A bit more context there since you might wonder why customers can cause Sev1’s.
Well, I work for a Database Technology company and we provide a managed service offering. This managed service offering has SLA’s that essentially enforce a 5 minute response time for any “urgent” issue.
Well, a common urgent issue is that the customer suddenly wants to load in a bunch of new data without informing us which causes the cluster to stop accepting write loads.
It’s to the point where most if not all urgent pages result in some form of scaling of the cluster.
Since this is a customer driven behavior, there is no real ability to plan for it - and since these particular customers have special requirements (and thus, less ability to automate scaling operations), I’m unsure if there is any recourse here.
It’s to the point that it doesn’t even feel like an SRE team anymore - we should just instead be called “On-demand scaling agents”. Since we’re constantly trying to scale ahead of our customers.
All in all, I’m starting to feel like this is a management/sales level issue that I cannot possibly address. If we’re selling this managed service offering as essentially “magic” that can be scaled whenever they need then it seems like we’re being setup for failure at the organizational level. Not to mention, not being smart about costs behind scaling and factoring that into these contracts.
So, fellow SRE’s have you had to have this conversation with a larger org? What works for something like this? What doesn’t? Should I just seek greener pastures at this point?
P.S. - Posted c/Programming due to lack of a c/SRE
It’s difficult to answer without a better understanding on your customers’ workloads and how those trigger your outages. There’s a bunch of valid angles from which to look at this.
If your product consistently buckles under customer workloads that they paid to be able to run, it sounds like you have either an underprovisioning or an overcommitment problem.
If you accept customer workload spikes that you don’t have the resources to serve but would be able to process if they were more spread over time, it sounds like you have an admission control problem.
If it’s a matter of adding resources to respond to customer activity spikes and you just have to do it manually, it sounds like you have an automation problem.
If your pager load is becoming such that you can’t do project work to address whichever ones of the above are relevant to you, it’s time to hand the pager back to devs. If you don’t have the institutional authority to hand back the pager to devs, it sounds like you have a management problem.
It is definitely an under provisioning problem. But that under provisioning problem is caused by the customers usually being very very stingy about what they are willing to spend. Also, to be clear, it isn’t buckling. It is doing exactly The thing it was designed to do. Which is to stop writes to the DB since there is no disk space left. And before this time, it’s constantly throwing warnings to the end user. Usually these customers tend to ignore those errors until they reach this stop writes state.
In fact, we just had to give an RCA to the c-suite detailing why we had not scaled a customer when we should have, but we have a paper trail of them refusing the pricing and refusing to engage.
We get the same errors, and we usually reach out via email to each of these customers to help project where their data is going and scale appropriately. More frequently though, they are adding data at such a fast clip that them not responding for 2 hours would lead them directly into the stop writes status.
This has led us to guessing what our customers are going to end up at. Oftentimes being completely wrong and eating to scale multiple times.
Workload spikes are the entire reason why our database technology exists. That’s the main thing we market ourselves as being able to handle (provided you gave the DB enough disk and the workload isn’t sustained for a long enough to fill the discs.)
There is definitely an automation problem. Unfortunately, this particular line of our managed services will not be able to be automated. We work with special customers, with special requirements, usually fortune 100 companies that have extensive change control processes. Custom security implementations. And sometimes even no access to their environment unless they flip a switch.
To me it just seems to all go back to management/c-suite trying to sell a fantasy version of our product and setting us up for failure.
Ok I’m starting to understand where you’re coming from now! It sounds like the leaders are happy for humans to do the work of increasing capacity on-demand rather than tackle the engineering challenges in handling workload spikes. The priority is to appease customers who are from well-known, “impressive”, well-paying (maybe not?) companies. Does that sound sorta right?
Can you not add an ingest throttle / queue before the writes hit the DB? But sounds like a management problem to me honestly
Definitely sounds like mostly a marketing/support/customer success engagement failure. Also sounds like someone in marketing wrote your SLAs, and that they need to be rewritten to something that’s based on actual data (specifically, the scale-up time of your cluster’s cloud provider + spin up time for whatever you’re running + some margin).
If it’s possible to do, and it causes a user experience issue, especially one as jarring as “stop accepting writes” you should start adding rate limits and validate inputs with rate limits expressed to the user before they hit the error rate.
To me you should already be sanitising input anyway, and this would just be part of that logic. If a user is trying to upload more than x it warns (with link to documentation of the limit). If user has gone past the rate limits, then error.
I’m not a sre or dev, just a sysadmin though. Users expect guard rails. If it’s possible, it’s permitted.
Probably not feasible in our case. We sell our DB tech based on the sheer IOPS it’s capable of. It already alerts the user if the write-cache is full or the replication cache is backing up too.
The problem is, at full tilt, a 9 node cluster can take on over 1GB/s in new data. This is fine if the customer is writing over old records and doesn’t require any new space. It’s just that it’s more common that Mr. customer added a new microservice and didn’t think through how much data it requires. Thus causing rapid increase in DB disk space or IOPs that the cluster wasn’t sized for.
We do have another product line in the works (we call it DBaaS) and that can autoscale because it’s based on clearly defined service levels and cluster specifications. I don’t think that product will have this problem.
It’s just these super mega special (read: big, important, fortune 100) companies have requirements that mean they need something more hand-crafted. Otherwise we’d have automated the toil by now.
As soon as you go down the path of customization for “special clients” you’ve already lost the battle. Business needs to agree to not sell something like that. I’m not being helpful here, but as soon as you’ve started customizing like that to get massive clients it will never end and it will just slowly suffocate your company.
When I was working in enterprise software, we had 2 ways of handling special customer requirements.
The product manager would engage with the sales engineer to identify if this was part of a feature that other customers of similar size or industry might need.
If so, design the feature for the broadest use cases and put in the development roadmap.
If it’s highly specific to one customer, offer customization work on a contract basis and keep it as a separate code branch and environment.
deleted by creator
How are they placing this data? Api? Not possible to align disk tiers to api requests per minute? Api response limited to every 1ms for some clients, 0.1ms rate for others?
You’re pretty forthcoming about the problems so I do genuinely hope you get some talking points since this issue affects, app&db design, sales, and maintenance teams minimally. Considering all aspects will give you more chance for the business to realise there’s a problem that affects customer experience.
I think from handling tickets, maybe processes to auto respond to rate limited/throttled customers with 'your instance been rate limited as it has reached the {tier limit} as per your performance tier. This limit is until {rate limit block time expiry}. Support tickets related to performance or limits will be limited to P3 until this rate limit expires."
Work with your sales and contracts team to update the sla to exclude rate limited customers from priority sla.
I guess I’m still on the “maybe there’s more you can do to get your feet out of the fire for customer self inflicted injury” like correctly classifying customer stuff right. It’s bad when one customer can misclassify stuff and harm another customer with an issue by jumping a queue and delaying response to real issues, when it’s working as intended.
If a customer was warned and did it anyway, it can’t be a top priority issue, which is your argument I guess. Customers who need more, but pay for less and then have a expectation for more than they get. It’s really not your fault or problem. But if it’s affecting you I guess I’m wondering how to get it to affect you less.
My answer won’t be as popular, but it’ll definitely get the attention of the right people on the customer’s side: charge HANDSOMELY for issues caused due to customers using the systems outside of agreemed to or published best practices.
I am consistently surprised by what companies are willing to pay to not worry about capacity. Incredible DataDog bills, for example, because they didn’t want to think about how many application metrics to store; “just keep it all!”. And boy do they happily pay for it!
Queues must stop accepting more work before they bring down the application.
If the customer wants to write too much data, start rejecting jobs.
Our database is actually pretty graceful. It just goes into stop writes status. You can still read any data and resolving the situation is as easy as scaling the cluster or removing old records. By no means is the database down or inoperable.
Essentially our database is working as designed. If we rate limited it further then we have less of a product to sell. The main feature we sell of our database technology is its IOPS and resiliency.
Further, this is just for a specific customer, it has no impact to any other customers or any sort of central orchestration. Generally speaking the stop writes status only ever impacts a single customer and their associated applications.
Also, customers can be very stingy with the clusters they are willing to buy. We actually are on poor terms of the couple of our customers who just refuse to scale and just expect us to magic their cluster into accepting more data than its sized for.
There is a fundamental rate limit based on cluster performance.
Your application is not aware of this limit, so it pretends to the client that there is no limit, then falls over.
Since you can’t make that number be infinity for your stingy customers, you need to send a rate limit exceeded error, even if you won’t admit to having an actual IOPS limit.
Surely there are cluster sizing guidelines you can point to once someone fills the queue?
“Your application” - the customers you mean. Our DB definitely does it’s own rate limiting and it emits rate limit warnings and errors as well. I didn’t say we advertised infinite IOPs that would be silly. We are totally aware of the scaling factors there and to date IOPs based scaling is rarely a Sev1 because of it. (Oh no p99 breached 8ms. Time to talk to Mr customer about scaling up soon)
The problem is that the resulting cluster is so performant that you could load in 100x the amount of data and not notice until the disk fills up. And since these are NVME drives on cloud infrastructure, they are $$$.
So usually what happens is that the customer fills up the disk arrays so fast that we can’t scale the volumes/cluster fast enough to avoid stop-writes let alone get feedback from the customer in time. And now that’s like the primary reason to get paged these days.
We generally catch gradual disk space increases from normal customer app usage. Those give us hours to respond and our alerts are well tuned. It’s the “Mr. Customer launched a new app and didn’t tell us, and now they’ve filled up the disks in 1 hour flat.” that I’m complaining about.
deleted by creator
Inform and throttle. Think about how your own computer works. If storage reaches its max capacity, you get a signal back saying “filesystem full” (or whatever), not “internal storage error”. If the CPU gets busy, it doesn’t crash; things start slowing down, queued up, prioritised (and many other complicated mechanisms I’m not across!).
You could borrow those ideas, come up with a way to implement the behaviour in your systems, then present them to whoever could allocate the time & money.
Another approach is try to get a small, resource-constrained version of the system running and hammer it by loading heaps of data like those customers do. How does it behave? What are the fatal errors and what can we deal with later?
That is exactly what we do. The problem is that as a managed service offering. It is on us to scale in response to these alerts.
I think people are misunderstanding my original post. When I say that customer cluster will go into stop writes, that does not mean it is not functional. It is an entirely intended function of the database so that no important data is lost or overwritten.
The problem is more organizational. It’s that we have a 5 minute SLA to respond to these types of events and that they can happen at any random customer impulse.
I don’t have a problem with customers that can correctly project their load and let us know in advance. Those are my favorite customers. But they’re not most of our customers.
As for automation. As I had exhaustedly detailed in another response, we do have another product that does this a lot better. And it’s the one that we are mass marketing a lot more. The one where I’m feeling all the pain is actually our enterprise level managed service offering. Which goes to customers that have “special requirements” and usually mean that they will never get as robust automation as the other product line.
I think the issue is that customers can escalate directly to SRE.
SRE is supposed to work on the health and reliability of the service. It does sound like there is a reliability issue when loading large datasets. But this should be project work, not incident response work.
Is your service violating your internal SLOs when this happens?
Where I work, customers escalate to a support team, who tries to work with them. It’s only after the support team decides it’s a product issue that it makes it to SRE. Even then, 90% of the time, the support staff will file a ticket to be handled at business hours rather than page SRE.
If this auto scaling delay is expected, I’d try to do two things:
-
Produce better error messages, so that the customer can know what’s happening and hopefully not need to escalate.
-
Work with the rest of the company (typically the Product or Support teams if you have them) to make sure customers understand these limitations.
-
Edit Oh, also don’t let customers page you for known limitations. Design a better process around this.
And if it’s that bad, SRE should invest in project work to make the autoscaling less painful.
Edit: Your service should return some kind of client error (i.e. exempt from SLO) in this situation. In gRPC, that would probably be RESOURCE_EXHAUSTED, and the error message should be something like “Yo your DB is out of disk, chill out while we fetch more disk. To avoid these errors in the future, pre-scale before large writes.”
-