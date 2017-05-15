Ready to get started building your own reliable messaging system? Check out this preview chapter from the upcoming book, Reactive Systems Architecture.

Availability and fault tolerance are two desirable and often crucial architectural characteristics for building large scale, distributed reactive systems. However, not having them in place can spell a catastrophe for these systems and the business value they generate. For example, Amazon’s S3 outage in February was estimated to cost companies in the S&P 500 index $150 million . A similar financial loss was estimated for Delta airlines last August after a 5-hour outage resulted in grounding around 2000 flights .

With that said, these two architectural characteristics don’t come for free because a distributed environment inherently introduces new complexities, including concurrency, time, order, message delivery, network latency, consistency, failures or deployment. Let’s take a look at how to implement a reliable messaging system with availability and fault tolerance built in as well as introduce the correct mindset for reasoning about these key system design characteristics.

Building production-ready, reliable, resilient and highly available systems

Reliable messaging systems are built when loss of data, or just temporary unavailability of service, may result in financial loss for the business or even life-threatening conditions. It is common in many industries, including banking, finance, e-commerce, healthcare, security, social media or video streaming, and is becoming the standard practice for serious businesses.

In a large scale system, network nodes and other components may fail independently. Companies often assume such failures won’t happen or that manual interventions and fixes are sufficient. Failures will happen. Pretending they won’t only sets the wrong mindset. Although modern hardware and redundancy reduce the number of failures, Google, Amazon or Microsoft cloud still experience them frequently . And to make matters worse, many widely used distributed systems don't always handle failures correctly, resulting in data loss, reading uncommitted data and other issues .

Figure 1: Secure messaging system components

Fortunately, modern DevOps, infrastructure automation, site reliability engineering, and distributed system engineering practices can be used to architect, build, and verify large scale cloud-native or on-premise systems and promote them to be ready for the harsh reality of production. Figure 1 shows the components of a messaging system used by security agencies to achieve real-time, secure, fault tolerant, and especially always available service. It uses Akka, Kafka, Cassandra, Zookeeper, and Solr, each offering different features, guarantees, and fitting a different use case in the system. A skillful combination of their attributes achieves the overall desired properties of the system.

In this example, client devices are responsible for reliable delivery of Protobuf serialized and CoAP transported messages to Kafka via a Gateway. Kafka topics are partitioned by user ranges to maintain relative message ordering. Kafka also fulfils an important role from a reliability and durability perspective: the client is responsible for delivering messages to Kafka, but after the delivery is acknowledged, it can forget the message and the message immediately becomes the system’s responsibility. The system then guarantees delivery by utilizing acknowledgements, retries, timeouts and the selective progress of offset in Kafka.

Each cluster node starts a Kafka consumer in the same consumer group so messages are only consumed once (apart from failure scenarios) and forwarded to a sharded Akka user service. Sharded User and Device actors mimic the current state of the user or device respectively, act as a consistency boundary and can use the knowledge about user and device state to apply business logic such as sending messages back to the physical device via WebSocket as a response to the other user’s actions or events in the system. Heartbeat messages are used to keep the WebSocket open and User and Device shadow actors loaded in memory while the client is active. Chat service actors act as a single writer to linearize concurrent histories, define total order of processed operations, and guarantee certain invariants using Akka Cluster Sharding or Cluster Singleton instances.

What’s more, the Cassandra database is meant to be scalable, but most importantly it’s a highly available distributed datastore with tunable consistency designed to withstand even a datacenter failure. The ZooKeeper cluster is used for consistent distributed coordination such as unique ID generation or leader election. And finally, Solr, a search platform based on Apache Lucene, integrated well with the Cassandra database, is used for analytics and reporting.

System guarantees through mindset and thorough engineering practices

Figure 2: Example of a system using partitioning and replication across three availability zones and two regions in AWS cloud and the consequence of an availability zone failure

The above system uses powerful techniques that help to ensure consistency, availability and resiliency in large scale distributed systems (especially under failure scenarios). Some of these techniques include replication, partitioning, planning for node, network or even datacenter failures (see Figure 2), chaos testing, selecting and guaranteeing consistency level and ordering, reliable delivery (see Figure 3, below), failure control patterns, multi-step operation failure handling, self-healing, bulkheading, isolation, coordination avoidance or observability through distributed logging and tracing.

However, to be able to build such a reliable system, the primary goal of an organization needs to be to set the correct mindset during software development--failures and all possible scenarios must be explicitly considered, embraced and the solutions understood, rigorously implemented and verified.

Figure 3: Reliable delivery solution schema and potential failures marked by red cross

Cases that are not explicitly handled still exist—the decisions just become implicit. Consider the following examples: an implicit out of memory error instead of explicit consideration of bounded queue and back-pressure; an implicit data loss during network partition instead of explicit design of consistency and delivery guarantees; an implicit denial of service instead of explicit design of replication or partial service; implicit hidden failures in the system instead of explicit understanding of the system via monitoring, structured distributed logging and tracing; or an implicit unhandled exception instead of explicit error handling.

Default decisions sometimes turn out to be reasonable, but in the majority of cases they don’t and may eventually cause catastrophic failures. Furthermore, many of these problems are extremely difficult to notice, find, replicate and fix, because they may not manifest themselves for months or only under specific asynchronous failure or concurrent conditions. And that may as well be at the worst possible moment, under heavy load during a major event for your business. Your organization absolutely needs guarantees that this will not happen.

Conclusion

Availability and fault tolerance are often business-critical attributes of a software system, but unfortunately, in many cases, they are neglected or simply not built into the system due to imperfect software development practices. Failures will inevitably happen and may have major consequences for your organization.

The sample chapter from my forthcoming book, Reactive Systems Architecture, describes in further detail the software engineering techniques and concepts that help to embrace system failures and handle them without impacting the business. It also dives deeper into the importance of the mindset necessary to develop production-ready systems in an organization. It explains not only the theory, but focuses on real world examples from requirements to implementation and verification of the desired system properties.

This post is part of a collaboration between O’Reilly and Cake Solutions. See our statement of editorial independence.

1 Hersher, R. NPR. (2017). Retrieved May 2, 2017, from http://www.npr.org/sections/thetwo-way/2017/03/03/518322734/amazon-and-the-150-million-typo.

2 Isidore, C. CNN. (2016). Retrieved May 2, 2017, from http://money.cnn.com/2016/09/07/technology/delta-computer-outage-cost/.

3 Bailis, P., & Kingsbury, K. (2016). The Network is Reliable: An informal survey of real-world communications failures. Acmqueue, 12, 7.

4 Kingsbury, K. Aphyr. (2016). Retrieved February 14, 2017, from https://aphyr.com/.