DevOpsDaysPortugal 2019 - Pedro Torres - Unicorn on-call

Transcript

1. Unicorn On-call DevOpsDays Portugal 2019, Lisbon

2. Unicorn On-call • DevOpsDays Portugal 2019, Lisbon

3. Unicorn On-call DevOpsDays Portugal 2019, Lisbon

4. Hi there! I’m Pedro! • Engineering Director @ • Impact-driven

   person • Passionate about People, Technology, and Products • Agile, Lean and DevOps aficionado • 10+ years of experience running engineering teams

5. On-call :: Definition (of a person) able to be contacted

   in order to provide a professional service if necessary, but not formally on duty. ‘The team is on call 24 hours-a-day, and is trained in resuscitation techniques and how to use live-saving defibrillators.’ ‘If you work in a global organization, you might be on call 24 hours a day for troubleshooting or consulting.’ ‘You have to get up in the middle of the night if you're on call.’

6. On-call :: You need Shifts People Systems

7. On-call :: You need Rotas People Systems

8. On-call :: You need Rotas Heroes Systems

9. On-call :: You need Rotas The Critical Ones Heroes

10. On-call :: Why Customers Production Systems Engineers Company Job

11. Our On-call journey (so far)

12. Choose your civilization Greek Egyptian Mesopotamian Asian

13. Stone Age Town Center 200 (wood)

14. Stone Age • Everyone was on-call (even the CEO)

15. Tool Age

16. Tool Age • “Operations team” aka “DevOps team” • “DevOps

    engineers” were on-call (not all of them)

17. Tool Age • Officially we only had two engineers on-call

18. Tool Age • 3 days rotas

19. Tool Age • After business hours, everyone available on Slack

    would help out

20. Tool Age • VictorOps

21. Tool Age • Tons of alarms • False positives (Broken

    windows theory https://en.wikipedia.org/wiki/Broken_windows_theory) • MTTA not tracked • MTTR “over 9000” • All systems were on-call (Because none was… so all of them were)

22. Tool Age • No compensation (voluntarily and pro-bono)

23. Tool Age • Alarms in staging environments

24. None

25. Tool Age • Fatigue and Burn out

26. Tool Age • Churn

27. Tool Age • Blameless PMs (PIs and PEs)

28. Tool Age • (Not so) Cool Stats • Alarms triggered:

    2356 • Days with alarms triggered: 279 • MTTA: 456 seconds / ~ 7,5 minutes • MTTR: 1029 seconds / ~ 17 minutes • PMs written: 75 • Uptime: 99,919%

29. Bronze Age

30. Bronze Age • We evaluated 3 scenarios: “Primary / Secondary”,

    “Just primary” and “Primary / Secondary (SRE)” • SRE team covering own rota (infra one) –> We rebranded the Ops team to SRE team • Development teams with rotas (dedicated to their systems) • One engineer per rota (no secondaries) • Engineers on-call (eat your own dog food: you develop it… you maintain it in PROD!)

31. Bronze Age • We had more than twenty engineers on-call

32. Bronze Age • Tools: One hotspot per rota (no smartphones

    so that we don’t make people carry two devices) + VictorOps App

33. Bronze Age • One week rotas (four rotas in total)

    • The rotas start / end every Tuesday (i.e. End-of-Sprint day) aligning the rotas calendar with the sprints calendar

34. Bronze Age • Only critical systems covered by the program

    (defined by Engineering and agreed with stakeholders (e.g. Product, Customer Services, Support))

35. Bronze Age • On-call playbooks

36. Bronze Age • Incident commander defined - The Incident Commander

    (IC) holds the high-level state about the incident. They structure the incident response task force, assigning responsibilities according to need and priority

37. Bronze Age • Weekly fire drills (or like Google calls

    it "Wheel of misfortune")

38. Bronze Age • Compensation defined (money + time off). Flat

    fee. No compensation per incident

39. Bronze Age • Alarms fine tuned • Defined time to

    Ack under 5 minutes • Redefined thresholds • Distinguished Alarms from Notifications: The alarm requires immediate action. The notification can wait for the next day or so • Cleaned up alarms from non Production environments
40. None

41. Bronze Age • Volunteer based and not compulsory based (Yeah…

    we ran into “trouble” and I went on-call because of that: eat your own dog food… lead by example… I took 4 consecutive weeks on-call)

42. Bronze Age • Engineers participating in multiple rotas • Avoiding

    engineers doing rotas back to back

43. Bronze Age • PTO/Vacations and unexpected leaves self-managed (with facilitation)

    by each rota

44. Bronze Age • Acacio’s list when joining the program (origin:

    internal meetup with Acacio Cruz –> Google SRE and co-author of Google SRE book)

45. Bronze Age • Shadowing when joining the program

46. Bronze Age • Little time to work on the resiliency

    of systems (hard to prioritize and hard to complete action points from PMs during sprints)

47. Bronze Age • On-call procedure • Updating the company’s status

    page • Keeping the organization/stakeholders informed with the incident status every 5 minutes

48. Bronze Age • 24x7x365 coverage

49. Bronze Age • Performance reviews completely disassociated from the on-call

    program (no one gets a worst review because of not participating in the program)

50. Bronze Age • Although we have offices in different time

    zones we didn’t use a “follow the sun” strategy (lack of engineers in the US)

51. Bronze Age • P0s are all-hands on deck and we

    are “entitled” to call all engineers that can help • Panic button on slack with Zappier integration

52. Bronze Age • Cool Stats • Alarms triggered: 1583 (-33%)

    • Days with alarms triggered: 292 (+5%) • MTTA: 41 seconds (-91%) • MTTR: 424 seconds / ~ 7 minutes (-59%) • PMs written: 123 (+64%) • Uptime: 99,983% (+0,064%)

53. Iron Age

54. Iron Age • Vanguard program (thank you Raoul, Bruno, and

    Sean)
55. None
56. None
57. None
58. None
59. None
60. None
61. None
62. None
63. None
64. None
65. None
66. None
67. None
68. None
69. None
70. None
71. None
72. None
73. None
74. None
75. None
76. None

77. Iron Age • Gamification

78. Iron Age • On-call engineers stay off their regular sprint

    to work on Vanguard’s backlog

79. Iron Age • (Really) Cool Stats • Alarms triggered: 454

    (-14%) • Days with alarms triggered: 100 (+3%) • MTTA: 32 seconds (-21%) • MTTR: 374 seconds / ~ 6 minutes (-12%) • PMs written: 34 (-17%) • Uptime: 99,996% (+0,013%)

80. Final thoughts

81. Final thoughts • On-call doesn’t need to suck

82. Final thoughts • Be fair • Be honest • Be

    respectful

83. Final thoughts • Although the engineers are being paid to

    be on-call… don’t forget that they are doing us a favor!

84. Final thoughts • Don’t aim for perfection and don’t overthink

    things… Any start is better than none

85. Final thoughts • Google SRE book is a great inspiration

    (and an herculean task to read the entire book… 552 pages!)

86. Final thoughts • #oncallselfie

87. Final thoughts • Burnout is a real thing… it affects

    performance and churn… but most importantly… health!

88. Final thoughts • Tune those alarms! It’s one of the

    main factors of success!

89. Final thoughts • Don’t make rushed decisions because you are

    getting too many alerts (e.g. turning off alarms)

90. Final thoughts • Take advantage of the business hours (when

    you have the entire engineering team at the office) to tackle issues that might come up during out-of-business hours (when you “only” have the on-call engineers available)

91. Final thoughts • Being on-call doesn’t mean that you need

    to save the world. We don’t need “Rambos”… so play it safe, stick to the playbooks and don’t make risky decisions under stress

92. Final thoughts • Don’t hesitate to jump into a (video)

    call to coordinate the incident resolution (usually Slack is not enough) – sync vs async comms

93. Final thoughts • Don’t forget to keep the stakeholders in

    the loop (we are in the heat zone… but they are suffering from the sideline… and they need to know what is happening)

94. Final thoughts • Action items on (Blameless) post mortems should

    be tracked and assured that they are executed

95. Final thoughts • Don’t fall into the wishful thinking game:

    if you believe/suspect that an alarm is triggered by something harmless that you “can’t control” (e.g. network glitch)… be ready to prove that… otherwise don’t stop investigating the root cause

96. Final thoughts • Always write PMs (for PEs and PIs)

    and bare in mind that you should have public versions of the PM (sooner or later your customers will ask for them)

97. Thank you DevOpsDays Portugal 2019, Lisbon