Rebooting Microreboot: Architectural Support for Safe, Parallel Recovery in Microservice Systems
Laurent Bindschaedler

TL;DR
This paper presents a safe, parallel microreboot architecture for microservice systems, separating planning from actuation and using a microkernel for validation, significantly improving safety during recovery.
Contribution
It introduces a three-agent architecture with a typed ISA and microkernel to enable safe, online recovery boundary inference and transactionally validated remediation plans.
Findings
Recovery-group inference runs in 21 ms at P99 on industrial traces.
Typed actuation reduces agent-caused harm by 95% in simulation.
The design prioritizes recovery safety over raw restart speed: recovery boundaries are inferred online, and harm from remediation is minimized rather than the restart path shortened.
Abstract
Microreboot enables fast recovery by restarting only the failing component, but in modern microservices naive restarts are unsafe: dense dependencies mean rebooting one service can disrupt many callers. Autonomous remediation agents compound this by actuating raw infrastructure commands without safety guarantees. We make microreboot practical by separating planning from actuation: a three-agent architecture (diagnosis, planning, verification) proposes typed remediation plans over a seven-action ISA with explicit side-effect semantics, and a small microkernel validates and executes each plan transactionally. Agents are explicitly untrusted; safety derives from the ISA and microkernel. To determine where restart is safe, we infer recovery boundaries online from distributed traces, computing minimal restart groups and ordering constraints. On industrial traces (Alibaba, Meta) and…
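As an added illustration (not code from the paper or its authors), the following Python sketches the two ideas the abstract describes: inferring a minimal restart group and a restart order from a trace-derived call graph, and a small validator that accepts or rejects an untrusted planner's typed plan as a whole. The call graph, the "tolerates restart" flags, the action names and the side-effect classes are constructed assumptions for this example; the paper's seven-action ISA and its actual inference algorithm are not reproduced.

```python
"""Illustrative example only: not the paper's code or its ISA.
Models (1) restart-group inference over a call graph and (2) an
all-or-nothing validator that an untrusted planner's plan must pass."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple

# Constructed dependency graph standing in for one derived from traces:
# caller -> {callee: caller tolerates callee restarting (retry/breaker/cache)}.
CALL_GRAPH: Dict[str, Dict[str, bool]] = {
    "gateway":   {"checkout": True, "search": True},
    "checkout":  {"cart": False, "payment": True},
    "cart":      {"inventory": False},
    "search":    {"inventory": True},
    "inventory": {},
    "payment":   {},
}


def restart_group(graph: Dict[str, Dict[str, bool]], failing: str) -> Set[str]:
    """Failing service plus every caller that cannot tolerate it, transitively."""
    callers: Dict[str, List[Tuple[str, bool]]] = {}
    for caller, callees in graph.items():
        for callee, tolerates in callees.items():
            callers.setdefault(callee, []).append((caller, tolerates))
    group, stack = {failing}, [failing]
    while stack:
        svc = stack.pop()
        for caller, tolerates in callers.get(svc, []):
            if not tolerates and caller not in group:
                group.add(caller)
                stack.append(caller)
    return group


def restart_order(graph: Dict[str, Dict[str, bool]], group: Set[str]) -> List[str]:
    """Callees before callers inside the group (Kahn's algorithm on the
    induced subgraph); ties broken alphabetically for determinism."""
    indeg = {s: sum(1 for c in graph.get(s, {}) if c in group) for s in group}
    ready = sorted(s for s in group if indeg[s] == 0)
    order: List[str] = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for caller in group:
            if svc in graph.get(caller, {}):
                indeg[caller] -= 1
                if indeg[caller] == 0:
                    ready.append(caller)
                    ready.sort()
    if len(order) != len(group):
        raise ValueError("dependency cycle inside restart group")
    return order


class Effect(Enum):
    NONE = "none"        # observation only, no side effect
    LOCAL = "local"      # touches one service instance
    TRAFFIC = "traffic"  # changes what callers see


# Assumed typed action vocabulary for this example (not the paper's ISA).
ACTION_EFFECTS = {"probe": Effect.NONE, "drain": Effect.TRAFFIC,
                  "restart": Effect.LOCAL, "undrain": Effect.TRAFFIC}


@dataclass(frozen=True)
class Action:
    op: str
    target: str


def validate_plan(plan: List[Action], graph: Dict[str, Dict[str, bool]],
                  failing: str) -> Tuple[bool, List[str]]:
    """Transactional check: the whole plan is rejected if any action is
    unknown, any side-effecting action targets a service outside the inferred
    group, restarts violate the inferred order, or a group member is skipped."""
    group = restart_group(graph, failing)
    order = restart_order(graph, group)
    errors: List[str] = []
    restarts: List[str] = []
    for i, a in enumerate(plan):
        if a.op not in ACTION_EFFECTS:
            errors.append(f"{i}: unknown op {a.op!r}")
            continue
        if ACTION_EFFECTS[a.op] is not Effect.NONE and a.target not in group:
            errors.append(f"{i}: {a.op} on {a.target} outside group {sorted(group)}")
        if a.op == "restart":
            restarts.append(a.target)
    expected = [s for s in order if s in set(restarts)]
    if restarts != expected:
        errors.append(f"restart sequence {restarts} violates order {order}")
    missing = group - set(restarts)
    if missing:
        errors.append(f"plan leaves group members unrestarted: {sorted(missing)}")
    return (not errors, errors)


if __name__ == "__main__":
    plan = [Action("probe", "inventory"), Action("drain", "checkout"),
            Action("restart", "inventory"), Action("restart", "cart"),
            Action("restart", "checkout"), Action("undrain", "checkout")]
    print(restart_order(CALL_GRAPH, restart_group(CALL_GRAPH, "inventory")))
    print(validate_plan(plan, CALL_GRAPH, "inventory"))
```

The point of the split is that the planner can be wrong or malicious and still cause no harm: it only emits typed actions, and the validator, not the planner, decides whether the plan is consistent with the restart group inferred from the traces. A plan that restarts only the failing service, or restarts callers before callees, is rejected as a unit rather than partially executed.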
