Avoid Irrecoverable Deployments

A senior engineering thread laid out a short playbook to avoid irrecoverable failures in large distributed systems—decouple data migrations from code releases, preserve forward/backward API compatibility, limit production jumps to one version, use canaries, and favour clean, type‑safe APIs. The post argues that careful human design and rollout discipline remain more decisive for hyperscale reliability than chasing tooling fads. (x.com)

A distributed system never updates all at once. One server gets new code while another is still on the old version, so every rollout creates a temporary mixed-language conversation inside your own product. (threadreaderapp.com) That is how a normal deploy turns into an irrecoverable one. If new code rewrites data into a shape old code cannot read, a rollback stops being a safety switch and becomes a second outage. (threadreaderapp.com)

James Cowling's thread starts with the simplest rule: change storage and change behavior in separate steps. Ship code that can understand both the old format and the new format, move the data later, and only then remove the old path. (threadreaderapp.com)

API compatibility is the same problem at the service boundary. If Service A starts sending a field that Service B rejects, or stops sending a field Service B still needs, the break happens between healthy machines that now disagree on the contract. (threadreaderapp.com) That is why forward compatibility and backward compatibility both matter. New code has to survive old requests, and old code has to survive new requests, because a rolling deploy guarantees both versions will coexist for some part of the release. (threadreaderapp.com)

Cowling's next rule is to avoid jumping production across multiple versions at once. If version 7 can talk to version 6, and version 6 can talk to version 5, that does not mean version 7 can safely land on top of version 5 without exposing a gap nobody tested. (threadreaderapp.com)

Canarying is the operational version of dipping one toe in the water. Google's Site Reliability Engineering workbook defines a canary as a partial, time-limited deployment to a small slice of production that you compare against the unchanged control before continuing. (sre.google) The point of a canary is blast radius. If 1 percent of traffic sees a memory leak, rising errors, or a bad database write, you can stop the rollout before 100 percent of users and 100 percent of records inherit the same bug. (sre.google)

The last part of Cowling's playbook is about interface design, not release tooling. Clean, type-safe APIs catch bad assumptions earlier because the compiler or schema checker can reject impossible states before production traffic ever sees them. (threadreaderapp.com) That is the quiet argument underneath the whole thread. Fancy delivery platforms can automate a rollout, but they cannot rescue a system whose data model, version policy, and service contracts were designed with rollback as an afterthought. (threadreaderapp.com)
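The playbook above, worked through as an added example that is not from Cowling's thread or the briefing: a record format change (a constructed `full_name` field split into `first_name`/`last_name`) handled in expand/contract style, a rollback check that asks whether the previous release could still read what the new release wrote, the one-version-jump rule, and a canary-versus-control error-rate comparison. The schema numbers, field names and the 2x error-rate tolerance are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCHEMA_V1 = 1  # constructed old layout: {"full_name": "Ada Lovelace"}
SCHEMA_V2 = 2  # constructed new layout: {"first_name": "Ada", "last_name": "Lovelace"}

@dataclass
class User:
    first_name: str
    last_name: str

def old_decode(record: dict) -> User:
    """Reader still running on not-yet-upgraded servers: it only knows v1."""
    first, _, last = record["full_name"].partition(" ")
    return User(first, last)

def decode(record: dict) -> User:
    """New reader: accepts both layouts and ignores keys it does not know
    (forward compatible), so it survives records written by either release."""
    version = record.get("schema_version", SCHEMA_V1)
    if version == SCHEMA_V1:
        return old_decode(record)
    if version == SCHEMA_V2:
        return User(record["first_name"], record["last_name"])
    raise ValueError(f"unsupported schema_version {version}")

def encode(user: User, write_v2: bool) -> dict:
    """Phase 1 keeps writing v1 so a rollback can still read the data; flip
    write_v2 only after every reader in production understands v2."""
    if not write_v2:
        return {"schema_version": SCHEMA_V1,
                "full_name": f"{user.first_name} {user.last_name}"}
    return {"schema_version": SCHEMA_V2,
            "first_name": user.first_name, "last_name": user.last_name}

def old_reader_survives(record: dict) -> bool:
    """Rollback test: could the previous release still read this record?"""
    try:
        old_decode(record)
        return True
    except KeyError:
        return False

def rollout_allowed(running: int, target: int) -> bool:
    """Only adjacent versions were tested together; refuse 5 -> 7 style jumps."""
    return abs(target - running) == 1

def canary_healthy(canary_errors: int, canary_total: int,
                   control_errors: int, control_total: int,
                   max_ratio: float = 2.0, floor: float = 0.001) -> bool:
    """Continue the rollout only if the canary's error rate stays within
    max_ratio of the control's (plus a small floor so a zero-error control
    does not fail the canary on a single request)."""
    canary_rate = canary_errors / canary_total
    control_rate = control_errors / control_total
    return canary_rate <= control_rate * max_ratio + floor
```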

Shared from Scout - Be the smartest in the room.