由 Michael Nygard 在其[书中](https://pragprog.com/book/mnee/release-it)普及的断路器模式,能够阻止应用重复的尝试执行可能失败的请求。这允许系统继续运行,而不用等待那些错误被修复,也不用浪费 CPU 循环,因为它已经识别到该错误是持续性的。断路器模式也使系统能够检测出错误是否已被修复。如果问题已经被修复,系统能够重新调用该操作。
关闭:来自应用的请求直接路由到对应的操作。代理维护一个计数器来记录最近失败的次数。如果一个操作失败,该计数器加一。如果最近失败的次数在指定时间段内超过一个阈值,代理被设定到 开启 状态。同时,代理启动一个计时器,当计时器超时后,代理被设定到 半开状态。
半开:允许少量的请求通过代理调用该操作。如果请求成功,系统假定之前引起操作失败的错误已被修复,断路器设定到 关闭状态(且将失败计数器重置)。如果任何请求失败,断路器便假定之前的错误依旧存在,然后把状态重新置为打开,重启超时计时器,并为系统恢复该错误设定更长的恢复时间。
半开 状态有助于使恢复中的系统避免遭受突发的大量请求。在服务恢复过程中,它可能只能支撑有限数量的请求,直至恢复完全完成。在恢复过程中接收大量请求,可能会使服务超时,甚至再次失败。
在上图中,关闭状态下使用的计数器是基于时间的,它会自动定期重置。这能够使断路器避免因偶发性失败而切换到失败状态。失败阈值设定使断路器只有在指定的时间内失败的次数达到了指定值后才切换到失败状态。半开状态下使用的计数器用来记录请求成功的次数。当连续成功的请求数量超过一个指定值后,断路器将切换到 关闭状态。如果任一调用失败,断路器将直接进入打开状态,下次进入半开状态的时候,成功计数器将被清零。
断路器模式为在从错误中恢复的系统提供稳定性,同时降低对性能的影响。它通过快速驳回可能失败的请求来降低系统响应时间。如果每次断路器切换状态时都触发一个时间,则可以用来监视断路器保护部分的系统状态,或在断路器切换到 打开状态时为管理员提供报警。
异常的类型。请求可能由于各种原因而失败,其中一些导致的问题可能比其他更严重。例如,请求可能由于外部服务宕机而失败从而中断数分钟,或者由于服务过载而导致超时。断路器可能能够检测异常的类型从而使用不同的策略。例如,如果要把断路器设定到 开状态,超时类型到错误次数的阈值要比系统完全不可用的阈值要高很懂。
测试失败的操作。在开的状态下,除了用计数器来决定何时切换到半开状态,断路器还可以启用一个定时任务来周期性 ping 远端服务来判断该服务是否已可以访问。可以采用尝试调用之前失败的服务的形式,或调用远端服务提供的专门用来测试服务状态的操作,如健康状况健康模式 所描述的那样。
一个服务可能在限流时返回 HTTP 429(太多的请求),或者在服务当前不可用时返回 HTTP 503(服务不可用)。HTTP 返回信息中可能包含了额外信息,比如下次重试的间隔时间等。
- 阻止应用访问一个很可能失败的共享的远程服务或资源。
- 访问本地资源,比如内存中的数据结构。在这个场景中,使用断路器将为你的系统带来额外的开销。
- 用来替代业务逻辑中的异常处理。
在 web 应用中,页面是根据外部服务获得的数据计算生成的。如果系统设定较少的缓存策略,大多数页面点击都会调用一次服务。从 web 应用到服务的请求可以设定超时时间(通常是60秒),如果服务在这段时间内未响应,页面的逻辑将认为服务不可用并抛出异常。
The CircuitBreaker
class maintains state information about a circuit breaker in an object that implements the ICircuitBreakerStateStore
interface shown in the following code.
interface ICircuitBreakerStateStore
CircuitBreakerStateEnum State { get; }
Exception LastException { get; }
DateTime LastStateChangedDateUtc { get; }
void Trip(Exception ex);
void Reset();
void HalfOpen();
bool IsClosed { get; }
The State
property indicates the current state of the circuit breaker, and will be either Open, HalfOpen, or Closed as defined by the CircuitBreakerStateEnum
enumeration. The IsClosed
property should be true if the circuit breaker is closed, but false if it's open or half open. The Trip
method switches the state of the circuit breaker to the open state and records the exception that caused the change in state, together with the date and time that the exception occurred. The LastException
and the LastStateChangedDateUtc
properties return this information. The Reset
method closes the circuit breaker, and the HalfOpen
method sets the circuit breaker to half open.
The InMemoryCircuitBreakerStateStore
class in the example contains an implementation of the ICircuitBreakerStateStore
interface. The CircuitBreaker
class creates an instance of this class to hold the state of the circuit breaker.
The ExecuteAction
method in the CircuitBreaker
class wraps an operation, specified as an Action
delegate. If the circuit breaker is closed, ExecuteAction
invokes the Action
delegate. If the operation fails, an exception handler calls TrackException
, which sets the circuit breaker state to open. The following code example highlights this flow.
public class CircuitBreaker
private readonly ICircuitBreakerStateStore stateStore =
private readonly object halfOpenSyncObject = new object ();
public bool IsClosed { get { return stateStore.IsClosed; } }
public bool IsOpen { get { return !IsClosed; } }
public void ExecuteAction(Action action)
if (IsOpen)
// The circuit breaker is Open.
... (see code sample below for details)
// The circuit breaker is Closed, execute the action.
catch (Exception ex)
// If an exception still occurs here, simply
// retrip the breaker immediately.
// Throw the exception so that the caller can tell
// the type of exception that was thrown.
private void TrackException(Exception ex)
// For simplicity in this example, open the circuit breaker on the first exception.
// In reality this would be more complex. A certain type of exception, such as one
// that indicates a service is offline, might trip the circuit breaker immediately.
// Alternatively it might count exceptions locally or across multiple instances and
// use this value over time, or the exception/success ratio based on the exception
// types, to open the circuit breaker.
The following example shows the code (omitted from the previous example) that is executed if the circuit breaker isn't closed. It first checks if the circuit breaker has been open for a period longer than the time specified by the local OpenToHalfOpenWaitTime
field in the CircuitBreaker
class. If this is the case, the ExecuteAction
method sets the circuit breaker to half open, then tries to perform the operation specified by the Action
If the operation is successful, the circuit breaker is reset to the closed state. If the operation fails, it is tripped back to the open state and the time the exception occurred is updated so that the circuit breaker will wait for a further period before trying to perform the operation again.
If the circuit breaker has only been open for a short time, less than the OpenToHalfOpenWaitTime
value, the ExecuteAction
method simply throws a CircuitBreakerOpenException
exception and returns the error that caused the circuit breaker to transition to the open state.
Additionally, it uses a lock to prevent the circuit breaker from trying to perform concurrent calls to the operation while it's half open. A concurrent attempt to invoke the operation will be handled as if the circuit breaker was open, and it'll fail with an exception as described later.
if (IsOpen)
// The circuit breaker is Open. Check if the Open timeout has expired.
// If it has, set the state to HalfOpen. Another approach might be to
// check for the HalfOpen state that had be set by some other operation.
if (stateStore.LastStateChangedDateUtc + OpenToHalfOpenWaitTime < DateTime.UtcNow)
// The Open timeout has expired. Allow one operation to execute. Note that, in
// this example, the circuit breaker is set to HalfOpen after being
// in the Open state for some period of time. An alternative would be to set
// this using some other approach such as a timer, test method, manually, and
// so on, and check the state here to determine how to handle execution
// of the action.
// Limit the number of threads to be executed when the breaker is HalfOpen.
// An alternative would be to use a more complex approach to determine which
// threads or how many are allowed to execute, or to execute a simple test
// method instead.
bool lockTaken = false;
Monitor.TryEnter(halfOpenSyncObject, ref lockTaken);
if (lockTaken)
// Set the circuit breaker state to HalfOpen.
// Attempt the operation.
// If this action succeeds, reset the state and allow other operations.
// In reality, instead of immediately returning to the Closed state, a counter
// here would record the number of successful operations and return the
// circuit breaker to the Closed state only after a specified number succeed.
catch (Exception ex)
// If there's still an exception, trip the breaker again immediately.
// Throw the exception so that the caller knows which exception occurred.
if (lockTaken)
// The Open timeout hasn't yet expired. Throw a CircuitBreakerOpen exception to
// inform the caller that the call was not actually attempted,
// and return the most recent exception received.
throw new CircuitBreakerOpenException(stateStore.LastException);
To use a CircuitBreaker
object to protect an operation, an application creates an instance of the CircuitBreaker
class and invokes the ExecuteAction
method, specifying the operation to be performed as the parameter. The application should be prepared to catch the CircuitBreakerOpenException
exception if the operation fails because the circuit breaker is open. The following code shows an example:
var breaker = new CircuitBreaker();
breaker.ExecuteAction(() =>
// Operation protected by the circuit breaker.
catch (CircuitBreakerOpenException ex)
// Perform some different action when the breaker is open.
// Last exception details are in the inner exception.
catch (Exception ex)