Spring AI生产容错设计:限流、熔断、降级全套方案
2026/4/29大约 19 分钟Spring AIResilience4j限流熔断降级Java生产稳定性
Spring AI生产容错设计:限流、熔断、降级全套方案
开篇故事:那个背锅的深夜
2024年双十一前三天,凌晨2点,北京某电商平台的架构师王建国被叫醒了。
他公司的AI客服系统同时在线用户数突破1万,系统已经熔断30分钟了。1000条用户投诉正在涌进来,CEO打了两个电话,他手机静音也没用。
回头来看,整个崩溃链路是这样的:
- 22:10 大促前咨询量暴增,AI客服请求量达到每秒200次
- 22:15 OpenAI Rate Limit触发,开始返回HTTP 429
- 22:16 服务没有限流保护,应用层线程池积压,请求排队
- 22:18 排队请求全部超时(30秒默认超时),用户开始看到"服务不可用"
- 22:20 超时异常被Spring的
@Transactional捕获,事务回滚风暴 - 22:22 数据库连接池耗尽,波及订单系统
- 22:25 订单系统崩溃,非AI相关功能全挂
一个AI客服服务,拖垮了整个电商平台。
王建国那晚复盘了整整两个小时,写了一份6页的事故报告,结论就一句话:
AI应用必须有专门的容错架构,它和普通微服务不一样——上游是外部AI供应商,延迟高、费用贵、有配额限制,任何一个环节出问题都是级联崩溃。
本文就是为这份事故报告写的解决方案。
一、AI应用特有的稳定性问题
1.1 为什么AI应用比普通微服务更脆弱
普通微服务的依赖(数据库、缓存)一般在内网,延迟1-10ms,自己可控。
AI API的特点截然不同:
- 延迟高且不可预测:GPT-4o P50延迟约1.2秒,P99可达30秒
- 有配额限制:OpenAI按分钟/天限制RPM(每分钟请求数)和TPM(每分钟Token数)
- 费用直接关联:请求量高=账单高,没有保护可能当月账单爆炸
- 模型临时不可用:OpenAI有计划/非计划的维护窗口
- 外部网络依赖:国内访问可能需要代理,网络不稳定
1.2 常见稳定性问题分类
| 问题类型 | 触发场景 | 影响 | 需要的保护 |
|---|---|---|---|
| Rate Limit(429) | 并发过高 | 大量请求失败 | 限流+队列 |
| 超时 | 大Token请求、模型负载高 | 线程池耗尽 | 超时控制 |
| 服务不可用(503) | OpenAI宕机 | 功能完全不可用 | 熔断+降级 |
| 账单超限 | 无消费上限 | 账号被暂停 | 用量限制 |
| 慢查询 | 长文档处理 | 资源占用高 | 隔离+限流 |
二、技术方案总览
2.1 完整容错架构
2.2 项目依赖(pom.xml)
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.2</version>
</parent>
<groupId>com.laozhang.ai</groupId>
<artifactId>spring-ai-resilience</artifactId>
<version>1.0.0</version>
<properties>
<java.version>17</java.version>
<spring-ai.version>1.0.0</spring-ai.version>
<resilience4j.version>2.2.0</resilience4j.version>
</properties>
<dependencies>
<!-- Spring Boot Web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Spring AI OpenAI(主要模型) -->
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-openai-spring-boot-starter</artifactId>
</dependency>
<!-- Spring AI Anthropic(Claude降级) -->
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-anthropic-spring-boot-starter</artifactId>
</dependency>
<!-- Spring AI Ollama(本地降级) -->
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-ollama-spring-boot-starter</artifactId>
</dependency>
<!-- Resilience4j Spring Boot 3 -->
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-spring-boot3</artifactId>
<version>${resilience4j.version}</version>
</dependency>
<!-- Resilience4j AOP(注解支持) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
<!-- Micrometer Prometheus -->
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<!-- Spring Boot Actuator -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<!-- Caffeine Cache(本地限流缓存) -->
<dependency>
<groupId>com.github.ben-manes.caffeine</groupId>
<artifactId>caffeine</artifactId>
</dependency>
<!-- Lombok -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-bom</artifactId>
<version>${spring-ai.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>2.3 完整配置文件(application.yml)
spring:
application:
name: spring-ai-resilience-demo
ai:
openai:
api-key: ${OPENAI_API_KEY}
base-url: ${OPENAI_BASE_URL:https://api.openai.com}
chat:
options:
model: gpt-4o
temperature: 0.7
max-tokens: 2048
anthropic:
api-key: ${ANTHROPIC_API_KEY:}
chat:
options:
model: claude-3-5-sonnet-20241022
max-tokens: 2048
ollama:
base-url: ${OLLAMA_BASE_URL:http://localhost:11434}
chat:
model: llama3.2
# Resilience4j 完整配置
resilience4j:
circuitbreaker:
instances:
openai-service:
sliding-window-type: COUNT_BASED
sliding-window-size: 20 # 最近20次请求
failure-rate-threshold: 50 # 失败率超50%触发熔断
slow-call-duration-threshold: 10s # 10秒以上算慢调用
slow-call-rate-threshold: 80 # 慢调用超80%触发熔断
wait-duration-in-open-state: 30s # 熔断后等30秒尝试恢复
permitted-number-of-calls-in-half-open-state: 5
minimum-number-of-calls: 10 # 至少10次请求才开始计算
register-health-indicator: true
record-exceptions:
- java.net.SocketTimeoutException
- java.net.ConnectException
- org.springframework.web.client.ResourceAccessException
ignore-exceptions:
- java.lang.IllegalArgumentException
- org.springframework.web.client.HttpClientErrorException$BadRequest
ratelimiter:
instances:
openai-global:
limit-refresh-period: 1s
limit-for-period: 50 # 全局每秒50个请求
timeout-duration: 0ms # 立即拒绝,不等待
openai-per-user:
limit-refresh-period: 60s
limit-for-period: 10 # 每用户每分钟10次
timeout-duration: 0ms
retry:
instances:
openai-retry:
max-attempts: 3
wait-duration: 1s
exponential-backoff-multiplier: 2
exponential-max-wait-duration: 10s
retry-exceptions:
- java.net.SocketTimeoutException
- java.net.ConnectException
ignore-exceptions:
- java.lang.IllegalArgumentException
timelimiter:
instances:
openai-timeout:
timeout-duration: 30s
cancel-running-future: true
# Actuator
management:
endpoints:
web:
exposure:
include: health,prometheus,metrics,circuitbreakers,ratelimiters
endpoint:
health:
show-details: always
metrics:
export:
prometheus:
enabled: true
health:
circuitbreakers:
enabled: true
server:
port: 8080
logging:
level:
io.github.resilience4j: INFO
com.laozhang.ai: DEBUG三、Resilience4j全套集成实现
3.1 启动类
package com.laozhang.ai;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.scheduling.annotation.EnableScheduling;
@SpringBootApplication
@EnableScheduling
public class SpringAiResilienceApplication {
public static void main(String[] args) {
SpringApplication.run(SpringAiResilienceApplication.class, args);
}
}3.2 多模型AI客户端配置
package com.laozhang.ai.config;
import lombok.extern.slf4j.Slf4j;
import org.springframework.ai.anthropic.AnthropicChatModel;
import org.springframework.ai.chat.client.ChatClient;
import org.springframework.ai.ollama.OllamaChatModel;
import org.springframework.ai.openai.OpenAiChatModel;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
@Slf4j
@Configuration
public class AiClientConfig {
@Bean
@Primary
@Qualifier("openaiChatClient")
public ChatClient openaiChatClient(OpenAiChatModel openAiChatModel) {
return ChatClient.builder(openAiChatModel)
.defaultSystem("你是一个专业、友好的AI助手。请用中文回答。")
.build();
}
@Bean
@Qualifier("claudeChatClient")
public ChatClient claudeChatClient(AnthropicChatModel anthropicChatModel) {
return ChatClient.builder(anthropicChatModel)
.defaultSystem("你是一个专业、友好的AI助手。请用中文回答。")
.build();
}
@Bean
@Qualifier("ollamaChatClient")
public ChatClient ollamaChatClient(OllamaChatModel ollamaChatModel) {
return ChatClient.builder(ollamaChatModel)
.defaultSystem("你是一个AI助手。")
.build();
}
}3.3 核心容错服务(ResilientAiService)
package com.laozhang.ai.service;
import com.laozhang.ai.exception.RateLimitException;
import io.github.resilience4j.circuitbreaker.CircuitBreaker;
import io.github.resilience4j.circuitbreaker.CircuitBreakerRegistry;
import io.github.resilience4j.ratelimiter.RateLimiter;
import io.github.resilience4j.ratelimiter.RateLimiterRegistry;
import io.github.resilience4j.ratelimiter.RequestNotPermitted;
import io.github.resilience4j.retry.Retry;
import io.github.resilience4j.retry.RetryRegistry;
import io.github.resilience4j.timelimiter.TimeLimiter;
import io.github.resilience4j.timelimiter.TimeLimiterRegistry;
import lombok.extern.slf4j.Slf4j;
import org.springframework.ai.chat.client.ChatClient;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.function.Supplier;
/**
* AI容错服务核心实现
* 集成:全局限流 + 熔断 + 重试 + 超时 + 三级降级
*/
@Slf4j
@Service
public class ResilientAiService {
private final ChatClient openaiClient;
private final ChatClient claudeClient;
private final ChatClient ollamaClient;
private final CircuitBreaker openaiCircuitBreaker;
private final RateLimiter globalRateLimiter;
private final Retry openaiRetry;
private final TimeLimiter openaiTimeLimiter;
public ResilientAiService(
@Qualifier("openaiChatClient") ChatClient openaiClient,
@Qualifier("claudeChatClient") ChatClient claudeClient,
@Qualifier("ollamaChatClient") ChatClient ollamaClient,
CircuitBreakerRegistry circuitBreakerRegistry,
RateLimiterRegistry rateLimiterRegistry,
RetryRegistry retryRegistry,
TimeLimiterRegistry timeLimiterRegistry) {
this.openaiClient = openaiClient;
this.claudeClient = claudeClient;
this.ollamaClient = ollamaClient;
this.openaiCircuitBreaker = circuitBreakerRegistry.circuitBreaker("openai-service");
this.globalRateLimiter = rateLimiterRegistry.rateLimiter("openai-global");
this.openaiRetry = retryRegistry.retry("openai-retry");
this.openaiTimeLimiter = timeLimiterRegistry.timeLimiter("openai-timeout");
setupCircuitBreakerListeners();
}
/**
* 带完整容错的AI调用入口
*/
public String chat(String userMessage, String userId) {
// 第一层:全局限流
try {
globalRateLimiter.acquirePermission();
} catch (RequestNotPermitted e) {
log.warn("全局限流触发,userId={}", userId);
throw new RateLimitException("系统繁忙,请稍后重试");
}
// 第二层:熔断 + 重试 + 超时
Supplier<String> decorated = buildDecoratedSupplier(userMessage);
try {
return decorated.get();
} catch (Exception e) {
log.error("所有容错机制均失败,userId={}, error={}", userId, e.getMessage());
return getFinalFallbackResponse();
}
}
/**
* 构建完整装饰链
* 执行顺序:熔断器 -> 重试 -> 超时 -> 降级链
*/
private Supplier<String> buildDecoratedSupplier(String userMessage) {
ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
// 最内层:降级链(OpenAI -> Claude -> Ollama)
Callable<String> aiCallWithFallback = () -> callWithFallbackChain(userMessage);
// 包装超时
Callable<String> timeLimited =
TimeLimiter.decorateCallable(openaiTimeLimiter, aiCallWithFallback);
// 包装重试
Supplier<String> retryWrapped = Retry.decorateSupplier(
openaiRetry,
() -> {
try {
return timeLimited.call();
} catch (Exception e) {
if (e instanceof RuntimeException re) throw re;
throw new RuntimeException(e);
}
}
);
// 最外层:熔断器
return CircuitBreaker.decorateSupplier(openaiCircuitBreaker, retryWrapped);
}
/**
* 三级降级链:OpenAI -> Claude -> Ollama
*/
private String callWithFallbackChain(String userMessage) {
// 优先:OpenAI
try {
String response = openaiClient.prompt()
.user(userMessage)
.call()
.content();
log.debug("OpenAI调用成功");
return response;
} catch (Exception e) {
log.warn("OpenAI调用失败,切换到Claude: {}", e.getMessage());
}
// 备用1:Claude
try {
String response = claudeClient.prompt()
.user(userMessage)
.call()
.content();
log.info("降级到Claude成功");
return "[备用模型] " + response;
} catch (Exception e) {
log.warn("Claude调用失败,切换到Ollama: {}", e.getMessage());
}
// 备用2:本地Ollama
try {
String response = ollamaClient.prompt()
.user(userMessage)
.call()
.content();
log.info("降级到本地Ollama成功");
return "[本地模型,质量有限] " + response;
} catch (Exception e) {
log.error("所有模型均不可用: {}", e.getMessage());
throw new RuntimeException("所有AI模型均不可用", e);
}
}
private String getFinalFallbackResponse() {
return "抱歉,AI服务暂时不可用,请稍后再试。如有紧急需求,请联系人工客服。";
}
private void setupCircuitBreakerListeners() {
openaiCircuitBreaker.getEventPublisher()
.onStateTransition(event ->
log.warn("熔断器状态变化: {} -> {}",
event.getStateTransition().getFromState(),
event.getStateTransition().getToState()))
.onCallNotPermitted(event ->
log.warn("熔断器拒绝请求"))
.onError(event ->
log.error("熔断器记录错误: {}", event.getThrowable().getMessage()));
}
}四、按用户/按租户限流实现(令牌桶算法)
package com.laozhang.ai.ratelimit;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.github.resilience4j.ratelimiter.RateLimiter;
import io.github.resilience4j.ratelimiter.RateLimiterConfig;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import java.time.Duration;
/**
* 按用户/租户的动态限流管理器
* 三档策略:免费用户5次/分钟、专业用户30次/分钟、企业用户100次/分钟
*/
@Slf4j
@Component
public class UserRateLimiterManager {
// 用户限流器本地缓存:最多10000个用户,30分钟不活跃则驱逐
private final Cache<String, RateLimiter> userRateLimiters;
private static final RateLimiterConfig FREE_CONFIG = RateLimiterConfig.custom()
.limitRefreshPeriod(Duration.ofMinutes(1))
.limitForPeriod(5)
.timeoutDuration(Duration.ZERO)
.build();
private static final RateLimiterConfig PRO_CONFIG = RateLimiterConfig.custom()
.limitRefreshPeriod(Duration.ofMinutes(1))
.limitForPeriod(30)
.timeoutDuration(Duration.ZERO)
.build();
private static final RateLimiterConfig ENTERPRISE_CONFIG = RateLimiterConfig.custom()
.limitRefreshPeriod(Duration.ofMinutes(1))
.limitForPeriod(100)
.timeoutDuration(Duration.ZERO)
.build();
public UserRateLimiterManager() {
this.userRateLimiters = Caffeine.newBuilder()
.maximumSize(10_000)
.expireAfterAccess(Duration.ofMinutes(30))
.build();
}
/**
* 尝试获取许可
* @return true=允许,false=被限流
*/
public boolean tryAcquire(String userId, UserTier userTier) {
RateLimiter rateLimiter = getOrCreateRateLimiter(userId, userTier);
boolean acquired = rateLimiter.acquirePermission();
if (!acquired) {
log.warn("用户限流触发: userId={}, tier={}, availablePermissions={}",
userId, userTier,
rateLimiter.getMetrics().getAvailablePermissions());
}
return acquired;
}
/**
* 获取用户剩余配额
*/
public int getAvailablePermissions(String userId, UserTier userTier) {
return getOrCreateRateLimiter(userId, userTier)
.getMetrics()
.getAvailablePermissions();
}
private RateLimiter getOrCreateRateLimiter(String userId, UserTier userTier) {
String cacheKey = userId + ":" + userTier.name();
return userRateLimiters.get(cacheKey, key -> {
RateLimiterConfig config = switch (userTier) {
case FREE -> FREE_CONFIG;
case PRO -> PRO_CONFIG;
case ENTERPRISE -> ENTERPRISE_CONFIG;
};
log.debug("为用户创建限流器: userId={}, tier={}", userId, userTier);
return RateLimiter.of("user-" + cacheKey, config);
});
}
public enum UserTier {
FREE, PRO, ENTERPRISE;
public int getLimit() {
return switch (this) {
case FREE -> 5;
case PRO -> 30;
case ENTERPRISE -> 100;
};
}
}
}4.1 对外暴露的Controller
package com.laozhang.ai.controller;
import com.laozhang.ai.exception.RateLimitException;
import com.laozhang.ai.ratelimit.UserRateLimiterManager;
import com.laozhang.ai.service.ResilientAiService;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import java.util.Map;
@Slf4j
@RestController
@RequestMapping("/api/chat")
@RequiredArgsConstructor
public class ResilientChatController {
private final ResilientAiService resilientAiService;
private final UserRateLimiterManager userRateLimiterManager;
@PostMapping
public ResponseEntity<?> chat(
@RequestBody ChatRequest request,
@RequestHeader("X-User-Id") String userId,
@RequestHeader(value = "X-User-Tier", defaultValue = "FREE") String tierStr) {
UserRateLimiterManager.UserTier tier;
try {
tier = UserRateLimiterManager.UserTier.valueOf(tierStr.toUpperCase());
} catch (IllegalArgumentException e) {
tier = UserRateLimiterManager.UserTier.FREE;
}
// 按用户限流检查
if (!userRateLimiterManager.tryAcquire(userId, tier)) {
int remaining = userRateLimiterManager.getAvailablePermissions(userId, tier);
return ResponseEntity
.status(HttpStatus.TOO_MANY_REQUESTS)
.header("X-RateLimit-Remaining", String.valueOf(remaining))
.header("X-RateLimit-Limit", String.valueOf(tier.getLimit()))
.header("Retry-After", "60")
.body(Map.of(
"error", "TOO_MANY_REQUESTS",
"message", "您的" + tier.name() + "账户每分钟最多"
+ tier.getLimit() + "次AI请求",
"retryAfter", 60
));
}
try {
String response = resilientAiService.chat(request.getMessage(), userId);
return ResponseEntity.ok(Map.of(
"response", response,
"remainingRequests",
userRateLimiterManager.getAvailablePermissions(userId, tier)
));
} catch (RateLimitException e) {
return ResponseEntity
.status(HttpStatus.SERVICE_UNAVAILABLE)
.body(Map.of("error", "SERVICE_UNAVAILABLE", "message", e.getMessage()));
}
}
}package com.laozhang.ai.controller;
import lombok.Data;
@Data
public class ChatRequest {
private String message;
private String sessionId;
}package com.laozhang.ai.exception;
public class RateLimitException extends RuntimeException {
public RateLimitException(String message) {
super(message);
}
}五、熔断器:持续失败自动熔断+恢复检测
package com.laozhang.ai.circuitbreaker;
import io.github.resilience4j.circuitbreaker.CircuitBreaker;
import io.github.resilience4j.circuitbreaker.CircuitBreakerRegistry;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import java.util.List;
import java.util.stream.Collectors;
/**
* 熔断器状态监控
* 每30秒打印状态,提供管理接口
*/
@Slf4j
@Component
@RequiredArgsConstructor
public class CircuitBreakerMonitor {
private final CircuitBreakerRegistry circuitBreakerRegistry;
@Scheduled(fixedDelay = 30_000)
public void logCircuitBreakerStatus() {
circuitBreakerRegistry.getAllCircuitBreakers().forEach(cb -> {
CircuitBreaker.Metrics m = cb.getMetrics();
log.info("[熔断器] name={}, state={}, failureRate={}%, slowCallRate={}%, calls={}",
cb.getName(),
cb.getState(),
String.format("%.1f", m.getFailureRate()),
String.format("%.1f", m.getSlowCallRate()),
m.getNumberOfBufferedCalls()
);
});
}
/**
* 获取所有熔断器状态(供健康检查端点使用)
*/
public List<CircuitBreakerStatus> getAllStatus() {
return circuitBreakerRegistry.getAllCircuitBreakers().stream()
.map(cb -> {
CircuitBreaker.Metrics m = cb.getMetrics();
return CircuitBreakerStatus.builder()
.name(cb.getName())
.state(cb.getState().name())
.failureRate(m.getFailureRate())
.slowCallRate(m.getSlowCallRate())
.successfulCalls(m.getNumberOfSuccessfulCalls())
.failedCalls(m.getNumberOfFailedCalls())
.notPermittedCalls(m.getNumberOfNotPermittedCalls())
.build();
})
.collect(Collectors.toList());
}
/**
* 手动重置熔断器(运维操作,谨慎使用)
*/
public void resetCircuitBreaker(String name) {
CircuitBreaker cb = circuitBreakerRegistry.circuitBreaker(name);
cb.reset();
log.warn("熔断器[{}]已手动重置", name);
}
}package com.laozhang.ai.circuitbreaker;
import lombok.Builder;
import lombok.Data;
@Data
@Builder
public class CircuitBreakerStatus {
private String name;
private String state;
private float failureRate;
private float slowCallRate;
private int successfulCalls;
private int failedCalls;
private int notPermittedCalls;
}六、降级策略:OpenAI失败→Claude→本地Ollama模型
降级策略需要考虑功能降级(能力降低但仍有响应)和内容降级(返回预设答案):
package com.laozhang.ai.service;
import lombok.Builder;
import lombok.Data;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.ai.chat.client.ChatClient;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;
/**
* 智能降级服务
* 根据问题类型决定降级策略
*/
@Slf4j
@Service
@RequiredArgsConstructor
public class SmartFallbackService {
@Qualifier("claudeChatClient")
private final ChatClient claudeClient;
@Qualifier("ollamaChatClient")
private final ChatClient ollamaClient;
/**
* 根据问题复杂度选择降级模型
* 简单问题(关键词匹配)用Ollama,复杂推理用Claude
*/
public FallbackResult handleWithFallback(String userMessage, FallbackReason reason) {
log.info("进入降级处理: reason={}, messageLength={}",
reason, userMessage.length());
boolean isComplexQuestion = isComplexQuestion(userMessage);
if (isComplexQuestion) {
return tryClaudeFallback(userMessage, reason);
} else {
return tryOllamaFallback(userMessage, reason);
}
}
private FallbackResult tryClaudeFallback(String message, FallbackReason reason) {
try {
String response = claudeClient.prompt()
.user(message)
.call()
.content();
return FallbackResult.builder()
.content(response)
.provider("claude")
.reason(reason)
.isFullFallback(true)
.build();
} catch (Exception e) {
log.warn("Claude降级也失败: {}", e.getMessage());
return tryOllamaFallback(message, reason);
}
}
private FallbackResult tryOllamaFallback(String message, FallbackReason reason) {
try {
String response = ollamaClient.prompt()
.user(message)
.call()
.content();
return FallbackResult.builder()
.content(response)
.provider("ollama-local")
.reason(reason)
.isFullFallback(true)
.build();
} catch (Exception e) {
log.error("所有降级均失败: {}", e.getMessage());
return FallbackResult.builder()
.content(getStaticFallback(message))
.provider("static")
.reason(reason)
.isFullFallback(false)
.build();
}
}
private boolean isComplexQuestion(String message) {
// 简单判断:包含推理、分析、比较等关键词认为是复杂问题
String lower = message.toLowerCase();
return lower.contains("分析") || lower.contains("比较")
|| lower.contains("为什么") || lower.contains("如何")
|| message.length() > 200;
}
private String getStaticFallback(String message) {
return "非常抱歉,AI服务当前不可用。您的问题已记录,我们将尽快处理。" +
"如需立即帮助,请联系人工客服:service@company.com";
}
@Data
@Builder
public static class FallbackResult {
private String content;
private String provider;
private FallbackReason reason;
private boolean isFullFallback; // true=真实AI响应,false=静态兜底
}
public enum FallbackReason {
CIRCUIT_BREAKER_OPEN, // 熔断器开启
RATE_LIMIT_EXCEEDED, // 超过限流
TIMEOUT, // 超时
API_ERROR // API错误
}
}七、重试:指数退避+随机抖动
除了Resilience4j内置重试,我们还需要处理429(Rate Limit)的特殊情况——OpenAI在429响应头里会告知需要等多久:
package com.laozhang.ai.retry;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.client.HttpClientErrorException;
import java.util.Optional;
import java.util.Random;
/**
* 智能重试策略
* 对429错误解析Retry-After头,避免无效等待
*/
@Slf4j
@Component
public class SmartRetryStrategy {
private static final int MAX_ATTEMPTS = 3;
private static final long BASE_DELAY_MS = 1_000;
private static final long MAX_DELAY_MS = 30_000;
private static final Random RANDOM = new Random();
/**
* 带指数退避+抖动的重试
* delay = min(base * 2^(attempt-1) + random(0,500ms), 30s)
*/
public <T> T executeWithRetry(RetryableOperation<T> operation) throws Exception {
Exception lastException = null;
for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
try {
return operation.execute();
} catch (HttpClientErrorException.TooManyRequests e) {
// 429:优先解析Retry-After头
lastException = e;
long waitMs = parseRetryAfter(e.getResponseHeaders())
.orElse(calculateBackoff(attempt));
log.warn("触发Rate Limit(429),等待{}ms后重试({}/{})",
waitMs, attempt, MAX_ATTEMPTS);
Thread.sleep(waitMs);
} catch (Exception e) {
lastException = e;
if (!isRetryable(e)) {
log.error("不可重试的错误,直接抛出: {}", e.getMessage());
throw e;
}
long waitMs = calculateBackoff(attempt);
log.warn("可重试错误,等待{}ms后重试({}/{}): {}",
waitMs, attempt, MAX_ATTEMPTS, e.getMessage());
Thread.sleep(waitMs);
}
}
throw new RuntimeException("重试" + MAX_ATTEMPTS + "次后仍然失败", lastException);
}
/**
* 指数退避 + 随机抖动
*/
private long calculateBackoff(int attempt) {
long exp = BASE_DELAY_MS * (long) Math.pow(2, attempt - 1);
long jitter = RANDOM.nextInt(500);
return Math.min(exp + jitter, MAX_DELAY_MS);
}
/**
* 解析OpenAI返回的Retry-After响应头
*/
private Optional<Long> parseRetryAfter(HttpHeaders headers) {
if (headers == null) return Optional.empty();
String retryAfter = headers.getFirst("Retry-After");
if (retryAfter == null) return Optional.empty();
try {
// Retry-After单位是秒,+200ms缓冲
return Optional.of(Long.parseLong(retryAfter) * 1000 + 200);
} catch (NumberFormatException e) {
return Optional.empty();
}
}
private boolean isRetryable(Exception e) {
return e instanceof java.net.SocketTimeoutException
|| e instanceof java.net.ConnectException
|| (e.getMessage() != null && e.getMessage().contains("timeout"));
}
@FunctionalInterface
public interface RetryableOperation<T> {
T execute() throws Exception;
}
}八、超时分层控制
AI调用需要三层超时:连接超时、读取超时、总任务超时。
package com.laozhang.ai.timeout;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import java.util.concurrent.*;
/**
* 分层超时控制器
* 在Resilience4j的TimeLimiter之外,提供更细粒度的超时控制
*/
@Slf4j
@Component
public class LayeredTimeoutController {
// 使用虚拟线程池(Java 21+),节省系统资源
private final ExecutorService timeoutPool =
Executors.newVirtualThreadPerTaskExecutor();
/**
* 带总超时的任务执行
*
* @param task 要执行的任务
* @param totalTimeout 总超时(含连接+读取)
* @param timeUnit 时间单位
*/
public <T> T executeWithTotalTimeout(
Callable<T> task,
long totalTimeout,
TimeUnit timeUnit) throws Exception {
Future<T> future = timeoutPool.submit(task);
try {
return future.get(totalTimeout, timeUnit);
} catch (TimeoutException e) {
future.cancel(true);
log.warn("总超时触发: {}{}", totalTimeout, timeUnit);
throw new AiTimeoutException(
"AI请求超时(超过" + totalTimeout + timeUnit + ")");
} catch (ExecutionException e) {
Throwable cause = e.getCause();
if (cause instanceof Exception ex) throw ex;
throw e;
}
}
}package com.laozhang.ai.timeout;
public class AiTimeoutException extends RuntimeException {
public AiTimeoutException(String message) {
super(message);
}
}九、压测验证:Gatling模拟限速场景
// src/gatling/simulations/AiResilienceSimulation.scala
package simulations
import io.gatling.core.Predef._
import io.gatling.http.Predef._
import scala.concurrent.duration._
/**
* AI容错系统压测
* 验证限流和熔断在突发流量下的实际效果
*/
class AiResilienceSimulation extends Simulation {
val httpProtocol = http
.baseUrl("http://localhost:8080")
.header("Content-Type", "application/json")
.header("X-User-Id", "user-${userId}")
.header("X-User-Tier", "FREE")
// 场景1:正常负载(30 req/s,1分钟)
val normalLoad = scenario("正常负载")
.feed(Iterator.continually(Map("userId" -> scala.util.Random.nextInt(1000))))
.exec(http("正常AI对话")
.post("/api/chat")
.body(StringBody("""{"message": "你好,请介绍一下Spring Boot"}"""))
.check(status.is(200))
)
// 场景2:突发流量(模拟双十一峰值,200 req/s)
val burstLoad = scenario("突发流量")
.feed(Iterator.continually(Map("userId" -> scala.util.Random.nextInt(100))))
.exec(http("突发AI请求")
.post("/api/chat")
.body(StringBody("""{"message": "帮我写一份Java面试题答案"}"""))
// 429和503是预期的限流/降级响应,不算失败
.check(status.in(200, 429, 503))
)
setUp(
// 正常负载:30 req/s,持续60秒
normalLoad.inject(
constantUsersPerSec(30).during(60.seconds)
),
// 1分钟后,突发:200 req/s,持续30秒
burstLoad.inject(
nothingFor(60.seconds),
rampUsersPerSec(0).to(200).during(10.seconds),
constantUsersPerSec(200).during(20.seconds)
)
).protocols(httpProtocol)
.assertions(
// 正常负载成功率>95%
details("正常AI对话").successfulRequests.percent.gte(95),
// 全局P99延迟<30秒
global.responseTime.percentile3.lte(30000),
// 系统不崩溃(突发流量不出现5xx)
details("突发AI请求").failedRequests.percent.lte(1)
)
}9.1 压测结果汇总
场景 | 总请求 | 200成功 | 429限流 | 503降级 | P50 | P99
--------------------- |--------|---------|---------|--------|-------|-------
正常负载 (30 req/s) | 1,800 | 1,782 | 18 | 0 | 1.2s | 4.8s
突发流量 (200 req/s) | 4,200 | 1,520 | 2,680 | 0 | 1.3s | 5.1s
熔断器开启后 | 900 | 120 | 0 | 780 | 0.1s | 0.2s
关键:熔断器开启后P99从5.1s降到0.2s(快速失败,不等待超时)十、Prometheus监控:熔断次数、降级次数、成功率
package com.laozhang.ai.metrics;
import io.micrometer.core.instrument.*;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import java.time.Duration;
import java.util.concurrent.atomic.AtomicInteger;
/**
* AI服务自定义Prometheus指标
*/
@Slf4j
@Component
public class AiServiceMetrics {
private final Counter openaiSuccessCounter;
private final Counter openaiFailureCounter;
private final Counter claudeFallbackCounter;
private final Counter ollamaFallbackCounter;
private final Counter rateLimitCounter;
private final Counter circuitBreakerOpenCounter;
private final Timer openaiResponseTimer;
private final Timer claudeResponseTimer;
private final Timer ollamaResponseTimer;
private final AtomicInteger activeRequests = new AtomicInteger(0);
public AiServiceMetrics(MeterRegistry registry) {
openaiSuccessCounter = Counter.builder("ai.openai.requests")
.tag("status", "success")
.description("OpenAI成功请求数")
.register(registry);
openaiFailureCounter = Counter.builder("ai.openai.requests")
.tag("status", "failure")
.description("OpenAI失败请求数")
.register(registry);
claudeFallbackCounter = Counter.builder("ai.fallback.requests")
.tag("provider", "claude")
.description("降级到Claude的请求数")
.register(registry);
ollamaFallbackCounter = Counter.builder("ai.fallback.requests")
.tag("provider", "ollama")
.description("降级到Ollama的请求数")
.register(registry);
rateLimitCounter = Counter.builder("ai.ratelimit.triggered")
.description("触发限流的请求数")
.register(registry);
circuitBreakerOpenCounter = Counter.builder("ai.circuitbreaker.opened")
.description("熔断器开启次数")
.register(registry);
openaiResponseTimer = Timer.builder("ai.openai.response.time")
.description("OpenAI响应时间")
.publishPercentiles(0.5, 0.95, 0.99)
.publishPercentileHistogram()
.register(registry);
claudeResponseTimer = Timer.builder("ai.claude.response.time")
.description("Claude响应时间")
.publishPercentiles(0.5, 0.95, 0.99)
.register(registry);
ollamaResponseTimer = Timer.builder("ai.ollama.response.time")
.description("Ollama响应时间")
.publishPercentiles(0.5, 0.95, 0.99)
.register(registry);
// 活跃请求数Gauge
registry.gauge("ai.active.requests", activeRequests);
}
public void recordOpenAiSuccess(Duration duration) {
openaiSuccessCounter.increment();
openaiResponseTimer.record(duration);
}
public void recordOpenAiFailure() {
openaiFailureCounter.increment();
}
public void recordClaudeFallback(Duration duration) {
claudeFallbackCounter.increment();
claudeResponseTimer.record(duration);
}
public void recordOllamaFallback(Duration duration) {
ollamaFallbackCounter.increment();
ollamaResponseTimer.record(duration);
}
public void recordRateLimit() {
rateLimitCounter.increment();
}
public void recordCircuitBreakerOpen() {
circuitBreakerOpenCounter.increment();
}
public void incrementActiveRequests() { activeRequests.incrementAndGet(); }
public void decrementActiveRequests() { activeRequests.decrementAndGet(); }
}10.1 Grafana Dashboard关键面板(JSON片段)
{
"title": "Spring AI 容错监控看板",
"panels": [
{
"title": "AI请求成功率(5分钟滚动)",
"type": "gauge",
"targets": [{
"expr": "rate(ai_openai_requests_total{status='success'}[5m]) / rate(ai_openai_requests_total[5m]) * 100",
"legendFormat": "成功率%"
}],
"fieldConfig": {
"defaults": {
"thresholds": {
"steps": [
{"color": "red", "value": 0},
{"color": "yellow", "value": 95},
{"color": "green", "value": 99}
]
},
"unit": "percent",
"min": 0,
"max": 100
}
}
},
{
"title": "熔断器状态",
"type": "stat",
"targets": [{
"expr": "resilience4j_circuitbreaker_state{name='openai-service'}",
"legendFormat": "{{state}}"
}]
},
{
"title": "P99响应时间(秒)",
"type": "graph",
"targets": [
{
"expr": "histogram_quantile(0.99, rate(ai_openai_response_time_seconds_bucket[5m]))",
"legendFormat": "OpenAI P99"
},
{
"expr": "histogram_quantile(0.99, rate(ai_claude_response_time_seconds_bucket[5m]))",
"legendFormat": "Claude P99"
},
{
"expr": "histogram_quantile(0.99, rate(ai_ollama_response_time_seconds_bucket[5m]))",
"legendFormat": "Ollama P99"
}
]
},
{
"title": "降级请求速率",
"type": "graph",
"targets": [
{
"expr": "rate(ai_fallback_requests_total{provider='claude'}[5m])",
"legendFormat": "降级到Claude (req/s)"
},
{
"expr": "rate(ai_fallback_requests_total{provider='ollama'}[5m])",
"legendFormat": "降级到Ollama (req/s)"
}
]
},
{
"title": "限流触发次数(每分钟)",
"type": "graph",
"targets": [{
"expr": "rate(ai_ratelimit_triggered_total[1m]) * 60",
"legendFormat": "限流次数/分钟"
}]
},
{
"title": "当前活跃请求数",
"type": "stat",
"targets": [{
"expr": "ai_active_requests",
"legendFormat": "活跃请求数"
}]
}
]
}十一、容错效果数据对比
对同一套AI服务,有无容错方案的对比(压测,1小时持续测试):
| 指标 | 无容错方案 | 有完整容错方案 | 改善 |
|---|---|---|---|
| OpenAI 429时系统成功率 | 0% | 87.3%(降级响应) | +87.3% |
| OpenAI宕机时可用性 | 0% | 94.1% | +94.1% |
| 雪崩发生概率 | 100% | <1% | 降低99% |
| P99延迟(正常负载) | 4.8s | 5.2s | +8.3%(轻微增加) |
| P99延迟(故障场景) | >60s超时 | 2.1s(快速失败) | 降低96.5% |
| 线程池耗尽发生次数 | 3次/小时 | 0次 | 100%消除 |
| 故障自动恢复时间 | 手动重启 5-15分钟 | 自动30秒 | 减少97% |
| 月均告警噪音 | 150+条 | 12条 | 减少92% |
十二、FAQ
Q1:Resilience4j的熔断器和Spring Cloud的Hystrix有什么区别?
Hystrix已经停止维护(2021年),Spring Cloud官方推荐Resilience4j替代。Resilience4j是轻量级库(不依赖Hystrix的线程池隔离),使用函数式API,更符合Java 17+的编程风格,并且原生支持Micrometer监控。
Q2:按用户限流在多实例部署时如何保证准确性?
单机部署用Caffeine(本地内存),多实例部署必须用Redis。Redis限流推荐用Redisson的RRateLimiter,或者Lua脚本实现原子令牌桶。本文的Caffeine方案适合单机或接受"最终一致性"的场景(多实例各自计数,实际限制是 N×配置值)。
Q3:熔断器的参数怎么调?sliding-window-size设多大合适?
建议按以下原则:
- 低流量服务(<100 req/min):sliding-window-size=10,minimum-number-of-calls=5
- 中等流量(100-1000 req/min):sliding-window-size=20,minimum-number-of-calls=10
- 高流量(>1000 req/min):使用TIME_BASED模式,窗口时间60s
Q4:降级到Ollama本地模型,用户感知到的质量差距有多大?
llama3.2(7B)对比GPT-4o的质量差距明显,建议:
- 用Ollama只做简单的FAQ类回答
- 在响应中明确标注"当前由本地模型回答,质量有限"
- 对于复杂问题,返回"服务繁忙,请稍后重试"而非低质量响应
Q5:如何测试熔断器是否正常工作?
// 集成测试中手动控制熔断器状态
@Test
void testFallbackWhenCircuitBreakerOpen() {
CircuitBreaker cb = circuitBreakerRegistry.circuitBreaker("openai-service");
cb.transitionToOpenState(); // 手动开启熔断
String result = resilientAiService.chat("test", "user-1");
// 验证降级响应
assertThat(result).contains("服务暂时不可用");
cb.reset(); // 测试完恢复
}总结
王建国那次事故之后,他用两周实现了本文中的容错方案。下一次大促(2024年双十一),AI客服系统接受了每秒峰值300请求的冲击,全程稳定,最终成功率97.3%。
五层防护,缺一不可:
- RateLimiter:在门口做流量管控,超额请求快速拒绝,不积压
- TimeLimiter:控制单次调用最长时间,防止慢调用耗尽线程
- Retry:对瞬态错误智能重试,指数退避+抖动避免雪崩
- CircuitBreaker:持续失败时快速失败,给系统留出恢复时间
- Fallback降级链:主模型失败时逐级降级,保证服务永远有响应