Curated topic

sre

Posts tagged with sre

PlanetScale Tech BlogNov 4, 2025

Why it matters: This release future-proofs Vitess by adopting MySQL 8.4 as the default and enhances operational reliability through refined metrics and recovery controls. It simplifies monitoring by removing legacy APIs while providing a safer path for horizontal scaling and database upgrades.

Vitess 23.0.0 updates the default MySQL version to 8.4.6 for both Docker images and VTGate advertisements.
New observability metrics include TransactionsProcessed for VTGate and SkippedRecoveries for VTOrc to improve debugging.
Several legacy metrics and API endpoints, such as QueriesProcessed and aggregated-discovery-metrics, have been removed.
VTOrc now supports dynamic control of EmergencyReparentShard-based recoveries and stricter Consul authentication requirements.
Managed MySQL configurations now default to caching-sha2-password for improved security.
Upgrading from MySQL 8.0 to 8.4 via the Vitess Operator requires a specific four-step sequence involving innodb_fast_shutdown=0.

#data #sre #dist

Read original

PlanetScale Tech BlogNov 3, 2025

$50 PlanetScale Metal

Why it matters: This update lowers the barrier to entry for high-performance, dedicated database hardware, making enterprise-grade latency accessible to startups. Decoupling compute from storage enables more cost-effective resource allocation for specific workload profiles.

PlanetScale introduced a new $50/month entry tier for its high-performance Metal database clusters on AWS and GCP.
New granular storage options allow users to scale CPU and memory independently from disk size for better resource optimization.
The M-class clusters utilize ARM vCPUs, ranging from 1/8 vCPU with 1GB RAM up to 2 vCPUs with 16GB RAM.
All M-class clusters include unlimited I/O, providing consistent performance and high QPS as applications grow.
Smaller Metal sizes are currently generally available for Postgres, with Vitess support expected to follow.

#data #finops #sre

Read original

PlanetScale Tech BlogNov 3, 2025

Report on our investigation of the 2025-10-20 incident in AWS us-east-1

Why it matters: This report highlights the importance of control and data plane separation and the operational challenges of network partitions. It demonstrates how proactive capacity management and manual failover strategies can mitigate upstream cloud provider outages and capacity constraints.

A control plane outage occurred due to upstream AWS DynamoDB and STS failures, though the data plane remained stable due to static stability design.
Capacity constraints in AWS us-east-1 prevented launching new EC2 instances, threatening Vitess clusters that rely on diurnal autoscaling.
Engineers mitigated capacity issues by bin-packing vtgate processes more tightly and pausing non-essential instance terminations and backups.
Partial network partitions across availability zones disrupted replication and query routing, necessitating manual database reparenting to healthier zones.
The incident emphasized the need for better resilience against SaaS dependencies like SSO and more robust multi-AZ strategies for network partitions.

#sre #dist #data

Read original

Microsoft Azure BlogOct 31, 2025

Resiliency in the cloud—empowered by shared responsibility and Azure Essentials

Why it matters: This article is important for engineers because it outlines a clear framework and tools within Azure to proactively design, implement, and validate highly resilient cloud systems, ensuring minimal downtime and robust recovery strategies.

Cloud resiliency, distinct from reliability, is critical for rapid recovery from outages and ensuring business continuity in a digital-first era.
The shared responsibility model clarifies that Microsoft provides platform reliability (infrastructure, SLAs), while customers are responsible for solution resiliency (architecture, deployments, disaster recovery).
Building resiliency into cloud solutions from the start involves zone-redundant architectures and multi-region deployments for critical workloads.
Azure Essentials offers a unified approach, integrating tools and guidance like the Well-Architected Framework and Cloud Adoption Framework.
It provides actionable assessments, integrated tools such as Azure Chaos Studio for validation, Azure Monitor for monitoring, and Microsoft Defender for Cloud for security.

#sre #dist

Read original

Cloudflare BlogOct 31, 2025

BGP zombies and excessive path hunting

Why it matters: BGP zombies and excessive path hunting disrupt Internet routing, leading to packet loss, increased latency, and network instability. Understanding these phenomena is crucial for network engineers to maintain reliable and efficient global connectivity.

BGP zombies are routes that remain active in the Internet's Default-Free Zone despite being withdrawn, causing traffic misdirection and operational issues.
These zombies typically arise from slow BGP route processing, software bugs, or missed prefix withdrawals.
Path hunting is the process where BGP routers search for the best path after a more-specific prefix is withdrawn, falling back to a less-specific one.
The Minimum Route Advertisement Interval (MRAI) intentionally delays BGP updates, extending the duration of path hunting and increasing the chance of zombies.
Zombies can lead to packets being trapped in loops or taking inefficient routes, impacting network performance and reliability.
Cloudflare observes BGP zombies affecting BYOIP on-demand customers using Magic Transit.

#sre #dist

Read original

Cloudflare BlogOct 31, 2025

Go and enhance your calm: demolishing an HTTP/2 interop problem

Why it matters: This article highlights how subtle misconfigurations in standard libraries (like Go's HTTP/2 client) can lead to critical interop issues and trigger network defenses, emphasizing the need for deep understanding of protocol implementations.

HTTP/2 misconfigurations can lead to denial-of-service attacks like PING floods, triggering defenses such as Cloudflare's ENHANCE_YOUR_CALM GOAWAY frame.
An internal microservice communication issue was traced to a Go standard library HTTP/2 client sending excessive PINGs, causing connection closures.
The problem stemmed from a subtle interaction between Go's http.Transport PingTimeout and ReadIdleTimeout settings, leading to continuous PINGs.
Debugging required "on the wire" analysis using packet captures or GODEBUG=http2debug=2 logging to identify the client's actual behavior.
Proper configuration, ensuring PingTimeout is longer than ReadIdleTimeout or disabled when ReadIdleTimeout handles liveness, is crucial to prevent such HTTP/2 PING floods.

#sre #dist #security

Read original

GitHub EngineeringOct 30, 2025

Measuring what matters: How offline evaluation of GitHub MCP Server works

Why it matters: This article details GitHub's robust offline evaluation pipeline for its MCP Server, crucial for ensuring LLMs like Copilot accurately select and use tools. It highlights how systematic testing and metrics prevent regressions and improve AI agent reliability in complex API interactions.

GitHub's MCP (Model Context Protocol) Server enables LLMs to interact with APIs and data, forming the basis for Copilot workflows.
Minor changes to MCP tool descriptions or configurations significantly impact an LLM's ability to select correct tools and pass arguments.
An automated offline evaluation pipeline is crucial for validating changes, preventing regressions, and improving LLM tool-use performance.
The pipeline utilizes curated benchmarks containing natural language inputs, expected tools, and arguments to test model-MCP pairings.
The evaluation process comprises three stages: fulfillment (recording model invocations), evaluation (computing metrics), and summarization (reporting).
Key evaluation metrics focus on both correct tool selection (using accuracy, precision, recall, and F1-score) and accurate argument provision.

#mlp #sre

Read original

Cloudflare BlogOct 29, 2025

So long, and thanks for all the fish: how to escape the Linux networking stack

Why it matters: This article details advanced Linux networking challenges when pushing performance boundaries. It highlights how low-level kernel interactions can cause subtle but critical issues, requiring custom solutions to ensure reliable, high-performance network services.

Cloudflare developed "soft-unicast" to share IP subnets across data centers, requiring machines to manage numerous IP/source-port combinations for outgoing connections.
Traditional Linux networking stack tools like iptables and Netfilter's conntrack module presented significant challenges for soft-unicast due to complexity and unexpected interactions.
A custom service, "SLATFATF" (fish), was created to manage soft-unicast IP packet proxying and address leasing, aiming to reduce firewall workload.
A critical issue arose from the collision between Netfilter's conntrack table and kernel socket binding, where conntrack could silently rewrite source ports of TCP sockets, breaking connections.
This collision meant that a socket's source address might not match the actual IP packet's source, leading to connection failures and timeouts.
The final solution for WARP involved terminating TCP connections within the server and proxying them to local sockets with correct soft-unicast addresses, bypassing problematic packet rewriting.

#dist #sre

Read original

Cloudflare BlogOct 29, 2025

Helping protect the 2025 Moldova elections

Why it matters: This article demonstrates the critical role of robust cybersecurity infrastructure in protecting democratic processes from sophisticated state-sponsored cyberattacks. It highlights the effectiveness of advanced DDoS mitigation in maintaining online service availability during high-stakes events.

Cloudflare provided critical cybersecurity support to the Moldovan Central Election Commission (CEC) during the 2025 parliamentary elections amidst foreign interference and digital threats.
Leveraging its Athenian Project expertise, Cloudflare rapidly onboarded CEC websites and deployed mitigation strategies within a week.
On election day, the CEC faced over twelve hours of concentrated, high-volume DDoS attacks, with peaks exceeding 324,000 requests per second.
Cloudflare's automated defenses successfully mitigated over 898 million malicious requests, ensuring the CEC website remained accessible and online.
A broader campaign targeted other Moldovan democracy, media, and civic websites with hundreds of millions of malicious requests.
Moldovan authorities confirmed the successful neutralization of these attacks, attributing the uninterrupted service to Cloudflare's protection.

#security #sre #dist

Read original

Cloudflare BlogOct 28, 2025

A framework for measuring Internet resilience

Why it matters: This framework helps engineers understand and quantify network resilience, moving beyond abstract concepts to actionable metrics. It provides insights into securing routing, diversifying infrastructure, and building more robust systems to prevent catastrophic outages.

Internet resilience is the measurable ability of a network ecosystem to maintain diverse, secure routing paths and rapidly restore connectivity after disruptions, beyond just uptime.
The Internet's decentralized structure means local decisions by Autonomous Systems (ASes) collectively determine global resilience, emphasizing diverse and secure interconnections.
Resilience requires a multi-layered approach: diverse physical infrastructure, robust network routing hygiene (BGP, RPKI, ROV), and application-level optimizations like CDNs.
Route hygiene, particularly RPKI and Route Origin Validation, is crucial for securing BGP routing against hijacks and leaks, preventing widespread outages.
The article proposes a data-driven framework to quantify Internet resilience using public data, aiming to foster a more reliable and secure global network.

#dist #security #sre

Read original

Page 11 of 17

Prev 1...9 10 11 12 13...17 Next