Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

19
MDDPro: Model-Driven Dependability Provisioning in Enterprise Distributed Real-time and Embedded Systems Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano Vanderbilt University, Nashville, TN, USA Contact : [email protected] This work is supported by subcontracts from LMCO & BBN International Service Availability Symposium (ISAS) 2007 May 21-22, 2007, University of New Hampshire, Durham, New Hampshire, USA

description

MDDPro: Model-Driven Dependability Provisioning in Enterprise Distributed Real-time and Embedded Systems. Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano Vanderbilt University, Nashville, TN, USA Contact : *[email protected]. - PowerPoint PPT Presentation

Transcript of Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

Page 1: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

MDDPro: Model-Driven DependabilityProvisioning in Enterprise Distributed Real-time

and Embedded Systems

Sumant Tambe*

Jaiganesh Balasubramanian

Aniruddha Gokhale

Thomas Damiano

Vanderbilt University, Nashville, TN, USA

Contact : [email protected]

This work is supported by subcontracts from LMCO & BBN

International Service Availability Symposium (ISAS) 2007

May 21-22, 2007, University of New Hampshire, Durham, New Hampshire, USA

Page 2: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

2

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Component-based Enterprise DRE Systems Characteristics of component-based

enterprise DRE systems Applications composed of one or

more “operational string” of services or systems of systems

Simultaneous QoS (Availability, Time Critical) requirements

Dynamic (re)-deployment of components into operational strings

Examples of Enterprise DRE systems Advanced air-traffic control systems Continuous patient monitoring systemsDetector1

Detector2

Planner3 Planner1

Error Recovery

Effector1

Effector2

Config

LEGEND

Receptacle

Event Sink

Event Source

Facet

Goal: Simplify and automate Fault-Tolerance provisioning in the DRE

systems

Page 3: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

3

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Fault-Tolerance Design Considerations in DRE Systems

C1 C2 C3 C4 C5

Per-component concern – choice of implementation Depends of resources, compatibility with other components in assembly

Failure recovery concern – what is the unit of failover? Availability concern – what is the degree of redundancy? What replication

styles to use? Does it apply to whole assembly? State synchronization concerns – What is data-sync rate? Deployment concern – how to place components? Minimize failure risk to the

system

Failover Unit

C1C1

C1C1

Page 4: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

4

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Tangled Fault-Tolerance Concerns

Separation of Concerns using higher

level abstractions is the key

Implementation determines replication style and vice-versa

Replication degree affects resources and deployment

Replication style determines state synchronization style

Availability of domain artifacts determines deployment

Significant sources of variability that affect end-to-end QoS (performance + availability)

Design-time Deployment-time Run-time

Page 5: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

5

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Model-Driven Engineering – A Promising Approach Higher level of abstraction

than third generation programming languages

Modeling each concern separately alleviates system complexity Deployment model Component assembly model System structural model Different QoS models

e.g., Fault-tolerance

Generative and model transformation techniques to weave in appropriate glue code

Complex System

Page 6: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

6

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Fault-tolerance Modeling Abstractions in MDDPro

Fail-over Unit (FOU): Abstracts away details of granularity of protection (e.g., Component, Assembly, App-string)

Replica Group (RPG): Abstracts away fault-tolerance policy details (e.g., Active/passive replication, rate and topology of state-synchronization)

Shared Risk Group (SRG): Captures associations related to failure risk. (e.g., shared power supply among processors, shared LAN)

Protection granularity concerns

State-synchronization concerns

Component Placement constraints

Replica Distance Metric

Interpreter (component placement constraint solver): Encapsulates an algorithm for component-node assignment based on replica distance metric

CQML (Component QoS Modeling Language)

A DSML in the CoSMIC tool suite

Page 7: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

7

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Fault-Tolerance Model in CQMLCQML (Component QoS

Modeling Language) A graphical QoS modeling

language on top of a system composition language (e.g., PICML)

Enhances system structure with QoS annotations (e.g., FOUs for granularity of protection)

A FOU itself is a model and captures heartbeat frequency and replication groups

A Replication group captures per component replication style, data synchronization rate

Page 8: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

8

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

container/component servercontainer/component server“Client” primary IO

R

Primary FOUPrimary FOU

A B C

Fail-over Unit Example

container/component servercontainer/component server container/component servercontainer/component server

Replica FOUReplica FOU

A’ B’ C’

secondary IOR

container/component servercontainer/component server container/component servercontainer/component server container/component servercontainer/component server

Primary Component

Replica Component

Page 9: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

9

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

DataCenter1_SRGDataCenter1_SRG DataCenter2_SRGDataCenter2_SRG

Rack1_SRGRack1_SRG Rack2_SRGRack2_SRG Node1Node1(blade31)(blade31)

Node2Node2(blade32)(blade32)

Shelf1_SRGShelf1_SRG Shelf2_SRGShelf2_SRG

Blade30Blade30

Ship_SRGShip_SRG

Blade34Blade34 Blade29Blade29

Shelf1_SRGShelf1_SRG

Blade36Blade36Blade33Blade33

Shared Risk Group Example

Page 10: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

10

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

R1

P

R2

R3

Define N orthogonal vectors, one for each of the distance values computed for the N components (with respect to a primary) and vector-sum these to obtain a resultant.  Compute the magnitude of the resultant as a representation of the composite distance captured by the placement . 

Formulation of Replica Placement Problem

1. Compute the distance from each of the replicas to the primary for a placement. 

2. Record each distance as a vector, where all vectors are orthogonal.

3. Add the vectors to obtain a resultant.4. Compute the magnitude of the resultant.5. Use the resultant in all comparisons (either among

placements or against a threshold) 6. Apply a penalty function to the composite distance (e.g. pair

wise replica distance or uniformity)

Page 11: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

11

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Node2Node2(blade32)(blade32)

Shelf1_SRGShelf1_SRG

Ship_SRGShip_SRG

Blade34Blade34 Blade36Blade36

Composite Composite DistanceDistance

Blade30Blade30

Node1Node1(blade31)(blade31)

DataCenter2_SRGDataCenter2_SRGDataCenter1_SRGDataCenter1_SRG

Rack1_SRGRack1_SRG Rack2_SRGRack2_SRG

Shelf1_SRGShelf1_SRGShelf2_SRGShelf2_SRG

Blade29Blade29 Blade33Blade33

Component Placement Example using SRGs

Replica1

Replica2

Replica3

Primary

Page 12: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

12

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

5. Distance-based constraint algorithm determines replica placement in deployment descriptors.

GME/PICMLGME/PICML

1. Model components and application strings in CQML2. Model Fail Over Units (FOUs) and Shared Risk Groups (SRGs)3. Determine deployment of primary components

4. Interpreter automatically injectsreplicas and associated CCM IOGRs

FT Modeling & Generative Steps

Model Model InformationInformation

Domain, Deployment,

SRG, and FOU injection

Replica Placement Algorithm

modelFT InterpreterFT Interpreter

Augmented Augmented Deployment Deployment

PlanPlan

Page 13: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

13

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Fault-Tolerance Model in CQML

Replica = 3Min Distance = 4

Page 14: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

14

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Shared Risk Group Model in CQML

Shared Risk Group 1

Page 15: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

15

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Generative Capabilities for Provisioning FT

Automatic Injection of replicas Augmentation of

deployment plan based on number of replicas

Automatic Injection of FT infrastructure components E.g. Collocated “heartbeat”

(HB) component with every protected component.

Automatic Injection of connection meta-data Specialized connection

setup for protected components (e.g. Interoperable Group References IOGR)

C1

C1C1C1C1

HB

Container

M x N

Page 16: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

16

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

container/component servercontainer/component server

FPCFPC

“client”

periodic FPC heartbeat

primary IOR

Primary FOUPrimary FOU

A

HB

container/component servercontainer/component server

Bcontainer/component servercontainer/component server

C

container/component servercontainer/component server

Replica FOUReplica FOU

A’container/component servercontainer/component server

B’container/component servercontainer/component server

C’

secondary IOR

IOG

R

FPCFPC

HB HB

intra-FOU heartbeat

HBHB HB

Example of Automated Heartbeat Component Injection

Primary Component

Replica Component

Collocated heartbeat

component

ConnectionInjection

Page 17: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

17

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Future Work Developing advanced constraint solver

algorithms to incorporate multiple dimensions of constraints in component placement decision (e.g. resources, communication latency)

Optimizing the number of generated heartbeat components for collocated, protected application components.

Enhancing the DSL and the tools to capture the configurability required by the new availability specifications e.g., Lightweight RT/FT CORBA Spec. e.g., SAF AIS Spec.

Enhancing working prototypes and evaluating them in representative DRE systems

HB

Container

C1C1C1C1

Configurable FT Infrastructure

Page 18: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

18

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Concluding Remarks

Model-Driven Engineering separates dependability concerns from other system development concerns

Separation of concerns helps alleviate system complexity

Productivity increase at model interpretation time using automatic generation of FT infrastructure (e.g. heartbeat components and connections)

Tools available for download fromwww.dre.vanderbilt.edu/cosmicwww.dre.vanderbilt.edu/CIAO

Page 19: Sumant Tambe* Jaiganesh Balasubramanian Aniruddha Gokhale Thomas Damiano

19

Sumant Tambe, et. al MDDPro: MDE-based DependabilityISAS 2007

Questions?