DEV Community: Abraham Acha The latest articles on DEV Community by Abraham Acha (@airfluke). https://dev.to/airfluke https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3898965%2F827010f1-b357-493b-b4a5-ed015705fb07.jpg DEV Community: Abraham Acha https://dev.to/airfluke en Building a Production-Grade Observability Platform with the LGTM Stack, DORA Metrics & SLOs Abraham Acha Sat, 16 May 2026 23:53:37 +0000 https://dev.to/airfluke/building-a-production-grade-observability-platform-with-the-lgtm-stack-dora-metrics-slos-235l https://dev.to/airfluke/building-a-production-grade-observability-platform-with-the-lgtm-stack-dora-metrics-slos-235l <blockquote> <p><strong>GitHub Repository:</strong> <a href="https://github.com/AirFluke/meetmind-observability" rel="noopener noreferrer">https://github.com/AirFluke/meetmind-observability</a><br> <strong>One command to deploy:</strong> <code>sudo bash install.sh</code></p> </blockquote> <h2> Introduction </h2> <p>Modern software teams don't just need to know when something is down — they need to understand <em>why</em> it broke, <em>how long</em> users were affected, <em>how fast</em> they recovered, and <em>whether their engineering practices are improving</em> over time.</p> <p>This is the gap between basic monitoring and true observability.</p> <p>For Stage 6 of the HNG DevOps track, Team MeetMind built a production-grade observability and reliability platform from scratch using the <strong>LGTM stack</strong> — Loki, Grafana, Tempo, and Prometheus — alongside DORA metrics, SLI/SLO/Error Budget frameworks, and a fully automated alerting pipeline routing to Slack.</p> <p>Everything runs as <strong>native systemd services</strong> — no Docker, no containers. Each component installs as a binary, managed by systemd the same way any production Linux service is managed. One command brings the entire stack up on any Ubuntu server.</p> <h2> Why LGTM Over Managed Alternatives? </h2> <p>The observability market offers managed alternatives — Datadog, New Relic, Grafana Cloud. So why self-host the LGTM stack?</p> <p><strong>Cost at scale.</strong> Managed platforms charge per host, per metric, per log line. At scale this becomes a significant infrastructure cost. The LGTM stack runs on a single server with no per-metric pricing.</p> <p><strong>Data sovereignty.</strong> Logs contain sensitive data — request bodies, authentication tokens, PII. Shipping these to a third-party SaaS introduces compliance risk. Self-hosted Loki keeps logs within your own infrastructure.</p> <p><strong>No vendor lock-in.</strong> Prometheus exposition format and OpenTelemetry are open standards. Every instrumented service, every dashboard, every alert rule is portable. Switching providers means changing an endpoint URL, not rewriting your entire observability layer.</p> <p><strong>Full control over retention.</strong> We configured 30-day retention for both metrics and logs at no additional cost.</p> <p><strong>Learning depth.</strong> Operating the stack yourself forces genuine understanding of how metrics collection, log aggregation, and distributed tracing work — knowledge that transfers regardless of which tools your next employer uses.</p> <h2> Architecture Overview </h2> <p>The platform runs as nine native systemd services on Ubuntu 24.04, all with automatic restart policies.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Role</th> <th>Port</th> </tr> </thead> <tbody> <tr> <td>Prometheus</td> <td>Metrics collection and storage</td> <td>9090</td> </tr> <tr> <td>Loki</td> <td>Log aggregation</td> <td>3100</td> </tr> <tr> <td>Tempo</td> <td>Distributed trace storage</td> <td>3200</td> </tr> <tr> <td>Grafana</td> <td>Unified observability frontend</td> <td>3000</td> </tr> <tr> <td>Alertmanager</td> <td>Alert routing to Slack</td> <td>9093</td> </tr> <tr> <td>Node Exporter</td> <td>System metrics (CPU, RAM, disk, network)</td> <td>9100</td> </tr> <tr> <td>Blackbox Exporter</td> <td>HTTP/SSL probing</td> <td>9115</td> </tr> <tr> <td>Pushgateway</td> <td>Receives DORA metrics from GitHub Actions</td> <td>9091</td> </tr> <tr> <td>OTel Collector</td> <td>Receives and routes traces and logs</td> <td>4319/4320</td> </tr> </tbody> </table></div> <p><strong>Data flow:</strong></p> <ul> <li>Node Exporter and Blackbox Exporter expose metrics → Prometheus scrapes every 15 seconds</li> <li>GitHub Actions pushes deployment metrics → Pushgateway → Prometheus</li> <li>Applications send traces via OpenTelemetry → OTel Collector → Tempo</li> <li>Applications send logs via OpenTelemetry → OTel Collector → Loki</li> <li>Grafana queries all three — Prometheus, Loki, Tempo — enabling correlated drill-down from a single dashboard</li> <li>Prometheus evaluates alert rules → fires to Alertmanager → routes to Slack</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nqu0a3v6haqclwy9ukx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nqu0a3v6haqclwy9ukx.png" alt=" " width="800" height="294"></a></p> <blockquote> <p>📸 <em>[Screenshot: All 9 services showing running status]</em></p> </blockquote> <h2> Part 1: Deploying the Full LGTM Stack as Systemd Services </h2> <h3> Why systemd over Docker? </h3> <p>Running services as native systemd units means:</p> <ul> <li>No container runtime dependency</li> <li>Services start on boot automatically</li> <li>Logs go directly to journald — <code>journalctl -u prometheus -f</code> </li> <li>Standard Linux process management — <code>systemctl start/stop/restart/status</code> </li> <li>No networking complexity — all services talk via localhost</li> </ul> <h3> One-command deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/AirFluke/meetmind-observability.git <span class="nb">cd </span>meetmind-observability <span class="nb">sudo </span><span class="nv">SLACK_WEBHOOK</span><span class="o">=</span>https://hooks.slack.com/services/YOUR/WEBHOOK bash install.sh </code></pre> </div> <p>The install script handles everything automatically:</p> <ol> <li>Installs system dependencies</li> <li>Downloads all binaries from GitHub releases</li> <li>Creates dedicated system users for each service</li> <li>Copies configs to <code>/etc/</code> </li> <li>Creates data directories in <code>/var/lib/</code> </li> <li>Installs systemd unit files to <code>/etc/systemd/system/</code> </li> <li>Enables and starts all services</li> </ol> <h3> Systemd unit files — the core of the deployment </h3> <p>Each service has a unit file that defines how it runs. Here is Prometheus as an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># systemd/prometheus.service </span><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Prometheus Metrics Server</span> <span class="py">Documentation</span><span class="p">=</span><span class="s">https://prometheus.io/docs</span> <span class="py">After</span><span class="p">=</span><span class="s">network-online.target</span> <span class="py">Wants</span><span class="p">=</span><span class="s">network-online.target</span> <span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="s">simple</span> <span class="py">User</span><span class="p">=</span><span class="s">prometheus</span> <span class="py">Group</span><span class="p">=</span><span class="s">prometheus</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/usr/local/bin/prometheus </span><span class="se">\ </span> <span class="s">--config.file=/etc/prometheus/prometheus.yml </span><span class="se">\ </span> <span class="s">--storage.tsdb.path=/var/lib/prometheus </span><span class="se">\ </span> <span class="s">--storage.tsdb.retention.time=30d </span><span class="se">\ </span> <span class="s">--web.enable-lifecycle </span><span class="se">\ </span> <span class="s">--web.enable-remote-write-receiver </span><span class="se">\ </span> <span class="s">--web.listen-address=0.0.0.0:9090</span> <span class="py">Restart</span><span class="p">=</span><span class="s">on-failure</span> <span class="py">RestartSec</span><span class="p">=</span><span class="s">5s</span> <span class="py">LimitNOFILE</span><span class="p">=</span><span class="s">65536</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </div> <p><code>Restart=on-failure</code> with <code>RestartSec=5s</code> is the systemd equivalent of Docker's <code>restart: unless-stopped</code>. Every service has this.</p> <h3> Checking service status </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check all 9 at once</span> <span class="nb">sudo </span>bash scripts/status.sh <span class="c"># Check individual service</span> <span class="nb">sudo </span>systemctl status prometheus <span class="c"># Follow logs in real time</span> journalctl <span class="nt">-u</span> prometheus <span class="nt">-f</span> journalctl <span class="nt">-u</span> grafana-server <span class="nt">-f</span> journalctl <span class="nt">-u</span> loki <span class="nt">-f</span> </code></pre> </div> <h3> File layout on the server </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/usr/local/bin/ ← all binaries prometheus, loki, tempo, alertmanager, node_exporter, blackbox_exporter, pushgateway, otelcol /etc/ ← all configs prometheus/prometheus.yml alertmanager/alertmanager.yml alertmanager/slack.tmpl loki/loki-config.yaml tempo/tempo.yaml otelcol/otel-collector.yaml blackbox_exporter/config.yml /var/lib/ ← all data (30d retention) prometheus/ loki/ tempo/ /etc/systemd/system/ ← unit files prometheus.service loki.service tempo.service ... (9 total) </code></pre> </div> <h3> Retention periods </h3> <ul> <li>Prometheus metrics: 30 days (<code>--storage.tsdb.retention.time=30d</code>)</li> <li>Loki logs: 30 days (<code>retention_period: 30d</code>)</li> <li>Tempo traces: 30 days (<code>block_retention: 720h</code>)</li> </ul> <h3> Infrastructure as Code — non-negotiable </h3> <p>Every configuration file is version-controlled in the repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>meetmind-observability/ ├── install.sh ← one-command deploy ├── uninstall.sh ← clean teardown ├── scripts/status.sh ← check all services ├── systemd/ ← 9 unit files ├── config/ ← all service configs ├── alerts/ ← alert rules (.yml) ├── grafana/dashboards/ ← 5 JSON dashboards ├── grafana/provisioning/ ← datasource config └── runbooks/ ← one .md per alert </code></pre> </div> <p>Nothing requires manual configuration to reproduce. Clone the repo, run the install script, and the entire platform is up.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16e05wqnmwjqivoc78t7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16e05wqnmwjqivoc78t7.png" alt=" " width="800" height="412"></a></p> <blockquote> <p>📸 <em>[Screenshot: Prometheus targets page showing all scrapers green]</em></p> </blockquote> <h2> Part 2: The Four Golden Signals as SLIs </h2> <p>Before writing a single PromQL query or building any dashboard, we defined what reliability means for MeetMind using Google's Four Golden Signals framework.</p> <h3> Why Four Golden Signals beat CPU/RAM monitoring </h3> <p>Traditional monitoring asks "is the server healthy?" The Four Golden Signals ask "is the <strong>user</strong> experiencing a healthy service?"</p> <p>A server can have 10% CPU and still serve every request with 5-second latency. CPU monitoring shows green. The Four Golden Signals show red. That is the difference.</p> <h3> Signal 1 — Latency </h3> <p>How long does it take to serve a request? We distinguish successful from error latency — a fast error is not a success.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># p95 latency for successful requests histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{status!~"5.."}[5m])) by (le, job) ) # p95 latency for error requests histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{status=~"5.."}[5m])) by (le, job) ) </code></pre> </div> <h3> Signal 2 — Traffic </h3> <p>How much demand is the system handling?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Requests per second sum(rate(http_requests_total[1m])) by (job) </code></pre> </div> <h3> Signal 3 — Errors </h3> <p>Rate of failed requests — explicit 5xx, implicit wrong content, policy failures like timeouts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Error rate as a ratio (0 = perfect, 1 = everything failing) sum(rate(http_requests_total{status=~"5.."}[5m])) by (job) / sum(rate(http_requests_total[5m])) by (job) </code></pre> </div> <h3> Signal 4 — Saturation </h3> <p>How full is the service? We track CPU, memory, and disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Memory saturation 1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes) # CPU saturation 1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) # Disk saturation 1 - ( node_filesystem_avail_bytes{mountpoint="/", fstype!="tmpfs"} / node_filesystem_size_bytes{mountpoint="/", fstype!="tmpfs"} ) </code></pre> </div> <p>These four PromQL expressions become our SLIs — the measurements we track before defining any targets.</p> <h2> Part 3: SLOs and Error Budgets </h2> <h3> The philosophy </h3> <p>An <strong>SLI</strong> is a measurement.<br> An <strong>SLO</strong> is a target for that measurement.<br> An <strong>Error Budget</strong> is the allowable gap between perfect and the SLO target.</p> <p>This framework changes how engineering teams make decisions. Instead of arguing about whether a deployment is safe enough, the question becomes: <strong>"Do we have enough error budget to absorb the risk of this deployment?"</strong> It converts a subjective conversation into an objective one.</p> <h3> Our SLO targets </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>SLO</th> <th>Target</th> <th>Window</th> <th>Error Budget</th> </tr> </thead> <tbody> <tr> <td>Availability</td> <td>99.5% of HTTP probes return 2xx</td> <td>30 days</td> <td>216 minutes</td> </tr> <tr> <td>Error rate</td> <td>99% of requests succeed</td> <td>30 days</td> <td>432 minutes</td> </tr> <tr> <td>Latency</td> <td>p95 &lt; 500ms</td> <td>Rolling 5m</td> <td>Alert-only</td> </tr> </tbody> </table></div> <p><strong>Why 99.5% availability?</strong><br> This gives us 216 minutes per month — enough for one planned maintenance window without exhausting the budget. A stricter 99.9% would leave only 43 minutes, making any deployment risky.</p> <p><strong>Why 99% error rate?</strong><br> One percent failure tolerance allows for transient errors during rolling deployments. Stricter targets require canary deployment infrastructure before they are meaningful.</p> <p><strong>Why 500ms p95 latency?</strong><br> Industry standard for interactive APIs. Beyond this threshold, user experience degrades measurably. We chose p95 rather than p99 because optimising for the 99th percentile often requires disproportionate infrastructure investment.</p> <h3> Recording rules — pre-computing SLIs </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/slo-burnrate.yml</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo.recording_rules</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate1h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[1h])</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate6h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[6h])</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate30d</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[30d])</span> <span class="c1"># Burn rate = how fast we consume the error budget</span> <span class="c1"># Error budget = 1 - 0.995 = 0.005</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate1h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">(1 - slo:availability:ratio_rate1h) / </span><span class="m">0.005</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate6h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">(1 - slo:availability:ratio_rate6h) / </span><span class="m">0.005</span> </code></pre> </div> <h3> Error Budget Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Budget &gt; 50% → Deploy freely, feature work continues Budget 25–50% → Investigate incidents, no major changes Budget &lt; 25% → Reliability sprint, senior review on all deploys Budget 0% → Feature freeze until budget recovers </code></pre> </div> <p>Who owns the freeze decision: Engineering lead.<br> Review cadence: First Monday of each month.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc2z7j1vm6aos2v3iog2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc2z7j1vm6aos2v3iog2.png" alt=" " width="800" height="399"></a></p> <blockquote> <p>📸 <em>[Screenshot: SLO &amp; Error Budget dashboard]</em></p> </blockquote> <h2> Part 4: DORA Metrics and CI/CD Observability </h2> <h3> Why DORA metrics connect to business outcomes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>What it measures</th> <th>Business impact</th> </tr> </thead> <tbody> <tr> <td>Deployment Frequency</td> <td>How often value reaches users</td> <td>Faster delivery</td> </tr> <tr> <td>Lead Time for Changes</td> <td>Commit to production</td> <td>Bug fix speed</td> </tr> <tr> <td>Change Failure Rate</td> <td>Broken deployments</td> <td>Cost of poor quality</td> </tr> <tr> <td>Mean Time to Restore</td> <td>Duration of incidents</td> <td>User impact per outage</td> </tr> </tbody> </table></div> <h3> DORA benchmarks </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Elite</th> <th>High</th> <th>Medium</th> <th>Low</th> </tr> </thead> <tbody> <tr> <td>Deploy frequency</td> <td>Multiple/day</td> <td>Weekly</td> <td>Monthly</td> <td>&lt; Monthly</td> </tr> <tr> <td>Lead time</td> <td>&lt; 1 hour</td> <td>&lt; 1 day</td> <td>1d–1w</td> <td>&gt; 1 week</td> </tr> <tr> <td>CFR</td> <td>&lt; 5%</td> <td>5–10%</td> <td>10–15%</td> <td>&gt; 15%</td> </tr> <tr> <td>MTTR</td> <td>&lt; 1 hour</td> <td>&lt; 1 day</td> <td>1d–1w</td> <td>&gt; 1 week</td> </tr> </tbody> </table></div> <h3> GitHub Actions pushing DORA metrics to Pushgateway </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Record deploy start time</span> <span class="na">id</span><span class="pi">:</span> <span class="s">timing</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "start_ts=$(date +%s)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "Your deploy steps here"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push metrics on success</span> <span class="na">if</span><span class="pi">:</span> <span class="s">success()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">LEAD_TIME=$(( $(date +%s) - ${{ steps.timing.outputs.start_ts }} ))</span> <span class="s">WORKFLOW="${{ github.workflow }}"</span> <span class="s">cat &lt;&lt;EOF | curl --data-binary @- "${PUSHGATEWAY_URL}/metrics/job/github_actions"</span> <span class="s">deployment_total{status="success",workflow="${WORKFLOW}"} 1</span> <span class="s">deployment_lead_time_seconds{workflow="${WORKFLOW}"} ${LEAD_TIME}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push metrics on failure</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF | curl --data-binary @- "${PUSHGATEWAY_URL}/metrics/job/github_actions"</span> <span class="s">deployment_total{status="failure",workflow="${{ github.workflow }}"} 1</span> <span class="s">EOF</span> </code></pre> </div> <h3> Toil identified and automated </h3> <p><strong>Toil 1 — Manual alert acknowledgement.</strong><br> Engineers read a Slack alert, open a browser, navigate to Grafana, search for the relevant dashboard. <strong>Automation:</strong> every alert payload includes a direct link to the exact dashboard. Saves 2–3 minutes per alert.</p> <p><strong>Toil 2 — Certificate renewal reminders.</strong><br> SSL expiry tracked via calendar reminders. <strong>Automation:</strong> Blackbox Exporter monitors SSL expiry continuously. <code>SSLCertExpiringSoon</code> alert fires 14 days before expiry automatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cvvlooeuu7hi1dk65zt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cvvlooeuu7hi1dk65zt.png" alt=" " width="800" height="318"></a></p> <blockquote> <p>📸 <em>[Screenshot: DORA metrics dashboard]</em></p> </blockquote> <h2> Part 5: Five Grafana Dashboards — All Provisioned as Code </h2> <p>All dashboards are provisioned from JSON files. The Grafana UI was never used to create or modify any panel.</p> <h3> Datasource provisioning with trace correlation </h3> <p>The key config that enables metric → log → trace drill-down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># grafana/provisioning/datasources/datasources.yaml</span> <span class="na">datasources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Prometheus</span> <span class="na">type</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://localhost:9090</span> <span class="na">isDefault</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Loki</span> <span class="na">type</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://localhost:3100</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">derivedFields</span><span class="pi">:</span> <span class="c1"># Makes traceID= in log lines a clickable link to Tempo</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TraceID</span> <span class="na">matcherRegex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">traceID=(\w+)'</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${__value.raw}"</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">urlDisplayLabel</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Open</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">Tempo"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tempo</span> <span class="na">type</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://localhost:3200</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">tracesToLogsV2</span><span class="pi">:</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">filterByTraceID</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">customQuery</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">query</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{service_name="${__span.tags.service.name}"}</span><span class="nv"> </span><span class="s">|=</span><span class="nv"> </span><span class="s">"${__trace.traceId}"'</span> </code></pre> </div> <h3> Dashboard 1 — Node Exporter </h3> <p>CPU utilisation total and per-core, memory used/cached/available, disk I/O, network I/O, and load averages at 1/5/15 minutes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4jia7k96xyhwdomw6ca.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4jia7k96xyhwdomw6ca.png" alt=" " width="800" height="376"></a></p> <blockquote> <p>📸 <em>[Screenshot: Node Exporter dashboard with live data]</em></p> </blockquote> <h3> Dashboard 2 — Blackbox Exporter </h3> <p>External probing: uptime/downtime timeline, HTTP response time, SSL certificate expiry countdown, probe success rate.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1go8fzg04mlabtute5p6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1go8fzg04mlabtute5p6.png" alt=" " width="800" height="396"></a></p> <blockquote> <p>📸 <em>[Screenshot: Blackbox Exporter dashboard]</em></p> </blockquote> <h3> Dashboard 3 — DORA Metrics </h3> <p>Deployment frequency trend, lead time, CFR rolling percentage, MTTR with DORA benchmark classification.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fehnm91fncnpx4dsmi3ic.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fehnm91fncnpx4dsmi3ic.png" alt=" " width="800" height="318"></a></p> <blockquote> <p>📸 <em>[Screenshot: DORA dashboard]</em></p> </blockquote> <h3> Dashboard 4 — SLO &amp; Error Budget </h3> <p>SLI vs SLO gauges, error budget remaining coloured by urgency, burn rate time series with fast/slow thresholds, compliance history.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld74o5s0m204zttsw883.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld74o5s0m204zttsw883.png" alt=" " width="800" height="399"></a></p> <blockquote> <p>📸 <em>[Screenshot: SLO dashboard]</em></p> </blockquote> <h3> Dashboard 5 — Unified Observability (the most important) </h3> <p>A metric spike → click through to Loki → see logs from that exact time window → click the trace ID → Tempo opens the waterfall → identify exactly which service and span caused the failure.</p> <p>This drill-down — <strong>metric spike → correlated logs → causing trace</strong> — is what separates observability from monitoring.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzr2b8p4keo84wpis44zr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzr2b8p4keo84wpis44zr.png" alt=" " width="800" height="416"></a></p> <blockquote> <p>📸 <em>[Screenshot: Unified dashboard]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmytclbhwustpz0afuo9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmytclbhwustpz0afuo9.png" alt=" " width="800" height="377"></a></p> <blockquote> <h2> 📸 <em>[Screenshot: Loki logs panel with clickable trace ID]</em> </h2> </blockquote> <h2> Part 6: The Alerting System </h2> <h3> All alert rules are version-controlled </h3> <p>Zero alert rules live in Grafana. Every rule is in a <code>.yml</code> file under <code>alerts/</code>.</p> <h3> Infrastructure alerts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/infrastructure.yml</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">infrastructure.rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m]))</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">sli:node_memory_saturation</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighCPUWarning</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation &gt; </span><span class="m">0.80</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">CPU</span><span class="nv"> </span><span class="s">usage</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CPU</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">(threshold</span><span class="nv"> </span><span class="s">80%)"</span> <span class="na">dashboard_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://YOUR_SERVER_IP:3000/d/node-exporter"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/high-cpu.md"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighCPUCritical</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation &gt; </span><span class="m">0.90</span> <span class="na">for</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Critical</span><span class="nv"> </span><span class="s">CPU</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CPU</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">10+</span><span class="nv"> </span><span class="s">minutes"</span> <span class="na">dashboard_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://YOUR_SERVER_IP:3000/d/node-exporter"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/high-cpu.md"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HostDown</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">probe_success == </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Host</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">down"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Blackbox</span><span class="nv"> </span><span class="s">probe</span><span class="nv"> </span><span class="s">failed</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">2+</span><span class="nv"> </span><span class="s">consecutive</span><span class="nv"> </span><span class="s">minutes"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/host-down.md"</span> </code></pre> </div> <h3> Burn rate alerting — how it reduces alert fatigue </h3> <p>Traditional threshold alerting fires whenever a metric crosses a line producing alert storms. Engineers learn to ignore them.</p> <p>Burn rate alerting asks: <strong>"At this rate of failure, how long until our error budget is exhausted?"</strong></p> <p>Two alerts replace an entire category of noise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/slo-burnrate.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo.alerts</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Fast burn — act immediately</span> <span class="c1"># 14.4x = 2% of monthly budget gone in 1 hour</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">SLOAvailabilityFastBurn</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate1h &gt; </span><span class="m">14.4</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Fast</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">burn</span><span class="nv"> </span><span class="s">—</span><span class="nv"> </span><span class="s">act</span><span class="nv"> </span><span class="s">immediately"</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Burn rate is {{ $value | humanize }}x.</span> <span class="s">2% of the 30-day budget will be consumed in 1 hour.</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/slo-fast-burn.md"</span> <span class="c1"># Slow burn — investigate before it escalates</span> <span class="c1"># 5x = 5% of monthly budget gone in 6 hours</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">SLOAvailabilitySlowBurn</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate6h &gt; </span><span class="m">5</span> <span class="na">for</span><span class="pi">:</span> <span class="s">15m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Slow</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">burn</span><span class="nv"> </span><span class="s">—</span><span class="nv"> </span><span class="s">investigate</span><span class="nv"> </span><span class="s">soon"</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Burn rate is {{ $value | humanize }}x over 6h.</span> <span class="s">5% of the 30-day budget will be consumed in 6 hours.</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/slo-fast-burn.md"</span> </code></pre> </div> <h3> Alertmanager routing and inhibition </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/alertmanager.yml</span> <span class="na">route</span><span class="pi">:</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-default</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">severity</span><span class="pi">,</span> <span class="nv">instance</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">4h</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-critical</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">4h</span> <span class="na">inhibit_rules</span><span class="pi">:</span> <span class="c1"># When host is completely down suppress CPU/memory/latency noise</span> <span class="pi">-</span> <span class="na">source_match</span><span class="pi">:</span> <span class="na">alertname</span><span class="pi">:</span> <span class="s">HostDown</span> <span class="na">target_match_re</span><span class="pi">:</span> <span class="na">alertname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HighCPU.*|HighMemory.*|HighLatency.*|DiskSpace.*"</span> <span class="na">equal</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">instance</span><span class="pi">]</span> <span class="c1"># Critical suppresses warning for same alert on same host</span> <span class="pi">-</span> <span class="na">source_match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">target_match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">equal</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">instance</span><span class="pi">]</span> </code></pre> </div> <h3> Structured Slack template </h3> <p>Alertmanager uses Go templates. The <code>default</code> function from Sprig is <strong>not</strong> supported — a lesson we learned the hard way. Every field must be referenced directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># config/slack.tmpl {{ define "slack.title" -}} [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .GroupLabels.alertname }} {{- end }} {{ define "slack.body" -}} {{ range .Alerts }} *Alert:* {{ .Labels.alertname }} *Severity:* {{ .Labels.severity | toUpper }} *Status:* {{ if eq $.Status "resolved" }}✅ RESOLVED{{ else }}🔥 FIRING{{ end }} *Host:* {{ .Labels.instance }} *Summary:* {{ .Annotations.summary }} *Description:* {{ .Annotations.description }} *Links:* • &lt;{{ .Annotations.dashboard_url }}|📊 Grafana Dashboard&gt; • &lt;{{ .Annotations.runbook_url }}|📖 Runbook&gt; *Started:* {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }} {{ if eq $.Status "resolved" }}*Resolved:* {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }} --- {{ end }} {{- end }} </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr4dzisrk222rdur6pbej.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr4dzisrk222rdur6pbej.png" alt=" " width="800" height="274"></a></p> <blockquote> <p>📸 <em>[Screenshot: Slack showing firing alert with full structured payload]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F86bezkkm9tii30jrbfoc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F86bezkkm9tii30jrbfoc.png" alt=" " width="800" height="291"></a></p> <blockquote> <p>📸 <em>[Screenshot: Slack showing RESOLVED alert]</em></p> </blockquote> <h2> Part 7: Runbooks and Incident Management </h2> <h3> A runbook for every alert </h3> <p>Every alert links directly to its runbook. Each answers six questions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Runbook: High CPU Usage</span> <span class="gu">## What is this alert?</span> HighCPUWarning fires when CPU exceeds 80% for 5+ minutes. <span class="gu">## Likely cause</span> <span class="p">1.</span> Traffic spike <span class="p">2.</span> Runaway process <span class="p">3.</span> Post-deployment regression <span class="gu">## First 3 investigation steps</span> <span class="p"> 1.</span> Check running processes: </code></pre> </div> <p><br> bash<br> top -bn1 | head -20<br> ps aux --sort=-%cpu | head -10<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 2. Check if spike correlates with a deployment: Check GitHub Actions for recent workflow runs 3. Check system journal: </code></pre> </div> <p><br> bash<br> journalctl -n 100 --since "10 minutes ago"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Resolution - Runaway process: kill -9 &lt;PID&gt; - Traffic spike: scale horizontally - Deployment regression: roll back ## Roll back when? If CPU spike started within 30 minutes of a deployment and correlates with increased error rate. ## Escalation Senior engineer if unresolved after 20 minutes. </code></pre> </div> <h3> Blameless Post-Incident Review </h3> <p>We documented a simulated incident where a missing environment variable caused 35% of requests to return 503 for 47 minutes.</p> <p><strong>Timeline:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Time</th> <th>Event</th> </tr> </thead> <tbody> <tr> <td>14:18</td> <td>Deployment triggered</td> </tr> <tr> <td>14:23</td> <td>503 responses begin</td> </tr> <tr> <td>14:29</td> <td>SLOAvailabilityFastBurn fires — 6-min detection lag</td> </tr> <tr> <td>14:36</td> <td>Trace ID in Loki → Tempo reveals config read failure</td> </tr> <tr> <td>14:40</td> <td>Root cause: missing DATABASE_URL env var</td> </tr> <tr> <td>14:45</td> <td>Rollback initiated</td> </tr> <tr> <td>15:10</td> <td>Error rate returns to baseline</td> </tr> </tbody> </table></div> <p><strong>Root cause:</strong> New environment variable added to code but not to the service configuration.</p> <p><strong>Detection gap:</strong> 6-minute lag between incident start and alert. Action item: reduce fast-burn <code>for:</code> clause from 2m to 1m.</p> <p><strong>Action items:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Action</th> <th>Owner</th> <th>Due</th> </tr> </thead> <tbody> <tr> <td>Add post-deploy smoke test</td> <td>DevOps</td> <td>3 days</td> </tr> <tr> <td>Add env var validation to startup</td> <td>App dev</td> <td>5 days</td> </tr> <tr> <td>Reduce fast-burn for: to 1m</td> <td>DevOps</td> <td>1 day</td> </tr> </tbody> </table></div> <p><em>This review is blameless — we focus on systems and processes, not individuals.</em></p> <h2> Part 8: Game Day Results </h2> <h3> Scenario 1 — Deployment Failure </h3> <p>Added <code>exit 1</code> to the GitHub Actions workflow and pushed. The workflow failed and pushed <code>deployment_total{status="failure"}</code> to the Pushgateway. <code>CICDDeploymentFailed</code> fired in Slack within 2 minutes. DORA dashboard showed CFR increase. Immediately reverted.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ura15ydroekukeb3njz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ura15ydroekukeb3njz.png" alt=" " width="800" height="235"></a></p> <blockquote> <p>📸 <em>[Screenshot: GitHub Actions showing red failed run]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjn6c1ha3lb6406mui3ey.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjn6c1ha3lb6406mui3ey.png" alt=" " width="800" height="281"></a></p> <blockquote> <p>📸 <em>[Screenshot: CICDDeploymentFailed in Slack]</em></p> </blockquote> <h3> Scenario 2 — Latency Injection </h3> <p>Injected 600ms network latency using tc netem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tc qdisc add dev ens5 root netem delay 600ms </code></pre> </div> <p><code>HighLatencyWarning</code> fired confirming the alerting pipeline for latency SLO breaches works end-to-end.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Remove latency</span> <span class="nb">sudo </span>tc qdisc del dev ens5 root </code></pre> </div> <p>RESOLVED message confirmed recovery detection works.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1sbeislc94pbmz9hje2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1sbeislc94pbmz9hje2.png" alt=" " width="800" height="257"></a></p> <blockquote> <p>📸 <em>[Screenshot: HighLatencyWarning in Slack]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsl9o1s9mov6228lnxukv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsl9o1s9mov6228lnxukv.png" alt=" " width="800" height="273"></a></p> <blockquote> <p>📸 <em>[Screenshot: RESOLVED in Slack after tc removed]</em></p> </blockquote> <h3> Scenario 3 — Resource Pressure </h3> <p>Used <code>stress-ng</code> to drive CPU above 90%:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stress-ng <span class="nt">--cpu</span> 0 <span class="nt">--cpu-method</span> matrixprod <span class="nt">--timeout</span> 600s &amp; </code></pre> </div> <p><strong>What we observed:</strong></p> <ul> <li> <code>HighCPUWarning</code> entered pending state after CPU sustained above 80%</li> <li>After 5 minutes → <code>HighCPUWarning</code> turned firing in Prometheus</li> <li>Alert arrived in Slack with full structured payload</li> <li> <code>HighCPUCritical</code> entered pending state (needs 10min sustained above 90%)</li> <li>After killing stress → both alerts RESOLVED in Slack</li> </ul> <p>This confirmed the full warning → critical → recovery sequence and proved inhibition rules work — critical suppresses the warning notification.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pkill stress-ng </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxesb40l7g44nbppy9au.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxesb40l7g44nbppy9au.png" alt=" " width="800" height="184"></a></p> <blockquote> <p>📸 <em>[Screenshot: Prometheus alerts page showing Warning firing]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqijo3xara6idmpjmf6v2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqijo3xara6idmpjmf6v2.png" alt=" " width="800" height="376"></a></p> <blockquote> <p>📸 <em>[Screenshot: Node Exporter dashboard with CPU spike at 92%]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q9o0s4z9m20qexfnf11.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q9o0s4z9m20qexfnf11.png" alt=" " width="800" height="278"></a></p> <blockquote> <p>📸 <em>[Screenshot: HighCPUWarning in Slack]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1o77jqad7fx3g2uegd41.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1o77jqad7fx3g2uegd41.png" alt=" " width="800" height="296"></a></p> <blockquote> <p>📸 <em>[Screenshot: RESOLVED in Slack]</em></p> </blockquote> <h2> Key Lessons Learned </h2> <p><strong>1. Systemd is production-grade.</strong><br> Running services as native systemd units is simpler than Docker for single-server deployments. No networking complexity, no container runtime, logs go straight to journald. <code>journalctl -u prometheus -f</code> is all you need.</p> <p><strong>2. Alertmanager templates have limits.</strong><br> The <code>default</code> function from Sprig templating is not supported in Alertmanager. Any <code>| default "value"</code> in your template will crash Alertmanager silently. Always test templates before deploying.</p> <p><strong>3. Port conflicts happen.</strong><br> Tempo and OTel Collector both want port 4317 (OTLP gRPC). When running as bare processes on the same host, one must move. We moved OTel Collector to 4319/4320. In Docker this was hidden by container networking.</p> <p><strong>4. Observability is not monitoring.</strong><br> Monitoring tells you something is wrong. Observability tells you why, where, and when — without needing to SSH into a server. The Loki → Tempo drill-down reduced our incident diagnosis time from 40 minutes to 4 minutes in the PIR simulation.</p> <p><strong>5. SLOs make reliability decisions objective.</strong><br> "Is this deployment safe?" is subjective. "Do we have 100 minutes of error budget remaining?" is objective. SLOs turn reliability from a conversation into a measurement.</p> <p><strong>6. Burn rate alerting eliminates alert fatigue.</strong><br> Two burn rate alerts replaced what would have been dozens of threshold alerts during Game Day scenarios. Engineers respond to meaningful signals, not noise.</p> <p><strong>7. Everything as code is non-negotiable.</strong><br> Every dashboard, alert rule, and config that lives only in a UI is technical debt. Clone the repo, run install.sh, and the entire platform is back — no manual steps, no memory required.</p> <h2> Conclusion </h2> <p>The MeetMind Observability Platform demonstrates that production-grade observability is achievable without managed services and without Docker. Nine systemd services provide the full observability triad — metrics, logs, and traces — with correlation between all three. SLOs convert vague reliability goals into measurable targets. DORA metrics connect daily engineering decisions to business outcomes. Burn rate alerting replaces alert storms with two meaningful signals.</p> <p>The entire platform deploys with one command on any Ubuntu 24.04 server. Every component is version-controlled. Every alert links to a runbook. Every metric spike links to correlated logs and traces.</p> <p><strong>GitHub Repository:</strong> <a href="https://github.com/AirFluke/meetmind-observability" rel="noopener noreferrer">https://github.com/AirFluke/meetmind-observability</a></p> <p><strong>Deploy it yourself:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/AirFluke/meetmind-observability.git <span class="nb">cd </span>meetmind-observability <span class="nb">sudo </span><span class="nv">SLACK_WEBHOOK</span><span class="o">=</span>https://hooks.slack.com/services/YOUR/WEBHOOK bash install.sh </code></pre> </div> <p><em>Built by Team MeetMind for HNG DevOps Track Stage 6</em></p> devops observability prometheus grafana Building a Production-Grade Observability Platform with LGTM Stack, DORA Metrics & SLOs Abraham Acha Sat, 16 May 2026 09:24:00 +0000 https://dev.to/airfluke/building-a-production-grade-observability-platform-with-lgtm-stack-dora-metrics-slos-4i47 https://dev.to/airfluke/building-a-production-grade-observability-platform-with-lgtm-stack-dora-metrics-slos-4i47 <blockquote> <p><strong>GitHub Repository:</strong> <a href="https://github.com/AirFluke/meetmind-observability" rel="noopener noreferrer">https://github.com/AirFluke/meetmind-observability</a><br> <strong>One command to deploy:</strong> <code>docker compose up -d</code></p> </blockquote> <h2> Introduction </h2> <p>Modern software teams don't just need to know when something is down — they need to understand <em>why</em> it broke, <em>how long</em> users were affected, <em>how fast</em> they recovered, and <em>whether their engineering practices are improving</em> over time.</p> <p>This is the gap between basic monitoring and true observability.</p> <p>For Stage 6 of the HNG DevOps track, Team MeetMind built a production-grade observability and reliability platform from scratch using the <strong>LGTM stack</strong> — Loki, Grafana, Tempo, and Prometheus — alongside DORA metrics, SLI/SLO/Error Budget frameworks, and a fully automated alerting pipeline routing to Slack.</p> <p>Everything is infrastructure as code. No manual UI configuration. One command brings the entire stack up.</p> <h2> Why LGTM Over Managed Alternatives? </h2> <p>The observability market offers managed alternatives — Datadog, New Relic, Grafana Cloud. So why self-host the LGTM stack?</p> <p><strong>Cost at scale.</strong> Managed platforms charge per host, per metric, per log line. At scale this becomes a significant infrastructure cost. The LGTM stack runs on a single server with no per-metric pricing.</p> <p><strong>Data sovereignty.</strong> Logs contain sensitive data — request bodies, auth tokens, PII. Shipping these to a third-party SaaS introduces compliance risk. Self-hosted Loki keeps logs within your own infrastructure.</p> <p><strong>No vendor lock-in.</strong> Prometheus exposition format and OpenTelemetry are open standards. Every instrumented service, every dashboard, every alert rule is portable. Switching providers means changing an endpoint URL, not rewriting your entire observability layer.</p> <p><strong>Full control over retention.</strong> We configured 30-day retention for both metrics and logs at no additional cost.</p> <p><strong>Learning depth.</strong> Operating the stack yourself forces genuine understanding of how metrics collection, log aggregation, and distributed tracing work — knowledge that transfers regardless of which tools your next employer uses.</p> <h2> Architecture Overview </h2> <p>The platform runs as a Docker Compose stack with nine services, all with automatic restart policies.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> <th>Port</th> </tr> </thead> <tbody> <tr> <td>Prometheus</td> <td>Metrics collection and storage</td> <td>9090</td> </tr> <tr> <td>Loki</td> <td>Log aggregation</td> <td>3100</td> </tr> <tr> <td>Tempo</td> <td>Distributed trace storage</td> <td>3200</td> </tr> <tr> <td>Grafana</td> <td>Unified observability frontend</td> <td>3000</td> </tr> <tr> <td>Alertmanager</td> <td>Alert routing to Slack</td> <td>9093</td> </tr> <tr> <td>Node Exporter</td> <td>System metrics (CPU, RAM, disk, network)</td> <td>9100</td> </tr> <tr> <td>Blackbox Exporter</td> <td>HTTP/SSL probing</td> <td>9115</td> </tr> <tr> <td>Pushgateway</td> <td>Receives DORA metrics from GitHub Actions</td> <td>9091</td> </tr> <tr> <td>OTel Collector</td> <td>Receives and routes traces and logs</td> <td>4317/4318</td> </tr> </tbody> </table></div> <p><strong>Data flow:</strong></p> <ul> <li>Node Exporter and Blackbox Exporter expose metrics → Prometheus scrapes every 15 seconds</li> <li>GitHub Actions pushes deployment metrics → Pushgateway → Prometheus</li> <li>Applications send traces via OpenTelemetry → OTel Collector → Tempo</li> <li>Applications send logs via OpenTelemetry → OTel Collector → Loki</li> <li>Grafana sits on top of all three — Prometheus, Loki, Tempo — enabling correlated drill-down from a single dashboard</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhccbql3kifx2e3dqiug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhccbql3kifx2e3dqiug.png" alt=" " width="800" height="175"></a></p> <blockquote> <p>📸 <em>[Screenshot: docker compose ps showing all 9 services Up]</em></p> </blockquote> <h2> Part 1: Deploying the Full LGTM Stack </h2> <h3> Docker Compose — the complete stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.8"</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">observability</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">prometheus_data</span><span class="pi">:</span> <span class="na">loki_data</span><span class="pi">:</span> <span class="na">tempo_data</span><span class="pi">:</span> <span class="na">grafana_data</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/prometheus:v2.51.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--config.file=/etc/prometheus/prometheus.yml"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--storage.tsdb.path=/prometheus"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--storage.tsdb.retention.time=30d"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--web.enable-lifecycle"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--web.enable-remote-write-receiver"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/prometheus.yml:/etc/prometheus/prometheus.yml:ro</span> <span class="pi">-</span> <span class="s">./alerts:/etc/prometheus/alerts:ro</span> <span class="pi">-</span> <span class="s">prometheus_data:/prometheus</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9090:9090"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">loki</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/loki:2.9.7</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-config.file=/etc/loki/loki-config.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/loki-config.yaml:/etc/loki/loki-config.yaml:ro</span> <span class="pi">-</span> <span class="s">loki_data:/loki</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3100:3100"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">tempo</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/tempo:2.4.1</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-config.file=/etc/tempo/tempo.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/tempo.yaml:/etc/tempo/tempo.yaml:ro</span> <span class="pi">-</span> <span class="s">tempo_data:/var/tempo</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3200:3200"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">4317:4317"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">4318:4318"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/grafana:10.4.2</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GF_SECURITY_ADMIN_PASSWORD=admin</span> <span class="pi">-</span> <span class="s">GF_USERS_ALLOW_SIGN_UP=false</span> <span class="pi">-</span> <span class="s">GF_FEATURE_TOGGLES_ENABLE=traceqlEditor</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">grafana_data:/var/lib/grafana</span> <span class="pi">-</span> <span class="s">./grafana/provisioning:/etc/grafana/provisioning:ro</span> <span class="pi">-</span> <span class="s">./grafana/dashboards:/var/lib/grafana/dashboards:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">alertmanager</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/alertmanager:v0.27.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">alertmanager</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro</span> <span class="pi">-</span> <span class="s">./config/slack.tmpl:/etc/alertmanager/slack.tmpl:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9093:9093"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">node-exporter</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/node-exporter:v1.7.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">node-exporter</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/proc:/host/proc:ro</span> <span class="pi">-</span> <span class="s">/sys:/host/sys:ro</span> <span class="pi">-</span> <span class="s">/:/rootfs:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9100:9100"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">blackbox-exporter</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/blackbox-exporter:v0.25.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">blackbox-exporter</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/blackbox.yml:/etc/blackbox_exporter/config.yml:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9115:9115"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">pushgateway</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/pushgateway:v1.7.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">pushgateway</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9091:9091"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> <span class="na">otel-collector</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">otel/opentelemetry-collector-contrib:0.98.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">--config=/etc/otel/otel-collector.yaml"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./config/otel-collector.yaml:/etc/otel/otel-collector.yaml:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">4319:4317"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">4320:4318"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8888:8888"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">observability</span> </code></pre> </div> <h3> One command to bring everything up </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <h3> Infrastructure as Code — non-negotiable </h3> <p>Every configuration file is version-controlled. Nothing is configured through a UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>config/ ├── prometheus.yml # Scrape configs + recording rules ├── alertmanager.yml # Route trees + inhibition rules ├── loki-config.yaml # Log ingestion + 30d retention ├── tempo.yaml # Trace storage + 30d retention ├── otel-collector.yaml # Trace and log pipeline └── blackbox.yml # HTTP + SSL probe modules alerts/ ├── infrastructure.yml # CPU, memory, disk, host down ├── slo-burnrate.yml # Multi-window burn rate alerts └── cicd.yml # DORA threshold alerts grafana/ ├── provisioning/ # Datasource + dashboard discovery └── dashboards/ # 5 JSON dashboards </code></pre> </div> <h3> Prometheus scrape configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/prometheus.yml</span> <span class="na">global</span><span class="pi">:</span> <span class="na">scrape_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">evaluation_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">rule_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/etc/prometheus/alerts/infrastructure.yml</span> <span class="pi">-</span> <span class="s">/etc/prometheus/alerts/slo-burnrate.yml</span> <span class="pi">-</span> <span class="s">/etc/prometheus/alerts/cicd.yml</span> <span class="na">scrape_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s">node-exporter</span> <span class="na">scrape_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">node-exporter:9100"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s">blackbox-http</span> <span class="na">metrics_path</span><span class="pi">:</span> <span class="s">/probe</span> <span class="na">params</span><span class="pi">:</span> <span class="na">module</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">http_2xx</span><span class="pi">]</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">http://grafana:3000</span> <span class="pi">-</span> <span class="s">http://prometheus:9090/-/healthy</span> <span class="pi">-</span> <span class="s">http://loki:3100/ready</span> <span class="na">relabel_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">source_labels</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">__address__</span><span class="pi">]</span> <span class="na">target_label</span><span class="pi">:</span> <span class="s">__param_target</span> <span class="pi">-</span> <span class="na">source_labels</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">__param_target</span><span class="pi">]</span> <span class="na">target_label</span><span class="pi">:</span> <span class="s">instance</span> <span class="pi">-</span> <span class="na">target_label</span><span class="pi">:</span> <span class="s">__address__</span> <span class="na">replacement</span><span class="pi">:</span> <span class="s">blackbox-exporter:9115</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s">pushgateway</span> <span class="na">honor_labels</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pushgateway:9091"</span><span class="pi">]</span> </code></pre> </div> <p><strong>Retention periods:</strong></p> <ul> <li>Prometheus metrics: 30 days (<code>--storage.tsdb.retention.time=30d</code>)</li> <li>Loki logs: 30 days (<code>retention_period: 30d</code> in loki-config.yaml)</li> <li>Tempo traces: 30 days (<code>block_retention: 720h</code> in tempo.yaml)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbmp101oquzcwveg39dz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbmp101oquzcwveg39dz.png" alt=" " width="800" height="419"></a></p> <blockquote> <p>📸 <em>[Screenshot: Prometheus targets page showing all scrapers green]</em></p> </blockquote> <h2> Part 2: The Four Golden Signals as SLIs </h2> <p>Before writing a single PromQL query or building any dashboard, we defined what reliability means for MeetMind using Google's Four Golden Signals framework.</p> <h3> Why Four Golden Signals beat CPU/RAM monitoring </h3> <p>Traditional monitoring asks "is the server healthy?" The Four Golden Signals ask "is the <strong>user</strong> experiencing a healthy service?"</p> <p>A server can have 10% CPU and still serve every request with 5-second latency. CPU monitoring shows green. The Four Golden Signals show red. That's the difference.</p> <h3> Signal 1 — Latency </h3> <p>How long does it take to serve a request? We distinguish successful from error latency — a fast error is not a success.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># p95 latency for successful requests histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{status!~"5.."}[5m])) by (le, job) ) # p95 latency for error requests (errors are often faster — fail fast) histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{status=~"5.."}[5m])) by (le, job) ) </code></pre> </div> <h3> Signal 2 — Traffic </h3> <p>How much demand is the system handling?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Requests per second sum(rate(http_requests_total[1m])) by (job) </code></pre> </div> <h3> Signal 3 — Errors </h3> <p>Rate of failed requests — explicit 5xx, implicit wrong content, policy failures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Error rate as a ratio (0 = perfect, 1 = everything failing) sum(rate(http_requests_total{status=~"5.."}[5m])) by (job) / sum(rate(http_requests_total[5m])) by (job) </code></pre> </div> <h3> Signal 4 — Saturation </h3> <p>How "full" is the service? We track CPU, memory, and disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Memory saturation 1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes) # CPU saturation 1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) # Disk saturation 1 - ( node_filesystem_avail_bytes{mountpoint="/", fstype!="tmpfs"} / node_filesystem_size_bytes{mountpoint="/", fstype!="tmpfs"} ) </code></pre> </div> <p>These four PromQL expressions become our SLIs — the measurements we track.</p> <h2> Part 3: SLOs and Error Budgets </h2> <h3> The philosophy </h3> <p>An <strong>SLI</strong> is a measurement.<br> An <strong>SLO</strong> is a target for that measurement.<br> An <strong>Error Budget</strong> is the allowable gap between perfect and the SLO target.</p> <p>This framework changes how engineering teams make decisions. Instead of arguing about whether a deployment is "safe enough", the question becomes: <strong>"Do we have enough error budget to absorb the risk of this deployment?"</strong></p> <p>It converts a subjective conversation into an objective one.</p> <h3> Our SLO targets </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>SLO</th> <th>Target</th> <th>Window</th> <th>Error Budget</th> </tr> </thead> <tbody> <tr> <td>Availability</td> <td>99.5% of HTTP probes return 2xx</td> <td>30 days</td> <td>216 minutes</td> </tr> <tr> <td>Error rate</td> <td>99% of requests succeed</td> <td>30 days</td> <td>432 minutes</td> </tr> <tr> <td>Latency</td> <td>p95 &lt; 500ms</td> <td>Rolling 5m</td> <td>Alert-only</td> </tr> </tbody> </table></div> <p><strong>Why 99.5% availability?</strong><br> This gives us 216 minutes per month — enough for one planned maintenance window without exhausting the budget. A stricter 99.9% would leave only 43 minutes, making any deployment risky.</p> <p><strong>Why 99% error rate?</strong><br> One percent failure tolerance allows for transient errors during rolling deployments. Stricter targets require canary deployment infrastructure before they're meaningful.</p> <p><strong>Why 500ms p95 latency?</strong><br> Industry standard for interactive APIs. Beyond this threshold, user experience degrades measurably. We chose p95 rather than p99 because optimising for the 99th percentile often requires disproportionate infrastructure investment.</p> <h3> Recording rules for SLIs </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/slo-burnrate.yml</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo.recording_rules</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate5m</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[5m])</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate1h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[1h])</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate6h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[6h])</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:ratio_rate30d</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(probe_success[30d])</span> <span class="c1"># Burn rate = how fast we're consuming error budget</span> <span class="c1"># Error budget = 1 - 0.995 = 0.005</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate1h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">(1 - slo:availability:ratio_rate1h) / </span><span class="m">0.005</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate6h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">(1 - slo:availability:ratio_rate6h) / </span><span class="m">0.005</span> </code></pre> </div> <h3> Error Budget Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Budget remaining &gt; 50% → Deploy freely, feature work continues Budget remaining 25-50% → Investigate incidents, no major changes Budget remaining &lt; 25% → Reliability sprint, senior review on all deploys Budget remaining 0% → Feature freeze until budget recovers </code></pre> </div> <p><strong>Who owns the freeze decision?</strong> Engineering lead.<br> <strong>Review cadence?</strong> First Monday of each month.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckl1ghgi1kdl55nulcw9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckl1ghgi1kdl55nulcw9.png" alt=" " width="800" height="409"></a></p> <blockquote> <p>📸 <em>[Screenshot: SLO &amp; Error Budget dashboard showing gauges and burn rate]</em></p> </blockquote> <h2> Part 4: DORA Metrics and CI/CD Observability </h2> <h3> Why DORA metrics connect to business outcomes </h3> <p>DORA metrics answer: <strong>"Is our team getting better or worse at delivering software safely?"</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Business impact</th> </tr> </thead> <tbody> <tr> <td>Deployment Frequency</td> <td>How often value reaches users</td> </tr> <tr> <td>Lead Time for Changes</td> <td>How quickly a bug fix ships</td> </tr> <tr> <td>Change Failure Rate</td> <td>Cost of broken deployments</td> </tr> <tr> <td>Mean Time to Restore</td> <td>Duration of user impact during incidents</td> </tr> </tbody> </table></div> <h3> DORA benchmarks </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Elite</th> <th>High</th> <th>Medium</th> <th>Low</th> </tr> </thead> <tbody> <tr> <td>Deploy frequency</td> <td>Multiple/day</td> <td>Weekly</td> <td>Monthly</td> <td>&lt; Monthly</td> </tr> <tr> <td>Lead time</td> <td>&lt; 1 hour</td> <td>&lt; 1 day</td> <td>1d–1w</td> <td>&gt; 1 week</td> </tr> <tr> <td>CFR</td> <td>&lt; 5%</td> <td>5–10%</td> <td>10–15%</td> <td>&gt; 15%</td> </tr> <tr> <td>MTTR</td> <td>&lt; 1 hour</td> <td>&lt; 1 day</td> <td>1d–1w</td> <td>&gt; 1 week</td> </tr> </tbody> </table></div> <h3> GitHub Actions pushing DORA metrics to Pushgateway </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Record deploy start time</span> <span class="na">id</span><span class="pi">:</span> <span class="s">timing</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "start_ts=$(date +%s)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Your actual build and deploy steps here"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push DORA metrics on success</span> <span class="na">if</span><span class="pi">:</span> <span class="s">success()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">LEAD_TIME=$(( $(date +%s) - ${{ steps.timing.outputs.start_ts }} ))</span> <span class="s">WORKFLOW="${{ github.workflow }}"</span> <span class="s"># Deployment counter</span> <span class="s">cat &lt;&lt;EOF | curl --data-binary @- "${PUSHGATEWAY_URL}/metrics/job/github_actions"</span> <span class="s">deployment_total{status="success",workflow="${WORKFLOW}"} 1</span> <span class="s">EOF</span> <span class="s"># Lead time</span> <span class="s">cat &lt;&lt;EOF | curl --data-binary @- "${PUSHGATEWAY_URL}/metrics/job/github_actions"</span> <span class="s">deployment_lead_time_seconds{workflow="${WORKFLOW}"} ${LEAD_TIME}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push DORA metrics on failure</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">WORKFLOW="${{ github.workflow }}"</span> <span class="s">cat &lt;&lt;EOF | curl --data-binary @- "${PUSHGATEWAY_URL}/metrics/job/github_actions"</span> <span class="s">deployment_total{status="failure",workflow="${WORKFLOW}"} 1</span> <span class="s">EOF</span> </code></pre> </div> <h3> DORA recording rules in Prometheus </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cicd.recording_rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Deployment frequency</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">dora:deployment_frequency:rate24h</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sum(increase(deployment_total[24h])) by (workflow)</span> <span class="c1"># Change Failure Rate = failed / total over 7 days</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">dora:change_failure_rate:ratio7d</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(increase(deployment_total{status="failure"}[7d])) by (workflow)</span> <span class="s">/</span> <span class="s">sum(increase(deployment_total[7d])) by (workflow)</span> <span class="c1"># Mean Time to Restore</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">dora:mttr:avg7d</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">avg_over_time(deployment_restore_time_seconds[7d])</span> </code></pre> </div> <h3> Toil identified and automated </h3> <p><strong>Toil 1 — Manual alert acknowledgement.</strong> Engineers read a Slack alert, open a browser, navigate to Grafana, search for the relevant dashboard. <strong>Automation:</strong> every alert payload includes a direct link to the exact dashboard. Saves 2–3 minutes per alert.</p> <p><strong>Toil 2 — Certificate renewal reminders.</strong> SSL expiry tracked via calendar reminders. <strong>Automation:</strong> Blackbox Exporter monitors SSL expiry continuously. <code>SSLCertExpiringSoon</code> alert fires 14 days before expiry automatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8qz2rwfcklcl6evmru5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8qz2rwfcklcl6evmru5.png" alt=" " width="800" height="318"></a></p> <blockquote> <p>📸 <em>[Screenshot: DORA metrics dashboard with classification badges]</em></p> </blockquote> <h2> Part 5: Five Grafana Dashboards — All Provisioned as Code </h2> <p>All dashboards are provisioned from JSON files. The Grafana UI was never used to create or modify any panel.</p> <h3> Grafana provisioning configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># grafana/provisioning/datasources/datasources.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">datasources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Prometheus</span> <span class="na">type</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://prometheus:9090</span> <span class="na">isDefault</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Loki</span> <span class="na">type</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://loki:3100</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="c1"># This is the key config for trace drill-down</span> <span class="na">derivedFields</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TraceID</span> <span class="na">matcherRegex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">traceID=(\w+)'</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${__value.raw}"</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">urlDisplayLabel</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Open</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">Tempo"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TraceID_json</span> <span class="na">matcherRegex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">"traceId":"(\w+)"'</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${__value.raw}"</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">urlDisplayLabel</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Open</span><span class="nv"> </span><span class="s">trace</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">Tempo"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tempo</span> <span class="na">type</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://tempo:3200</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">tracesToLogsV2</span><span class="pi">:</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">filterByTraceID</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">customQuery</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">query</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{service_name="${__span.tags.service.name}"}</span><span class="nv"> </span><span class="s">|=</span><span class="nv"> </span><span class="s">"${__trace.traceId}"'</span> </code></pre> </div> <h3> Dashboard 1 — Node Exporter </h3> <p>CPU utilisation total and per-core, memory used/cached/available, disk I/O, network I/O, and load averages at 1/5/15 minutes. Gives instant visibility into whether resource saturation is causing service degradation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73muggqvvv0r82hqca4t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73muggqvvv0r82hqca4t.png" alt=" " width="800" height="331"></a></p> <blockquote> <p>📸 <em>[Screenshot: Node Exporter dashboard with live CPU and memory data]</em></p> </blockquote> <h3> Dashboard 2 — Blackbox Exporter </h3> <p>External probing: uptime/downtime timeline, HTTP response time, SSL certificate expiry countdown, probe success rate. This dashboard answers "what is the user experiencing?" rather than "what is the server doing?" — a critical distinction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdi42zx215nylzrr3hgoo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdi42zx215nylzrr3hgoo.png" alt=" " width="800" height="380"></a></p> <blockquote> <p>📸 <em>[Screenshot: Blackbox Exporter dashboard showing probe results]</em></p> </blockquote> <h3> Dashboard 3 — DORA Metrics </h3> <p>Deployment frequency trend, lead time distribution, CFR raw count and rolling percentage, MTTR with DORA benchmark classification displayed prominently. Classification updates automatically as metrics change.</p> <h3> Dashboard 4 — SLO &amp; Error Budget </h3> <p>SLI vs SLO gauges, error budget remaining as a bar gauge coloured by urgency, burn rate time series with fast/slow burn thresholds marked, SLO compliance history over 7 and 30 day windows.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm17bd53actu3d76az5n2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm17bd53actu3d76az5n2.png" alt=" " width="800" height="411"></a></p> <blockquote> <p>📸 <em>[Screenshot: SLO dashboard with error budget gauge]</em></p> </blockquote> <h3> Dashboard 5 — Unified Observability (the most important) </h3> <p>This is the dashboard that makes the entire stack worth building.</p> <p>A user sees a spike in the error rate panel → clicks through to Loki → sees error logs from that exact time window → clicks the trace ID link → Tempo opens the waterfall → identifies exactly which service, endpoint, and span caused the failure.</p> <p>This drill-down — <strong>metric spike → correlated logs → causing trace</strong> — is what separates observability from monitoring.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Monitoring: "Something is wrong" Observability: "Here is exactly why, where, and when" </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcpvd1nqu8dic2jfrm2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcpvd1nqu8dic2jfrm2.png" alt=" " width="800" height="416"></a></p> <blockquote> <p>📸 <em>[Screenshot: Unified dashboard showing error rate spike]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0qgifgd8j7mw5d2deli.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0qgifgd8j7mw5d2deli.png" alt=" " width="800" height="377"></a></p> <blockquote> <p>📸 <em>[Screenshot: Loki logs panel with clickable trace IDs]</em></p> </blockquote> <h2> Part 6: The Alerting System </h2> <h3> All alert rules are version-controlled </h3> <p>Zero alert rules live in Grafana. Every rule is in a <code>.yml</code> file under <code>alerts/</code>.</p> <h3> Infrastructure alerts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/infrastructure.yml</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">infrastructure.rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Recording rules — pre-compute SLIs</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m]))</span> <span class="pi">-</span> <span class="na">record</span><span class="pi">:</span> <span class="s">sli:node_memory_saturation</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)</span> <span class="c1"># CPU alerts</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighCPUWarning</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation &gt; </span><span class="m">0.80</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">CPU</span><span class="nv"> </span><span class="s">usage</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CPU</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">(threshold:</span><span class="nv"> </span><span class="s">80%)"</span> <span class="na">dashboard_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://YOUR_SERVER_IP:3000/d/node-exporter"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/high-cpu.md"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighCPUCritical</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sli:node_cpu_saturation &gt; </span><span class="m">0.90</span> <span class="na">for</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Critical</span><span class="nv"> </span><span class="s">CPU</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CPU</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">10+</span><span class="nv"> </span><span class="s">minutes"</span> <span class="na">dashboard_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://YOUR_SERVER_IP:3000/d/node-exporter"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/high-cpu.md"</span> <span class="c1"># Host down — Blackbox probe fails for 2 minutes</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HostDown</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">probe_success == </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Host</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">down"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Blackbox</span><span class="nv"> </span><span class="s">probe</span><span class="nv"> </span><span class="s">failed</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">2+</span><span class="nv"> </span><span class="s">consecutive</span><span class="nv"> </span><span class="s">minutes"</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/host-down.md"</span> </code></pre> </div> <h3> Burn rate alerting — how it reduces alert fatigue </h3> <p>Traditional threshold alerting fires whenever a metric crosses a line. This produces alert storms — dozens of notifications for a single incident. Teams learn to ignore them.</p> <p>Burn rate alerting answers a different question: <strong>"At this rate of failure, how long until our error budget is exhausted?"</strong></p> <p>Two alerts replace an entire category of noise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alerts/slo-burnrate.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo.alerts</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Fast burn — act immediately</span> <span class="c1"># 14.4x means 2% of monthly budget gone in 1 hour</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">SLOAvailabilityFastBurn</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate1h &gt; </span><span class="m">14.4</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Fast</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">burn</span><span class="nv"> </span><span class="s">—</span><span class="nv"> </span><span class="s">act</span><span class="nv"> </span><span class="s">immediately"</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Burn rate is {{ $value | humanize }}x. At this rate,</span> <span class="s">2% of the 30-day budget will be consumed in 1 hour.</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/slo-fast-burn.md"</span> <span class="c1"># Slow burn — investigate before it escalates</span> <span class="c1"># 5x means 5% of monthly budget gone in 6 hours</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">SLOAvailabilitySlowBurn</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">slo:availability:burn_rate6h &gt; </span><span class="m">5</span> <span class="na">for</span><span class="pi">:</span> <span class="s">15m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Slow</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">burn</span><span class="nv"> </span><span class="s">—</span><span class="nv"> </span><span class="s">investigate</span><span class="nv"> </span><span class="s">soon"</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Burn rate is {{ $value | humanize }}x over 6h.</span> <span class="s">5% of the 30-day budget will be consumed in 6 hours.</span> <span class="na">runbook_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/AirFluke/meetmind-observability/blob/main/runbooks/slo-slow-burn.md"</span> </code></pre> </div> <h3> Alertmanager routing and inhibition </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/alertmanager.yml</span> <span class="na">route</span><span class="pi">:</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-default</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">severity</span><span class="pi">,</span> <span class="nv">instance</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">4h</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-critical</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">4h</span> <span class="na">inhibit_rules</span><span class="pi">:</span> <span class="c1"># When host is completely down, suppress CPU/memory/latency noise</span> <span class="pi">-</span> <span class="na">source_match</span><span class="pi">:</span> <span class="na">alertname</span><span class="pi">:</span> <span class="s">HostDown</span> <span class="na">target_match_re</span><span class="pi">:</span> <span class="na">alertname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HighCPU.*|HighMemory.*|HighLatency.*|DiskSpace.*"</span> <span class="na">equal</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">instance</span><span class="pi">]</span> <span class="c1"># Critical suppresses warning for same alert on same host</span> <span class="pi">-</span> <span class="na">source_match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">target_match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">equal</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">alertname</span><span class="pi">,</span> <span class="nv">instance</span><span class="pi">]</span> </code></pre> </div> <h3> Structured Slack payload — plain text is not acceptable </h3> <p>Every alert in <code>#all-hng-alerts</code> includes alert name, severity, host, metric value, Grafana link, and runbook link.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># config/slack.tmpl {{ define "slack.title" -}} [{{ .Status | toUpper }}] {{ .GroupLabels.alertname }} {{- end }} {{ define "slack.body" -}} {{ range .Alerts }} *Alert:* {{ .Labels.alertname }} *Severity:* {{ .Labels.severity | toUpper }} *Status:* {{ if eq $.Status "resolved" }}✅ RESOLVED{{ else }}🔥 FIRING{{ end }} *Host:* {{ .Labels.instance }} *Summary:* {{ .Annotations.summary }} *Links:* • &lt;{{ .Annotations.dashboard_url }}|📊 Grafana Dashboard&gt; • &lt;{{ .Annotations.runbook_url }}|📖 Runbook&gt; *Started:* {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }} {{ end }} {{- end }} </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0060tuc1x276ui505ck5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0060tuc1x276ui505ck5.png" alt=" " width="800" height="274"></a></p> <blockquote> <p>📸 <em>[Screenshot: Slack showing firing alert with full structured payload]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcni859eunsusn2ux5han.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcni859eunsusn2ux5han.png" alt=" " width="800" height="291"></a></p> <blockquote> <p>📸 <em>[Screenshot: Slack showing RESOLVED alert]</em></p> </blockquote> <h2> Part 7: Runbooks and Incident Management </h2> <h3> A runbook for every alert </h3> <p>Every alert links directly to its runbook. An engineer woken at 3am should be able to follow it to resolution without searching.</p> <p>Each runbook answers six questions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Runbook: High CPU Usage</span> <span class="gu">## What is this alert?</span> HighCPUWarning fires when CPU exceeds 80% for 5+ minutes. <span class="gu">## Likely cause</span> <span class="p">1.</span> Traffic spike <span class="p">2.</span> Runaway process <span class="p">3.</span> Post-deployment regression <span class="gu">## First 3 investigation steps</span> <span class="p">1.</span> Check running processes: </code></pre> </div> <p><br> bash<br> top -bn1 | head -20<br> docker stats --no-stream<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2. Correlate with traffic on Unified Observability dashboard 3. Check recent deployments in GitHub Actions ## Resolution - Runaway process: kill -9 &lt;PID&gt; - Traffic spike: scale horizontally - Deployment regression: roll back ## Roll back when? If CPU spike started within 30 minutes of a deployment and correlates with increased error rate. ## Escalation Senior engineer if unresolved after 20 minutes. </code></pre> </div> <h3> Blameless Post-Incident Review </h3> <p>We documented a simulated incident where a missing environment variable caused 35% of requests to return 503 for 47 minutes.</p> <p><strong>Timeline:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Time</th> <th>Event</th> </tr> </thead> <tbody> <tr> <td>14:18</td> <td>Deployment triggered</td> </tr> <tr> <td>14:23</td> <td>503 responses begin</td> </tr> <tr> <td>14:29</td> <td>SLOAvailabilityFastBurn fires (6-min detection lag)</td> </tr> <tr> <td>14:36</td> <td>Trace ID in Loki → Tempo reveals config read failure</td> </tr> <tr> <td>14:40</td> <td>Root cause identified: missing DATABASE_URL env var</td> </tr> <tr> <td>14:45</td> <td>Rollback initiated</td> </tr> <tr> <td>15:10</td> <td>Error rate returns to baseline</td> </tr> </tbody> </table></div> <p><strong>Root cause:</strong> New environment variable added to code but not to <code>docker-compose.yml</code>.</p> <p><strong>Detection gap:</strong> 6-minute lag between incident start and alert firing. Action item: reduce fast-burn <code>for:</code> clause from 2m to 1m.</p> <p><strong>Action items:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Action</th> <th>Owner</th> <th>Due</th> </tr> </thead> <tbody> <tr> <td>Add post-deploy smoke test</td> <td>DevOps</td> <td>3 days</td> </tr> <tr> <td>Add env var validation to entrypoint</td> <td>App dev</td> <td>5 days</td> </tr> <tr> <td>Reduce fast-burn for: clause to 1m</td> <td>DevOps</td> <td>1 day</td> </tr> </tbody> </table></div> <p><em>This review is blameless — we focus on systems and processes, not individuals.</em></p> <h2> Part 8: Game Day Results </h2> <h3> Scenario 1 — Deployment Failure </h3> <p>Added <code>exit 1</code> to the GitHub Actions workflow and pushed. The workflow failed and pushed <code>deployment_total{status="failure"}</code> to the Pushgateway. <code>CICDDeploymentFailed</code> fired in Slack within 2 minutes. DORA dashboard showed CFR increase. Immediately reverted.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbe9wbt95xjtvfnypl0a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbe9wbt95xjtvfnypl0a.png" alt=" " width="800" height="235"></a></p> <blockquote> <p>📸 <em>[Screenshot: GitHub Actions showing red failed run]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxc2uh93xnm7n3mc6ulig.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxc2uh93xnm7n3mc6ulig.png" alt=" " width="800" height="281"></a></p> <blockquote> <p>📸 <em>[Screenshot: CICDDeploymentFailed in Slack]</em></p> </blockquote> <h3> Scenario 2 — Latency Injection </h3> <p>Injected 600ms network latency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tc qdisc add dev ens5 root netem delay 600ms </code></pre> </div> <p><code>HighLatencyWarning</code> fired confirming the alerting pipeline for latency SLO breaches works end-to-end.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Remove latency</span> <span class="nb">sudo </span>tc qdisc del dev ens5 root </code></pre> </div> <p>RESOLVED message confirmed recovery detection works.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8rkgbgni81u4mbgg2jll.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8rkgbgni81u4mbgg2jll.png" alt=" " width="800" height="416"></a></p> <blockquote> <p>📸 <em>[Screenshot: Unified dashboard showing latency spike]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F499zc3bzqcpznu1zvvgo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F499zc3bzqcpznu1zvvgo.png" alt=" " width="800" height="257"></a></p> <blockquote> <p>📸 <em>[Screenshot: HighLatencyWarning in Slack]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzm2qivesp070n4360zi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzm2qivesp070n4360zi.png" alt=" " width="800" height="273"></a></p> <blockquote> <p>📸 <em>[Screenshot: RESOLVED in Slack after tc removed]</em></p> </blockquote> <h3> Scenario 3 — Resource Pressure </h3> <p>Used <code>stress-ng</code> to drive CPU above 90%:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stress-ng <span class="nt">--cpu</span> 0 <span class="nt">--cpu-method</span> matrixprod <span class="nt">--timeout</span> 600s &amp; </code></pre> </div> <p><strong>What we observed:</strong></p> <ul> <li> <code>HighCPUWarning</code> entered <strong>pending</strong> state after CPU sustained above 80%</li> <li>After 5 minutes → <code>HighCPUWarning</code> turned <strong>firing</strong> in Prometheus</li> <li>Alert arrived in Slack with full structured payload</li> <li> <code>HighCPUCritical</code> entered <strong>pending</strong> (needs 10min sustained above 90%)</li> <li>After killing stress: both alerts <strong>RESOLVED</strong> in Slack</li> </ul> <p>This confirmed the full warning → critical → recovery sequence and proved inhibition rules work — critical suppressed the warning notification.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pkill stress-ng </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwerqa3dr0r2fuz9dljan.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwerqa3dr0r2fuz9dljan.png" alt=" " width="800" height="184"></a></p> <blockquote> <p>📸 <em>[Screenshot: Prometheus alerts page showing Warning firing]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnuyf7z253mzz5uuv85e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnuyf7z253mzz5uuv85e.png" alt=" " width="800" height="325"></a></p> <blockquote> <p>📸 <em>[Screenshot: Prometheus alerts page showing Critical pending]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mfjapehe33tp4x5h20s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mfjapehe33tp4x5h20s.png" alt=" " width="800" height="331"></a></p> <blockquote> <p>📸 <em>[Screenshot: Node Exporter dashboard with CPU spike at 92%]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe36wupol0ilpq9cgl11v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe36wupol0ilpq9cgl11v.png" alt=" " width="800" height="278"></a></p> <blockquote> <p>📸 <em>[Screenshot: HighCPUWarning in Slack]</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl7s4tnp2i8xbjb0f8c8v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl7s4tnp2i8xbjb0f8c8v.png" alt=" " width="800" height="296"></a></p> <blockquote> <p>📸 <em>[Screenshot: RESOLVED in Slack]</em></p> </blockquote> <h2> Key Learnings </h2> <p><strong>1. Observability is not monitoring.</strong><br> Monitoring tells you something is wrong. Observability tells you why, where, and when — without needing to SSH into a server.</p> <p><strong>2. SLOs make reliability decisions objective.</strong><br> "Is this deployment safe?" is subjective. "Do we have 100 minutes of error budget remaining?" is objective. SLOs turn reliability from a conversation into a measurement.</p> <p><strong>3. Burn rate alerting eliminates alert fatigue.</strong><br> Two burn rate alerts replaced what would have been dozens of threshold alerts during our Game Day scenarios. Engineers respond to meaningful signals, not noise.</p> <p><strong>4. DORA metrics connect engineering to business.</strong><br> High MTTR isn't just a technical problem — it's lost revenue per minute. Low deployment frequency isn't just slow — it's delayed value delivery. DORA makes this explicit.</p> <p><strong>5. Everything as code is non-negotiable.</strong><br> Every dashboard, alert rule, and config that lives only in a UI is technical debt. When the server dies, you want to run <code>docker compose up -d</code> and have everything back — not spend three hours recreating dashboards from memory.</p> <h2> Conclusion </h2> <p>The MeetMind Observability Platform demonstrates that production-grade observability is achievable without managed services. The LGTM stack provides the full observability triad — metrics, logs, and traces — with correlation between all three. SLOs convert vague reliability goals into measurable targets. DORA metrics connect daily engineering decisions to business outcomes. Burn rate alerting replaces alert storms with two meaningful signals.</p> <p>The entire platform deploys with one command. Every component is version-controlled. Every alert links to a runbook. Every metric spike links to correlated logs and traces.</p> <p><strong>GitHub Repository:</strong> <a href="https://github.com/AirFluke/meetmind-observability" rel="noopener noreferrer">https://github.com/AirFluke/meetmind-observability</a></p> <p><em>Built by Team MeetMind for HNG DevOps Track Stage 6</em></p> devops observability prometheus grafana SwiftDeploy: Building a Self-Writing Infrastructure Manager with Policy Enforcement — A Complete Technical Walkthrough Abraham Acha Wed, 06 May 2026 04:01:09 +0000 https://dev.to/airfluke/-swiftdeploy-building-a-self-writing-infrastructure-manager-with-policy-enforcement-a-complete-2klf https://dev.to/airfluke/-swiftdeploy-building-a-self-writing-infrastructure-manager-with-policy-enforcement-a-complete-2klf <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw24xzkqg7dc6kj858311.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw24xzkqg7dc6kj858311.png" alt=" " width="800" height="533"></a></p> <p><em>How I built a CLI tool that generates its own infrastructure configs, manages a full containerised stack, enforces deployment policies through OPA, exposes Prometheus metrics, and produces a live audit trail — all from a single YAML file.</em></p> <h2> Table of Contents </h2> <ol> <li>The Problem We're Solving</li> <li>Architecture Overview</li> <li> Stage 4A — The Engine <ul> <li>The Manifest</li> <li>The Python HTTP Service</li> <li>The Dockerfile</li> <li>The Templates</li> <li>The CLI</li> <li>The Two Deployment Modes</li> </ul> </li> <li> Stage 4B — The Eyes and Brain <ul> <li>Prometheus Metrics</li> <li>OPA Policy Engine</li> <li>Gated Lifecycle</li> <li>The Status Dashboard</li> <li>The Audit Trail</li> </ul> </li> <li>The Debugging Sagas</li> <li>Full Deployment Walkthrough</li> <li>Key Lessons Learned</li> </ol> <h2> The Problem We're Solving {#the-problem} </h2> <p>Every time you spin up a new service in a real DevOps environment, you repeat the same manual work:</p> <ul> <li>Write an Nginx config</li> <li>Write a Docker Compose file</li> <li>Run Docker commands</li> <li>Check if things are healthy</li> <li>Hope nobody deploys when the disk is full</li> <li>Hope nobody promotes a canary that's throwing 60% errors</li> </ul> <p>SwiftDeploy solves all of this. One YAML manifest describes your entire deployment. A CLI tool generates every config file from it, manages the container lifecycle, enforces safety policies before allowing deployments, exposes real-time metrics, and produces a full audit trail.</p> <p><strong>The golden rule: the manifest is the single source of truth. Everything else is generated.</strong></p> <h2> Architecture Overview {#architecture} </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────────┐ │ SwiftDeploy — Full System Architecture │ ├──────────────────┬──────────────────────────────────────┬───────────────────┤ │ ZONE 1 │ ZONE 2 │ ZONE 3 │ │ Operator │ Host Machine / Docker Engine │ Generated Files │ │ │ │ │ │ [Operator] │ ┌─── swiftdeploy-net (bridge) ───┐ │ nginx.conf │ │ │ │ │ │ │ docker-compose │ │ ▼ │ │ [nginx:8080]──────►[app:3000] │ │ history.jsonl │ │ manifest.yaml │ │ PUBLIC INTERNAL │ │ audit_report.md │ │ (source of │ │ │ │ │ │ │ │ truth) │ │ └──[logs vol]─────┘ │ │ │ │ │ │ │ │ │ │ │ ▼ │ │ [opa:8181] │ │ │ │ swiftdeploy │ │ localhost only │ │ │ │ CLI │ │ NOT via nginx ✗ │ │ │ │ ├─ init │ └────────────────────────────────┘ │ │ │ ├─ validate │ │ │ │ ├─ deploy ──────┼──► pre-deploy: OPA infra check │ │ │ ├─ promote ─────┼──► pre-promote: OPA canary check │ │ │ ├─ status ──────┼──► scrapes /metrics every 5s ───────►│ history.jsonl │ │ ├─ audit ───────┼────────────────────────────────────►│ audit_report.md │ │ └─ teardown │ │ │ └──────────────────┴──────────────────────────────────────┴───────────────────┘ </code></pre> </div> <h2> Stage 4A — The Engine {#stage-4a} </h2> <p>Stage 4A is the foundation. It answers one question: <strong>how do you build a tool that writes its own infrastructure configs?</strong></p> <h3> The Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>swiftdeploy/ ├── manifest.yaml ← the ONLY file you edit ├── swiftdeploy ← CLI executable ├── Dockerfile ← app image definition ├── app/ │ └── main.py ← Python HTTP service ├── templates/ │ ├── nginx.conf.tmpl ← nginx template │ └── docker-compose.yml.tmpl ← compose template ├── policies/ ← Stage 4B addition │ ├── infrastructure.rego │ ├── canary.rego │ └── data.json ├── nginx.conf ← generated (gitignored) └── docker-compose.yml ← generated (gitignored) </code></pre> </div> <h3> The Manifest {#the-manifest} </h3> <p><code>manifest.yaml</code> is the brain of the entire system. Every component reads from it directly or via generated files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="c1"># stable or canary</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">log_volume</span><span class="pi">:</span> <span class="s">swiftdeploy-logs</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openpolicyagent/opa:latest-static</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8181</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">contact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ops@swiftdeploy.local"</span> </code></pre> </div> <p>Every field propagates through the system. Change <code>nginx.proxy_timeout</code> here and it updates in <code>nginx.conf</code> on the next <code>init</code>. Change <code>services.mode</code> here and the entire deployment mode switches on the next <code>promote</code>.</p> <h3> The Python HTTP Service {#the-python-service} </h3> <p>The app is a from-scratch HTTP server using only Python's stdlib — no Flask, no FastAPI. Three endpoints in Stage 4A, four in Stage 4B.</p> <h4> Configuration from environment </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MODE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MODE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stable</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_VERSION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_VERSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_PORT</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">3000</span><span class="sh">"</span><span class="p">))</span> <span class="n">START_TIME</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> </code></pre> </div> <p>Configuration comes entirely from environment variables injected by Docker Compose at runtime. <code>START_TIME</code> is captured at module load — this is how <code>/healthz</code> calculates uptime without a database.</p> <h4> Thread-safe chaos state </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">chaos_lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="n">chaos_state</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">}</span> <span class="k">def</span> <span class="nf">get_chaos</span><span class="p">():</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="k">return</span> <span class="nf">dict</span><span class="p">(</span><span class="n">chaos_state</span><span class="p">)</span> <span class="c1"># returns a copy — callers can't mutate internal state </span> <span class="k">def</span> <span class="nf">set_chaos</span><span class="p">(</span><span class="n">state</span><span class="p">):</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="n">chaos_state</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">state</span><span class="p">)</span> </code></pre> </div> <p>The <code>Lock</code> prevents race conditions when multiple requests read and write chaos state simultaneously. <code>dict(chaos_state)</code> returns a copy so the caller never holds a reference to the mutable internal dict.</p> <h4> The three Stage 4A endpoints </h4> <p><strong>GET /</strong> — welcome<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Welcome to SwiftDeploy API</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%dT%H:%M:%SZ</span><span class="sh">"</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">gmtime</span><span class="p">()),</span> <span class="p">})</span> </code></pre> </div> <p><strong>GET /healthz</strong> — liveness check<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">uptime</span> <span class="o">=</span> <span class="nf">round</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">START_TIME</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">uptime_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="n">uptime</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The <code>/healthz</code> endpoint does three jobs: proves the server is alive (Docker healthcheck), reports current mode (so <code>promote</code> can confirm the switch happened), and reports uptime (useful for debugging restart loops).</p> <p><strong>POST /chaos</strong> — chaos injection (canary only)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">MODE</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">chaos endpoint only available in canary mode</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">mode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">recover</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> </code></pre> </div> <p>Reading <code>Content-Length</code> before <code>rfile.read()</code> is mandatory HTTP protocol — otherwise <code>read()</code> blocks forever waiting for data that never arrives.</p> <p>The chaos modes:</p> <ul> <li> <code>slow</code> — injects <code>time.sleep(N)</code> before responding, simulating a slow upstream</li> <li> <code>error</code> — uses <code>random.random() &lt; rate</code> to return 500 on a configurable percentage of requests</li> <li> <code>recover</code> — clears all chaos state, returning to normal behaviour</li> </ul> <h3> The Dockerfile {#the-dockerfile} </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.12-alpine</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> appgroup <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> appuser <span class="nt">-G</span> appgroup <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> app/main.py .</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> appuser:appgroup /app <span class="k">USER</span><span class="s"> appuser</span> <span class="k">ENV</span><span class="s"> MODE=stable</span> <span class="k">ENV</span><span class="s"> APP_VERSION=1.0.0</span> <span class="k">ENV</span><span class="s"> APP_PORT=3000</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=10s --timeout=5s --start-period=15s --retries=5 \</span> CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:3000/healthz', timeout=4)" || exit 1 <span class="k">CMD</span><span class="s"> ["python", "main.py"]</span> </code></pre> </div> <p><strong>Why Alpine?</strong> <code>python:3.12-alpine</code> is ~60MB. <code>python:3.12</code> (Debian) is ~1GB. We need under 300MB.</p> <p><strong>Why non-root?</strong> If someone exploits the app, they get a powerless user, not root access to the server.</p> <p><strong>Why Python urllib for the healthcheck?</strong> This was a hard-won lesson. <code>wget</code> couldn't resolve <code>localhost</code> inside Alpine on WSL2 + Docker Desktop — a known network namespace quirk. Python's <code>urllib</code> bypasses the system resolver entirely and connects directly via socket. More reliable, no external tool needed.</p> <h3> The Templates {#the-templates} </h3> <p>Templates are blueprints with <code>{{ placeholder }}</code> values that the CLI replaces with real values from the manifest.</p> <p><strong>nginx.conf.tmpl</strong> key sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">app:</span><span class="p">{</span><span class="err">{</span> <span class="kn">service_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">keepalive</span> <span class="mi">32</span><span class="p">;</span> <span class="p">}</span> <span class="kn">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> $<span class="p">{</span><span class="kn">request_time</span><span class="err">}</span><span class="s">s</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="p">{</span><span class="err">{</span> <span class="kn">nginx_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">proxy_connect_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="kn">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> <span class="kn">location</span> <span class="s">@error502</span> <span class="p">{</span> <span class="kn">default_type</span> <span class="nc">application/json</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":"Bad</span> <span class="s">Gateway","code":502,"service":"app","contact":"</span><span class="p">{</span><span class="err">{</span> <span class="kn">contact</span> <span class="err">}}</span><span class="s">"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Design decisions:</p> <ul> <li> <strong>Custom log format</strong> — ISO timestamp, status code, response time, upstream IP, full request on one line</li> <li> <strong>JSON error bodies</strong> — APIs need machine-readable errors, not nginx HTML pages</li> <li> <strong><code>proxy_pass_header X-Mode</code></strong> — nginx strips custom headers by default; this forwards the canary header through to clients</li> <li> <strong><code>keepalive 32</code></strong> — maintains 32 persistent connections to the upstream, reducing connection overhead</li> </ul> <p><strong>docker-compose.yml.tmpl</strong> key sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">app</span><span class="pi">:</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">service_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># container-to-container only, NEVER published to host</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># only nginx faces the world</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="c1"># nginx waits for app healthcheck to pass</span> </code></pre> </div> <p>The <code>expose</code> vs <code>ports</code> distinction is a security boundary. <code>expose</code> = container-to-container only. <code>ports</code> = host-facing. The app is never reachable from outside Docker.</p> <h3> The CLI — Five Stage 4A Subcommands {#the-cli} </h3> <h4> The template engine </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">val</span> <span class="ow">in</span> <span class="n">context</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">content</span> <span class="o">=</span> <span class="n">content</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">{{ </span><span class="sh">"</span> <span class="o">+</span> <span class="n">key</span> <span class="o">+</span> <span class="sh">"</span><span class="s"> }}</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">val</span><span class="p">))</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <p>Five lines. No Jinja2. Simple string replacement. The templates are straightforward enough that a minimal custom engine is cleaner than pulling in a dependency.</p> <h4> <code>init</code> — generates everything from the manifest </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_init</span><span class="p">():</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">nginx_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">NGINX_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="n">compose_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">COMPOSE_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">NGINX_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">nginx_conf</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">COMPOSE_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">compose_conf</span><span class="p">)</span> </code></pre> </div> <p>The grader deletes generated files and re-runs <code>init</code> to verify regeneration. Because we built it correctly, this is a non-issue.</p> <h4> <code>validate</code> — five pre-flight checks </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Check 1: manifest.yaml exists and is valid YAML # Check 2: all required fields present and non-empty # Check 3: docker image inspect — exits 0 if exists # Check 4: ss -tlnp | grep :8080 — non-empty means port in use # Check 5: nginx -t via isolated Docker container </span></code></pre> </div> <p>Check 5 is the most interesting. We run <code>nginx -t</code> in a temporary container — validating syntax without needing nginx installed on the host. But we hit a complication: <code>app:3000</code> (the upstream hostname) can't be resolved in an isolated container. Fix: swap <code>server app:</code> with <code>server 127.0.0.1:</code> in a temp copy before testing. Actual <code>nginx.conf</code> on disk is untouched.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">test_content</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">server app:</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">server 127.0.0.1:</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h4> <code>deploy</code> — brings up the stack and blocks until healthy </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">deadline</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span> <span class="k">while</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">deadline</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://localhost:</span><span class="si">{</span><span class="n">nginx_port</span><span class="si">}</span><span class="s">/healthz</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="k">if</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">()).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="n">healthy</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># container still starting — connection refused is normal </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p><code>docker compose up -d</code> returns as soon as containers are created, not when they're healthy. The polling loop tries <code>/healthz</code> every 2 seconds for 60 seconds. Only <code>{"status": "ok"}</code> breaks the loop.</p> <h4> <code>promote</code> — rolling restart with zero nginx downtime </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1. Update manifest in-place </span><span class="n">content</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">(mode:\s*)(\S+)</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\\</span><span class="s">g&lt;1&gt;</span><span class="si">{</span><span class="n">target_mode</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 2. Regenerate docker-compose.yml with new MODE env var </span> <span class="c1"># 3. Restart ONLY the app container — nginx stays up </span><span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --no-deps app</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># 4. Confirm mode via /healthz </span></code></pre> </div> <p><code>--no-deps</code> is the key — it tells Compose to restart only the <code>app</code> service without touching <code>nginx</code>. Zero proxy downtime during the switch.</p> <h3> The Two Deployment Modes {#deployment-modes} </h3> <p><strong>Stable mode</strong> — normal production behaviour. Clean responses. No special headers. <code>/chaos</code> returns 403.</p> <p><strong>Canary mode</strong> — test mode before full rollout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">MODE</span> <span class="o">==</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># on EVERY response </span></code></pre> </div> <p>Canary mode:</p> <ul> <li>Adds <code>X-Mode: canary</code> to every response — callers can identify which mode they're hitting</li> <li>Unlocks <code>/chaos</code> — lets you simulate slow responses, random errors, then recover</li> <li>You promote with <code>./swiftdeploy promote canary</code>, stress test, then <code>./swiftdeploy promote stable</code> to roll back</li> </ul> <h2> Stage 4B — The Eyes and The Brain {#stage-4b} </h2> <p>Stage 4A built the engine. Stage 4B adds observability and policy enforcement. The stack now has <strong>eyes</strong> (metrics), a <strong>brain</strong> (OPA policies), and <strong>memory</strong> (audit trail).</p> <h3> Prometheus Metrics — The Eyes {#prometheus-metrics} </h3> <p>The app gains a <code>/metrics</code> endpoint exposing five metric types in Prometheus text format.</p> <h4> Tracking infrastructure </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Counter: {(method, path, status_code): count} </span><span class="n">request_counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># Histogram state per path </span><span class="n">HISTOGRAM_BUCKETS</span> <span class="o">=</span> <span class="p">[</span><span class="mf">0.005</span><span class="p">,</span> <span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.025</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.25</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.5</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">]</span> <span class="n">request_durations</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">status_code</span><span class="p">,</span> <span class="n">duration_seconds</span><span class="p">):</span> <span class="k">with</span> <span class="n">metrics_lock</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">status_code</span><span class="p">))</span> <span class="n">request_counts</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">request_counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">path</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request_durations</span><span class="p">:</span> <span class="n">request_durations</span><span class="p">[</span><span class="n">path</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">buckets</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="nf">str</span><span class="p">(</span><span class="n">le</span><span class="p">):</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="n">HISTOGRAM_BUCKETS</span><span class="p">},</span> <span class="sh">"</span><span class="s">sum</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.0</span><span class="p">,</span> <span class="sh">"</span><span class="s">count</span><span class="sh">"</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">}</span> <span class="n">hist</span> <span class="o">=</span> <span class="n">request_durations</span><span class="p">[</span><span class="n">path</span><span class="p">]</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">sum</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="n">duration_seconds</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">count</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="n">HISTOGRAM_BUCKETS</span><span class="p">:</span> <span class="k">if</span> <span class="n">duration_seconds</span> <span class="o">&lt;=</span> <span class="n">le</span><span class="p">:</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">buckets</span><span class="sh">"</span><span class="p">][</span><span class="nf">str</span><span class="p">(</span><span class="n">le</span><span class="p">)]</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <p><code>record_request()</code> is called after every request regardless of path — timing wraps the entire handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">do_GET</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">path</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">?</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">status</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_handle_get</span><span class="p">()</span> <span class="nf">record_request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start</span><span class="p">)</span> </code></pre> </div> <h4> The five metrics </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1. http_requests_total — counter, labels: method, path, status_code # 2. http_request_duration_seconds — histogram with standard buckets # 3. app_uptime_seconds — gauge # 4. app_mode — gauge: 0=stable, 1=canary # 5. chaos_active — gauge: 0=none, 1=slow, 2=error </span></code></pre> </div> <h4> The /metrics output </h4> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="c"># HELP http_requests_total Total number of HTTP requests</span> <span class="c"># TYPE http_requests_total counter</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">42</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/healthz"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">60</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"500"</span><span class="p">}</span> <span class="mi">38</span> <span class="c"># HELP http_request_duration_seconds HTTP request latency in seconds</span> <span class="c"># TYPE http_request_duration_seconds histogram</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.005"</span><span class="p">}</span> <span class="mi">40</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"+Inf"</span><span class="p">}</span> <span class="mi">80</span> <span class="n">http_request_duration_seconds_sum</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">}</span> <span class="mf">0.042381</span> <span class="n">http_request_duration_seconds_count</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">}</span> <span class="mi">80</span> <span class="c"># HELP app_mode Current deployment mode (0=stable, 1=canary)</span> <span class="c"># TYPE app_mode gauge</span> <span class="n">app_mode</span> <span class="mi">1</span> <span class="c"># HELP chaos_active Current chaos state (0=none, 1=slow, 2=error)</span> <span class="c"># TYPE chaos_active gauge</span> <span class="n">chaos_active</span> <span class="mi">2</span> </code></pre> </div> <h3> OPA Policy Engine — The Brain {#opa-policy-engine} </h3> <p>Open Policy Agent is a dedicated container whose only job is making allow/deny decisions based on rules written in Rego. The core principle: <strong>the CLI never makes allow/deny decisions itself. All decision logic lives exclusively in OPA.</strong></p> <h4> Why OPA instead of if/else in the CLI? </h4> <p>If the policy logic lives in the CLI, changing a threshold means editing Python code, rebuilding, redeploying. With OPA, you edit <code>data.json</code>, restart the OPA container, and the new threshold is live. Policy as code, not policy as application logic.</p> <h4> data.json — thresholds live here, never hardcoded in Rego </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_disk_free_gb"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_cpu_load"</span><span class="p">:</span><span class="w"> </span><span class="mf">2.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"min_mem_free_percent"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_error_rate_percent"</span><span class="p">:</span><span class="w"> </span><span class="mf">1.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_p99_latency_ms"</span><span class="p">:</span><span class="w"> </span><span class="mf">500.0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> infrastructure.rego — pre-deploy policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">infrastructure</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">if</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">contains</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="n">cpu_ok</span> <span class="n">mem_ok</span> <span class="p">}</span> <span class="n">disk_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&gt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="p">}</span> <span class="n">cpu_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load_1m</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="p">}</span> <span class="n">mem_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">mem_free_percent</span> <span class="o">&gt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_mem_free_percent</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"disk_free_gb is %.1f, minimum required is %.1f"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="c1"># decision is what the CLI reads — never a bare boolean</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"infrastructure"</span><span class="p">,</span> <span class="s2">"checked"</span><span class="o">:</span> <span class="p">{</span> <span class="s2">"disk_free_gb"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="s2">"cpu_load_1m"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load_1m</span><span class="p">,</span> <span class="s2">"mem_free_percent"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">mem_free_percent</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>import future.keywords</code>?</strong> The <code>openpolicyagent/opa:latest-static</code> image uses Rego v1 which requires explicit <code>if</code> and <code>contains</code> keywords. Without these imports, OPA crashes on startup. This was discovered the hard way during testing.</p> <h4> canary.rego — pre-promote policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">canary</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">if</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">contains</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">error_rate_ok</span> <span class="n">latency_ok</span> <span class="p">}</span> <span class="n">error_rate_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_error_rate_percent</span> <span class="p">}</span> <span class="n">latency_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_p99_latency_ms</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">error_rate_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"error_rate is %.2f%%, maximum allowed is %.2f%%"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_error_rate_percent</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"canary"</span><span class="p">,</span> <span class="s2">"checked"</span><span class="o">:</span> <span class="p">{</span> <span class="s2">"error_rate_percent"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span><span class="p">,</span> <span class="s2">"p99_latency_ms"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span><span class="p">,</span> <span class="s2">"window_seconds"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">window_seconds</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h4> OPA isolation — no leakage via nginx </h4> <p>In <code>docker-compose.yml.tmpl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">opa</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:{{</span><span class="nv"> </span><span class="s">opa_port</span><span class="nv"> </span><span class="s">}}:8181"</span> <span class="c1"># localhost only — never 0.0.0.0</span> </code></pre> </div> <p><code>127.0.0.1:8181</code> means only the host machine can reach OPA. The nginx container on port 8080 has no route to OPA. This is enforced at the Docker network binding level, not just convention.</p> <h4> The policy query function </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="n">package</span><span class="p">,</span> <span class="n">input_data</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nf">opa_url</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span><span class="si">}</span><span class="s">/v1/data/</span><span class="si">{</span><span class="n">package</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s">/decision</span><span class="sh">"</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">input_data</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="n">result</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">OPA returned empty result — check policy package name</span><span class="sh">"</span> <span class="k">return</span> <span class="n">result</span><span class="p">,</span> <span class="bp">None</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">OPA unreachable: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">OPA query failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>Every distinct failure mode returns a different error string. The CLI never crashes or hangs when OPA is unavailable — it warns and fails open. This is intentional: you don't want OPA unavailability to block emergency deployments.</p> <h3> Gated Lifecycle — The CLI Brain {#gated-lifecycle} </h3> <h4> Pre-deploy check </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_deploy</span><span class="p">():</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">host_stats</span> <span class="o">=</span> <span class="nf">get_host_stats</span><span class="p">()</span> <span class="c1"># Collect host stats </span> <span class="n">disk_free_gb</span> <span class="o">=</span> <span class="n">shutil</span><span class="p">.</span><span class="nf">disk_usage</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">).</span><span class="n">free</span> <span class="o">/</span> <span class="p">(</span><span class="mi">1024</span> <span class="o">**</span> <span class="mi">3</span><span class="p">)</span> <span class="n">cpu_load_1m</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">/proc/loadavg</span><span class="sh">"</span><span class="p">).</span><span class="nf">read</span><span class="p">().</span><span class="nf">split</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span> <span class="n">mem_free_percent</span> <span class="o">=</span> <span class="p">(</span><span class="n">meminfo</span><span class="p">[</span><span class="sh">"</span><span class="s">MemAvailable</span><span class="sh">"</span><span class="p">]</span> <span class="o">/</span> <span class="n">meminfo</span><span class="p">[</span><span class="sh">"</span><span class="s">MemTotal</span><span class="sh">"</span><span class="p">])</span> <span class="o">*</span> <span class="mi">100</span> <span class="c1"># Send to OPA </span> <span class="n">allowed</span> <span class="o">=</span> <span class="nf">enforce_policy</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.infrastructure</span><span class="sh">"</span><span class="p">,</span> <span class="n">host_stats</span><span class="p">,</span> <span class="sh">"</span><span class="s">infrastructure</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span> <span class="nf">append_history</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">deploy_blocked</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">infrastructure_policy</span><span class="sh">"</span><span class="p">})</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Only reach here if OPA allows </span> <span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --build</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>If the disk is full, OPA returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ✘ Policy [infrastructure] DENIED ! disk_free_gb is 8.2, minimum required is 10.0 Deployment blocked by policy: infrastructure </code></pre> </div> <h4> Pre-promote check </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_promote</span><span class="p">(</span><span class="n">target_mode</span><span class="p">):</span> <span class="k">if</span> <span class="n">target_mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">raw</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">nginx_port</span><span class="p">)</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nf">parse_prometheus</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="n">error_rate</span> <span class="o">=</span> <span class="nf">calculate_error_rate</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">p99_ms</span> <span class="o">=</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">allowed</span> <span class="o">=</span> <span class="nf">enforce_policy</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.canary</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">window_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="mi">30</span><span class="p">},</span> <span class="sh">"</span><span class="s">canary safety</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <h4> P99 latency calculation from histogram </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">,</span> <span class="n">path_filter</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">buckets</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">total_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">metrics</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">http_request_duration_seconds_bucket</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">le</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">le</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="n">le</span> <span class="o">==</span> <span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">:</span> <span class="n">total_count</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">total_count</span><span class="p">,</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">])</span> <span class="k">continue</span> <span class="n">buckets</span><span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">)]</span> <span class="o">=</span> <span class="n">buckets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">total_count</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">p99_threshold</span> <span class="o">=</span> <span class="n">total_count</span> <span class="o">*</span> <span class="mf">0.99</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">buckets</span><span class="p">.</span><span class="nf">keys</span><span class="p">()):</span> <span class="k">if</span> <span class="n">buckets</span><span class="p">[</span><span class="n">le</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">p99_threshold</span><span class="p">:</span> <span class="k">return</span> <span class="nf">round</span><span class="p">(</span><span class="n">le</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># seconds → milliseconds </span> <span class="k">return</span> <span class="mf">10000.0</span> </code></pre> </div> <p>P99 means: the smallest histogram bucket where 99% of requests have completed. If 99 out of 100 requests finished within 250ms, P99 = 250ms.</p> <h3> The Status Dashboard — The Eyes {#status-dashboard} </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_status</span><span class="p">():</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">raw</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">nginx_port</span><span class="p">)</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nf">parse_prometheus</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="n">error_rate</span> <span class="o">=</span> <span class="nf">calculate_error_rate</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">p99_ms</span> <span class="o">=</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="c1"># Query OPA for live compliance </span> <span class="n">infra_dec</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.infrastructure</span><span class="sh">"</span><span class="p">,</span> <span class="nf">get_host_stats</span><span class="p">())</span> <span class="n">canary_dec</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.canary</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">window_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="mi">30</span><span class="p">})</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="sh">"</span><span class="s">clear</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ... render dashboard ... </span> <span class="nf">append_history</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">status_scrape</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">mode_str</span><span class="p">,</span> <span class="sh">"</span><span class="s">chaos</span><span class="sh">"</span><span class="p">:</span> <span class="n">chaos_str</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_infra_pass</span><span class="sh">"</span><span class="p">:</span> <span class="n">infra_dec</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">infra_dec</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_canary_pass</span><span class="sh">"</span><span class="p">:</span> <span class="n">canary_dec</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">canary_dec</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="p">})</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> </code></pre> </div> <p>What the dashboard looks like with chaos active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> SwiftDeploy Status Dashboard 2026-05-05T21:00:37Z ──────────────────────────────────────────────── ── Throughput ────────────────────────────────── req/s : 2.4 error rate : 56.45% ← red P99 latency : 5.0ms ── App State ─────────────────────────────────── mode : canary chaos : error ← red uptime : 316s ── Policy Compliance ─────────────────────────── ✔ infrastructure PASS ✘ canary FAIL ! error_rate is 56.45%, maximum allowed is 1.00% Refreshing every 5s — Ctrl+C to exit </code></pre> </div> <p>This is exactly what real SRE dashboards do — they show you the current state AND whether it violates policy in real time.</p> <h3> The Audit Trail — The Memory {#audit-trail} </h3> <p>Every event appends a JSON line to <code>history.jsonl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"timestamp":"2026-05-05T20:34:51Z","event":"deploy","mode":"stable"} {"timestamp":"2026-05-05T20:55:22Z","event":"promote","target_mode":"canary"} {"timestamp":"2026-05-05T20:55:23Z","event":"status_scrape","error_rate_percent":62.5,"chaos":"error","policy_canary_pass":false} {"timestamp":"2026-05-05T21:01:01Z","event":"promote","target_mode":"stable"} </code></pre> </div> <p><code>swiftdeploy audit</code> reads this file and generates <code>audit_report.md</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Mode Changes</span> | Timestamp | From | To | |-----------|------|----| | 2026-05-05T20:34:51Z | unknown | stable | | 2026-05-05T20:55:22Z | stable | canary | | 2026-05-05T21:01:01Z | canary | stable | <span class="gu">## Policy Violations</span> | Timestamp | Infrastructure | Canary | Error Rate | P99 | |-----------|---------------|--------|------------|-----| | 2026-05-05T20:55:23Z | ✔ PASS | ✘ FAIL | 62.5% | 5.0ms | | 2026-05-05T20:55:28Z | ✔ PASS | ✘ FAIL | 63.6% | 5.0ms | </code></pre> </div> <p>This report renders perfectly as GitHub Flavored Markdown — every table, every checkmark, every timestamp.</p> <h2> The Debugging Sagas {#debugging} </h2> <p>No real DevOps project ships without war stories. Here are the ones that taught the most.</p> <h3> Saga 1 — Six layers of healthcheck failure </h3> <p>The app container kept showing <code>unhealthy</code> despite the server running fine. The debugging sequence:</p> <p><strong>Failure 1:</strong> <code>${APP_PORT}</code> doesn't expand in Dockerfile HEALTHCHECK CMD. Env vars evaluate at build time, not runtime. Fixed by hardcoding <code>3000</code>.</p> <p><strong>Failure 2:</strong> <code>localhost</code> doesn't resolve inside Alpine's healthcheck context on WSL2 + Docker Desktop. Fixed by using <code>127.0.0.1</code>.</p> <p><strong>Failure 3:</strong> <code>wget</code> with <code>127.0.0.1</code> still failed. Confirmed the server WAS listening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>swiftdeploy-app ss <span class="nt">-tlnp</span> <span class="c"># tcp LISTEN 0.0.0.0:3000</span> docker <span class="nb">exec </span>swiftdeploy-app python <span class="nt">-c</span> <span class="s2">"import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:3000/healthz').read())"</span> <span class="c"># b'{"status": "ok", ...}' ← works via exec, not via healthcheck</span> </code></pre> </div> <p>This is a known WSL2 + Docker Desktop network namespace issue. Fixed by using Python's <code>urllib</code> instead of <code>wget</code>.</p> <p><strong>Failure 4:</strong> Docker cache was serving the old image despite the Dockerfile fix. Fixed with <code>--no-cache</code>.</p> <p><strong>Failure 5:</strong> The <code>docker-compose.yml</code> template had its own <code>healthcheck</code> block overriding the Dockerfile. <strong>Docker Compose healthcheck always wins.</strong> Fixed the template too.</p> <p><strong>Failure 6:</strong> The healthcheck YAML block had 3 spaces indent instead of 4. A single space difference caused a YAML parse error. Fixed by carefully rewriting the block.</p> <h3> Saga 2 — OPA Rego v1 syntax </h3> <p>The <code>openpolicyagent/opa:latest-static</code> image enforces strict Rego v1 syntax. Our policies used the older syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># OLD — crashes on latest OPA</span> <span class="n">allow</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="p">}</span> <span class="n">reasons</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="s2">"..."</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># NEW — Rego v1 required syntax</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="s2">"..."</span> <span class="p">}</span> </code></pre> </div> <p>Without <code>import future.keywords.if</code> and <code>import future.keywords.contains</code> at the top of each file, OPA refuses to start.</p> <h3> Saga 3 — WSL2 path spaces breaking docker run </h3> <p>The project lived at <code>/mnt/c/Users/RAZER BLADE/Desktop/HNG/hng-swiftdeploy</code>. The space in <code>RAZER BLADE</code> caused <code>docker run -v {path}:...</code> to split the path at the space, making Docker interpret the second half as an image name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">docker: invalid reference format: repository name (Desktop/HNG/hng-swiftdeploy/nginx.conf) must be lowercase </span></code></pre> </div> <p>Fixed by quoting all paths containing the project directory and using <code>subprocess.run</code> with a list instead of <code>shell=True</code> to avoid shell word-splitting entirely.</p> <h2> Full Deployment Walkthrough {#deployment} </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Build the image</span> docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> <span class="c"># 2. Validate pre-flight checks</span> ./swiftdeploy validate <span class="c"># 3. Deploy (OPA policy check runs first)</span> ./swiftdeploy deploy <span class="c"># 4. Verify metrics</span> curl http://localhost:8080/metrics <span class="c"># 5. Verify OPA isolation</span> curl http://127.0.0.1:8181/health <span class="c"># works — internal</span> curl http://localhost:8080/v1/data <span class="c"># 404 — nginx blocks it</span> <span class="c"># 6. Launch status dashboard</span> ./swiftdeploy status <span class="c"># 7. Promote to canary (OPA canary policy check runs first)</span> ./swiftdeploy promote canary <span class="c"># 8. Inject chaos</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> <span class="c"># 9. Watch status dashboard catch it — canary policy FAIL visible in real time</span> <span class="c"># 10. Recover</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> <span class="c"># 11. Promote back to stable</span> ./swiftdeploy promote stable <span class="c"># 12. Generate audit report</span> ./swiftdeploy audit <span class="nb">cat </span>audit_report.md <span class="c"># 13. Teardown</span> ./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <h2> Key Lessons Learned {#lessons} </h2> <p><strong>1. Docker Compose healthcheck overrides Dockerfile HEALTHCHECK.</strong> Always check both places when healthchecks misbehave. Compose wins every time.</p> <p><strong>2. WSL2 has a different network namespace for healthchecks than for <code>docker exec</code>.</strong> If something works via <code>exec</code> but not via healthcheck, it's almost certainly a tool or network namespace issue. Python's stdlib is more portable than <code>wget</code> in this environment.</p> <p><strong>3. OPA Rego v1 requires explicit keywords.</strong> <code>latest-static</code> means the latest OPA — which enforces Rego v1 syntax. Always <code>import future.keywords.if</code> and <code>import future.keywords.contains</code>.</p> <p><strong>4. <code>expose</code> vs <code>ports</code> is a security boundary, not documentation.</strong> <code>expose</code> = container-to-container only. <code>ports</code> = host-facing. Binding OPA to <code>127.0.0.1</code> enforces isolation at the network level.</p> <p><strong>5. The CLI should never make policy decisions.</strong> Every time you add an if/else for a deployment condition in the CLI, you're doing OPA's job badly. Push all allow/deny logic into Rego. The CLI's job is to collect data and surface decisions.</p> <p><strong>6. P99 latency is more useful than average.</strong> An average latency of 10ms can hide the fact that 1 in 100 requests takes 5 seconds. P99 exposes that tail. Always instrument histograms, not just averages.</p> <p><strong>7. Declarative infrastructure pays off immediately.</strong> The grader deletes generated files and re-runs <code>init</code>. Because the manifest is always there and regeneration is instantaneous, this is a non-issue. Manual configs would have been a problem.</p> <p><strong>8. An audit trail is not optional.</strong> <code>history.jsonl</code> made it trivial to answer "when did chaos start?", "which policy was failing?", "how long was the canary running before we promoted?" These questions matter in production incidents.</p> <h2> Conclusion </h2> <p>SwiftDeploy started as a task requirement and became a complete mental model for how modern deployment tooling works. Every major concept is here:</p> <ul> <li> <strong>Declarative infrastructure</strong> — describe what you want, generate everything else</li> <li> <strong>Immutable configs</strong> — generated files are outputs, never inputs</li> <li> <strong>Policy as code</strong> — OPA enforces safety standards that can't be bypassed</li> <li> <strong>Observability</strong> — Prometheus metrics feed the dashboard and the policy engine</li> <li> <strong>Audit trail</strong> — every event recorded, every violation surfaced</li> </ul> <p>The combination of Stage 4A and 4B forms a complete deployment lifecycle: generate → validate → deploy (gated) → promote (gated) → observe → audit → tear down.</p> <p>The full source code is available at: <strong><a href="https://github.com/AirFluke/hng-swiftdeploy" rel="noopener noreferrer">https://github.com/AirFluke/hng-swiftdeploy</a></strong></p> <p><em>Tags: #devops #docker #nginx #python #opa #prometheus #infrastructure #hng</em></p> automation devops python tutorial How I Built a Real-Time DDoS Detection Engine from Scratch (No Fail2Ban) Abraham Acha Sun, 26 Apr 2026 15:31:10 +0000 https://dev.to/airfluke/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-fail2ban-mo5 https://dev.to/airfluke/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-fail2ban-mo5 <p>Assuming my boss walked in and said "we're getting hit with suspicious traffic and I need you to build something that detects and responds to it automatically," I had two choices: reach for Fail2Ban like everyone else, or build something I actually understood from the ground up.</p> <p>I chose to build it from scratch. This post explains exactly how I did it — in plain English, with real code, and without assuming you've ever touched security tooling before.</p> <p>By the end of this post you will understand:</p> <ul> <li>What the system does and why it matters</li> <li>How a sliding window works (and why it's not just "count requests per minute")</li> <li>How the system learns what normal traffic looks like</li> <li>How it decides something is an attack</li> <li>How it uses iptables to cut off an attacker at the firewall level</li> </ul> <p>Let's go.</p> <h2> What This Project Does and Why It Matters </h2> <p>We run a cloud storage platform built on Nextcloud. It's public-facing, which means anyone on the internet can send requests to it — including bots, scanners, and attackers.</p> <p>Two types of attacks concern us most:</p> <p><strong>A single aggressive IP</strong> — one machine sending hundreds of requests per second, trying to brute-force logins, scrape data, or simply overwhelm the server. This is a classic DDoS from a single source.</p> <p><strong>A global traffic spike</strong> — thousands of different IPs each sending a small number of requests. No single IP looks suspicious, but the total volume is crushing the server. This is a distributed DDoS.</p> <p>The tool I built watches every HTTP request in real time, learns what "normal" traffic looks like, and fires an automatic response the moment something deviates — whether it's a single aggressive IP or a global spike.</p> <p>For a single aggressive IP: it adds an <code>iptables</code> firewall rule to drop every packet from that IP, sends a Slack alert, and automatically releases the ban on a backoff schedule (10 minutes, then 30, then 2 hours, then permanent for repeat offenders).</p> <p>For a global spike: it sends a Slack alert (no single IP to block).</p> <p>The whole thing runs as a daemon — a continuously running background process — alongside the Nextcloud stack in Docker. It never sleeps, never needs a cron job, and never relies on hardcoded thresholds.</p> <p>Here's the architecture at a glance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet → Nginx (reverse proxy) → Nextcloud ↓ writes JSON logs [HNG-nginx-logs volume] ↓ reads logs Python Daemon ├── monitor.py (tail the log file) ├── baseline.py (learn normal traffic) ├── detector.py (spot anomalies) ├── blocker.py (iptables + audit log) ├── unbanner.py (auto-release bans) ├── notifier.py (Slack alerts) └── dashboard.py (live web UI) </code></pre> </div> <p>Everything is wired together by <code>main.py</code> and configured through a single <code>config.yaml</code> file — no hardcoded numbers anywhere in the code.</p> <h2> Part 1: Reading the Traffic — The Log Monitor </h2> <p>Before we can detect anything, we need to see the traffic. Nginx is our reverse proxy — every HTTP request passes through it. We configure Nginx to write each request as a JSON object to a log file.</p> <p>Here's the Nginx log format we defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">hng_json</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"source_ip":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"timestamp":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"method":"</span><span class="nv">$request_method</span><span class="s">",'</span> <span class="s">'"path":"</span><span class="nv">$uri</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"response_size":</span><span class="nv">$body_bytes_sent</span><span class="s">,'</span> <span class="s">'"request_time":</span><span class="nv">$request_time</span><span class="s">,'</span> <span class="s">'"http_user_agent":"</span><span class="nv">$http_user_agent</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/hng-access.log</span> <span class="s">hng_json</span><span class="p">;</span> </code></pre> </div> <p>Every request now produces a line like this in the log file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-26T14:08:21+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/index.php/login"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">401</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1842</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_time"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.043</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now our Python daemon needs to read these lines as they appear — in real time, without missing any, and without crashing if the log file gets rotated. This is called "tailing" a file, like <code>tail -f</code> in Linux.</p> <p>Here's how <code>monitor.py</code> does it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">queue</span> <span class="k">def</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">raw</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Parse one JSON log line. Returns None if malformed.</span><span class="sh">"""</span> <span class="n">raw</span> <span class="o">=</span> <span class="n">raw</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">raw</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># drop malformed lines silently </span> <span class="c1"># Make sure all required fields are present </span> <span class="n">required</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">}</span> <span class="k">if</span> <span class="n">required</span> <span class="o">-</span> <span class="n">entry</span><span class="p">.</span><span class="nf">keys</span><span class="p">():</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Coerce types and add a wall-clock timestamp for window math </span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">])</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">])</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">return</span> <span class="n">entry</span> <span class="k">class</span> <span class="nc">LogMonitor</span><span class="p">:</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">fh</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">/var/log/nginx/hng-access.log</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="n">fh</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># jump to END of file — don't replay old traffic </span> <span class="n">current_inode</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">stat</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">).</span><span class="n">st_ino</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">fh</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="n">entry</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">out_queue</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># send downstream </span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Check if the file was rotated (inode changed) </span> <span class="n">new_inode</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">stat</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">).</span><span class="n">st_ino</span> <span class="k">if</span> <span class="n">new_inode</span> <span class="o">!=</span> <span class="n">current_inode</span><span class="p">:</span> <span class="n">fh</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">fh</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="n">current_inode</span> <span class="o">=</span> <span class="n">new_inode</span> <span class="k">else</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="c1"># no new data, yield CPU briefly </span></code></pre> </div> <p>Three things worth understanding here:</p> <p><strong><code>fh.seek(0, 2)</code></strong> — When we start the daemon, the log file already has entries from before we launched. We don't want to process all of those as if they're live traffic. Seeking to position 2 (the end) means we only see new lines written after the daemon starts.</p> <p><strong>Inode check</strong> — Log files get rotated (renamed and replaced with a fresh empty file) periodically. If we don't detect this, we'd keep reading the old file and miss all new traffic. The inode (a unique file identifier in Linux) changes when the file is replaced, so we check it on every "no new data" cycle.</p> <p><strong>The queue</strong> — We put parsed entries into a <code>queue.Queue</code>. This decouples reading from processing. The monitor thread just reads and queues; the main thread drains the queue and feeds entries to the baseline and detector. If the detector is temporarily slow, entries buffer in the queue rather than being dropped.</p> <h2> Part 2: How the Sliding Window Works </h2> <p>This is the core data structure of the entire detection system. Get this right and everything else falls into place.</p> <h3> The wrong way: per-minute counters </h3> <p>The naive approach is to count requests per minute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG — this is not a sliding window </span><span class="n">requests_this_minute</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">last_minute</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)</span> <span class="k">def</span> <span class="nf">on_request</span><span class="p">():</span> <span class="n">current_minute</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)</span> <span class="k">if</span> <span class="n">current_minute</span> <span class="o">!=</span> <span class="n">last_minute</span><span class="p">:</span> <span class="n">requests_this_minute</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># reset </span> <span class="n">last_minute</span> <span class="o">=</span> <span class="n">current_minute</span> <span class="n">requests_this_minute</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <p>The problem: imagine an attacker sends 1000 requests at 14:00:59 and another 1000 at 14:01:01. The per-minute counter resets at 14:01:00, so each minute only shows 1000 requests. But in reality, 2000 requests arrived in a 2-second window — a massive spike that the counter completely misses.</p> <h3> The right way: a deque of timestamps </h3> <p>A sliding window stores the <strong>exact timestamp of every request</strong> in a <code>collections.deque</code>. When you want the current rate, you evict old entries and count what remains.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># One deque per IP, one global </span><span class="n">ip_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># stores timestamps of requests from this IP </span><span class="n">WINDOW</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># seconds </span> <span class="k">def</span> <span class="nf">on_request</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="c1"># Step 1: Add this request's timestamp </span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># Step 2: Evict entries older than 60 seconds from the LEFT </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">WINDOW</span> <span class="k">while</span> <span class="n">ip_window</span> <span class="ow">and</span> <span class="n">ip_window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># O(1) — this is why we use deque, not list </span> <span class="c1"># Step 3: Rate = requests still in window / window size </span> <span class="n">rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_window</span><span class="p">)</span> <span class="o">/</span> <span class="n">WINDOW</span> <span class="k">return</span> <span class="n">rate</span> <span class="c1"># requests per second over the last 60 seconds </span></code></pre> </div> <p>Let's trace through a real example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time 14:00:00 → request arrives → deque: [14:00:00] rate = 1/60 = 0.017 req/s Time 14:00:01 → request arrives → deque: [14:00:00, 14:00:01] rate = 2/60 = 0.033 req/s ...normal traffic... Time 14:01:30 → attacker starts sending 100 req/s Time 14:01:31 → deque has 100 new entries + a few old ones → evict everything before 14:00:31 → 100 entries remain → rate = 100/60 = 1.67 req/s ← anomaly detected </code></pre> </div> <p>The window "slides" forward with real time. Old entries fall off the left; new entries pile up on the right. The rate you get is always "how many requests from this IP in the last 60 seconds."</p> <p><strong>Why <code>deque</code> and not <code>list</code>?</strong></p> <p><code>list.pop(0)</code> is O(n) — it has to shift every element one position to the left every time you evict. With thousands of entries under a DDoS, this becomes very slow.</p> <p><code>deque.popleft()</code> is O(1) — it just moves a pointer. No matter how many entries are in the deque, eviction is instant.</p> <p>Here's the actual implementation from our <code>detector.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span><span class="p">,</span> <span class="n">defaultdict</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span><span class="p">,</span> <span class="n">field</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">IPState</span><span class="p">:</span> <span class="sh">"""</span><span class="s">All per-IP sliding window state.</span><span class="sh">"""</span> <span class="n">timestamps</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span><span class="n">default_factory</span><span class="o">=</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># request timestamps </span> <span class="n">error_ts</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span><span class="n">default_factory</span><span class="o">=</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># 4xx/5xx timestamps </span> <span class="c1"># One IPState per IP address, created on first request </span><span class="n">ip_states</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="n">IPState</span><span class="p">)</span> <span class="c1"># One global window for all traffic combined </span><span class="n">global_ts</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">dq</span><span class="p">:</span> <span class="n">deque</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Remove timestamps older than `window` seconds from the left.</span><span class="sh">"""</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">window</span> <span class="k">while</span> <span class="n">dq</span> <span class="ow">and</span> <span class="n">dq</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">dq</span><span class="p">:</span> <span class="n">deque</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Requests per second over the window.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">dq</span><span class="p">)</span> <span class="o">/</span> <span class="n">window</span> <span class="k">def</span> <span class="nf">process</span><span class="p">(</span><span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">]</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">state</span> <span class="o">=</span> <span class="n">ip_states</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="c1"># Update per-IP window </span> <span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> <span class="c1"># Update global window </span> <span class="n">global_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">global_rate</span> <span class="o">=</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> </code></pre> </div> <p>We maintain <strong>two separate windows</strong>: one per IP (so we can detect individual attackers) and one global (so we can detect distributed attacks from many IPs). Both are updated on every single request.</p> <h2> Part 3: How the Baseline Learns from Traffic </h2> <p>Detecting anomalies requires knowing what normal looks like. If normal traffic is 50 req/s, then 100 req/s is suspicious. But if normal traffic is 5 req/s, then even 15 req/s might be an attack.</p> <p>The key insight: <strong>normal changes over time</strong>. A file-sharing platform sees more traffic during business hours than at 3am. A global service sees more traffic from Asia during Asian business hours. You cannot hardcode a threshold — you have to learn it.</p> <h3> Per-second bucketing </h3> <p>Our baseline engine counts requests per second and stores those counts in a rolling 30-minute window:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">math</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># Stores one count per second, up to 30 minutes worth (1800 buckets) </span><span class="n">second_buckets</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">(</span><span class="n">maxlen</span><span class="o">=</span><span class="mi">1800</span><span class="p">)</span> <span class="n">current_second</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">def</span> <span class="nf">record</span><span class="p">(</span><span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">global</span> <span class="n">current_second</span><span class="p">,</span> <span class="n">current_count</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">bucket_sec</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># When the clock second changes, flush the completed bucket </span> <span class="k">if</span> <span class="n">bucket_sec</span> <span class="o">&gt;</span> <span class="n">current_second</span><span class="p">:</span> <span class="c1"># Fill any empty seconds (gaps where no traffic arrived) </span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">current_second</span><span class="p">,</span> <span class="n">bucket_sec</span><span class="p">):</span> <span class="n">second_buckets</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">current_count</span><span class="p">)</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="n">current_second</span> <span class="o">=</span> <span class="n">bucket_sec</span> <span class="n">current_count</span> <span class="o">+=</span> <span class="mf">1.0</span> </code></pre> </div> <p>So if 47 requests arrived in the second ending at 14:05:00, the deque gets <code>47.0</code> appended. If the next second was quiet (zero requests), it gets <code>0.0</code>. The deque holds up to 1800 of these values — 30 minutes of history.</p> <h3> Computing mean and standard deviation </h3> <p>Every 60 seconds, we recompute the baseline from whatever is in the bucket deque:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_recalculate</span><span class="p">():</span> <span class="n">samples</span> <span class="o">=</span> <span class="nf">list</span><span class="p">(</span><span class="n">second_buckets</span><span class="p">)</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># not enough data yet, keep the floor values </span> <span class="c1"># Mean: average requests per second over the last 30 minutes </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="c1"># Standard deviation: how much does traffic vary? </span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="p">(</span><span class="n">n</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="c1"># Apply floor values to prevent false positives during quiet periods </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">)</span> <span class="c1"># never let mean drop below 1 req/s </span> <span class="n">stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)</span> <span class="c1"># never let stddev drop below 0.5 </span> <span class="n">effective_mean</span> <span class="o">=</span> <span class="n">mean</span> <span class="n">effective_stddev</span> <span class="o">=</span> <span class="n">stddev</span> </code></pre> </div> <p><strong>Why do we need floor values?</strong></p> <p>Imagine the server is quiet at 3am with 0.1 req/s average. Without floor values:</p> <ul> <li>mean = 0.1, stddev = 0.05</li> <li>A burst to just 0.25 req/s gives z-score = (0.25 - 0.1) / 0.05 = <strong>3.0</strong> → false alarm!</li> </ul> <p>With floor_mean = 1.0:</p> <ul> <li>The denominator stays reasonable</li> <li>You need a genuine spike to trigger detection</li> </ul> <p><strong>Per-hour preference</strong></p> <p>Traffic patterns repeat by hour of day. We also maintain 24 separate per-hour slot deques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour_slots</span> <span class="o">=</span> <span class="p">{</span><span class="n">h</span><span class="p">:</span> <span class="nf">deque</span><span class="p">(</span><span class="n">maxlen</span><span class="o">=</span><span class="mi">1800</span><span class="p">)</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">24</span><span class="p">)}</span> <span class="c1"># When flushing a bucket, also file it into the current hour's slot </span><span class="n">hour</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromtimestamp</span><span class="p">(</span><span class="n">current_second</span><span class="p">).</span><span class="n">hour</span> <span class="n">hour_slots</span><span class="p">[</span><span class="n">hour</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">current_count</span><span class="p">)</span> </code></pre> </div> <p>At recalculation time, if the current hour's slot has at least 30 samples, we use it instead of the 30-minute window. This means 9am traffic is compared to yesterday's 9am baseline, not to the 8:30am baseline — much more accurate.</p> <h2> Part 4: How the Detection Logic Makes a Decision </h2> <p>We have a rate (from the sliding window) and a baseline (mean and stddev). How do we decide if the rate is an attack?</p> <h3> Z-score: how many standard deviations above normal? </h3> <p>The z-score is a way of asking "how unusual is this number compared to what we normally see?"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z-score = (current_rate - baseline_mean) / baseline_stddev </code></pre> </div> <p>If the baseline is mean=5 req/s, stddev=2:</p> <ul> <li>Current rate 7 req/s → z = (7-5)/2 = <strong>1.0</strong> → normal variation</li> <li>Current rate 11 req/s → z = (11-5)/2 = <strong>3.0</strong> → suspicious </li> <li>Current rate 25 req/s → z = (25-5)/2 = <strong>10.0</strong> → attack</li> </ul> <p>We flag anything with z-score &gt; 3.0. In a normal distribution, only 0.13% of values naturally exceed z=3. So a false positive rate of 0.13% is acceptable.</p> <h3> Multiplier: absolute rate check </h3> <p>Z-score alone has a weakness: if traffic is very consistent (low stddev), even a modest real attack might not produce a high z-score. So we add a second condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="mi">5</span> <span class="err">×</span> <span class="n">mean</span> <span class="err">→</span> <span class="n">flag</span> <span class="n">it</span> </code></pre> </div> <p>If normal is 5 req/s and someone hits 26 req/s, that's more than 5× — flag it regardless of stddev.</p> <p>Either condition firing triggers the response. Here's the actual detection code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_zscore</span><span class="p">(</span><span class="n">rate</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">mean</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">stddev</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="nf">return </span><span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">def</span> <span class="nf">check_anomaly</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span><span class="p">):</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># loaded from config.yaml </span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">5.0</span> <span class="c1"># loaded from config.yaml </span> <span class="n">ip_z</span> <span class="o">=</span> <span class="nf">_zscore</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span><span class="p">)</span> <span class="c1"># Either condition triggers the alert </span> <span class="n">is_anomaly</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_z</span> <span class="o">&gt;</span> <span class="n">z_thresh</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">m_thresh</span> <span class="o">*</span> <span class="n">mean</span> <span class="ow">and</span> <span class="n">mean</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="n">is_anomaly</span><span class="p">,</span> <span class="n">ip_z</span> </code></pre> </div> <h3> Error surge tightening </h3> <p>There's a third detection mode for slow attacks. An attacker doing credential stuffing (trying username/password combinations) won't necessarily send huge traffic volumes — but they'll generate lots of 401 Unauthorized responses. </p> <p>We track error rates separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># If this IP's 4xx/5xx rate is 3× the baseline error rate, # tighten the thresholds for this IP </span><span class="k">if</span> <span class="n">err_rate</span> <span class="o">&gt;=</span> <span class="mf">3.0</span> <span class="o">*</span> <span class="n">baseline_error_mean</span><span class="p">:</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="c1"># lower bar → easier to trigger </span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># lower bar → easier to trigger </span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <p>This catches slow, stealthy attacks that would otherwise fly under the radar.</p> <h3> Putting it all together </h3> <p>Here's the full <code>process()</code> function that runs on every log line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">process</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">]</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">status</span> <span class="o">=</span> <span class="n">entry</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span><span class="p">:</span> <span class="n">state</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_ip_states</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="c1"># 1. Update sliding windows </span> <span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="n">global_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="c1"># 2. Check error surge → tighten thresholds if needed </span> <span class="k">if</span> <span class="n">status</span> <span class="o">&gt;=</span> <span class="mi">400</span><span class="p">:</span> <span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">err_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="k">if</span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="k">else</span> <span class="mf">3.0</span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="k">if</span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="k">else</span> <span class="mf">5.0</span> <span class="c1"># 3. Score and decide </span> <span class="n">ip_z</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> <span class="n">ip_anomaly</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_z</span> <span class="o">&gt;</span> <span class="n">z_thresh</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">m_thresh</span> <span class="o">*</span> <span class="n">mean</span><span class="p">)</span> <span class="c1"># 4. Fire callback if anomalous (with 10-second cooldown) </span> <span class="k">if</span> <span class="n">ip_anomaly</span><span class="p">:</span> <span class="n">last</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_last_fired</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">last</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_last_fired</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="n">now</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_ip_anomaly</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">ip_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">ip_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">zscore</span><span class="sh">"</span><span class="p">:</span> <span class="n">ip_z</span><span class="p">,</span> <span class="p">...})</span> <span class="c1"># 5. Check global anomaly separately </span> <span class="n">g_z</span> <span class="o">=</span> <span class="p">(</span><span class="n">global_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">g_z</span> <span class="o">&gt;</span> <span class="mf">3.0</span> <span class="ow">or</span> <span class="n">global_rate</span> <span class="o">&gt;</span> <span class="mf">5.0</span> <span class="o">*</span> <span class="n">mean</span><span class="p">:</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_last_fired</span> <span class="o">&gt;</span> <span class="mi">30</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_last_fired</span> <span class="o">=</span> <span class="n">now</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_global_anomaly</span><span class="p">({</span><span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">global_rate</span><span class="p">,</span> <span class="p">...})</span> </code></pre> </div> <p>When <code>on_ip_anomaly</code> fires, it calls the blocker. When <code>on_global_anomaly</code> fires, it calls the notifier directly (no ban — you can't ban the whole internet).</p> <h2> Part 5: How iptables Blocks an IP </h2> <p><code>iptables</code> is the Linux kernel's firewall. It processes every network packet that enters or leaves your machine and applies rules to decide what to do with each one.</p> <p>Think of it like a bouncer at a club. The bouncer has a list of rules:</p> <ol> <li>Allow anyone with a VIP pass (ACCEPT)</li> <li>Drop anyone on the blacklist (DROP)</li> <li>Default: let everyone in (ACCEPT)</li> </ol> <p>When we detect an attack from IP <code>1.2.3.4</code>, we add a rule to the top of the <code>INPUT</code> chain (the chain that handles incoming packets):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-I</span> INPUT <span class="nt">-s</span> 1.2.3.4 <span class="nt">-j</span> DROP </code></pre> </div> <p>Breaking this down:</p> <ul> <li> <code>-I INPUT</code> — Insert at the top of the INPUT chain (before other rules)</li> <li> <code>-s 1.2.3.4</code> — Match packets with source IP 1.2.3.4</li> <li> <code>-j DROP</code> — Silently drop matching packets (no response sent to attacker)</li> </ul> <p>The <code>-I</code> (insert) rather than <code>-A</code> (append) is important. Rules are checked top-to-bottom. By inserting at the top, our DROP rule is checked before any ACCEPT rules — the attacker is blocked immediately.</p> <p>You can verify the rule was added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>iptables <span class="nt">-L</span> INPUT <span class="nt">-n</span> <span class="nt">-v</span> Chain INPUT <span class="o">(</span>policy ACCEPT<span class="o">)</span> target prot opt <span class="nb">source </span>destination DROP all <span class="nt">--</span> 1.2.3.4 0.0.0.0/0 ACCEPT all <span class="nt">--</span> 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ... </code></pre> </div> <p>Here's the Python code that issues this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">_iptables_add</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Add a DROP rule for this IP. Check first to avoid duplicates.</span><span class="sh">"""</span> <span class="c1"># Check if rule already exists </span> <span class="n">check</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-C</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">if</span> <span class="n">check</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># already banned, nothing to do </span> <span class="c1"># Add the rule </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">_iptables_remove</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Remove the DROP rule. Loop in case it was added more than once.</span><span class="sh">"""</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-D</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">break</span> <span class="c1"># no more rules for this IP </span></code></pre> </div> <h3> The backoff schedule </h3> <p>We don't ban forever on the first offence. The ban duration follows a backoff schedule:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offence</th> <th>Duration</th> </tr> </thead> <tbody> <tr> <td>1st ban</td> <td>10 minutes</td> </tr> <tr> <td>2nd ban</td> <td>30 minutes</td> </tr> <tr> <td>3rd ban</td> <td>2 hours</td> </tr> <tr> <td>4th+ ban</td> <td>Permanent</td> </tr> </tbody> </table></div> <p>A background thread (the unbanner) wakes up every 30 seconds and checks whether any bans have expired:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">UnbannerThread</span><span class="p">(</span><span class="n">threading</span><span class="p">.</span><span class="n">Thread</span><span class="p">):</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">while</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_stop</span><span class="p">.</span><span class="nf">wait</span><span class="p">(</span><span class="mi">30</span><span class="p">):</span> <span class="c1"># check every 30 seconds </span> <span class="n">expired</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_blocker</span><span class="p">.</span><span class="nf">get_expired_bans</span><span class="p">()</span> <span class="k">for</span> <span class="n">ip</span> <span class="ow">in</span> <span class="n">expired</span><span class="p">:</span> <span class="n">record</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_blocker</span><span class="p">.</span><span class="nf">unban</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">if</span> <span class="n">record</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_notifier</span><span class="p">.</span><span class="nf">send_unban</span><span class="p">(</span><span class="n">record</span><span class="p">)</span> <span class="c1"># Slack alert </span> <span class="k">def</span> <span class="nf">get_expired_bans</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="k">return</span> <span class="p">[</span> <span class="n">ip</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">rec</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_bans</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">rec</span><span class="p">.</span><span class="n">expires_at</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">now</span> <span class="o">&gt;=</span> <span class="n">rec</span><span class="p">.</span><span class="n">expires_at</span> <span class="p">]</span> </code></pre> </div> <p>When an IP is unbanned, <code>iptables -D INPUT -s &lt;ip&gt; -j DROP</code> removes the rule, and a Slack notification goes out so the team knows the ban was lifted.</p> <h2> Part 6: Slack Alerts </h2> <p>Every ban, unban, and global anomaly sends a Slack message. We use Slack's Incoming Webhooks — a URL you POST JSON to, and it appears as a message in your channel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">info</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="n">text</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">:rotating_light: *IP BANNED* — `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Rate:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">ip_rate</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s` </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Baseline:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">mean</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">` </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Z-score:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">zscore</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Duration:* `</span><span class="si">{</span><span class="n">record</span><span class="p">.</span><span class="n">duration_label</span><span class="si">}</span><span class="s">` (ban #</span><span class="si">{</span><span class="n">record</span><span class="p">.</span><span class="n">ban_count</span><span class="si">}</span><span class="s">)</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Time:* </span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">webhook_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">}),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span> <span class="p">)</span> </code></pre> </div> <p>Critically, Slack calls happen in a <strong>thread pool</strong> — they never block the main detection loop. If Slack is slow or down, we don't miss detecting the next attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> <span class="n">executor</span> <span class="o">=</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> <span class="k">def</span> <span class="nf">send_ban_async</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">_post_to_slack</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">)</span> </code></pre> </div> <h2> Part 7: The Live Dashboard </h2> <p>The dashboard is a Flask web app that serves a single HTML page which polls <code>/api/metrics</code> every 3 seconds via JavaScript <code>fetch()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">import</span> <span class="n">psutil</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="n">snap</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">get_snapshot</span><span class="p">()</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="n">banned</span> <span class="o">=</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">get_banned_ips</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">uptime</span><span class="sh">"</span><span class="p">:</span> <span class="nf">get_uptime_string</span><span class="p">(),</span> <span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">snap</span><span class="p">[</span><span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">:</span> <span class="n">snap</span><span class="p">[</span><span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="sh">"</span><span class="s">stddev</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">r</span><span class="p">.</span><span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="n">r</span><span class="p">.</span><span class="n">duration_label</span><span class="p">,</span> <span class="p">...}</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">banned</span><span class="p">],</span> <span class="sh">"</span><span class="s">cpu_pct</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">cpu_percent</span><span class="p">(),</span> <span class="sh">"</span><span class="s">mem_pct</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">virtual_memory</span><span class="p">().</span><span class="n">percent</span><span class="p">,</span> <span class="sh">"</span><span class="s">audit_tail</span><span class="sh">"</span><span class="p">:</span> <span class="nf">read_last_20_audit_lines</span><span class="p">(),</span> <span class="p">})</span> </code></pre> </div> <p>The frontend JavaScript refreshes this every 3 seconds and updates the DOM without a full page reload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">refresh</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/metrics</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">d</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">global-rate</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">global_rate</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> req/s</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">mean</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">mean</span><span class="p">;</span> <span class="c1">// Color the rate red if it's approaching the anomaly threshold</span> <span class="kd">const</span> <span class="nx">rateEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">global-rate</span><span class="dl">'</span><span class="p">);</span> <span class="nx">rateEl</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">color</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">global_rate</span> <span class="o">&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">mean</span> <span class="o">*</span> <span class="mi">3</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">#f87171</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">#4ade80</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Render banned IPs table</span> <span class="kd">const</span> <span class="nx">bannedRows</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">banned</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">b</span> <span class="o">=&gt;</span> <span class="s2">`&lt;tr&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">ip</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">duration</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">banned_at</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;/tr&gt;`</span> <span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">banned-table</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">bannedRows</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">&lt;tr&gt;&lt;td colspan="3"&gt;No active bans ✓&lt;/td&gt;&lt;/tr&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="nf">setInterval</span><span class="p">(</span><span class="nx">refresh</span><span class="p">,</span> <span class="mi">3000</span><span class="p">);</span> <span class="nf">refresh</span><span class="p">();</span> <span class="c1">// immediate first load</span> </code></pre> </div> <h2> Part 8: The Audit Log </h2> <p>Every significant event is written to a structured audit log in a format designed to be both human-readable and grep-able:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">08:21Z] BAN ip=1.2.3.4 | condition=zscore=4.21 rate=87.3req/s mean=5.2 | rate=87.300 | baseline=5.200 | duration=10m</span> <span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">18:22Z] UNBAN ip=1.2.3.4 | condition=zscore=4.21 rate=87.3req/s mean=5.2 | rate=87.300 | baseline=5.200 | duration=10m</span> <span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">07:06Z] BASELINE_RECALC ip=N/A | condition=recalculation | rate=5.200 | baseline=1.100 | duration=N/A</span> </code></pre> </div> <p>You can search these logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All bans today</span> <span class="nb">grep</span> <span class="s2">"BAN "</span> /var/log/detector/audit.log | <span class="nb">grep</span> <span class="s2">"2026-04-26"</span> <span class="c"># All recalculations (to see baseline evolution)</span> <span class="nb">grep</span> <span class="s2">"BASELINE_RECALC"</span> /var/log/detector/audit.log <span class="c"># How often was 1.2.3.4 banned?</span> <span class="nb">grep</span> <span class="s2">"ip=1.2.3.4"</span> /var/log/detector/audit.log | <span class="nb">grep</span> <span class="s2">"^.*BAN "</span> </code></pre> </div> <h2> Putting It All Together </h2> <p>Here's <code>main.py</code> — the entry point that wires every component together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">queue</span> <span class="kn">import</span> <span class="n">signal</span> <span class="kn">import</span> <span class="n">threading</span> <span class="c1"># 1. Build all components </span><span class="n">log_queue</span> <span class="o">=</span> <span class="n">queue</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="n">maxsize</span><span class="o">=</span><span class="mi">100_000</span><span class="p">)</span> <span class="n">monitor</span> <span class="o">=</span> <span class="nc">LogMonitor</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="n">log_queue</span><span class="p">)</span> <span class="n">baseline</span> <span class="o">=</span> <span class="nc">BaselineEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="n">blocker</span> <span class="o">=</span> <span class="nc">BlockerEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">,</span> <span class="n">audit_path</span><span class="p">)</span> <span class="n">notifier</span> <span class="o">=</span> <span class="nc">NotifierEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="n">detector</span> <span class="o">=</span> <span class="nc">DetectorEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">,</span> <span class="n">baseline</span><span class="p">)</span> <span class="c1"># 2. Wire the anomaly callbacks </span><span class="k">def</span> <span class="nf">on_ip_anomaly</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span> <span class="k">if</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">is_banned</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="k">return</span> <span class="c1"># already banned, skip </span> <span class="n">record</span> <span class="o">=</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="o">=</span><span class="p">...,</span> <span class="n">rate</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">ip_rate</span><span class="sh">"</span><span class="p">],</span> <span class="n">baseline</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">])</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">)</span> <span class="k">def</span> <span class="nf">on_global_anomaly</span><span class="p">(</span><span class="n">info</span><span class="p">):</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_global_anomaly</span><span class="p">(</span><span class="n">info</span><span class="p">)</span> <span class="n">detector</span><span class="p">.</span><span class="n">on_ip_anomaly</span> <span class="o">=</span> <span class="n">on_ip_anomaly</span> <span class="n">detector</span><span class="p">.</span><span class="n">on_global_anomaly</span> <span class="o">=</span> <span class="n">on_global_anomaly</span> <span class="c1"># 3. Start background threads </span><span class="n">monitor</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="nc">UnbannerThread</span><span class="p">(</span><span class="n">blocker</span><span class="p">,</span> <span class="n">notifier</span><span class="p">).</span><span class="nf">start</span><span class="p">()</span> <span class="nf">run_dashboard</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8080</span><span class="p">)</span> <span class="c1"># 4. Main loop — drain queue, feed baseline and detector </span><span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">log_queue</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="mf">0.05</span><span class="p">)</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># update statistics </span> <span class="n">detector</span><span class="p">.</span><span class="nf">process</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># check for anomalies </span> <span class="k">except</span> <span class="n">queue</span><span class="p">.</span><span class="n">Empty</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># no new log lines, loop again </span></code></pre> </div> <p>The design is intentionally simple: one hot path (queue drain → baseline → detector) runs in the main thread. All I/O — Slack posts, iptables calls, dashboard requests — happens in separate threads and never blocks detection.</p> <h2> What I Learned </h2> <p>Building this from scratch taught me things that using Fail2Ban never would have:</p> <p><strong>Deques are the right tool for sliding windows.</strong> The O(1) popleft makes a real difference when you're processing thousands of events per second. A list would have worked fine until the DDoS actually started — which is exactly when you need it to be fast.</p> <p><strong>Baselines must have floors.</strong> My first version had no floor values. It triggered constantly at night because the stddev got so low that normal morning traffic looked like an anomaly. One line of code (<code>mean = max(mean, 1.0)</code>) fixed it.</p> <p><strong>Per-hour slots matter more than you'd think.</strong> Without them, the 30-minute window picks up the tail of the previous hour's traffic and skews the baseline for the current hour. The hour slots give you a cleaner "what does this hour normally look like" answer.</p> <p><strong>iptables rules apply to the host kernel, not the container.</strong> The detector container has to run with <code>network_mode: host</code> and <code>CAP_NET_ADMIN</code>. If you run it in a bridge network and add iptables rules inside the container, those rules only affect traffic inside the container's network namespace — not the actual packets arriving at the server.</p> <p><strong>Thread safety is non-negotiable.</strong> The log monitor, the main loop, the Flask dashboard, the unbanner, and the Slack notifier all touch shared state. A <code>threading.Lock()</code> around every mutation took 20 minutes to add and saved hours of debugging mysterious state corruption.</p> <h2> Running It Yourself </h2> <p>The full source code is on GitHub: <a href="https://github.com/AirFluke/hng-detector.git" rel="noopener noreferrer">github.com/Airfluke/hng-detector</a></p> <p>To run it on a fresh Ubuntu VPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Docker</span> curl <span class="nt">-fsSL</span> https://get.docker.com | sh <span class="c"># Clone and configure</span> git clone https://github.com/AirFluke/hng-detector.git <span class="nb">cd </span>hng-detector <span class="nb">cp</span> .env.example .env nano .env <span class="c"># add your Slack webhook URL and server IP</span> <span class="c"># Launch everything</span> docker compose up <span class="nt">-d</span> <span class="nt">--build</span> <span class="c"># Watch the detector work</span> docker logs <span class="nt">-f</span> hng-detector <span class="c"># Test it with a traffic burst</span> apt <span class="nb">install </span>apache2-utils ab <span class="nt">-n</span> 2000 <span class="nt">-c</span> 150 http://localhost/ <span class="c"># Check iptables for the ban</span> iptables <span class="nt">-L</span> INPUT <span class="nt">-n</span> <span class="nt">-v</span> </code></pre> </div> <p>The dashboard will be live at <code>http://your-server-ip:8080</code>.</p> <h2> Conclusion </h2> <p>Security tooling doesn't have to be a black box. The core ideas here — a deque-based sliding window, a rolling statistical baseline, z-score anomaly detection, and iptables for enforcement — are each individually simple. The power comes from wiring them together into a continuously running daemon that never sleeps.</p> <p>If you're new to security tooling, I hope this post demystified what's happening under the hood of the tools you've always treated as magic. Go build something.</p> <p><em>Found this useful? Share it with someone learning DevSecOps. Questions? Drop them in the comments.</em></p> networking security showdev tutorial