| |
| ▲ | logifail 3 hours ago | parent | next [-] | | > All these monitoring rules are of the format "when 500 errors > baseline for x minutes". Otherwise you'd have monitoring alerts every second. So it is normal for users to already see errors before github officially counts it as an outage. Is it true that official service status pages are updated automatically? | | |
| ▲ | baby_souffle 2 hours ago | parent [-] | | > it true that official service status pages are updated automatically? Depends. Typically no because there’s an art to crafting the actual message around impact… but sometimes yes it is automated |
| |
| ▲ | hnlmorg 4 hours ago | parent | prev | next [-] | | You'd expect them to be monitoring more than just the HTTP response codes from user requests for precisely this reason. If the first they hear of an outage is when user requests start to fail, then that's a failure in their monitoring as well. But effective monitoring is harder than people assume. | | |
| ▲ | re-thc a minute ago | parent | next [-] | | > But effective monitoring is harder than people assume. Who says public status page equals internal monitoring. They likely know faster than you. Whether they post it publicly is a different issue (hint: SLA penalties, news impacting stock etc) | |
| ▲ | dncornholio 3 hours ago | parent | prev [-] | | > If the first they hear of an outage is when user requests start to fail, then that's a failure in their monitoring as well. Isn't that what monitoring actually is? The issue seems to be in their testing, not monitoring. | | |
| ▲ | hnlmorg 3 hours ago | parent [-] | | No, monitoring for HTTP response code is a subset of observability and not one that generally gives you the best insights into which subsystems are misbehaving nor why. There are synthetic tests, where you can generate API request calls or even simulate an entire user journey. These allow you to control the user agent, the payloads, and thus you know anything errors back are actual errors. These are triggered by the observability platform (think like running a cron-job) and thus you're not tied to user activity to see when problems arise. There are other metrics outside of HTTP response codes too. Think like free RAM, CPU usage, disk space, etc. This is just naming some obvious ones because these types of metrics are generally bespoke to the type of application your monitoring. And with these types of monitors, you'd not just have an alert when things have failed, but ideally have alerts when an irregular trend is showing that things are likely to fail too. This latter type of monitors helps you get ahead of the problem before it become customer facing. Then you have more traditional stuff like logs. This will also be bespoke to the application. But you'd expect errors in logs to get surfaced quickly. Assuming Github have good hygiene in what's being logged. Tie that up with APMs, RUM, and other goodies like that and you'll have diagnostics to investigate issues when they appear. (this is just a super high level view of observability too) | | |
| ▲ | lokar 3 hours ago | parent [-] | | Even a synthetic probe needs a few failures to trigger an alert. You should not alert on cpu, ram, etc | | |
| ▲ | hnlmorg 2 hours ago | parent [-] | | > Even a synthetic probe needs a few failures to trigger an alert. It doesn't "need" that. That just how most people set it up because it’s an easy sane default that allows for network jitter without inexperienced engineers thinking about different conditions triggering different types of responses. If you’re measuring internal APIs from an observablity solution that’s has nodes already inside you’re network enclave, then there is a strong argument for alerting early. > You should not alert on cpu, ram, etc That’s not true to say as an absolute statement. And a generalisation it heavily depends on the system your monitoring and how it behaves under pressure. But in any case, I wasn’t suggesting CPU alerts were the end goal. I said: > these types of metrics are generally bespoke to the type of application your monitoring. Ie you’ll use metrics but those metrics will be highly specific. The CPU examples were an illustration as to what a “metric” is (it might seem obvious but not everyone is an expert) but the point was HTTP response codes aren't the only types of metrics one should be capturing and watching. | | |
| ▲ | lokar 2 hours ago | parent [-] | | Ah, yes, I misunderstood. And I have seen cases where a direct CPU alert makes sense, but 99 times out of 100 times I see it, it's nothing but trouble. Worse, I tend to see the cpu alert when there are no end to end synthetic alerts, 500 alerts, queue depth alerts, etc. If your requests are fast and cheap, you can probe frequently relative to your goals, but often that's not really possible (think, long SQL queries, or scheduling a container/pod). There you need several datapoints, or possible fewer augmented with other signals. | | |
| ▲ | hnlmorg an hour ago | parent [-] | | Yeah very true. Talking about long SQL queries, I quite like throwing CPU alerts on database servers. They'll be a low priority alert (ie no out of hours "pagers") so just something that goes into a slack channel. But they're a good indicator of when developers have poorly optimized SQL, or the DB schema is poorly defined (eg missing indexes), or the DB server itself is poorly sized. This wouldn't be something you'd expect to need in production and definitely not something you'd rely on as a notice of a production outage. But it is an example of one of those 1% occasions where a CPU alert does add value to the overall observability of the application. But this also ties into your excellent point about how you'd use CPU and other data points to build a picture of what's happening in your application. | | |
| ▲ | lokar an hour ago | parent [-] | | Oh, I was thinking about it as the person running SQL as a service. People run queries that go on for days.... idle CPU is often wasted CPU |
|
|
|
|
|
|
| |
| ▲ | echelon 5 hours ago | parent | prev | next [-] | | In a high performance service with good maintenance and upkeep, you page for all 500s. A noisy pager forces the team to fix the 500s. Maybe the Github Actions infrastructure isn't run like that. edit: my oncall rotation notified on all 500s, 24/7, not just rates - https://news.ycombinator.com/item?id=48279262 | | |
| ▲ | Doohickey-d 5 hours ago | parent | next [-] | | Im curious about this: because in my experience (working on smaller services though), a small number of errors is always there, as a "baseline". Recently there was this: https://news.ycombinator.com/item?id=47252971 "10% of Firefox crashes are caused by bitflips" Which makes me think a small amount of random issues which happen even though nothing is broken, is normal everywhere. Especially once move things around on a network, there's potential for a lot more random errors. | | |
| ▲ | bobthepanda 3 hours ago | parent | next [-] | | It’s where monitoring for 9s is more important at that scale than absolute errors. So long as degradation is graceful or retried it should not be a massive problem. It does require constant tuning and adjustment though. | |
| ▲ | KPGv2 4 hours ago | parent | prev [-] | | Bitflips are something that can happen in consumer-grade RAM, so that tracks (and it's comforting that wayward cosmic rays are a substantial reason for an application's crashes!), but on enterprise servers, they will run ECC RAM that is very resistant to bit flips. This is why data hoarders who have NASes with lots of space insist on running their servers with ECC RAM despite it being significantly more expensive. Because bit flips, for all intents and purposes, cannot happen. The RAM itself detects and corrects for them. I wouldn't expect bit flips to be a significant contributor to enterprise problems. | | |
| ▲ | Anon1096 4 hours ago | parent | next [-] | | Bitflips specifically may not be; things like network issues, noisy neighbors, row/rack/host maintenance (leading to a downed and migrated host) absolutely are things that happen at high frequency at scale and cause your background level of errors to be more than 0. | |
| ▲ | maccard 4 hours ago | parent | prev [-] | | You've completely missed the point - It's not about bitflips it's about errors that are outside the scope of what's fixable. |
|
| |
| ▲ | TheDong 5 hours ago | parent | prev | next [-] | | Do you know of a single service at a single company that actually does that? I know all of Gmail, every GCE service I can think of, every AWS service I can think of, Amazon.com, Netflix, and Github all do not page on just a single 500. I know none of those are particularly "high performance" though. Curious where your experience is coming from. | | |
| ▲ | CBLT 4 hours ago | parent | next [-] | | I've been oncall for a different G service that nearly paged on every error. It used the standard error budget tooling, but on hundreds of user buckets because the engineering around locality-specific configuration was... suspect. Many of these buckets had single-digits user. If a user was on their phone and lost signal, I was paged. Very poor oncall experience. | |
| ▲ | theta_d 3 hours ago | parent | prev | next [-] | | The sub-service at IBM cloud I worked on had an insanely small error budget such that pages were nearly constant. On call was hell week until a few of us insisted on fixing the issues. The "few" of us were contractors. The employees seemed more than willing to just let the pages continue. | | |
| ▲ | alexfoo 38 minutes ago | parent [-] | | Some companies pay more if people are paged. It can create a perverse incentive not to fix problems or, in extreme cases, to watch things going wrong, waiting for the page, and then being ready to fix it straight away. |
| |
| ▲ | echelon 4 hours ago | parent | prev [-] | | I worked at a large fintech moving billions of dollars in volume a day. I had a fairly long tenure, where I maintained multiple key services in critical online payments flow. Authentication, authorization, core business and risk data, as well as some cross-cutting control plane stuff, etc. You needed one or more of our services to take a payment, serve any request from the employee dashboard - pretty much everything hit our services. The entire company ground to a halt without my team. We paged for every single 500. In instances where a particular class of 500 was spurious or not worth fixing, we would leave it acked or mark it as noise. But typically we'd just put in a fix as soon as possible so we didn't page. Our graceful shutdown and traffic shaping stack was great, but occasionally we'd get a few pages during deploys or failovers. Oncall was typically not bad, but when it did get bad it was terrible. I've been involved in huge outages that cost hundreds of millions of dollars. Usually it was the fault of multiple teams having compounding runaway failures rather than one service or bug in particular. It's inexcusable to have a customer's payments not go through. We engineered around resilience. We had strict five nines SLAs and p99 targets and evaluated our adherence with even the smallest partial outage. Hundreds of other services depended on ours, and downstream impacts were huge, so we had to keep a tight ship. We didn't have "business hours"-only paging either as our platform was available globally, including a heavy install base in Asia. | | |
| ▲ | sunrunner 4 hours ago | parent [-] | | > We paged for every single 500. Assuming the existence of some kind of network (with zero guarantee of 100% reliability), how does this work in practice? Is each 500 treated as an event that needs investigation, even if the result of that would end up as 'a router dropped something from an internal buffer but the transaction as a whole was re-tried by a parent so the service itself recovered'? | | |
| ▲ | LPisGood 3 hours ago | parent | next [-] | | A reliability engineer from Jane Street gave a great talk about this, five nine’s of correctness in reporting, etc isn’t enough for the SEC. https://youtu.be/zR9PpXWsKFQ | |
| ▲ | eithed 3 hours ago | parent | prev [-] | | Client network timeout shouldn't result in 500. With 408 and retry you should, dependent on the business criteria, get either an upsert (transaction is retried) or 422 (validation that given entry already exists). Even if it's "DB in datacenter I tried to save to was hit by meteor" event, you can cater for this not to result in 500 (ie - DB unreachable, retry in a couple of minutes); the question is if you want to. |
|
|
| |
| ▲ | compumike 3 hours ago | parent | prev | next [-] | | Re: "page for all 500s": there's a world of difference between "page me with a critical alert at 3am" and "notify me on Monday morning when my normal workday starts". At the extremes: If my DB health check endpoint is returning 500s for N consecutive checks over M minutes, yeah, please wake me up at 3am! If one user hit a weird edge case in form validation and got a one-off 500, please don't! We can fix that on Monday. Not always easy to distinguish those clearly or configure those business hours rules, but for my team at https://heyoncall.com/ that is the goal -- otherwise your team burns out fast. Waking up someone at 3am has a real cost, so you better be sure it's worth it. | | |
| ▲ | wasmitnetzen 3 hours ago | parent [-] | | Shouldn't Github be large enough to not have anyone on-call, but just rotate the responsible team around the world? | | |
| ▲ | alexfoo 41 minutes ago | parent | next [-] | | One team can't troubleshoot AND FIX every possible subsystem, so you just end up with lots (growing to hundreds) of people "on-call" anyway. As others have said, follow-the-sun type models do exist, usually staffed by people in their normal working hours (EMEA, Americas, APAC) but this means you've still got to cover the weekend and public holidays (which there are a lot of when you factor in plenty of different countries). Where you need a quick response you can have a core ops/noc team that looks at things with lower thresholds and shorter windows, and their job is to do the initial triage and then page the appropriate team earlier than they would have been alerted by their own alert thresholds/monitoring. Actually clicking the button to change the status on a public status page is a whole different topic that becomes very political in certain companies. | |
| ▲ | bobthepanda 3 hours ago | parent | prev [-] | | At least when I worked at a Bigcorp a lot of that was being cut to save costs. | | |
| ▲ | lokar an hour ago | parent [-] | | I've worked in large orgs where we could (at at some times did) have around the world rotations. They don't work well. It've very hard to maintain real team cohesion, and you end up with really superficial operations. People tend not to dig in really deep, find good fixes, etc. Lots of superficial bandages. |
|
|
| |
| ▲ | hvb2 3 hours ago | parent | prev | next [-] | | > A noisy pager forces the team to fix the 500s. I'm sure you're not in ops. Or in a dev org of a service with decent request rates. What you're asking for is a service to fail silently. There's no way a service with a decent request rate to have 0 500s. Not when it still sees development. A 50 year old bank API? Maybe... | |
| ▲ | awithrow 5 hours ago | parent | prev | next [-] | | that is absolutely not the case for any system of size and scale. that would just burn out the on-call team and not result in improvements. Error rates/budgets are used instead. | | |
| ▲ | hnlmorg 4 hours ago | parent [-] | | It depends what you're monitoring. If it's response codes from user generated queries, then I'd agree with you. But if it is synthetic queries sent from the monitoring platform, then you control the user agent, payload, and endpoints. So any failed requests are a symptom of a misconfiguration and/or failure that should be investigated. Albeit not necessarily as a P1 priority. |
| |
| ▲ | rhyperior 3 hours ago | parent | prev | next [-] | | You only do this when you’re trying to use incident management as a hammer to make a point to somebody whom you have otherwise failed to convince to fix something through persuasive argument. Ie, it’s punitive. | |
| ▲ | swiftcoder 3 hours ago | parent | prev | next [-] | | Yeah, no, nobody runs cloud services like that. At AWS most alarms required failures in 3 consecutive 5 minute periods. Critical things could be on 3 consecutive 1 minute windows - but that alarm starts a 15 minute escalation for the oncall engineer to check in, and they have to validate the issue isn't a false alarm before updating the status page would even be considered | |
| ▲ | jordemort 4 hours ago | parent | prev [-] | | forget it, Jake; it’s Azure |
| |
| ▲ | registeredcorn 2 hours ago | parent | prev [-] | | I'm not arguing with what you're saying, but it does make me wonder: What exactly is the point of the status page, if "it is normal for users to already see errors before GitHub officially counts it as an outage"? Is it more so to have something to link to for managers who aren't using the service have a pretty bar to look at and feel like they are "doing something"? Or is it more of a kind of a way to prevent confirming what you already suspect to be true. E.g. "Huh. Me and Jim are seeing problems. How about you Tom? Oh wait, crud. The service page is confirming it's down now. Never mind! Who wants coffee?!" | | |
| ▲ | filleduchaos an hour ago | parent [-] | | There is oddly enough a middle ground between "zero errors whatsoever" and "outage". |
|
|
