mddpro: model-driven dependability provisioning in enterprise distributed real-time and embedded...
TRANSCRIPT
MDDPro: Model-Driven DependabilityProvisioning in Enterprise Distributed Real-time
and Embedded Systems
Sumant Tambe*
Jaiganesh Balasubramanian
Aniruddha Gokhale
Thomas Damiano
Vanderbilt University, Nashville, TN, USA
Contact : [email protected]
This work is supported by subcontracts from LMCO & BBN
International Service Availability Symposium (ISAS) 2007
May 21-22, 2007, University of New Hampshire, Durham, New Hampshire, USA
2
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Component-based Enterprise DRE Systems Characteristics of component-based
enterprise DRE systems Applications composed of one or
more “operational string” of services or systems of systems
Simultaneous QoS (Availability, Time Critical) requirements
Dynamic (re)-deployment of components into operational strings
Examples of Enterprise DRE systems Advanced air-traffic control systems Continuous patient monitoring systemsDetector1
Detector2
Planner3 Planner1
Error Recovery
Effector1
Effector2
Config
LEGEND
Receptacle
Event Sink
Event Source
Facet
Goal: Simplify and automate Fault-Tolerance provisioning in the DRE
systems
3
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Fault-Tolerance Design Considerations in DRE Systems
C1 C2 C3 C4 C5
Per-component concern – choice of implementation Depends of resources, compatibility with other components in assembly
Availability concern – what is the degree of redundancy? What replication styles to use? Does it apply to whole assembly?
Failure recovery concern – what is the unit of failover? State synchronization concerns – What is data-sync rate? Deployment concern – how to place components? Minimize failure risk to the
system
Failover Unit
4
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Tangled Fault-Tolerance Concerns
Separation of Concerns using higher
level abstractions is the key
Implementation determines replication style and vice-versa
Replication degree affects resources and deployment
Replication style determines state synchronization style
Availability of domain artifacts determines deployment
Significant sources of variability that affect end-to-end QoS (performance + availability)
Design-time Deployment-time Run-time
5
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Model-Driven Engineering – A Promising Approach Higher level of abstraction
than third generation programming languages
Modeling each concern separately alleviates system complexity Deployment model Component assembly model System structural model Different QoS models
e.g., Fault-tolerance
Generative and model transformation techniques to weave in appropriate glue code
Complex System
6
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Fault-tolerance Modeling Abstractions in MDDPro
Fail-over Unit (FOU): Abstracts away details of granularity of protection (e.g., Component, Assembly, App-string)
Replica Group (RPG): Abstracts away fault-tolerance policy details (e.g., Active/passive replication, rate and topology of state-synchronization)
Shared Risk Group (SRG): Captures associations related to failure risk. (e.g., shared power supply among processors, shared LAN)
Protection granularity concerns
State-synchronization concerns
Component Placement constraints
Replica Distance Metric
Interpreter (component placement constraint solver): Encapsulates an algorithm for component-node assignment based on replica distance metric
CQML (Component QoS Modeling Language)
A DSML in the CoSMIC tool suite
7
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Fault-Tolerance Model in CQMLCQML (Component QoS
Modeling Language) A graphical QoS modeling
language on top of a system composition language (e.g., PICML)
Enhances system structure with QoS annotations (e.g., FOUs for granularity of protection)
A FOU itself is a model and captures heartbeat frequency and replication groups
A Replication group captures per component replication style, data synchronization rate
8
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
container/component servercontainer/component server“Client” primary IO
R
Primary FOUPrimary FOU
A B C
Fail-over Unit Example
container/component servercontainer/component server container/component servercontainer/component server
Replica FOUReplica FOU
A’ B’ C’
secondary IOR
container/component servercontainer/component server container/component servercontainer/component server container/component servercontainer/component server
Primary Component
Replica Component
9
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
DataCenter1_SRGDataCenter1_SRG DataCenter2_SRGDataCenter2_SRG
Rack1_SRGRack1_SRG Rack2_SRGRack2_SRG Node1Node1(blade31)(blade31)
Node2Node2(blade32)(blade32)
Shelf1_SRGShelf1_SRG Shelf2_SRGShelf2_SRG
Blade30Blade30
Ship_SRGShip_SRG
Blade34Blade34 Blade29Blade29
Shelf1_SRGShelf1_SRG
Blade36Blade36Blade33Blade33
Shared Risk Group Example
10
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
R1
P
R2
R3
Define N orthogonal vectors, one for each of the distance values computed for the N components (with respect to a primary) and vector-sum these to obtain a resultant. Compute the magnitude of the resultant as a representation of the composite distance captured by the placement .
Formulation of Replica Placement Problem
1. Compute the distance from each of the replicas to the primary for a placement.
2. Record each distance as a vector, where all vectors are orthogonal.
3. Add the vectors to obtain a resultant.4. Compute the magnitude of the resultant.5. Use the resultant in all comparisons (either among
placements or against a threshold) 6. Apply a penalty function to the composite distance (e.g. pair
wise replica distance or uniformity)
11
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Node2Node2(blade32)(blade32)
Shelf1_SRGShelf1_SRG
Ship_SRGShip_SRG
Blade34Blade34 Blade36Blade36
Composite Composite DistanceDistance
Blade30Blade30
Node1Node1(blade31)(blade31)
DataCenter2_SRGDataCenter2_SRGDataCenter1_SRGDataCenter1_SRG
Rack1_SRGRack1_SRG Rack2_SRGRack2_SRG
Shelf1_SRGShelf1_SRGShelf2_SRGShelf2_SRG
Blade29Blade29 Blade33Blade33
Component Placement Example using SRGs
Replica1
Replica2
Replica3
Primary
12
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
5. Distance-based constraint algorithm determines replica placement in deployment descriptors.
GME/PICMLGME/PICML
1. Model components and application strings in PICML2. Model Fail Over Units (FOUs) and Shared Risk Groups (SRGs)3. Determine deployment of primary components
4. Interpreter automatically injectsreplicas and associated CCM IOGRs
FT Modeling & Generative Steps
Model Model InformationInformation
Domain, Deployment,
SRG, and FOU injection
Replica Placement Algorithm
modelFT InterpreterFT Interpreter
Augmented Augmented Deployment Deployment
PlanPlan
13
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Fault-Tolerance Model in CQML (1/2)
Replica = 3Min Distance = 4
14
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Shared Risk Group Model in CQML
Shared Risk Group 1
15
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Generative Capabilities for Provisioning FT
Automatic Injection of replicas Augmentation of
deployment plan based on number of replicas
Automatic Injection of FT infrastructure components E.g. Collocated “heartbeat”
(HB) component with every protected component.
Automatic Injection of connection meta-data Specialized connection
setup for protected components (e.g. Interoperable Group References IOGR)
C1
C1C1C1C1
HB
Container
M x N
16
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
container/component servercontainer/component server
FPCFPC
“client”
periodic FPC heartbeat
primary IOR
Primary FOUPrimary FOU
A
HB
container/component servercontainer/component server
Bcontainer/component servercontainer/component server
C
container/component servercontainer/component server
Replica FOUReplica FOU
A’container/component servercontainer/component server
B’container/component servercontainer/component server
C’
secondary IOR
IOG
R
FPCFPC
HB HB
intra-FOU heartbeat
HBHB HB
Example of Automated Heartbeat Component Injection
Primary Component
Replica Component
Collocated heartbeat
component
ConnectionInjection
17
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Future Work Developing advanced constraint solver
algorithms to incorporate multiple dimensions of constraints in component placement decision (e.g. resources, communication latency)
Optimizing the number of generated heartbeat components for collocated, protected application components.
Enhancing the DSL and the tools to capture the configurability required by the new Lightweight RT/FT CORBA specification. e.g. Enhancing the model interpreter to
support a wide spectrum of established fault-tolerance mechanisms
Enhancing working prototypes and evaluating them in representative DRE systems
HB
Container
C1C1C1C1
Configurable FT Infrastructure
18
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Concluding Remarks
Model-Driven Engineering separates dependability concerns from other system development concerns
Separation of concerns helps alleviate system complexity
Model-based generative capabilities “compile” FT infrastructure (e.g. heartbeat components and connections) during model interpretation time and synthesize meta-data
Tools available for download fromwww.dre.vanderbilt.edu/cosmicwww.dre.vanderbilt.edu/CIAO
19
Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007
Questions?