The Architect

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

Appearance

Volume 2: The Distributed Hairball

Core Theme: Splitting brought the nightmare of web-like dependencies, and uncontrollable cascading failures forced the protagonist to seek true isolation cells (Cells). Time Span: 2005 - 2014

Chapter 11: The Zombie Horses of a Superstar

2008, Redmond. Big Tech's "Dogfooding".

Ever since the fire that burned down the Silicon Valley data center (Chapter 10), GenesisSoft embarked on the long and grueling journey of evolving towards a distributed architecture. But in this process, they fell into the most notorious traditional political quagmire of large Silicon Valley tech giants—"Dogfooding".

By this time, Silas Horn had been promoted to Vice President (VP). Not only did he control the consumer-facing (C-end) Hello World social business, but he also highly coveted the extremely lucrative "Wall Street enterprise and government market."

In order to pitch the company's self-developed enterprise middleware to those old-school financial institutions, Silas issued a cold, absolute order: The C-end Hello World, which had already been split into dozens of modules, must fully integrate with the heavyweight product that the Enterprise Division spent 30 million dollars building—the Genesis Enterprise Service Bus (Genesis ESB).

This meant making the most profitable C-end business act as a live "guinea pig" for their own B-end (business-facing) middleware.

In the War Room, the atmosphere was highly tense.

"We don't need this monster!" Simon Li pointed at the 3D architecture diagram of the ESB on the big screen, emblazoned with GenesisSoft's four-color logo, his eyes cold. "Four years ago (Chapter 9), we suffered a massive loss on a 'super node'! The center providing IP addresses died, and the entire network was paralyzed! Since then, all microservices cache IP routing locally on each machine. We have decentralized the Control Plane, so why do you now want to stuff a behemoth into the Data Plane?!"

An enterprise-level architect beside him adjusted his glasses and arrogantly retorted: "Simon, that super node four years ago was just a 'phone book' for looking up IPs. But Genesis ESB is an incredibly intelligent 'simultaneous interpreter and customs officer'! Your dozens of C-end modules won't need to parse each other's data themselves. You just package the data into highly compliant SOAP XML containing hundreds of namespaces and send it to the bus, and the bus will automatically help you intercept attacks, translate formats, and deliver it accurately. This is the centralized security that Wall Street loves most!"

"That's Wall Street's snail-paced network!" Simon slammed his hand onto the holographic projection screen. "When the phone book went down, services could still bravely communicate requests based on local caches (Chapter 9 rule). But if you set up this 'customs toll booth' that has to inspect every single piece of luggage on the physical channel where all microservices talk to each other, the moment it dies, or if it can't parse fast enough, the entire empire won't be able to transmit even a single byte of data!"

"Simon, this is the board's strategy," Silas interrupted him coldly. "We must prove GenesisSoft's enterprise-grade load-bearing capacity to Wall Street. Integrate it. That is an order."

Two months later, 3:00 AM on the eve of Black Friday.

The arrogance of the tech giant was dealt a harsh slap out of reality by the laws of physics.

The cause of the disaster was absurdly simple: A new junior programmer, to meet a marketing department requirement, quietly added four deeply nested business tags into the already incredibly long, foot-binding-like SOAP XML protocol of the "Post Recommendation Service."

The new code was rolled out in a canary release. When the massive influx of complex XML containing the new tags poured into the centralized Genesis ESB, Simon Li jolted awake from his sleep.

In his world of Synesthesia, that golden central bus didn't look like a highway at all. Instead, it looked like a massively bloated stomach convulsing in agony.

Faced with unknown nesting levels of XML, the rigid enterprise-grade ESB, to ensure absolute data compliance, initiated deep recursive backtracking of regular expressions!

"Alert! The bus CPU is instantly locked at 100% due to an XML parsing storm engine overload!" The on-call engineer's scream pierced the night sky.

"System initiating Full GC (Garbage Collection)! The ESB's TCP buffers are completely jammed due to Backpressure!"

Snap. A terrifying silence. The golden central node on the big screen collapsed.

The fifty-plus business services that had been processing posts and chats for tens of millions of users just a second ago were instantly blinded, trapped as if in a bomb shelter. All their external requests were entirely blocked at the entrance of the ESB's giant stomach.

The entire network's throughput plummeted to zero within five seconds.

"To hell with enterprise compliance! To hell with dogfooding!" Simon rushed into the War Room in his pajamas, shoved aside the panicked on-call engineer, and forced his way into the cluster substrate using his supreme override command as an L6 Architect.

"What are you doing?!" Silas roared over the phone. "The Enterprise Division will send you to the internal tribunal!"

"If establishing a dictatorial translator in the center of the network only brings total site annihilation, then we completely shatter it!" Simon's eyes were bloodshot as he frantically typed on the keyboard.

"All split services! Immediately abandon that disgusting, compute-heavy internal XML protocol! Bypass the central bus completely and execute via side channels!" Simon turned around and wrote fiercely on the whiteboard with a red marker—a core philosophy that would completely dominate the internet microservices industry for the next decade:

Smart Endpoints and Dumb Pipes.

"Let services communicate directly using the lowest-level HTTP protocol! Pass all data in the simplest plain text (JSON)! The network pipes are only responsible for carrying bytes; whoever receives the data uses their own CPU to parse it! Take responsibility for yourselves!"

That night was one of agonizing beauty. GenesisSoft engineers wrote routing scripts overnight, brutally ripping the heavy ESB out of the C-end architecture.

After shedding the heavy baggage of the central bus and switching to lightweight JSON, the reconnected microservices, entirely freed from layers of translation and interception in the middle, saw their call speeds explode tenfold. The system was as if stripped of hundreds of pounds of lead weights, officially ushering in the lightning-fast era of pure Microservices.

Two years later. Valentine's Day, 2010.

The fully microservice-oriented, extremely agile Hello World had evolved into a social behemoth with terrifying throughput. To handle high-concurrency queries, Simon Li placed a memory fortress with extreme throughput capacity in front of the fragile relational database (MySQL)—the Redis distributed cache cluster.

"Simon, our system is astonishingly fast right now. As long as any hot data is read once, it stays in Redis. Whether ten million or a hundred million people hit it next, they are instantly returned via the ultra-fast HTTP channel, completely bypassing the slow underlying database," Dave said smugly, holding his coffee.

"Yes, agile pipes coupled with ultra-fast memory—that is the charm of having no central node," Simon nodded.

At 1:00 PM, pop superstar Lady Gaga posted a selfie containing exactly 11 characters. "Hello World, my little monsters."

The entire internet practically exploded. Over three million fanatical fans swarmed in instantly, frantically refreshing the page hundreds of thousands of times per second, trying to grab the top comment spots.

In the network channels devoid of central bus congestion, the millions of concurrent hits charged unobstructed, smashing directly into the Redis cache tier. The cache layer perfectly absorbed the impact; the underlying MySQL was like it was fast asleep, its CPU load lazily resting at 5%.

The War Room even popped a bottle of champagne. Right up until 11:59:59 PM.

Simon's stomach suddenly contracted with catastrophic, unprovoked agony. This wasn't the suffocation of network congestion; it was a very real, physical sensation of trampling. It was as if ten million completely unbridled zombie horses instantly shattered a glass explosion-proof door without any resistance, rolling over an undefended slum.

"Alert!! The underlying core MySQL primary database has crashed!!" the on-call DBA roared frantically, spilling half a glass of champagne all over the console.

"What?!" Dave lunged at the keyboard. "How could MySQL have any traffic?! Wasn't all the traffic blocked by the Redis layer above?!"

"It's gone!" The DBA stared desperately at the big screen. "The primary database's active connection count was drained in 0.01 seconds! The CPU spiked straight to 100% and is completely deadlocked at this very moment! Our most critical user primary DB was insta-killed!"

Total network outage. Hundreds of millions of regular users dropped offline collectively due to this sudden lock-up at the bottom layer.

Simon felt a heavy blow to his heart. This was the terrifying backlash of microservices abandoning central control. They were light, agile, and lightning-fast. But once that bulletproof vest (the cache) ruptured, this lightning-fast concurrency transformed into the deadliest blade, stabbing the underlying heart full of holes in a single millisecond.

"Did Redis crash? Why couldn't it block the traffic?" Simon's brain worked furiously, teeth gritted.

"N... no! Redis is still more than half idle!" Dave's voice trembled. "But... just a second ago, the hot memory key for Gaga's post that caused the ten-million-hit tsunami... vanished into thin air!"

Cache Stampede!

A flash of realization hit Simon like lightning. "What was the TTL (Time-To-Live) on that post?"

A pale young engineer from the development team nearby stammered, "It's... to prevent old data from staying resident, it's hardcoded by default. When any dynamic post is stored in Redis, its life countdown is precisely set to 12 hours. Once the time is up, the system automatically expires and deletes it..."

The truth was absurdly cold.

Twelve hours ago, Gaga posted. Millions of fans started frantically refreshing. Every ultra-fast API call smashed against the safe bulletproof glass. Twelve hours later, midnight sharp. The incredibly ruthless high-dimensional physics clock, like a merciless mole, pushed the "invalidate" button right on time.

The system removed its own bulletproof glass.

In that extremely fatal millisecond, there were one hundred thousand highly concurrent requests—which had no choke-valve queuing mechanism because the ESB was stripped away—arriving at their respective microservice layers simultaneously.

These one hundred thousand unacquainted thread codes found the cache empty (Cache Miss). According to the logical Cache-Aside pattern, if there's a miss, they are supposed to bypass the cache and dive down to the bottom layer to fetch the truth.

And so, one hundred thousand agile "sentinels" swarmed the slow MySQL, launching highly expensive, identical, concurrent full-table queries without any restraint!

A hundred thousand concurrent requests! No one intercepting in the middle, no one lining up for tickets! The whole network went down, simply because an 11-character cache expired.

A cleanup mechanism initially meant to keep data fresh was amplified into a nuclear bomb that leveled the server room under this wildly running microservice volume.

"Quick! Restart the primary database! Hurry up and write a forced script to inject that damn post back into Redis!" Dave prepared to pull the main breaker.

"Don't touch it!" Simon grabbed Dave's wrist, his eyes burning. "Because there's no central bus, all the traffic is sitting at the various gateway endpoints with mouths wide open. The moment you restart and restore communication, these hundreds of thousands of un-timed-out waiting threads will pounce again like zombies! It'll crash on boot, a total infinite loop!"

This was the deepest despair in the distributed hairball. When you grant nodes infinite freedom, and when the herd falls into a fanatical stampede, no one on the outside can stop them anymore.

"Since there is no central empire to maintain order, we must use the most primitive chain to weld them shut from inside the code."

Simon opened the entry gateway code where the whole network pulled data, accessing the highest-privilege terminal. In this extremely critical junction, he forcibly embedded an incredibly ancient, almost savage memory logic from the OS base layer—the Mutex Lock.

This was the prototype of the ancient divine weapon that would later save countless Silicon Valley tech giants from the brink of disaster—Singleflight.

A minute later, the microservice code containing the blockade restriction was deployed to all stateless containers on the front line.

Simon took a deep breath. "Open the primary DB connections."

As the primary DB switch was flipped, a new wave of a hundred-thousand-scale flood, generated by furious users furiously clicking, crashed into all the microservices at the application layer once again. As expected, before the glass was restored, they found the cache still empty.

The first "horse" (Request No. 1) arrived. It extremely smartly applied to the cluster for a "unique voucher lock" engraved with that post's ID. It got the key and leisurely walked into the bottom channel to execute a slow query taking tens of milliseconds.

Within those few tens of milliseconds, the remaining 99,999 frenzied requests arrived roaring. They too wanted to enter the channel and crush the primary DB.

"Bang!"

The hundred-thousand-scale high-speed micro-calls hit a cold, digital iron door built by Simon's code in unison. The Singleflight mechanism ruthlessly told them: "Sorry, the only key named 'Fetch data from the database' was taken by your big brother in the very first second. He's already down there running the errand for the whole village. So right now, except for him, the remaining 99,999 processes—all of you, stay in your memory slots, shut up, and Wait!"

A miracle descended. The ten-million-scale stampede event that tried to tear the database alive a second ago was collectively paused at every endpoint.

Facing a massive hundred-thousand-scale tsunami capable of destroying a city, what was the actual troop pressure felt by the underlying MySQL primary DB? It was pitifully: 1.

Fifty milliseconds later, the first request walked out holding the piping hot underlying data, casually placing it in the Redis lobby. Then, with a click, it unlocked that suspending lock for the whole village in memory.

Those sheep that had been held back, flushed red outside the iron door, instantly revived! They realized they didn't even need to line up for the primary DB anymore. With extreme joy, they copied the data directly from the Redis lobby and instantly returned it to the tens of millions of anxiously refreshing netizens.

A disaster capable of a chain reaction that could destroy the entire server room was forcibly reduced to a lightweight O(1) operation.

"It's alive... the green curve is bouncing back!" Dave collapsed weakly into his swivel chair, completely drenched in sweat. "TPS breaking all-time highs."

"An incredibly thrilling defense battle, Simon," Silas, on a business trip in New York, heard the news of victory and once again restored his merchant's arrogance. "It seems whether it's splitting services or adding locks to suspend them, as long as we know how to combine them, this is our silver bullet for running rampant."

Simon straightened his back, staring at the big screen where countless glowing lines of microservices were forced to connect tightly and suspend, waiting for each other because of the "Mutex."

"Silas, there are no silver bullets in this world. This is just the most expensive form of drinking poison to quench thirst," Simon's voice revealed a bone-chilling cold. "We abandoned the fatal weakness of the center in exchange for the absolute speed of across the network. Today, to prevent the system from being trampled to death by this absolute speed, we were forced to create cross-suspensions in memory at the endpoints."

"When these selfish little endpoints multiply, when mutexes and waits weave into a massive, impenetrable web..." Simon paused, a flash of despair in his eyes, "Their obsession with pinching each other will eventually trap and kill this entire colossal body."

In this highly free yet trap-laden swamp, when microservices attempt to cross cities or even oceans— A "despair pathogen" capable of tearing apart physical space and causing the left and right hemispheres of the entire empire's brain to slaughter each other (Network Partition and Split-Brain) was poised to strike violently in the next physical fault line.

Architecture Decision Record (ADR) & Post-Mortem

Document ID: PM-2010-02-14 Incident Level: SEV-1 (ESB outage and primary DB brief stampede cascade alert) Lead: Simon Li (Principal Engineer)

1. What happened? This post-mortem covers two major architectural selection crises spanning two years. First, to implement "non-internet" standards, we introduced a centralized ESB (Enterprise Service Bus). This led to an OOM outage due to regex backtracking when facing deeply nested, malformed XML, paralyzing the entire network. Second, two years after discarding the ESB to embrace pure, decentralized microservices, although the system was incredibly fast, a hot key from a celebrity triggered a precise TTL expiration, unleashing a massive Cache Stampede. Devoid of any centralized throttling or queuing, hundreds of thousands of high-frequency micro-concurrent queries momentarily crushed the connection pool of the underlying primary database.

2. 5 Whys Root Cause Analysis

  • Why 1: Why was the death of the core single point different this time from the super node in Chapter 9? The center in Chapter 9 was the Control Plane (only responsible for distributing IP coordinates); losing the map made us blind, but thanks to memory shadows (caches), we barely survived. This time, the ESB was the Data Plane central interceptor; it was the customs toll booth handling all actual transmission and parsing. Once it OOMed out of heavy XML payload, it killed the physical transmission links entirely, resulting in a much more fatal blast radius.
  • Why 2: After abandoning the bus for disorderly extreme speed, why was the database instantly shattered? Having lost the central hub (the ESB, though slow, naturally acted as a queuing block and rate limiter), all the concurrency thrust directly to the bottom layer like tens of millions of unsheathed blades.
  • Why 3: Why didn't the cache block the blades? Because that crucial riot shield (the Redis hot key) automatically expired at an extremely unlucky yet perfectly rule-compliant timestamp (TTL=12h). The stateless requests faced a vacuum period of "Cache Miss".
  • Why 4: Why did the system go into a complete avalanche deadlock over a brief vacuum period? In a microservice network lacking global awareness and coordinated constraints, the one hundred thousand instances that discovered the miss all made the same stupid decision: concurrently hitting the extremely slow relational DB, causing a catastrophic scramble for resource contention at an $O(N)$ level.

3. Action Items & Architecture Decision Record (ADR)

  • ADR-011A: Purge the massive SOA central gateway overload, delegate power to the endpoints. Abolish the expensive and bloated centralized SOAP translation and business logic processing. Strictly implement "Smart Endpoints, Dumb Pipes". Return to the lightest HTTP/JSON, untie the single-point restrictions, and push all business validation logic down to the various split endpoints for self-digestion.
  • ADR-011B: Use locks as a boundary against stampedes—Implement Singleflight. As compensation for abandoning the central queuing mechanism, we must impose application-layer fine-grained Mutexes targeting all hot entry points that trigger a Cache Miss, aligning them via Identifiers. Force all instantaneous flood peaks into a model where "only one person is let through, and the rest are suspended in safe memory waiting for the first flier's resulting copy." Forcibly capping the damage coefficient to the deepest part of the system at exactly $1$.

4. Blast Radius & Trade-offs To escape the traditional heavy SOA where "one node dies, the whole family ascends," we embraced the distributed hairball of microservices. But the extreme freedom of a parallel architecture left us exposed to horrifying trampling at the data source. The Mutex suspension solution we eventually had to adopt, while saving the ultimate foundation (keeping MySQL from being crushed), has planted a severe hidden danger: hundreds and thousands of "suspended zombie processes" that could devour and exhaust the native memory of the endpoints themselves under ultra-high concurrency. The web of microservices is becoming incredibly entangled and complex.

Architect's Note: Bridging Past and Present System Design

1. "Service Registry" and "Service Bus" are two different things This is the pitfall modern junior to mid-level programmers most easily fall into when facing system upgrades. Some architects love stuffing various middleware into a system. The node that died because a rat chewed the wire in Chapter 9 is called a Service Registry (like today's Nacos/Consul/ZooKeeper). It is a directory system, only responsible for dispatching routes, so when it dies, "the microservices barely survive for a few minutes on instinct by checking the yellow pages." But in this chapter, Silas bought an ESB (Enterprise Service Bus, represented by old-school BizTalk or Mule). It is a central traffic hub and chief translator. Not only does it take over routing, but it also unpacks your data. Big Tech realized that the moment the payload contains nested logic, the regex CPU consumption will crash the bus, and when it dies, the entire channel dies. Thus, modern microservices have entirely abandoned it, marching toward the ultimate revolution of end-to-end decoupled communication.

2. The Three Musketeers of Distributed Caching (System Design Purgatory) The thrilling defensive battle in the latter half of this chapter is the exact prototype of the classic triple-kill that top-tier internet companies can never avoid:

  • Cache Avalanche: A massive batch of data is set with the exact same expiration time (e.g., midnight today). The moment midnight strikes, the dam vanishes, and countless monsters of different classes rush into the primary DB.
  • Cache Penetration: Hackers attack a user ID that definitely doesn't exist. Because there's no such data, we couldn't possibly cache it either. As a result, every request continuously penetrates straight through and hits vulnerable parts of the database. (Defense: Store a fake data like ID=NULL directly in Redis, or use a Bloom Filter).
  • Cache Stampede (Hot Key Failure): The real culprit in this chapter. Millions of people line up to snap up or refresh a superstar. The very microsecond that superstar's Key expires. Tens of thousands of minions of a single type converge on one point and instantly puncture the primary DB's main artery.

3. "Singleflight" — The Breastplate of the Concurrency Era The technique Simon Li uses at the end of the chapter—using hard logic to pin the redundant crowd to their seats in a wildly running, centerless network—is precisely the built-in defensive divine skill in all sorts of modern cloud-native, high-concurrency frameworks—such as the official Go package golang.org/x/sync/singleflight. Its underlying philosophy is exquisitely beautiful: Since the database can't handle it, why let ten thousand of you fetch the exact same data? Send your big boss to do the grunt work, fetch it once, and build the cache; the remaining 99,999 of you stay put right there in memory (Block). Trading a 50-millisecond block for an un-melted main engine is the delicate balance found in extreme architecture.