The document discusses chaos engineering principles, particularly in serverless architectures, emphasizing the importance of controlled experiments to enhance system resilience against failures. It outlines a step-by-step approach for conducting these experiments, including defining steady states, hypothesizing outcomes, injecting realistic failures, and analyzing results. Key practices include effective communication, careful timing, and assessing the impacts of various failures to improve system robustness.

1. APPLYING PRINCIPLES
to SERVERLESSt
a
b
chaos engineering
of
A
E
S
of

2. Yan Cui
http://theburningmonk.com
@theburningmonk

3. history of Smallpox
est. 400K deaths per year in 18th Century Europe.
earliest evidence of disease in 3rd Century BC Egyptian Mummy

4. history of Smallpox
est. 400K deaths per year in 18th Century Europe.
earliest evidence of disease in 3rd Century BC Egyptian Mummy
1798
first vaccine developed
Edward Jenner

5. 1798
first vaccine developed
1980
history of Smallpox
Edward Jenner
WHO certified
global eradication
est. 400K deaths per year in 18th Century Europe.
earliest evidence of disease in 3rd Century BC Egyptian Mummy

7. Vaccination is the most effective method of
preventing infectious diseases

8. stimulates the immune system to recognize
and destroy the disease before contracting
the disease for real

9. Chaos Engineering
controlled experiments to help us learn about
our system’s behaviour and build confidence in
its ability to withstand turbulent conditions

13. it’s about building confidence,
NOT breaking things

14. I’m gonna inject
you with a deadly
disease now

15. http://principlesofchaos.org

16. STEP 1. define “Steady State”
aka. what does normal, working
condition looks like?

17. this is not a
steady state

18. STEP 2.
hypothesize steady state will
continue in both control group
& the experiment group
ie. you should have a reasonable degree of
confidence the system would handle the failure
before you proceed with the experiment

19. explore unknown unknowns
away from production

20. treat production with the
care it deserves

21. the goal is NOT,
to actually hurt production

22. If you know the system would break,
and you did it anyway…
then it’s NOT a chaos experiment.
It’s called being IRRESPONSIBLE.

24. STEP 3.
inject realistic failures
e.g. server crash, network error,
HD malfunction, etc.

25. https://github.com/Netflix/SimianArmy

26. https://github.com/Netflix/SimianArmy http://oreil.ly/2tZU1Sn

28. STEP 4.
disprove hypothesis
i.e. look for difference with steady state

29. if a WEANESS is uncovered,
improve it before the behaviour
manifests in the system at large

30. Chaos Engineering
controlled experiments to help us learn about
our system’s behaviour and build confidence in
its ability to withstand turbulent conditions

32. Chaos Engineering
controlled experiments to help us learn about
our system’s behaviour and build confidence in
its ability to withstand turbulent conditions

33. communication

34. ensure everyone knows what you’re doing

35. ensure everyone knows what you’re doing
NO surprises!

36. communication
Timing

37. run experiments during office hours

38. avoid important dates

39. communication
Timing
contain Blast radius

40. smallest change that allows
you to detect a signal that
steady state is disrupted

41. rollback at the first sign of
TROUBLE!

42. communication
Timing
contain Blast radius

43. Don’t try to run before you
know how to walk.

44. by Russ Miles @russmiles
source https://medium.com/russmiles/chaos-engineering-for-the-business-17b723f26361

45. chaos monkey kills an
EC2 instance
latency monkey induces
artificial delay in APIs
chaos gorilla kills an
AWS Availability Zone
chaos kong kills an
entire AWS region

48. there is no server…

49. there is no server…
that you can kill

52. there are more inherent chaos and
complexity in a Serverless architecture

53. smaller units of deployment
and A LOT more of them!

54. more difficult to harden
around boundaries
serverful
serverless

55. ?
SNS
Kinesis
CloudWatch
Events
CloudWatch
LogsIoT
DynamoDB
S3 SES

56. ?
SNS
Kinesis
CloudWatch
Events
CloudWatch
LogsIoT
DynamoDB
S3 SES
more intermediary services,
and greater variety too

57. ?
SNS
Kinesis
CloudWatch
Events
CloudWatch
LogsIoT
DynamoDB
S3 SES
more intermediary services,
and greater variety too
each with its own set of
failure modes

58. serverful
serverless
more configurations,
more opportunities for misconfiguration

59. more unknown failure modes in
infrastructure that we don’t control

60. often there’s little we can do when an
outage occurs in the platform

61. improperly tuned timeouts

62. missing error handling

63. missing fallback when downstream is unavailable

64. LATENCY INJECTION

65. STEP 1. define “Steady State”
aka. what does normal, working
condition looks like?

66. what metrics do you monitor?

67. 9X-percentile latency
error count
yield (% of requests completed)
harvest (completeness of results)

68. STEP 2.
hypothesize steady state will
continue in both control group
& the experiment group
ie. you should have a reasonable degree of
confidence the system would handle the failure
before you proceed with the experiment

69. API Gateway

70. consider the effect of cold-starts
& API Gateway overhead

71. use short timeout for API calls

72. the goal of a timeout strategy is to give HTTP
requests the best chance to succeed,
provided that doing so does not cause the
calling function itself to err

73. fixed timeout are tricky to get right…

74. fixed timeout are tricky to get right…
too short and you don’t
give requests the best
chance to succeed

75. fixed timeout are tricky to get right…
too long and you run the
risk of letting the request
timeout the calling function

76. and it gets worse when you make multiple
API calls in one function…

79. set the request timeout based on the
amount of invocation time left

84. log the timeout incident with
as much context as possible
e.g. timeout value, correlation IDs,
request object, …

85. report custom metrics

89. be mindful when you sacrifice precision for
availability, user experience is the king

90. STEP 3.
inject realistic failures
e.g. server crash, network error,
HD malfunction, etc.

91. where to inject latency?

92. hypothesis:
function has appropriate timeout on its HTTP
communications and can degrade gracefully
when these requests time out

94. should also be applied to 3rd parties
services we depend on, e.g. DynamoDB

96. what’s the blast radius?

97. http client
public-api-a
http client
public-api-b
internal-api

98. hypothesis:
all functions have appropriate timeout on
their HTTP communications to this internal
API, and can degrade gracefully when
requests are timed out

101. large blast radius, risky..

103. could be effective when used away from
production environment, to weed out
weaknesses quickly

104. not priming developers to
build more resilient systems

105. development

106. development
production

107. Priming (psychology):
Priming is a technique whereby exposure to one
stimulus influences a response to a subsequent
stimulus, without conscious guidance or intention.
It is a technique in psychology used to train a
person's memory both in positive and negative ways.

110. make dev environments better resemble the
turbulent conditions you should realistically
expect your system to survive in production

111. hypothesis:
the client app has appropriate timeout on
their HTTP communication with the server,
and can degrade gracefully when requests
are timed out

116. STEP 4.
disprove hypothesis
i.e. look for difference with steady state

117. how to inject latency?

118. static weaver (e.g. AspectJ, PostSharp),
or dynamic proxies

119. https://theburningmonk.com/2015/04/design-for-latency-issues/

120. manually crafted wrapper library

126. configured in SSM Parameter Store

128. no injected latency

130. with injected latency

132. factory wrapper function
(think bluebird’s promisifyAll function)

138. ERROR INJECTION

139. failures are INEVITABLE

140. the only way to truly know your system’s
resilience against failures is to test it
through controlled experiments

144. vaccinate your serverless
architecture against failures

145. Yan Cui
http://theburningmonk.com
@theburningmonk

146. @theburningmonk
theburningmonk.com
github.com/theburningmonk