undefined | Better HN

0 pointsmewpmewp24mo ago0 comments

It seems they had this continous rollout for the config service, but the services consuming this were affected even by small percentage of these config providers being faulty, since they were auto updating every few minutes their configs. And it seems there is a reason for these updating so fast, presumably having to react to threat actors quickly.

0 comments

otterley4mo ago

It's in everyone's interest to mitigate threats as quickly as possible. But it's of even greater interest that a core global network infrastructure service provider not DOS a significant proportion of the Internet by propagating a bad configuration too quickly. The key here is to balance responsiveness against safety, and I'm not sure they struck the right balance here. I'm just glad that the impact wasn't as long and as severe as it could have been.

tptacek4mo ago

This isn't really "configuration" so much as it is "durable state" within the context of this system.

otterley4mo ago

In my 30 years of reliability engineering, I've come to learn that this is a distinction without a difference.

People think of configuration updates (or state updates, call them what you will) as inherently safer than code updates, but history (and today!) demonstrates that they are not. Yet even experienced engineers will allow changes like these into production unattended -- even ones who wouldn't dare let a single line of code go live without being subject to the full CI/CD process.

2 more replies

j / k navigate · click thread line to collapse

0 pointsmewpmewp24mo ago0 comments

0 comments

otterley4mo ago

tptacek4mo ago

This isn't really "configuration" so much as it is "durable state" within the context of this system.

otterley4mo ago

In my 30 years of reliability engineering, I've come to learn that this is a distinction without a difference.

2 more replies

j / k navigate · click thread line to collapse