thenpropagatestheeffectsofthatfailurethroughoutthecom-ponentassembly.S - PDF document

thenpropagatestheeffectsofthatfailurethroughoutthecom-ponentassembly.Sincethispropagationisareconguration,itmayinducefurtherfailuresthatareprocessedidentically.Oncetheimpactsofallfailureshavebeenpropagated,themanagedsystemisarchitecturallyconsistent,whichmeansthatitcanbesafelyintrospectedandfurtherrecongured.Importantly,thismeansthatanadministratororanautonomictoolcansafelyintrospectthisarchitectureanddecidehowtobestrepairtheoccurredfailures.Theremainingofthepaperisstructuredasfollows.Sec-tionIIdiscussescomponentmodels.InSectionsIIIandIV,wedetailourrecongurationprotocolintheabsenceoffailures,whileSectionVisdevotedtotherobustversionoftheprotocol.SectionVIevaluatestheproposedprotocol.FinallywediscussrelatedworksinSectionVIIandweconcludeinSectionVIII.II.COMPONENTMODELThissectionbrieyrecallsthegrowingconsensusamongstcomponentmodels[8][9][10][25]regardingtheconceptofacomponent,itslifecycle,anditsdependencies,aswellastherecongurabilityofacomponentassembly.Acomponentisasoftwareentitythatdenesasetofexportsandimports.Exportsdescribeservicesthatthecomponentiswillingtoprovidewhileimportsdescribeservicesthatitrequirestofunctionproperly.Hence,acomponentassemblycanbeshapedbywiringimportstoexports.Importsaregiveneitheramandatoryoroptionalsemantics;whileoptionalimportsmaybewiredorunwiredatanytimeduringthelifetimeofacomponent,mandatoryimportsshouldbewiredbeforeacomponentisstarted.Inotherwords,tobefullyfunctional,acomponentmusthaveallitsmandatoryimportswiredtoexports.Themainrecongurationoperationsthatareprovidedarethefollowing.RecongurationoperationsCONSTRUCT/DESTRUCTcomponentsWIRE/UNWIREcomponentsSTART/STOPcomponentsEachcomponentimplementsalltheserecongurationop-erationsinacomponent-specicmannerbutfollowingarecongurationcontractincludingarecongurationgrammarandarchitecturalinvariants.Therecongurationgrammar,asdepictedinFigure1,speciesinwhichorderandinwhichconditionsarecongurationoperationmaybeinvoked.Thisgrammarreliesonthreemainlifecyclestatesforacomponent:STOPPED,STARTED,andFAILED.Whenrstconstructed,acomponentisintheSTOPPEDstate,meaningitisnotfunctionalyet.AcomponentmayreachtheSTARTEDstateonceitisresolved,i.e.,onceallitsmandatoryimportsarewired.Acomponentmayfailatanytime,reachingtheFAILEDstate.Oncefailed,acomponentmayberemovedfromtheassembly.Architecturalinvariants,denedbelow,constrainthear-chitectureofacomponentassemblythatcorrespondstothe Fig.1.Recongurationgrammardescriptionofwhichcomponentcomposetheassembly,whataretheirlifecyclestatesandhowtheyarewiredtogether.Morepreciselly,architecturalinvariantscorrelatethecomponentslifecyclewiththesemanticsoftheirimports(optionalvsmandatory).Theseinvariantsdeneanarchitecturallyconsis-tentassemblyofcomponents,meaninganassemblythatcanbesafelyintrospectedandreconguredbyanadministratororanautonomictool.Theyarenottobeconfusedwithhigher-levelinvariantsthatcaptureapplication-specicanddomain-specicknowledge.Forinstance,application-specicinvariantsmightstatethatanapplicationonlyworksifallcomponentsarestarted,orthatcertaincomponentsmaybestoppedandtheapplicationisstilloperational.Hence,anarchitecturally-consistentassemblymightnotbefunctionalfromanoverallapplicationperspective,butitisrecongurableinordertore-establishafunctionalassembly.Denition1.Architecturalinvariants(I1)Allstartedcomponentshavealltheirmandatoryimportswired.(I2)Allstartedcomponentsarewiredonlytostartedcompo-nents.(I3)Therearenowiresto/fromfailedordestructedcompo-nents(I4)Therearenocyclesthroughmandatoryimports1.Therecongurationgrammaralongwiththearchitecturalinvariantsdenetherecongurationcontractthatenablescom-ponentdeveloperstoapproachthedesignofacomponentasaFiniteStateMachine.Forinstance,oncestarted,acomponenthastheguaranteethatallitsmandatoryimportshavebeenwired.Reversely,anycomponentwillbestoppedbeforeitsmandatoryimportsareunwired.Thiscontractisthereforethecornerstoneofcomponentdesign,helpingdeveloperstomasterthedifcultchallengeofdesigningcomponentsthatcanbedynamicallyrecongured.NotationInthesequel,weuselettersc;dtorangeovercomponents,andv;wtorangeoverwires.Awirewlinksanimportiofacomponentctoanexporteofanothercomponentc0;wedenotethesource(c)byw:srcandthedestination(c0)byw:dst.Wealsouseletterotorangeoverrecongurationoperations,whichweseparateintodownoperations:stop(c),1Thisisawidely-acceptedlimitationamongstcomponentmod-els[8][9][10][25]. Fig.4.OrderingtoobtainanICStions,producingtheSaturatedApplyDownSet(SADS).Therstruletranslatesanunwiredgoalintothecorrespondingunwireoperationbutalsogeneratesastoppedgoalifthewiretoberemovedismandatory—thusenforcingtheinvari-ant(I1).Thesecondruletranslatesastoppedgoalonacomponentcintothecorrespondingstopoperationbutalsogeneratesadditionalgoalstopreservetheinvariant(I2).Thethirdruletranslatesadestructedgoalintothecorrespondingdestructoperationbutalsogeneratesunwiredgoalsforallwiresconnectedtoorfromthedestructedcomponent—thuspreservingtheinvariant(I3).Notethatthispropagationalwaysterminates;theonlycasewherethealgorithmcouldloopiswhentryingtostopacomponentbelongingtoacycleofmandatorywires,whichispreciselyforbiddenbytheinvariant(I4).ThenourprotocolobtainsarstICSbyorderingtheoperationsintheSADSsuchastorespecttherecongurationgrammar,asdepictedinFigure4.Furthermore,thestopoperationsarealsoorderedastorespecttheinvariant(I2).ApplyingthisICSonthemanagedsystemendstherstdownphaseofthecommit.NotethattoapplyanICSonthemanagedsystem,thenecessaryquiescencemustbeestablishedatthelevelofthecomponentruntime[17].Thesecondphaseofthecommitisconcernedwithupoperations.ToobtaintheApplyUpSet(AUS),itisnecessarytoprocessanupdiffbetweenthecurrentarchitecturethathasjustevolvedthroughdownoperations,andtheunchangedtargetarchitecture.Notethatthisupdiffmayonlybecom-putedafterthedowndiffhasbeencomputedandsaturated,asthesaturationmayforcesadditionnaldownoperationstobeprocessed,whichwillrequirealargersetofupoperationstoreachthetargetarchitecture.TheAUSobtainedfromtheupdiffissaturatedbydenitionsincearchitecturalinvariantsdonotrequireanypropagationregardingupoperations.ThisAUSneedstobeorderedintoanICS,usingtheorderingalgorithm(Figure4).Furthermore,asitwasthecaseforstopoperations,startoperationsarealsoorderedastorespectinvariant(I2).ApplyingthisICSendsthesecondupphaseofthecommit.Puttingitalltogether,thetwophasesofthecommitaresummarizedbelow,explainingthealgorithmgiveninListing1:1)DownPhase.OurprotocolrstcomputestheADSbyprocessingadiffbetweenthecurrent(AC)andtarget(AT)architectures,saturatestheADSintotheSADS, commit(AC,AT)f //Recongurethearchitecture(AC)ofthemanagedsystem //tomatchthetargetarchitecture(AT) assert(consistent(AC)&&consistent(AT)); ADS,AUS:setsofrecongurationgoals SADS,SAUS:setsofrecongurationoperations ICS:sequenceofrecongurationoperations //downphase ADS=diff down(AC,AT); SADS=propagate(AC,ADS);//seepropagationrules ICS=order(AC,SADS);//seeFigure4 A0C=apply(AC,ICS); //upphase AUS=diff up(A0C,AT); ICS=order(AT,AUS);//seeFigure4 A00C=apply(A0C,ICS); assert(isomorph(A00C,AT)); return(A00C); g Listing1.CommitalgorithmorderstheSADSintoanICS,andnallyappliesthatICSonthemanagedsystem,whichevolvesittoanewcurrentarchitectureA0C.2)UpPhase.OurprotocolcomputestheAUSbyprocess-ingadiffbetweenA0CandAT,ordersthisAUSintoanICS,andappliesthisICSonthemanagedsystemwiththearchitectureA0C,whichevolvesittoanewcurrentarchitectureA00C.Attheendofthecommit,thearchitectureofthemanagedsystem(A00C)isisomorphictothedesiredtargetarchitecture(AT),andthesystemhasbeenreconguredthroughtwoICS.Weconcludethissectionwithanillustrativeexample.ConsiderthemanagedsystemwiththecurrentarchitectureACfromFigure5,withfourstartedcomponentsd,c,c1,andc2,mandatorywireswfromdtocandw1fromctoc1,andanoptionalwirevfromc1toc(invariant(I4)holdssinceitconcernsonlymandatorywires).TakeATastargetarchitecture,wherethewirew1isnowreplacedbyamandatorywirew2fromctoc2. AC dw// cw166 c1vvv c2 AT dw// c w2)) c1vvv c2 A0C dw// c c1 c2 Fig.5.Exampleofarecongurationsession Fig.6.TypicalclusteredWebarchitecturerepresentsadatabaseserver.Allimportsinthearchitecturearemandatory.1)DeploymentScenario:TherstmanagementtaskistheinitialdeploymentoftheWebserver.TheadministratorstartswithaninitialcurrentarchitecturethatisemptyandshapesthedesiredtargetarchitecturedepictedinFigure6(a).Whentheadministratorcommitsthesession,therecongurationwillresultinthedeploymentoftheoverallsystem.ThedownphaseofourprotocolcomputesanemptyApplyDownSetsincethecurrentarchitectureofthemanagedsystemisempty.Theupphaseofourprotocol(seeListing1)computesthefollowingApplyUpSet:ApplyUpSet/commitalgorithmconstruct:T1,T2,DB1wire:(T1,DB1),(T2,DB1)start:T1,T2,DB1construct:A1,A2wire:(A1,T1),(A2,T2)start:A1,A2OurprotocolthenordersthisApplyUpSetintothefollow-ingICS:ICS/commitalgorithmconstruct:A1,A2,T1,T2,DB1wire:(A1,T1),(A2,T2),(T1,DB1),(T2,DB1)start:DB1,T1,T2,A1,A2Withoutfailures,theapplyofthisICSresultsinthedeploymentofthedesiredclusteredWebserver.Let'snowforceafailuretooccuruponwiringTomcattothedatabasesystem(e.g.,wire(T1,DB1)).Theadministratormaychoosetosuspendtherecongurationsession,knowingthattheresultingsystemisconsistentandrecongurable.Inthisparticularinstance,theadministratorwouldprobablyprefertousetheRoll-ForwardPolicy(RFP commitalgorithminListing3)becauseisolatedfailuresduringadeploymentusuallydonotjustifytorollbacktheentiredeployment.TheRoll-Forwardpolicyexecutestherecover currentalgo-rithm(Listing2)thataccountsforthefailureoftheTomcatinstanceT1andproducesthefollowingICS:fail(T1).Indeed,propagatingthefailureofT1hasnoeffectssincenocompo-nentswerewiredtoT1atthetimeitfailed. Fig.7.TargetarchitecturewithtwodatabasesThentheRoll-Forwardpolicyexecutestherecover targetalgorithm(Listing3)thataccountsforthefailureofT1inthetargetarchitecture.T1ismarkedasfailed,whichpropagatesinisolatingT1(failedpropagationrule).RemovingmandatorywirestoT1propagatesintostoppingcomponentsdependingonthesewires(unwiredpropagationrule).Ultimately,thisproducesthefollowingICS:stop(A1),unwire(A1,T1),fail(T1),leadingtothetargetarchitecturethatisdepictedinFigure6(b).Committingthisrecoveredtargetarchitectureallowstogetamanagedsystemthatisrunningdespiteapartialfailureduringitsdeployment.Moreover,itisconsistentandthusreadytobereconguredagain.2)SizingScenario:Weconsideraddinganewdatabaseserver(DB2)andbalancingtheTomcatserversoverthetwodatabaseservers,asdepictedinFigure7.BeinggiventhecurrentandtargetarchitecturesofFigure7,ourprotocolcomputesthefollowingApplyDownSetandApplyUpSet:ApplyDownSet-unwire:(T2,DB1)ApplyUpSet-construct:DB2-start:DB2-wire:(T2,DB2)Then,throughpropagationandordering,ourprotocolgen-eratestheICSgivenbelowwhichisalongerICSbecausetheunwire(T2,DB1)propagatesastopoperationonboththeTomcatandApachecomponents.Theyarealsolongerbecauseofthelargerupsettoreachthetargetarchitecture.Indeed,sincetheprotocoljuststoppedaTomcatandanApachethatarenotstoppedinthetargetarchitecture,thedifffortheupphasewillproducetheextrastartoperationsneeded.DownICS-stop:A2,T2-unwire:(T2,DB1)UpICS-construct:DB2-wire:(T2,DB2)-start:DB2,T2,A2Withoutfailure,therecongurationachievessizinguptheclusteredWebserver.Let'snowforcearstfailurethatoccursonthestartonDB2.Therecover currentalgorithmcomputesthefollowingICS:unwire(T2,DB2),fail(DB2). inthispaper,application-specicconstraintsdonotrequiretobeincrementallypreservedduringareconguration,theyonlyneedtobepreservedbythetargetarchitecture.Inotherwords,application-specicconstraintsintendtoshapefunc-tionalarchitectureswhilearchitecturalconstraintsguaranteerecongurablearchitectures.Mostoftheaboveframeworksdidnotpublishanyde-tailsontheirrecongurationprotocol,withthenoticeableexceptionof[21].Theirprotocolordersrecongurationopera-tionsfollowing[17],onlyconsideringoptionalwiresbetweencomponents—achoicethatisconsistentwiththeirunderlyingcomponentplatform[22].Regardingfailures,onlyafewframeworks[13][14][19]publishedaboutfault-tolerance,alladvocatingarollbackstrategybasedontheuseofinverserecongurationoperations;adesignthatonlysupportsasinglefailureperreconguration.[2]discussesfailuresoccurringduringrecoveryandstatesthatitisahardchallengeforautonomicsystems.However,thepaperonlypresentsearlyideas,suggestingthatcomponentdependenciescanbeusedtoplanthepropagationoftheimpactsoffailuresthroughoutacomponentassembly.Thepaperalsosuggeststhatrecoveryshouldbestructuredasaxpoint,butdoesnotgiveanydetails.Inparticular,noalgorithmsaredescribed.TheRAPIDwareproject[28]isanothercomponentframe-workthatsharessimilaritieswithourproposal.Itproposesaformalmodel[18]toverifythatduringandafterrecon-gurations,thesystemremainsincorrectstatesintermsofarchitecturalandbehavioralinvariants.As[19],itproposesarecongurationprocessthathandlesfailuresthatappearatcommittimethroughinverseoperations.Finally,inapriorwork[7],werelatedourvericationexperienceofanearlierversionoftherecongurationpro-tocol.ThefocusofthepaperwastheformalvericationofourprotocolusingtheCADPtoolbox[12],onlybrieyintroducingourprotocolasanexampleofavericationprocessofinteresttothecommunityofformalmethods.Thepaperonlysketchedourprotocol,includingthenotionofICSanditsassociatedorderingalgorithm(depictedinFig4).Incontrast,thepresentedpaperdiscussesthecompleteprotocolatlength,includingitsdetaileddesignanddetailedalgorithms.Inparticular,weacknowledgeforthersttimethenovelorderingofoperationsbasedonfoursteps:architecturaldiff,saturate,order,andapply.Moreover,thispaperalsoreportsonprovingtheprotocolratherthanverifyingit,providingon-linethecompletespecicationinCoq.Finally,thispaperincludesanevaluationoftheprotocol.VIII.CONCLUSIONThispapersummarizedthegrowingconsensusofmod-erncomponentmodelsandthecorrespondingrecongurationcontract:recongurationgrammarandarchitecturalinvariants.ItproposedarecongurationprotocolbasedontheconceptofIncrementallyConsistentSequences(ICS),ensuringthatanyrecongurationincrementallyrespectsthisrecongurationcontract.Theproposedprotocolresistsanynumberoffailuresduringthereconguration,alwaysproducinganarchitecturallyconsistentassemblyofcomponentsthatcanbesafelyintro-spectedandfurtherrecongured.Inthatregards,weproposedtwoadvancedrecoverypolicies,theRoll-BackwardpolicythatrollsbackafailedrecongurationandtheRoll-Forwardpolicythatpushestowardsthedesiredtargetarchitecture,bothpoliciesgoingasfaraspossible,failurepermitting.WefullyspeciedourprotocolandproveditcorrectusingtheCoqproofassistantandweevaluateditscomplexity(linearwithrespecttothecomplexityofthedesiredreconguration).ACKNOWLEDGEMENTSTheworkdescribedinthispaperwaspartiallysupportedbyFSNprojectOpenCloudWare.REFERENCES[1]Coqformalisationandcerticationofthepresentedrecongurationalgorithms,http://sardes.inrialpes.fr/pous/rrca/.[2]N.Arshad,D.Heimbigner,andA.L.Wolf.Dealingwithfailuresduringfailurerecoveryofdistributedsystems.SIGSOFTSoftw.Eng.Notes,30:1–6,May2005.[3]N.Bencomo,P.Grace,C.A.Flores-Cort´es,D.Hughes,andG.S.Blair.Genie:supportingthemodeldrivendevelopmentofreective,component-basedadaptivesystems.InProc.ICSE'08,2008.[4]Y.BertotandP.Cast´eran.InteractiveTheoremProvingandProgramDevelopment.Coq'Art:TheCalculusofInductiveConstructions.TextsinTheoreticalComputerScience.Springer,2004.[5]G.S.Blair,N.Bencomo,andR.B.France.Models@run.time.IEEEComputer,42(10):22–27,2009.[6]SaraBouchenak,FabienneBoyer,BenoitClaudel,NoelDePalma,OlivierGruber,andSylvainSicard.Fromautonomictoself-selfbehaviors:Thejadeexperience.TAAS,6(4):28,2011.[7]F.Boyer,O.Gruber,andG.Salaun.SpecifyingandVerifyingaRobustRecongurationProtocolwithLOTOSNT/CADP.In17thInt.Symp.onFormalMethods(FM'11),2011.[8]E.Bruneton,T.Coupaye,M.Leclercq,V.Qu´ema,andJ.B.Stefani.TheFractalComponentModelanditsSupportinJava.Software–PracticeandExperience(SP&E),36(11-12):1257–1284,September2006.[9]G.Coulson,G.S.Blair,M.Clarke,andN.Parlavantzas.Thedesignofacongurableandrecongurablemiddlewareplatform.DistributedComputing,15(2):109–126,2002.[10]C.Escofer,R.S.Hall,andP.Lalanda.ipojo:anextensibleservice-orientedcomponentframework.InIEEEInt.Conf.onServicesCom-puting(SCC2007),2007.[11]J.Floch,S.Hallsteinsen,E.Stav,F.Eliassen,K.Lund,andE.Gjorven.Usingarchitecturemodelsforruntimeadaptability.Software,IEEE,23(2):62–70,march-april2006.[12]H.Garavel,R.Mateescu,F.Lang,andW.Serwe.CADP2006:AToolboxfortheConstructionandAnalysisofDistributedProcesses.InProc.CAV'07,pages158–162.Springer,2007.[13]J.C.Georgas,A.vanderHoek,andR.N.Taylor.Architecturalruntimecongurationmanagementinsupportofdependableself-adaptivesoft-ware.InWorkshoponArchitectingDependableSystems,WADS'05,2005.[14]A.Gomes,TadeuA.,T.Batista,A.Joolia,andG.Coulson.Architectingdependablesystemsiv.chapterArchitectingdynamicrecongurationindependablesystems,pages237–261.Springer-Verlag,Berlin,Heidel-berg,2007.[15]A.Joolia,T.Batista,G.Coulson,A.Tadeu,andA.Gomes.A.t.a.:Mappingadlspecicationstoanefcientandrecongurableruntimecomponentplatform.InIEEE/IFIPConferenceonSoftwareArchitecture(WICSA'05),2005.[16]J.S.KimandD.Garlan.Analyzingarchitecturalstyles.J.ofSystemsandSoftware,83(7):1216–1235,2010.[17]J.KramerandJ.Magee.Theevolvingphilosophersproblem:Dynamicchangemanagement.IEEETrans.SoftwareEng.,16(11):1293–1306,1990.[18]S.S.KulkarniandK.N.Biyani.Correctnessofcomponent-basedadaptation.In7thInt.Symp.onComponent-BasedSoftwareEngineering(CBSE'04),2004.