Core Code
Core Code Modern Dev Handbook
DISTRIBUTED-SYSTEMS-ENGINEERING Contents
Distributed Systems Fundamentals
What Makes a System Distributed? Latency vs Throughput (Why You Can’t Optimize Both Blindly) The Partial Failure Model (The Real Enemy) The Fallacies of Distributed Computing (Production Examples) Time Is Hard: Clocks, Drift, and Ordering Network Partitions: Detection and Reality Checks CAP Theorem in Practice (What You Actually Choose) PACELC: Latency Tradeoffs Beyond CAP Backpressure vs Queueing (Where Systems Die Quietly) Failure Modes Map: Real Incidents You Will See
Data Consistency Models
Strong Consistency (Costs, When It’s Worth It) Eventual Consistency (What It Guarantees, What It Doesn’t) Causal Consistency (The Practical Middle Ground) Read-Your-Writes and Session Guarantees Monotonic Reads / Writes (User-Visible Correctness) Quorums 101: R/W, N, and What “Majority” Really Means Linearizability vs Serializability vs Strict Serializability Stale Reads: Detection, Measurement, and Guardrails Split-Brain Consistency Failures (How They Start) Designing Consistency SLOs (Correctness as an SLO)
Consensus & Coordination
Why Consensus Is Hard (FLP Intuition, No Math Pain) Raft Overview (Roles, Terms, Safety) Leader Election Patterns (And Their Failure Modes) Quorum Math (Write Safety vs Availability) Log Replication Internals (Commit Index, Match Index) Paxos Simplified (So You Can Read Docs Without Crying) Distributed Locks (Why They’re Dangerous) Zookeeper Patterns (Leader, Config, Locks) etcd Usage Patterns (Kubernetes-Style Coordination) Fencing Tokens (The Only Lock That Survives Partitions)
Replication & Data Distribution
Replication Strategies (Leader, Multi-Leader, Leaderless) Sync vs Async Replication (Latency vs Data Loss) Replication Lag: Causes, Metrics, and Mitigations Anti-Entropy (Merkle Trees, Read Repair, Hinted Handoff) Gossip Protocols (Membership, Failure Detection) Sharding Strategies (Range, Hash, Directory) Consistent Hashing (Why It’s Not Just a Ring Diagram) Rebalancing Clusters Safely (Avoid Melting Prod) Hot Partitions (Detection + Fixes) Multi-Region Data: Patterns and Tradeoffs
Messaging & Event Systems
Messaging Models (Queue vs Log vs PubSub) Delivery Semantics: At-Most-Once Delivery Semantics: At-Least-Once Exactly-Once (Where the Myth Breaks) Idempotency in Event Processing (Design Patterns) Kafka Internals (Partitions, ISR, Replication) Consumer Groups (Rebalances, Sticky Assignors) Ordering Guarantees (What You Can Actually Promise) Dead Letter Queues (Policy, Replay, Poison Pills) Event-Driven Architecture Tradeoffs (Coupling vs Debuggability)
Reliability Patterns in Distributed Systems
Retries & Exponential Backoff (Avoiding Retry Storms) Timeouts & Deadlines (Budgeting Latency) Circuit Breakers (State Machines That Save You) Bulkheads (Stop One Fire From Burning the Ship) Load Shedding (Fail Small, Not Catastrophically) Backpressure in Practice (Push vs Pull, Bounded Queues) Graceful Degradation (Feature Flags and Partial Responses) Hedged Requests (Trading Cost for Tail Latency) Chaos Engineering Basics (What to Test First) Failure Injection Testing (Safe Experiments in Prod-Like Envs)
Distributed Transactions & Sagas
Two-Phase Commit (Why It Blocks) Three-Phase Commit (Why You Still Rarely Use It) Sagas (Orchestration vs Choreography) Saga Orchestration (Central Coordinator Done Right) Saga Choreography (Emergent Workflows, Emergent Pain) Compensating Transactions (Designing Undo) Outbox Pattern (The Dual-Write Fix) Dual-Write Problem (How It Actually Fails) Idempotent Consumers (Dedup, Keys, and Storage) Transactional Messaging (What Guarantees You Can Buy)
Observability in Distributed Systems
Distributed Tracing Fundamentals (Spans, Context, Baggage) Correlation IDs (Request IDs That Survive Microservices) Trace Propagation (W3C Trace Context in Practice) Metrics in Clusters (Aggregation, Cardinality, Cost) High Cardinality Problems (How Monitoring Dies) Structured Logging at Scale (Schemas, Sampling, PII) Monitoring Quorum Health (Consensus Systems SLOs) Alert Fatigue Prevention (Signal > Noise) The Golden Signals (And What Changes in Distributed Systems) Postmortems (Blameless, Actionable, Measurable)
Performance & Scaling Strategies
Horizontal Scaling Patterns (Stateless, Stateful, Sticky) Vertical vs Horizontal Tradeoffs (Cost and Failure Domains) Autoscaling in Practice (When It Helps, When It Hurts) Tail Latency (Why p99 Runs Your Life) p99 vs Averages (SLO Math for Humans) The Thundering Herd (Cache, Locks, and Stampedes) Cache Consistency Tradeoffs (Invalidation Strategies) Distributed Rate Limiting (Token Buckets Across Nodes) Load Balancing Algorithms (RR, LC, EWMA, Hashing) Capacity Planning (Queues, Headroom, Failure Budget)
Production Incident Playbooks
Diagnosing a Network Partition (Fast Triage Checklist) Debugging Split-Brain (Symptoms, Proof, Recovery) Quorum Loss Recovery (Safe Steps, Common Traps) Runaway Retry Storm (How to Stop the Bleeding) Cascading Failure Analysis (Finding the First Domino) Replication Lag Debugging (Root Causes + Fixes) Kafka Consumer Lag Playbook (Rebalance, Throughput, Backlog) Multi-Region Outage Handling (Failover Without Data Lies) Consistency Bug Hunting (Proving “It Can’t Happen” Happened) Production Readiness Checklist (Distributed Systems Edition)

Distributed Locks (Why They’re Dangerous)

Distributed locks coordinate access to shared resources across nodes, but naive implementations cause data corruption and split-brain failures. This lesson explains safe locking patterns, fencing tokens, and production failure scenarios.
On this page

Distributed Locks: Coordination Without Corruption

Distributed locks are used to ensure that only one node performs a critical operation at a time. Examples include scheduled jobs, leader-only tasks, inventory updates, and schema migrations. While the concept appears simple, incorrect distributed locking is one of the most common sources of data corruption in production systems.

The fundamental question is not how to acquire a lock. It is how to guarantee that no two nodes believe they hold the lock simultaneously under failure conditions.

Why Distributed Locks Are Hard

In a single process, a mutex works because memory is shared and failure is deterministic. In distributed systems:

  • Nodes can crash after acquiring a lock.
  • Network partitions can isolate lock holders.
  • Clock drift affects lease expiration.
  • Retries can create duplicate lock attempts.

Without careful design, two nodes may both execute critical sections.

Locking Strategies

Consensus-Based Locks

Use a consensus system (e.g., Raft-backed store) to serialize lock ownership. Lock acquisition is recorded as a log entry committed by majority.

This provides strong safety guarantees but introduces latency equal to quorum commit time.

Lease-Based Locks

Lock is granted for a limited time (TTL). If holder fails, lease expires and others may acquire it.

Lease-based locks require careful timeout tuning and clock considerations.

Production Scenario: Double Job Execution

Symptom

A scheduled job designed to run once per hour executes twice in parallel during a network partition.

Root Cause

The lock was implemented using a single-instance in-memory store. During partition, both sides assumed leadership and acquired independent locks.

Diagnosis

  • No majority quorum enforcement.
  • No fencing tokens protecting downstream systems.
  • Lock TTL expired unexpectedly due to GC pause.

Resolution

  • Move lock state to consensus-backed store.
  • Attach fencing tokens to each lock acquisition.
  • Ensure critical resource validates fencing tokens.

The Importance of Fencing Tokens

Even with consensus-based locks, stale lock holders can cause corruption if they continue executing after losing ownership.

Fencing tokens solve this problem:

  • Each lock acquisition receives a monotonically increasing token.
  • Downstream systems reject operations with stale tokens.
  • Even if a node believes it holds the lock, outdated tokens prevent damage.

This protects against delayed messages and GC pauses.

Clock Drift and Lease Risk

Lease-based locks depend on timeouts. If clocks drift or GC pauses delay execution, a node may believe its lease is valid when it is not.

Mitigation strategies:

  • Use monotonic clocks where possible.
  • Keep lease durations short relative to expected pause times.
  • Implement fencing tokens even with leases.

Common Anti-Patterns

  • Using a single Redis instance without replication for critical locks.
  • Assuming network partitions are rare enough to ignore.
  • Relying solely on TTL expiration without fencing.
  • Ignoring idempotency in lock-protected operations.

Lock vs Idempotency

In many cases, distributed locks can be avoided by designing idempotent operations. Instead of preventing duplicates, allow safe retries.

Locks coordinate execution. Idempotency tolerates repetition. The latter is often safer and more scalable.

Operational Checklist

  • Is lock state stored in a consensus-backed system?
  • Are fencing tokens enforced by the resource being protected?
  • Is lease duration aligned with GC and network characteristics?
  • Are lock acquisition failures observable and logged?
  • Have partition scenarios been tested?

Failure Injection Test

# Distributed lock validation
1) Acquire lock on node A
2) Simulate long GC pause on node A
3) Expire lease and acquire lock on node B
4) Resume node A execution
5) Verify stale token is rejected

Key Takeaways

  • Distributed locks require majority-backed coordination for safety.
  • Lease-based locks alone are insufficient without fencing tokens.
  • Clock drift and GC pauses are real failure factors.
  • Idempotency can reduce reliance on locks.
  • Testing under partition is mandatory before production use.

Distributed locking is a coordination tool, not a shortcut. Implemented correctly, it prevents race conditions. Implemented incorrectly, it creates them.

Zookeeper Patterns (Leader, Config, Locks) →