Original URL: https://www.theregister.co.uk/2014/02/07/microsoft_autopilot_feature/

Inside Microsoft's Autopilot: Nadella's secret cloud weapon

Redmond man spills the beans on Microsoft's top-secret software

By Jack Clark in San Francisco

Posted in The Channel, 7th February 2014 11:59 GMT

Exclusive Satya Nadella may have just taken the reins as Microsoft's chief executive, but he's already intimately familiar with one of the company's key internal tools to let it compete with Amazon and Google: a complex software system named Autopilot.

Autopilot is the system that lets Microsoft knit together millions of servers and hundreds and hundreds of petabytes of data into a great, humming lake of compute and storage capacity. Without Autopilot, Nadella's former divisions of Server and Tools, Online Services, Search and Advertizing, and Cloud and Enterprise, would have performed poorly and been less reliable.

Gaining access to Autopilot, Windows Azure's general manager Mike Neil told The Reg, is like being handed "the keys to a multi-billion dollar car."

Microsoft rarely talks publicly about Autopilot, and has only published two official documents about it: a now-outdated academic paper in 2007 titled Autopilot: Automatic Data Center Management, and a 2013 web page describing how Autopilot's development team were given an "Outstanding Technical Achievement" award for their work on the system.

Part of the reason Autopilot has never been talked about much – until now – is that its presence jars with Microsoft's marketing goal of claiming that everything it uses to run its cloud can be bought by Joe Public.

To distributed-systems cognoscenti aware of the idiosyncratic, complex needs of huge IT estates, that claim was always an odd one, and now we know why: yes, Microsoft uses a vast amount of its own commercial software internally to run its cloud, but "the vast majority" of applications running in Microsoft data centers ultimately sit on top of the Autopilot system.

"Autopilot software now completely automates the entire server operational lifecycle, from power on and OS installation, to fault detection and repair, to power cycling and vendor RMA," explains Microsoft. "The [Autopilot] team can take a bow for a quietly effective operation that has profoundly transformed Internet-scale services at Microsoft."

It also helps assign resources to applications, schedule when jobs should run, gathers information from millions of computers to give up-to-the-minute capacity utilization information, and forms the underlay of other even more-secret technologies, such as the exabyte-scale COSMOS data analysis engine that sits beneath services such as Bing, Xbox Live, and Windows Azure.

Finally, Autopilot has gone hand-in-hand with a redesign of Microsoft's data center hardware, which has seen the company move away from buying high-end gear from traditional vendors, and to designing its own commodity-style cut-down servers – these computers were declassified in January when Microsoft contributed their designs to Facebook's Open Compute Project.

In other words – if Microsoft's servers are puppets, Autopilot is the unseen puppeteer that animates both them and the stage they dance upon.

Neil compares Autopilot to a 747 jet: "It's a big, complex, honking thing," he told us, explaining that the system is designed "to take load off of the [data center sysadmin] pilot, so the pilot can concentrate on more important things."

One of Autopilot's main jobs is handling low-level infrastructure provisioning.

When Microsoft wants to add capacity to its global fleet of "10 to 100" data centers, it typically does so by loading in a shipping container stuffed with around 10,000 nodes, dubbed in Microsoft parlance an "ITPAC". Once these machines are connected to the data center's power grid, Autopilot is the system that checks that all the new servers are configured correctly and that the network works well, and helps link them to the rest of the system.

"Autopilot deploys and manages the OS image for the host as well as managing the applications that are deployed" Neil explains. "The agent comes along with the OS image and part of that is our SDN solution. The SDN solution manages both east-west and north-south traffic, and our topology gives us great cross-sectional bandwidth and path redundancy."

Once the servers have been brought into Microsoft's global network of "over a million servers," Autopilot helps manage them as well.

If a server fails, then Autopilot has a "self-healing" capability that can prevent a cluster-scale brownout, he said. "Things are going to fail all the time – Autopilot can take remediation actions for you to address failures. There's a bunch of auto-healing autonomic behavior in the system – you don't have to trim the flaps."

Autopilot also has a sophisticated scheduling component as well, which – to stretch the aeronautical metaphor a wee bit further – lets it play the role of an air traffic controller for the innumerable large and small workloads flying in and out of Microsoft's global pool of computers.

Juggler, puppeteer, plate-spinner, watchdog

Scheduling involves juggling different applications so as to provide guaranteed performance for tier-one applications – Azure workloads from paying customers, for example – while "compressing" lower-priority workloads – batch processing jobs for internal Microsoft projects, for example – to create capacity.

"If you think about an operating system on a computer, you're doing preemptive scheduling – running multiple apps and timeslicing into the environment," Neil says. "In this we're working through the bin packing problem – it's a very classic problem, no easy answer to it – an NP-hard issue."

Neil wasn't able to give further information on the precise characteristics of Autopilot's scheduler, but a recent academic paper by Microsoft Research indicates the company is planning to introduce a way to more efficiently schedule compressible workloads in an automated manner. (There's also evidence that Microsoft's internal multi-exabyte "COSMOS" store uses a scripting language called "SCOPE" for analytics-specific scheduling.)

This scheduling component means that Autopilot, along with being a puppeteer, is also a plate-spinner.


Autopilot: the first software the servers in this ITPAC will meet when they arrive at a Microsoft data center

And just like systems in use at Google (Borg and its successor Omega), and Twitter (Mesos), Autopilot's complexity makes it behave more like a skilled yet uncommunicative colleague than a subserviant system.

"The thing you have to get comfortable with is you're relinquishing a lot of control to this system and allowing it to do the right thing for you, and trusting it – it may take steps you don't know about," Neil says. "These systems are so large that no one person is keeping track. That's what the system is designed to do – take care of the details."

Autopilot also gathers large amounts of data to help Microsoft analyze its own infrastructure and identify probblems.

"We have all the information about processor loading, memory loading," explains Neil. "A common thing that people don't sort of grok is that you have a physical machine and it has a set of capabilities, and it's really the first one you run out of that's important. You might have an application that runs out of memory first, so understanding that allows us to optimize for choke points."

Though the service includes things such as usage metrics around CPU, memory, network, disk, and so on, Neil says "we have learned that having an end-to-end test path that is continuously monitored gives a much better result. So as an example, we can do a search query, verify we get a valid result, and look at the latency of that result to see if it is within our expected bounds. We call these watchdogs. These can trigger automated remediation or cause us to roll back a partial deployment to a previous version."

In this way, it apparently differs from Google's systems, which are thought to gather more detailed metrics via an advanced technology named CPI2 that lets Google isolate performance issues on single tasks running on single processors and selectively throttle them.

The power Autopilot gives Microsoft is vast, as it helps increase the efficiency with which the company harnesses its billions of dollars worth of computers. As Microsoft shifts to being a "devices and services" company under cloud-expert Nadella, the importance of Autopilot will only grow over time as Redmond seeks to lash more of its digital universe together. With Autopilot, Neil thinks Microsoft has "the operating system for this new cloud world."

We're sure Nadella hopes the same. ®