Series MapLesson 110 / 112
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

Production Operations and Incident Response

Runbook, alert triage, SLO/SLA, error budget, incident severity, timeline, RCA, corrective action, rollback playbook, customer impact assessment, and post-incident backlog for Java/JAX-RS enterprise systems

6 min read1194 words
PrevNext
Lesson 110112 lesson track93–112 Final Stretch
#production-operations#incident-response#runbook#alert-triage+6 more

Part 110 — Production Operations and Incident Response

Fokus part ini: memahami bagaimana senior engineer mengoperasikan Java/JAX-RS enterprise service di production: runbook, alert triage, SLO/SLA, error budget, incident severity, timeline, RCA, corrective/preventive action, rollback playbook, customer impact assessment, dan post-incident backlog.

Catatan penting:

This part does not assume CSG's internal incident process, severity model,
SLO/SLA definitions, on-call rotation, customer communication process,
rollback mechanism, observability stack, ticketing system, or RCA template.

All operational process details must be verified internally.

Core idea:

Production ownership is not only writing correct code.
Production ownership means the team can detect, triage, mitigate, explain,
repair, and prevent failures under real customer pressure.

Senior engineer asks:

How do we know the service is unhealthy?
Who gets paged?
What is the customer impact?
What is the fastest safe mitigation?
What evidence do we have?
What changed recently?
What should we roll back, disable, shed, or degrade?
How do we prevent recurrence without blaming individuals?

1. Production Operations Mental Model

A production service has two lifecycles:

1. Software lifecycle
   code -> review -> build -> test -> deploy -> operate -> change again

2. Incident lifecycle
   signal -> triage -> declare -> mitigate -> recover -> analyze -> improve

Incident response begins before the incident. It depends on:

  • clear service ownership
  • useful alerts
  • reliable runbooks
  • dashboards that answer real questions
  • rollback capability
  • safe feature flags/kill switches
  • dependency map
  • SLO/SLA definitions
  • escalation path
  • post-incident learning loop

Production anti-pattern:

"We will figure it out when it happens."

Production-grade posture:

"We know the likely failure modes, we know what signals detect them,
we know how to mitigate them, and we continuously improve after incidents."

2. Service Ownership Model

Every production service needs explicit ownership.

Ownership includes:

[ ] Source code ownership
[ ] Runtime ownership
[ ] Alert ownership
[ ] Dashboard ownership
[ ] Runbook ownership
[ ] Deployment ownership
[ ] Data ownership
[ ] Dependency ownership
[ ] Customer impact ownership
[ ] Post-incident action ownership

For a JAX-RS service, ownership boundaries include:

flowchart TD API[JAX-RS API] DB[PostgreSQL] Kafka[Kafka/RabbitMQ] Cache[Redis] Cloud[Cloud SDK / Storage / Secrets] K8s[Kubernetes] Gateway[Gateway / APIM / Ingress] Obs[Observability] Team[Owning Team] Team --> API Team --> DB Team --> Kafka Team --> Cache Team --> Cloud Team --> K8s Team --> Gateway Team --> Obs

A senior engineer does not need to personally own every platform. But they must know:

Who owns it?
How do we escalate?
What evidence do they need?
What is the dependency contract?
What is our mitigation while waiting?

3. SLO, SLA, and Error Budget

Definitions:

SLI: Service Level Indicator
A measurement of service behavior.
Example: successful request ratio, p95 latency, message processing lag.

SLO: Service Level Objective
Target level for an SLI over a time window.
Example: 99.9% of quote creation requests succeed over 30 days.

SLA: Service Level Agreement
External/customer/legal commitment, often with business consequences.

Error budget:
The allowed unreliability within an SLO window.

Example:

SLO: 99.9% successful quote submission over 30 days.
Error budget: 0.1% failed quote submissions.

Important:

An SLA is not the same as an SLO.
An SLO should guide engineering decisions.
An SLA may guide customer/legal obligations.

Useful JAX-RS service SLIs:

AreaExample SLI
API availabilitypercentage of non-5xx responses for eligible requests
API latencyp95/p99 latency by endpoint class
validation qualityvalidation failure ratio after release
DB healthquery latency, lock wait, connection pool saturation
messagingconsumer lag, DLQ rate, processing success ratio
cachehit ratio, Redis latency, timeout rate
rolloutdeployment success, rollback frequency
jobsjob success ratio, reconciliation backlog

Do not define SLO only on infrastructure uptime. Users experience business operations, not pods.


4. Alert Design and Triage

Good alerts are actionable.

Bad alert:

CPU > 80%

Better alert:

Quote creation p95 latency > SLO threshold for 10 minutes
and successful request ratio below target.

Alert should answer:

What is broken?
Who is affected?
How urgent is it?
What is the first runbook?
What dashboard should I open?
What changed recently?

Alert categories:

CategoryExample
symptom alertcustomer-facing API availability/latency
cause alertDB pool saturation, Kafka lag, Redis timeout
burn-rate alerterror budget burning too fast
deployment alertrollout stuck, crash loop, image pull failure
data correctness alertreconciliation drift, duplicate processing, stuck saga
observability alerttelemetry ingestion failing

Triage principle:

Start with customer-facing symptoms.
Use cause alerts to explain and mitigate.
Do not page humans for non-actionable noise.

5. Incident Severity Model

Every organization may use different labels. Verify internal process.

Generic severity model:

SeverityMeaningExample
SEV1critical customer/business impactquote/order submission globally unavailable
SEV2major partial impactsubset of tenants cannot submit orders
SEV3degraded servicelatency high, workaround exists
SEV4low impactnon-critical job delayed

Severity should consider:

customer impact
revenue/business impact
data correctness risk
security/compliance risk
duration
blast radius
availability of workaround
regulatory/reporting obligations

Do not under-classify incidents because the system is technically "up".

Example:

API returns 200 but writes incorrect pricing data.
This may be more severe than a clean 500 failure.

6. Incident Lifecycle

Incident lifecycle:

flowchart TD Detect[Detect Signal] Triage[Triage] Declare[Declare Incident] Stabilize[Stabilize / Mitigate] Recover[Recover Service] Validate[Validate Customer Impact] Communicate[Communicate Status] RCA[RCA / Postmortem] Actions[Corrective and Preventive Actions] Detect --> Triage --> Declare --> Stabilize --> Recover --> Validate --> Communicate --> RCA --> Actions

The important distinction:

Mitigation is not root cause fix.
Recovery is not prevention.
RCA is not complete until actions are owned and tracked.

Incident roles may include:

  • incident commander
  • technical lead
  • communications lead
  • scribe/timeline owner
  • customer/support liaison
  • platform escalation owner
  • subject matter expert

In small teams one person may hold multiple roles, but the responsibilities still exist.


7. First 15 Minutes of an Incident

The first minutes should reduce confusion.

Checklist:

[ ] Confirm signal is real.
[ ] Identify affected service/tenant/region/environment.
[ ] Check customer-facing symptoms first.
[ ] Declare incident if threshold is met.
[ ] Open incident channel/bridge if internal process requires it.
[ ] Assign incident commander and scribe.
[ ] Freeze unrelated deploys if needed.
[ ] Identify recent changes.
[ ] Open primary dashboard and logs.
[ ] Decide first mitigation path.
[ ] Communicate initial status.

Avoid:

[ ] Everyone debugging silently.
[ ] Multiple people applying fixes without coordination.
[ ] Jumping to root cause before confirming impact.
[ ] Restarting everything without evidence.
[ ] Hiding uncertainty.

Good incident statement:

We are seeing elevated 5xx and p95 latency on quote submission in production
starting at 10:42 UTC. Impact appears limited to tenant group A based on current
dashboards. We are checking recent deployment and DB connection pool saturation.
Next update in the incident channel after mitigation decision.

8. Alert Triage Decision Tree

flowchart TD Alert[Alert fires] CustomerImpact{Customer impact?} DeployChange{Recent deploy/config change?} Dependency{Dependency degraded?} DataRisk{Data correctness risk?} Mitigate[Mitigate] Rollback[Rollback / Disable flag] Escalate[Escalate dependency/platform] Investigate[Continue investigation] Alert --> CustomerImpact CustomerImpact -->|Yes| DataRisk CustomerImpact -->|No| Investigate DataRisk -->|Yes| Mitigate DataRisk -->|No| DeployChange DeployChange -->|Yes| Rollback DeployChange -->|No| Dependency Dependency -->|Yes| Escalate Dependency -->|No| Investigate

Triage questions by signal:

API 5xx spike

Which endpoint?
Which status codes?
Which exception classes?
Which tenants?
Was there a deployment/config change?
Is DB/cache/downstream dependency failing?

Latency spike

Is latency server-side, gateway-side, or client-side?
Is thread pool saturated?
Is DB query slow?
Is connection pool saturated?
Is downstream call timing out?
Is CPU throttled?

Kafka lag

Which consumer group?
Which partitions?
Did consumer crash or slow down?
Is a poison message blocking progress?
Is downstream dependency slow?
Was partition count or assignment changed?

DB lock/deadlock

Which query/table?
Which transaction is blocking?
Was a migration deployed?
Is a batch job running?
Is isolation level changed?

OOMKilled / CrashLoopBackOff

Was memory limit changed?
Did traffic increase?
Is there large payload or buffering?
Did GC behavior change?
Is native memory/thread count high?

9. Runbook Structure

A useful runbook is precise and executable under stress.

Recommended structure:

1. Purpose
2. Symptoms covered
3. Severity criteria
4. Dashboards
5. Logs and queries
6. First checks
7. Mitigation options
8. Rollback options
9. Escalation path
10. Validation steps
11. Customer impact notes
12. Known false positives
13. Post-incident follow-up

Example runbook skeleton:

# Runbook: Quote Submission 5xx Spike

## Symptoms
- 5xx ratio above threshold for quote submission endpoint
- error budget burn alert

## First checks
- Dashboard: API availability by endpoint
- Logs: error_code, exception_class, tenant, correlation_id
- Deployment: last release/config change
- Dependencies: DB pool, Redis, Kafka, downstream pricing service

## Mitigation
- Disable feature flag <flag-name> if new path is involved
- Roll back deployment <deployment-name> if release correlated
- Shed low-priority traffic if saturation is confirmed
- Escalate DB/platform if dependency-level outage

## Validation
- 5xx returns to baseline
- p95 latency returns to target
- customer support confirms no new reports
- reconciliation job shows no data drift

Runbooks should be versioned like code. Stale runbooks create false confidence.


10. Rollback, Roll-Forward, and Kill Switch

Mitigation choices:

OptionUse whenRisk
rollback deploymentbad code release likelyincompatible DB/event/config change may block rollback
roll-forward fixroot cause understood and small fix safeslow if build/test/release pipeline long
disable feature flagflagged behavior caused issueflag may not cover all side effects
activate kill switchstop harmful integration/job/path quicklybusiness capability degraded
scale outcapacity issue and dependency can handle itmay amplify downstream overload
load shedoverload threatens core pathsome users/requests intentionally rejected
pause consumer/jobprocessing causes harmbacklog grows

Rollback is not always safe.

Dangerous rollback cases:

DB schema was contracted.
Event schema changed incompatibly.
New version wrote data old version cannot read.
Feature flag only controls read path, not write side effect.
External dependency contract changed.

Senior rule:

Every production change should have a mitigation plan before deployment.
Rollback is one mitigation option, not the only strategy.

11. Customer Impact Assessment

Incident response is incomplete without impact analysis.

Questions:

Who was affected?
Which tenants/customers/regions?
Which business operations failed or degraded?
How many requests failed?
Were any successful responses actually incorrect?
Was data lost, duplicated, delayed, or corrupted?
Was there security or privacy exposure?
Is reconciliation required?
Do customers need notification or support action?

For quote/order systems, impact may include:

  • quote cannot be created
  • quote created with wrong price
  • quote submitted twice
  • order state stuck
  • catalog version mismatch
  • pricing effective date wrong
  • event published but DB transaction rolled back
  • DB committed but event not published
  • downstream provisioning not triggered

Availability incident and correctness incident are different.

A clean failure is often easier to recover than a silent incorrect success.

12. Incident Timeline

A timeline is evidence, not storytelling.

Capture:

[ ] when first bad signal appeared
[ ] when alert fired
[ ] when human acknowledged
[ ] when incident was declared
[ ] recent deployments/config changes
[ ] mitigation actions and exact times
[ ] customer impact windows
[ ] recovery time
[ ] validation time
[ ] communication updates

Example:

10:42 UTC - 5xx begins on POST /quotes
10:45 UTC - burn-rate alert fires
10:47 UTC - on-call acknowledges
10:50 UTC - incident declared SEV2
10:55 UTC - recent deployment identified
11:02 UTC - feature flag disabled
11:07 UTC - 5xx returns to baseline
11:20 UTC - reconciliation confirms no duplicate quotes
11:45 UTC - RCA draft started

Good timeline practice:

Use absolute times and timezone.
Do not rely on vague phrases like "earlier" or "a bit later".

13. RCA / Postmortem

RCA should explain system behavior, not assign blame.

Good RCA covers:

1. What happened?
2. What was the customer impact?
3. How was it detected?
4. Why did it happen?
5. Why was it not prevented?
6. Why was it not detected earlier?
7. What mitigated it?
8. What corrective actions will reduce recurrence?
9. What preventive actions will reduce blast radius?
10. What follow-up items have owners and due dates?

Weak RCA:

Developer made a mistake.

Better RCA:

The API accepted a backward-incompatible enum value because contract tests did not
cover older generated clients. The release pipeline did not run compatibility
diff against the published OpenAPI contract. The canary did not include traffic
from the affected client type.

This points to system improvements:

  • add compatibility gate
  • add canary traffic coverage
  • improve generated client matrix
  • update PR checklist
  • add runtime metric for unknown enum mapping

14. Corrective and Preventive Actions

Corrective action fixes damage or immediate bug.

Preventive action reduces recurrence or blast radius.

Examples:

IncidentCorrective actionPreventive action
bad DB migrationrestore schema/dataexpand-contract policy and migration test
retry stormreduce retry configretry budget and circuit breaker standard
missing logsfix logger configtelemetry health alert and CI config check
wrong price roundingpatch calculationrounding policy tests and BigDecimal review checklist
Kafka duplicate processingreconcile duplicate rowsidempotency key and inbox table
TLS cert expiredrotate certexpiry alert and automated rotation

Action item quality:

Bad: Improve testing.
Good: Add contract test that verifies old v1 client can parse new quote response.

Bad: Add monitoring.
Good: Add burn-rate alert for quote submission 5xx with dashboard link and runbook.

Every post-incident action should have:

owner
priority
due date
acceptance criteria
tracking issue/link

15. Operational Readiness in Daily Engineering

Incident response is not separate from normal engineering.

Every meaningful PR should consider:

How will we know this change is unhealthy?
Can we disable it?
Can we roll it back?
Can old and new versions coexist?
Can DB schema support both versions?
Can event consumers handle the change?
Can support/customer teams understand the impact?
Is the runbook updated?

For senior PR review:

No observability plan -> not production-ready.
No rollback/mitigation plan -> risky deployment.
No compatibility check -> possible consumer incident.
No data correction plan -> dangerous for quote/order flows.

16. Operational Debugging Patterns for JAX-RS Services

Pattern 1 — Start at the edge, then move inward

gateway -> ingress -> service -> pod -> JAX-RS filter -> resource method -> service layer -> DB/Kafka/downstream

Do not assume the request reached the resource method.

Pattern 2 — Correlate by ID

Use:

trace_id
correlation_id
causation_id
request_id
tenant when allowed
operation name

Avoid:

raw payload
PII
secret
full token
high-cardinality metric labels

Pattern 3 — Separate symptom from cause

Symptom:

POST /quotes returns 500.

Possible causes:

validation mapper bug
DB lock timeout
Redis timeout
Kafka publish failure
pricing service timeout
feature flag config mismatch
JVM OOMKilled
wrong tenant routing

Pattern 4 — Confirm mitigation worked

Mitigation is not complete until:

customer-facing SLI recovers
error budget burn stops
dependency pressure falls
backlog is understood
no hidden data correctness issue remains

17. Incident Communication

Communication should be factual, calm, and time-bounded.

Good communication includes:

current status
known impact
unknowns
mitigation underway
next update expectation
owner/channel

Avoid:

speculation presented as fact
blame
technical overload for non-technical audience
silence during uncertainty
promising root cause too early

Example internal update:

We have confirmed elevated 5xx on quote submission for production starting 10:42 UTC.
Current evidence points to DB connection pool saturation after the latest deployment,
but root cause is not final. We disabled the new pricing enrichment flag at 11:02 UTC.
5xx is decreasing. Next update after validation and reconciliation check.

Example customer/support-oriented update:

We are investigating degraded quote submission affecting a subset of customers.
A mitigation has been applied and we are validating recovery. We will provide
an update when validation is complete.

18. Production Operations Checklist

For a Java/JAX-RS enterprise service, verify:

Service ownership:
[ ] Owner team is documented.
[ ] On-call/escalation path is documented.
[ ] Dependencies and owners are documented.

SLO/SLA:
[ ] Customer-facing SLIs are defined.
[ ] SLO targets and windows are defined.
[ ] Error budget policy is known.
[ ] SLA obligations are understood if applicable.

Alerting:
[ ] Symptom alerts exist.
[ ] Cause alerts support triage.
[ ] Alerts have dashboard links.
[ ] Alerts have runbook links.
[ ] Noise/non-actionable alerts are controlled.

Runbooks:
[ ] Runbooks exist for top failure modes.
[ ] Runbooks are tested or reviewed.
[ ] Rollback/kill-switch procedures are documented.
[ ] Data reconciliation procedures are documented.

Incident response:
[ ] Severity model is defined.
[ ] Incident roles are known.
[ ] Timeline process exists.
[ ] RCA/postmortem process exists.
[ ] Action items are tracked.

Customer impact:
[ ] Impact assessment template exists.
[ ] Tenant/customer blast radius can be queried.
[ ] Correctness incidents trigger reconciliation.
[ ] Communication path to support/customer teams exists.

19. Internal Verification Checklist

For CSG Quote & Order or similar enterprise systems, verify:

Incident process:
[ ] What severity levels are used internally?
[ ] Who declares incidents?
[ ] Which channel/tool is used?
[ ] Who communicates customer impact?
[ ] What is the RCA/postmortem template?

Operational ownership:
[ ] Which team owns Quote & Order runtime?
[ ] Which team owns database/platform/network dependencies?
[ ] Which team owns Kafka/RabbitMQ/Redis dependencies?
[ ] Which team owns cloud/Kubernetes/GitOps pipeline?

SLO/SLA:
[ ] Are there formal SLOs?
[ ] Are there external SLAs?
[ ] What are the critical business operations?
[ ] Which endpoints/jobs/events map to those operations?

Dashboards and alerts:
[ ] Where are service dashboards?
[ ] Which alerts page the team?
[ ] Are alerts tied to runbooks?
[ ] Are burn-rate alerts used?
[ ] Are deployment events visible in dashboards?

Mitigation:
[ ] How is rollback done?
[ ] Are feature flags/kill switches available?
[ ] Can Kafka consumers/jobs be paused safely?
[ ] Can traffic be shed safely?
[ ] Is reconciliation available after partial failure?

Data correctness:
[ ] How are duplicate quotes/orders detected?
[ ] How are stuck workflows detected?
[ ] How is pricing/catalog correctness validated?
[ ] Which reconciliation jobs exist?
[ ] Who approves manual correction?

20. Senior PR Review Checklist for Operability

Every risky production PR should answer:

[ ] What customer-facing behavior changes?
[ ] What telemetry proves it works?
[ ] What telemetry proves it is failing?
[ ] What alert/runbook needs update?
[ ] What is the rollback or mitigation plan?
[ ] Does DB/event/API compatibility hold during rollout?
[ ] Can old and new versions run together?
[ ] Is there a feature flag or kill switch for risky behavior?
[ ] Is there a reconciliation plan if partial failure occurs?
[ ] Is customer impact measurable?

Block or challenge PR when:

[ ] It changes production behavior without observable signal.
[ ] It changes DB schema without expand-contract safety.
[ ] It changes event contract without compatibility proof.
[ ] It introduces retry without retry budget.
[ ] It adds scheduled job without idempotency/locking/monitoring.
[ ] It changes auth/tenant logic without negative tests and audit trail.
[ ] It depends on manual rollback that is not documented.

21. Production Incident Simulation Exercises

Useful drills:

[ ] API 5xx spike after deployment
[ ] DB connection pool exhaustion
[ ] PostgreSQL deadlock storm
[ ] Kafka consumer lag with poison message
[ ] Redis unavailable
[ ] cloud secret rotation failure
[ ] DNS private endpoint misresolution
[ ] TLS certificate expiry
[ ] bad feature flag configuration
[ ] reconciliation finds duplicate orders

A drill should test:

detection
triage
communication
mitigation
rollback/flag disable
dashboard usefulness
runbook accuracy
post-incident action tracking

Do not wait for real incidents to discover that runbooks are incomplete.


22. Senior Mental Model

Production operations is the engineering discipline of reducing surprise.

Good code reduces defects.
Good tests reduce escaped defects.
Good observability reduces diagnosis time.
Good runbooks reduce chaos.
Good rollout strategy reduces blast radius.
Good incident response reduces customer harm.
Good RCA reduces recurrence.

For a senior engineer, the standard is not:

I implemented the feature.

The standard is:

I implemented the feature, made it observable, made it safe to roll out,
made it safe to disable, documented how it fails, and ensured the team can
recover when reality disagrees with our assumptions.

That is production ownership.

Lesson Recap

You just completed lesson 110 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.