The Architect

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

English

简体中文
Español
Français
Deutsch
日本語
한국어
Português

Appearance

Book Two: The Distributed Hairball

Core Theme: Splitting up the architecture brought the nightmare of mesh-like dependencies. Uncontrollable cascading failures force the protagonist to seek true isolation cabins (Cells). Time Span: 2005 - 2014

Chapter 13: Screams in the Echo Chamber

December 24, 2012. Christmas Eve.

The streets of Redmond were covered in thick snow, and the warm lights of Christmas trees shone through the windows of every household. However, in the War Room of GenesisSoft's Building 113, the atmosphere was completely out of tune with the holiday peace.

Silas Horn, wearing an immaculate custom suit and holding a glass of eggnog, smiled with satisfaction as he watched the climbing traffic curves on the large monitoring screen.

"A perfect Christmas Eve." Silas pointed at the big screen. "Hello World V13.0 is running like a freshly oiled Swiss watch. Simon, you have to admit that completely abandoning that obsolete monolithic architecture and embracing hundreds of Microservices was the most correct decision we've ever made."

Simon Li sat at the console in the corner, not touching the hot cocoa on his desk. His eyes were glued to the massive, intricate network topology map on the screen.

After years of frantic decoupling, the backend of Hello World had evolved into a massive Directed Acyclic Graph (DAG) composed of over a hundred microservices. User service, messaging service, friend recommendation service, image rendering service... They were like a giant spider web, engaging in extremely dense mesh-like calls with one another via lightweight HTTP APIs.

"It is agile, yes," Simon frowned slightly, "but these mesh-like dependencies also make the system's blast radius highly unpredictable. Silas, microservices are like a group of exceptionally smart children, but if they lack unified disaster drills, their clever instincts during a panic will often kill everyone."

"You worry too much, Simon." Dave, the Director of Operations, patted Simon's shoulder. "We've added the most rigorous 'automatic fault tolerance mechanisms' on the front-end API Gateway and load balancers. If a downstream microservice times out without a response, the gateway will automatically disconnect and initiate a Retry within milliseconds. The system has incredibly strong self-healing capabilities."

Simon shook his head without a word. In a distributed system, so-called "self-healing" is often just a poison pill coated in sugar.

8:00 PM, the Christmas Eve traffic peak arrives.

Families across America, having finished their Christmas dinners, picked up their phones and computers to log into the Hello World platform and post greetings filled with strong festive cheer.

The system's TPS (Transactions Per Second) broke through 300,000. Under the gateway's dispatching, over a hundred microservices were spinning at full speed. Everything looked completely flawless.

But in Simon Li's synesthesia vision, an extremely subtle, discordant noise shattered the otherwise symphony-like roar of the server room.

The sound was like someone gently clearing their throat in a massive glass echo chamber.

"What's happening?" Simon immediately sat up straight, his hands gripping the keyboard.

"N... no major issue." Dave stared at an inconspicuous monitoring dashboard in the bottom right corner of the screen. "It's just that our 'user avatar thumbnail rendering service' on the page is getting a bit slow to respond."

To add to the festive atmosphere, the marketing department had requested that a tiny Christmas hat be added to the corner of every user's avatar. To save time, the development team directly called an extremely slow external third-party image processing API for dynamic synthesis.

Due to the massive surge in network traffic on Christmas, that poor third-party API couldn't handle it. The original 50-millisecond response time was dragged out to 2 seconds, even 5 seconds. Responses were timing out.

"It doesn't matter." Silas drank a sip of eggnog nonchalantly. "Even if all the thumbnails crash and the avatars just show a red X, it won't affect users posting. Let it be."

Theoretically, Silas was right. But in the face of Dave's proud "gateway self-healing mechanism," the laws of physics staged the most ludicrous and terrifying reversal.

"Ahem—!" In Simon's synesthesia world, that initial throat-clearing suddenly turned into an anxious shout.

When the Gateway layer called the "avatar service" and waited 2 seconds to no avail, the rigid gateway code thought: "Oh, it might just be a minor network jitter. I need to Retry once!"

And so, the gateway unhesitatingly fired identical requests at the "avatar service" again. At this time, the "avatar service's" previous request was still sitting there, bitterly waiting for the third-party API to return. Its thread pool was already stretched to the limit, and now a new request was stuffed in, instantly doubling its load!

Subsequently, it wasn't just the gateway retrying. Because the microservices were mesh-dependent, the "messaging service" also timed out while calling the "avatar service." The "messaging service" also had "automatically retry 3 times on failure" written into its code.

"Ahhhhhhhh—!!!"

Screams began to overlap in the echo chamber.

One genuine external timeout request was retried by the gateway into 3; these 3 requests hit the messaging service, which also retried 3 times each, becoming 9; hitting even lower-level services, they became 27!

"Alarm!! Alarm!! The network-wide load is exploding exponentially!" Dave's coffee cup smashed onto the floor as he looked at the big screen in horror.

The originally healthy 300,000 TPS, within a short ten seconds, completely unaffected by any real external user growth, went into a nuclear fission-like chain reaction internally, wildly surging directly to 5 million internal calls!

"Hacker attack?! DDoS?!" Silas yelled hysterically.

"No! Silas, look clearly! This is our system attacking itself!" Simon closed his eyes in despair, feeling as if his entire brain had been stuffed into a sealed glass cabin where noise was constantly being amplified.

In his synesthesia vision, this was not a foreign invasion. This was like in an extremely crowded plaza, where one person (the avatar service) accidentally fell down. The person next to him (the gateway), trying to save him, shouted, "Someone fell over!" As a result, this sentence was infinitely replicated and amplified through the crowd, ultimately evolving into a panic of millions of people violently shoving and wildly trampling each other!

Those over a hundred originally perfectly healthy microservices, because they were blindly retrying each other in the mesh topology, had their memory crammed full of massive repetitive requests, and the Tomcat thread pools were instantly exhausted!

Retry Storm (Cascading Failure)!

"Bang! Bang! Bang!" In the server room, due to CPU overload and OOM (Out of Memory), the microservice nodes started crashing en masse.

"Users can't post! The homepage is a 503! The payment service is down too!" Dave wailed in despair.

It was just an extremely marginal, originally inconsequential third-party image API slowing down. But because of the blind retries lacking self-restraint in the microservice network, the resulting Cascading Failure was like a flame rapidly burning down a fuse, instantly blowing up the entire armory.

"What brought down our system wasn't traffic..." Simon gritted his teeth, enduring the pain in his mind that felt like shattering glass. "It was the system's overactive survival instinct!"

Silas was ashen-faced. "Then shut down the servers! Reboot!"

"It's useless! The moment you reboot, the backlogged retry traffic in the gateway will instantly kill the newly upright machines again!" Simon's hands turned into a blur over the keyboard. "The way to stop a panic stampede isn't to widen the plaza, and especially not to let everyone keep calling for help."

"We must let the person who fell down die, immediately and cleanly."

Simon pulled up the core configuration center. His eyes revealed the cold, ruthless decisiveness of an L6 senior architect.

To stop a cascading failure, the only way was to introduce a physics-style fuse mechanism.

In the call interceptors of all the microservices across the entire network, he forcefully deployed an emergency patch command named Circuit Breaker.

"Dave, keep an eye on the failure rate of the 'avatar service'!" Simon shouted.

"The failure rate has already exceeded 50%!"

"Good! Trip the breaker!"

Simon slammed the Enter key heavily.

In the synesthesia world, within that mesh structure frantically transmitting screams out of panic, a thick fuse leading to the "avatar service" snapped with a crisp 'pop,' cleanly severing (Open state).

This was the most elegant "Fail-Fast".

When the gateway attempted to request the "avatar service" again, this newly deployed circuit breaker blocked it directly in memory, coldly stating: "No matter how many times you try, it's already dead. I will not allow you to waste anymore time and threads calling it. Stop retrying immediately, and give me a default degraded red X icon directly back to the front-end (Fallback)!"

No more endless waiting, no more blind retries. The gateway's threads were immediately released to handle the truly important posting and browsing requests.

The screams dissipated instantly. The echo chamber returned to peace.

The vicious internal overlapping requests that had skyrocketed to 5 million, in the precise microsecond the circuit breaker opened, was like being snipped mid-air by a giant pair of scissors, plummeting straight down back to a healthy 300,000.

"It's recovering... The core paths are recovering..." Dave slumped in his chair, wiping the cold sweat from his face.

On the large screen, the homepage lit up again. The users' avatars had indeed all turned into ugly red crosses (or default gray silhouettes), but they were pleasantly surprised to find that the posting, liking, and billing functions were all incredibly smooth.

No one cares about a missing Christmas hat when they are eager to announce "Hello World" to the world.

Watching the stabilized system, Silas let out a long breath of foul air and slumped helplessly next to Simon: "Simon, I thought retrying was for the system's own good."

"In the monolithic era, retrying was a virtue. But in the microservices era of horizontal scaling and mesh dependencies, mindless retrying is the most potent poison."

On the whiteboard, Simon drew a state machine for a circuit breaker (Closed -> Open -> Half-Open), and then circled it heavily.

"You have to learn to fail gracefully (Graceful Degradation). Don't try to hide that rotting plank underneath. If it's broken, openly throw an error to protect the main road. This is called Circuit Breaking."

"But what if we really have to retry? Like to avoid momentary network jitters?" Dave asked with lingering fear.

"Then add time as a penalty." Simon wrote a mathematical formula next to it, "We need to use Exponential Backoff. First failure, wait 1 second then try; second failure, wait 2 seconds; third time wait 4 seconds, 8 seconds... Forcing a retry will only make an already congested channel even more jammed."

In the ocean of microservices belonging to the future, fault tolerance and self-preservation mechanisms became the first absolute necessity for survival.

The high-dimensional probe etched this arduous step of human civilization regarding "cascading failure avoidance" deep into the bottom grooves of compute.

However, the nightmare of microservices was not over. If the hell of synchronous calls was a "retry storm," then when architects tried to use "asynchronous queues" to decouple these heavy dependencies— A monster called the "Poison Pill" was waiting quietly for its prey in the abyss of Kafka.

Architecture Decision Record (ADR) & Post-Mortem

Document ID: PM-2012-12-24 Severity: SEV-1 (Microservice Avalanche, Global Slowdown/Outage) Lead: Simon Li (Principal Engineer)

1. What happened? During the peak traffic of Christmas Eve, due to the introduction of an extremely slow external third-party image processing API, a non-core business "avatar thumbnail rendering service" experienced a severe response delay. Front-end gateways and upstream services triggered the "automatic retry on failure mechanism," causing internal network requests to multiply exponentially, instantly maxing out the thread pools of all services, and triggering a massive network-wide timeout and OOM.

2. 5 Whys Root Cause Analysis

  • Why 1: Why did all microservices crash? Because the Tomcat / underlying thread pools of each service were exhausted.
  • Why 2: Why were the thread pools exhausted? Facing an internal request concurrency of tens of millions, threads were deadlocked waiting for responses from an extremely slow downstream service (the avatar service).
  • Why 3: Why did the internal requests suddenly surge tenfold or more out of thin air? Because every node on the microservice call chain executed stateless, fixed-frequency retries. A single external genuine request was amplified several times, even dozens of times.
  • Why 4: Why did retries become poison? In the mesh-like dependencies of a DAG (Directed Acyclic Graph), unrestrained retries lacking a global perspective trigger a multiplier effect, forming a Retry Storm. This is the most tragic internal self-attack (stampede event) in a distributed system.
  • Why 5: Why was a fragile external API allowed to drag down the whole system? Due to a lack of service degradation and fault isolation drills. The system didn't know how to "cut off the tail to survive" during a partial failure, but instead tried to protect a dead tree, ultimately uprooting everything.

3. Action Items & Architecture Decision Record (ADR)

  • Temporary Workaround: Urgently deployed a global interceptor to forcibly sever all call requests to the "avatar service" and return a default image placeholder (Fallback).
  • Architecture Refactoring (Long-term Fix):
    • ADR-013: Mandatory introduction of the Circuit Breaker Pattern in all inter-service RPC calls.
    • When a downstream service's error rate or P99 latency exceeds a set threshold (e.g., continuous large-scale failures lasting several seconds), the circuit breaker state switches from Closed to Open, immediately intercepting subsequent requests to that node and Failing-Fast, stopping the waste of precious threads on the local node.
    • Standardized Backoff Strategy: Completely ban blind fixed-frequency retries globally. If retry logic must be retained, it must and can only use an Exponential Backoff with Jitter algorithm.

4. Blast Radius & Trade-offs Microservices untied the system's coupling at the physical level but wove a net that is much more likely to backfire at the logical and network levels. In the face of complex cascading failures, "embracing failure" and "cutting off an arm to save the body" is the only rule to stop the blast radius of a single point from spreading globally.

Architect's Note: Bridging Past and Present System Design

1. Cascading Failure and the Fragility of Distributed Systems A monolithic system is like a solid lead cue ball; you drop it, and it's hard to break. A microservice cluster is like a castle made of hundreds of exquisitely crafted dominoes. In this castle, if the fall of any edge domino (like this chapter's external thumbnail API) is not intervened upon, the immense pushing force of retries will amplify it, eventually causing the entire castle to avalanche. This is the classic big-tech "Cascading Failure."

2. Defensive Nuke 1: Circuit Breaker Software engineering is actually always stealing ideas from the physical world. The term "circuit breaker" comes from the electrical fuse box in your home. When the current load is abnormal, your home's fuse will snap "pop" to protect your TV and refrigerator from burning down. In modern microservices (like Java's Spring Cloud / Netflix Hystrix, or Resilience4j, and Service Meshes like Istio), we do exactly the same thing: If we discover that 50% of the interface calls to the points service in the past minute have timed out and error'd, the system will "trip" this thread. All subsequent requests, without even sending out a network packet, will directly throw an error in the frontend gateway's memory or go through fallback logic (like providing a default value). This is called "Fail-Fast to Release Resources."

3. Defensive Nuke 2: Exponential Backoff with Jitter When you try to reconnect to a broken database, if your code says "retry every 1 second," you are actually amassing an army. Because if tens of thousands of machines are doing the same thing, even if the database has just recovered, it will be knocked flat again by this "extremely coordinated" ten-thousand-concurrency charge, which is known as the Thundering Herd problem. The legitimate industrial practice is: if it fails, the first time you wait 100 milliseconds, the second time 200 milliseconds, the third time 400 milliseconds, and the Nth time $N^2$ milliseconds. This is called "exponential backoff," providing the underlying system with a breathing window for self-recovery. In more advanced implementations, a random number (Jitter) is added to this wait time so that different machines don't launch their retries at the exact same microsecond, entirely dispersing the terrifying concurrency peak. This is not only the baseline for survival in distributed architectures but also the standard discipline of modern cloud-native systems.