Slashdot Mirror

← Back to Stories (view on slashdot.org)

Making Facebook Self Healing

Posted by Soulskill on from the resistance-is-futile dept.

New submitter djeps writes "I used to achieve some degree of automated problem resolution with Nagios Event Handler scripts and RabbitMQ, but Facebook has done it on a far larger scale than my old days of sysadmin. Quoting: 'When your infrastructure is the size of Facebook's, there are always broken servers and pieces of software that have gone down or are generally misbehaving. In most cases, our systems are engineered such that these issues cause little or no impact to people using the site. But sometimes small outages can become bigger outages, causing errors or poor performance on the site. If a piece of broken software or hardware does impact the site, then it's important that we fix it or replace it as quickly as possible. ... We had to find an automated way to handle these sorts of issues so that the human engineers could focus on solving and preventing the larger, more complex outages. So, I started writing scripts when I had time to automate the fixes for various types of broken servers and pieces of software.'"

43 of 74 comments (clear)

  1. Complexity arising from simplicity by Psychotria · · Score: 2, Insightful

    We had to find an automated way to handle these sorts of issues so that the human engineers could focus on solving and preventing the larger, more complex outages.

    This seems backwards to me. Surely the "larger, more complex outages" are caused by an accumulation of, or interaction between, the smaller, less complex problems/situations. If all of the smaller problems are well understood and dealt with, then those more complex problems should not arise. I think it's dangerous to assume that because the smaller problems can be transiently resolved by a script with minimal human intervention that the more complex problems need less exploration. Sure, scripts to handle the less complex issues are great, but this should not shift the focus of the human engineers to "focus on solving and preventing complex outages"; solving those often (always?) means solving the less complex issues.

    1. Re:Complexity arising from simplicity by aiken_d · · Score: 5, Insightful

      I disagree. Larger outages in an infrastructure like Facebook's are only rarely an accumulation of smaller issues. Think about it: what's a more likely scenario for a major site-wide issue, thousands of web servers whose hard drives die simultaneously, or a flapping route caused by a configuration issue on a router?

      Think of it like our body: every day, you suffer thousands of tiny injuries and insults that your autoimmune system and skin deal with and that you never know about. This frees you up to drive yourself to the doctor if you notice a lingering cough or to call the ambulance if you sever a limb. You wouldn't argue against an immune system because it might hide larger issues from conscious attention, would you?

      --
      If I wanted a sig I would have filled in that stupid box.
    2. Re:Complexity arising from simplicity by mclearn · · Score: 3, Informative

      TFA specifically uses an example of a failed hard drive to describe the workflow. You can see that a failed hard drive is something small, easily diagnosable, and -- in the greater scheme of things -- easily fixable.

      Now, if you recall what happened with AWS in April, they had a low-bandwidth management network that all of a sudden had all primary EBS API traffic shunted to it. This was caused by a human flipping a network switch when they shouldn't have. Something like this is not something that happens all the time, has little, if any diagnosable features, is not well-defined to have a proper workflow attached to it, and needs human engineers to correct. This is an example of a complex, large-scale problem.

      Read the article, it's actually quite interesting.

    3. Re:Complexity arising from simplicity by Anthony+Mouse · · Score: 1

      Larger outages in an infrastructure like Facebook's are only rarely an accumulation of smaller issues. Think about it: what's a more likely scenario for a major site-wide issue, thousands of web servers whose hard drives die simultaneously, or a flapping route caused by a configuration issue on a router?

      Sometimes. But for example, suppose you have a fail-over setup so that if one machine falls over, its work units or clients are automatically transferred to another machine. You're very proud of yourself until you get a damaged work unit or client which is capable of causing the machine processing it to fall over, and then it gets transferred all around to every server and causes a cascade failure until 30 seconds later all of your servers have crashed.

      And sometimes you do get simultaneous "independent" failures of both hardware and software because of a common cause. Suppose you have a load spike during a nationwide heatwave and the ambient temperature in most of your data centers gets up to 85 degrees Fahrenheit, which is just within design specifications for your facilities but it had never happened before. You might very well see a rash of disk or power supply failures then.

    4. Re:Complexity arising from simplicity by hardtofindanick · · Score: 3, Insightful

      It seems to me like you are creating hypothetical scenarios of total failure. Most of the practical failure scenarios can be handled gracefully when you have facebook's resources under your command. After all they are not sending men to Mars. We have studied and now well understand distributed database problems for more than 30 years. There is pretty much nothing technologically interesting about Facebook (and Twitter for that matter).

      The sad part is someone writes his ramblings and puts a flow chart or two and it becomes a story on /.

    5. Re:Complexity arising from simplicity by TinyManCan · · Score: 1

      Now, if you recall what happened with AWS in April, they had a low-bandwidth management network that all of a sudden had all primary EBS API traffic shunted to it. This was caused by a human flipping a network switch when they shouldn't have. Something like this is not something that happens all the time, has little, if any diagnosable features, is not well-defined to have a proper workflow attached to it, and needs human engineers to correct. This is an example of a complex, large-scale problem.

      I wonder when this army of automated-problem-fixing engines will encounter a corner case its masters never considered and how it will react.

      I give the ops guys at Facebook a lot of credit for managing such a gigantic workload with just a (relatively) few, very smart, people. Amazon also has a lot of smart people who have been working on EBS (in one form or another) since before Facebook was founded. These systems just interact in unpredictable ways when they get out of their comfort zone.

      Systems so complicated they require self-managing management systems are going to have some interesting failure modes, to say the least.

    6. Re:Complexity arising from simplicity by Thanster · · Score: 1

      Here's a real one that defeated a modern multi-path network not so long ago, constructed with WAN paths over some antiquated link encryptors. it seems that there was an undocumented (at least to the end user) "drop all keys" bit sequence. Now being a link encryptor this was parsed for within the flowing data stream, now one day an unassuming jpeg file attached to an email just by absolute chance (the bit sequence didn't have a lot of entropy to it) contained this bit-sequence, - instant denial of service attack as each link dropped, network re-converged and the still extant tcp connection between mail servers resent the offending packet until the site in question had completely isolated itself from the network. (that was a real doozer to figure out what had happened!)

  2. NOOOOOO!! by Baloroth · · Score: 4, Funny

    How are we supposed to kill it if it's self-healing? Now it will never die!

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:NOOOOOO!! by deniable · · Score: 1

      Head shot. It's the only way to be sure.

    2. Re:NOOOOOO!! by smellotron · · Score: 1

      Now it will never die!

      Fire and acid, my friend.

    3. Re:NOOOOOO!! by zawarski · · Score: 1

      Nuke it from orbit. That's the only way to be sure.

    4. Re:NOOOOOO!! by piripiri · · Score: 2

      Double tap for safety.

    5. Re:NOOOOOO!! by martin-boundary · · Score: 1

      Chinese auto-immune hacking disease?

    6. Re:NOOOOOO!! by rvw · · Score: 1

      How are we supposed to kill it if it's self-healing? Now it will never die!

      Wait until Microsoft buys it, then give it another year or two...

    7. Re:NOOOOOO!! by acidradio · · Score: 1

      Maybe Facebook is really the Skynet that we learned about in the Terminator movies. I fear the day that it becomes self-aware.

    8. Re:NOOOOOO!! by cr0nj0b · · Score: 1

      How are we supposed to kill it if it's self-healing? Now it will never die!

      Make sure the halon system is not computer controlled.
      Kill internet connections to all sites at the same time, so they cant send out an SOS
      Then kill the power

  3. Routing around the faulty components by izomiac · · Score: 1

    We had to find an automated way to handle these sorts of issues so that the human engineers could focus on solving and preventing the larger, more complex outages.

    Given how glitchy Facebook was in the past, I can't help but be reminded of this comic.

    1. Re:Routing around the faulty components by Raenex · · Score: 1

      And amusingly enough, the SMBC site is down now, so I can't reach your link.

    2. Re:Routing around the faulty components by perryizgr8 · · Score: 1

      amazingly, smbc has been down for hours now. i've never seen any site go down for so long.

      --
      Wealth is the gift that keeps on giving.
  4. Every generation wants to re-invent the wheel. by tqk · · Score: 1

    I was rolling out Big Brother Network Monitor a decade ago. It was well capable of doing this.

    Today, I'd use an RDB that stored output from perl:DBI cronjobs running on each machine, and another job that checked the db and made sure all that ought to be happening had reported in successfully recently. Anything that hadn't would trigger an email to someone to look into it.

    Easy to develop, implement, extend, and maintain.

    No, I don't want to connect to FB just to read the article. Post it somewhere else if you want it read.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    1. Re:Every generation wants to re-invent the wheel. by maxwell+demon · · Score: 1

      Dear Facebook, if you start recursively monitoring your monitoring software, pretty soon you won't be able to run anything.

      At which time the process will message: "Mission accomplished."

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Every generation wants to re-invent the wheel. by Anonymous Coward · · Score: 1

      Today, I'd use an RDB that stored output from perl:DBI cronjobs running on each machine, and another job that checked the db and made sure all that ought to be happening had reported in successfully recently. Anything that hadn't would trigger an email to someone to look into it.

      You'd re-invent Nagios, but worse?

    3. Re:Every generation wants to re-invent the wheel. by tqk · · Score: 1

      Objections noted, but I'm unconvinced any are show-stoppers.

      Writing into a shared database via cronjobs on different boxes has a few implications:
      -the credentials do share write access to the database - if not per user account, then per permission. You usually don't give each host its own table to log into ...

      Why? I would give each host its own table, or perhaps a small block of machines one table. This is hardly going to be a vast blob of data going back and forth here. Besides, it doesn't all have to go into one db, nor one db on one machine. Hell, it could be a db on each machine with exports scp'd to a central log server (or ten).

      If a single box is misbehaving (i.e. the hostname "got lost"), you'll end up searching for that box forever - unless you also started logging hostname and IP address, both retrieved via the SQL connection and not as cronjob output.

      That makes no sense to me. No, I've never worked anywhere that had 30k hosts on-line, but simple documentation practices scale. Yeesh. Hostname:location:IP Address:... would make a very small db entry, considering the binary blobs rdbs are comfortable handling these days.

      -Servers need to be NTP-synchronized - which on the other hand results in all of those cronjobs connecting to your shared database at the same time ...

      Get real! Of course you don't have them try to do that.

      -When your cron daemon dies ...

      Oh come on. Now I know you're just making stuff up.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  5. Sounds like a good place to work by Maow · · Score: 3, Interesting

    Facebook is an amazing place to work for many reasons but I think my favorite part of the job is that engineers like me are encouraged to come up with our own ideas and implement them. Management here is very technical and there is very little bureaucracy, so when someone builds something that works, it gets adopted quickly. Even though Facebook is one of the biggest websites in the world it still feels like a start-up work environment because there's so much room for individual employees to have a huge impact.

    Like building infrastructure? Facebook is hiring infrastructure engineers. Apply here.

    Damn, if I weren't so adverse to soul crushing rejection, I'd apply.

    This guy was insightful and informative, so I believe what is quoted above.

    And I'm surprised: I figured Facebook would be either more bureaucratic (like MS) or kinda dickishly autocratic (like Zuckerberg is rumoured to be).

    1. Re:Sounds like a good place to work by hedwards · · Score: 1

      If the site is often broken and randomly changing, this would probably be why. You do want people experimenting and finding fixes, but if you don't have any coordination going on that's just as bad.

    2. Re:Sounds like a good place to work by The+O+Rly+Factor · · Score: 1

      Having a multibillion dollar company pretend they are still a Stanford startup is kind of like trying to pilot an oil tanker as if it were a 30 horsepower inflatable boat. Hence, you get situations like that godawful instant message...thing that takes up a quarter of your screen and disallows you to see contacts that are actually online.

      But HEY! At least our employees feel like they are empowered and important and we still get to have a fuseball table in the conference room, right? I truly cannot take a company like facebook seriously when I see tours of their facilities and their infrastructure engineers are walking around in volcom t-shirts and skateboard shoes.

    3. Re:Sounds like a good place to work by russotto · · Score: 1

      I truly cannot take a company like facebook seriously when I see tours of their facilities and their infrastructure engineers are walking around in volcom t-shirts and skateboard shoes.

      And the T-shirts and the shoes interfere with the job exactly how? Suits (or just dress shirts) and wingtips do NOT increase efficiency one iota.

    4. Re:Sounds like a good place to work by evilviper · · Score: 1

      And I'm surprised: I figured Facebook would be either more bureaucratic (like MS) or kinda dickishly autocratic (like Zuckerberg is rumoured to be).

      I've seen what happens when a startup gets big, and I don't have good things to say about it.

      Lack of bureaucracy is often code for the lunatics taking over and running the asylum... Think, no standards, no processes, no training for new hires (and there are, of course, lots of them) and just nobody in-charge or enforcing, anything. That kind of havock is great for the sociopaths, but makes it very hard for the adults to manage to keep everything holding together with toothpicks and bubblegum, particularly when every new guy makes the same damn stupid mistakes, because they're so "empowered" and management is hands-off and won't enforce the most basic standards.

      I've seen both sides of the coin, and while both are terrible at their extreme, I'd rather err on the side of a little too-much management and standards.

      Of course this is an extreme generalization. There is the perfect balance in there, somewhere, and facebook is swimming in enough money that they certainly COULD have gotten things right, but I'm inclined to believe it's a lot more like the out-of-control overgrown startups I've seen than anyone would like to admit...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Sounds like a good place to work by The+O+Rly+Factor · · Score: 1

      The same way that people who get themselves pierced and tattooed up who then wonder why nobody will hire them as an investment banker. It's all about presentation: if your company looks like its being managed by a bunch of 15 year olds, then I'm just going to assume that it is being managed by a bunch of 15 year olds. But hey, stick it to the man, trying to put us down with his suits and business casual and looking presentable for clients and whatnot, right?

    6. Re:Sounds like a good place to work by ghee22 · · Score: 1

      Totally. I'll never take this guy seriously. Jeans and a black turtleneck? Suit up!

      --
      "Persistence is annoying success." - ghee22 11:28:1999 - 10:53:PM
    7. Re:Sounds like a good place to work by russotto · · Score: 1

      I'm sure Facebook, Google, and other companies where you're as likely to see a skateboard as a suit are crying into their corporate beers over whether you take them seriously. As for investment bankers, I do know someone who is pierced and tatooed and works for an Wall Street trading firm.

      Of course, if we're going by dress, you really have to consider the position. The casual appearance you describe is the hallmark of the programmer... who in their right mind would hire a programmer in a suit? That'd be like hiring a Unix guru without a ponytail!

  6. WOW by PopeScott · · Score: 1

    Auto ticketed errors, I am Amazed. If you did not detect sarcasm, please enter a problem ticket. You don't think that shit's automated do you?

  7. Assisted Suicide by Frosty+Piss · · Score: 1

    I was thinking more in terms of "assisted suicide".

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Assisted Suicide by 32771 · · Score: 1

      I thought of renaming it to Palliabook, but then look what I found at Wikipedia:

      "Palliative care (from Latin palliare, to cloak) is a specialized area ..."

      I guess Cloakbook would also be correct.

      --
      Je me souviens.
  8. Re:Upstart? by marmotte · · Score: 1

    I guess upstart was written by the Winklevoss twins.

  9. Re:Upstart? by FooBarWidget · · Score: 2

    Did you even read the article? It talks about things like broken hard drives.

  10. Re:One script writer equals one hundred MCPs by inglorion_on_the_net · · Score: 1

    "Today, the FBAR service is developed and maintained by two full time engineers, but according to the most recent metrics, itâ(TM)s doing the work of approximately 200 full time system administrators"

    Which doesn't really tell anyone anything. Who expresses amount of work done in terms of number of full time workers? In case anyone had failed to get the message, the above shows that such a metric isn't very useful. Perhaps the message here is that 2 really effective people can do the work of 200 not so effective people - but that has been known for a long time. Still, the more this message is spread, the better.

    --
    Please correct me if I got my facts wrong.
  11. Google and Facebook can fail more freely by Coward+Anonymous · · Score: 1

    Part of the reason Facebook and Google can "self heal" is because failures are mostly not noticeable by end users. If a Facebook or Google machine fails, unless you are getting a 404 or a service failure message there is little to no way for you to know that the web page you have been served up is wrong, partial or out of date. This failure ambiguity provides a lot of leeway on the methods and speed required to fix a failure.

    For most other services where there is a definite correct and incorrect output - like file systems or financial services - a broken service has immediate impact and fixing it is much harder.

  12. Self Healing, my foot by justcauseisjustthat · · Score: 1

    How come friends keep disappearing only to request again, saying I dropped them. Either it's buggy or broke....

  13. They do it very differently by brunes69 · · Score: 2

    From the sounds of this article, Facebook and Google go about this VERY differently.

    The Facebook way, it seems, is that every node in the infrastructure is possibly important. So they write and maintain all these healing scripts to deal with problems like broken processes or failed hard drives.

    Google goes about the same problem in a very different way. Google's system is architected such that no node is important. Everything is massively parallel and redundant - such that you could take and destroy any server, any set of servers, even an entire data centre and blow it up with a bomb, and side from performance issues, no one would notice.

    From an admin's point of view - I would much prefer Google's system. Something doesn't look right on a box? Yank it out TOTALLY, put in a new one, investigate some other time.

  14. Suggested change... by Gription · · Score: 1, Offtopic

    I would like to suggest a subtle change to the posting system: Make it so the first post on any article cannot be done as "Anonymous Coward".

    I know Slashdot has a tradition of being a "free-for-all, run through a blender" but I don't think there has ever been an AC first post that has ever been anything but either:
    - So lame that you wonder how a person manages to survive such a terminal case of lack of personality or creativity... or
    - There is no real reason it couldn't have been posted under a login.

    Stupidity really should be viciously stamped out but if we can use automated steps to reduce the "background stupid" we can then focus more energy on more invasive cases of dumb.

  15. Re:Golden Girls! by mr_mischief · · Score: 1

    s/cosmonaut/confidant/

    Maybe You have confused Zuckerberg with Guy Laliberté or Mark Shuttleworth. Or perhaps with Richard Branson, who builds space tourism vehicles.

    The song, however, has nothing to do with space travelers.

  16. Re:Not Impressed by turbidostato · · Score: 1

    "Facebook devotes over 100 physical servers to every 35,000 users. That is incredibly inefficient"

    Absolutly yes! If they only managed to serve 350 users per server, that, that would be a neat thing.