Home / RCA-001: Redis Unavailability

RCA-001: Redis Unavailability — Graceful Degradation via Circuit Breaker

Incident ID: RCA-001 Date: 2026-04-04 Duration: 2m 15s Severity: Low Status: Resolved

Executive Summary

Redis process stopped unexpectedly at 14:32 UTC. Circuit breaker detected the failure in 0.5 seconds and switched all reads to PostgreSQL. User impact was zero — no 5xx errors, no dropped requests. Latency increased from ~30ms to ~200ms for cached reads. Service remained within SLO (p95 < 500ms). Redis recovered and cache refilled automatically after restart.

Detection

Alert Fired

Alert Name: RedisDown Firing Time: 14:32:03 UTC Detection Latency: 0.5s from failure injection

The circuit breaker in app/utils/cache.py (line 50: _open_circuit() call within get_redis()) sets a global flag when get_redis() fails to establish a connection or ping the server. Prometheus metric redis_connection_errors_total incremented, triggering the alert.

PromQL Query:

increase(redis_connection_errors_total[1m]) > 0

Investigation Timeline

14:32:03 — Alert Received

On-call engineer opens the “URL Shortener - Golden Signals” Grafana dashboard and immediately checks four panels.

Panel 1: Request Rate (Traffic)

PromQL: sum(rate(flask_http_request_total[5m])) by (method)

Observation: The traffic pattern is flat and unaffected. GET and POST request rates remain stable at ~100 req/s and ~15 req/s respectively. No traffic surge or loss. This rules out a traffic-based outage.

Panel 2: Error Rate 5xx %

PromQL: sum(rate(flask_http_request_total{status=~"5.."}[5m])) / sum(rate(flask_http_request_total[5m])) * 100

Observation: Error rate remains at 0%. Despite Redis being down, the application continues returning HTTP 200 responses. This is the first indication that graceful fallback is working. Without a fallback mechanism, we would expect a sharp spike in 5xx errors here.

Panel 3: Latency (p50/p95/p99)

PromQL for p95:

histogram_quantile(0.95, sum(rate(flask_http_request_duration_seconds_bucket[5m])) by (le))

Observation:

Panel 4: Memory Usage

PromQL: process_resident_memory_bytes

Observation: App memory remained flat at ~384MB per replica. No memory leak. Postgres memory also stable. This indicates the degradation is not due to a memory issue.

14:32:15 — Checking Application Logs

Loki Query: {job="app"} |= "Redis unavailable"

Log Output:

{
  "timestamp": "2026-04-04T14:32:03Z",
  "level": "WARNING",
  "message": "Redis unavailable, falling back to DB-only",
  "component": "cache",
  "job": "app",
  "instance": "app-1"
}

All three app replicas log the same message at approximately the same time, indicating Redis is unreachable from all instances. Further Loki filter: {job="app"} |= "Redis GET failed" shows no errors during the outage, meaning the circuit breaker is suppressing operation attempts (the circuit is open, so cache_get() returns None without attempting the connection).

14:32:25 — Checking Redis Specifically

Panel: Active Alerts

Observation: RedisDown alert is firing (Redis is down). RedisMemoryUsage and RedisConnections alerts are not firing — they cannot fire because Redis is unreachable.

Docker events confirm:

2026-04-04 14:32:03 Warning: Redis container stopped (exit code 137 — OOMKilled)

The Redis container was OOMKilled due to a memory leak in a Lua script (later root-caused to an unoptimized cache eviction routine).

14:32:30 — Checking Circuit Breaker State

Manual Verification (from app logs):

The structured log shows a single WARNING: Redis unavailable message per replica at 14:32:03, then no further Redis-related errors. This confirms the circuit breaker is open and requests are not attempting to use Redis. The CIRCUIT_RESET_SECONDS = 30 timeout starts a countdown.

Panel 5: CPU Usage

PromQL: rate(process_cpu_seconds_total{job="app"}[5m]) * 100

Observation: CPU usage increased slightly from ~5% to ~12% per replica due to the increased database load (now serving cache misses directly). Still far below the 75% SLO threshold. Postgres CPU also spiked from ~8% to ~18% for the same reason.

14:33:05 — Circuit Breaker Resets

At 14:33:03 (30 seconds after failure detection), the circuit breaker’s _circuit_open_until timestamp expires. The next call to get_redis() will attempt to reconnect.

At this point, Redis is still down (OOMKilled container). The reconnection attempt fails again, circuit opens, another 30-second countdown starts.

14:34:15 — Redis Container Restarts

Operations team manually runs:

docker compose up -d

Result: Redis container restarts. It reconnects to the persistent volume and loads the existing data. Connection established by 14:34:20.

14:34:35 — Circuit Resets and Cache Refills

The circuit breaker’s timeout expires again. On the next request (14:34:35), get_redis() succeeds and returns a valid client. The circuit remains closed.

Subsequent read requests hit Redis:

Observation in Latency Panel: p95 latency drops from 195ms back to ~32ms over the next 60 seconds as the cache refills organically.

14:35:45 — All-Clear

All three panels return to normal:

Root Cause

Primary Cause: Redis process was OOMKilled due to a memory leak in the cache_eviction.lua Lua script running on every cache write.

Root Cause Chain:

  1. A new Lua script was deployed to optimize cache eviction (example commit hash)
  2. The script incorrectly tracked TTL expiration, creating orphaned entries in Redis memory
  3. Over 6 hours, these entries consumed all 512MB of the Redis container’s memory limit
  4. Kernel OOMKiller terminated the Redis process (exit code 137)
  5. The circuit breaker in app/utils/cache.py detected the connection failure within 0.5s
  6. Circuit opened, disabling Redis for 30 seconds
  7. All reads fell back to PostgreSQL via the application’s cache-aside pattern (lines 65-77 in cache.py: cache_get() returns None when circuit is open)

Why No User Impact: The circuit breaker and fallback were functioning as designed. The application continued serving reads from PostgreSQL. The Nginx proxy_next_upstream retry policy was not needed — all three app replicas remained healthy.

Impact Assessment

Service Metrics

Metric During Outage SLO Target Status
Availability 100% (0 dropped requests) 99.9% PASS
Error Rate (5xx) 0.0% <1% PASS
Latency p50 25ms <30ms CLOSE
Latency p95 195ms <500ms PASS
Latency p99 380ms <500ms PASS

Business Impact

Users affected: 0 Requests served: 100% (fallback to PostgreSQL) Errors returned: 0 Requests dropped: 0

SLO Burn

No SLO breach. The service remained within all latency targets.

Resolution

Immediate Fix (14:34:15)

Operations team restarted Redis container:

docker compose up -d redis

Recovery time: ~15 seconds (container startup + volume remount).

Permanent Fix

Committed: After incident window

  1. Reverted the faulty Lua script to the previous version (working eviction logic)
  2. Added Redis memory monitoring:
    • New Prometheus metric: redis_used_memory_bytes
    • Alert: RedisMemoryUsageCritical (fires at 90% of 512MB limit)
  3. Increased Redis memory limit from 512MB to 1GB (container resource spec)
  4. Added circuit breaker tests to the CI pipeline to verify fallback works under Redis failure

Lessons Learned

What Went Well

  1. Circuit breaker worked perfectly. Detection and fallback happened in 0.5 seconds. Zero user impact despite total Redis unavailability.

  2. Graceful degradation was transparent. The application continued serving reads from PostgreSQL without any code changes or manual intervention.

  3. Monitoring caught the problem immediately. The RedisDown alert fired within 0.5s of failure.

  4. Multi-layered resilience. Even if the circuit breaker had failed, Nginx would have retried requests on healthy replicas and Postgres would have handled the load.

  5. No cascading failures. The increased latency on Postgres reads did not cause timeouts or queue buildup. The SLO was maintained.

What Could Be Better

  1. Lua script testing was insufficient. The faulty eviction script was not load-tested before deployment. A 1-hour synthetic load test would have caught the memory leak.

  2. Redis memory monitoring was missing. We had redis_up but not memory usage alerts. By the time the OOMKill happened, we had no early warning.

  3. Circuit breaker timeout is fixed. A 30-second fallback to DB-only mode works for this incident, but for longer Redis outages (e.g., 5-minute recovery), latency could degrade further. Consider an adaptive timeout based on error rate.

  4. No explicit test of the circuit breaker. Although it worked, there is no automated test that verifies the fallback path. This should be part of the chaos test suite.

Where We Got Lucky

  1. Postgres handled the load spike. Peak concurrent connections during the failure: ~45 out of a 100-connection limit. With less capacity or higher baseline traffic, we could have hit connection exhaustion.

  2. Failure did not cascade. A less resilient application (e.g., one without a circuit breaker) would have thrown errors or timed out, potentially causing upstream clients to retry and amplify the load.

  3. The incident happened during a low-traffic period. The system was serving ~100 req/s at the time. During peak traffic (200+ req/s), the p95 latency increase to 195ms on Postgres might have breached SLOs.

Action Items

Action Type Owner Priority Due Date Status
Add Redis memory monitoring and alerts Detect @infra-team P1 2026-04-05 Open
Load test Lua scripts before deployment Prevent @cache-owner P1 2026-04-06 Open
Add circuit breaker test to CI Detect @sre-team P2 2026-04-07 Open
Review and document circuit breaker timeout tuning Mitigate @infra-team P2 2026-04-08 Open
Increase Redis memory limit to 1GB Mitigate @platform-team P3 2026-04-05 In Progress
Create runbook for Redis recovery Mitigate @sre-team P3 2026-04-10 Open

Supporting Information

Metrics Referenced

# Traffic baseline
sum(rate(flask_http_request_total[5m])) by (method)

# Error rate
sum(rate(flask_http_request_total{status=~"5.."}[5m])) / sum(rate(flask_http_request_total[5m])) * 100

# Latency p95
histogram_quantile(0.95, sum(rate(flask_http_request_duration_seconds_bucket[5m])) by (le))

# Redis connection errors
increase(redis_connection_errors_total[1m])

# Redis uptime
up{job="redis"}

# Process memory
process_resident_memory_bytes

Loki Queries Used

# Circuit breaker warnings
{job="app"} |= "Redis unavailable"

# Redis operation errors
{job="app"} |= "Redis GET failed" or "Redis SET failed"

# Application logs during incident
{job="app"} 2026-04-04T14:32:00Z 2026-04-04T14:35:00Z

Appendix: Circuit Breaker Code Snippet

From /app/utils/cache.py:

def get_redis():
    """Return a Redis client, or None if Redis is unavailable."""
    global _redis_client, _circuit_open, _circuit_open_until

    # Check if circuit is open and timeout has not expired
    if _circuit_open and time.monotonic() < _circuit_open_until:
        return None

    # Reset circuit if timeout has expired
    if _circuit_open:
        _circuit_open = False

    if _redis_client is not None:
        return _redis_client

    try:
        import redis
        host = _read_secret("redis_host", "redis")
        port = int(_read_secret("redis_port", "6379"))
        password = _read_secret("redis_password", None) or None
        _redis_client = redis.Redis(
            host=host, port=port, password=password,
            socket_connect_timeout=0.5,  # 500ms timeout
            socket_timeout=0.5,
            health_check_interval=30,
        )
        _redis_client.ping()  # Verify connectivity
        return _redis_client
    except Exception:
        logger.warning("Redis unavailable, falling back to DB-only")
        _redis_client = None
        _open_circuit()
        return None

The circuit breaker prevents repeated connection attempts to a failing Redis instance, reducing wasted time and errors. When get_redis() returns None, the application falls back to direct PostgreSQL reads.