惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
V2EX - 技术
D
DataBreaches.Net
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
V
V2EX
Hugging Face - Blog
Hugging Face - Blog
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
Cisco Talos Blog
Cisco Talos Blog
Microsoft Security Blog
Microsoft Security Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
K
Kaspersky official blog
F
Fortinet All Blogs
GbyAI
GbyAI
Forbes - Security
Forbes - Security
The Cloudflare Blog
博客园 - 司徒正美
博客园_首页
量子位
Schneier on Security
Schneier on Security
G
GRAHAM CLULEY
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
P
Proofpoint News Feed
N
News | PayPal Newsroom
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
T
Tor Project blog
V
Vulnerabilities – Threatpost
Y
Y Combinator Blog
Jina AI
Jina AI
Help Net Security
Help Net Security
T
Threat Research - Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
N
News and Events Feed by Topic
I
Intezer
B
Blog
美团技术团队
C
CERT Recently Published Vulnerability Notes
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Blog — PlanetScale
Blog — PlanetScale
AWS News Blog
AWS News Blog
T
Tailwind CSS Blog
The Last Watchdog
The Last Watchdog
雷峰网
雷峰网
有赞技术团队
有赞技术团队

The Practical Developer

The Libuv Thread Pool Trap: Why Node.js Async APIs Stall Under Load Postgres Covering Indexes with INCLUDE: Eliminate Heap Fetches on Read-Heavy Workloads Postgres DISTINCT ON: The Fastest Way to Get the Latest Row Per Group Postgres Transaction Isolation: The Anomalies Your App Actually Faces in Production Linux TCP Tuning for Node.js Microservices: The Kernel Settings That Stop Silent Connection Drops Under Load Postgres HOT Updates and Fillfactor: Why Not All Writes Are Created Equal Database Connection Pool Leaks: Finding the Promise That Never Returns Its Seat Linux OOM Killer in Production: Why Your Node.js Containers Die Without a Stack Trace Postgres Materialized Views: Refresh Strategies That Do Not Lock Your Dashboards API Dependency Health Checks: Why /health Is Not Enough Authorization with Zanzibar Tuples: How Google Manages Permissions and How To Build the Same Check in Node.js Postgres Advisory Locks: The 20-Character Primitive That Replaces Redis for Coordination Dead Letter Queues: The Message Queue Pattern That Saves You at 2 a.m. File Descriptor Exhaustion: The Kernel Limit That Silently Drops Node.js Connections Graceful Degradation: The Pattern That Turns Total Outages into Partial Success PostgreSQL Full-Text Search: Dropping Elasticsearch for 90% of Use Cases S3 Presigned Multipart Uploads: Stop Your API Server from Being a File Upload Bottleneck MessagePack vs JSON: The Binary Serialization Switch That Cut Our Internal RPC Overhead by 40% DNS Caching in Node.js: The Silent Cause of Production Latency Spikes Reliable Cron Jobs: The Pattern That Stops Double Runs, Missed Executions, And The 2 AM Page GraphQL Query Complexity: Stop the OOM Query Before It Reaches Your Resolver Node.js Event Loop Lag: The Hidden Metric Behind Random Latency Spikes API Request Validation with Zod: The Schema That Catches Bad Input Before It Corrupts Your Database Load Shedding in Node.js: How to Reject Traffic Before You Drown Request Hedging: Cut Tail Latency In Half Without Overprovisioning Git Bisect: The Automated Binary Search That Finds Breaking Commits in Minutes Node.js Garbage Collection Tuning: Stop Letting V8 Pause Your Event Loop Node.js Server Timeouts: The Settings That Stop Slow Clients from Holding Sockets Hostage Postgres BRIN Indexes: The Time-Series Secret That Shrinks Indexes by 99% Event Sourcing with PostgreSQL: The Pragmatic 80% Solution Node.js Cluster Mode: Scaling the Event Loop Across CPU Cores Postgres Partial Indexes: Stopping Soft Deletes from Ruining Your Query Performance Request Coalescing with the Singleflight Pattern: Stop Drowning Your Database on Every Cache Miss The Bulkhead Pattern: Why One Slow Endpoint Should Not Drown Your Whole Service Node.js AsyncLocalStorage: End-to-End Request Context Without the Propagation Hell Postgres Deadlocks: Logging the Victim, Reproducing the Race, and Fixing the Lock Order Your Node.js HTTP Client Is the Bottleneck: Connection Pool Tuning That Works Optimistic Locking in Postgres: Stop Losing Data to Race Conditions Postgres Read Replicas: Stop Serving Stale Data to Your Users Cursor Pagination: Why Offset Queries Explode at Scale and How to Fix Them Node.js Worker Threads: 60 Lines That Stop a CSV Upload from Timing Out Every Other Request Reliable Webhook Delivery: Architecture for Outbound HTTP You Can Trust Request Timeouts and Deadline Propagation: Stop the Chain of Slowness Advanced Security Practices in Node.js Graceful Shutdown in Node.js: The 40 Lines That Stop 502s During Deploys Finding Node.js Memory Leaks with Heap Snapshots Idempotency Keys in 30 Lines: Stop Your Webhook From Charging Customers Twice Backpressure In Node.js: The Fix For Slow-Motion Queue Meltdowns Retries Done Right: Jitter, Budgets, and the Stampede You Did Not See Coming The Cache Stampede: Why Your "Just Add Redis" Layer Crashes Postgres at 3 a.m. Postgres SKIP LOCKED: An 80-Line Job Queue You Can Run Without Redis Stop Doing Work Nobody Wants: AbortController in Node.js, Done Right The N+1 Query Problem: We Found 23 In One Codebase And Killed Every One I Tried 5 AI Coding Tools for a Month. Here Is What I Actually Use CI/CD From Zero to Production in 30 Minutes With GitHub Actions Node.js vs Bun vs Deno: Which Runtime Should You Pick in 2025? Kubernetes Resource Requests And Limits: The Numbers That Decide If Your Cluster Is Stable The Three Pillars of Observability Are A Myth: What Actually Matters In Production pnpm Vs npm Vs yarn Vs Bun For Monorepos: Which One Earns The Migration In 2024 JSONB Indexing In Postgres: GIN Vs Expression Indexes, And When Each Is The Right Choice A Code Review Checklist That Ends The Same Three Arguments Every Sprint gRPC Vs REST In 2024: When The Switch Pays For Itself React Suspense For Data Fetching: The Pattern That Replaces Half Your Loading State Code The Five-Stage Rollout: How To Ship A Risky Change Without Holding Your Breath GitHub Actions In A Monorepo: Caching, Path Filters, And Secret Boundaries That Actually Work Recursive CTEs In Postgres: How To Query A Tree Without N Round Trips Node.js Streams: When They Actually Help, And When They Just Add Complexity Playwright Vs Cypress In 2024: The Honest Comparison Of Which One Earns The Test Time React Server Components: The Mental Model That Makes The "use client" Boundary Obvious Pod Disruption Budgets: The K8s Object That Keeps Your Service Up During Cluster Maintenance Postgres LISTEN/NOTIFY: The Pub/Sub You Already Have And Are Not Using Chaos Engineering Starter Kit: The Five Drills That Don't Need Netflix-Scale Spec-Driven API Development With OpenAPI: How To Stop Drifting From Your Docs Saga Pattern vs Two-Phase Commit: Distributed Transactions Without The Lies Kubernetes Autoscaling Beyond CPU: The Custom-Metric HPA Pattern That Actually Works Postgres Partitioning For Time-Series: The Boring Setup That Saves Your Database Distributed Locks With Redis: An Honest Look At Redlock And When You Don't Need It HTTP/2 vs HTTP/3: What Actually Changes For Your App, And What Doesn't Image Optimization For The Web In 2023: srcset, AVIF, And The Lighthouse Score You Actually Want Kafka vs RabbitMQ: A Decision Tree That Doesn't Hate You UUID vs Bigint Primary Keys In Postgres: The Index Math That Decides For You Flame Graphs: How To Find The Slow Function In 30 Seconds Without Profiling Theatre Postgres Streaming Vs. Logical Replication: Which One Solves Your Actual Problem ESLint Rules That Earn Their Keep: The Twelve I Enable On Every Project Pre-Commit Hooks That Pay For Themselves: Husky, lint-staged, And The Five Rules That Stick Zero-Downtime Database Migrations: The Six-Step Pattern That Rules Them All Circuit Breakers In Node.js: 50 Lines That Stop A Failing Dependency From Taking Down Your Service Postgres VACUUM Is Not Magic: How Your Hot Table Bloats To 80GB And How To Fix It Kubernetes Liveness And Readiness Probes: The Difference That Causes Half Your Outages Rate Limiting In Production: A Token Bucket In 30 Lines Of Redis The Outbox Pattern: How To Stop Losing Events When Postgres And Kafka Disagree Load Testing With k6: The Three Scenarios That Find Real Bugs (Not Synthetic Numbers) Postgres Row-Level Security For Multi-Tenant Apps: The Pattern That Stops You From Leaking Data Rebase vs. Merge: The Team Policy That Ends The Argument Forever OpenTelemetry in Node.js: Distributed Tracing That Actually Helps During an Incident Feature Flags That Pay Rent: The 4 Flag Types And When To Delete Each ETag, Last-Modified, and the Caching Headers Most APIs Get Wrong Connection Pooling Without the Cargo Cult: pgbouncer in 100 Lines of Config JSONB Is Not a Schema: When To Reach For It in Postgres, And When To Stop Bash Strict Mode: The Three Lines That Stop Your Deploy Script From Lying To You
The Blameless Postmortem That Actually Improves Things: A Template And Six Hard-Won Rules
The Practica · 2024-04-26 · via The Practical Developer

The team had an outage Tuesday. The postmortem doc was opened Wednesday, written Thursday, presented Friday, and forgotten by the following Monday. Three months later, the same incident happens with the same root cause, because the action items lived in a Google Doc nobody read.

A useful postmortem is not the document. It is the process around the document: the questions asked, the system-level conclusions drawn, the action items that get owned and shipped. Most teams have the document right and the process wrong, which is why the same incidents keep happening.

This post is the template that has worked for me on multiple teams, plus the six rules that distinguish “incident analysis that improves the system” from “an artifact for the records.”

# Incident Postmortem: <short summary>

## Status
- **Severity:** SEV1 / SEV2 / SEV3
- **Duration:** 14:32 - 15:47 UTC (1h15m)
- **Customer impact:** ~3% of users saw 5xx on /api/checkout for 35 min
- **Author:** @engineer (incident commander during)
- **Reviewers:** @teamlead, @sre

## Summary
Two paragraphs max. What happened, what was the impact, what was the trigger.

## Timeline

| Time (UTC) | Event |
|---|---|
| 14:25 | Deploy of api-svc v2.43 begins |
| 14:30 | First 5xx spike observed in dashboards |
| 14:32 | PagerDuty fires; @oncall acknowledges |
| 14:38 | @oncall identifies recent deploy as likely cause |
| 14:42 | Rollback initiated |
| 14:48 | Rollback complete; 5xx rate normalizing |
| 15:47 | All metrics back to normal; incident declared resolved |

## Root cause
What changed in the system that caused this. Not "human error."
Be specific: which line, which config, which assumption.

## Why we didn't catch it sooner
Why did monitoring not fire earlier? Why did testing not catch this?
Why did the deploy succeed when it should have failed?

## What went well
Yes, really. The team responded fast, the rollback was clean, etc.
Most postmortems skip this and miss reinforcing what worked.

## What didn't go well
Concrete failures. The dashboard for X took 10 minutes to load.
The runbook for Y was outdated. Etc.

## Lessons learned
The system-level takeaways. What does this incident reveal about
our architecture, processes, or assumptions?

## Action items

| # | Action | Owner | Due | Status |
|---|---|---|---|---|
| 1 | Add unit test covering the bad config path | @alice | 2024-04-30 | Open |
| 2 | Update deploy gate to verify config before rollout | @bob | 2024-05-15 | Open |
| 3 | Add SLO alert for 5xx ratio > 0.5% (currently > 1%) | @carol | 2024-05-08 | Open |

## Related incidents
Links to similar past incidents.

The format is not magic. The discipline of filling each section honestly is what matters.

The six rules

1. Blameless means systems-focused, not “no consequences.”

A blameless postmortem doesn’t mean “Alice merged the bad PR” is forbidden. It means the question is “why did our system make it possible for Alice to merge the bad PR,” not “Alice should be more careful.” Action items target the system, not the person.

The right question is “what would have made it impossible for anyone to do this?”

The wrong question is “who is responsible?”

2. Root cause is the change, not the symptom.

“Database was slow” is a symptom. “Connection pool was exhausted” is closer. “We released a feature that opens a connection per request and never returns it” is root cause.

Keep asking “and why did that happen” until you hit a system property that can change. Often three to five whys deep.

3. Action items must have owners and dates.

A postmortem with action items like “improve testing” and no owner is a postmortem that produced nothing. Each action item needs:

  • A specific deliverable (a PR, a runbook, a config change).
  • An owner (one person, named).
  • A due date (specific, not “soon”).

If you can’t write all three, the action is too vague. Refine.

4. Action items get tracked like any other work.

After the postmortem, action items go into the team’s normal task tracker (Linear, Jira, GitHub Issues). Not into a “postmortem follow-ups” graveyard that nobody opens. They are reviewed in the next sprint planning like any other work.

The metric: how many postmortem action items were completed within their due date. A healthy team is above 80%. Below 50%, postmortems are theatre.

5. Share the postmortem widely.

The team that had the incident learns. But the next team has similar systems and similar risks. Share postmortems org-wide, in a channel everyone reads, with clear summaries.

This is also how cultural norms spread. New teams see what a good postmortem looks like by reading existing ones.

6. Read your old postmortems.

Once a quarter, scan your incident history. Are the same root causes recurring? Are action items shipping? Has anything actually improved?

If you cannot point to a specific reliability win in the last quarter that came from postmortem follow-ups, the process is broken. Probably action items aren’t being completed or aren’t ambitious enough.

What “five whys” looks like in practice

A real example of drilling down:

Q: Why did the API return 5xx? A: Database connections were exhausted.

Q: Why were connections exhausted? A: A new endpoint we deployed opens a connection per request and never closes it.

Q: Why did that ship to prod? A: Code review missed it; there’s no automated test for connection lifetime.

Q: Why is there no test? A: We don’t have an integration-test setup that catches resource leaks.

Q: Why don’t we have one? A: Building it would take a week and we’ve been deferring it.

Action items emerge naturally from each “why”:

  1. Fix the leaking endpoint (immediate).
  2. Add a code-review checklist item: “does this open new connections?” (cheap).
  3. Build the integration-test setup that catches resource leaks (the long-term fix).

What about “we didn’t catch it”

Outages are also detection failures. Always include a “why didn’t we catch this sooner?” section. Common findings:

  • Alert thresholds were too generous (“5xx > 5%” instead of ”> 0.5%”).
  • Alert was firing but went to a Slack channel nobody watches.
  • Dashboard for the affected metric was buried in a Looker folder.
  • The metric for the failure mode wasn’t being collected at all.

These are typically the easiest, highest-leverage action items. Fixing detection is cheap. Fixing the underlying system is harder.

Resist these patterns

Three antipatterns to call out and avoid:

“We learned a lot from this.” A postmortem that identifies no concrete actions has not learned anything. The action items are the learning.

“We need to improve communication.” Vague. What specifically needs to change? Who owns it?

“This was a freak occurrence; nothing to do.” Almost never true. The Swiss-cheese model: every incident is multiple holes lining up. Even rare incidents tell you about the holes.

The cadence that works

A weekly schedule that prevents postmortem rot:

  • Day 1 (within 24h of resolution): Incident commander writes timeline and summary while memory is fresh.
  • Day 2-3: Document circulates for input from involved engineers.
  • Day 5: Postmortem meeting (30-45 minutes). Discuss findings, agree on action items, assign owners.
  • Day 7: Final document published org-wide. Action items in trackers.
  • Quarterly: Review unfinished action items; close or re-prioritize.

Don’t let the document drag on for two weeks. The longer it sits, the less anyone remembers, the less useful it becomes.

The takeaway

A postmortem is a tool for systemic improvement, not an artifact. The template is straightforward; the discipline around it is what matters. Blameless means systems-focused. Root cause is the change, not the symptom. Action items have owners and dates and get tracked. Share widely. Re-read quarterly.

The team that does this well shows up at the next incident response with the muscle memory built from previous postmortems. The team that doesn’t has the same incident every quarter.

A note from Yojji

The kind of incident-management discipline that turns “we had an outage” from a recurring drama into a cycle of measurable improvement (postmortems with owned action items, shared learnings, quarterly reviews) is the kind of long-haul engineering culture Yojji’s teams put into the products they ship for clients.

Yojji is an international custom software development company founded in 2016, with teams across Europe, the US, and the UK. They specialize in the JavaScript ecosystem, cloud platforms (AWS, Azure, GCP), and full-cycle product engineering, including the operational practices that decide whether reliability improves over time or stays the same.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。