Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

12th factor: disposability (sliced off of processes)

  • Loading branch information...
commit af0180abc960f72ba5717335300db364e7f11ff1 1 parent 8e7f6e8
Adam Wiggins authored June 05, 2011
2  content/admin-processes.md
Source Rendered
... ...
@@ -1,4 +1,4 @@
1  
-## XI. Admin processes
  1
+## XII. Admin processes
2 2
 ### One-off admin/management tasks
3 3
 
4 4
 The [process formation](/concurrency) represents the array of processes that are used to do the app's regular business (such as handling web requests) as it runs.  Separately, developers will often wish to do one-off administrative or maintenance tasks for the app, such as:
2  content/dev-prod-parity.md
Source Rendered
... ...
@@ -1,4 +1,4 @@
1  
-## IX. Dev/prod parity
  1
+## X. Dev/prod parity
2 2
 ### Parity between development and production
3 3
 
4 4
 Historically, there is a substantial gap between development (a developer making live edits to a local [deploy](/codebase) of the app) and production (a running deploy of the app accessed by end users).  This is a gap in time: a developer may work on code that doesn't go to production for days, weeks, or even months.  It's a gap in personnel: developers write code, ops engineers deploy it.  And it's a gap in environments: a developer may be using Nginx, SQLite, and OS X, while the production deploy uses Apache, MySQL, and Linux.
14  content/disposability.md
Source Rendered
... ...
@@ -0,0 +1,14 @@
  1
+## IX. Disposability
  2
+### Fast startup and graceful shutdown maximize robustness
  3
+
  4
+The twelve-factor app's [processes](/processes) are architected to be stopped and started at a moment's notice, facilitating fast elastic scaling and rapid deployment of [code](/codebase) or [config](/config) changes.  This is a key element in ensuring robustness of a production deployment.
  5
+
  6
+Processes shut down gracefully when they receive a [SIGTERM](http://en.wikipedia.org/wiki/SIGTERM) signal from the process manager.  For a web process, graceful shutdown is achieved by ceasing to listen on the service port (thereby refusing any new requests), allowing any current requests to finish, and then exiting.  Implicit in this model is that HTTP requests are short (no more than a few seconds), or in the case of long polling, the client is written to seamlessly attempt a reconnect in the case of losing the long-poll connection.
  7
+
  8
+For a worker process, graceful shutdown is achieved by returning the current job to the work queue.  For example, on RabbitMQ the worker can send a `NACK`; on Beanstalkd, the job is returned to the queue automatically whenever a worker disconnects.  Lock-based systems such as Delayed Job need to be sure to release their lock on the job record.  Implicit in this model is that all jobs are [reentrant](http://en.wikipedia.org/wiki/Reentrant_%28subroutine%29), which typically is achieved by wrapping the results in a transaction, or making the operation [idempotent](http://en.wikipedia.org/wiki/Idempotence).
  9
+
  10
+In this model, minimizing startup time of any individual app process is desirable.  Ideally, a process takes a few seconds from the time the launch command is executed until the process is up and ready to receive requests or jobs.  But even a large app should try to keep its startup to to no more than 30 seconds.  Briefer startup time provides more agility for deploys, code changes, scaling up; and it aids robustness, because the process manager can more easily move processes to new physical machines when warranted.
  11
+
  12
+Processes should also be robust against sudden death, in the case of a failure in the underlying hardware.  While this is a much less common occurrence than a graceful shutdown with `SIGTERM`, it can still happen.  Use of a robust queueing backend (such as Beanstalkd) that returns jobs to the queue when clients disconnect or time out, can make all the difference here.  Either way, a twelve-factor app is architected to handle unexpected, non-graceful terminations.  [Crash-only design](http://lwn.net/Articles/191059/) takes this concept to its [logical extreme](http://couchdb.apache.org/docs/overview.html).
  13
+
  14
+
2  content/logs.md
Source Rendered
... ...
@@ -1,4 +1,4 @@
1  
-## X. Logs
  1
+## XI. Logs
2 2
 ### Logs are event streams
3 3
 
4 4
 *Logs* provide visibility into the behavior of a running app.  While they are sometimes written to a file on disk, this is only an output format - not the essence of what logs really are.
14  content/processes.md
Source Rendered
... ...
@@ -1,5 +1,5 @@
1 1
 ## VI. Processes
2  
-### Stateless, disposable processes handle application logic
  2
+### Stateless processes handle application logic
3 3
 
4 4
 The business logic of an app happens in the app code.  This code gets executed in the execution environment as one or more *processes*.
5 5
 
@@ -13,15 +13,3 @@ Asset packagers (such as [Jammit](http://documentcloud.github.com/jammit/) or [d
13 13
 
14 14
 Some web systems rely on "sticky sessions" - that is, caching user session data in memory of the app's process and expecting future requests from the same visitor to be routed to the same process.  Sticky sessions are a violation of twelve-factor and should never be used or relied upon.  Session state is a good candidate for a datastore that offers time-expiration, such as Memcached or Redis.
15 15
 
16  
-#### Processes are disposable
17  
-
18  
-Processes should be architected to be stopped and started at a moment's notice, facilitating fast elastic scaling and rapid deployment of code or config changes.  This is a key element in ensuring robustness of a production deployment.
19  
-
20  
-Processes should be prepared to shut down gracefully at any time on receiving a [SIGTERM](http://en.wikipedia.org/wiki/SIGTERM) signal from the process manager.  For a web process, graceful shutdown is achieved by ceasing to listen on the service port (thereby refusing any new requests), allowing any current requests to finish, and then exiting.  Implicit in this model is that HTTP requests are short (no more than a few seconds), or in the case of long polling, the client is written to seamlessly attempt a reconnect in the case of losing the long-poll connection.
21  
-
22  
-For a worker process, graceful shutdown is achieved by returning the current job to the work queue.  For example, on RabbitMQ the worker can send a `NACK`; on Beanstalkd, the job is returned to the queue automatically whenever a worker disconnects.  Lock-based systems such as Delayed Job need to be sure to release their lock on the job record.  Implicit in this model is that all jobs are [reentrant](http://en.wikipedia.org/wiki/Reentrant_%28subroutine%29), which typically is achieved by wrapping the results in a transaction, or making the operation [idempotent](http://en.wikipedia.org/wiki/Idempotence).
23  
-
24  
-Developers should attempt to keep process startup time low.  Ideally, it should only take a few seconds from the time the launch command is executed until the process is up and ready to receive requests or jobs.  But even a large app should try to keep its startup to to no more than 30 seconds.  Briefer startup time provides more agility for deploys, code changes, scaling up; moreover, it helps robustness, because the process manager can more easily move processes to new physical machines when warranted.
25  
-
26  
-Processes should also be robust against sudden death, in the case of a failure in the underlying hardware.  While this is a much less common occurrence than a graceful shutdown with `SIGTERM`, it can still happen.  Use of a robust queueing backend (such as Beanstalkd) that returns jobs to the queue when clients disconnect or time out, can make all the difference here.  Either way, a twelve-factor app is architected to handle unexpected, non-graceful terminations.  [Crash-only design](http://lwn.net/Articles/191059/) takes this concept to its [logical extreme](http://couchdb.apache.org/docs/overview.html).
27  
-
11  content/toc.md
Source Rendered
@@ -17,7 +17,7 @@ The Twelve Factors
17 17
 ### Strict separation of build stage and run stage
18 18
 
19 19
 ## [VI. Processes](/processes)
20  
-### Stateless, disposable processes handle application logic
  20
+### Stateless processes handle application logic
21 21
 
22 22
 ## [VII. Port binding](/port-binding)
23 23
 ### Services exported via port binding
@@ -25,11 +25,14 @@ The Twelve Factors
25 25
 ## [VIII. Concurrency](/concurrency)
26 26
 ### Scale up via the process model
27 27
 
28  
-## [IX. Dev/prod parity](/dev-prod-parity)
  28
+## [IX. Disposability](/disposability)
  29
+### Fast startup and graceful shutdown maximize robustness
  30
+
  31
+## [X. Dev/prod parity](/dev-prod-parity)
29 32
 ### Parity between development and production
30 33
 
31  
-## [X. Logs](/logs)
  34
+## [XI. Logs](/logs)
32 35
 ### Logs are event streams
33 36
 
34  
-## [XI. Admin processes](/admin-processes)
  37
+## [XII. Admin processes](/admin-processes)
35 38
 ### One-off admin/management tasks
2  web.rb
@@ -5,7 +5,7 @@
5 5
   erb :home
6 6
 end
7 7
 
8  
-TOC = %w(codebase dependencies config backing-services build-release-run processes port-binding concurrency dev-prod-parity logs admin-processes)
  8
+TOC = %w(codebase dependencies config backing-services build-release-run processes port-binding concurrency disposability dev-prod-parity logs admin-processes)
9 9
 
10 10
 get '/:factor' do |factor|
11 11
   halt 404 unless TOC.include?(factor)

0 notes on commit af0180a

Please sign in to comment.
Something went wrong with that request. Please try again.