Svend Frolund

FAB: building distributed enterprise disk arrays from commodity components

This paper describes the design, implementation, and evaluation of a Federated Array of Bricks (FAB), a distributed disk array that provides the reliability of traditional enterprise arrays with lower cost and better scalability. FAB is built from a collection of bricks, small storage appliances containing commodity disks, CPU, NVRAM, and network interface cards. FAB deploys a new majority-voting-based algorithm to replicate or erasure-code logical blocks across bricks and a reconfiguration algorithm to move data in the background when bricks are added or decommissioned. We argue that voting is practical and necessary for reliable, high-throughput storage systems such as FAB. We have implemented a FAB prototype on a 22-node Linux cluster. This prototype sustains 85MB/second of throughput for a database workload, and 270MB/second for a bulk-read workload. In addition, it can outperform traditional master-slave replication through performance decoupling and can handle brick failures and recoveries smoothly without disturbing client requests.

Quality-of-service specification in distributed object systems

Traditional object-oriented design methods deal with the functional aspects of systems, but they do not address quality-of-service (QoS) aspects, such as reliability, availability, performance, security and timing. However, deciding which QoS properties should be provided by individual system components is an important part of the design process. Different decisions are likely to result in different component implementations and system structures. Thus, decisions about component-level QoS should commonly be made at design time, before the implementation is begun. Since these decisions are an important part of the design process, they should be captured as part of the design. We propose a general quality-of-service specification language, which we call QML. In this paper we show how QML can be used to capture QoS properties as part of designs. In addition, we extend UML, the de facto standard object-oriented modelling language, to support the concepts of QML. QML is designed to integrate with object-oriented features, such as interfaces, classes and inheritance. In particular, it allows specification of QoS properties through refinement of existing QoS specifications. Although we exemplify the use of QML to specify QoS properties within the categories of reliability and performance, QML can be used for specification within any QoS category - QoS categories are user-defined types in QML. Sometimes, QoS characteristics and requirements change dynamically due to changing user preferences, or changes in the environment. For such situations static specification is insufficient. To allow for dynamic systems that change and evolve over time, we provide a QoS specification runtime representation. This representation enables systems to create, manipulate and exchange QoS information, and thereby negotiate and adapt to changing QoS requirements and conditions.

A Language Framework for Multi-Object Coordination

We have developed language support for the expression of multi-object coordination. In our language, coordination patterns can be specified abstractly, independent of the protocols needed to implement them. Coordination patterns are expressed in the form of constraints that restrict invocation of a group of objects. Constraints are defined in terms of the interface of the objects being invoked rather than their internal representation. Invocation constraints enforce properties, such as temporal ordering and atomicity, that hold when invoking objects in a group. A constraint can permanently control access to a group of objects, thereby expressing an inherent access restriction associated with the group. Furthermore, a constraint can temporarily enforce access restrictions during the activity of individual clients. In that way, constraints can express specialized access schemes required by a group of clients.

Deconstructing paxos

The celebrated Paxos algorithm of Lamport implements a fault-tolerant deterministic service by replicating it over a distributed message-passing system. This paper presents a deconstruction of the algorithm by factoring out its fundamental algorithmic principles within two abstractions: an eventual leader election and an eventual register abstractions. In short, the leader election abstraction encapsulates the liveness property of Paxos whereas the register abstraction encapsulates its safety property. Our deconstruction is faithful in that it preserves the resilience and efficiency of the original Paxos algorithm in terms of stable storage logs, message complexity, and communication steps. In a companion paper, we show how to use our abstractions to reconstruct powerful variants of Paxos.

A Linguistic Framework for Dynamic Composition of Dependability Protocols

We present a language framework for describing dependable systems which emphasizes modularity and composition. Dependability and functionality aspects of an application may be described separately providing a separation of design concerns. Futhermore, the dependability protocols of an application may be constructed bottom-up as simple protocols that are composed into more complex protocols. Composition makes it easier to reason about dependability and supports the construction of general reusable dependability schemes. A significant aspect of our language framework is that dependability protocols may be loaded into a running application and installed dynamically. Dynamic installation makes it possible to impose additional dependability protocols on a server as clients with new dependability demands are integrated into a system. Similarly, if a given dependability protocol is only necessary during some critical phase of execution, it may be installed during that period only.

Abstraction and modularity mechanisms for concurrent computing

The Actor model programming language concept, which provides basic building blocks for a wide variety of computational structures, is reviewed. The Actor model unifies objects and concurrency. Actors are autonomous, distributed, concurrently executing objects that can send each other messages asynchronously. The Actor models communication abstractions and object-oriented design are discussed. Three mechanisms for developing modular and reusable components for concurrent systems are also discussed. The mechanism are synchronizers, modular specifications of resource management policies, and protocol customization of dependability.<<ETX>>

e-Transactions: end-to-end reliability for three-tier architectures

A three-tier application is organized as three layers: human users interact with front-end clients (e.g., browsers), middle-tier application servers (e.g., Web servers) contain the business logic of the application, and perform transactions against back-end databases. Although three-tier applications are becoming mainstream, they usually fail to provide sufficient reliability guarantees to the users. Usually, replication and transaction-processing techniques are applied to specific parts of the application, but their combination does not provide end-to-end reliability. The aim of this paper is to provide a precise specification of a desirable, yet realistic, end-to-end reliability contract in three-tier applications. The paper presents the specification in the form of the Exactly-Once Transaction (e-Transaction) abstraction: an abstraction that encompasses both safety and liveness properties in three-tier environments. It gives an example implementation of that abstraction and points out alternative implementations and tradeoffs.

Inheritance of Synchronization Constraints in Concurrent Object-Oriented Programming Languages

We analyse how inheritance of synchronization constraints should be supported. The conclusion of our analysis is that inheritance of synchronization constraints should take the form of incrementally more restrictive constraints for derived subclasses. Our conclusion is based on the view that combinations of behavior in object-oriented languages yield subclasses that extend superclass behavior. We give a notation for describing synchronization constraints. In our notation, synchronization constraints can be inherited and aggregated. We present a number of examples that illustrate the fundamental concepts captured by our notation. Synchronization constraints are described as restrictions that apply to invocation of methods. Application of restrictions is pattern-based, which allows the same restriction to apply to multiple methods and multiple restrictions to apply to the same method.

A decentralized algorithm for erasure-coded virtual disks

A federated array of bricks is a scalable distributed storage system composed from inexpensive storage bricks. It achieves high reliability with low cost by using erasure coding across the bricks to maintain data reliability in the face of brick failures. Erasure coding generates n encoded blocks from m data blocks (n > m) and permits the data blocks to be reconstructed from any m of these encoded blocks. We present a new fully decentralized erasure-coding algorithm for an asynchronous distributed system. Our algorithm provides fully linearizable read-write access to erasure-coded data and supports concurrent I/O controllers that may crash and recover. Our algorithm relies on a novel quorum construction where any two quorums intersect in m processes.

Implementing E-transactions with asynchronous replication

This paper describes a distributed algorithm that implements the abstraction of e-Transaction: a transaction that executes exactly-once despite failures. Our algorithm is based on an asynchronous replication scheme that generalizes well-known active-replication and primary-backup schemes. We devised the algorithm with a three-tier architecture in mind: the end-user interacts with front-end clients (e.g., browsers) that invoke middle-tier application servers (e.g., web servers) to access back-end databases. The algorithm preserves the three-tier nature of the architecture and introduces a very acceptable overhead with respect to unreliable solutions.