Circuit Breaker

Why are they used?

A circuit breaker is used to provide stability and prevent cascading failures in distributed systems. These should be used in conjunction with judicious timeouts at the interfaces between remote systems to prevent the failure of a single component from bringing down all components.

As an example, we have a web application interacting with a remote third party web service.
Let's say the third party has oversold their capacity and their database melts down under load.
Assume that the database fails in such a way that it takes a very long time to hand back an error to the third party web service. This in turn makes calls fail after a long period of time. Back to our web application, the users have noticed that their form submissions take much longer seeming to hang. Well the users do what they know to do which is use the refresh button, adding more requests to their already running requests. This eventually causes the failure of the web application due to resource exhaustion. This will affect all users, even those who are not using functionality dependent on this third party web service.

Introducing circuit breakers on the web service call would cause the requests to begin to fail-fast, letting the user know that something is wrong and that they need not refresh their request. This also confines the failure behavior to only those users that are using functionality dependent on the third party, other users are no longer affected as there is no resource exhaustion. Circuit breakers can also allow savvy developers to mark portions of the site that use the functionality unavailable, or perhaps show some cached content as appropriate while the breaker is open.

The Akka library provides an implementation of a circuit breaker called @apidoc[CircuitBreaker] which has the behavior described below.

What do they do?

• During normal operation, a circuit breaker is in the Closed state:

  • Exceptions or calls exceeding the configured callTimeout increment a failure counter
  • Successes reset the failure count to zero
  • When the failure counter reaches a maxFailures count, the breaker is tripped into Open state

• While in Open state:

  • All calls fail-fast with a @apidoc[CircuitBreakerOpenException]
  • After the configured resetTimeout, the circuit breaker enters a Half-Open state

• In Half-Open state:

  • The first call attempted is allowed through without failing fast
  • All other calls fail-fast with an exception just as in Open state
  • If the first call succeeds, the breaker is reset back to Closed state and the resetTimeout is reset
  • If the first call fails, the breaker is tripped again into the Open state (as for exponential backoff circuit breaker, the resetTimeout is multiplied by the exponential backoff factor)

• State transition listeners:

  • Callbacks can be provided for every state entry via @apidoconOpen {scala="#onOpen(callback:=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnOpenListener(java.lang.Runnable)"}, @apidoconClose {scala="#onClose(callback:=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnCloseListener(java.lang.Runnable)"}, and @apidoconHalfOpen {scala="#onHalfOpen(callback:=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnHalfOpenListener(java.lang.Runnable)"}
  • These are executed in the @scaladocExecutionContext provided.

• Calls result listeners:

  • Callbacks can be used eg. to collect statistics about all invocations or to react on specific call results like success, failures or timeouts.
  • Supported callbacks are: @apidoconCallSuccess {scala="#onCallSuccess(callback:Long=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnCallSuccessListener(java.util.function.Consumer)"}, @apidoconCallFailure {scala="#onCallFailure(callback:Long=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnCallFailureListener(java.util.function.Consumer)"}, @apidoconCallTimeout {scala="#onCallTimeout(callback:Long=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnCallTimeoutListener(java.util.function.Consumer)"}, @apidoconCallBreakerOpen {scala="#onCallBreakerOpen(callback:=%3EUnit):akka.pattern.CircuitBreaker" java="#addOnCallBreakerOpenListener(java.lang.Runnable)"}.
  • These are executed in the @scaladocExecutionContext provided.

Examples

Initialization

Here's how a named @apidoc[CircuitBreaker] is configured with the name data-access:

• 5 maximum failures
• a call timeout of 10 seconds
• a reset timeout of 1 minute

@@snip application.conf { #config }

The circuit breaker is created on first access with the same name, subsequent lookups will return the same circuit breaker instance. Looking up the circuit breaker and using it looks like this:

Scala : @@snip CircuitBreakerDocSpec.scala { #circuit-breaker-initialization }

Java : @@snip DangerousJavaActor.java { #circuit-breaker-initialization }

Future & Synchronous based API

Once a circuit breaker actor has been initialized, interacting with that actor is done by either using the Future based API or the synchronous API. Both of these APIs are considered Call Protection because whether synchronously or asynchronously, the purpose of the circuit breaker is to protect your system from cascading failures while making a call to another service.

In the future based API, we use the @scala[@scaladocwithCircuitBreaker]@java[@javadoccallWithCircuitBreakerCS] which takes an asynchronous method (some method wrapped in a @scala[@scaladocFuture]@java[@javadocCompletionState]), for instance a call to retrieve data from a service, and we pipe the result back to the sender. If for some reason the service in this example isn't responding, or there is another issue, the circuit breaker will open and stop trying to hit the service again and again until the timeout is reached.

Scala : @@snip CircuitBreakerDocSpec.scala { #circuit-breaker-usage }

Java : @@snip CircuitBreakerDocTest.java { #circuit-breaker-usage }

The Synchronous API would also wrap your call with the circuit breaker logic, however, it uses the @scala[@scaladocwithSyncCircuitBreaker]@java[@javadoccallWithSyncCircuitBreaker] and receives a method that is not wrapped in a @scala[Future]@java[CompletionState].

The CircuitBreaker will execute all callbacks on the default system dispatcher.

Control failure count explicitly

By default, the circuit breaker treats @javadocException as failure in synchronized API, or failed @scala[@scaladocFuture]@java[@javadocCompletionState] as failure in future based API. On failure, the failure count will increment. If the failure count reaches the maxFailures, the circuit breaker will be opened. However, some applications may require certain exceptions to not increase the failure count. In other cases one may want to increase the failure count even if the call succeeded. Akka circuit breaker provides a way to achieve such use cases: @scala[@scaladocwithCircuitBreaker and @scaladocwithSyncCircuitBreaker]@java[@javadoccallWithCircuitBreaker, @javadoccallWithSyncCircuitBreaker and @javadoccallWithCircuitBreakerCS].

All methods above accept an argument defineFailureFn

Type of defineFailureFn: @scala[@scaladocTry[T] => @scaladocBoolean]@java[@javadocBiFunction[@javadocOptional[T], @javadocOptional[@javadocThrowable], @javadocBoolean]]

@scala[This is a function which takes in a @scaladocTry[T] and returns a @scaladocBoolean. The @scaladocTry[T] correspond to the @scaladocFuture[T] of the protected call.] @java[The response of a protected call is modelled using @javadocOptional[T] for a successful return value and @javadocOptional[@javadocThrowable] for exceptions.] This function should return true if the result of a call should increase the failure count, or false to not affect the count.

Scala : @@snip CircuitBreakerDocSpec.scala { #even-no-as-failure }

Java : @@snip CircuitBreakerDocTest.java { #even-no-as-failure }

Low level API

Instead of looking up a configured circuit breaker by name, it is also possible to construct it in the source code:

Scala : @@snip CircuitBreakerDocSpec.scala { #manual-construction }

Java : @@snip CircuitBreakerDocTest.java { #manual-construction }

This also allows for creating the circuit breaker with a specific execution context to run its callbacks on.

The low-level API allows you to describe the behavior of the @apidocCircuitBreaker in detail, including deciding what to return to the calling @apidocActor in case of success or failure. This is especially useful when expecting the remote call to send a reply. @apidocCircuitBreaker doesn't support Tell Protection (protecting against calls that expect a reply) natively at the moment. Thus, you need to use the low-level power-user APIs, @apidocsucceed {scala="#succeed():Unit" java="#succeed()"} and @apidocfail {scala="#fail():Unit" java="#fail()"} methods, as well as @apidocisClosed {scala="#isClosed:Boolean" java="#isClosed()"}, @apidocisOpen {scala="#isOpen:Boolean" java="#isOpen()"}, @apidocisHalfOpen {scala="#isHalfOpen:Boolean" java="#isHalfOpen()"} to implement it.

As can be seen in the examples below, a Tell Protection pattern could be implemented by using the @apidocsucceed {scala="#succeed():Unit" java="#succeed()"} and @apidocfail {scala="#fail():Unit" java="#fail()"} methods, which would count towards the @apidocCircuitBreaker counts. In the example, a call is made to the remote service if the breaker is closed or half open. Once a response is received, the @apidocsucceed {scala="#succeed():Unit" java="#succeed()"} method is invoked, which tells the @apidocCircuitBreaker to keep the breaker closed. On the other hand, if an error or timeout is received we trigger a @apidocfail {scala="#fail():Unit" java="#fail()"}, and the breaker accrues this failure towards its count for opening the breaker.

Scala : @@snip CircuitBreakerDocSpec.scala { #circuit-breaker-tell-pattern }

Java : @@snip CircuitBreakerDocTest.java { #circuit-breaker-tell-pattern }

@@@ note

This example always makes remote calls when the state is HalfOpen. Using the power-user APIs, it is your responsibility to judge when to make remote calls in HalfOpen.

@@@