I’ve never run a big system like this, but like the lead character in the story, I always figured exponential backoff would be enough. Turns out there’s more.

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    2 months ago

    tl;dr:

    Each request takes exactly one second to process, and a new request arrives every second

    That’s their core issue. They were never able to process requests fast enough, and the moment there was any delay it all came down like a house of cards. If you’re already running at 100%, yeah no shit you’re going to have problems if anything changes even slightly.

    Further, it doesn’t seem like retries backed off enough, or maybe should have just given up eventually.

    The writing style also made it kind of hard to follow. Technical articles work better when they’re not written like a children’s story, but with technical writing.

    • RubberElectrons@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      Hmm… I’d say that was an obvious example to cause the situation, the real point was exposing the more subtle problems with feedback loops.

      What happens if the server in question was at 80% capacity, and due to hardware faults, that leads to 100% utilization? Can you reconfigure your services if there’s a cascading overload through enough of the system without actually adding to the system load? What do you do about the fact that these loops gets ever more powerful and sudden the larger the system?

      The author seemed to be suggesting that we carefully consider how to avoid open feedback loops, and build stability in. This article clued me in that stability problems can be borne from “industry standard” advice if you don’t carefully think about it.

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        Ideally, you’d limit your resource utilization to always leave enough of a buffer that your management tools can run. But even if that’s not the case, you should also be able to disable incoming traffic so that your servers stop even seeing the requests. Or you can just plain destroy and recreate with a new version.

        But none of that addresses the fact that your retrying clients are basically DDoSing you. That can be mitigated by your WAF filtering requests so that only a fraction are passed to the server, as mentioned in the article, but preferably you’d just scale up to handle the load, or fix your clients to retry less frequently so that they don’t DDoS you with retries. Even a large number of clients shouldn’t be retrying so frequently that it overwhelms your system. Even if you’re selling Taylor Swift tickets, where millions of clients are hammering you, you can scale horizontally to at least implement a queue for users so they’re not hitting refresh every time they get a blank screen.

        • RubberElectrons@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          All of what you’re saying seems correct. I think this is more of a meta discussion, on how (in this case) retries, even with exponential back off, aren’t a solution by themselves when you look at the system overall. There are interesting hidden caveats to any common solutions, this is one I personally wasn’t aware of.

          Practically, adding a timeout budget so that the clients themselves just error out (forcing a manual refresh) sorta accomplishes the same as what you’re positing.