1. What is Sentinel

Sentinel is a defense system for distributed systems. With traffic as the entry point, the system is protected by means of dynamically set flow control and service circuit breaker, and the user experience after service rejection is enhanced through service degradation.

According to the official documentation, Sentinel has the following characteristics:

  • Rich application scenarios: Sentinel has undertaken the core scenarios of Alibaba’s double Eleven traffic drive in the past 10 years, such as SEC killing (i.e., burst traffic control within the range of system capacity), message peaking and valley filling, real-time fusing of downstream unavailable applications, etc.
  • Complete real-time monitoring: Sentinel also provides real-time monitoring capabilities. From the console, you can see a summary of the performance of a single machine-by-second data, or even a cluster of less than 500 machines, for accessing the application.
  • Extensive Open source ecosystem: Sentinel provides out-of-the-box integration modules with other open source frameworks/libraries, such as Spring Cloud, Dubbo, and gRPC. You can quickly access Sentinel by introducing the appropriate dependencies and simple configuration.
  • Sophisticated SPI extension points: Sentinel provides easy-to-use, sophisticated SPI extension points. You can quickly customize logic by implementing extension points. For example, customize rule management and adapt data sources.

2. Basic concept of Sentinel

  • Resource: Resource can be code blocks, methods (common methods, interfaces), etc. After defining them as resources and defining traffic limiting rules, they can be used in conjunction with Sentinel

  • Rules: Rules set around the real-time status of resources, including flow control rules, circuit breaker degradation rules, and system protection rules. All rules can be dynamically adjusted in real time.

  • Slot slots: There are seven types of Slot slots defined in Sentinel. Sentinel uses fixed call order between slots to achieve flow limiting because the latter slots may depend on the calculation results of the previous slots. Although the execution order of each Slot in the Sentinel Slot chain is fixed, it is not absolutely impossible to change. Sentinel extends ProcessorSlot as an SPI interface, making SlotChain scalable. Users can customize slots and arrange the order between them.

  • Entry: Indicates whether to pass traffic limiting

  • Node Node: DefaultNode= link Node, which can collect the data of a resource on the invoked link. ClusterNode= ClusterNode that collects global data of a resource. StatisticNode= Base node, whose data structure has a sliding window structure of second/minute level; EntranceNode= Entry node, containing some entry data.

  • Context: Context is the Context in which operations are performed on resources. Each resource operation must belong to a Context. If no Context is specified in the code, a default Context with name sentinel_default_context is created. A Context life cycle can contain multiple resource operations. The last resource in the Context lifecycle cleans up the Conetxt on exit(), which means that the Context lifecycle is over.


3. Main functions of Sentinel

3.1 Flow Control

Flow control is a common concept in network transmission, which is used to adjust the sending data of network packets. However, from the perspective of system stability, there are also a lot of considerations on the speed of processing requests. Requests arriving at any time are often random and uncontrollable, and the processing capacity of the system is limited. We need to control the flow according to the processing capacity of the system. Sentinel, as a dispatcher, can adjust random requests to fit as needed, as shown in the following figure:

Flow control has the following angles:

  • Resource invocation relationship, such as resource invocation link, resource and resource relationship;
  • Performance metrics, such as QPS, thread pool, system load, etc.
  • Control effects, such as direct current limiting, cold start, queuing, etc.

Sentinel is designed to give you the freedom to choose the Angle of control and combine it flexibly to achieve the desired effect.

3.2 Fuse downgrade

3.2.1 What is circuit breaker Downgrade

In addition to flow control, the timely fusing of unstable factors in the call link is also one of Sentinel’s missions. Due to the complexity of invocation relationships, if a resource in the invocation link is unstable, requests may pile up, leading to cascading errors.

The principle of Sentinel and Hystrix is the same: when a resource is detected to be unstable in the invocation link, such as a long response time or a high proportion of exceptions, the invocation of this resource is restricted to make the request fail quickly and avoid the cascading failure of other resources.

3.2.2 Fuse downgrading design concept

Sentinel and Hystrix have taken radically different approaches to their limitations.

Hystrix isolates dependencies (corresponding to resources in the Sentinel concept) by means of thread pool isolation. The benefit of doing this is to achieve the most complete isolation between resources. The disadvantage is that in addition to increasing the cost of thread switching (too many thread pools result in too many threads), there is also a need to allocate thread pool sizes for each resource up front.

Sentinel approaches this problem in two ways:

  • Limit by the number of concurrent threads

Unlike the resource pool isolation approach, Sentinel reduces the impact of unstable resources on other resources by limiting the number of concurrent threads for resources. Not only is there no thread switching wastage, you don’t need to pre-allocate the size of the thread pool. When a resource is unstable, such as a long response time, the direct effect on the resource is a gradual accumulation of threads. When the number of threads accumulates to a certain number on a particular resource, new requests for that resource are rejected. The stacked thread completes its task before continuing to receive requests.

  • Degrade resources by response time

In addition to controlling the number of concurrent threads, Sentinel can quickly degrade unstable resources through response time. If the response time of a dependent resource is too long, all access to the resource is denied until the specified time window expires.

3.2.3 System adaptive protection

Sentinel also provides adaptive protection at the system dimension. Avalanche prevention is an important part of system protection. When system load is high, if you continue to let requests in, the system may crash and fail to respond. In a clustered environment, the network load balancer will forward the traffic that should be carried by this machine to other machines. If other machines are also in an edge state, the increased traffic will cause that machine to crash and the cluster to become unavailable.

Sentinel provides a protection mechanism to balance incoming traffic with the load of the system and ensure that the system can handle the most requests within its capacity.


4.Sentinel working mechanism

  • Provide adaptive or display apis for mainstream frameworks to define resources that need to be protected, and provide facilities to perform real-time statistics on resources and call link analysis.
  • Traffic is controlled based on preset traffic limiting rules and real-time resource statistics. Sentinel also provides an open interface for defining and changing rules.
  • Sentinel provides a real-time monitoring system through the Dashboard module, allowing you to quickly understand the current status of the system.

5 Reference Materials

For the convenience of readers, the content of this article is extracted from the official Sentinel document. The source code and use of Sentinel will be introduced in detail later. For more information about Sentinel’s core advantages, please refer to the official Sentinel document:

Github.com/alibaba/Sen…