Trusting In The Cloud: A Call For Post-Mortem As Facebook Loses Notification Settings

I first read about Facebook having lost some users’ notification settings on TechCrunch four days ago. This was worrisome to me, but I got sick over the weekend and didn’t have a chance to write about it. Then I got my very own email from Facebook telling me the same: they’ve lost my notification settings and if I’d be so kind as to reset them, and that they apologized for the inconvenience.

Facebook needs to publish a public post-mortem on this, as soon as humanly possible. When any data disappears from the cloud, no matter how innocuous, it calls into consideration serious questions of trust and competence. I’ve trusted Facebook for a long time. The engineers who have built it have done an amazing job at making sure things scale brilliantly, at cobbling together various pieces of technology and contributing their own back to the community to make the site highly available and without many of the horrible growing pains MySpace experienced, when Tom would send a message telling everyone bulletins will be down and to please not email him.


Posted in: Rants

Amazon Explains S3 Outage: Gossip Kills

Amazon has released a rather comprehensive write-up on their post-mortem analysis of why Amazon S3 went down last week. The S3 servers use a gossiping protocol to determine system states, including what servers are available and the status of the nodes across the network.

A single bit was corrupted in several of these gossip messages, such that they were still intelligible but reflected inaccurate data about the system state. These propagated through the network (much like a virus, really) and caused most of the servers to spend most of their time gossiping or failing to complete the gossip; if the gossip doesn’t complete, the server can’t/won’t send its data.

While Amazon MD5-checksums data in containers to ensure its integrity as it’s being transmitted, they weren’t doing this on their gossips. They’ve since established several new practices to attempt to ensure that a problem like this won’t cause a failure across the entire system, including better failure handling with gossips and faster restoration when nodes do go down.
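To make the failure mode concrete, here is an added example (not Amazon’s code, and not S3’s actual message format, which the write-up doesn’t describe) of the two behaviours the post-mortem contrasts. A constructed gossip message about a node’s availability is relayed through a chain of nodes; a single flipped bit turns “available” into “unavailable” while the message still parses, so unchecked nodes accept it and forward the corrupted bytes onward. The same message framed with an MD5 checksum is rejected at the first hop and the corruption stops there. The node name, field names and chain length are all assumptions for the demo.

```python
import hashlib
import json

# Constructed sample gossip state (assumed format, not Amazon's): one node's availability flag.
SAMPLE_STATE = {"node": "s3-node-07", "available": 1, "epoch": 42}


def encode_gossip(state):
    """Serialize a gossip message as compact, key-sorted JSON bytes."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit flipped: simulated memory/link corruption."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def parse_unchecked(payload):
    """The failure mode: any bytes that still parse are trusted as cluster state."""
    try:
        return json.loads(payload)
    except ValueError:
        return None  # unintelligible gossip is dropped, but subtly wrong gossip is not


def encode_checked(state):
    """Hardened form: frame the payload as <md5 hex>:<payload> so corruption is detectable."""
    payload = encode_gossip(state)
    return hashlib.md5(payload).hexdigest().encode() + b":" + payload


def parse_checked(frame):
    """Verify the checksum before believing anything the payload says."""
    digest, sep, payload = frame.partition(b":")
    if not sep or hashlib.md5(payload).hexdigest().encode() != digest:
        return None  # checksum mismatch: drop the frame, do not forward it
    return json.loads(payload)


def spread(frame, parser, n_nodes=5):
    """Relay one frame along a chain of nodes; each node forwards the exact bytes it accepted.

    Returns the 'available' value each node ended up believing. A node that rejects
    the frame stops the chain, which is what a checksum buys you.
    """
    views = []
    for _ in range(n_nodes):
        state = parser(frame)
        if state is None:
            break
        views.append(state["available"])
    return views


def demo():
    """Corrupt the same bit with and without a checksum and compare what the cluster believes."""
    good = encode_gossip(SAMPLE_STATE)
    # Locate the byte holding the availability flag and flip its low bit: '1' (0x31) -> '0' (0x30).
    pos = good.index(b'"available":') + len(b'"available":')
    corrupted = flip_bit(good, pos, 0)
    unchecked_views = spread(corrupted, parse_unchecked)

    # Same corruption applied inside the checksummed frame (skip past the digest and ':').
    framed = encode_checked(SAMPLE_STATE)
    offset = framed.index(b":") + 1
    checked_views = spread(flip_bit(framed, offset + pos, 0), parse_checked)

    return {
        "corrupted_payload": corrupted,
        "unchecked_views": unchecked_views,
        "checked_views": checked_views,
    }


if __name__ == "__main__":
    result = demo()
    print("corrupted payload still parses as:", parse_unchecked(result["corrupted_payload"]))
    print("unchecked chain believes available =", result["unchecked_views"])
    print("checked chain accepted frames:", result["checked_views"])
```

MD5 is enough for what the post-mortem describes, which is accidental bit corruption; it says nothing about a peer deliberately forging gossip, and for that case a keyed MAC such as HMAC over the payload would be the matching control.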

They end their missive simply enough, owning up in a way I give them credit for:

Though we’re proud of our operational performance in operating Amazon S3 for almost 2.5 years, we know that any downtime is unacceptable and we won’t be satisfied until performance is statistically indistinguishable from perfect.

“Statistically indistinguishable from perfect” is a rather poetic phrase, and I’d like to think we strive for that over at Synapse Studios. But my stats-masters programmer would just mock me.

Read their full statement here.

Posted in: Tech News