混沌工程與故障注入實戰

混沌工程與故障注入實戰

前言

在當今高度分佈式的雲原生架構中，系統的複雜性呈指數級增長。傳統的測試方法只能驗證系統在正常情況下的行為，但無法保證系統在面對各種故障場景時能夠保持穩定。混沌工程（Chaos Engineering）作為一種新興的工程實踐，通過在生產環境中主動引入故障來發現系統的薄弱環節，從而提高系統的韌性和可靠性。Netflix是最早推行混沌工程的公司，其開源的Chaos Monkey工具至今仍是業界標杆。本文將深入探討混沌工程的核心理念、在Spring Boot應用中的實踐方法、故障注入工具的使用，以及如何構建完善的韌性測試策略。

混沌工程核心理念

什麼是混沌工程

混沌工程是一種在系統上进行實驗的學科，目的是建立對系統抵禦現實世界中混亂情況能力的信心。這種方法的核心思想是：與其等待故障發生後被動應對，不如主動在受控環境中製造故障，提前發現並修復潛在問題。

混沌工程與傳統測試的區別在於：傳統測試是確定性的，它驗證系統在預期條件下的行為；而混沌工程是不確定的，它探索系統在非預期條件下的表現。混沌工程不僅發現已知的問題，更重要的是發現那些我們不知道的問題。

混沌工程實驗流程： 1. 定義穩態（Define Steady State） ↓ 2. 假設（Form Hypothesis） ↓ 3. 設計實驗（Design Experiment） ↓ 4. 執行實驗（Execute Experiment） ↓ 5. 觀察結果（Observe Results） ↓ 6. 分析影響（Analyze Impact） ↓ 7. 關閉實驗（Stop Experiment） ↓ 8. 改進系統（Improve System）

混沌工程原則

Netflix提出的混沌工程原則為業界提供了重要的指導方針：

穩態假設（Steady State Hypothesis）：在開始實驗前，必須定義什麼是系統的「正常」行為。只有建立了這個基線，才能判斷故障是否對系統造成了影響。

多樣化真實事件（Simulate Real World Events）：注入的故障應該模擬真實世界中可能發生的問題，如網絡延遲、服務器宕機、磁盤滿等。

生產環境實驗（Production Experiments）：只有生產環境才能真正反映系統的實際表現。但在生產環境中實驗需要非常謹慎，確保有完善的回滾機制。

最小化影響範圍（Minimize Blast Radius）：每次實驗都應該只影響最小的用戶群體，並確保可以快速恢復。

自動化實驗（Automate Experiments）：將實驗自動化，定期執行，持續監控系統韌性。

Spring Boot故障注入實踐

Chaos Monkey for Spring Boot

Chaos Monkey for Spring Boot是專為Spring Boot應用設計的故障注入工具，它提供了多種故障注入方式：

<dependencies> <dependency> <groupId>de.cognicrypt</groupId> <artifactId>chaos-monkey-spring-boot</artifactId> <version>3.0.0</version> </dependency> </dependencies> spring: chaos: monkey: enabled: true endpoint: enabled: true custom-actuator-endpoint-key: chaos-monkey watcher: active: true controller: true rest-controller: true service: true repository: false component: true assaults: latency-assault: enabled: true latency-range-min: 1000 latency-range-max: 5000 exception-assault: enabled: true exception-type: java.lang.RuntimeException exceptions: [] kill-application-assault: enabled: false memory-assault: enabled: false memory-fill-level: 50 cpu-assault: enabled: false cpu-load-range: 50

自定義故障注入器

@Component @Slf4j public class CustomChaosEngine { private final Map<String, FaultStrategy> faultStrategies = new ConcurrentHashMap<>(); private volatile boolean enabled = true; @PostConstruct public void init() { faultStrategies.put("timeout", new TimeoutFaultStrategy()); faultStrategies.put("circuit-breaker", new CircuitBreakerFaultStrategy()); faultStrategies.put("data-corruption", new DataCorruptionFaultStrategy()); faultStrategies.put("rate-limiter", new RateLimiterFaultStrategy()); } public <T> Mono<T> injectFault(Mono<T> original, String faultType, int probability) { if (!enabled || !shouldInjectFault(probability)) { return original; } FaultStrategy strategy = faultStrategies.get(faultType); if (strategy == null) { log.warn("Unknown fault type: {}", faultType); return original; } return original .delayElement(Duration.ofMillis(50)) .transform(mono -> strategy.apply(mono)); } private boolean shouldInjectFault(int probability) { return ThreadLocalRandom.current().nextInt(100) < probability; } public void setEnabled(boolean enabled) { this.enabled = enabled; } } public interface FaultStrategy { <T> Publisher<T> apply(Publisher<T> original); } @Component @Slf4j public class TimeoutFaultStrategy implements FaultStrategy { @Override public <T> Publisher<T> apply(Publisher<T> original) { return Mono.timeout(original.flatMap(t -> Mono.just(t)), Duration.ofMillis(100)) .onErrorResume(TimeoutException.class, e -> { log.info("Timeout fault injected"); return Mono.error(new ServiceTimeoutException("服務響應超時")); }); } } @Component @Slf4j public class CircuitBreakerFaultStrategy implements FaultStrategy { private final CircuitBreakerRegistry registry = CircuitBreakerRegistry.ofDefaults(); @Override public <T> Publisher<T> apply(Publisher<T> original) { CircuitBreaker breaker = registry.circuitBreaker("chaos-breaker"); return Mono.fromCallable(() -> original) .transform(breaker) .onErrorResume(e -> { log.info("Circuit breaker fault injected: {}", e.getMessage()); return Mono.error(new ServiceUnavailableException("服務暫不可用")); }); } } @Component @Slf4j public class DataCorruptionFaultStrategy implements FaultStrategy { @Override public <T> Publisher<T> apply(Publisher<T> original) { return Flux.from(original) .map(item -> { if (ThreadLocalRandom.current().nextBoolean()) { log.info("Data corruption fault injected"); throw new DataCorruptionException("數據損壞"); } return item; }); } } @Component @Slf4j public class RateLimiterFaultStrategy implements FaultStrategy { private final AtomicInteger requestCount = new AtomicInteger(0); private final int maxRequests; private volatile Instant windowStart; public RateLimiterFaultStrategy() { this.maxRequests = 10; this.windowStart = Instant.now(); } @Override public <T> Publisher<T> apply(Publisher<T> original) { Instant now = Instant.now(); if (Duration.between(windowStart, now).getSeconds() > 60) { requestCount.set(0); windowStart = now; } if (requestCount.incrementAndGet() > maxRequests) { log.info("Rate limiter fault injected"); return Mono.error(new RateLimitExceededException("請求頻率超限")); } return original; } }

Netflix Chaos Monkey配置

完整配置示例

spring: application: name: chaos-monkey-demo chaos: monkey: enabled: true endpoint: enabled: true port: 8088 custom-actuator-endpoint-key: /actuator/chaosmonkey assaults: latency-assault: enabled: true latency-range-min: 2000 latency-range-max: 8000 probability-range: 30 exception-assault: enabled: true exceptions: - class: java.lang.RuntimeException message: "Chaos Monkey Exception" - class: org.springframework.web.client.HttpServerErrorException message: "Service temporarily unavailable" probability-range: 10 kill-application-assault: enabled: false memory-assault: enabled: true memory-fill-level: 60 aggressive-fill-level: 80 duration-in-seconds: 30 cpu-assault: enabled: true cpu-load-range: 70 duration-in-seconds: 15 thread-sleep-assault: enabled: true sleep-range-min: 1000 sleep-range-max: 3000 watchers: controller: true rest-controller: true service: true repository: false component: true async: false

通過REST API控制故障注入

@RestController @RequestMapping("/chaos") public class ChaosController { private final ChaosMonkeyService chaosMonkeyService; private final ChaosSettings settings; @Autowired public ChaosController(ChaosMonkeyService chaosMonkeyService, ChaosSettings settings) { this.chaosMonkeyService = chaosMonkeyService; this.settings = settings; } @GetMapping("/status") public ResponseEntity<Map<String, Object>> getStatus() { Map<String, Object> status = new HashMap<>(); status.put("enabled", settings.isEnabled()); status.put("assaults", getAssaultStatus()); status.put("watchers", getWatcherStatus()); return ResponseEntity.ok(status); } @PostMapping("/enable") public ResponseEntity<String> enableChaos() { chaosMonkeyService.enable(); return ResponseEntity.ok("Chaos Monkey enabled"); } @PostMapping("/disable") public ResponseEntity<String> disableChaos() { chaosMonkeyService.disable(); return ResponseEntity.ok("Chaos Monkey disabled"); } @PostMapping("/assaults/latency") public ResponseEntity<String> configureLatencyAssault( @RequestParam int minLatency, @RequestParam int maxLatency, @RequestParam int probability) { settings.getAssaults().getLatencyAssault().setEnabled(true); settings.getAssaults().getLatencyAssault().setLatencyRangeMin(minLatency); settings.getAssaults().getLatencyAssault().setLatencyRangeMax(maxLatency); settings.getAssaults().getLatencyAssault().setProbabilityRange(probability); return ResponseEntity.ok("Latency assault configured"); } @PostMapping("/assaults/exception") public ResponseEntity<String> configureExceptionAssault( @RequestParam String exceptionClass, @RequestParam String message, @RequestParam int probability) { ExceptionAssaultConfig exceptionConfig = settings.getAssaults().getExceptionAssault(); exceptionConfig.setEnabled(true); exceptionConfig.setExceptionType(exceptionClass); exceptionConfig.getExceptions().clear(); exceptionConfig.getExceptions().add(ExceptionConfig.builder() .className(exceptionClass) .message(message) .build()); exceptionConfig.setProbabilityRange(probability); return ResponseEntity.ok("Exception assault configured"); } @PostMapping("/assaults/memory") public ResponseEntity<String> configureMemoryAssault( @RequestParam int fillLevel, @RequestParam int durationSeconds) { MemoryAssaultConfig memoryConfig = settings.getAssaults().getMemoryAssault(); memoryConfig.setEnabled(true); memoryConfig.setMemoryFillLevel(fillLevel); memoryConfig.setDurationInSeconds(durationSeconds); return ResponseEntity.ok("Memory assault configured"); } private Map<String, Boolean> getAssaultStatus() { AssaultProperties assaults = settings.getAssaults(); Map<String, Boolean> status = new HashMap<>(); status.put("latency", assaults.getLatencyAssault().isEnabled()); status.put("exception", assaults.getExceptionAssault().isEnabled()); status.put("memory", assaults.getMemoryAssault().isEnabled()); status.put("cpu", assaults.getCpuAssault().isEnabled()); status.put("kill", assaults.getKillApplicationAssault().isEnabled()); return status; } private Map<String, Boolean> getWatcherStatus() { WatcherProperties watchers = settings.getWatcher(); Map<String, Boolean> status = new HashMap<>(); status.put("controller", watchers.isController()); status.put("restController", watchers.isRestController()); status.put("service", watchers.isService()); status.put("repository", watchers.isRepository()); return status; } }

故障注入測試腳本

JMeter故障場景測試

<?xml version="1.0" encoding="UTF-8"?> <jmeterTestPlan version="1.2" properties="5.0"> <hashTree> <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="Chaos Engineering Test"> <stringProp name="TestPlan.thread_group_count">50</stringProp> <stringProp name="TestPlan.ramp_time">10</stringProp> </TestPlan> <hashTree> <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Normal Operations"> <stringProp name="ThreadGroup.num_threads">20</stringProp> <stringProp name="ThreadGroup.ramp_time">5</stringProp> </ThreadGroup> <hashTree> <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="Normal API Call"> <stringProp name="HTTPSampler.domain">api.example.com</stringProp> <stringProp name="HTTPSampler.path">/api/v1/products</stringProp> <stringProp name="HTTPSampler.method">GET</stringProp> </HTTPSamplerProxy> </hashTree> <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Latency Injection"> <stringProp name="ThreadGroup.num_threads">10</stringProp> <stringProp name="ThreadGroup.ramp_time">2</stringProp> <boolProp name="ThreadGroup.delayedStart">true</boolProp> </ThreadGroup> <hashTree> <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="API Call Under Latency"> <stringProp name="HTTPSampler.domain">api.example.com</stringProp> <stringProp name="HTTPSampler.path">/api/v1/orders</stringProp> <stringProp name="HTTPSampler.method">POST</stringProp> <timeToWait>15000</timeToWait> </HTTPSamplerProxy> </hashTree> <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Partial Failure"> <stringProp name="ThreadGroup.num_threads">20</stringProp> <stringProp name="ThreadGroup.ramp_time">3</stringProp> </ThreadGroup> <hashTree> <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="API Call with Errors"> <stringProp name="HTTPSampler.domain">api.example.com</stringProp> <stringProp name="HTTPSampler.path">/api/v1/payments</stringProp> <stringProp name="HTTPSampler.method">POST</stringProp> </HTTPSamplerProxy> <hashTree> <ResponseAssertion guiclass="AssertionGui" testclass="ResponseAssertion" testname="Allow 500 Errors"> <collectionProp name="Asserion.test_strings"> <stringProp name="0">500</stringProp> <stringProp name="1">502</stringProp> <stringProp name="2">503</stringProp> </collectionProp> <stringProp name="Assertion.custom_error_message">Service unavailable during chaos</stringProp> </ResponseAssertion> </hashTree> </hashTree> </hashTree> </hashTree> </jmeterTestPlan>

Kubernetes環境故障注入

使用PowerfulSeal進行故障注入

# powerfulseal-config.yaml inventory: hosts: - name: production connection: host: ${KUBERNETES_API_SERVER} ssh-port: 22 user: ${SSH_USER} key_path: /root/.ssh/id_rsa sudo: true kubectl: true context: production scenarios: - name: "Kill random pods" description: "Kill random pods to test resilience" steps: - kubectl: cmd: ["get", "pods", "-n", "default", "-o", "json"] filter: "$.items[*].metadata.name" register: "pods" - choose: from: "pods" pick: 1 register: "target_pod" - kubectl: cmd: ["delete", "pod", "${target_pod}", "-n", "default", "--force"] on: - always - name: "Network partition simulation" description: "Block network traffic to test partition handling" steps: - choose: hosts: - name: worker1 - name: worker2 pick: 1 register: "target_host" - shell: cmd: ["iptables", "-A", "INPUT", "-j", "DROP"] on: - "${target_host}" pause: 30 - name: "CPU stress test" description: "Stress CPU on random nodes" steps: - shell: cmd: ["stress-ng", "--cpu", "4", "--timeout", "60s"] on: - all

監控與觀察

故障實驗觀測點

@Service @Slf4j public class ChaosExperimentObserver { private final MeterRegistry meterRegistry; private final AtomicInteger activeExperiments = new AtomicInteger(0); private final List<ExperimentResult> results = new CopyOnWriteArrayList<>(); @Autowired public ChaosExperimentObserver(MeterRegistry meterRegistry) { this.meterRegistry = meterRegistry; Gauge.builder("chaos.experiments.active", activeExperiments, AtomicInteger::get) .description("Number of active chaos experiments") .register(meterRegistry); } public void startExperiment(String experimentName) { activeExperiments.incrementAndGet(); log.info("Starting chaos experiment: {}", experimentName); Timer timer = meterRegistry.timer("chaos.experiment.duration", "experiment", experimentName); timer.record(() -> { try { executeExperiment(experimentName); } finally { activeExperiments.decrementAndGet(); } }); } private void executeExperiment(String experimentName) { Instant start = Instant.now(); try { switch (experimentName) { case "network-latency": testNetworkLatency(); break; case "service-failure": testServiceFailure(); break; case "database-connection": testDatabaseConnection(); break; case "memory-pressure": testMemoryPressure(); break; default: log.warn("Unknown experiment: {}", experimentName); } results.add(new ExperimentResult(experimentName, start, Instant.now(), true, null)); meterRegistry.counter("chaos.experiments.success", "experiment", experimentName).increment(); } catch (Exception e) { results.add(new ExperimentResult(experimentName, start, Instant.now(), false, e)); meterRegistry.counter("chaos.experiments.failure", "experiment", experimentName).increment(); log.error("Experiment {} failed", experimentName, e); } } public List<ExperimentResult> getResults() { return new ArrayList<>(results); } @Getter @AllArgsConstructor public static class ExperimentResult { private String experimentName; private Instant startTime; private Instant endTime; private boolean success; private String errorMessage; public Duration getDuration() { return Duration.between(startTime, endTime); } } }

最佳實踐

混沌工程成熟度模型

混沌工程成熟度級別： Level 1: 初始階段 - 了解混沌工程概念 - 進行手動故障測試 - 沒有監控和自動化 Level 2: 定義基線 - 定義關鍵業務指標 - 建立正常行為基線 - 記錄故障場景 Level 3: 自動化實驗 - 自動化故障注入 - 自動化結果收集 - 與CI/CD集成 Level 4: 生產實驗 - 生產環境故障注入 - 完善的回滾機制 - 定期演練 Level 5: 持續改進 - 遊戲日（Game Day） - 跨團隊協作 - 持續優化系統韌性

總結

混沌工程是提升系統韌性的重要實踐，它幫助團隊在故障發生之前發現並修復潛在問題。通過本文的學習，我們掌握了在Spring Boot應用中實施混沌工程的方法，包括Chaos Monkey配置、自定義故障注入器、Kubernetes環境故障注入以及監控觀測機制。需要強調的是，混沌工程是一項需要謹慎對待的實踐，在生產環境中實施前必須確保有完善的監控、回滾和溝通機制。通過持續的故障注入演練，團隊可以不斷提升系統的韌性，為用戶提供更加穩定可靠的服務。