Cooperative Graceful Degradation In Containerized Clouds

TL;DR

Public clouds lack cooperative, automated resilience that preserves application availability during capacity crunch. The authors introduce diagonal scaling with Criticality Tags and implement Phoenix, a planner and scheduler that reallocate capacity at the container level to maximize critical-service availability while respecting operator objectives. They provide AdaptLab, an open-source benchmarking framework, and validate the approach through CloudLab experiments and Alibaba-trace simulations, achieving up to $2\times$ critical-service availability gains and end-to-end recovery within minutes on large clusters. The work demonstrates the practicality of container-level cooperation for resilience in public clouds and outlines future extensions to stateful workloads and dynamic tagging.

Abstract

Cloud resilience is crucial for cloud operators and the myriad of applications that rely on the cloud. Today, we lack a mechanism that enables cloud operators to perform graceful degradation of applications while satisfying the application's availability requirements. In this paper, we put forward a vision for automated cloud resilience management with cooperative graceful degradation between applications and cloud operators. First, we investigate techniques for graceful degradation and identify an opportunity for cooperative graceful degradation in public clouds. Second, leveraging criticality tags on containers, we propose diagonal scaling -- turning off non-critical containers during capacity crunch scenarios -- to maximize the availability of critical services. Third, we design Phoenix, an automated cloud resilience management system that maximizes critical service availability of applications while also considering operator objectives, thereby improving the overall resilience of the infrastructure during failures. We experimentally show that the Phoenix controller running atop Kubernetes can improve critical service availability by up to $2\times$ during large-scale failures. Phoenix can handle failures in a cluster of 100,000 nodes within 10 seconds. We also develop AdaptLab, an open-source resilience benchmarking framework that can emulate realistic cloud environments with real-world application dependency graphs.

Figures (17)

• Figure 1: Table comparing features of app-level tools xu2019brownoutklein2014brownoutresilience4jhystrixgolimitergobackoffistioconsulweb-graceful1web-graceful2mail-graceful1storage-graceful1storage-graceful2storage-graceful3search-graceful1load-shedding1load-shedding2load-shedding3beyer2016sitecho2020overloadzhou2018overload, operator strategies levy2020predictivekumbhare2021prediction, DEFCON meza2023defcon and Phoenix.
• Figure 2: Diagonal Scaling. (a) Original application dependency graph (DG) with 3 microservices. (b) Diagonally scaled DG with one microservice removed. (c) Comparison of horizontal, vertical, and diagonal scaling techniques.
• Figure 3: Phoenix System Diagram
• Figure 4: Resilience objective of individual applications. For example, we say Overleaf0's resilience goal is satisfied if the served requests-per-second (RPS) of document-edits remains unaffected.
• Figure 5: Resilience schemes evaluated on a Kubernetes cluster with cluster capacity reduced to 42%. Critical service availability across microservice applications (with heterogeneous goals based on Table \ref{['tab:resilience-per-app']}) is shown. The x-axis shows the operator objectives.