replication

advertisement 
Overview
TDDD36
Secure Mobile Systems
Systems Software
Lecture 5: Dependability & Replication
Simin Nadjm-Tehrani
Real-time Systems Laboratory
Department of Computer and Information Science
Linköping University
Project course TDDD36
Systems Software module
28 pages
Autumn 2012
Last lecture:
• distributed systems are hard to design
with guaranteed services when failures
are considered
This lecture:
• we will have a closer look at failures and
related concepts
• We will look at replication as a common
means of achieving fault tolerance
Project course TDDD36
Systems Software module
2 of 28
Autumn 2012
Project course TDDD36
Systems Software module
4 of 28
Autumn 2012
Booking an aerobics pass
Microsoft OLE DB Provider for ODBC
Drivers error '80040e31'
[MySQL][ODBC 3.51 Driver][mysqld5.0.27-community-nt]Table
'.\kdk_se\foreningsinfo' is marked
as crashed and should be repaired
/eKop\funktioner.asp, line 114
Project course TDDD36
Systems Software module
3 of 28
Autumn 2012
Känner ni igen detta?
Google’s 100 min outage
September 2, 2009:
A small fraction of Gmail’s servers were
taken offline to perform routine
upgrades.
“We had slightly underestimated the
load which some recent changes
(ironically, some designed to improve
service availability) placed on the
request routers .”
Project course TDDD36
Systems Software module
5 of 28
Autumn 2012
Project course TDDD36
Systems Software module
6 of 28
Autumn 2012
1
Dependability
• How do things go wrong?
• Why?
• What can we do about it?
What is dependability?
Property of a computing system which
allows reliance to be justifiably placed on
the service it delivers.
[[Avizienis et al.]]
• Basic notions in dependable systems
and replication for fault tolerance
The ability to avoid service failures that
are more frequent or more severe than
is acceptable.
(sv. Pålitliga datorsystem)
Project course TDDD36
Systems Software module
7 of 28
Autumn 2012
Project course TDDD36
Systems Software module
8 of 28
Autumn 2012
Reliability
Attributes of dependability
IFIP WG 10.4 definitions:
• Safety: absence of harm to people and
environment
• Availability: the readiness for correct
service
• Integrity: absence of improper system
alterations
• Reliability: continuity of correct service
• Maintainability: ability to undergo
modifications and repairs
Project course TDDD36
Systems Software module
9 of 28
Autumn 2012
[Sv. Tillförlitlighet]
Means that the system (functionally)
behaves as specified, and does it
continually over measured intervals of
time.
Typical measure in aerospace: 10-9
Another way of putting it: MTTF - One
failure in 109 flight hours.
Project course TDDD36
Systems Software module
Availability
• Not to be confused with reliability...
Once upon a time…
• We could trust that some services were
available and reliable
–
–
–
–
• How to measure availability?
Project course TDDD36
Systems Software module
10 of 28
Autumn 2012
11 of 28
Autumn 2012
Police and Rescue services
Banking sector
T l
Telecommunications
i ti
…
Project course TDDD36
Systems Software module
12 of 28
Autumn 2012
2
26 January 2007
• The Royal Bank of Scotland, which also
owns NatWest, has apologised after its
cashpoint, online, and telephone
banking systems all crashed.
• Stockholm: The police telephone system
stopped working at 2 a.m. and was not
back to working state until 7 a.m.
• Both the emergency number and several
local exchanges were out of order
• Happened when the telecom operator was
installing an updated answering machine
Project course TDDD36
Systems Software module
2 June 2007
13 of 28
Autumn 2012
• A spokeswoman said: "We are very
sorry, and we're working to sort it out."
Project course TDDD36
Systems Software module
20 August 2007
• The network outage was caused by
"massive restart of [its] user's
computers across the globe within a
very short timeframe after a routine
software update.
update "
• Resulted in a high number of log-in
requests, leading to what Skype calls a
"chain reaction."
Project course TDDD36
Systems Software module
15 of 28
Autumn 2012
14 of 28
Autumn 2012
Faults, Errors & Failures
• Fault: a defect within the system or a
situation that can lead to failure
• Error: manifestation (symptom) of the
fault - an unexpected behaviour
• Failure: system not performing its
intended function
Project course TDDD36
Systems Software module
Examples
• Year 2000 bug
• Bit flips in hardware due to cosmic
radiation in space
• Loose wire
• Air craft retracting its landing gear while
on ground
16 of 28
Autumn 2012
Means to achieve
… dependability according to [IFIP 10.4]:
1.
2.
3.
4.
Fault
Fault
Fault
Fault
prevention
removal
tolerance
forecasting
Effects in time:
Permanent/ transient/ intermittent
Project course TDDD36
Systems Software module
17 of 28
Autumn 2012
Project course TDDD36
Systems Software module
18 of 28
Autumn 2012
3
Fault  Error  Failure
• Goal of system verification and
validation is to eliminate faults
• Fault detection
– By program or its environment
Some will
remain…
• Fault tolerance using redundancy
– software
– hardware
– Data
• Goal of hazard/risk analysis is to focus
on important faults
• Fault containment by architectural
decisions
• Goal of fault tolerance is to reduce
effects of errors if they appear eliminate or delay failures
Project course TDDD36
Systems Software module
On-line fault management
19 of 28
Autumn 2012
Project course TDDD36
Systems Software module
Redundancy
20 of 28
Autumn 2012
Static or Dynamic
From D. Lardner: Edinburgh Review, year 1824:
”The most certain and effectual check upon errors
which arise in the process of computation is to
cause the same computations to be made by
separate andd independent
i d
d computers*;
* andd this
hi
check is rendered still more decisive if their
computations are carried out by different
methods.”
Static redundancy:
• Used all the time (whether an error has
appeared or not), just in case…
Dynamic redundancy:
• Used only when the error appears and
specifically aids the treatment
* people who compute
Project course TDDD36
Systems Software module
21 of 28
Autumn 2012
Project course TDDD36
Systems Software module
Server replication models
22 of 28
Autumn 2012
State consistency
• Primary backup:
• Primary backup
• Active replication
– Every response to clients is preceded by an
update to all servers and their
acknowledgement
• Active replication:
– Typically via a reliable multicast
– Some ordering requirement (FIFO, ...)
X
• States of backups (or active replicas)
should be the same when a replica
failure takes place
: Denotes a replica group
Project course TDDD36
Systems Software module
23 of 28
Autumn 2012
Project course TDDD36
Systems Software module
24 of 28
Autumn 2012
4
Group view
• All servers are notified about a crashing
server at the same “logical” time
defined by the order of received
messages
Project course TDDD36
Systems Software module
25 of 28
Autumn 2012
Supporting fault tolerance
• Server replication in larger groups
requires complex lower layer services
(like group membership, multicast,
order processing)
Middleware!
• Guaranteeing state consistency in
presence of failures is difficult (needs
proofs about those underlying protocols)
and requires synchrony assumptions
Project course TDDD36
Systems Software module
26 of 28
Autumn 2012
Checkpointing
To the client
Client request
Checkpointing
request
q
Backup
Logging
Application
Server
Server
Questions?
Q
Request
replies
Challenge: to checkpoint often enough but
not too often
Project course TDDD36
Systems Software module
27 of 28
Autumn 2012
Project course TDDD36
Systems Software module
28 of 28
Autumn 2012
5
Related documents
Topic 2 year cycle ks1 and 2
Topic 2 year cycle ks1 and 2
CURRICULUM NEWSLETTER FOR PARENTS
CURRICULUM NEWSLETTER FOR PARENTS
Backdrop Plan
Backdrop Plan
New Curriculum 2014 Keystage 2 Cycle
New Curriculum 2014 Keystage 2 Cycle
A-Level-Geography-Overview
A-Level-Geography-Overview
Download
advertisement