SLO: Front page loads and latency

The users of The Wiener Shirt-zel Clothing Company website are human customers. This means that they’re actually fairly patient in a world of computer services where we often measure things on the order of milliseconds. As discussed in Chapter 3, humans are totally fine with a web page taking a few seconds to completely render in their browser.

A bit more important to people are error rates. If a website loads in 2 seconds 99% of the time, they’re probably fine if it takes 5 seconds just 1% of the time. This is probably not a rate at which they’ll abandon you for a competitor. But if a page fails to load a full 1% of the time, you’re probably going to lose a certain number of customers. Despite this divergence, this doesn’t mean you need to have two entirely separate SLOs. You can use the data you have about both of these aspects of reliability to power a single SLI and SLO.

In this case, a reasonable SLO might read like the following:

99.9% of responses to our website will return a 2xx, 3xx, or 4xx HTTP code within 2,000 ms.

Having 99.9% of responses completing within our parameters seems reasonable. Just convert this into a number of page views and ask yourself how you’d feel if faced with this as a reality. From an events-based perspective, if you were browsing a website for dog clothing and only 1 in 1,000 clicks resulted in a slow load or an error, you’d almost certainly be able to shrug this off. The Wiener Shirt-zel Clothing Company has been able to track that the average user clicks on approximately 25 links per browsing session. This means that only 1 in 40 customers is expected to experience even a single bad response during their time on the site. Trying to fix the database problems that lead to these errors would be a major project that could take several quarters, and it’s been determined that users that experience an error rarely abandon their browsing, so the engineering, product, and business teams agree on 99.9%.

As you may recall from Chapter 4, that translates to about 43 minutes of downtime per month. From a time-based perspective, the company certainly might lose some sales if the site were down for a full 43 minutes in a row, but this target does account for it being able to endure blips in reliability. Everything has trade-offs, and the company feels good about this target for now.

SLO: Search results

Now that we have general page loads covered, we can talk about a special class of page load: search results. Here again you can make things easier on yourself when you put yourself in your users’ shoes and think about what they expect.

Humans have come to expect computers to have to “think.” In fact, it is not unheard of for UI designers to purposely introduce delay into a task because if things happen too quickly, the human user at the other end of things will assume nothing happened or that there was some kind of problem. Those spinny circles or bars that fill up are sometimes just there for effect. For this reason, you can relax your SLO for search result page loads versus just visiting the front page. The Wiener Shirt-zel Clothing Company did some research and determined it could make the following changes to its search results SLO when compared with the front page load SLO:

• Search results likely will take longer than a standard front page load, since the backend service is being asked to perform actual work instead of serving static assets that might already be cached.

• Humans are more accepting of failure, both in terms of error rate and latency, when a service is being asked to perform actual work.

• 4xx response codes can no longer be considered as “good” since this problem would be due to the company’s own service and not to a user entering an incorrect URL. Even if there are no results to return, the service should be returning a 200 instead of a 4xx.

Acknowledging the findings of the research, the following SLO was defined:

99.8% of responses to product searches will return a 2xx or 3xx within 4,000 ms.

I could go on and on in this manner and define any number of SLOs for the website itself and how users interact with it, but that would get dry and boring. (For example, a lot of the lessons from Chapter 11 could be applied here—search results don’t just need to return good HTTP response codes, they need to contain the correct data.) These two examples should put you well on your way in terms of thinking about what your own customer-facing website might need to do in order to be seen as reliable.

SLO: Checkout success

Checkout success rates for The Wiener Shirt-zel Clothing Company are directly tied to another company. Payment vendors have to be pretty good at successfully responding to their users, for a few reasons. Even if we account for retry logic that could cover some transient failures contained within the “humans are okay with a little extra latency when computers do work” bubble mentioned earlier, customers would quickly move on to another solution if they couldn’t make money selling things to their own customers.

SLAs are business decisions, and I’ve mentioned why we don’t talk about them much in this book. They require contract language and legal consultation and remuneration techniques and all sorts of other things that are simply out of scope for what this book is about. What is also generally true about them is that they’re almost always much simpler than SLOs. Rarely do SLAs involve using percentiles or classifying various response types. They don’t even always include any sort of threshold. In contrast to the SLO for the request and response service responsible for serving The Wiener Shirt-zel Clothing Company website’s front page, the SLA provided by the vendor in a contract could be as simple as:

99.99% of transaction requests will succeed over any calendar month.

This seems reasonably sufficient to account for with retry logic. Unless the vendor is down hard, having to retry 1 in every 10,000 requests should be workable without also severely impacting whatever SLO the clothing company has for checkout attempts. Even so, don’t forget about how things can add up quickly. 99.99% is a difficult target to reach.

As always, this is a little easier to think about when using time-based language: 99.99% implies 4 minutes and 22 seconds of hard downtime per 30 days. Let’s explore what that means in terms of the SLO that the payment processing microservice itself could have at 99.99%, 99.9%, and 99% percent (see Table 12-1).

And this goes in both directions, of course. Perhaps the vendor has a target that’s lower than four nines. If the payment service can only promise a 99.9% reliability rate and the vendor does the same, you’re now dealing with a guarantee of 99.80% reliability, which translates to 20/10,000 events potentially failing or 1h 27m 39s of downtime being considered acceptable every 30 days. From an events perspective, this might still be manageable when using retries—but when thinking about time, approximately an hour and a half when the site is unavailable and customers cannot purchase from the company is probably starting to be a bit much.

And it continues to escalate so quickly! Let’s say the vendor can only promise 99% and the microservice can only aim for the same. Now we’re at 98.01%, which equates to 299/10,000 requests and 14h 32m 11s of downtime per month. That’s likely going to really start being a pain for customers, even with good retry logic.

And this doesn’t even account for any other SLO targets, such as that of the database this microservice depends upon, or the front page SLO we defined earlier, or your networking setup, and so forth.

Clearly this is a service that not only needs to be very reliable, but has to set its own targets based on the contract the company signed with the vendor. You can use this kind of math to ensure that everyone knows up front what kind of service they’re going to be maintaining and what kind of commitment they’re going to have to make in terms of keeping it reliable into the future.

Let’s return to our example where the vendor has promised you an SLA of 99.99%. If the company aims toward a goal of 99.99% reliability, and the database that is depended upon has an objective of 99.95%, you’re left with an overall user journey percentage of 99.93%. This translates to 7/10,000 events failing, or just about 1 minute of unavailability per day per month. This seems like a number that can easily be accounted for via retries or other logic in other parts of the architecture. So, the SLO for the payment microservice itself reads:

99.99% of checkout requests will succeed on their first attempt.

And a further SLO is set for the entire payment workflow that reads:

99.93% of checkouts following the entire workflow will succeed on their first attempt.

That number can then be used to build the correct retry logic into the web app to ensure that actual customers of The Wiener Shirt-zel Clothing Company are happy with their day-to-day experience. It could also be used to draw attention to when the different teams responsible for this workflow need to work together to focus on the entire SLI-as-user-journey. Therefore, the following SLO is defined as well:

99.99% of checkouts following the entire workflow will succeed within 5 attempts.

You can apply this same sort of thinking in terms of setting SLOs for all your services that depend on other services, whether they be internal or external. Remember to do the math to determine how multiple target percentages impact each other, but also remember that you can use better math (see Chapter 9 to account for this) or retries and other methods to account for how multiple percentages impact each other.

SLO: Business data analysis

One of the neat things The Wiener Shirt-zel Clothing Company does is provide its business and marketing departments with excellent data. Every single user interaction on the site is cataloged in some manner, from what is clicked, to how long is spent on a page, to what clothing options such as size or color are browsed most frequently. Of course, actual purchases are also cataloged, as well the number of “shares” to social media these items receive. This data is all sent from the web app to a database, where occasional batch jobs run to pass the data through a processing pipeline, with the resulting output data stored in a second database. A custom desktop application has been written allowing for various internal departments to interact with the analysis via a microservice that acts as an API in front of the results database.

Almost without fail so far in this book (and elsewhere!), example services for SLO-based approaches revolve around response and request APIs. After that, you might see people discuss SLOs for things like databases and platforms, and even more rarely for data itself. What you essentially never see anyone discuss are SLOs for things that aren’t network services, but instead act as something like a desktop application or a mobile app. Here, we’re not concerned with the SLOs for the APIs these applications need to talk to in order to get their data (if they do that at all), but the applications themselves.

As always, you just need to put yourself into your users’ shoes and ask them what they need. A good exercise in order to do this is to imagine yourself actually using the application. In this case the users are coworkers, so engineers at the company can just go talk to them directly! Here is a quick list of user journeys engineers at The Wiener Shirt-zel Clothing Company discovered via interviews that they can use to inform some SLIs:

1. Application needs to start

2. Application needs to not crash and remain running

3. Application needs to be able to deliver queries for customer interaction data

4. Application needs to be able to present the results of the queries in a manner human operators can understand

5. Application needs to be able to export this data for sharing or inclusion in documents and presentations

We could go much deeper, but that’s a great start in terms of describing some things that the users of this internal application need it to do. Let’s now dive a little more deeply into what #5 might look like to a user.

An internal user in the marketing department at The Wiener Shirt-zel Clothing Company is curious about what particular shirt patterns have recently been viewed often or for lengthy periods of time, but haven’t actually been purchased very often. Familiar with the use of their internal application, they key in the appropriate query and wait for a result. Processing sometimes takes upwards of 20 seconds, but that’s fine. That’s how this system has always worked, and it’s not really a detriment to the business. Not everything has to be lightning fast, and that should be remembered when you’re thinking about SLOs.

But what does matter is whether the application is able to export the data once the user has it. Measuring this might seem a little tricky, but it’s not all that different from how you’d measure any other sort of event-driven process. Let’s say that the user should be able to click a button to save the results of their analysis to a file on local storage. Any reasonable piece of software that performs this sort of task likely has the capability to log about each step of the way. First the click is registered, then a routine is called to perform the export, and so on. You can collect metrics on each of these steps and use these metrics to inform an SLO.

If this feels pretty different from everything else we’ve talked about in this book, that’s because it is. Log lines are not a great source for SLOs that help you understand high-performance web services. They are easily delayed, they are computationally expensive to parse, they require a lot of storage if you need to analyze them over lengthy periods of time, etc. However, that doesn’t mean you can’t use them in the right scenario. And using them to analyze the performance of a feature of an application that might only be used a few times per day (and not at all on some days!) seems like a totally reasonable choice.

You might only have a few data points per day in this sort of situation, but you can still use that to drive discussions and decision making. You probably don’t want to be alerting off of this data, and even a dashboard is likely overkill, but if you can identify an SLI that tells you whether things are working for customers or not, you can use it to pick an SLO target that tells you when you need to look at something. It’s certainly an improvement over doing nothing, which could result in the marketing department having to constantly interrupt the engineering team to ask them why things aren’t working.

For example, at The Wiener Shirt-zel Clothing Company, 95% of exports were working on the first attempt last month, but this month that dropped to 80%. Perhaps a bug introduced a regression into the code, or the users have changed their habits in a way that needs to be addressed; any number of things could be responsible. Even with just a few data points per day, the team responsible for this service is able to define the following SLO:

90% of data export attempts log a success over the course of a month.

This is simple, it’s unambiguous, and it doesn’t require anything more than a report produced once per month—but it forces the team to measure things and lets them think about their users and have better data about how to plan future work. Is the export feature still working, even if it’s only used by one small marketing team? Suppose after a month the measurement says that 91% of exports completed correctly, but the marketing team is still upset. The target could be moved to 92% as a next step, since all SLOs need to be open to evolving—and it will continue to evolve with feedback from the users.

SLO-based approaches give you a way to find out whether users are happy or not, even if this example doesn’t fit all of the traditional trappings of the general discussions about SLOs. Always remember that it’s the philosophies behind these approaches that are the most important, not having the slickest technology to use to perform complicated math against statistically derived SLIs.

SLO: Internal wiki

Another great example of the kind of service that is often overlooked when discussing SLO-based approaches to reliability is pieces of third-party or open source software—especially those that stand alone and might be managed by IT teams that are unfortunately often left out of the discussions that surround software or systems engineering. They’re services all the same, they have users, and those users need them to perform at certain levels!

It’s always a great idea to try to ensure that your SLIs are as close to what your users need from you as possible—this is an idea that has been repeated over and over again. But we’ve also tried to be reasonable in terms of what data you have to work with. A service for which you don’t control the codebase is a great example of where you might want to fall back on something simpler while still getting the job done well enough.

For the internal wiki documentation setup, the measurement options available to the team running it are a bit limited. And here is a great example of a place where something like “Is it up?” is probably sufficient for everyone! Not everything has to be complicated. An example SLO for the team responsible for the internal wiki in this case reads:

The internal documentation wiki will be available to users 99.9% of the time during working hours.

Working hours at The Wiener Shirt-zel Clothing Company are defined as 08:00–18:00 ET. An SLO like this allows for the team responsible for it to experiment or perform upgrades or other work whenever they’d like outside of normal working hours.

SLO: Container platform

For example, since pods are intended to sometimes not be available, measuring total pod uptime doesn’t give the company a great data point, even if at first glance that would seem like a thing users would care about. When something is a platform, you can’t just measure the health of the platform itself; you need to keep users in mind.

A better SLI might be something that talks about having a certain percentage of an individual service’s pods running at the same time, but that can run into additional problems. If you say that 90% of pods for a certain service should be available, how do you handle the fact that you can’t have partial pods? You can’t round up, since, for example, 90% of 7 is 6.3, which rounded up would just be 7 again. So instead you round down. This works, but it’s just an example of some of the extra calculation you have to do in this situation.

However, this also now means that you are aiming for all services with fewer than 20 pods to never have more than a single pod unavailable at a time. This probably makes sense for services that have, say, 10 or fewer pods, but it may be stricter than necessary for services with closer to 20 pods. For example, The Wiener Shirt-zel Clothing Company has 200 pods running the primary web app, but only 19 handling communication to the payments vendors. Perhaps those smaller services should never have more than one missing pod at a time. But it could also seem reasonable that a service with 19 pods should be able to handle only 17 being available at a time. This is a great example where the company decided it needed multiple SLOs powered by a single SLI measurement, as follows:

For services with 20 or more pods, at least 90% of their pods will be available 99.9% of the time.

For services with 10–19 pods, no fewer than 2 of their configured number will be unavailable 99.9% of the time.

For services with fewer than 10 pods, no fewer than 1 of their configured number will be unavailable 99.9% of the time.

As you can see, this allows you to set a reasonable SLO target percentage like 99.9% while allowing the services that are dependent on yours to set even higher targets. Introducing multiple constraints to your target can make your SLOs much more meaningful without you having to resort to a ridiculous number of nines in a row.

Other great ideas for something that acts as a platform include thinking about things like pod startup time or eviction rate.