Beruflich Dokumente
Kultur Dokumente
Ken Birman
Ken Birman
3
Researcher in high assurance computing since joining Cornell in 1982 (PhD U.C. Berkeley). Currently Cornells N. Rama Rao Professor of Computer Science. ACM Fellow, Winner of IEEE Tsutomu Kanai Award Built the distributed software infrastructure used for a decade by the New York Stock Exchange, and still used in the French Air Traffic Control System, the US Navy AEGIS and several other mission-criticial systems. Contact information at http://www.cs.cornell.edu/ken
Client platform: browsers and apps, which are programs that exploit a stripped-down browser API Internet transports the data Data centers run web services that produce the pages we see, stream videos, etc
7/11/2013
The client system is vulnerable to loss of connectivity, compromise by downloaded code and infection by viruses and worms. The Internet layer is potentially unreliable
The mapping of domain names to IP addresses is very complex (consequence of cloud need to steer traffic) Network reliability is much lower than it needs to be Much too easy to snoop on traffic or attack connections
Nobody gets hurt, but perhaps the system reports that it has gone offline
Then do everything practical to enhance reliability, consistency, security, other needed properties Today: Focus on the web services running on the cloud data center
The Web Services infrastructure can fail or reconfigure abruptly, forcing the client to reconnect
In the race to offer the fastest possible services to the largest possible number of clients todays cloud often gives up on other assurance properties
Required
A single system needs to tell multiple kinds of assurance stories and not all in the same way An mHealth application:
Needs to reassure the user that it is trustworthy Needs to help the developer make the right choices Must implement complex protocols correctly Must be a good citizen on the cloud data center
12
7/11/2013
Governed by Kirchoffs Law Power enters at every generator, exits at every load Hierarchical structure:
Well need to monitor power loads, frequency, current in real-time, reliably and securely Use this data to estimate the state of the grid and to predict its evolution over time Use those predictions to plan control actions: increase/decrease generation, borrow reactive power from neighboring regions, adapt pricing, etc Ultimately the grid will become a new kind of network. But must also be safe, efficient, and secure against both mishaps and even attack!
California: Repeated episodes of market manipulation aimed at increasing profits for companies such as Enron that speculate on pricing Multi-state and multi-national rolling outages
Causes turmoil for air traffic, ground traffic, telephone outages Will smartness also make grid more fragile? Risk of CyberAttacks?
Suppose that a cloud control system speaks with two voices In physical infrastructure settings, consequences can be very costly
Canadian 50KV bus going offline
Suppose that a cloud control system speaks with two voices In physical infrastructure settings, consequences can be very costly
Canadian 50KV bus going offline
Bang!
7/11/2013
Example 2: mHealth
To make it smart we need to monitor at a massive scale and use that to initiate control actions But for this to be safe, we need more that fast response and elasticity
We also need security (so that attackers cant take the grid down) ... and consistency (as we just saw) ... and fault-tolerance (since power systems often experience failures of various kinds)
A term for everything outside the doctors office (but might be linked to electronic health records) Goal is to make your life better and healthier
Encourage activity Discourage poor nutrician choices Help patients with chronic conditions manage their complex medical devices and medications Offer caregivers a window into health so that the patient can maintain independence
21
Mrs. Marsh has been dizzy. Her stomach is upset and she hasnt been eating well, yet her blood sugars are high.
Medication station tracks, dispenses pills Integrated glucose monitor and Insulin pump receives instructions wirelessly
Lets stop the oral diabetes medication and increase her insulin, but well need to monitor closely for a week
Cloud Infrastructure
Home healthcare application
Consistency: Even if accessed by multiple users concurrently, the data looks like a single database
This sounds like it should obviously be true, but when the data is spread over multiple computers, if they dont coordinate their actions, consistency can easily violated For example, perhaps machine 1 shows updates machine 2 never saw. Perhaps machine 3 sees all the updates but has the order confused. Each of these cases can cause serious inconsistencies.
Durability: Even if system components crash and then recover later, data will not be lost.
Updates confuse things: before the update occurs, clearly it isnt durable After the update is finished, it must have durable effect Question to pose: exactly when did it need to be durable?
Usual
answer: If the effect of an update survives a crash, then the update itself should also survive the crash
7/11/2013
Scalability
25 26
As we make the system larger, perforance remains good It needs to be able to support large numbers of clients and run on large numbers of cloud computing systems Fast response: Queries shouldnt delay for long. Updates should have rapid effect on the data.
Todays cloud systems work well in all of these ways but without providing strong guarantees except in certain very specialized cases, like Googles new Spanner database Our challenge: can normal people who arent in the Google spanner development team also create trustworthy cloud computing solutions?
mHealth summary
27 28
The needs of the system vary depending on what part of the system we focus on
In our example, some aspects need durability in the sense of a logged database update, while others might accept durability through in-memory replication This illustrates one of many such tradeoffs
If we had more time we could identify a number of additional issues of this kind
Examples: Hadoop (a version of MapReduce), Zookeeper, Graphlab, Pregel, Vowpal Wabbit, global file systems like GFS, etc. In this short class we will focus on process group tools and will use Isis2 as our main example.
At very large scale, either a thing is extremely fast, or unacceptably slow So everything we do must be shaped by speed!
High assurance is not an option if the solution would be dramatically slower For example, the cloud computing community avoids databases.
30
They founded the NoSQL movement (storage, but not as strong as a SQL database) for this reason.
7/11/2013
Top priority: delay until a client receives a reply Critical path traces actions that contribute to this delay
Update the monitoring and alarms criteria for Mrs. Marsh as follows
Service instance
When we replicate information but want to be sure the data wont be lost, critical path extends into the replicas
Update the monitoring and alarms criteria for Mrs. Marsh as follows
Service instance
Critical path
Response delay seen by end-user would include Internet latencies Response delay seen by end-user would include Internet latencies
Critical path
Confirmed
Confirmed
Critical path
When we build complex systems it is hard to imagine how they will behave when we run them By thinking about the critical performance-limiting paths, we can focus our attention on specific elements and not think about the whole system By avoiding delays on the critical path, we bring benefits to the whole system!
The cars have autonomy but they depend on data from the cloud and would have a much harder challenge if that data couldnt be trusted Todays online banking systems are growing, but as they happens, more and more security issues arise Chemical refineries, manufacturing plants, ...
Banking systems
Process control
36
And beyond that we might have other assurance properties that a particular use case doesnt need The challenge will be to analyze each application, and then to translate its needs into cloud solutions
7/11/2013
There are many ways to replicate information But it becomes tricky if the data or even the service evolves over time.
Replication of changing data can leave a confusing mess if a request encounters stale versions. In some situations these errors can harm the client. In others, they could cause security violations.
Theory of Consistency
A consistent distributed system will often have many components, but users observe behavior indistinguishable from that of a single-component reference system. Our power system example illustrated a form of inconsistency
Canadian 50KV bus going offline
Fischer, Lynch and Patterson: FLP theorem proves that any correct fault-tolerant protocol strong enough to solve consensus (a form of agreement) can also wedge in the event of certain sequences of failures. But those sequences turn out to be very rare. Brewers CAP theorem posits that you can only have two from {Consistency, Availability and Partition Tolerance}. But the proof holds only for a service running in a WAN, not for one in a single data center.
Bang!
In todays lecture we wont drill down But in lecture 4 we will look more closely at these theoretical questions
Mathematics is a valuable tool for cloud computing By making a correspondance of computing ideas to mathematics we can reason more rigorously Yet we will also find that some of the existing theory has limitations of its own
7/11/2013
Isis2 System
44
43
A prebuilt technology that automates many of the hard tasks involved in replicating services and the data on which they depend Targets cloud computing settings Available in open-source from isis2.codeplex.com
Isis2 System
45 46
C# library (but callable from any .NET language) offering replication techniques for cloud computing developers Based on a model that fuses virtual synchrony and state machine replication models Research challenges center on creating protocols that function well despite cloud events
Elasticity (sudden scale changes) Potentially heavily loads High node failure rates Concurrent (multithreaded) apps
Long scheduling delays, resource contention Bursts of message loss Need for very rapid response times Community skeptical of assurance properties
Formal model permits us to achieve correctness Isis2 is too complex to use formal methods as a development too, but does facilitate debugging (model checking) Think of Isis2 as a collection of modules, each with rigorously stated properties
Isis2 implementation needs to be fast, lean, easy to use Developer must see it as easier to use Isis2 than to build from scratch Seek great performance under cloudy conditions Forced to anticipate many styles of use
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security (g.SetSecure), persistence Consistency model dictates the ordering aseen for event upcalls and the assumptions user can make
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security (g.SetSecure), persistence Consistency model dictates the ordering seen for event upcalls and the assumptions user can make
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.Join(); g.Send(UPDATE, Harry, 20.75);
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.Join(); g.Send(UPDATE, Harry, 20.75);
7/11/2013
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security (g.SetSecure), persistence Consistency model dictates the ordering seen for event upcalls and the assumptions user can make
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security (g.SetSecure), persistence Consistency model dictates the ordering seen for event upcalls and the assumptions user can make
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.Join(); g.Send(UPDATE, Harry, 20.75); List<double> resultlist = new List<double>(); nr = g.Query(ALL, LOOKUP, Harry, EOL, resultlist);
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.Join(); g.Send(UPDATE, Harry, 20.75);
Concept: A multi-query
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security (g.SetSecure), persistence Consistency model dictates the ordering seen for event upcalls and the assumptions user can make
Our lookup is
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.Join(); g.Send(UPDATE, Harry, 20.75);
p q r s t
Time:0 102030 40
First sets up group Join makes this entity a member. State transfer isnt shown Then can multicast, query. Runtime callbacks to the delegates as events arrive Easy to request security, persistence, tunnelling on TCP... Consistency model dictates the ordering seen for event upcalls and the assumptions user can make
5060 70
}; g.Handlers[UPDATE] += delegate(string s, double v) { Values[s] = v; }; g.Handlers[LOOKUP] += delegate(string s) { g.Reply(Values[s]); }; g.SetSecure(myKey); g.Join(); g.Send(UPDATE, Harry, 20.75);
Checkpoints can also be used to save group state during periods when all members are inactive
7/11/2013
Isis2 Summary
To replicate data maintained by the members in memory To replicate actions taken on an external service such as a replicated database To ensure that all replicas are configured the same way
To coordinate the processing of requests and load-balance To offer a way to parallelize processing by having each group member do part of the work Fault-tolerance via a backup scheme
A library that you can invoke from a normal program written in a normal way It does the work of creating groups and sending multicasts and ensuring that the consistency model will be enforced The developer just tells it what to do.
She thinks about a parallel distributed application. Virtual synchrony eliminates many hard problems
SafeSend and Send are two of the protocol components hosted over what we call the large-scale properties sandbox. The sandbox addresses issues like flow control, security, etc. All protocols share and benefit from those properties
Isis2 user object Isis2 user object Isis2 user object
Other group members
This is a good question to ask In fact we could focus on any of a number of other technologies, including other multicast products
Membership Oracle The SandBox itself is mostly composed of convergent protocols that use probabilistic methods Isis2 library Flow Control Group instances and multicast protocols Group membership Reliable Sending Fragmentation Platform Security Group Security TCP tunnels (overlay)
Dr. Multicast
Views
But Isis2 is open source and specifically designed for cloud settings. (Also, Ken built it!)
These systems are complex, especially if you want to run on platforms like EC2 By using Isis2 you inherit 30 years of research on how to make it work
59
Segment V: Performance
Can Isis2 applications achieve the kinds of scalable performance and elasticity required in large cloud deployments?
Lets look again at our mHealth example We want the best possible performance but we also want to be sure that the application is safe for this kind of use
We need consistency, yet also need snappy response and elasticity, especially in the monitoring component After all, it continuously monitors huge numbers of patients. What limits scalability?
10
7/11/2013
Speed of updates
61 62
Isis2 offers several ways to do updates (we will visit them more carefully later) They have big performance implications But speed can have more than one definition!
As a developer, youll want to use the fastest option that is still safe in your setting
... Hence will need to understand how each works ... and how fast each solution will be
Latency ops/second
Latency: Delay before external user sees action Ops/second: total throughput
For most purposes systems like Isis2 offer basic performance of about 1000 ops/second But by grouping requests into batches of ~50/request, services that can support ~50,000 ops/second are feasible Building them is challenging, but we wont focus on that engineering topic in these lectures
Send scales best, but SafeSend with in-memory (rather than disk) logging and small numbers of acceptors isnt terrible.
The spread of latencies is much better (tighter) with Send: the 2-phase SafeSend protocol is sensitive to scheduling delays
Flush is fairly fast if we only wait for acks from 3-5 members, but slow if we wait for all members. Isis2 lets developer set the threshold.
11
7/11/2013
When building a system such as this we need to look at performance but also at steady behavior Heres an example of a problem we ran into when doing the experiments I just showed you As well see, Isis2 had an instability. We think weve fixed it but it illustrates an important point
The fastest solutions have weaker guarantees Using them safely involves understanding these properties in order to decide whether they are good enough for the desired purpose
But there are subtle issues we dont have time to discuss in todays lecture. We will revisit tomorrow.
We made a timeline picture from left to right One node (the bottom one) sends multicasts The others log the time of receipt We graphed the delay, sorted from slowest (top) to fastest (bottom) delays Heres what we saw
At first the system was fast: even the slowest nodes at the top had short delays But within a few multicasts they slowed down Then something resets them and they speed up
We tracked it down to a problem with garbage collection in our system Modifying that protocol helped smooth things out
12
7/11/2013
Tools like Isis2 enable us to build cloud-scale replication based services with strong guarantees But today, at least, they demand a lot from the developer, who needs to really understand the choices and their implications As Isis2 evolves, this problem will be reduced: the system will eventually automate many decisions, including picking the right update primitives for you
77
Segment V: Conclusions
Weve scratched the surface but there is much more to be explored Cornells high assurance researchers are creating solutions for tomorrows demanding applications
Cloud computing, today, isnt very friendly to high assurance applications This is a problem because those applications are increasingly forced to migrate to the cloud for reasons of cost, scalability or just because the cloud is the dominant paradigm today But we can already use tools like Isis2 to solve these problems and as they become easier to work with, the community able to build these solutions will grow
13
7/11/2013
With Isis2 we can easily create programs that run on cloud platforms like EC2 or even Android mobile
They form into groups and coordinate or replicate data or actions via group primitives The concept is powerful and easily visualized
The word on the street is that cloud computing will rule but that the cloud cant do high assurance But the word in the hallways at Cornell differs!
We see Isis2 as our proof-by-demonstration that it can be done Even so, the engineering challenge remains enormous
But tuning and doing sophisticated fault-tolerance remains challenging. In the remaining lectures we will explore these issues
Learning more
81 82
Learning more
Stay in the class. Well show you how! Download the Isis2 system from isis2.codeplex.com
You can access the users manual The code itself (currently v2.xxx, a very stable release) And we maintain a discussion and issues board there
14