ev <html>
<head>
<title>Fall 2001- 
       CS514 Fault-tolerant Distributed Computer Systems -
       Programming Assignment, Phase&nbsp;V</title>
</head>
<body>
<h2>Phase&nbsp;V:  Agreement and Reconfiguration</h2>
<P>
<h4>Due: 8:00am Thursday, Dec. 6.</h4>
<P>
<STRONG>
General Instructions.
</STRONG>
Students are required to work together in teams.
You may work in the team you used for an earlier phase or you may form a new team.
An assignment submitted on behalf of a "team" having fewer than 3 or
more than 5 students will receive a grade of F.
All members of the team are responsible for understanding the entire
assignment.
<P>
This assignment builds on Phase IV.
Feel free to use any team's solutions to that phase as the basis for your
solution to this phase.
<P>
No late assignments will be accepted.
<P>
<em>Academic Integrity</em>.  Collaboration between groups is
prohibited and will be treated as a violation of the University's
academic integrity code.

<h4>Background:  Eliminating Simplifications</h4>

The solution to phase IV involved two significant
simplifications---one explicit and one implicit.
<UL>
<LI>The explicit simplification was the use of a naive broadcast algorithm
in place of an agreement protocol.
<P>
<LI>The implicit simplification was to ignore the possibility that failed
processors restart.
</UL>
This assignment targets those simplifications.
It gives you an opportunity to program an agreement protocol
and to program a state machine recovery protocol.
Among other things, extending the state-machine protocols you built in phase IV
will give insights into the virtues of well-chosen interfaces software interfaces.
Note, you are expected to <STRONG>extend</STRONG> what you (or some other group)
submitted for phase IV---<STRONG>you should not modify abstractions or code that is
unrelated to the agreement protocol or processor restart/recovery.</STRONG>


<h4>What to Build</h4>
The assumptions for this phase are the same as for the previous one:
<UL>
<LI>Processor failures are benign (i.e. failstop) and not Byzantine.
<LI>Benign ranch GUI failures <STRONG>are</STRONG> possible.
<LI>Each communication channel is bidirectional.
<LI>Communication channels are reliable and FIFO.
<LI>Every bank branch is directly connected to every other.  Thus, the network topology
is a completely connected graph (i.e., with N*(N-1) bi-directional edges).
</UL>
<STRONG>
Agreement Protocol for Failstop Processors.
</STRONG>
Program  the fail-stop reliable broadcast
protocol discussed in class,
and replace the naive broadcast routine that simulates an agreement protocol
in your phase IV solution.
Here are some pointers to descriptions of that fail-stop reliable broadcast protocol:
<UL>
<LI>
A somewhat technical derivation appears in
<A HREF="fault_tolerant.ps">Fault-tolerant Broadcasts</A>
<LI>
An informal discussion appears in section 4.2 of
<A HREF="nap_practical_fault.ps">NAP: Practical Fault-Tolerance for Itinerant Computations</A>
</UL>
For additional credit, feel free to implement a Byzantine agreement protocol.
Note that to do this,
you will have to make some synchrony assumptions about message delivery delays and
clock skews.
Depending on which
Byzantine Agreement protocol you choose, you may also have to arrange for each host
to have a public/private key pair---feel free to assume that these keys are pre-loaded
and don't ever have to be changed.
<P><P>
<STRONG>
Processor Restarts.
</STRONG>
"Recovery code" is executed following the repair of a faulty branch server.
Phase IV ignored this;
it's now time to write that recovery code.
Your recovery code should reconstruct the state of the branch server for the local
branch and for all branch server replicas that were being executed and failed
along with it.
<P>
For testing your system,
it's probably a good idea to extend the branch GUI with some additional status indicators
to signal which replicas at that branch are operational, which are executing recovery code,
and which are halted (due to failures).
<P><P>
<STRONG>
State Machine Reconfiguration.
</STRONG>
An extremely flexible implementation
of replicated state machines
would provide a new management interface (accessible through a new GUI) that allows
state machine replicas on any host to be terminated and allows new state
machine replicas to be started on any host.
The <tt>CONFIG</tt> file now is interpreted as defining
the initial configuration for the system, and
subsequent actions by system administrators (over this new interface) cause other
configurations to exist.
<P>
Such a new management interface will get additional credit;
we will be evaluating both the new interface, what it permits and doesn't permit,
and how the new interface is integrated into existing system components (e.g., branch GUI).
A good design for accomplishing system reconfiguration
will build as much as possible on existing functionality.
For example,
terminating a server replica is not very different from a fail-stop failure
and starting a server replica is not very different from restarting a server replica
when a failed host is restarted.
<P>
A new GUI is not the only way to leverage the new management interface.
One might also employ a configuration management process to instigate configuration
changes.
This process, for example,
would start state-machine replicas in response to host failures
so that the total number of replicas for each state machine remains near some preferred
level.
This configuration management process instigates action in response to
processor failures and restarts.
Credit will be awarded for sensible implementations of such functionality.
<P>
<P>
<STRONG>
Submission Procedure.
</STRONG>
Create a directory containing the files you wish us to grade.
Call this directory xxxxx0,
where xxxxx is the Cornell network id
of the team member whose net id is alphabetically smallest of your team.
Then copy this directory to the following folder:
<P>
<tt>\\Goose\courses\cs514-fall01\proj05.submit</tt>
<P>
Don't be disturbed by warnings informing you that the file cannot be accessed
after it has been copied.
<P>
Should you wish to revise your submission after you have copied it to our folder,
then simply correct the files and re-copy the entire directory---but this
time use the name xxxxx1.
Revisions to that should be named xxxxx2,
and so on.
We will grade only the largest-numbered file of a series.
No late submissions will be accepted.
<P>
Your directory should contain the following files (at least):
<DL>
<DD>
<tt>TEAM</tt> which contains the names (and net-ids) for all team members.
Also, for each team member give a 1 or 2 paragraph description of the tasks
this team member performed and the number of hours this required.
<P>
<DD>
<tt>README</tt> which contains
<UL>
<LI>The names and a description of the contents for the other files in the directory.
<LI>Instructions for installing, compiling, and running your software on our
    system.
<LI>A tutorial that the grader can follow to start your software and to convince
    himself that your system implements the required functionality.  Expect the grader
    to spend at most 10 minutes on this task.
</UL>
<P>
<DD>
<tt>LOGIC</tt> which contains
a brief description of the specific protocols that were implemented.
<P>
<DD>
<tt>CONFIG</tt> which contains a description of the numbers and locations of
state machine replicas.
<P>
<DD>
<P>
<DD>
JAVA source file that contain the Java source needed to compile and test your system.
</DL>
<P>
<STRONG>
Grading.
</STRONG>
Your grade will be based on the following elements:
<UL>
<LI>
Is your agreement protocol correctly implemented.
<LI>
Does your server recovery scheme work.
<LI>
How easy is it to follow the <tt>README</tt> file installation
and sample-execution script?
<LI>
Is the source code easy to understand and does it exhibit good structure?
</UL>
<P>
</body>
</html>