- cross-posted to:
- hackernews
- cross-posted to:
- hackernews
I’ve never run a big system like this, but like the lead character in the story, I always figured exponential backoff would be enough. Turns out there’s more.
I’ve never run a big system like this, but like the lead character in the story, I always figured exponential backoff would be enough. Turns out there’s more.
tl;dr:
That’s their core issue. They were never able to process requests fast enough, and the moment there was any delay it all came down like a house of cards. If you’re already running at 100%, yeah no shit you’re going to have problems if anything changes even slightly.
Further, it doesn’t seem like retries backed off enough, or maybe should have just given up eventually.
The writing style also made it kind of hard to follow. Technical articles work better when they’re not written like a children’s story, but with technical writing.
Hmm… I’d say that was an obvious example to cause the situation, the real point was exposing the more subtle problems with feedback loops.
What happens if the server in question was at 80% capacity, and due to hardware faults, that leads to 100% utilization? Can you reconfigure your services if there’s a cascading overload through enough of the system without actually adding to the system load? What do you do about the fact that these loops gets ever more powerful and sudden the larger the system?
The author seemed to be suggesting that we carefully consider how to avoid open feedback loops, and build stability in. This article clued me in that stability problems can be borne from “industry standard” advice if you don’t carefully think about it.
Ideally, you’d limit your resource utilization to always leave enough of a buffer that your management tools can run. But even if that’s not the case, you should also be able to disable incoming traffic so that your servers stop even seeing the requests. Or you can just plain destroy and recreate with a new version.
But none of that addresses the fact that your retrying clients are basically DDoSing you. That can be mitigated by your WAF filtering requests so that only a fraction are passed to the server, as mentioned in the article, but preferably you’d just scale up to handle the load, or fix your clients to retry less frequently so that they don’t DDoS you with retries. Even a large number of clients shouldn’t be retrying so frequently that it overwhelms your system. Even if you’re selling Taylor Swift tickets, where millions of clients are hammering you, you can scale horizontally to at least implement a queue for users so they’re not hitting refresh every time they get a blank screen.
All of what you’re saying seems correct. I think this is more of a meta discussion, on how (in this case) retries, even with exponential back off, aren’t a solution by themselves when you look at the system overall. There are interesting hidden caveats to any common solutions, this is one I personally wasn’t aware of.
Practically, adding a timeout budget so that the clients themselves just error out (forcing a manual refresh) sorta accomplishes the same as what you’re positing.