- Number of slides: 19

MDDPro: Model-Driven Dependability Provisioning in Enterprise Distributed Real-time and Embedded Systems
Sumant Tambe*, Jaiganesh Balasubramanian, Aniruddha Gokhale, Thomas Damiano
Vanderbilt University, Nashville, TN, USA
Contact: *sutambe@dre.vanderbilt.edu
International Service Availability Symposium (ISAS) 2007, May 21-22, 2007, University of New Hampshire, Durham, New Hampshire, USA
This work is supported by subcontracts from LMCO & BBN

Sumant Tambe, et al. ISAS 2007 MDDPro: MDE-based Dependability

Component-based Enterprise DRE Systems
- Characteristics of component-based enterprise DRE systems
  - Applications composed of one or more "operational strings" of services or systems of systems
  - Simultaneous QoS (Availability, Time Critical) requirements
  - Dynamic (re)-deployment of components into operational strings
- Examples of Enterprise DRE systems
  - Advanced air-traffic control systems
  - Continuous patient monitoring systems
Goal: Simplify and automate fault-tolerance provisioning in DRE systems

Fault-Tolerance Design Considerations in DRE Systems
- Per-component concern: choice of implementation
  - Depends on resources and compatibility with other components in the assembly
- Availability concern: what is the degree of redundancy? What replication styles to use? Does it apply to the whole assembly?
- Failure recovery concern: what is the unit of failover?
- State synchronization concerns: what is the data-sync rate?
- Deployment concern: how to place components? Minimize failure risk to the system

Tangled Fault-Tolerance Concerns
- Phases: Design-time, Deployment-time, Run-time
- Implementation determines replication style and vice-versa
- Replication degree affects resources and deployment
- Replication style determines state synchronization style
- Availability of domain artifacts determines deployment
Significant sources of variability that affect end-to-end QoS (performance + availability)
Separation of Concerns using higher level abstractions is the key

Model-Driven Engineering: A Promising Approach
- Higher level of abstraction than third generation programming languages
- Modeling each concern separately alleviates system complexity
  - Deployment model
  - Component assembly model
  - System structural model
  - Different QoS models, e.g., Fault-tolerance
- Generative and model transformation techniques to weave in appropriate glue code
[Figure label: Complex System]

Fault-tolerance Modeling Abstractions in MDDPro
CQML (Component QoS Modeling Language): a DSML in the CoSMIC tool suite
- Fail-over Unit (FOU): Abstracts away details of granularity of protection (e.g., Component, Assembly, App-string)
- Replica Group (RPG): Abstracts away fault-tolerance policy details (e.g., Active/passive replication, rate and topology of state-synchronization)
- Shared Risk Group (SRG): Captures associations related to failure risk (e.g., shared power supply among processors, shared LAN)
- Interpreter (component placement constraint solver): Encapsulates an algorithm for component-node assignment based on replica distance metric
[Figure labels: Protection granularity concerns; State-synchronization concerns; Component Placement constraints; Replica Distance Metric]

Fault-Tolerance Model in CQML (Component QoS Modeling Language)
- A graphical QoS modeling language on top of a system composition language (e.g., PICML)
- Enhances system structure with QoS annotations (e.g., FOUs for granularity of protection)
- A FOU itself is a model and captures heartbeat frequency and replication groups
- A Replication group captures per component replication style, data synchronization rate

Fail-over Unit Example
[Figure: a "Client" with a primary IOR and a secondary IOR. Primary FOU: Primary Components A, B, C, each in a container/component server. Replica FOU: Replica Components A', B', C', each in a container/component server.]

Shared Risk Group Example
[Figure labels: Ship_SRG; DataCenter 1_SRG; DataCenter 2_SRG; Rack 1_SRG; Rack 2_SRG; Shelf 1_SRG; Shelf 2_SRG; Shelf 1_SRG; Blade 29; Blade 30; Blade 33; Blade 34; Blade 36; Node 1 (blade 31); Node 2 (blade 32)]

Formulation of Replica Placement Problem
Define N orthogonal vectors, one for each of the distance values computed for the N components (with respect to a primary), and vector-sum these to obtain a resultant. Compute the magnitude of the resultant as a representation of the composite distance captured by the placement.
1. Compute the distance from each of the replicas to the primary for a placement.
2. Record each distance as a vector, where all vectors are orthogonal.
3. Add the vectors to obtain a resultant.
4. Compute the magnitude of the resultant.
5. Use the resultant in all comparisons (either among placements or against a threshold).
6. Apply a penalty function to the composite distance (e.g., pairwise replica distance or uniformity).
[Figure labels: P, R1, R2, R3]

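The six steps above, carried through in Python as an added example; this is not code from MDDPro or the CoSMIC tools. The SRG tree, the hop-count distance, the same-rack penalty and its weight are assumptions, since the slides do not define the metric or the penalty function.

```python
import math
from itertools import combinations

# Constructed SRG tree (child -> parent); names are hypothetical, not the slides' model.
PARENT = {
    "dc1": "ship", "dc2": "ship",
    "rack1": "dc1", "rack2": "dc1", "rack3": "dc2",
    "blade29": "rack1", "blade30": "rack1", "blade33": "rack2",
    "blade34": "rack3", "blade36": "rack3",
}
NODES = [n for n in PARENT if n.startswith("blade")]
PAIR_PENALTY = 2.0  # assumed cost per replica pair that shares a rack

def ancestors(node):
    """Return the node followed by every risk group that contains it."""
    chain = [node]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def distance(a, b):
    """Assumed metric: hops from a and b up to their lowest shared risk group."""
    up_a, up_b = ancestors(a), ancestors(b)
    shared = next(g for g in up_a if g in up_b)
    return up_a.index(shared) + up_b.index(shared)

def composite_distance(primary, replicas):
    """Steps 1-4: orthogonal vectors sum to a resultant of length sqrt(sum d_i^2)."""
    return math.sqrt(sum(distance(primary, r) ** 2 for r in replicas))

def penalty(replicas):
    """Step 6, assumed form: penalise replica pairs placed in the same rack."""
    return PAIR_PENALTY * sum(distance(a, b) <= 2 for a, b in combinations(replicas, 2))

def best_placement(primary, nodes, k, threshold=0.0):
    """Step 5: compare placements whose composite distance meets the threshold."""
    best = None
    candidates = sorted(n for n in nodes if n != primary)
    for replicas in combinations(candidates, k):
        composite = composite_distance(primary, replicas)
        if composite < threshold:
            continue  # resultant falls below the required composite distance
        score = composite - penalty(replicas)
        if best is None or score > best[0]:
            best = (score, replicas)
    return best

if __name__ == "__main__":
    print(best_placement("blade33", NODES, k=2))
    print(best_placement("blade33", NODES, k=2, threshold=8))
```

Without the penalty, the two blades in the far data center would win on composite distance alone even though they share a rack; the pairwise term is what spreads the replicas across risk groups.
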
Component Placement Example using SRGs
[Figure labels: Ship_SRG; DataCenter 1_SRG; DataCenter 2_SRG; Rack 2_SRG; Shelf 1_SRG; Shelf 2_SRG; Shelf 1_SRG; Blade 29; Blade 30; Blade 33; Blade 34; Blade 36; Node 1 (blade 31); Node 2 (blade 32); Primary; Replica 1; Replica 2; Replica 3; Composite Distance]

FT Modeling & Generative Steps
1. Model components and application strings in PICML
2. Model Fail Over Units (FOUs) and Shared Risk Groups (SRGs)
3. Determine deployment of primary components
4. Interpreter automatically injects replicas and associated CCM IOGRs
5. Distance-based constraint algorithm determines replica placement in deployment descriptors
[Figure labels: GME/PICML; Model Information: Domain, Deployment, SRG, and FOU; FT Interpreter: model injection, Replica Placement Algorithm; Augmented Deployment Plan]

Fault-Tolerance Model in CQML (1/2)
[Figure annotations: Replica = 3; Min Distance = 4]

Shared Risk Group Model in CQML
[Figure label: Shared Risk Group 1]

Generative Capabilities for Provisioning FT
- Automatic Injection of replicas
  - Augmentation of deployment plan based on number of replicas
- Automatic Injection of FT infrastructure components
  - E.g., collocated "heartbeat" (HB) component with every protected component
- Automatic Injection of connection meta-data
  - Specialized connection setup for protected components (e.g., Interoperable Group References, IOGR)
[Figure labels: HB; Container; MxN]

Example of Automated Heartbeat Component Injection
[Figure: a "client" with IOGR, primary IOR and secondary IOR. Primary FOU: Primary Components A, B, C in a container/component server, each with a collocated heartbeat (HB) component. Replica FOU: Replica Components A', B', C' in container/component servers, each with an HB component. Other labels: FPC; intra-FOU heartbeat; periodic FPC heartbeat; Connection Injection.]

Future Work
- Developing advanced constraint solver algorithms to incorporate multiple dimensions of constraints in component placement decision (e.g., resources, communication latency)
- Optimizing the number of generated heartbeat components for collocated, protected application components
- Enhancing the DSL and the tools to capture the configurability required by the new Lightweight RT/FT CORBA specification
  - e.g., Enhancing the model interpreter to support a wide spectrum of established fault-tolerance mechanisms
- Enhancing working prototypes and evaluating them in representative DRE systems
[Figure labels: HB; Container; Configurable FT Infrastructure]

Concluding Remarks
- Model-Driven Engineering separates dependability concerns from other system development concerns
- Separation of concerns helps alleviate system complexity
- Model-based generative capabilities "compile" FT infrastructure (e.g., heartbeat components and connections) during model interpretation time and synthesize meta-data
Tools available for download from www.dre.vanderbilt.edu/cosmic and www.dre.vanderbilt.edu/CIAO

Questions?