<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sre on Azarudeen.com</title><link>http://azarudeen.com/tags/sre/</link><description>Recent content in Sre on Azarudeen.com</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 01 Jul 2015 10:00:00 +0530</lastBuildDate><atom:link href="http://azarudeen.com/tags/sre/index.xml" rel="self" type="application/rss+xml"/><item><title>The SRE Book Era: Error Budgets Meet Cascading Failure</title><link>http://azarudeen.com/posts/03-jul-2015-to-sep-2016-the-sre-book-era/</link><pubDate>Wed, 01 Jul 2015 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/03-jul-2015-to-sep-2016-the-sre-book-era/</guid><description>&lt;h1 id="the-sre-book-era-jul-2015--sep-2016"&gt;The SRE Book Era (Jul 2015 – Sep 2016)&lt;/h1&gt;
&lt;p&gt;Google published &lt;em&gt;Site Reliability Engineering&lt;/em&gt; in April 2016 and handed the
industry a shared vocabulary: SLOs, error budgets, toil, and a whole chapter on
postmortem culture. Meanwhile, the period&amp;rsquo;s biggest incidents were masterclasses
in cascading failure — systems that fell over not from the initial fault, but
from their own recovery behavior.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS DynamoDB, September 20, 2015&lt;/strong&gt; — The canonical cascading-failure
postmortem (&lt;a href="https://aws.amazon.com/message/5467D2/"&gt;aws.amazon.com/message/5467D2&lt;/a&gt;).
A network disruption caused storage servers to re-request membership metadata
simultaneously; the metadata service, already near capacity from a new index
feature, couldn&amp;rsquo;t serve the herd; retries made it worse. DynamoDB&amp;rsquo;s outage
cascaded into EC2, SQS, and CloudWatch in us-east-1. Action items — capacity
headroom, longer timeouts, segmented retries — read like a distributed-systems
syllabus.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Salesforce NA14, May 2016&lt;/strong&gt; — A database failure plus a failed failover left
a major instance degraded for nearly a day, with some data unrecoverable.
It pushed &amp;ldquo;your SaaS vendor&amp;rsquo;s DR plan is your DR plan&amp;rdquo; into procurement
conversations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Southwest Airlines (July 2016) and Delta (August 2016)&lt;/strong&gt; — Back-to-back
airline meltdowns from single-point-of-failure infrastructure (a failed router;
a datacenter power incident) cancelling thousands of flights. Boards started
asking about technical debt.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Telstra, 2016&lt;/strong&gt; — A string of national mobile outages in Australia, one
triggered by a single node being taken offline incorrectly, normalized the
telco postmortem press release.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Retry storms became a named enemy.&lt;/strong&gt; The DynamoDB writeup made &amp;ldquo;metastable
failure&amp;rdquo; patterns mainstream years before the academic term: exponential backoff,
jitter, circuit breakers, and load shedding moved from Netflix blog posts into
default library behavior (and into everyone&amp;rsquo;s action items).&lt;/p&gt;</description></item><item><title>Shared Fate: Heartbleed, Mass Reboots, and the Limits of Cloud Trust</title><link>http://azarudeen.com/posts/02-apr-2014-to-jun-2015-shared-fate-in-the-cloud/</link><pubDate>Tue, 01 Apr 2014 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/02-apr-2014-to-jun-2015-shared-fate-in-the-cloud/</guid><description>&lt;h1 id="shared-fate-in-the-cloud-apr-2014--jun-2015"&gt;Shared Fate in the Cloud (Apr 2014 – Jun 2015)&lt;/h1&gt;
&lt;p&gt;This window is when the industry learned that moving to the cloud means sharing
your provider&amp;rsquo;s fate — their hypervisor patches, their config rollouts, and
their operators&amp;rsquo; keystrokes. It&amp;rsquo;s also when security incidents started being
written up with the same discipline as availability incidents.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Heartbleed, April 2014&lt;/strong&gt; — The OpenSSL bug that forced mass certificate
rotation across the internet. Its real operational lesson: almost nobody had
an inventory of where TLS terminated, so &amp;ldquo;patch and rotate&amp;rdquo; took weeks.
Shellshock (September 2014) repeated the drill for bash.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Joyent, May 2014&lt;/strong&gt; — An operator running a routine update &lt;strong&gt;rebooted an
entire data center&amp;rsquo;s worth of customer systems&lt;/strong&gt; with one command. Joyent&amp;rsquo;s
postmortem was admirably direct: the problem wasn&amp;rsquo;t the operator, it was that
the tooling &lt;em&gt;allowed&lt;/em&gt; a datacenter-wide target with no confirmation. A textbook
blameless writeup.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Xen reboot, September 2014&lt;/strong&gt; — AWS rebooted a large fraction of EC2
instances to patch a Xen vulnerability before disclosure. Customers who had
followed the &amp;ldquo;design for instance failure&amp;rdquo; gospel (Netflix, famously) sailed
through; those who hadn&amp;rsquo;t discovered pet servers the hard way.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure Storage, November 2014&lt;/strong&gt; — A performance fix was rolled out
&lt;strong&gt;globally, skipping the staged &amp;ldquo;flighting&amp;rdquo; process&lt;/strong&gt;, and an infinite loop in
the blob frontends took down storage across regions. Microsoft&amp;rsquo;s postmortem
admitted the human deviation from their own rollout policy — one of the most
cited config-change postmortems ever.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NYSE, United Airlines, and the WSJ — July 8, 2015&lt;/strong&gt; — Three unrelated
same-day outages that the public assumed were connected. A lesson in how
reliability failures become news cycles.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Configuration change became the leading villain.&lt;/strong&gt; The Azure writeup
crystallized a pattern that dominates postmortems to this day: the code was
fine; the &lt;em&gt;rollout&lt;/em&gt; of a config flag was the failure. &amp;ldquo;All deploys are staged,
no exceptions, including configuration&amp;rdquo; started appearing in action items.&lt;/p&gt;</description></item><item><title>The Blameless Awakening: How Postmortems Became Engineering Culture</title><link>http://azarudeen.com/posts/01-jan-2013-to-mar-2014-the-blameless-awakening/</link><pubDate>Tue, 01 Jan 2013 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/01-jan-2013-to-mar-2014-the-blameless-awakening/</guid><description>&lt;h1 id="the-blameless-awakening-jan-2013--mar-2014"&gt;The Blameless Awakening (Jan 2013 – Mar 2014)&lt;/h1&gt;
&lt;p&gt;In early 2013, the public postmortem was still a novelty. Most companies treated
outages as PR problems to be minimized, not learning opportunities to be shared.
By the spring of 2014, that had visibly changed — and this 15-month window is
where the modern postmortem culture took root.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure, February 2013&lt;/strong&gt; — A worldwide Azure Storage outage caused by
an &lt;strong&gt;expired SSL certificate&lt;/strong&gt;. The lesson — certificate lifecycle management is
an operational discipline, not a checkbox — still gets relearned every year.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google, August 2013&lt;/strong&gt; — Google went dark for roughly 2–5 minutes, and global
internet traffic reportedly dropped ~40%. The first mainstream glimpse of how
concentrated the web had become.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon.com, August 2013&lt;/strong&gt; — A ~30-minute outage of the retail site, widely used
to popularize &amp;ldquo;downtime costs $X per minute&amp;rdquo; math in reliability business cases.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NASDAQ &amp;ldquo;Flash Freeze,&amp;rdquo; August 2013&lt;/strong&gt; — A three-hour trading halt traced to a
software flaw in the Securities Information Processor, showing that finance&amp;rsquo;s
bespoke infrastructure had the same failure modes as web systems.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HealthCare.gov, October 2013&lt;/strong&gt; — Not a cloud outage but the era&amp;rsquo;s defining
systems failure: a big-bang launch with no load testing, no incremental rollout,
and no operational ownership. Its rescue by a small team of web-industry
engineers seeded what later became the US Digital Service — and became the
canonical argument for DevOps practices in government and enterprise.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. &amp;ldquo;Blameless&amp;rdquo; went from Etsy blog post to industry norm.&lt;/strong&gt; John Allspaw&amp;rsquo;s
writing on blameless postmortems and Etsy&amp;rsquo;s open-sourced &lt;strong&gt;Morgue&lt;/strong&gt; tool (their
internal postmortem tracker) gave teams both the philosophy and the software.
The core idea — engineers closest to the failure have the most information, and
punishing them destroys that information — started appearing in conference talks
everywhere.&lt;/p&gt;</description></item></channel></rss>