This document discusses architectural safety measures for distributed systems using Akka. It begins by introducing Akka and how it can be used to implement timeouts, circuit breakers, bulkheads and other patterns for handling failures in distributed systems. It then covers specific Akka features like actors, supervisors and clustering that provide tools for building resilient distributed architectures.

1. Copyright © 2017 TIS Inc. All rights reserved.
Preparing for distributed
system failures using Akka
2017.2.25 Scala Matsuri
Yugo Maede
@yugolf

2. Copyright © 2017 TIS Inc. All rights reserved. 2
Who am I?
TIS Inc.
provides “Reactive Systems Consulting Service”
@yugolf
https://twitter.com/okapies/status/781439220330164225
- support PoC projects
- review designs
- review codes
etc
リアクティブシステムのコンサルティングサービ
スをやっています

3. Copyright © 2017 TIS Inc. All rights reserved.
3
Todayʼs Topics
What are Architectural Safety
Measures in distributed system?
How to realize them with Akka
分散システムに考慮が必要な安全対策
Akkaでどうやるか？

4. Copyright © 2017 TIS Inc. All rights reserved. 4
Microservices mean
distributed systems
from Monolith to Microservices
マイクロサービス、
すなわち、分散システム

5. Copyright © 2017 TIS Inc. All rights reserved. 5
"Mooreʼs law is dead"
means
"distributed systems are
the beginning"
limitation of CPU performance
ムーアの法則の終焉、
すなわち、分散システムの幕開け

6. Copyright © 2017 TIS Inc. All rights reserved.
confront with distributed system
6
Building large-scale systems
requires distributed systems
分散システムなしにはビジネスの成功はない

7. Copyright © 2017 TIS Inc. All rights reserved. 7
- increasing the number of server means
increasing failure points
- face new enemies "network"
サーバが増えれば障害点も増える
ネットワークという新たな敵の出現
building distributed system is not easy

8. Copyright © 2017 TIS Inc. All rights reserved.
Architectural Safety Measures
8
define Cross-Functional Requirements
- availability
- response time and latency
機能横断要件を定義しましょう
可⽤性と応答時間／遅延

9. Copyright © 2017 TIS Inc. All rights reserved.
systems based on failure
9
- needs Antifragile Organizations
- needs systems based on failure
アンチフラジャイルな組織と障害を前提とした
システムが必要

10. Copyright © 2017 TIS Inc. All rights reserved.
Architectural Safety Measures need
10
timeout
bulkhead
circuit breaker
...
タイムアウト、隔壁、サーキットブレーカー、…

11. Copyright © 2017 TIS Inc. All rights reserved.
Akka is here
11
Akka has tools to deal with
distributed system failures
Akkaには分散システムに関わる障害に対処する
ためのツールが備わっている

12. Copyright © 2017 TIS Inc. All rights reserved.
Akka Actor
12
participant
Actor processes messages in order of arrival
$30
host
アクターはメッセージを到達順に処理
シンプルに⾮同期処理を実装可能
$10
$10
$10
status
$10 $10 $10
mailbox

13. Copyright © 2017 TIS Inc. All rights reserved.
Supervisor Hierarchy
13
let it crash
スーパーバイザーが⼦アクターを監視し障害制
御などを⾏う
supervisor
child actorchild actor
supervise
signal failure
- restart
- resume
- stop
- escalate

14. Copyright © 2017 TIS Inc. All rights reserved.
timeout
14

15. Copyright © 2017 TIS Inc. All rights reserved.
request-response needs timeout
15
request
response
応答が遅かったり、返ってこないこともある
☓

16. Copyright © 2017 TIS Inc. All rights reserved.
message passing
16
!
tell(fire and forget)を使う
askの場合はタイムアウトを適切に設定
?
1s
tell(fire and forget)
ask

17. Copyright © 2017 TIS Inc. All rights reserved.
timeout configuration
17
import akka.pattern.ask
import akka.util.Timeout
import system.dispatcher
implicit val timeout = Timeout(5 seconds)
val response = kitchen ? KitchenActor.DripCoffee(count)
response.mapTo[OrderCompleted] onComplete {
case Success(result) =>
log.info(s"success: ${result.message}")
case Failure(e: AskTimeoutException) =>
log.info(s"failure: ${e.getMessage}")
case Failure(t) =>
log.info(s"failure: ${t.getMessage}")
}
askのタイムアウト設定

18. Copyright © 2017 TIS Inc. All rights reserved. 18
送信先に問題があった場合は？
?
1s
if a receiver has a problem

19. Copyright © 2017 TIS Inc. All rights reserved. 19
supervisor
never return failure to sender
障害の事実を送信元に返さない
if a receiver has a problem
- restart
- resume
- stop
- escalate

20. Copyright © 2017 TIS Inc. All rights reserved. 20
timeout!
レスポンスが返ってこないためタイムアウトが
必要
?
1s
if a receiver has a problem
☓

21. Copyright © 2017 TIS Inc. All rights reserved.
implements of ask pattern 1/2
21
def ?(message: Any)(implicit timeout: Timeout, sender: ActorRef
= Actor.noSender): Future[Any] = internalAsk(message, timeout, sender)
private[pattern] def internalAsk(message: Any, timeout: Timeout, sender: ActorRef):
Future[Any] = actorSel.anchor match {
case ref: InternalActorRef ⇒
if (timeout.duration.length <= 0)
Future.failed[Any](
new IllegalArgumentException(s"""Timeout length must not be negative, question
not sent to [$actorSel]. Sender[$sender] sent the message of type "$
{message.getClass.getName}"."""))
else {
val a = PromiseActorRef(ref.provider, timeout,
targetName = actorSel, message.getClass.getName, sender)
actorSel.tell(message, a)
a.result.future
}
case _ ⇒ Future.failed[Any](new IllegalArgumentException(s"""Unsupported recipient
ActorRef type, question not sent to [$actorSel]. Sender[$sender] sent the message of
type "${message.getClass.getName}"."""))
}
?
internalAsk

22. Copyright © 2017 TIS Inc. All rights reserved. 22
akka.pattern.PromiseActorRef
def apply(provider: ActorRefProvider, timeout: Timeout, targetName: Any,
messageClassName: String, sender: ActorRef = Actor.noSender): PromiseActorRef = {
val result = Promise[Any]()
val scheduler = provider.guardian.underlying.system.scheduler
val a = new PromiseActorRef(provider, result, messageClassName)
implicit val ec = a.internalCallingThreadExecutionContext
val f = scheduler.scheduleOnce(timeout.duration) {
result tryComplete Failure(
new AskTimeoutException(s"""Ask timed out on
[$targetName] after [${timeout.duration.toMillis} ms].
Sender[$sender] sent message of type "$
{a.messageClassName}"."""))
}
result.future onComplete { _ ⇒ try a.stop() finally f.cancel() }
a
}
スケジューラを設定し時間がくれば
AskTimeoutException送信
implements of ask pattern 2/2

23. Copyright © 2017 TIS Inc. All rights reserved.
circuit breaker
23

24. Copyright © 2017 TIS Inc. All rights reserved.
a receiver is down
24
問い合わせたいサービスがダウンしていること
もある

25. Copyright © 2017 TIS Inc. All rights reserved.
response latency will rise
25
100ms
1s
normal
abnormal(timeout=1s)
レスポンス劣化
過負荷により性能劣化が拡⼤

26. Copyright © 2017 TIS Inc. All rights reserved.
apply circuit breaker
26
サーキットブレーカ でダウンしているサービス
には問い合わせをしないように
circuit breaker

27. Copyright © 2017 TIS Inc. All rights reserved.
what is circuit breaker
27
https://martinfowler.com/bliki/CircuitBreaker.html
⼀定回数の失敗を繰り返す
と接続を抑⽌
Once the failures reach a certain
threshold, the circuit breaker trips

28. Copyright © 2017 TIS Inc. All rights reserved.
circuit breaker has three statuses
28
http://doc.akka.io/docs/akka/current/common/circuitbreaker.html
Closed：メッセージ送信可能
Open ：メッセージ送信不可

29. Copyright © 2017 TIS Inc. All rights reserved.
decrease the latency
29
無駄な問い合わせをやめてレイテンシを発⽣さ
せないようにする
100ms
x ms
normal
abnormal(timeout=1s)
1s
Open
Close

30. Copyright © 2017 TIS Inc. All rights reserved.
apply circuit breaker: implement
30
val breaker =
new CircuitBreaker(
context.system.scheduler,
maxFailures = 5,
callTimeout = 10.seconds,
resetTimeout = 1.minute).onOpen(notifyMeOnOpen())
http://doc.akka.io/docs/akka/current/common/circuitbreaker.html
def receive = {
case "dangerousCall" =>
breaker.withCircuitBreaker(Future(dangerousCall)) pipeTo sender()
}
５回失敗するとOpenになり、１分間はメッセー
ジを送信させない

31. Copyright © 2017 TIS Inc. All rights reserved.
block threads
31
ブロッキング処理があるとスレッドが枯渇しレ
イテンシが伝播
blockingblocking
threads threads

32. Copyright © 2017 TIS Inc. All rights reserved.
prevention of propagation
32
異常サービスを切り離すことで、問題が上流へ
伝播しない
blockingblocking
threads threads

33. Copyright © 2017 TIS Inc. All rights reserved.
CAP trade-off
33
return old information
vs
don't return anything
just do my work
vs
need synchronize with others
cache
push
- read
- write
古い情報を返してもよいか？
他者との同期なしで問題ないか？

34. Copyright © 2017 TIS Inc. All rights reserved.
rate limiting
34
rate
limiter
同じクライアントからの集中したリクエストか
ら守る
no more than
100 requests in any 3 sec interval

35. Copyright © 2017 TIS Inc. All rights reserved.
bulkhead
35

36. Copyright © 2017 TIS Inc. All rights reserved.
Even if there is damage next door, are you OK?
36
無関係なお隣さんがダウンしたとき、影響を被
る不運な出来事

37. Copyright © 2017 TIS Inc. All rights reserved.
bulkhead blocks the damage
37
スレッドをブロックするアクターと影響を受け
るアクターの間に隔壁
threadsthreads
blocking

38. Copyright © 2017 TIS Inc. All rights reserved.
isolating the blocking calls to actors
38
val blockingActor = context.actorOf(Props[BlockingActor].
withDispatcher(“blocking-actor-dispatcher”),
"blocking-actor")
class BlockingActor extends Actor {
def receive = {
case GetCustomer(id) =>
// calling database
…
}
}
ブロッキングコードはアクターごと分離してリ
ソースを共有しない

39. Copyright © 2017 TIS Inc. All rights reserved.
the blocking in Future
39
Future{
// blocking
}
ブロックするFutureによりディスパッチャが枯
渇
threads

40. Copyright © 2017 TIS Inc. All rights reserved. 40
http://www.slideshare.net/ktoso/zen-of-akka#44
デフォルトディスパッチャを利⽤した場合
using the default dispatcher

41. Copyright © 2017 TIS Inc. All rights reserved. 41
ブロッキング処理を分離
threadsthreads
Future{
// blocking
}
isolating the blocking Future

42. Copyright © 2017 TIS Inc. All rights reserved. 42
http://www.slideshare.net/ktoso/zen-of-akka#44
using a dedicated dispatcher
専⽤ディスパッチャの利⽤

43. Copyright © 2017 TIS Inc. All rights reserved.
CQRS:Command and Query Responsibility Segregation
43
コマンドとクエリを分離する
write
read
command
query

44. Copyright © 2017 TIS Inc. All rights reserved.
cluster
44

45. Copyright © 2017 TIS Inc. All rights reserved.
hardware will fail
45
If there are 365 machines failing once
a year, one machine will fail a day
Wouldn't a machine break even when
it's hosted on the cloud?
1年に1回故障するマシンが365台あれば平均毎
⽇1台故障する

46. Copyright © 2017 TIS Inc. All rights reserved.
availability of AWS
46
例：AWSの可⽤性検証サイト
https://cloudharmony.com/status-of-compute-and-storage-and-cdn-and-dns-for-aws

47. Copyright © 2017 TIS Inc. All rights reserved.
preparing for failure of hardware
47
- minimize single point of failure
- allow recovery of State
単⼀障害点を最⼩化
状態を永続化

48. Copyright © 2017 TIS Inc. All rights reserved.
Cluster
monitor each other by sending heartbeats
48
node1
node2
node3
node4
クラスタのメンバーがハートビートを送り合い
障害を検知

49. Copyright © 2017 TIS Inc. All rights reserved.
recovery states
49
Cluster
永続化しておいたイベントをリプレイすること
で状態の復元が可能
persist
replay
node1
node2
node3
node4
events
state
akka-persistence

50. Copyright © 2017 TIS Inc. All rights reserved.
the database may be down or overloaded
50
永続化機能の障害未復旧時に闇雲にリトライし
ない
persist
replay
node3
node4
replay
replay
db has not started yet

51. Copyright © 2017 TIS Inc. All rights reserved.
BackoffSupervisor
51
http://doc.akka.io/docs/akka/current/general/supervision.html#Delayed_restarts_with_the_BackoffSupervisor_pattern
3秒後、6秒後、12秒後、…の間隔でスタートを
試みる
val childProps = Props(classOf[EchoActor])
val supervisor = BackoffSupervisor.props(
Backoff.onStop(
childProps,
childName = "myEcho",
minBackoff = 3.seconds,
maxBackoff = 30.seconds,
randomFactor = 0.2 // adds 20% "noise" to vary the intervals slightly
))
system.actorOf(supervisor, name = "echoSupervisor")
increasing intervals of 3, 6, 12, ...

52. Copyright © 2017 TIS Inc. All rights reserved.
split brain resolver
52

53. Copyright © 2017 TIS Inc. All rights reserved.
Cluster
node1
node2
node3
node4
In the case of network partitions
53
ネットワークが切れることもある

54. Copyright © 2017 TIS Inc. All rights reserved.
node1
node4
Cluster1 Cluster2
using split brain resolver
54
クラスタ間での⼀貫性維持のためSplit brain
resolverを適⽤
node2
node3
node5
split brain resolver

55. Copyright © 2017 TIS Inc. All rights reserved.
strategy 1/4: Static Quorum
55
quorum-size = 3
クラスタ内のノード数が⼀定数以上の場合⽣存
node2
node1
node4
node3
node5
Which can survive?
- If the number of nodes is quorum-size or more

56. Copyright © 2017 TIS Inc. All rights reserved.
strategy 2/4: Keep Majority
56
ノード数が50％より多い場合に⽣存
node2
node1
node4
node3
node5
Which can survive?
- If the number of nodes is more than 50%

57. Copyright © 2017 TIS Inc. All rights reserved.
strategy 3/4: Keep Oldest
57
最古のノードが⾃グループに含まれている場合
に⽣存
node2
node4
node3
node5
Which can survive?
- If contain the oldest node
node1
oldest

58. Copyright © 2017 TIS Inc. All rights reserved.
strategy 4/4: Keep Referee
58
特定のノードが含まれている場合に⽣存
node2
node4
node3
node5
node1
Which can survive?
- If contain the given referee node
address = "akka.tcp://system@node1:port"

59. Copyright © 2017 TIS Inc. All rights reserved. 59
SBR is included
in Lightbend Reactive Platform
https://github.com/TanUkkii007/akka-cluster-custom-downing
http://doc.akka.io/docs/akka/rp-current/scala/split-brain-resolver.html
Lightbend Reactive Platform
akka-cluster-custom-downing
SBRはLightbend Reactive Platformで提供され
ています

60. Copyright © 2017 TIS Inc. All rights reserved.
idempotence
60
冪等性

61. Copyright © 2017 TIS Inc. All rights reserved.
Failed to receive ack message
61
Order(coffee,1)
Order(coffee,1)
ackを受信できずメッセージを再送すると２重注
⽂してしまう
coffee please!
becomes a duplicate order by resending the message

62. Copyright © 2017 TIS Inc. All rights reserved.
idempotence
62
メッセージを複数回受信しても問題ないように
冪等な設計で⼀貫性を維持
Order(id1, coffee, 1)
Order(id1, coffee, 1)
coffee, please!
applying it multiple times is not harmful

63. Copyright © 2017 TIS Inc. All rights reserved.
summary
63

64. Copyright © 2017 TIS Inc. All rights reserved.
summary
64
- Microservices mean distributed systems
- define Cross-Functional Requirements
- design for failure
障害は発⽣するものなので、受け⼊れましょう

65. Copyright © 2017 TIS Inc. All rights reserved.
summary
65
timeout
circuit breaker
bulkhead
cluster
backoff
split brain resolver ...
by using Akka
Akkaは分散システムの障害に対処するための
ツールキットを備えています

66. Copyright © 2017 TIS Inc. All rights reserved.
reference materials
66
- Building Microservices
- Reactive Design Patterns
- Reactive Application Development
- Effective Akka
- http://akka.io/

67. Copyright © 2017 TIS Inc. All rights reserved. 67
https://gitter.im/akka-ja/akka-doc-ja
https://github.com/akka-ja/akka-doc-ja/
akka.io翻訳協⼒者募集中！！
Gitterにジョインしてください。
now translating

68. THANK YOU