The Architect

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

Appearance

Chapter 09: Ghost of the Supernode

August 2004, Redmond, sweltering heat.

That blob of XML mud, forcibly stuffed into the database in Chapter 8 to evade table locks, acted like a tumor, massively draining the application servers' compute power. To support the increasingly bloated business logic and thousands of expensive XML parses, Silas Horn applied for a record-breaking budget from the board and purchased a thousand servers in one go.

GenesisSoft's development team also swelled from dozens to over a hundred people. Everyone was racking their brains, frantically committing code to the application named Hello World.

Finally, the Monolith architecture was completely burst at the seams, both physically and organizationally.

"Every time someone changes a line of code, the whole project takes half an hour to recompile! Yesterday an intern wrote an infinite loop in the 'Comments' module, and it unexpectedly dragged down the threads of the 'Payment' module to death!" the development lead complained despairingly in the War Room.

Simon Li knew the time had come to carve up the behemoth.

He led the first "Great Schism" in GenesisSoft's history. Wielding his blade, he chopped the originally massive monolithic application into forty to fifty small, independent services: User Service, VIP Service, Payment Service, Image Distribution Service...

This was the dawn of early Service-Oriented Architecture (SOA, the prototype of Microservices).

"This looks much cleaner." Silas looked at the dozens of circled, independent modules on the whiteboard. "Now, the VIP team's code will never drag down the Payment team again. But Simon, these fifty services scattered across thousands of machines, how do they know each other's IP addresses? What if a machine breaks and changes to a new IP?"

"They don't need to memorize them." In the exact center of the whiteboard, Simon drew a giant, sparkling crown, and connected all the services to this crown with dashed lines.

"I've introduced a Supernode (Service Registry)."

Simon explained, "This Supernode is like the traffic hub dispatcher for the entire empire. When the 'Payment Service' comes online, it reports to the Supernode: 'I am Payment, my IP is 10.0.5.12'. When the 'Comments Service' wants to call the 'Payment Service', it doesn't look for the destination directly, it asks the Supernode: 'Where is the Payment Service, please?' The Supernode then tells it the correct IP address."

"Brilliant!" Silas praised. "This way we can plug and unplug servers at any time, without ever having to manually modify the tedious IPs in configuration files again!"

This "dynamic highway map" operated perfectly for the first three months after going live. The thousands of micro-services across the network functioned under the Supernode's command like a highly coordinated swarm of bees.

Until that muggy afternoon in August.

2:15 PM, disaster struck without warning.

Simon was holding a glass of iced coffee when an extremely bizarre "click" echoed violently deep in his mind.

It wasn't the roar of an exploding server, nor the howling of a maxed-out CPU. In the world of his Synesthesia, the sound was like the main breaker being suddenly pulled down in a noisy, gigantic opera house.

The music stopped, the lights went out. Absolute deathly stillness.

"Alert! Site-wide TPS dropped to zero in three seconds!" Dave, the Operations Lead, let out a piercing scream. "All businesses are returning 503 errors! Users can't log in! Can't post comments!"

"Hacked again? Or is the database locked up again?!" Silas, who had just fallen asleep on the sofa, bounced straight up in shock.

Enduring the extreme sense of weightlessness brought on by his synesthesia, Simon swept his eyes rapidly over the main monitoring screen. But the sight he saw was ten thousand times more absurd than a database lock-up.

On the big screen, the CPUs of the thousands of servers deploying the micro-services were all comfortably below 1% load, and memory was extremely abundant. The underlying core databases were also in a perfectly healthy, completely idle state.

"There's no hardware problem whatsoever." Dave tapped his keyboard in disbelief. "I just manually pinged the 'Payment Service', it replied instantly! I can even connect to its API directly. It's alive and kicking!"

"If all the services are alive, why won't the webpage open?!" Silas furiously grabbed his own tie.

"Because they've gone blind."

Simon's voice carried a trace of bone-chilling cold. In the high-dimensional vision of his synesthesia, he finally saw this terrifying picture clearly.

Those fifty micro-arrays (microservices) were originally like prosperous islands. But at this moment, the invisible silk threads (addressing routing links) connecting these islands had been brutally, entirely severed. The Comments Service wanted to find the Payment Service, but it simply didn't know its coordinates.

Thousands of healthy processes were trapped in the black boxes of their respective physical memory, screaming each other's names madly into the endless void. But they were like astronauts opening their mouths in space—unable to emit any sound.

Simon locked his gaze dead center on the server room topology map. The crown representing the "Supernode" had now turned an ashen, dead black.

"Check the G-04 rack! The Supernode has lost contact!" Simon issued the command to Dave.

Dave grabbed his walkie-talkie. Two minutes later, the on-site server room inspector sent back a blood-spitting report.

"It was a rat... Simon! A damn rat bit through the power cord of the core switch on the G-04 rack! The two Supernode servers acting as primary-backup redundancy just happened to both be on that rack! They lost power!"

"What?!" Silas almost fainted. "Just because a rat died and two crappy machines that don't process any user data powered down, our thousands of living servers have all turned into mere decorations?!"

"Yes." Simon slumped into his chair, feeling the greatest irony in the entire architectural world.

In this overly clever SOA architecture, Simon had made a classic and fatal mistake: letting the Control Plane kill the Data Plane.

Those microservice clusters (the Data Plane) obviously possessed extremely massive computing power, obviously capable of handling hundreds of thousands of concurrent requests. But just because the "phone book" (the Control Plane Supernode) that recorded their coordinates was burned out, this well-equipped million-strong army instantly turned into a crowd of blind men trampling each other in the dark.

"The controller of the system became the terminator of the system," Simon murmured to himself.

In true distributed theory, this is absolutely forbidden. Once the routing and registration center goes down, the system can "fail to discover new machines", but it must never "forget the old machines it has already contacted."

"Now is not the time for reflection!" Silas roared, interrupting Simon's train of thought. "NASDAQ closes in two hours! Restore the system for me! Get the Supernode rebooted immediately!"

"It's too late!" Dave yelled in panic. "Because the Supernode went down, thousands of microservices are frantically launching retries to find the Supernode at a rate of 10,000 times per second! Even if we power the G-04 rack immediately, the microsecond the Supernode turns on, it will be beaten into a vegetative state by the DDoS triggered by these millions of retry requests! (Historically known as the Thundering Herd effect)"

A deadlock.

Without the Supernode, the microservices cannot work. If the microservices do not stop calling, the Supernode cannot restart.

This was equivalent to the situation where the transportation map of the entire empire existed only in the brain of one person—the "Supernode". Now this person had fainted, and hundreds of millions of people nationwide were crowded around his hospital bed, shaking him violently, making it impossible for him to wake up.

"Forcefully cram the transportation map into everyone's brain."

A flash of violence flashed in Simon's eyes. This was the barbaric solution of an L5 architect backed into a corner.

He typed an extremely wild Shell script on the keyboard.

Since the Supernode couldn't get up, he was going to bypass those paralyzed microservice logics via the operating system's underlying SSH channel.

"Dave, extract that static mapping table (Local Host File) containing the latest IPs of all microservices from last night's local backup!" Simon spoke extremely fast. "I'm going to use SSH to violently push this boring, hard-coded static table directly into the local memory of the operating systems of those five thousand servers!"

Simon was executing a concept: Client-side Local Caching fallback.

A few minutes later, the Enter key was hit hard.

At that moment, although the central "Supernode" remained in a state of death, a yellowing "old map" suddenly appeared inside the local black boxes of the five thousand microservices.

The Comments Service no longer asked the Supernode for help; it looked up the Payment Service's coordinates from ten hours ago directly in its own mind (local cache), and tentatively sent out a probe packet.

In the synesthesia vision, the broken silk threads began to reconnect. Although this map was extremely outdated, although if a server crashed now they wouldn't be able to detect it, at this moment, the blind men finally touched each other's hands.

The TPS weakly pulse from 0, like an ECG recovering, jumping to five hundred, one thousand, thirty thousand!

The empire revived. Not relying on the Emperor (the central node), but relying on old maps printed and distributed to the entire army.

Cheers of surviving a disaster erupted in the War Room. Silas collapsed directly onto the floor, panting heavily.

Only Simon remained staring fixedly at the monitoring screens, a cold, bitter smile playing at the corners of his mouth.

In the far-off night sky, the high-dimensional probe was silently writing all these parameters into the interstellar logs. Earhlings were trying to master distributed systems. But they were extremely naïve.

Simon realized that the so-called "Supernode" was essentially a Single Point of Failure (SPOF) possessing absolute power.

In future architectures, the secret of "knowing where everyone is" absolutely could not belong to just one person. It had to be radically democratized. There must be a group of nodes distributed across different physical server rooms, co-maintaining this imperial transportation map through some extremely rigorous mathematical voting mechanism. Even if a few nodes were burned by fire, the surviving nodes could still piece together the truth.

That was the call for future distributed consensus algorithms (like the predecessors of Paxos / ZooKeeper).

But before that, Simon had to face the ultimate punishment dealt by the laws of physics on centralized architecture. The death knell of Volume I was about to strike its heaviest blow in Chapter 10. All software tricks would instantly turn to ashes in the face of an irresistible physical power outage.

Architecture Decision Record (ADR) & Post-Mortem

Document ID: PM-2004-08-20 Incident Tier: SEV-0 (Disintegration of Global Transaction Network) Lead: Simon Li (Senior SDE)

1. Incident Phenomenon (What happened?) A rat in the server room bit through the power of a rack, causing two servers acting as the "microservice registration center (Supernode)" to turn off unexpectedly. Thousands of underlying business microservices with 100% health instantly fell into "snow blindness", unable to address each other, dropping network-wide TPS to zero.

2. 5 Whys Root Cause Analysis (Root Cause)

  • Why 1: Why did all requests fail? Because all microservices were unable to resolve the IP addresses of upstream services.
  • Why 2: Why couldn't they resolve IPs? Because their sole addressing dependency—the central Supernode (Service Registry)—went offline.
  • Why 3: Why did the entire system crash when the central node went offline? Because microservice callers (Clients) did not implement a Local Cache mechanism for service addresses locally. Every request strongly relied on real-time feedback from the control node.
  • Why 4: Why does the Data Plane stop working when the Control Plane dies? This is an extremely fatal design flaw: the availability of the Control Plane (responsible for management and routing) should never become blocks the Data Plane (the part that actually processes user traffic).
  • Why 5: Why did the Supernodes lose power simultaneously? The primary and backup nodes were deployed horizontally on the same physical rack or powered by the same switch, lacking deployment isolation of "Anti-affinity" in the physical topology.

3. Solutions & Architecture Decisions (Action Items & ADR)

  • Workaround: Wrote a script to violently push the service address mapping table as static files (Hosts) into the local operating systems of all microservices, forcibly bypassing the Supernode to restore internal communication.
  • Long-term Fix:
    • ADR-009: The Data Plane is forbidden from strongly depending on the Control Plane. Introduce Fat Client caching mechanisms.
    • All microservice callers (Consumers) must cache the most recently successfully acquired service routing table in local memory. When the registration center crashes, services must continue flying blind based on "muscle memory (local stale cache fallback)", ensuring the static stability of the existing topology.
    • Eliminate the single Supernode: Initiate pre-research on decentralized service discovery protocols. Control nodes must be dispersed across different physical racks, relying on election mechanisms to maintain state consistency.

4. Blast Radius & Trade-offs Microservices (SOA), while dividing computational pressure, created a massive and fragile web of interdependencies. Due to the introduction of a centralized service registration mechanism, the blast radius of 50 small modules that could potentially fail independently was reversely consolidated into 100%. As long as the hub is paralyzed, no matter how strong the decentralized computing power is, it's just a pile of loose sand.

Architect's Note: Bridging Past and Present System Design

1. The Biggest Minefield in Microservices: Control Plane Murdering the Data Plane In modern cloud-native and microservice architectures, one of the most critical concepts is the physical isolation between the "Control Plane" and the "Data Plane".

  • Control Plane: is the "General Staff" of the system, like the Supernode in this chapter, or modern counterparts like the APIServer managing a Kubernetes cluster, or Istio's Pilot. They are responsible for issuing orders, telling microservices where to find people and how to route.
  • Data Plane: are the "soldiers" doing the work, like users' business code, Nginx proxies, or Envoy sidecars. They are responsible for the actual HTTP data transportation. The top architectural iron rule is: If the General Staff is blown up, the frontline soldiers must never stop shooting. In other words, if the service registration center (like Consul/Nacos) crashes, or if the Kubernetes Master node dies, the existing calls between your business microservices must absolutely not be interrupted because of it. They must continue to run relying on snapshots cached at the memory layer (Static Stability); at worst, they "cannot discover new machines," but they cannot "lose existing memory." What Simon Li encountered back then was exactly a textbook-level disaster violating this iron rule.

2. From Fragile Single Points to Highly Available Distributed Registration Centers (ZooKeeper / etcd) Simon realized that "one Supernode holding the global map" was extremely dangerous. This exact realization was the dawn of all modern distributed coordination components. In major companies today, a single machine is never used as a service registration center. We introduce ZooKeeper, etcd, or Consul. The core soul of these components is based on Distributed Consensus Algorithms (like Paxos or Raft): They are usually deployed with 3 or 5 machines, dispersed across different racks or even server rooms. Only when over half of the nodes (a Quorum) are alive and reach a consensus can this "imperial transportation map" be modified. If a rat dies biting off one machine's network cable, the remaining 4 machines will instantly detect it, elect a new leader (Leader Election), and stabilize the empire's communication within milliseconds. Eliminating the central single point and locking consensus with mathematical algorithms—this is the ultimate stepping stone into the distributed chapters of Volume II.