Slashdot Mirror

← Back to Stories (view on slashdot.org)

Amazon Explains Why S3 Went Down

Posted by timothy on from the not-mere-sluttiness dept.

Angostura writes "Amazon has provided a decent write-up of the problems that caused its S3 storage service to fail for around 8 hours last Sunday. It providers a timeline of events, the immediate action take to fix it (they pulled the big red switch) and what the company is doing to prevent re-occurrence. In summary: A random bit got flipped in one of the server state messages that the S3 machines continuously pass back and forth. There was no checksum on these messages, and the erroneous information was propagated across the cloud, causing so much inter-server chatter that no customer work got done."

19 of 114 comments (clear)

  1. for want of a nail ... by thrillseeker · · Score: 4, Interesting

    a single bit?! I think there are some serious design deficiencies ...

    1. Re:for want of a nail ... by Daimanta · · Score: 5, Funny

      It was the evil bit...

      --
      Knowledge is power. Knowledge shared is power lost.
    2. Re:for want of a nail ... by Ctrl-Z · · Score: 4, Informative

      Thank you Capt. Obvious. A single bit is enough to cause a cascading failure, and someone overlooked this instance. It's not the first time, nor will it be the last. See New York City blackout of 1977, The Crash of the AT&T Network in 1990, et al.

      --
      www.timcoleman.com is a total waste of your time. Never go there.
    3. Re:for want of a nail ... by iamhassi · · Score: 4, Funny

      FTA:
      "On Sunday, we saw a large number of servers that were spending almost all of their time gossiping and a disproportionate amount of servers that had failed while gossiping. With a large number of servers gossiping and failing while gossiping, Amazon S3 wasn't able to successfully process many customer requests."

      sounds like a restaurant, gossiping servers were failing to process customer requests

      --
      my karma will be here long after I'm gone
  2. Re:They need more Erlang. by nacturation · · Score: 5, Insightful

    They need to start using Erlang more. It's designed specifically for building highly-distributed, concurrent systems that must scale to millions of transactions per minute. So it's a natural fit between Erlang and what Amazon is trying to offer with their S3 service.

    I think Erlang's cool and all, but it's not the magical bullet that will solve this. It's still possible to have information corrupted during message passing between processes in Erlang (say, as the result of an intermittently failing network switch) as it is in any language.
     

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. haha by msauve · · Score: 4, Informative

    For those who don't know what you're referring to, like the AC who commented: search in this for "evil bit".

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Other companies could learn from this... by Manip · · Score: 5, Insightful

    Other large businesses could learn a lot from Amazon's example.

    How often do you have the problem really explained to you, an apology, and a reasonable set of changes to stop it occurring again?

    Most businesses would never explain the root of any problem. They simply list "hardware issues." And they NEVER say sorry anymore - supposedly it opens them up to more liability or something.

    If I was an Amazon customer I would be happy with their explanation and apology even if obviously the downtime is still an issue.

    1. Re:Other companies could learn from this... by Anonymous Coward · · Score: 5, Funny

      Other companies could learn something from this, unfortunately they won't be able to do anything similar as Amazon has patented the process of explaining technological problems to customers.

    2. Re:Other companies could learn from this... by Alpha830RulZ · · Score: 4, Insightful

      The words may not be there, but there is a pretty clear message there for me to see that they are not happy or smug about this event, and are agreeing with the consumer that this shouldn't have happened, and won't happen again if they can help it. That's enough for me.

      And I'm actually one of their consumers, compared to some of the dilletantes here. We use S3 and EC2 to manage training and demo instances of our software, and are pretty pleased so far.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
  5. Re:Lost time? by Anpheus · · Score: 4, Informative

    Read "the system's state cleared" as "we turned everything off" and they proceeded to turn every server on one by one until around 3PM when the EU location was complete and not showing any symptoms.

  6. It was a design defect by j.+andrew+rogers · · Score: 4, Informative

    It has been generally well-known for a number of years now that any time you have a large cluster you cannot count on hardware checksums to catch every bit flip that may occur during copies and transmission, particularly with consumer hardware which has many internal paths with no checksums at all. Google learned this the hard way, like the supercomputing people before them, and now like Amazon after Google. And some of the better database engines also do their own internal software checksums as well to catch uncaught errors introduced as the data gets copied across the silicon, disks, and network -- it is one way they get their very high uptime and low failure rate.

    It does not reflect well on the software community that most people *still* do not know to do this for very large scale system designs. The performance cost of doing a software CRC on your data every time it is moved around is low enough that it is generally worth it these days. If your system is large enough, the probability of getting bitten by this approaches unity. Very fast implementations of Adler-32 and other high-performance checksum algorithms are widely available online.

    1. Re:It was a design defect by James+Youngman · · Score: 4, Interesting

      Adler-32 wouldn't be a great choice. It's fast but it's weak for short messages and I've seen it fooled by multi-bit errors on large messages too.

      See Koopman's paper 32-bit cyclic redundancy codes for Internet applications for some better ideas.

    2. Re:It was a design defect by James+Youngman · · Score: 4, Interesting

      I've seen Adler-32 fail twice, so your assumption of "a few times per millennium" doesn't seem to work for me (I'm under 40). In fact in those cases it was even stacked on top of at least one other checksum mechanism, too.

      One of the problems with it is poor spreading of the input bits into s2. There are other algorithms which don't have that weakness but don't (IIRC) cost any more to compute.

  7. Re:They need more Erlang. by edsousa · · Score: 5, Insightful

    This message is written by one that writes real parallel, distributed and concurrent code (they are not all the same):
    Erlang or any other functional language will not account for lack of good design. If you have a good design with the right concerns you can implement in Java, C, Fortran, ASM and if done right, it will work.
    I'm sick of hear "Erlang is THE solution". It is not. Good design and implementation practices are.

  8. It's quite an old story - see RFC789 by anti-NAT · · Score: 5, Interesting

    Vulnerabilities of Network Control Protocols: An Example, published in January 1981.

    What do they say about those who ignore history?

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:It's quite an old story - see RFC789 by Gazzonyx · · Score: 4, Funny

      [...]
      What do they say about those who ignore history?

      I think it was, they're doomed to reimplement it... poorly. Or was that Unix? ;)

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  9. Re:...make lemonade. by Sique · · Score: 4, Interesting

    I see you completely miss the point of the proof. I know that you can minimize the impact of a bit error by checksums, and that you can improve reliability by adding redundance. But what is the consequence of error detection? Normally the protocol then asks for resending the message. But how do you (as the sender) know that the message finally arrived correctly? You wait for an aknowledgement. But what if the aknowledgement gets lost or scrambled? You add redundancy in the handshaking. But how does redundancy help reliability? You can ask for a resend due to detected errors etc.pp.

    Your protocol never finds an end because it has to secure the correctness of the security of the correctness of the security...

    --
    .sig: Sique *sigh*
  10. Re:...make lemonade. by spinkham · · Score: 4, Insightful

    No, I mean favoring speed and computational simplicity over error detection.
    It is often a valid trade off. For example, most filesystems do not validate the stored data at all for size and computational reasons. As hard drives and arrays get bigger, that trade of no longer makes much sense, and most all new filesystems being designed have hash based error detection built in at some level.
    Good design takes experience. There aren't that many systems like S3 that have been built in the past, and there are many tricky decisions to be made. No system gets it all correct out of the gate.

    --
    Blessed are the pessimists, for they have made backups.
  11. Re:ECC memory, anyone? by Maxmin · · Score: 4, Informative

    ECC can only correct 1-bit errors. It can't correct 2-bit errors (only detect them) and can't even detect nor correct 3-bit (or more) errors.

    No, that's just one kind of memory system. There are a number of designs, and recovery also depends on the kind of error. IIRC, one design is somewhat similar to the CD Red Book spec, in that the bits for a given byte are distributed around - a physical byte is composed of bits all from different memory locations. If part or all of one byte goes bad, the rest of the bits and the parity code are unchanged, and the affected bytes can be reconstructed.

    Also like Red Book CDs are multiply redundant memory systems, with -just what it sounds like- multiple copies of each byte, and the memory controller arbitrates differences. CDs effectively contain three copies of the data, striped and parity encoded. That's how scratched CDs can still operate error-free (sometimes.) The space shuttle's computer systems are relatively fault-tolerant - multiple redundant computers all running the same programs and data, with a fourth computer evaluating the output of the other computers, looking for failures.

    Where there's a will, there's a way, but the will in the mainstream x86 server industry to build truly fault-tolerant computers is slim. It's a specialty, and that makes it very expensive. Stratus, for example, makes a line of fault-tolerant servers, with some of the fail-over in hardware, so they make their 99.999% uptime claim (about 5 minutes downtime per year.)

    "Five nines" is a claim I've heard from most top-dollar *nix hosting companies, but have *never* experienced - it's generally been hours of downtime per year. Not even their network infrastructure gets close to 99.999% uptime! Cadillac prices, but downtime contingency planning is all up to the client, even with "managed hosting." They all suck.

    --
    O lord, bless this thy holy hand grenade, that with it thou mayest blow thine enemies to tiny bits, in thy mercy.