Core Code
Core Code Modern Dev Handbook
DISTRIBUTED-SYSTEMS-ENGINEERING Contents
Distributed Systems Fundamentals
What Makes a System Distributed? Latency vs Throughput (Why You Can’t Optimize Both Blindly) The Partial Failure Model (The Real Enemy) The Fallacies of Distributed Computing (Production Examples) Time Is Hard: Clocks, Drift, and Ordering Network Partitions: Detection and Reality Checks CAP Theorem in Practice (What You Actually Choose) PACELC: Latency Tradeoffs Beyond CAP Backpressure vs Queueing (Where Systems Die Quietly) Failure Modes Map: Real Incidents You Will See
Data Consistency Models
Strong Consistency (Costs, When It’s Worth It) Eventual Consistency (What It Guarantees, What It Doesn’t) Causal Consistency (The Practical Middle Ground) Read-Your-Writes and Session Guarantees Monotonic Reads / Writes (User-Visible Correctness) Quorums 101: R/W, N, and What “Majority” Really Means Linearizability vs Serializability vs Strict Serializability Stale Reads: Detection, Measurement, and Guardrails Split-Brain Consistency Failures (How They Start) Designing Consistency SLOs (Correctness as an SLO)
Consensus & Coordination
Why Consensus Is Hard (FLP Intuition, No Math Pain) Raft Overview (Roles, Terms, Safety) Leader Election Patterns (And Their Failure Modes) Quorum Math (Write Safety vs Availability) Log Replication Internals (Commit Index, Match Index) Paxos Simplified (So You Can Read Docs Without Crying) Distributed Locks (Why They’re Dangerous) Zookeeper Patterns (Leader, Config, Locks) etcd Usage Patterns (Kubernetes-Style Coordination) Fencing Tokens (The Only Lock That Survives Partitions)
Replication & Data Distribution
Replication Strategies (Leader, Multi-Leader, Leaderless) Sync vs Async Replication (Latency vs Data Loss) Replication Lag: Causes, Metrics, and Mitigations Anti-Entropy (Merkle Trees, Read Repair, Hinted Handoff) Gossip Protocols (Membership, Failure Detection) Sharding Strategies (Range, Hash, Directory) Consistent Hashing (Why It’s Not Just a Ring Diagram) Rebalancing Clusters Safely (Avoid Melting Prod) Hot Partitions (Detection + Fixes) Multi-Region Data: Patterns and Tradeoffs
Messaging & Event Systems
Messaging Models (Queue vs Log vs PubSub) Delivery Semantics: At-Most-Once Delivery Semantics: At-Least-Once Exactly-Once (Where the Myth Breaks) Idempotency in Event Processing (Design Patterns) Kafka Internals (Partitions, ISR, Replication) Consumer Groups (Rebalances, Sticky Assignors) Ordering Guarantees (What You Can Actually Promise) Dead Letter Queues (Policy, Replay, Poison Pills) Event-Driven Architecture Tradeoffs (Coupling vs Debuggability)
Reliability Patterns in Distributed Systems
Retries & Exponential Backoff (Avoiding Retry Storms) Timeouts & Deadlines (Budgeting Latency) Circuit Breakers (State Machines That Save You) Bulkheads (Stop One Fire From Burning the Ship) Load Shedding (Fail Small, Not Catastrophically) Backpressure in Practice (Push vs Pull, Bounded Queues) Graceful Degradation (Feature Flags and Partial Responses) Hedged Requests (Trading Cost for Tail Latency) Chaos Engineering Basics (What to Test First) Failure Injection Testing (Safe Experiments in Prod-Like Envs)
Distributed Transactions & Sagas
Two-Phase Commit (Why It Blocks) Three-Phase Commit (Why You Still Rarely Use It) Sagas (Orchestration vs Choreography) Saga Orchestration (Central Coordinator Done Right) Saga Choreography (Emergent Workflows, Emergent Pain) Compensating Transactions (Designing Undo) Outbox Pattern (The Dual-Write Fix) Dual-Write Problem (How It Actually Fails) Idempotent Consumers (Dedup, Keys, and Storage) Transactional Messaging (What Guarantees You Can Buy)
Observability in Distributed Systems
Distributed Tracing Fundamentals (Spans, Context, Baggage) Correlation IDs (Request IDs That Survive Microservices) Trace Propagation (W3C Trace Context in Practice) Metrics in Clusters (Aggregation, Cardinality, Cost) High Cardinality Problems (How Monitoring Dies) Structured Logging at Scale (Schemas, Sampling, PII) Monitoring Quorum Health (Consensus Systems SLOs) Alert Fatigue Prevention (Signal > Noise) The Golden Signals (And What Changes in Distributed Systems) Postmortems (Blameless, Actionable, Measurable)
Performance & Scaling Strategies
Horizontal Scaling Patterns (Stateless, Stateful, Sticky) Vertical vs Horizontal Tradeoffs (Cost and Failure Domains) Autoscaling in Practice (When It Helps, When It Hurts) Tail Latency (Why p99 Runs Your Life) p99 vs Averages (SLO Math for Humans) The Thundering Herd (Cache, Locks, and Stampedes) Cache Consistency Tradeoffs (Invalidation Strategies) Distributed Rate Limiting (Token Buckets Across Nodes) Load Balancing Algorithms (RR, LC, EWMA, Hashing) Capacity Planning (Queues, Headroom, Failure Budget)
Production Incident Playbooks
Diagnosing a Network Partition (Fast Triage Checklist) Debugging Split-Brain (Symptoms, Proof, Recovery) Quorum Loss Recovery (Safe Steps, Common Traps) Runaway Retry Storm (How to Stop the Bleeding) Cascading Failure Analysis (Finding the First Domino) Replication Lag Debugging (Root Causes + Fixes) Kafka Consumer Lag Playbook (Rebalance, Throughput, Backlog) Multi-Region Outage Handling (Failover Without Data Lies) Consistency Bug Hunting (Proving “It Can’t Happen” Happened) Production Readiness Checklist (Distributed Systems Edition)

Compensating Transactions (Designing Undo)

Compensating transactions undo previously completed local transactions in distributed workflows. This lesson explains logical rollback, idempotency requirements, compensation ordering, and production failure scenarios.
On this page

Compensating Transactions: Logical Rollback in Distributed Systems

Compensating transactions are operations designed to undo the effects of previously completed local transactions in a distributed workflow. Unlike database rollbacks, which revert changes atomically within a single transaction boundary, compensations are separate operations executed after the fact.

They are the foundation of the Saga pattern and other eventual consistency strategies.

Why Compensation Exists

In distributed systems:

  • Global atomic transactions are expensive or unavailable.
  • Services commit changes independently.
  • Failures may occur after partial progress.

Since we cannot roll back globally, we must reverse logically.

Example: Order Workflow

Original steps:

  1. Create order.
  2. Reserve inventory.
  3. Charge payment.

If payment fails, compensations may be:

  • Release inventory.
  • Cancel order.

Each compensation must restore business consistency.

Compensation Is Not Physical Undo

Compensation does not revert database state to its exact prior form. Instead, it applies a new business action that semantically reverses the effect.

  • Refund instead of delete payment record.
  • Release reservation instead of deleting reservation entry.
  • Mark order canceled instead of deleting order.

This preserves auditability and traceability.

Idempotency Is Mandatory

Compensations must be idempotent because:

  • Retries are common in distributed systems.
  • Event delivery may be at-least-once.
  • Orchestrators may replay after crash recovery.

Executing compensation multiple times must not corrupt state.

Ordering of Compensations

Compensations must execute in reverse order of original steps.

Original: A -> B -> C
Failure at C
Compensation: undo B -> undo A

Reversing order prevents dependency violations.

Production Scenario: Incomplete Compensation

Symptom

Inventory is released, but order remains active.

Root Cause

Compensation for order cancellation failed silently due to timeout. No retry logic implemented.

Diagnosis

  • Saga state shows partial compensation.
  • No alert for failed compensation step.
  • No idempotency key for compensation execution.

Resolution

  • Implement retry with backoff for compensations.
  • Add monitoring for incomplete compensation sequences.
  • Persist compensation status transitions.

Compensation Failure Handling

Compensation itself may fail. Strategies include:

  • Retry with exponential backoff.
  • Escalate to manual intervention queue.
  • Trigger secondary corrective workflow.

Never assume compensation always succeeds.

Long-Running Compensation Risks

Some compensations involve external systems:

  • Payment refund via third-party gateway.
  • Shipment cancellation with logistics provider.
  • Notification reversal emails.

These actions may not be fully reversible. Design must account for business realities.

Observability Requirements

  • Compensation execution rate.
  • Compensation failure rate.
  • Average compensation latency.
  • Stuck compensation detection.
  • Manual intervention queue size.

Compensation visibility is as important as forward workflow visibility.

Failure Injection Test

# Compensation validation
1) Execute multi-step workflow
2) Force failure at step N
3) Observe compensation order
4) Inject compensation timeout
5) Verify retry and recovery behavior
6) Confirm final business state consistency

Common Anti-Patterns

  • No compensation defined for irreversible steps.
  • Compensation not idempotent.
  • No monitoring of compensation failures.
  • Silent failure of compensating actions.
  • Deleting records instead of marking logical reversal.

Operational Checklist

  • Is every saga step paired with compensation?
  • Are compensations idempotent and retry-safe?
  • Are compensation states persisted durably?
  • Is compensation failure alerting configured?
  • Is reverse execution order enforced?

Key Takeaways

  • Compensating transactions logically reverse distributed actions.
  • They replace atomic rollback in Saga-based systems.
  • Idempotency is non-negotiable.
  • Compensation must be observable and retry-safe.
  • Business correctness matters more than technical reversal.

Compensating transactions are the safety net of distributed workflows. They transform partial failure from irreversible damage into recoverable state transitions. In production-grade systems, compensation logic must be as carefully engineered as forward execution.

Outbox Pattern (The Dual-Write Fix) →