Automatic Reliability Testing for Cluster Management Controllers

Xudong Sun; Wenqing Luo; Jiawei Tyler Gu; Aishwarya Ganesan; Ramnatthan Alagappan; Michael Gasch; Lalith Suresh; Tianyin Xu

Automatic Reliability Testing for Cluster Management Controllers

Xudong Sun, Wenqing Luo, Jiawei Tyler Gu, Aishwarya Ganesan, Ramnatthan Alagappan, Michael Gasch, Lalith Suresh, Tianyin Xu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Modern cluster managers like Borg, Omega and Kubernetes rely on the state-reconciliation principle to be highly resilient and extensible. In these systems, all cluster-management logic is embedded in a loosely coupled collection of microservices called controllers. Each controller independently observes the current cluster state and issues corrective actions to converge the cluster to a desired state. However, the complex distributed nature of the overall system makes it hard to build reliable and correct controllers - we find that controllers face myriad reliability issues that lead to severe consequences like data loss, security vulnerabilities, and resource leaks. We present Sieve, the first automatic reliability-testing tool for cluster-management controllers. Sieve drives controllers to their potentially buggy corners by systematically and extensively perturbing the controller's view of the current cluster state in ways it is expected to tolerate. It then compares the cluster state's evolution with and without perturbations to detect safety and liveness issues. Sieve's design is powered by a fundamental opportunity in state-reconciliation systems - these systems are based on state-centric interfaces between the controllers and the cluster state; such interfaces are highly transparent and thereby enable fully-automated reliability testing. To date, Sieve has efficiently found 46 serious safety and liveness bugs (35 confirmed and 22 fixed) in ten popular controllers with a low false-positive rate of 3.5%.

Original language	English (US)
Title of host publication	Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022
Publisher	USENIX Association
Pages	143-159
Number of pages	17
ISBN (Electronic)	9781939133281
State	Published - 2022
Event	16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 - Carlsbad, United States Duration: Jul 11 2022 → Jul 13 2022

Publication series

Name	Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

Conference

Conference	16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022
Country/Territory	United States
City	Carlsbad
Period	7/11/22 → 7/13/22

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture
Information Systems

Library availability

Discover UIUC Full Text

Cite this

Sun, X., Luo, W., Gu, J. T., Ganesan, A., Alagappan, R., Gasch, M., Suresh, L., & Xu, T. (2022). Automatic Reliability Testing for Cluster Management Controllers. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 (pp. 143-159). (Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022). USENIX Association.

Automatic Reliability Testing for Cluster Management Controllers. / Sun, Xudong; Luo, Wenqing; Gu, Jiawei Tyler et al.
Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022. USENIX Association, 2022. p. 143-159 (Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Sun, X, Luo, W, Gu, JT, Ganesan, A , Alagappan, R, Gasch, M, Suresh, L & Xu, T 2022, Automatic Reliability Testing for Cluster Management Controllers. in Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022. Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022, USENIX Association, pp. 143-159, 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022, Carlsbad, United States, 7/11/22.

@inproceedings{d1f62dc819f143cda60ac22fc5b54e87,

title = "Automatic Reliability Testing for Cluster Management Controllers",

abstract = "Modern cluster managers like Borg, Omega and Kubernetes rely on the state-reconciliation principle to be highly resilient and extensible. In these systems, all cluster-management logic is embedded in a loosely coupled collection of microservices called controllers. Each controller independently observes the current cluster state and issues corrective actions to converge the cluster to a desired state. However, the complex distributed nature of the overall system makes it hard to build reliable and correct controllers - we find that controllers face myriad reliability issues that lead to severe consequences like data loss, security vulnerabilities, and resource leaks. We present Sieve, the first automatic reliability-testing tool for cluster-management controllers. Sieve drives controllers to their potentially buggy corners by systematically and extensively perturbing the controller's view of the current cluster state in ways it is expected to tolerate. It then compares the cluster state's evolution with and without perturbations to detect safety and liveness issues. Sieve's design is powered by a fundamental opportunity in state-reconciliation systems - these systems are based on state-centric interfaces between the controllers and the cluster state; such interfaces are highly transparent and thereby enable fully-automated reliability testing. To date, Sieve has efficiently found 46 serious safety and liveness bugs (35 confirmed and 22 fixed) in ten popular controllers with a low false-positive rate of 3.5%.",

author = "Xudong Sun and Wenqing Luo and Gu, {Jiawei Tyler} and Aishwarya Ganesan and Ramnatthan Alagappan and Michael Gasch and Lalith Suresh and Tianyin Xu",

note = "We thank the anonymous reviewers and our shepherd, Ran-jita Bhagwan, for their insightful comments. We thank Mar-cos Aguilera, Sujata Banerjee, Mihai Budiu, Jon Howell, Rob Johnson, Matthew Lentz, Darko Marinov, Davanum Srinivas, Chaitanya Bhandari, Yinfang Chen, Lilia Tang, and Shuai Wang for valuable feedback and discussions that helped shape this work. We thank all the controller developers who engaged with us and reviewed our reports and patches. This work was funded in part by NSF SHF-1816615, CNS-2130560, CNS-2145295, and a VMware Research Gift.; 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 ; Conference date: 11-07-2022 Through 13-07-2022",

year = "2022",

language = "English (US)",

series = "Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022",

publisher = "USENIX Association",

pages = "143--159",

booktitle = "Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022",

}

TY - GEN

T1 - Automatic Reliability Testing for Cluster Management Controllers

AU - Sun, Xudong

AU - Luo, Wenqing

AU - Gu, Jiawei Tyler

AU - Ganesan, Aishwarya

AU - Alagappan, Ramnatthan

AU - Gasch, Michael

AU - Suresh, Lalith

AU - Xu, Tianyin

N1 - We thank the anonymous reviewers and our shepherd, Ran-jita Bhagwan, for their insightful comments. We thank Mar-cos Aguilera, Sujata Banerjee, Mihai Budiu, Jon Howell, Rob Johnson, Matthew Lentz, Darko Marinov, Davanum Srinivas, Chaitanya Bhandari, Yinfang Chen, Lilia Tang, and Shuai Wang for valuable feedback and discussions that helped shape this work. We thank all the controller developers who engaged with us and reviewed our reports and patches. This work was funded in part by NSF SHF-1816615, CNS-2130560, CNS-2145295, and a VMware Research Gift.

PY - 2022

Y1 - 2022

N2 - Modern cluster managers like Borg, Omega and Kubernetes rely on the state-reconciliation principle to be highly resilient and extensible. In these systems, all cluster-management logic is embedded in a loosely coupled collection of microservices called controllers. Each controller independently observes the current cluster state and issues corrective actions to converge the cluster to a desired state. However, the complex distributed nature of the overall system makes it hard to build reliable and correct controllers - we find that controllers face myriad reliability issues that lead to severe consequences like data loss, security vulnerabilities, and resource leaks. We present Sieve, the first automatic reliability-testing tool for cluster-management controllers. Sieve drives controllers to their potentially buggy corners by systematically and extensively perturbing the controller's view of the current cluster state in ways it is expected to tolerate. It then compares the cluster state's evolution with and without perturbations to detect safety and liveness issues. Sieve's design is powered by a fundamental opportunity in state-reconciliation systems - these systems are based on state-centric interfaces between the controllers and the cluster state; such interfaces are highly transparent and thereby enable fully-automated reliability testing. To date, Sieve has efficiently found 46 serious safety and liveness bugs (35 confirmed and 22 fixed) in ten popular controllers with a low false-positive rate of 3.5%.

AB - Modern cluster managers like Borg, Omega and Kubernetes rely on the state-reconciliation principle to be highly resilient and extensible. In these systems, all cluster-management logic is embedded in a loosely coupled collection of microservices called controllers. Each controller independently observes the current cluster state and issues corrective actions to converge the cluster to a desired state. However, the complex distributed nature of the overall system makes it hard to build reliable and correct controllers - we find that controllers face myriad reliability issues that lead to severe consequences like data loss, security vulnerabilities, and resource leaks. We present Sieve, the first automatic reliability-testing tool for cluster-management controllers. Sieve drives controllers to their potentially buggy corners by systematically and extensively perturbing the controller's view of the current cluster state in ways it is expected to tolerate. It then compares the cluster state's evolution with and without perturbations to detect safety and liveness issues. Sieve's design is powered by a fundamental opportunity in state-reconciliation systems - these systems are based on state-centric interfaces between the controllers and the cluster state; such interfaces are highly transparent and thereby enable fully-automated reliability testing. To date, Sieve has efficiently found 46 serious safety and liveness bugs (35 confirmed and 22 fixed) in ten popular controllers with a low false-positive rate of 3.5%.

UR - http://www.scopus.com/inward/record.url?scp=85141074754&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85141074754&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85141074754

T3 - Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

SP - 143

EP - 159

BT - Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

PB - USENIX Association

T2 - 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

Y2 - 11 July 2022 through 13 July 2022

ER -

Automatic Reliability Testing for Cluster Management Controllers

Abstract

Publication series

Conference

ASJC Scopus subject areas

Library availability

Related links

Fingerprint

Cite this