MCP HubMCP Hub
Retour aux compétences

write-incident-runbook

pjt222
Mis à jour 2 days ago
5 vues
17
2
17
Voir sur GitHub
Métawordai

À propos

Cette compétence Claude génère des runbooks d'incident structurés avec des étapes de diagnostic, des procédures de résolution et des chemins d'escalade pour standardiser la réponse. Elle est utilisée pour documenter les procédures pour les alertes récurrentes, réduire le MTTR et créer des supports de formation. La compétence produit des guides opérationnels pour améliorer la gestion des incidents au sein des rotations de permanence.

Installation rapide

Claude Code

Recommandé
Principal
npx skills add pjt222/agent-almanac -a claude-code
Commande PluginAlternatif
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternatif
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/write-incident-runbook

Copiez et collez cette commande dans Claude Code pour installer cette compétence

Documentation

Write Incident Runbook

Create actionable runbooks guiding responders through incident diagnosis and resolution.

When Use

  • Documenting response procedures for recurring alerts or incidents
  • Standardizing incident response across on-call rotation members
  • Reducing mean time to resolution (MTTR) with clear diagnostic steps
  • Creating training materials for new team members on incident handling
  • Establishing escalation paths and communication protocols
  • Migrating tribal knowledge to written documentation
  • Linking alerts to resolution procedures (alert annotations)

Inputs

  • Required: Incident or alert name/description
  • Required: Historical incident data and resolution patterns
  • Optional: Diagnostic queries (Prometheus, logs, traces)
  • Optional: Escalation contacts and communication channels
  • Optional: Previous incident post-mortems

Steps

Step 1: Choose Runbook Template Structure

See Extended Examples for complete template files.

Select appropriate template based on incident type and complexity.

Basic runbook template structure:

# [Alert/Incident Name] Runbook
## Overview | Severity | Symptoms
## Diagnostic Steps | Resolution Steps
## Escalation | Communication | Prevention | Related

Advanced SRE runbook template (excerpt):

# [Service Name] - [Incident Type] Runbook

## Metadata
- Service, Owner, Severity, On-Call, Last Updated

## Diagnostic Phase
### Quick Health Check (< 5 min): Dashboard, error rate, deployments
### Detailed Investigation (5-20 min): Metrics, logs, traces, failure patterns
# ... (see EXAMPLES.md for complete template)

Key template components:

  • Metadata: Service ownership, severity, on-call rotation
  • Diagnostic Phase: Quick checks → detailed investigation → failure patterns
  • Resolution Phase: Immediate mitigation → root cause fix → verification
  • Escalation: Criteria and contact paths
  • Communication: Internal/external templates
  • Prevention: Short/long-term actions

Got: Template selected matches incident complexity. Sections appropriate for service type.

If err:

  • Start with basic template, iterate based on incident patterns
  • Review industry examples (Google SRE books, vendor runbooks)
  • Adapt template based on team feedback after first use

Step 2: Document Diagnostic Procedures

See Extended Examples for complete diagnostic queries and decision trees.

Create step-by-step investigation procedures with specific queries.

Six-step diagnostic checklist:

  1. Verify Service Health: Health endpoint checks and uptime metrics

    curl -I https://api.example.com/health  # Expected: HTTP 200 OK

    up{job="api-service"}  # Expected: 1 for all instances

  2. Check Error Rate: Current error percentage and breakdown by endpoint

    sum(rate(http_requests_total{status=~"5.."}[5m]))
/ sum(rate(http_requests_total[5m])) * 100  # Expected: < 1%

  3. Analyze Logs: Recent errors and top error messages from Loki

    {job="api-service"} |= "error" | json | level="error"

  4. Check Resource Utilization: CPU, memory, connection pool status

    avg(rate(container_cpu_usage_seconds_total{pod=~"api-service.*"}[5m])) * 100
# Expected: < 70%

  5. Review Recent Changes: Deployments, git commits, infrastructure changes

  6. Examine Dependencies: Downstream service health, database/API latency

Failure pattern decision tree (excerpt):

  • Service down? → Check all pods/instances
  • Error rate elevated? → Check specific error types (5xx, gateway, database, timeouts)
  • When did it start? → After deployment (rollback), gradual (resource leak), sudden (traffic/dependency)

Got: Diagnostic procedures specific. Include expected vs actual values. Guide responder through investigation.

If err:

  • Test queries in actual monitoring system before documenting
  • Include screenshots of dashboards for visual reference
  • Add "Common mistakes" section for frequently missed steps
  • Iterate based on feedback from incident responders

Step 3: Define Resolution Procedures

See Extended Examples for all 5 resolution options with full commands and rollback procedures.

Document step-by-step remediation with rollback options.

Five resolution options (brief summary):

  1. Rollback Deployment (fastest): For post-deployment errors

    kubectl rollout undo deployment/api-service

    Verify → Monitor → Confirm resolution (error rate < 1%, latency normal, no alerts)

  2. Scale Up Resources: For high CPU/memory, connection pool exhaustion

    kubectl scale deployment/api-service --replicas=$((current * 3/2))

  3. Restart Service: For memory leaks, stuck connections, cache corruption

    kubectl rollout restart deployment/api-service

  4. Feature Flag / Circuit Breaker: For specific feature errors or external dependency failures

    kubectl set env deployment/api-service FEATURE_NAME=false

  5. Database Remediation: For database connections, slow queries, pool exhaustion

    -- Kill long-running queries, restart connection pool, increase pool size

Universal verification checklist:

  • Error rate < 1%
  • Latency P99 < threshold
  • Throughput at baseline
  • Resource usage healthy (CPU < 70%, Memory < 80%)
  • Dependencies healthy
  • User-facing tests pass
  • No active alerts

Rollback procedure: Resolution worsens situation? → pause/cancel → revert → reassess

Got: Resolution steps clear. Include verification checks. Provide rollback options for each action.

If err:

  • Add more granular steps for complex procedures
  • Include screenshots or diagrams for multi-step processes
  • Document command outputs (expected vs actual)
  • Create separate runbook for complex resolution procedures

Step 4: Establish Escalation Paths

See Extended Examples for full escalation levels and contact directory template.

Define when and how to escalate incidents.

When to escalate immediately:

  • Customer-facing outage > 15 minutes
  • SLO error budget > 10% depleted
  • Data loss/corruption or security breach suspected
  • Unable to identify root cause within 20 minutes
  • Mitigation attempts fail or worsen situation

Five escalation levels:

  1. Primary On-Call (5 min response): Deploy fixes, rollback, scale (up to 30 min solo)
  2. Secondary On-Call (auto after 15 min): Additional investigation support
  3. Team Lead (architectural decisions): Database changes, vendor escalation, incidents > 1 hour
  4. Incident Commander (cross-team coord): Multiple teams, customer comms, incidents > 2 hours
  5. Executive (C-level): Major impact (>50% users), SLA breach, media/PR, outages > 4 hours

Escalation process:

  1. Notify target with: current status, impact, actions taken, help needed, dashboard link
  2. Handoff if needed: share timeline, actions, access. Remain available
  3. Don't go silent: update every 15 min, ask questions, provide feedback

Contact directory: Maintain table with role, Slack, phone, PagerDuty for:

  • Platform/Database/Security/Network teams
  • Incident Commander
  • External vendors (AWS, database vendor, CDN provider)

Got: Clear criteria for escalation. Contact information readily accessible. Escalation paths aligned with organizational structure.

If err:

  • Validate contact information current (test quarterly)
  • Add decision tree for when to escalate
  • Include examples of escalation messages
  • Document response time expectations for each level

Step 5: Create Communication Templates

See Extended Examples for all internal and external templates with full formatting.

Provide pre-written messages for incident updates.

Internal templates (Slack #incident-response):

  1. Initial Declaration:

    🚨 INCIDENT: [Title] | Severity: [Critical/High/Medium]
Impact: [users/services] | Owner: @username | Dashboard: [link]
Quick Summary: [1-2 sentences] | Next update: 15 min

  2. Progress Update (every 15-30 min):

    📊 UPDATE #N | Status: [Investigating/Mitigating/Monitoring]
Actions: [what we tried and outcomes]
Theory: [what we think is happening]
Next: [planned actions]

  3. Mitigation Complete:

    ✅ MITIGATION | Metrics: Error [before→after], Latency [before→after]
Root Cause: [brief or "investigating"] | Monitoring 30min before resolved

  4. Resolution:

    🎉 RESOLVED | Duration: [time] | Root Cause + Impact + Follow-up actions

  5. False Alarm: No impact, no follow-up needed

External templates (status page):

  • Initial: Investigating, started time, next update in 15 min
  • Progress: Identified cause (customer-friendly), implementing fix, estimated resolution
  • Resolution: Resolved time, root cause (simple), duration, prevention measures

Customer email template: Timeline, impact description, resolution, prevention, compensation (if applicable)

Got: Templates save time during incidents. Ensure consistent communication. Reduce cognitive load on responders.

If err:

  • Customize templates to match company communication style
  • Pre-fill templates with common incident types
  • Create Slack workflow/bot to populate templates automatically
  • Review templates during incident retrospectives

Step 6: Link Runbook to Monitoring

See Extended Examples for complete Prometheus alert configuration and Grafana dashboard JSON.

Integrate runbook with alerts and dashboards.

Add runbook links to Prometheus alerts:

- alert: HighErrorRate
  annotations:
    runbook_url: "https://wiki.example.com/runbooks/high-error-rate"
    dashboard_url: "https://grafana.example.com/d/service-overview"
    incident_channel: "#incident-platform"

Embed quick diagnostic links in runbook:

  • Service Overview Dashboard
  • Error Rate Last 1h (Prometheus direct link)
  • Recent Error Logs (Loki/Grafana Explore)
  • Recent Deployments (GitHub/CI)
  • PagerDuty Incidents

Create Grafana dashboard panel with runbook links (markdown panel listing all incident runbooks with on-call and escalation info)

Got: Responders can access runbooks directly from alerts or dashboards. Diagnostic queries pre-filled. One-click access to relevant tools.

If err:

  • Verify runbook URLs accessible without VPN/login
  • Use URL shorteners for complex Grafana/Prometheus links
  • Test links quarterly to ensure they don't break
  • Create browser bookmarks for frequently used runbooks

Check

  • Runbook follows consistent template structure
  • Diagnostic procedures include specific queries and expected values
  • Resolution steps actionable with clear commands
  • Escalation criteria and contacts current
  • Communication templates provided for internal and external audiences
  • Runbook linked from monitoring alerts and dashboards
  • Runbook tested during incident simulation or actual incident
  • Feedback from responders incorporated into runbook
  • Revision history tracked with dates and authors
  • Runbook accessible without authentication (or cached offline)

Pitfalls

  • Too generic: Runbooks with vague steps like "check the logs" without specific queries not actionable. Be specific.
  • Outdated information: Runbooks referencing old systems or commands become useless. Review quarterly.
  • No verification steps: Resolution without verification leads to false positives. Always include "how to confirm it's fixed."
  • Missing rollback procedures: Every action should have rollback plan. Don't trap responders in worse state.
  • Assume knowledge: Runbooks for experts only exclude junior engineers. Write for least experienced person on rotation.
  • No ownership: Runbooks without owners become stale. Assign team/person responsible for updates.
  • Hidden behind auth: Runbooks inaccessible during VPN/SSO issues useless during crisis. Cache copies or use public wiki.

See Also

  • configure-alerting-rules - Link runbooks to alert annotations for immediate access during incidents
  • build-grafana-dashboards - Embed runbook links in dashboards and diagnostic panels
  • setup-prometheus-monitoring - Include diagnostic queries from Prometheus in runbook procedures
  • define-slo-sli-sla - Reference SLO impact in incident severity classification

Dépôt GitHub

pjt222/agent-almanac
Chemin: i18n/caveman/skills/write-incident-runbook
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Compétences associées

content-collections

Méta

Cette compétence propose une configuration éprouvée en production pour Content Collections, un outil axé sur TypeScript qui transforme des fichiers Markdown/MDX en collections de données typées de manière sûre avec une validation Zod. Utilisez-la lors de la création de blogs, de sites de documentation ou d'applications Vite + React riches en contenu pour garantir la sécurité de typage et la validation automatique du contenu. Elle couvre tout, de la configuration du plugin Vite et de la compilation MDX à l'optimisation des déploiements et la validation des schémas.

Voir la compétence

polymarket

Méta

Cette compétence permet aux développeurs de créer des applications avec la plateforme de marchés prédictifs Polymarket, incluant l'intégration d'API pour le trading et les données de marché. Elle fournit également une diffusion de données en temps réel via WebSocket pour surveiller les transactions en direct et l'activité du marché. Utilisez-la pour mettre en œuvre des stratégies de trading ou pour créer des outils traitant les mises à jour de marché en direct.

Voir la compétence

creating-opencode-plugins

Méta

Cette compétence aide les développeurs à créer des plugins OpenCode qui s'interconnectent avec plus de 25 types d'événements tels que les commandes, les fichiers et les opérations LSP. Elle fournit la structure du plugin, les spécifications de l'API événementielle et les modèles d'implémentation pour les modules JavaScript/TypeScript. Utilisez-la lorsque vous avez besoin d'intercepter, de surveiller ou d'étendre le cycle de vie de l'assistant IA OpenCode avec une logique personnalisée pilotée par les événements.

Voir la compétence

sglang

Méta

SGLang est un framework de service LLM haute performance spécialisé dans la génération rapide et structurée pour les workflows JSON, regex et agentiques grâce à son cache de préfixe RadixAttention. Il offre une inférence nettement plus rapide, particulièrement pour les tâches avec des préfixes répétés, ce qui le rend idéal pour les sorties complexes et structurées ainsi que les conversations multi-tours. Choisissez SGLang plutôt que des alternatives comme vLLM lorsque vous avez besoin d'un décodage contraint ou que vous construisez des applications avec un partage étendu de préfixes.

Voir la compétence