Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lightning Strikes Amazon's Cloud (Really)

Posted by ScuttleMonkey on from the better-than-ball-lightning-in-the-cage dept.

The Register has details on a recent EC2 outage that is being blamed on a lightning strike that zapped a power distribution unit of the data center. The interruption only lasted around 6 hours, but the irony should last much longer. "While Amazon was correcting the problem, it told customers they had the option of launching new server instances to replace those that went down. But customers were also able to wait for their original instances to come back up after power was restored to the hardware in question."

42 of 109 comments (clear)

  1. Irony? by Anonymous Coward · · Score: 5, Insightful

    Isn't cloud computing supposed to tackle such instances?

    1. Re:Irony? by evanbd · · Score: 5, Funny

      Perhaps that's the problem. I think lightning rods are supposed to be more coppery than irony.

    2. Re:Irony? by log0n · · Score: 3, Insightful

      The irony is that a cloud was struck by lightning. Lightning usually comes from clouds.

      Sometimes we all need to tone back the nerd a bit :)

    3. Re:Irony? by drinkypoo · · Score: 2, Funny

      Sometimes we all need to tone back the nerd a bit :)

      What? Get out. *points*

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Irony? by MadnessASAP · · Score: 3, Funny

      Well as it just so happens most lightning is ground to cloud or cloud to cloud with very little cloud to ground.

      My nerdiness goes up to 11 by the way.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  2. Who covers the cost? by Anonymous Coward · · Score: 2, Interesting

    Naive question: Are data centers usually insured for the cost of hardware replacement and/or loss of revenue in a situation like this?

    1. Re:Who covers the cost? by TheLink · · Score: 2, Insightful

      What if they insured with AIG?

      Who covers the cost then? :)

      --
  3. Well, now that that's over with.... by Anonymous Coward · · Score: 2, Funny

    There's nothing to worry about, because as we all know, Lightning never strikes twice.

    Yay for savings on the surge protectors!

    1. Re:Well, now that that's over with.... by Lord+Fury · · Score: 3, Funny

      It's only that lightning never strikes only twice. There's nothing stopping you from getting hit more than twice

      http://en.wikipedia.org/wiki/Roy_Sullivan

  4. Lightning once striked our office building. by QuietLagoon · · Score: 3, Interesting
    Our computer room was down for three days as a result. Amazon's six hour downtime looks like a big improvement.
    .

    I have to wonder if those who are critical of Amazon here have ever experienced a direct lightning strike? I doubt it.

    1. Re:Lightning once striked our office building. by xrayspx · · Score: 5, Insightful

      I'm thinking critically because Amazon, EMC, VMWare, etc bill The Cloud as a mystical place where you throw your shit and then it's universally available 100%. Nothing bad happens in The Cloud.

      So what's the deal with having all copies of these VMs in one datacenter? That's not very The Cloud of them. Maybe they should replicate all of EC2 to GFS. Would The Cloud win then?

      Customers being given the option of redeploying their VMs or waiting an unspecified period of time until The Cloud is back online isn't The Cloud we were promised.

      /cloud

      --
      I like music
    2. Re:Lightning once striked our office building. by Logic+and+Reason · · Score: 3, Insightful

      I'm thinking critically because Amazon, EMC, VMWare, etc bill The Cloud as a mystical place where you throw your shit and then it's universally available 100%. Nothing bad happens in The Cloud.

      No, they don't. You're either being disingenuous, or idiotic.

      So what's the deal with having all copies of these VMs in one datacenter? That's not very The Cloud of them.

      So you expect Amazon to somehow be running the same VM simultaneously on multiple machines? The point of EC2 is that you have machine images prepared in advance, which you can launch at any time to instantiate a new, ready-to-go VM. The VMs themselves are obviously still running on actual machines, which are (surprise!) still vulnerable to things like lightning strikes and other random hardware failures.

      If a few minutes downtime when something like that happens is unacceptable, then you should be running multiple machines in different availability zones-- which is exactly what you'd be doing in a more traditional environment. EC2 just makes it easier to do this in a flexible way. Yes, you pay for that privilege, but it's clearly worth it to some people.

    3. Re:Lightning once striked our office building. by Achromatic1978 · · Score: 4, Informative

      No, they don't. You're either being disingenuous, or idiotic.

      "Amazon EC2 provides developers the tools to build failure resilient applications and isolate themselves from failure scenarios."

      "you can protect your applications from failure of a single location"

    4. Re:Lightning once striked our office building. by Anonymous Coward · · Score: 3, Interesting

      Three days is lucky. My very first job (many, many moons ago) was at a company which had a few 5, 10 and 15 meter SATCOM dishes outside. One fall night, a set of severe T-storms rolled through around 2 am, and lightning struck the SAT farm. Nearly knocked me out of my NOC chair where I was fighting to stay awake, and I swore something big had exploded outside.

      Turns out, one of the SAT dishes had not been properly grounded, and the current surged through the SATNET into our internal networks. Several mid-range systems, network gear, LAN pc's, modems, etc were fried. Console terminals were also, and if I'd been typing instead of fighting sleep, I would have been crispy.

      The next several days were spent replacing the instantly fried gear. But initially unaffected systems started having serious glitches show up over the next few weeks. My guess is that Amazon may have this same problem.

    5. Re:Lightning once striked our office building. by fluffy99 · · Score: 2, Interesting

      I'm thinking critically because Amazon, EMC, VMWare, etc bill The Cloud as a mystical place where you throw your shit and then it's universally available 100%. Nothing bad happens in The Cloud.

      No, they don't. You're either being disingenuous, or idiotic.

       

      Per http://aws.amazon.com/ec2/#highlights, Amazon is promising "Reliable Amazon EC2 offers a highly reliable environment where replacement instances can be rapidly and predictably commissioned. The service runs within Amazons proven network infrastructure and datacenters. The Amazon EC2 Service Level Agreement commitment is 99.95% availability for each Amazon EC2 Region.

      The irony here is that 6 hours in a year is 99.93% so they've already blown it for the year.

       

      So what's the deal with having all copies of these VMs in one datacenter? That's not very The Cloud of them.

      If it's only one instance running, its kinda hard to run it in multiple datacenters. They might be running clustering within a datacenter, but that can still be taken down by a power outages affecting multiple servers. As pointed out earlier, you can have instances in multiple datacenters (zones as they call it) if you're willing to pay for it.

    6. Re:Lightning once striked our office building. by sumdumass · · Score: 4, Interesting

      I have to wonder if those who are critical of Amazon here have ever experienced a direct lightning strike? I doubt it.

      Just so people know, this can be a real bitch.

      I took a direct lightning strike at one site I work with that entered the corner of the building, traveled down the inside wall leaving a scorch mark on two levels and into the basement where all the servers and switches were located. The lightening then traveled through the electrical service main lines to an encased transformer located in the parking lot next door causing it to explode with enough force that is shattered the windows of the bank building next door and a door panel was found on a rood about a block away. It appears that one half of the electrical system was grounded properly through a specific ground rod and the other half was tied into the plumbing that ran inches away from the lightning rod grounds. When they purchased the building, they didn't redo all the electrical on the side of the building that wasn't remodeled and that way of grounding was normal.

      We lost 3 of the 5 servers instantly and couldn't keep the other two stable. Both switches were down, 20 of the 44 workstations along with the tape backup machine, copiers, and networked printers were completely dead when we got there. The entire building had a lightning/surge protector with battery backup and natural gas generator on the mains so they weren't too concerned over in house specific protections. Only the systems with UPS on them directly survived with the exceptions of the servers which I'm not sure if they died from the lightning strike or from getting soaked by the fire sprinklers that was set off by the strike. (surprisingly, there was no fire).

      It took us two days at almost 20 hours a day among 5 people with a lot of borrowing from other sites, about 20 trips to five or six computer stores in the surrounding counties, and a generator to come back on line and be operational again. We even had a make shift phone system in place while waiting on a new Avaya to come in. We did this all before the electric company got the transformer replaced and service back on. Until we replaced the other machines that were thought not to be effected, we experienced all sorts of weird behavior on the network and I'm still not confident with the cabling even though it passed the testing. Of course I didn't run the certification so it might just be me not trusting others.

      If you get a direct strike, you might as well count on replacing everything in a production environment. When I say direct strike, I mean evidence it actually hit the building and not something down the road and traveled to the building. It will be easier and cheaper in the long run. Now, I have as part of the catastrophe plan, a means to replace every computer and component on the network at one time just to be safe. If it wasn't for two other sites having the same tape drives, we would have had to wait a week for a replacement to come in and start the data recovery process. Thank god for off-site tape storage.

    7. Re:Lightning once striked our office building. by lena_10326 · · Score: 2, Insightful

      The irony here is that 6 hours in a year is 99.93% so they've already blown it for the year.

      A region consists of multiple datacenters. 99.93% would be for 1 datacenter, not the region.

      --
      Camping on quad since 1996.
    8. Re:Lightning once striked our office building. by dhall · · Score: 3, Insightful

      "Amazon EC2 provides developers the tools to build failure resilient applications and isolate themselves from failure scenarios."

      Let's highlight the words that needs emphasis.

      "provides", "developers", "tools"

      As to whether the developers use them or not isn't always automatic.

      "you can protect your applications from failure of a single location"

      "can"

      Highly available does not meant fault tolerance. The latter allows an application to continue functioning after a component failure. Regardless of the snake oil that has been thrown around, there is no silver bullet that can automagically enable application to be multi-node aware with no chance of deadlock or data corruption. You need to program for this. Again, tools are provided, but that doesn't mean everyone will use them. So in the absense of a fault tolerant application, the cloud provides high availability.

  5. God here... by Deus.1.01 · · Score: 5, Funny

    Is the message clear?

    -RMS

    --
    My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
  6. What irony? by MrMista_B · · Score: 3, Insightful

    What irony?

    Maybe I'm just tired, but I'm not sure what irony is being referred to by the poster.

    1. Re:What irony? by mail2345 · · Score: 5, Funny

      I think the poster means popular irony, not irony as it actually means. Popular irony is like getting a fly in your white wine. Regular irony is not wearing your tin foil hat on the one day someone actually does beam thoughts into your brain.

    2. Re:What irony? by ZorbaTHut · · Score: 4, Funny

      In Soviet Russia, clouds get hit by lightning?

      Yeah, it's sorta weak, but that's what they were going for.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    3. Re:What irony? by Anonymous Coward · · Score: 2, Insightful

      That a computing technology that was supposed to be largely immune to damage of individual "nodes" in the cloud could be taken down by lightning hitting a single point?

    4. Re:What irony? by Anonymous Coward · · Score: 5, Funny

      Regular irony is not wearing your tin foil hat on the one day someone actually does beam thoughts into your brain.

      Nope. You've still got it wrong... That's still Morissette irony.

    5. Re:What irony? by quanticle · · Score: 5, Insightful

      Perhaps they were referring to the irony of Amazon's EC2 being affected by one of the very natural disasters it advertises protection against.

      Its rather like an "unsinkable" vessel going down on her maiden voyage.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    6. Re:What irony? by Anonymous Coward · · Score: 5, Funny

      The real irony here is that tinfoil hats are actually required in order to beam thoughts into your head...

  7. Inconcievable! by binaryspiral · · Score: 5, Insightful

    While everyone is talking up the cloud and how resilient it is... this is just yet another example to never put all your eggs in one basket. If your service is so damn important that it can't go down - have it hosted in two places.

    Notice, Amazon.com didn't go down... :)

    1. Re:Inconcievable! by Anonymous Coward · · Score: 2, Interesting

      I don't see how cloud hosting is somehow incompatible with hosting in two places.

    2. Re:Inconcievable! by nine-times · · Score: 4, Informative

      Well it does seem like it was pretty resilient:

      While Amazon was correcting the problem, it told customers they had the option of launching new server instances to replace those that went down.

      So basically a set of servers went down, and it took down the particular instances running on those servers. Customers were still able to take the same exact image and start new instances-- it sounds like immediately. Now sure, it'd be nice if they worked out some kind of automatic clustering and failover to take care of this sort of thing for you, but when my server goes down with my dedicated host, I don't have the option to start up a new host immediately with the same exact configuration.

    3. Re:Inconcievable! by jcnnghm · · Score: 2, Informative

      EC2 instances don't contain instance data. The GP is correct. State data is generally stored on S3, on shared storage, or using their db interface.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
  8. Do any of you know how they survived? by mr_stinky_britches · · Score: 4, Interesting

    Do any of you know how an instance could survive a power outage? Surely every operation is written out to disk before it's performed..so how did they design it?

    --
    Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
    1. Re:Do any of you know how they survived? by ShadowRangerRIT · · Score: 2, Informative

      UPS, or backup generator, or some other equivalent system that gives just enough power for a clean shut down. I've seen blades with built-in UPS (possibly not even a battery, just a capacitor) that exists solely to sync to disk in the event of a power loss.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:Do any of you know how they survived? by KahabutDieDrake · · Score: 4, Informative

      You've never actually worked with enterprise class gear have you? It's standard for most of the servers and all of the data storage to have capacitance/battery backups for just such an emergency.

      Typically, the raid controller will have enough on board capacity to clear it's write cache before losing power entirely. While the drive array will be connected to a decent UPS that can hold for at least a few minutes. Meanwhile, the server itself will also likely be connected to the same UPS, or a different one.

      The real question at hand is, were the UPS between the power distribution node and the server, or were they on the other side of the distribution node, and therefore worthless in a case like this? I've seen both configurations, but the latter is rarer. Not because of this particular case, but because of efficiency concerns.

      If there was a failure of design, it was most likely in the building wiring itself. The building was clearly not properly grounded against lightning strikes, as if it was, the surge would never have hit the internal wiring. It might have kicked the building off the grid for a time, but it should never have reached a power distribution node. Although it's likely the outcome would be similar if not identical.

    3. Re:Do any of you know how they survived? by RsG · · Score: 5, Insightful

      I'm reading between the lines here (it doesn't actually say this in TFA), but it sounds like this was a direct hit. Not an outage, which is a different beast.

      A UPS is about as useful in this instance as antibiotics against a virus - it's a solution to a different problem. Surge protectors don't help much either, not unless the strike was a fairly mild and/or remote one. You could switch over to a disconnected UPS system every time there's a thunderstorm on the horizon, but that seems needlessly complicated and expensive.

      That being said, the GP referred to an outage, so you've quite correctly answered his question; it's just the wrong question to ask in this instance. And of course I could be misreading (or Amazon could be misrepresenting) the exact nature of the failure - if it were a regular outage, none of the above would apply.

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    4. Re:Do any of you know how they survived? by sirsnork · · Score: 4, Informative

      RAID Controllers have batteries so they can remember whats in the cache (for about 48hours), not so they can write that data out to disks befoer they power off. When power is returned and thr disks come back up the cache is flushed before any other action, thereby keeping the array in one piece

      --

      Normal people worry me!
    5. Re:Do any of you know how they survived? by drinkypoo · · Score: 2, Insightful

      You could switch over to a disconnected UPS system every time there's a thunderstorm on the horizon, but that seems needlessly complicated and expensive.

      Actually, that's NOT a bad idea at all. If you used fiber to the rack and you had big ugly relays that would open the connections, it might be a useful strategy in lightning country. It shouldn't be too hard to detect when lightning is striking nearby, and open the contacts. You would definitely need to do it per-rack at minimum though, because having a battery in every system is an ecological nightmare.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. **typo** should be: is NOT written out by mr_stinky_britches · · Score: 2, Informative

    **typo** should be: is NOT written out

    Sorry about that.

    --
    Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
  10. Re:Lightning once striked my friends house. by Kotoku · · Score: 5, Funny

    In the civilized world, we just call those "walk through holes" doors.

    --
    AnimePapers.org: Anime Wallpapers Handled With Care
  11. Re:It evidently did by kasperd · · Score: 2, Informative

    Only one of Amazon's two zones went down so a well designed cloud app shouldn't have failed.

    If you want to guarantee data integrity and consistent data between your instances, then you cannot tolerate one out of two going down. Byzantine agreement protocols can tolerate less than one third failures, so you would actually need four to tolerate one failure.

    --

    Do you care about the security of your wireless mouse?
  12. Having taken weather and climate 101... by turing_m · · Score: 2, Funny

    This is clearly a case of cloud-to-cloud lightning.

    --
    If I have seen further it is by stealing the Intellectual Property of giants.
  13. Re:It evidently did by friedo · · Score: 2, Informative

    Only one of Amazon's two zones went down

    There are two regions (US and EU) each with several availability zones (US currently has four.) The AZ's are designed to be isolated from one another. This outage affected one AZ in the US region.

    If you are doing load balancing across instances in multiple AZ's (or even using Amazon's own Elastic Load Balancing and Auto-Scaling features) you would have been fine, since this is exactly the kind of problem they're designed to handle.

  14. speaking of lightning and electronics. by stine2469 · · Score: 3, Interesting

    Back in the late 80's, I worked as network admin at a university.   Most of the buildings on campus where relatively old, but I only had recurring problems in one of them.   The building that held the English and History departments had an Equinox LM-48 in a cabinet in the back of a typing lab.   One Monday morning we got a call that no-one in the building could get online.   I checked the DS-15 port in the data center, and sure enough, no link, so I walked over to the lab and met the assistant dean who had the keys to let me in.  When he unlocked the door, we both knew something was wrong because we could both smell the fried electronics... When I disconnected the LM-48 and picked it up,  we could both hear what turned out to be pieces of serial chips rattling around inside the case.    I replaced the unit with a spare and took the dead one back to my office.  When I opened it up, I could see a couple (don't remember how many) of the chips had been blown up.   Looking back, I probably had enough information to determine which PCs weren't grounded by which chips blew up, but that didn't occur to me then.   About a month or so later, the same thing happened, but it happened on a week-night and when I heard the thunder, I knew I had just lost the replacement unit.   Unfortunatlely, this was at 1am or so and I did not have keys to the English department.... So at 7am the next morning, when the assistant dean showed up, I was sitting outside his office with another replacement.   He said something like "...the storm last night..." and I just nodded.

    I don't remember the final resolution of the problem, but I do remember that from the 2nd strike until the problem was solved, every time I heard thunder I would run to the English building and with my newly assigned key, run upstairs and disconnect the rj-21 fanout cables.   I would then leave a note on the English dept office informing them that they'd need to plug them in the in a.m.    One evening, I didn't make it.  I heard thunder and bolted for the English dept... I had my key in the buildings' outside door when lightning struck the building...and I knew I was too late.  When I got upstairs, I could smell burnt electronics....

    Probably at the same time as this was going on for me, my dad, who was a large-scale CSE had similar problems.   I don't know how much 16-port line-cards for the system that he was supporting cost, but one day he had to replace eight or nine of them.   The next day, UPS delivered two cases of copper-fiber-copper serial surge suppressors and he scheduled to install them.  I don't think that site had problems after that.