惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
T
Troy Hunt's Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Vercel News
Vercel News
T
Threatpost
G
Google Developers Blog
T
Threat Research - Cisco Blogs
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
The Exploit Database - CXSecurity.com
H
Heimdal Security Blog
Google DeepMind News
Google DeepMind News
Cyberwarzone
Cyberwarzone
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
Hacker News: Ask HN
Hacker News: Ask HN
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Schneier on Security
B
Blog
V2EX - 技术
V2EX - 技术
NISL@THU
NISL@THU
C
CERT Recently Published Vulnerability Notes
W
WeLiveSecurity
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Y
Y Combinator Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Spread Privacy
Spread Privacy
The Last Watchdog
The Last Watchdog
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
Blog — PlanetScale
Blog — PlanetScale
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
人人都是产品经理
人人都是产品经理
爱范儿
爱范儿
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
Project Zero
Project Zero
I
Intezer
罗磊的独立博客
H
Hackread – Cybersecurity News, Data Breaches, AI and More
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - Franky
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler

Buttondown's blog

Email could have been X.400 times better The physicists who convinced Fermilab to send Brazil's emails Better in-app previews Analytics 3.0 Subscriber ID variables Comments! Send latest premium action Automation filtering Free API subscribers Surveys in automations Reply to replies Labels for RSS feeds How Jeremy Singer-Vine curates curious datasets for readers 2023 (and what's next) Email vs web content Sort by engagement Better gift subscriptions How Andy Dehnart built a career reviewing television New email template Email-based automations Opt-in reply tracking Automatic alt text More social network integrations Sort by metadata Overlarge image warnings Automation tag actions Pause emails mid-flight Search tags and automations Gift via automations Subscriber-driving emails Programmatic webhooks Email page views Tag statistics Discord webhook formatting Automatic subscriber cleanup RSS subscriber count Weekly subscriber reports More list columns Customizable list views How Max Voltar turned a side gig into a trusted keyboard resource How Nick Disabato runs two newsletters from one design consultancy Made-for-you share images Automation improvements End-of-email surveys Filter by date Survey-triggered automations More automation functionality New webhooks How France Insider built a news service with paid subscribers Email as primary key How John Willshire unites two businesses in one newsletter Confirmation reminders Email churned subscribers Email-to-draft Subscriber metadata columns ChatGPT integration Faster web archives Referral program Better search results TikTok embeds Subscriber timeline Spotify embeds Improved RSS-to-email Subscribe page OG image New analytics page Google Tag Manager Even more subscriber types Integrating Duda with Buttondown Linktree integration guide Advanced and enterprise plans Framer integration guide API requests page Team collaboration In-email surveys Better CSS settings Better RSS automation fetching! Editor toolbar improvements Smart filters Faster emails page RSS automations Faster email analytics Zapier error codes Image accessibility checks Tags vs newsletters OG image picker Image editor improvements API bulk actions Improved OpenAPI spec Mastodon support Better subscriber filtering Better subscriber validation Hotkey support! Programmatic access to analytics Stronger bulk actions Faster archive page Custom canonical URLs Email slug and metadata Improved writing interface Generating a Typescript router in Django Filter emails by source
Public postmortem: database connection exhaustion
Justin Duke · 2026-04-01 · via Buttondown's blog

Our public postmortem for the incident on March 31st, 2026.

Justin Duke

Justin Duke

April 1, 2026

TL;DR

Yesterday (March 31st), Buttondown experienced two periods of downtime — approximately seven minutes and thirteen minutes, respectively — both stemming from the same root cause: database connection exhaustion.

To be specific: our database itself was healthy. Queries were fast, CPU and memory were fine, replication lag was nominal. The problem was simpler and, frankly, more embarrassing than that: we hit the ceiling on the number of connections our database was configured to accept. Once that ceiling was hit, new requests couldn't acquire a connection and failed.

First off, apologies for the disruption — particularly because this happened twice in one day.

How did we detect the issue?

This is where things get uncomfortable. Our health checker mostly reported things as fine. The health check endpoint returned 200s for the majority of requests because the checker's requests happened to land on workers that already held open connections. Think of it like a house party where the front door has collapsed: if you're already inside, or you know where the back door is, everything seems fine. Our external monitoring was essentially getting lucky — squeezing through just often enough to not trigger alerts.

We were alerted by user reports and our own manual observation, not by automated systems. That's not acceptable.

How did we mitigate the issue?

First incident: We identified the connection exhaustion, killed active queries to free up connections, and earmarked follow-up work for later. Downtime: ~7 minutes.

Second incident: Same root cause, but this time the connection count was so thoroughly saturated that we couldn't even connect to the database to kill queries. The tool we'd used to fix the first incident required the very resource that was exhausted. We had to restart the database to force-kill the ongoing queries. Downtime: ~13 minutes.

How will we prevent this from happening again?

Five things, roughly in order of "should have already existed" to "genuinely new investment":

  1. Reserved administrative connections. This is the single highest-leverage change. Most Postgres configurations support reserving a small number of connections specifically for administrative access. If we'd had even one reserved connection for ops, we could have killed queries during the second incident the same way we did during the first. The reason the second incident lasted nearly twice as long as the first is that we were locked out of our own fix. That won't happen again.

  2. Database-level alerting. We're adding direct monitoring on connection count as a percentage of the configured maximum. This is distinct from our end-to-end health checking — it doesn't care whether HTTP requests are succeeding. It watches the database itself and alerts when we're approaching capacity. By the time you read this, this should be live.

  3. Health check hardening. Our health check endpoint currently returns a static 200 — it doesn't actually verify that the process can acquire a database connection. We're changing it to attempt a lightweight query so that connection exhaustion is immediately visible to our health checker and load balancer. A health check that can't detect the most common failure mode isn't much of a health check.

  4. Connection headroom review. The configuration that was "too low" had been set a long time ago and never revisited as our traffic patterns changed. We're adding connection limits to our quarterly capacity review so this kind of slow drift doesn't catch us off guard again.

  5. Out-of-band recovery tooling. Beyond reserved connections, we're documenting and scripting a fallback for when even administrative access is blocked: force-recycling workers to release connections without needing a database connection at all. Not as surgical as killing individual queries, but it releases connections immediately and gives us a way out when nothing else works.