Technology

From a technology viewpoint, you can look at resiliency in terms of making sure that our program doesn’t crash. Ensuring that it can handle errors gracefully, and not fall over in a blaze of glory (and stack traces) leaving your users at best bewildered, and at worst in danger. It can also encompass our hardware. Can you tolerate a single machine unexpectedly powering off? Or should you invest in servers with redundant power supplies and networking to ensure they are less likely to fail?

With the advent of the cloud, things have shifted. Aspects around managing individual machines may no longer be under your direct control, instead you’ll have to consider which of a myriad of cloud products will deliver what you need.

Later in this chapter I’ll show you the specific challenges that distributed systems introduce, which cause us to take into considerations concepts like timeouts and retries and more, topics which I will spend a lot of time on in this book. Before that though you have to expand our horizons somewhat. What about the people who actually build, operate and use the systems you create?

Social

As a software developer, it can be tempting to try and just focus on the act of coding, to the exclusion of other “noise”. Dedicating our focus to algorithms, data structures, network protocols or other technical implementation details takes focus, commitment, and time. Unfortunately, it takes only a cursory examination of how things fail to realize that this is not only a naive view, it can even be dangerous.

For example, an environment where the act of raising safety concerns is discouraged or even punished will lead to issues that could have been caught before impacting users. The country or industry sector you operate in might require that systems are built in certain ways to comply with local legislation or compliance.

Different types of users will have different expectations about the systems they use. The impact of failures can also be starkly different - an information display in a shopping mall crashing and serving up a stack trace isn’t great, but it’s not as bad as a self-driving car accelerating when it should brake.

This of course also deals very neatly with the refrain that you should “keep politics out of technology”. Once you understand that our systems are influenced by the people who build and use the software, the culture they operate in, and the wider societal context, you see that this statement doesn’t really make much sense. For example I worked with a Nordic government agency who were basing their technology on Kubernetes hosted on Azure. They were avoiding the use of Azure-specific technologies, which was creating some challenges as they ended up having to do more work themselves. But they were aware that the political winds could change, and that an earlier decision to allow them to use a public cloud vendor could be reversed by a change in government policy.

It can be difficult to get a grasp on what societal aspects are in play when considering resiliency, especially if you have spent most of your career focusing on technical concerns. Later in this chapter, I will introduce a couple of models that can help provide some structure around these ideas and help you understand where you need to focus your time if you are to deliver truly resilient systems.

How Distributed Systems Can Fail (Us)

But really, this is all a rather dry description of what a distributed system is. It doesn’t really communicate what it’s like to own and operate. As a result, I turn yet again to my favorite definition of what a distributed system is:

A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable.

Leslie Lamport

This quote gets to the heart of the interesting ways in which distributed systems can fail. I’ve had machines vanish on me (in one case caused by the wrong servers being packed up and shipped from the east coast of the US to the west). Network cables can be served, by accident or on purpose⁷. DNS misconfiguration can stop whole swathes of websites from working, such as the recent outage of the .ru top level domain⁸.

Distributed systems may well be a necessity, but their nature as an interconnected system of independent machines often just exposes them to more sources of failure.

Essentially though, the vast array of failure modes that you can encounter with a distributed system - and the above list just scratches the surface - come down to two fundamental rules that apply to any distributed system.

Two Golden Rules Of Distributed Systems

I’ve found that there really are two fundamental rules that any distributed system is governed by. They are:

1. You cannot beam information instantaneously between two points

2. Sometimes you can’t reach the thing you want to talk to

These rules will influence so much of how you think about building more resilient systems, and you’ll encounter them in different forms throughout the book. Before that however, let’s briefly explore these two rules to better understand the problems they create.

The Hexagonal Model For Sociotechnical systems

A model I’ve found useful when trying to grasp the realities of the sociotechnical system breaks things down into a hexagonal model¹³ shown in Figure 1-3. Whilst this model is designed to help understand any generic sociotechnical system¹⁴, this book relates specifically to building and running a distributed system. Therefore I have interpreted the model through that lens.

Figure 1-3. A hexagonal model for Sociotechnical Systems from Davis et al. (2014)

The hexagonal model breaks down the idea of a sociotechnical system into 6 discrete concepts:

People

The people doing the work and using the software (developers and users).

Culture

The social environment in which the work is done. For example some cultures might be more risk adverse than others, or might ignore the input from people in marginalized groups

Goals

The incentives for the people creating, operating, and using the system

Technology

The software being written and the supporting tools being used

Infrastructure

Generically this relates to the physical infrastructure at play. This could extend to buildings and roads for example, but in this context will more likely cover computing hardware, networks, power generation etc.

Processes

The mechanisms put in place which guide how the work is done - this could include your preferred style of software development, for example Scrum or Six Sigma.

People, culture and goals are the societal aspects, whereas technology, infrastructure and processes are on the technical side of things. All of this sits within a wider ecosystem of influences over which you will have limited to zero ability to control:

Financial/Economic Circumstances

Your company could be flush from a cash injection from a new investor, or could be operating against the backdrop of a national recession. Or perhaps a global pandemic?

Regulatory Frameworks

Rules and regulations that might apply to the industry you work in. For example adhering to the Payment Card Industry when handling credit cards, or regulations like General Data Protection Regulation (GDPR) for companies operating in the EU.

Stakeholders

This would as a minimum include the people the system is being built for, but could include a wider range of interested parties.

A change to any one of these elements will have a knock-on impact elsewhere. For example, a culture where people are empowered to make local decisions might result in a proliferation of tools being used (technology). Targets which aim for low levels of bugs may result in the people building the software not wanting to report issues when they arise (goals).

I’ll explore this interplay throughout the book. For example I’ll look at culture in terms of the importance of establishing a blame-free environment to encourage information sharing, and how moving away from rigid processes can empower people to build more resilient systems. I will also take you on a deep dive into the technical side of things, looking at failure modes for our hardware (infrastructure), or stability patterns for our code to handle situations like timeouts or services being unreachable (technology).

Robustness

Robustness is the concept whereby you put mitigations in place to deal with expected problems. From the technical viewpoint, you have a whole host of issues that you might expect. A machine can fail, a network connection can timeout, a process might be unavailable. You can improve the robustness of your architecture in a number of ways to deal with these problems, such as automatically spinning up a replacement host, performing retries, or handling failure of a given microservice in a graceful manner.

Robustness goes beyond the technical though. It can apply to people. If you have a single person on call for your software, what happens if that person gets sick, or isn’t reachable at the time of an incident? Potential solutions to this problem might be to have a backup on-call person, or a well documented playbook.

Wood’s definition of robustness requires prior knowledge — you are putting measures into place to deal with things you expect to go wrong. This knowledge could be based on foresight — you could draw on your understanding of the computer system you are building, its supporting services, and your people to consider what might go wrong. But robustness can also come from hindsight—you may improve the robustness of your system after something you didn’t expect happens. Perhaps you never considered the fact that your global filesystem could become unavailable, or perhaps you underestimated the impact of your customer service representatives not being available outside working hours.

One of the challenges around improving the robustness of our system is that as you increase the robustness of our application, you introduce more complexity to our system which can be the source of new issues. Consider moving your microservice architecture to Kubernetes as you want it to make it easier to run your microservice workloads. You may have improved some aspects of the robustness of your application as a result, but you’ve also introduced new potential pain points such as the fact you’ll likely need more infrastructure to run Kubernetes itself, or that extensive training will likely be needed to understand how to manage and use it. As such, any attempt to improve the robustness of an application has to be considered, not just in terms of a simple cost/benefit analysis of the initial work being done, but also in terms of whether or not you are prepared for the more complex system you end up with.

A significant part of this book will be dedicated to putting into place various mitigations for the known issues that can occur with distributed systems.

Rebound

How well your system can recover — rebound — from disruption is a key part of building a resilient system. All too often I see people focusing their time and energy into trying to eliminate the possibility of an outage, only to be totally unprepared once an outage actually occurs. By all means do your best to protect against the bad things that you think might happen — improving your system’s robustness — but you also have to be honest and understand that as your system grows in scale and complexity, eliminating any potential problem becomes unsustainable.

You can improve our ability to rebound from an incident by putting processes into place in advance. For example:

• Having backups in place to better recover in the aftermath of data loss (assuming your backups are tested of course!)

• Write and maintain a playbook that you can run through in the wake of a system outage to help resolve known issues

• Clearly define roles and responsibilities for what happens when an incident occurs, so everyone knows who the point person will be and how the incident response process will work

Trying to think clearly about how to handle an outage while the outage is going on is going to be problematic due to the inherent stress and chaos of the situation. Having an agreed plan of action in place in anticipation of this sort of problem occurring can help you better rebound.

Graceful Extensibility

No plan survives first contact with the enemy.

Helmuth von Moltke (heavily paraphrased)

With rebound and robustness, you are primarily dealing with the expected. You are putting mechanisms in place to deal with problems that you can foresee. But what happens when you are surprised? If you aren’t prepared for surprise, prepared for the fact that our expected view of the world might be wrong, you end up with a brittle system. As you approach the limits of what you expect our system to be able to handle, things fall apart. How many companies were ready for the implication of a global pandemic, and the lockdowns that followed?

Flatter organizations — where responsibility is distributed across the organization, rather than held centrally — will often be better prepared to deal with surprise. When the unexpected occurs, if people are restricted in what they have to do, if they have to adhere to a strict set of rules, their ability to deal with surprise will be critically curtailed.

Often, in a drive to optimize our system, you can as an unfortunate side effect increase the brittleness of our system. Take automation as an example. Automation is fantastic — it allows us to do more with the people you have, but it can also allow us to reduce the people you have, as more can be done with automation. This reduction in staff can be concerning, though. Automation can’t handle surprise — our ability to gracefully extend our system, to handle surprise, comes from having people in place with the right skills, experience, flexibility and responsibility, to handle these situations as they arise.

Sustained Adaptability

Sustained Adaptability speaks to the ability of the system to continually evolve and improve. Sustained adaptability requires us to not be complacent. As David Woods puts it in the aforementioned “Four concepts” paper:

“No matter how good we have done before, no matter how successful we’ve been, the future could be different, and we might not be well adapted. We might be precarious and fragile in the face of that new future.”

David Woods

That you haven’t yet suffered from a catastrophic outage doesn’t mean that it cannot happen. You need to challenge yourself to make sure that you are constantly adapting what you do as an organization to ensure future resiliency. Topics I’ll explore later in the book such as effective post-mortems and chaos engineering can be key tools in helping create a learning organization that can adapt as needed.

Sustained adaptability often requires a more holistic view of the system to see where changes need to be made. This is, paradoxically, where a drive towards smaller, autonomous teams with increased local, focused, responsibility can end up with you losing sight of the bigger picture. As I’ll explore in <<???>>, there is a balancing act between global and local optimization when it comes to organizational dynamics, and that balance isn’t static.

Creating a culture which prioritizes creating an environment where people can share information freely, without fear of retribution, is vital to encourage learning in the wake of an incident. Having the bandwidth to really examine these surprises, and extract the key learnings requires time, energy and people — all things that will reduce the resources available to you to deliver features in the short term. Deciding to embrace sustained adaptability is partly about finding the balancing point between short term delivery and longer term adaptability.

To work towards sustained adaptability means that you are looking to discover what you don’t know. This requires continuing investment, not one off transactional activities — the term “sustained” is vital here. It’s about making sustained adaptability a core part of your organizational strategy and culture.