implementing an incident response workflow automation tool for SRE
Open, MediumPublic
Actions

Assigned To

None

Authored By

	lmata
	May 16 2022, 5:38 PM

Description

Q\ What tools should we implement to facilitate responding to incidents?

There is a nontrivial amount of manual work and paperwork currently required of incident responders, on-call staff, incident coordinators, and the onfire team to keep the current IR effort moving forward. We want to reduce the amount of "toil" work from the current incident workflow.

This is a generic big picture wishlist

Incident Lifecycle Management
- Single Intake
  - Create incident from klaxon/phabricator
  - Automated create incident (from manual pages, alertmanager, icinga)
Google Docs integration (maybe auto-create notes doc)
Integration with existing tooling for annotations (grafana, logstash/OpenSearch)
Suppport for Incident stats (duration, category, severity, impact) and additional relevant metadata
SLOs, Metric Reports, and other trending data
Integration with Klaxon (future state)
Integration with Public Status Page (future state)
Should support Internal notices and message
Potential integration with Phabricator Ticketing Workflow
Chat (IRC) Integrations / bots
Slack support (for fallback)
Splunk on call / VictorOps integration

Additional considerations that might need a decision:

hosting our incident response tools out of band.
build vs buy vs rent (saas)
open source vs commercial
Privacy review for SAAS or hosted solutions

~~Update~~

~~We have selected Netflix's Dispatch as our tool of choice for this project. https://github.com/Netflix/dispatch~~

Update Update

Netflix's Dispatch has proven to probably not suit our needs due to limitations of the platform, relative immaturity of the product, and difficulty establishing a workflow that fits WMF's needs.

The current living document with proposals lives at https://docs.google.com/document/d/1UqNRU0_jv66VLGyrY8QOYKqrM8rn3Iuv70t0JcoNX3M

Related Objects
Search...

Status	Assigned	Task
Open	None	T308467 implementing an incident response workflow automation tool for SRE
Declined	None	T313228 Deploy Dispatch for SRE incident workflow automation
Resolved	herron	T309033 Set up POC Dispatch environment and evaluate its viability
Declined	fgiunchedi	T313229 Production Dispatch Infrastructure
Resolved	fgiunchedi	T322556 Site: codfw VM %request for dispatch-be2001
Declined	andrea.denisse	T326842 Service/host monitoring for dispatch
Declined	None	T326843 Dispatch Data protection (e.g. data exported and backed up)
Declined	None	T340772 Dispatch: enable gmail plugin
Resolved	herron	T344937 Decom dispatch infrastructure
Declined	None	T313230 Dispatch IRC Integration
Resolved	herron	T313231 Dispatch Google workspace integration
Declined	None	T317316 Fine-tune dispatch SRE incident template
Declined	None	T313232 Dispatch Documentation
Declined	None	T313233 Dispatch Splunk On-call / VictorOps Integration
Declined	None	T313234 Dispatch Phabricator Integration
Declined	None	T317192 implement on call shift hand-off / hand-overs in dispatch
Resolved	Eevans	T356790 Corto: Incident responder workflow automation (MVP)
Resolved	jhathaway	T355756 Create & test Google service account for 'corto'
Resolved	fgiunchedi	T355755 Create phabricator bot user for 'corto'
Resolved	fgiunchedi	T355758 Create "corto" Phabricator bot account for Corto
Resolved	fgiunchedi	T355754 Create git repo for 'corto' (incident response tool)
Resolved	Eevans	T370783 corto: implement resolve incident
Resolved	Eevans	T370784 corto: implement changing the IC
Resolved	Eevans	T370786 corto: review irc grammar ergonomics
Resolved	BCornwall	T370788 corto: CI & packaging
Resolved	BCornwall	T370789 corto: production deployment
Resolved	andrea.denisse	T375139 The corto service fails to start after the alert hosts failover
Resolved	BCornwall	T375305 Corto: Licensing & copyright information
Resolved	Eevans	T375309 Corto: configuration improvements
Resolved	Eevans	T375451 Corto: Access model (MVP only)
Resolved	Eevans	T376500 Corto: ensure Phabricator tasks are created with correct default visibility & priority
Resolved	Eevans	T376501 Corto: remove unused context.Context arguments
Resolved	jhathaway	T376941 Corto: Scrutinize/finalize template text
Resolved	Eevans	T378650 Corto: Bot needs a registered nick
Resolved	Eevans	T379204 corto: update production deployment for project changes
Resolved	Eevans	T379858 corto: failure to create google doc should not be fatal
Resolved	Eevans	T379958 corto: binary doesn't include build information
Open	None	T377036 Corto: Functional & Integration testing
Open	None	T377047 Functional tests are tied to user accounts
Open	None	T370785 corto: implement updating IRC topics and wikimediastatus.net
Duplicate	None	T379305 corto: have CI build the Debian package
Open	None	T372437 Harden corto systemd service
Resolved	Eevans	T380293 corto: only operate on applicable phabricator issues

Event Timeline

lmata created this task.May 16 2022, 5:38 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2022, 5:38 PM

lmata moved this task from Inbox to Up next on the SRE Observability (FY2021/2022-Q4) board.May 16 2022, 5:38 PM

lmata updated the task description. (Show Details)May 16 2022, 5:49 PM

lmata renamed this task from untitled masterwork on incident response automation to implementing an incident response workflow automation tool for SRE.May 17 2022, 1:37 AM

lmata triaged this task as Medium priority.

lmata updated the task description. (Show Details)

lmata added a project: SRE-OnFire.

lmata updated the task description. (Show Details)May 17 2022, 1:24 PM

lmata edited projects, added SRE Observability (FY2022/2023-Q1); removed SRE Observability (FY2021/2022-Q4).Jul 13 2022, 7:41 PM

lmata moved this task from Inbox to Up next on the SRE Observability (FY2022/2023-Q1) board.Jul 14 2022, 6:09 PM

herron closed subtask T309033: Set up POC Dispatch environment and evaluate its viability as Resolved.Aug 9 2022, 2:41 PM

lmata edited projects, added SRE Observability (FY2022/2023-Q2); removed SRE Observability (FY2022/2023-Q1).Oct 28 2022, 6:30 PM

lmata moved this task from Inbox to Up next on the SRE Observability (FY2022/2023-Q2) board.

lmata edited projects, added SRE Observability (FY2022/2023-Q3); removed SRE Observability (FY2022/2023-Q2).Jan 12 2023, 12:20 AM

lmata moved this task from Inbox to Epics In Progress on the SRE Observability (FY2022/2023-Q3) board.Jan 12 2023, 8:18 PM

lmata added a subtask: T313228: Deploy Dispatch for SRE incident workflow automation.

lmata updated the task description. (Show Details)Jan 12 2023, 8:21 PM

lmata edited projects, added SRE Observability (FY2022/2023-Q4), Incident Tooling; removed SRE Observability (FY2022/2023-Q3).May 2 2023, 1:37 PM

lmata moved this task from Inbox to Epics In Progress on the SRE Observability (FY2022/2023-Q4) board.May 2 2023, 1:57 PM

lmata moved this task from Inbox to Prioritized on the Incident Tooling board.May 16 2023, 3:31 AM

lmata edited projects, added SRE Observability (FY2023/2024-Q1); removed SRE Observability (FY2022/2023-Q4).Jul 18 2023, 4:56 PM

lmata removed a project: SRE Observability (FY2023/2024-Q1).Jul 18 2023, 8:50 PM

joanna_borun subscribed.Aug 22 2023, 2:31 PM

BCornwall claimed this task.Aug 22 2023, 4:47 PM

BCornwall updated the task description. (Show Details)

BCornwall added subscribers: BCornwall, jhathaway, JMeybohm.

After some discussion in our last ONFIRE meeting it appears that our most basic needs comprise of:

A real-time editor for in-the-moment information management
A technical platform that allows us to manage immediate incident-related action items as well as any follow-up items post-incident
A predictable place for "finished" incident documents to live for later consumption

The rest are "nice-to-have" integrations of varying importance (like notifying people on IRC/Slack).

Our current setup uses Google Docs for 1, Phabricator for 2, and Wikitech for 3. I propose we start with these first three requirements, see what solutions work better than our current one and then work our way down with the integrations/niceties. We've been circling the wagons trying to come up with some sort of integrated approach but tend to just keep coming back to a slightly altered version of the present one.

A recurring pain point is information duplication/transference: Synchronizing the same information between our bug report, our real-time knowledge/graphs, our IRC, and the final Wikitech article is painful.

Already-rejected ideas:

Remove Wikitech and just have the Google doc be the final resting place of the document (Too easy to lose/change the doc)
Remove Google docs and just use IRC for the real-time communication (IRC is too primitive to easily collect and maintain all of this info)
Remove Wikitech and use the ticket description instead (Too difficult to locate the ticket)

The feedback I've heard in the meetings suggests to me that nobody wants to leave the current phab/gdocs/wt setup (and if we did it'd be pretty much just replacing one component with one very similar).

BCornwall added a subscriber: fgiunchedi.Aug 24 2023, 4:13 PM

BCornwall mentioned this in T313229: Production Dispatch Infrastructure.Aug 24 2023, 4:27 PM

herron updated the task description. (Show Details)Aug 24 2023, 4:48 PM

herron closed subtask T313228: Deploy Dispatch for SRE incident workflow automation as Declined.

herron mentioned this in T313228: Deploy Dispatch for SRE incident workflow automation.

Volans subscribed.Aug 30 2023, 12:46 PM

BCornwall removed BCornwall as the assignee of this task.Sep 6 2023, 9:45 PM

BCornwall updated the task description. (Show Details)Sep 6 2023, 10:17 PM

hnowlan subscribed.Feb 20 2024, 4:16 PM

Eevans mentioned this in T370785: corto: implement updating IRC topics and wikimediastatus.net.Oct 18 2024, 6:23 PM

Eevans added a subtask: T370785: corto: implement updating IRC topics and wikimediastatus.net.

Eevans updated the task description. (Show Details)Thu, Nov 7, 8:53 PM