1 / 126

November 13 th , 2017 Prof. Ion Stoica cs162.eecs.Berkeley

CS162 Operating Systems and Systems Programming Lecture 22 TCP Flow Control, Distributed Decision Making, RPC. November 13 th , 2017 Prof. Ion Stoica http://cs162.eecs.Berkeley.edu. General’s Paradox. Constraints of problem: Two generals, on separate mountains

jeanr
Download Presentation

November 13 th , 2017 Prof. Ion Stoica cs162.eecs.Berkeley

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS162Operating Systems andSystems ProgrammingLecture 22TCP Flow Control, Distributed Decision Making,RPC November13th, 2017 Prof. Ion Stoica http://cs162.eecs.Berkeley.edu

  2. General’s Paradox • Constraints of problem: • Two generals, on separate mountains • Can only communicate via messengers • Messengers can be captured • Problem: need to coordinate attack • If they attack at different times, they all die • If they attack at same time, they win • Named after Custer, who died at Little Big Horn because he arrived a couple of days too early

  3. 11 am ok? Yes, 11 works So, 11 it is? Yeah, but what if you Don’t get this ack? General’s Paradox • Can messages over an unreliable network be used to guarantee two entities do something simultaneously? • Remarkably, “no”, even if all messages get through • No way to be sure last message gets through!

  4. Two-Phase Commit • Since we can’t solve the General’s Paradox (i.e. simultaneous action), let’s solve a related problem • Distributed transaction: Two or more machines agree to do something, or not do it, atomically • Two-Phase Commit protocol: Developed by Turing Award winner Jim Gray (first Berkeley CS PhD, 1969)

  5. Two-Phase Commit Protocol • Persistentstable logon each machine: keep track of whether commit has happened • If a machine crashes, when it wakes up it first checks its log to recover state of world at time of crash • Prepare Phase: • The global coordinator requests that all participants will promise to commit or rollback the transaction • Participants record promise in log, then acknowledge • If anyone votes to abort, coordinator writes "Abort"in its log and tells everyone to abort; each records "Abort"in log • Commit Phase: • After all participants respond that they are prepared, then the coordinator writes "Commit"to its log • Then asks all nodes to commit; they respond with ACK • After receive ACKs, coordinator writes "Got Commit"to log • Log used to guarantee that all machines either commit or don’t

  6. 2PC Algorithm • One coordinator • N workers (replicas) • High level algorithm description: • Coordinator asks all workers if they can commit • If all workers reply “VOTE-COMMIT”, then coordinator broadcasts “GLOBAL-COMMIT” Otherwise coordinator broadcasts “GLOBAL-ABORT” • Workers obey the GLOBALmessages • Use a persistent, stable log on each machine to keep track of what you are doing • If a machine crashes, when it wakes up it first checks its log to recover state of world at time of crash

  7. Detailed Algorithm Coordinator Algorithm Worker Algorithm • Coordinator sends VOTE-REQto all workers • Wait for VOTE-REQ from coordinator • If ready, send VOTE-COMMIT to coordinator • If not ready, send VOTE-ABORT to coordinator • And immediately abort • If receive VOTE-COMMIT from all N workers, send GLOBAL-COMMIT to all workers • If doesn’t receive VOTE-COMMITfrom all N workers, sendGLOBAL-ABORTto all workers • If receive GLOBAL-COMMITthen commit • If receive GLOBAL-ABORT then abort

  8. Failure Free Example Execution coordinator GLOBAL-COMMIT VOTE-REQ worker 1 worker 2 VOTE-COMMIT worker 3 time

  9. State Machine of Coordinator • Coordinator implements simple state machine: INIT Recv: START Send: VOTE-REQ WAIT Recv: all VOTE-COMMIT Send: GLOBAL-COMMIT Recv: VOTE-ABORT Send: GLOBAL-ABORT ABORT COMMIT

  10. State Machine of Workers INIT Recv: VOTE-REQ Send: VOTE-ABORT Recv: VOTE-REQ Send: VOTE-COMMIT READY Recv: GLOBAL-ABORT Recv: GLOBAL-COMMIT ABORT COMMIT

  11. Dealing with Worker Failures • Failure only affects states in which the coordinator is waiting for messages • Coordinator only waits for votes in “WAIT” state • In WAIT, if doesn’t receive N votes, it times out and sends GLOBAL-ABORT INIT Recv: START Send: VOTE-REQ WAIT Recv: VOTE-ABORT Send: GLOBAL-ABORT Recv: VOTE-COMMIT Send: GLOBAL-COMMIT ABORT COMMIT

  12. Example of Worker Failure timeout coordinator GLOBAL-ABORT INIT VOTE-REQ worker 1 VOTE-COMMIT WAIT worker 2 ABORT COMM worker 3 time

  13. Dealing with Coordinator Failure • Worker waits for VOTE-REQ in INIT • Worker can time out and abort (coordinator handles it) • Worker waits for GLOBAL-* message in READY • If coordinator fails, workers must BLOCK waiting for coordinator to recover and send GLOBAL_* message INIT Recv: VOTE-REQ Send: VOTE-ABORT Recv: VOTE-REQ Send: VOTE-COMMIT READY Recv: GLOBAL-ABORT Recv: GLOBAL-COMMIT ABORT COMMIT

  14. Example of Coordinator Failure #1 coordinator INIT VOTE-REQ timeout worker 1 READY VOTE-ABORT timeout worker 2 ABORT COMM timeout worker 3

  15. Example of Coordinator Failure #2 coordinator INIT restarted VOTE-REQ worker 1 READY VOTE-COMMIT GLOBAL-ABORT worker 2 ABORT COMM block waiting for coordinator worker 3

  16. Durability • All nodes use stable storage to store current state • stable storage is non-volatile storage (e.g. backed by disk) that guarantees atomic writes. • Upon recovery, it can restore state and resume: • Coordinator aborts in INIT, WAIT, or ABORT • Coordinator commits in COMMIT • Worker aborts in INIT, ABORT • Worker commits in COMMIT • Worker asks Coordinator in READY

  17. Blocking for Coordinator to Recover • A worker waiting for global decision can ask fellow workers about their state • If another worker is in ABORT or COMMIT state then coordinator must have sent GLOBAL-* • Thus, worker can safely abort or commit, respectively • If another worker is still in INIT state then both workers can decide to abort • If all workers are in ready, need to BLOCK(don’t know if coordinator wanted to abort or commit) INIT Recv: VOTE-REQ Send: VOTE-ABORT Recv: VOTE-REQ Send: VOTE-COMMIT READY Recv: GLOBAL-ABORT Recv: GLOBAL-COMMIT ABORT COMMIT

  18. Distributed Decision Making Discussion (1/2) • Why is distributed decision making desirable? • Fault Tolerance! • A group of machines can come to a decision even if one or more of them fail during the process • Simple failure mode called “failstop” (different modes later) • After decision made, result recorded in multiple places

  19. Distributed Decision Making Discussion (2/2) • Undesirable feature of Two-Phase Commit: Blocking • One machine can be stalled until another site recovers: • Site B writes "prepared to commit"record to its log, sends a "yes"vote to the coordinator (site A) and crashes • Site A crashes • Site B wakes up, check its log, and realizes that it has voted "yes"on the update. It sends a message to site A asking what happened. At this point, B cannot decide to abort, because update may have committed • B is blocked until A comes back • A blocked site holds resources (locks on updated items, pages pinned in memory, etc) until learns fate of update

  20. PAXOS • PAXOS: An alternative used by Google and others that does not have this blocking problem • Develop by Leslie Lamport (Turing Award Winner) • What happens if one or more of the nodes is malicious? • Malicious: attempting to compromise the decision making

  21. Lieutenant Attack! Attack! Attack! Attack! Retreat! Lieutenant Attack! Attack! Retreat! General Attack! Lieutenant Malicious! Byzantine General’s Problem • Byazantine General’s Problem (n players): • One General and n-1 Lieutenants • Some number of these (f) can be insane or malicious • The commanding general must send an order to his n-1 lieutenants such that the following Integrity Constraints apply: • IC1: All loyal lieutenants obey the same order • IC2: If the commanding general is loyal, then all loyal lieutenants obey the order he sends

  22. General General Attack! Attack! Attack! Retreat! Lieutenant Lieutenant Lieutenant Lieutenant Retreat! Retreat! Request Distributed Decision Byzantine General’s Problem (con’t) • Impossibility Results: • Cannot solve Byzantine General’s Problem with n=3 because one malicious player can mess up things • With f faults, need n > 3f to solve problem • Various algorithms exist to solve problem • Original algorithm has #messages exponential in n • Newer algorithms have message complexity O(n2) • One from MIT, for instance (Castro and Liskov, 1999) • Use of BFT (Byzantine Fault Tolerance) algorithm • Allow multiple machines to make a coordinated decision even if some subset of them (< n/3 ) are malicious

  23. Summary • TCP flow control • Ensures a fast sender does not overwhelm a slow receiver • Receiver tells sender how many more bytes it can receive without overflowing its buffer (i.e., AdvertisedWindow) • The ack(nowledgement) contains sequence number N of next byte the receiver expects, i.e., receiver has received all bytes in sequence up to and including N-1 • Two-phase commit: distributed decision making • First, make sure everyone guarantees they will commit if asked (prepare) • Next, ask everyone to commit

  24. Byzantine Techniques II Presenter: Georgios Piliouras Partly based on slides by Justin W. Hart & Rodrigo Rodrigues

  25. Papers • Practical Byzantine Fault Tolerance. Miguel Castro et. al. (OSDI 1999) • BAR Fault Tolerance for Cooperative Services. Amitanand S. Aiyer, et. al. (SOSP 2005)

  26. Motivation • Computer systems provide crucial services client server

  27. Problem • Computer systems provide crucial services • Computer systems fail • natural disasters • hardware failures • software errors • malicious attacks client server Need highly-available services

  28. client server Replication unreplicated service

  29. client server Replication unreplicated service replicated service client server replicas • Replication algorithm: • masks a fraction of faulty replicas • high availability if replicas fail “independently”

  30. Assumptions are a Problem • Replication algorithms make assumptions: • behavior of faulty processes • synchrony • bound on number of faults • Service fails if assumptions are invalid

  31. Assumptions are a Problem • Replication algorithms make assumptions: • behavior of faulty processes • synchrony • bound on number of faults • Service fails if assumptions are invalid • attacker will work to invalidate assumptions Most replication algorithms assume too much

  32. Contributions • Practical replication algorithm: • weak assumptions  tolerates attacks • good performance • Implementation • BFT: a generic replication toolkit • BFS: a replicated file system • Performance evaluation BFS is only 3% slower than a standard file system

  33. Talk Overview • Problem • Assumptions • Algorithm • Implementation • Performance • Conclusions

  34. Bad Assumption: Benign Faults • Traditional replication assumes: • replicas fail by stopping or omitting steps

  35. client server replicas attacker replaces replica’s code Bad Assumption: Benign Faults • Traditional replication assumes: • replicas fail by stopping or omitting steps • Invalid with malicious attacks: • compromised replica may behave arbitrarily • single fault may compromise service • decreased resiliency to malicious attacks

  36. client server replicas attacker replaces replica’s code BFT Tolerates Byzantine Faults • Byzantine fault tolerance: • no assumptions about faulty behavior • Tolerates successful attacks • service available when hackercontrols replicas

  37. Byzantine-Faulty Clients • Bad assumption: client faults are benign • clients easier to compromise than replicas

  38. Byzantine-Faulty Clients • Bad assumption: client faults are benign • clients easier to compromise than replicas • BFT tolerates Byzantine-faulty clients: • access control • narrow interfaces • enforce invariants attacker replaces client’s code server replicas Support for complex service operations is important

  39. Bad Assumption: Synchrony • Synchrony  known bounds on: • delays between steps • message delays • Invalid with denial-of-service attacks: • bad replies due to increased delays • Assumed by most Byzantine fault tolerance

  40. Asynchrony • No bounds on delays • Problem: replication is impossible

  41. Asynchrony • No bounds on delays • Problem: replication is impossible Solution in BFT: • provide safety without synchrony • guarantees no bad replies

  42. Asynchrony • No bounds on delays • Problem: replication is impossible Solution in BFT: • provide safety without synchrony • guarantees no bad replies • assume eventual time bounds for liveness • may not reply with active denial-of-service attack • will reply when denial-of-service attack ends

  43. Talk Overview • Problem • Assumptions • Algorithm • Implementation • Performance • Conclusions

  44. clients replicas Algorithm Properties • Arbitrary replicated service • complex operations • mutable shared state • Properties (safety and liveness): • system behaves as correct centralized service • clients eventually receive replies to requests • Assumptions: • 3f+1 replicas to tolerate f Byzantine faults (optimal) • strong cryptography • only for liveness: eventual time bounds

  45. Algorithm State machine replication: • deterministic replicas start in same state • replicas execute same requests in same order • correct replicas produce identical replies client replicas

  46. Algorithm State machine replication: • deterministic replicas start in same state • replicas execute same requests in same order • correct replicas produce identical replies client replicas Hard: ensure requests execute in same order

  47. Ordering Requests Primary-Backup: • View designates the primary replica • Primary picks ordering • Backups ensure primary behaves correctly • certify correct ordering • trigger view changes to replace faulty primary client replicas primary backups view

  48. Rough Overview of Algorithm • A client sends a request for a service to the primary client replicas primary backups

  49. Rough Overview of Algorithm • A client sends a request for a service to the primary • The primary mulicasts the request to the backups client replicas primary backups

  50. Rough Overview of Algorithm • A client sends a request for a service to the primary • The primary mulicasts the request to the backups • Replicas execute request and sent a reply to the client client replicas primary backups

More Related