Curated topic

sre

Posts tagged with sre

PlanetScale Tech BlogMar 30, 2026

High memory usage in Postgres is good, actually

Why it matters: Engineers often misinterpret high memory as a failure state. Distinguishing between beneficial caching and dangerous RSS pressure prevents unnecessary hardware scaling and helps teams correctly diagnose performance bottlenecks and OOM risks in database clusters.

High memory usage in Postgres is often desirable as the system uses RAM to cache data, significantly reducing slow disk I/O operations.
Postgres relies on two caching layers: the internal shared_buffers pool and the standard Linux OS page cache for frequently accessed data.
Memory is divided into reclaimable cache (active/inactive) and Resident Set Size (RSS), which is non-reclaimable process memory.
High RSS, rather than total memory usage, is the primary indicator of memory pressure and potential Out of Memory (OOM) risks.
RSS growth is driven by per-connection overhead, catalog bloat, and memory-intensive operations like sorts and hashes defined by work_mem.
Connection pooling with tools like PgBouncer is the most effective way to reduce RSS by limiting the number of active backend processes.

#data #sre

Read original

Cloudflare BlogMar 27, 2026

How we use Abstract Syntax Trees (ASTs) to turn Workflows code into visual diagrams

Why it matters: Visualizing code-based workflows is difficult due to dynamic logic like loops and parallel promises. Using ASTs to generate diagrams provides critical observability into complex durable executions, helping engineers debug and verify logic whether written by humans or AI agents.

Cloudflare Workflows now automatically generates visual diagrams for every deployment to improve observability of complex logic.
Unlike declarative workflow engines using YAML or JSON, Cloudflare uses Abstract Syntax Trees (ASTs) to statically derive graphs from dynamic JavaScript/TypeScript code.
The visualizer tracks Promise and await relationships to accurately represent parallel execution versus sequential blocking steps.
Diagrams are generated at deploy time by fetching bundled scripts and traversing an intermediate graph of WorkflowEntrypoints.
The underlying architecture uses a Durable Object engine to manage execution and dynamic dispatch to trigger user workers.
The system handles minified code from various bundlers like esbuild and rspack to extract step relationships and flow control.

#dist #sre

Read original

GitHub EngineeringMar 26, 2026

What’s coming to our GitHub Actions 2026 security roadmap

Why it matters: CI/CD pipelines are prime targets for supply chain attacks. GitHub's roadmap moves to secure-by-design infrastructure, providing engineers with deterministic dependencies, granular policy controls, and real-time observability to protect sensitive code and credentials.

Introducing workflow-level dependency locking to ensure deterministic, auditable CI/CD runs with cryptographic commit SHA verification.
Transitioning to immutable releases for the Actions ecosystem to prevent malicious code propagation via mutable tags and branches.
Implementing policy-driven execution via GitHub rulesets to centrally manage workflow triggers and allowed event types.
Enhancing credential security with scoped, least-privileged tokens to limit the blast radius of compromised CI environments.
Deploying real-time observability through an optional agent on runners to detect suspicious processes and unauthorized network activity.
Enforcing network boundaries to restrict egress traffic, preventing data exfiltration from CI/CD runners during execution.

#security #sre

Read original

Cloudflare BlogMar 26, 2026

A one-line Kubernetes fix that saved 600 hours a year

Why it matters: Default Kubernetes volume management can cause massive downtime for stateful apps with many small files. Understanding fsGroupChangePolicy is crucial for SREs to prevent recursive ownership checks from blocking pod startups and wasting hundreds of engineering hours.

Atlantis restarts were taking 30 minutes due to a large number of files on the Persistent Volume (PV) causing inode exhaustion and slow mounts.
Kubernetes defaults to recursively changing ownership (chgrp -R) of all files in a volume if fsGroup is specified in the securityContext.
For volumes with millions of files, this recursive check becomes a significant bottleneck, leading to context deadline exceeded errors in kubelet.
The issue was diagnosed by analyzing kubelet systemd logs rather than standard pod events, which failed to show the underlying volume mounting delay.
The fix involved setting fsGroupChangePolicy to OnRootMismatch, which only triggers ownership changes if the root directory's permissions don't match.
This one-line configuration change reduced restart times from 30 minutes to under 2 minutes, saving approximately 600 hours of engineering time annually.

#sre #security

Read original

PlanetScale Tech BlogMar 26, 2026

Stripe Projects partnership: Provision PlanetScale Postgres and MySQL databases from the Stripe CLI

Why it matters: This partnership simplifies infrastructure management by centralizing database provisioning and billing within the Stripe CLI. It addresses workflow fragmentation and provides a standardized way for developers and AI agents to handle credentials and payments across service providers.

PlanetScale is a launch partner for Stripe Projects, a new developer preview for centralizing tool provisioning and billing.
Engineers can now provision fully managed MySQL or Postgres databases directly from the Stripe CLI without leaving the terminal.
The integration simplifies credential management by allowing users to sync database connection strings directly to local .env files.
Stripe Projects aims to standardize the provisioning and credential handoff process, specifically addressing gaps highlighted by AI coding agents.
The workflow reduces context switching between dashboards and manual payment entry for infrastructure services.

#data #finops #sre

Read original

Dropbox Tech BlogMar 25, 2026

Reducing our monorepo size to improve developer velocity

Why it matters: Monorepo bloat directly impacts developer velocity and CI efficiency. This article highlights how Git's internal delta compression heuristics can fail at scale, providing a blueprint for diagnosing and fixing repository growth issues before hitting platform limits like GitHub's 100GB cap.

Dropbox reduced its server monorepo size from 87GB to 20GB, a 77% reduction that cut clone times from over an hour to under 15 minutes.
The repository was approaching GitHub's 100GB hard limit, creating operational risk and slowing down CI/CD pipelines.
Investigation revealed that Git's default delta compression heuristic, which only checks the last 16 characters of a file path, was failing on i18n files.
Because language codes appeared early in the directory structure, Git failed to pair similar translation files for efficient diffing, causing massive storage bloat.
The optimization significantly improved developer velocity by reducing the overhead of fresh clones for new environments and automated testing jobs.

#sre #culture

Read original

Salesforce EngineeringMar 24, 2026

How Automated Release Approvals Slashed Deployment Latency to Seconds Across 800 Releases

Why it matters: Manual release processes create bottlenecks and increase risk. Luminary demonstrates how a deterministic control plane can automate complex readiness checks, slashing deployment latency from days to seconds while ensuring reliability across deeply interdependent microservices.

Salesforce developed Luminary, a centralized release control plane that replaces manual human-gated approvals with deterministic automation for over 100 services.
The platform programmatically validates production readiness by evaluating SLO availability, PagerDuty configurations, and FIT (Failure Injection Testing) results in real-time.
Automated dependency validation ensures that upstream and downstream service health is verified before code promotion, preventing cascading failures in interdependent ecosystems.
By integrating with Slack and Argus telemetry, Luminary reduced release latency from hours or days to mere seconds, facilitating over 800 automated releases.
The system orchestrates the entire lifecycle, including Git tagging and work item creation, scaling velocity with system health rather than reviewer capacity.

#sre #dist

Read original

PlanetScale Tech BlogMar 24, 2026

Enhanced tagging in Postgres Query Insights

Why it matters: This update allows engineers to attribute database load to specific application contexts like users or background jobs. By balancing granular visibility with cardinality management, it provides actionable performance data without overwhelming telemetry infrastructure.

Postgres Query Insights now includes tag metadata in aggregated summaries, moving beyond individual notable query logs.
Tags are implemented using specially formatted SQL comments, allowing application-level context like controllers or jobs to be tracked.
The system emits separate aggregate messages for unique tag combinations to enable precise performance attribution for metrics like total execution time.
To prevent telemetry volume explosions, a cardinality reduction strategy collapses high-cardinality tags into a wildcard value when limits are exceeded.
Cardinality monitoring is applied per query pattern, ensuring that one high-cardinality tag doesn't degrade visibility for the rest of the database.

#data #sre

Read original

PlanetScale Tech BlogMar 23, 2026

Behind the scenes: How Database Traffic Control works

Why it matters: This feature prevents database brownouts by proactively blocking expensive queries before they consume resources. It uses historical execution data and planner costs to predict impact, ensuring high-priority traffic remains stable during unexpected load spikes.

Database Traffic Control is a Postgres extension feature that mitigates overload by intercepting and blocking expensive SQL queries before they execute.
The system utilizes Postgres hooks, specifically ExecutorRun, to evaluate queries against configured budgets for concurrency and resource consumption.
It employs a leaky-bucket rate limiter to manage capacity, ensuring that cumulative query costs do not exceed defined thresholds.
Cost prediction is achieved by multiplying the Postgres planner's estimated cost by a dynamic coefficient derived from exponential moving averages of historical CPU time.
Unlike statement timeouts or cgroups, this proactive approach saves server resources by preventing the execution of low-priority or high-cost queries entirely.

#sre #data

Read original

GitHub EngineeringMar 23, 2026

GitHub expands application security coverage with AI‑powered detections

Why it matters: This bridges security gaps in infrastructure-as-code and scripts that traditional static analysis misses. By integrating AI-driven detections and automated fixes into the PR workflow, engineers can resolve vulnerabilities faster and maintain high security standards without leaving their tools.

GitHub is introducing AI-powered security detections to complement CodeQL's deep semantic static analysis.
The new system expands security coverage to ecosystems like Shell/Bash, Dockerfiles, Terraform (HCL), and PHP.
Detections are integrated directly into the pull request workflow, surfacing risks like SQL injection and insecure crypto early.
Copilot Autofix provides review-ready remediation suggestions, reducing average resolution time from 1.29 hours to 0.66 hours.
Internal testing across 170,000 findings resulted in over 80% positive developer feedback.
The hybrid detection model is part of GitHub's agentic platform, aiming to evolve toward deeper AI-augmented analysis.

#security #mlp #sre

Read original

Page 5 of 23

Prev 1...3 4 5 6 7...23 Next