The Architect

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

Appearance

Volume 2: The Distributed Hairball

Core Theme: Splitting the system brought forth the nightmare of a web-like dependency; uncontrollable cascading failures forced the protagonist to look for true, isolated compartments (Cells). Time Span: 2005 - 2014

Chapter 12: The Ruthless Backhoe and the Split-Brain

May 2012. Kansas, Central United States. A roaring Komatsu backhoe.

Ever since the 2004 Silicon Valley macro-blackout (Chapter 10) burned GenesisSoft's heart to ash, Silas Horn had developed severe post-traumatic stress disorder (PTSD) regarding "physical single points of failure."

To guarantee Wall Street that Hello World would remain online forever, Silas approved a massive budget to build a giant data center of the exact same scale on the East Coast, in Ashburn, Virginia (the largest data center hub in the US).

"If California sinks into the Pacific," Silas spat as he addressed countless investors at the annual conference, "the East Coast data center will take over all traffic within a single second! This is the world's greatest Active-Active/Master-Master cross-region disaster recovery!"

The architecture sounded unbelievably sexy. The California data center and the Virginia data center were separated by nearly 4,000 kilometers of the North American continent. Each of these two data centers possessed its own independent microservice gateways and primary database nodes. When a user on the West Coast posted something, the data was written in California; when an East Coast user liked a post, the data was written in Virginia. Then, these two massive databases engaged in frantic Bidirectional Replication in mere milliseconds, via a dedicated, hyper-speed underground fiber optic line spanning the United States.

In Simon Li's synesthesia vision, these two data centers, thousands of miles apart, appeared like the left and right hemispheres of a human brain. That high-speed optical fiber traversing the continent was the corpus callosum connecting the two hemispheres. Through this thick, luminescent nerve, the left and right brains shared a common memory.

Yet, to Simon, this architecture that Silas praised to the heavens exuded an incredibly bizarre and dangerous aura.

"You are letting two emperors, separated by four thousand kilometers, simultaneously share absolute processing power over this continent," Simon had warned Silas. "As long as that fiber optic cable is intact and they can still pass messages to each other, the empire will remain in peace. But what if one day they can no longer hear each other's heartbeat?"

"Impossible," Silas waved a hand dismissively. "That is Level 3 Communications' highest grade, military-level backbone fiber! It's buried three meters underground!"

The laws of physics, however, specialize in humbling arrogance.

May 14, 2012, 2:00 PM (PST). Redmond War Room.

Kansas, an obscure small town. A careless backhoe operator for an outsourced construction crew, attempting to lay down a sewer pipe, dug his bucket ruthlessly into the earth.

Snap. Accompanied by a deeply muffled sound of physical severance, that 144-core, military-grade backbone fiber—carrying 20% of North America's cross-continent internet traffic—was cut clean in two.

Ten thousand miles away in Redmond, the giant screen in the War Room split down the middle without any warning.

Ear-piercing sirens drowned out all conversation.

"What happened?!" Silas, taking a sip of water, nearly choked.

"The database in the California data center is reporting that they've completely lost the Heartbeat of the Virginia data center!" Dave, the Director of Operations, hammered away at his keyboard, staring at a screen filled with red Timeout errors. "California's monitoring system has determined that the East Coast Virginia cluster... has entirely gone down!"

"What about the monitoring in Virginia?!"

"Wait... I'm connecting to Virginia via the satellite backup link," Dave's face turned deathly pale. "Virginia's monitoring system is reporting... a loss of California's heartbeat! Virginia has determined that the West Coast California cluster... has entirely gone down!"

A dead silence fell over the War Room.

Simon Li closed his eyes. An indescribable tearing sensation struck the crown of his head. In his synesthetic vision, the thick "corpus callosum" connecting the middle of that colossal, semi-transparent digital brain had been savagely severed with a single slice.

The most terrifying scenario had just unfolded. The brain's left hemisphere (California) and right hemisphere (Virginia) were both still very much alive and healthy. But, they couldn't hear each other's heartbeats anymore.

This was the most dreaded nightmare in distributed systems—a Network Partition.

"Initiate the Auto-Failover mechanism!" Silas reacted extremely fast. This incredibly expensive script was designed precisely to handle the death of one side.

"It's... it's already automatically initiated..." Dave's voice was shaking.

"Great!" Silas breathed a sigh of relief. "Since California thinks Virginia is dead, California should take over all the network traffic; Virginia will do the same. We won't experience even a single second of downtime, right?"

"You idiot!!!"

Simon snapped his eyes open and slammed his fist onto the main console, nearly shattering the keyboard, his eyes bloodshot with rage.

"Don't you get it?! California thinks Virginia is dead, so California's code forced itself to become the sole Primary node for the entire network! It is unconditionally accepting write requests from all users within its perimeter!" Simon pointed at the data streams on the big screen representing Virginia. "But Virginia also thinks California is dead! Virginia's code also promoted itself to the sole Primary, and it's frantically accepting write requests from East Coast users!"

Simon's voice echoed with bone-chilling coldness through the massive War Room. "These two data centers, both currently alive, have completely lost communication. They are altering data completely independently of each other! This is schizophrenia! This is—Split-Brain!"

Silas froze. "Split-Brain... what does that do?"

"It creates two mutually incompatible parallel universes."

Simon pointed at a real user's data on the monitoring dashboard.

"Look at this user, his name is Bob. He currently has 100 dollars in his account. A minute ago, Bob in New York (connected to the Virginia data center) used that 100 dollars to buy a monthly game subscription. Because the fiber in the middle is cut, the Virginia data center deduced his balance down to 0. But this deduction record cannot be synced to the California data center. Right now, Bob in the California data center still has a balance of $100. Even worse, Bob's wife in Los Angeles (connected to the California data center) just logged into the same account and withdrew that $100 in cash! The California data center also deducted the balance to 0!"

Because in these two completely isolated parallel universes, they both maintained full Availability; they both determined that their recent transactions were completely legal!

"The moment the fiber is repaired..." Simon turned his head, looking at Silas, whose face was completely drained of color. "The two universes will be stitched back together. When California tries to send the withdrawal record to Virginia, and Virginia tries to send the purchase record to California... where did that 100 dollars actually go? Who is right? Who is wrong?"

Silas was plunged into an icy abyss.

In the monolithic era, even if a database deadlocked, it would never lie. But now, in the system's pursuit of "zero downtime" Availability (A), at the exact moment the physical fiber broke (P), it stabbed the most sacred system Consistency (C) fatally in the back.

It lied. It created a million conflicting dirty records.

Four hours later. The engineering crew in Kansas, dripping in cold sweat, spliced the severed fiber optic cable back together. Cross-continent communication in North America was restored. The exact microsecond bidirectional synchronization reconnected.

The alarms did not clear. Instead, they erupted into an unprecedented, agonizing shriek!

"Conflict! Fatal data conflict!" the DBA practically cried out. "Unique Key Violations! Balances dropping into the negative! Because the bidirectional sync threads encountered 1.5 million dirty records that couldn't be merged, the underlying synchronization engine declared itself broken and has completely Halted!"

"How could this ever be stitched back together?" Simon stared at the screen filled with crimson error messages. That schizophrenic brain was forcefully stitched up, but the left and right hemispheres had completely different memories of the past four hours. The system had fallen into a state far more terrifying than a pure outage—an untrustable dirty state.

Because they didn't want to lose four hours of revenue, they traded it for 1.5 million dirty records that required human eyes to manually verify which was real and which was fake. The finance and customer service departments would face a living hell for the next three months.

A deathly stillness, like being at a funeral, permeated the War Room.

"There is no software that can defend against this, is there?" Silas slumped defeatedly onto the sofa.

"No. Because you were trying to defeat physics with mathematics." Simon walked up to the whiteboard and coldly wrote down three massive English letters: C, A, P.

This was the meat grinder that would later be formalized by Eric Brewer at UC Berkeley, the theorem that drove countless distributed engineers to despair—the CAP Theorem.

"C, Consistency. The consistency of data." "A, Availability. The availability of the service." "P, Partition Tolerance. Tolerance to network partitioning (which means the fiber breaking)."

Simon slammed his marker against the whiteboard. "In a distributed system, P (the network cable breaking) is an uncontrollable objective physical fact! As long as your data centers span across physical space, the cables will inevitably be bitten by rats, severed by backhoes, or burned out in fiber switches."

"When P happens, the system is sliced in two. You can only choose one, and exactly one, between C and A!"

Simon pointed at Silas. "Just now, you chose A (Availability). You let two disconnected data centers continue serving customers. The result? You completely lost C (Consistency). A million schizophrenic, conflicting data entries were generated across the network. The subsequent cost of cleaning up that dirty data will bankrupt you!"

Silas swallowed hard. "Then what if... what if we wanted to preserve C (Consistency) back then?"

"Then the sacrifice you make would be equally brutal." Simon's gaze was as sharp as a knife. "If you want to keep the data absolutely consistent, the moment the fiber breaks, the systems on both sides must instantly and agonizingly kill themselves. They must refuse all modification requests from all users in the United States (sacrificing A, becoming unavailable) until the fiber is fixed."

Either embrace dirty data (Split-Brain), or embrace a massive outage.

"Is there no third path in this distributed swamp?" Silas pulled at his hair in despair. "Must we face this lose-lose scenario every time a network cable breaks?"

"There is."

Simon turned back to the whiteboard. He erased the two dots representing the "West Coast" and "East Coast". Then, right in the center of the whiteboard, he drew a third dot.

"A vote between two people will always result in a 1:1 tie. That is the physical root cause of Split-Brain." "To defeat schizophrenia," a fanatic passion for ultimate architecture burned in Simon's eyes, "we must grant this distributed empire true democracy."

"Odd numbers, a Quorum, and the most primitive separation of powers."

Only by introducing a third observer (even if it stores no data and only has voting rights) could they solve this. When the cable breaks, only the data center that can ping this "third party" and secure [2 votes] (a majority quorum) is deemed the legitimate Primary node. The data center that unfortunately becomes an isolated island (holding only 1 vote) will be forcibly stripped of its write permissions under the unbreakable laws of mathematics, and must tragically "off itself."

This was exactly the dawn of the ultimate solution for Volume 2, the prelude to the great consensus algorithms of the future (like Paxos/Raft).

Architecture Decision Record (ADR) & Post-Mortem

Document ID: PM-2012-05-14 Severity: SEV-0 (Cross-region cluster split-brain, leading to massive dirty data and reconciliation disaster) Lead: Simon Li (Principal Engineer)

1. What Happened? A construction crew severed the main physical backbone fiber connecting the West Coast and East Coast Active-Active data centers. This caused the two Primary clusters, previously in bidirectional sync, to lose heartbeat awareness of each other. The cluster degradation scripts severely miscalculated, and both sides simultaneously promoted themselves to absolute Primary. The system experienced a catastrophic Split-Brain. During the 4 hours of network disconnection, both regions independently accumulated over 1.5 million mutually exclusive transaction logs. After the fiber was restored, the underlying sync threads encountered a Massive Unique Key Violation when attempting to merge, causing a complete halt of the entire database.

2. Root Cause Analysis (5 Whys)

  • Why 1: Why didn't the system stop when the cable broke, resulting in an outcome worse than downtime? Because when the network partition occurred, the system incorrectly chose AP (sacrificing Consistency for Availability), leading to independent concurrent writes.
  • Why 2: Why did both data centers become Primary nodes? Because the automated failover mechanism based on an "Even-Node Cluster" has a fatal blind spot. When Node A cannot see Node B, A cannot determine whether B has died or if simply the network cable between A and B has been cut.
  • Why 3: Why couldn't A determine this? Due to the absence of a global arbitrator or a third party. Two nodes cannot form an "absolute truth" of more than half. They each hold 1 vote, and upon disconnection, fell into the most extreme 1v1 deadlock.
  • Why 4: Why did the database halt immediately upon sync restoration? The physical foundation of a Relational Database Management System (RDBMS) relies strictly on sequence and strong constraints. It does not possess the magical, intelligent conflict-merging abilities of a CRDT (Conflict-free Replicated Data Type) or Git. The collision directly triggered the underlying crash sequence protection.

3. Action Items & Architecture Decision Record (ADR)

  • Workaround: Disable the bidirectional sync threads. Manually reassign hundreds of senior engineers and financial staff to examine the 1.5 million dirty records row by row based on timestamps and business logic, leading to months of account reconciliation and customer compensation.
  • Long-term Fix:
    • ADR-012: Deprecate the even-node high availability cluster. Mandate the introduction of odd-numbered nodes and the Quorum mechanism.
    • We will establish a third, lightweight Witness Node in Texas, located in the central United States.
    • Across the entire network, a node can only be recognized as a legitimate Primary if it secures "Total Nodes / 2 + 1" votes (i.e., at least 2 votes). The next time the backbone network drops, the isolated island will be forcibly stripped of its write access (downgraded to Read-Only or taken offline to guarantee C) because it cannot secure the vote from the Texas witness, thereby elegantly and ruthlessly killing the "schizophrenia" at a mathematical level.

4. Blast Radius & Trade-offs The blind pursuit of 100% High Availability led to the complete collapse of data correctness; this is a lesson written in blood in the distributed era. Thus, we profoundly realize that as long as underlying database writes are involved, it is far better to endure downtime, get scolded, and issue refunds (sacrificing A) than to let the system secretly write mutually exclusive fake data in the dark (sacrificing C).

Architect's Note: Bridging the Past and Modern System Design

1. The Ruthless Meat Grinder of the CAP Theorem (Brewer's Theorem) This forms the foundational basis of every advanced distributed systems interview and system design.

  • C (Consistency): The data you write in one data center must be read identically in another; there can be zero lag or discrepancy.
  • A (Availability): Every time you click "submit," even if the system has a chance of returning the response slowly, it absolutely must not throw an error and tell you "I'm not doing this."
  • P (Partition Tolerance): Even if the network cable between two machines is bitten by a rat, the system as a whole must continue operating.

The cruelty of physics dictates that: due to the speed of light limits (300,000 kilometers per second) and hardware degradation, P (Network Partition) is inevitable and cannot be avoided. Therefore, when an architect designs a system, they are not selecting two out of three in CAP. Instead, with P cemented as a prerequisite, they must agonizingly choose one or the other between C and A:

  • Choose CP, Drop A: Network cable broke? To guarantee the data you see is absolutely flawless, my two data centers will just shut their doors! No service! (Finance, payments, and core ledger systems must do this).
  • Choose AP, Drop C: Network cable broke? To make money, both data centers will bite the bullet and independently accept users! Conflicts? Have the programmers stay up all night writing scripts or using merging algorithms to clean up the mess later! (Early social media feeds, webpage browsing, and non-life-threatening systems can do this).

2. Split-Brain and the Curse of Even-Numbered Nodes The most fatal mistake made by any company dipping its toes into distributed systems is buying two glossy servers for "High Availability Active-Active." This is a massive taboo. In an isolated standoff between two machines, once connection is lost, both think they are King. This triggers the terrifying "Split-Brain Dual Writes" seen in this chapter. When configuring high availability for modern distributed core components (whether it's the later ZooKeeper, etcd [the foundation of Kubernetes], or Redis Sentinel), the ironclad rule is that they must come in odd numbers (3, 5, or 7). This introduces the concept of Quorum (majority voting) in computer science: If 3 people are disconnected into a 1 vs 2 split because of a broken cable, the lonely node holding only 1 vote will realize it is in the minority. The system will automatically strip away its crown, forcing it to commit suicide or shut up. The rule of odd numbers and majority consensus is the greatest mathematical weapon for extracting singular truth from chaotic physical networking.