Curated topic

sre

Posts tagged with sre

GitHub EngineeringMay 7, 2026

Improving token efficiency in GitHub Agentic Workflows

Why it matters: Optimizing agentic workflows is critical for managing CI/CD costs. By moving data retrieval out of the LLM reasoning loop and pruning unused tool schemas, engineers can significantly reduce token consumption and latency without sacrificing agent performance.

Implemented an API proxy to capture normalized token usage data across different agent frameworks including Claude and Copilot CLI.
Deployed automated Auditor and Optimizer workflows to identify usage anomalies and propose specific code-level optimizations.
Reduced context overhead by pruning unused Model Context Protocol (MCP) tool registrations, saving 8-12 KB of schema per call.
Shifted data-fetching operations from LLM tool calls to deterministic GitHub CLI commands to minimize reasoning steps and round-trips.
Developed an Effective Tokens (ET) metric to normalize costs across different models and account for prompt caching benefits.

#finops #mlp #sre

Read original

Cloudflare BlogMay 7, 2026

How Cloudflare responded to the “Copy Fail” Linux vulnerability

Why it matters: This vulnerability highlights how performance optimizations in kernel memory management can introduce critical security flaws. It demonstrates the importance of automated patching pipelines and LTS kernel maintenance in protecting large-scale infrastructure from local privilege escalation.

CVE-2026-31431 ('Copy Fail') is a Linux kernel local privilege escalation vulnerability targeting the AF_ALG socket family and AEAD crypto modules.
The exploit leverages the splice() system call to pass page cache references into kernel scatterlists, enabling out-of-bounds writes to shared memory.
Attackers can overwrite the page cache of setuid-root binaries like /usr/bin/su with arbitrary shellcode to gain root access.
Cloudflare avoided impact due to its automated kernel release pipeline, which integrates upstream LTS security patches weeks before public disclosure.
The vulnerability was fixed by reverting a 2017 performance optimization that allowed unsafe in-place memory operations in the algif_aead module.

#security #sre

Read original

PlanetScale Tech BlogMay 7, 2026

Problem solving with PlanetScale Insights

Why it matters: Database performance bottlenecks are often opaque in complex applications. PlanetScale Insights provides granular, percentile-based visibility and actionable metrics like rows-read-to-returned ratios, enabling engineers to quickly identify and fix unoptimized queries and missing indexes.

PlanetScale Insights provides real-time performance monitoring for Postgres and Vitess/MySQL databases, offering visibility into query latency and resource usage.
Latency percentiles (p50, p95, p99, p99.9) help engineers distinguish between median performance and outliers caused by lock contention or cold caches.
The 'Rows read/returned' metric serves as a primary indicator for missing indexes, highlighting queries that scan excessive data for minimal results.
Advanced search filters allow developers to isolate unindexed queries, specific table usage, or patterns exceeding specific latency thresholds.
Integrated LLM-based query summarization translates complex ORM-generated SQL into plain English to simplify debugging.
The dashboard correlates query volume with latency to help differentiate between application traffic spikes and inherent query inefficiencies.

#data #sre

Read original

GitHub EngineeringMay 6, 2026

Validating agentic behavior when “correct” isn’t deterministic

Why it matters: As AI agents move to autonomous 'computer use,' traditional testing causes brittle pipelines. Engineers need validation frameworks that handle non-determinism to ensure agents are reliable without halting production due to incidental environmental noise.

Traditional deterministic testing fails for AI agents because they use non-linear, multi-path execution to achieve goals.
Environmental noise like network lag often triggers false negatives in rigid assertion-based or record-and-replay testing frameworks.
Engineers should shift to a "Trust Layer" that focuses on essential milestones and logical outcomes rather than specific step sequences.
Agent behavior is categorized into essential states, optional variations, and convergent paths to distinguish success from incidental noise.
This framework allows for more robust CI/CD pipelines when deploying agentic systems in production environments.

#mlp #sre

Read original

Cloudflare BlogMay 6, 2026

When DNSSEC goes wrong: how we responded to the .de TLD outage

Why it matters: DNSSEC failures at the TLD level can cause massive internet outages. Understanding mitigation strategies like 'serve stale' and Negative Trust Anchors is crucial for SREs and network engineers to maintain availability during upstream cryptographic failures.

DENIC published incorrect DNSSEC signatures for the .de TLD, causing validating resolvers to return SERVFAIL for millions of domains.
DNSSEC ensures data integrity through a chain of trust; a failure at the TLD level breaks validation for all child zones.
Cloudflare utilized 'serve stale' (RFC 8767) to continue providing cached records past their TTL, mitigating immediate user impact.
The incident caused a massive spike in query volume as clients repeatedly retried failed DNS requests.
Cloudflare implemented Negative Trust Anchors (NTA) per RFC 7646 to temporarily bypass validation for the .de zone while the registry fixed the issue.

#sre #security

Read original

Airbnb EngineeringMay 5, 2026

Monitoring reliably at scale

Why it matters: Observability must be more reliable than the systems it monitors. By breaking circular dependencies in compute and networking, engineers ensure visibility remains during critical outages, preventing 'dark' dashboards when they are needed most for recovery.

Airbnb identified circular dependencies where their metrics pipeline relied on the same infrastructure it was designed to monitor.
They isolated observability workloads onto dedicated Kubernetes clusters to reduce shared failure domains while retaining managed infrastructure benefits.
The team bypassed the shared Istio service mesh for telemetry, building a custom Envoy-based Layer 7 ingress to handle high-volume metrics independently.
Decoupling networking prevents telemetry spikes from impacting business traffic and ensures metrics delivery during service mesh failures.
They implemented meta-monitoring via external 'dead man's switches' to ensure the observability stack remains healthy and functional.

#sre #dist

Read original

Slack EngineeringMay 5, 2026

From SSH to REST: A Security-Driven Modernization of Slack’s EMR Data Pipelines

Why it matters: This migration demonstrates how to eliminate stateful, insecure SSH dependencies in large-scale data platforms. It shows a path toward better reliability, finer audit granularity, and modern infrastructure like Spark on Kubernetes by adopting stateless REST-based orchestration.

Slack migrated 700+ data pipeline jobs from SSH-based submission to a REST-based architecture across 8 regions with zero downtime.
The legacy SSH pattern caused resource contention on EMR master nodes and created 'zombie' jobs when network connections dropped.
The team utilized YARN Distributed Shell to wrap arbitrary CLI commands and MapReduce jobs into a REST-compatible format via the YARN API.
Custom Airflow operators were developed to abstract the submission protocol, allowing a seamless transition for data engineers.
Eliminating SSH dependencies unblocked critical infrastructure goals, including Spark on Kubernetes and enhanced network isolation via child accounts.

#data #security #sre

Read original

PlanetScale Tech BlogMay 5, 2026

On benchmarking

Why it matters: Proper benchmarking is critical for making informed infrastructure decisions. Without rigorous controls for network latency, hardware parity, and workload modeling, results are often biased, leading to poor architectural choices and unexpected production performance issues.

Benchmarking requires a separate client and server to avoid resource contention, but network latency between them must be accounted for to prevent skewed results.
Hardware parity is essential; comparing different CPU generations or cloud instance types can lead to misleading performance advantages.
Workload characteristics, such as read/write ratios and data distribution (Uniform vs. Zipfian), significantly impact I/O wait times and cache efficiency.
Open-loop benchmarks are more realistic for production simulation as they maintain a fixed request pace regardless of database response speed.
Closed-loop benchmarks can suffer from coordinated omission, hiding tail latency issues by pausing request generation during database stalls.
Performance should be measured using both throughput (QPS) and latency percentiles (p50, p95, p99) to capture a complete system profile.

#data #sre #culture

Read original

Cloudflare BlogMay 1, 2026

Code Orange: Fail Small is complete. The result is a stronger Cloudflare network

Why it matters: This initiative demonstrates how large-scale platforms can mitigate global outages by treating configuration as code, implementing progressive rollouts, and ensuring emergency access remains independent of the primary network infrastructure. It's a blueprint for high-availability systems.

Introduced Snapstone, a new internal system for health-mediated, progressive configuration rollouts with automated rollback capabilities.
Implemented 'fail stale' and 'fail open/close' strategies across critical services to ensure traffic delivery even during configuration failures.
Adopted customer cohort segmentation for system updates, deploying changes to less critical segments first to minimize blast radius.
Enhanced 'break glass' procedures by establishing emergency access pathways independent of Cloudflare’s own Zero Trust infrastructure.
Standardized risk reviews and operational patterns to prevent configuration drift and ensure long-term infrastructure resilience.

#sre #dist #security

Read original

Netflix Tech BlogMay 1, 2026

State of Routing in Model Serving

Why it matters: This article demonstrates how to build a scalable ML platform that decouples model innovation from client applications. It provides a blueprint for managing complex routing, A/B testing, and high-throughput inference (1M+ RPS) in a distributed microservices environment.

Netflix's centralized ML serving platform manages over 1 million requests per second across hundreds of model types and versions.
Models are defined as self-contained workflows that encapsulate pre-processing, feature computation, and scoring, rather than simple inference functions.
The Switchboard service acts as a custom gRPC proxy layer that decouples client microservices from model sharding and infrastructure changes.
Routing logic is integrated with Netflix's experimentation platform to support A/B testing, shadow modes, and canary rollouts without client-side updates.
A standardized API abstraction allows client services to provide simple context (e.g., UserId) while the platform handles data fetching and model selection.
The architecture ensures high availability and rapid iteration by shielding clients from frequent Virtual IP (VIP) address changes and model-to-cluster mapping.

#mlp #dist #sre

Read original

Page 4 of 27

Prev 1 2 3 4 5 6...27 Next