Bluesky April 2026 Outage Post-Mortem

Bluesky April 2026 Outage Post-Mortem(pckt.blog)

141 points by jcalabro 38 days ago | 79 comments

> What I had missed is that we deployed a new internal service last week that sent less than three GetPostRecord requests per second, but it did sometimes send batches of 15-20 thousand URIs at a time. Typically, we'd probably be doing between 1-50 post lookups per request.

That’ll do it.

98codes 38 days ago | |

Ahh, the three relevant numbers in development: 0, 1, and infinity.

jandrese 38 days ago | |

The incredible part about this is because their backend is all TCP/IP they were literally exhausting the ports by leaving all 65k of them in TIME_WAIT, and the workaround was to start randomizing the localhost address to give them another trillion ports or so.

kyledrake 37 days ago | | |

This is a pretty interesting solution. I could see how this could useful for certain kinds of problems (as part of a ddos attack mitigation for example).

Night_Thastus 37 days ago | | |

I mean, it's one GetPostRecord, Michael. What could it cost? 1 trillion ports?

bombcar 38 days ago | |

Zero, one, many, many thousands.

LoganDark 38 days ago | |

And then they fix the issue by using multiple localhost IPs rather than, perhaps, not sending 15-20 thousand URIs at a time

odo1242 38 days ago | | |

They mentioned it was a temporary fix that they removed after finding and fixing the true root cause, though.

htx80nerd 38 days ago | |

less than ideal if I had to be frank.

pembrook 38 days ago |

Distributed social media goes down? hrmmm.

Email and the internet don't have "downtime." Certain key infra providers do of course. ISPs can go down. DNS providers can go down. But the internet and email itself can't go down absent a global electricity outage.

You haven't built a decentralized network until you reach that standard imo. Otherwise its just "distributed protocol" cosplay. Nice costume. Kind of like how everybody has been amnesia'd into thinking Obsidian is open source when it really isn't.

iAMkenough 38 days ago | |

Bluesky is a provider. Blacksky didn’t go down.

pembrook 38 days ago | | |

Is there anything running on Blacksky other than Bluesky with more than say, 100 active users?

AOL never even got to that level of dominance in the internet 1.0 era.

The point is it's not a distributed network if one node is 99.9% of all traffic.

tapoxi 38 days ago |

I don't really understand this architecture, but I thought Bluesky was distributed like Mastodon? How can it have an outage?

pfraze 38 days ago | |

This writeup is useful for backend engineers: https://atproto.com/articles/atproto-for-distsys-engineers

The simple answer is that atproto works like the web & search engines, where the apps aggregate from the distributed accounts. So the proper analogy here would be like yahoo going down in 1999.

tapoxi 38 days ago | | |

This is a fantastic write-up, thanks for sharing!

fiatjaf 38 days ago | | |

Sorry, but this analogy is very misleading, no one browses websites through Google's servers.

For example, right now in my URL bar I read "news.ycombinator.com", not "google.com/profile/news.ycombinator.com".

If Google goes down now I can keep browsing this website and all the other websites I have in all my other tabs as if nothing had happened.

isodev 38 days ago | | |

Google and MSN Search were already available at this time. Also websites used to publish webrings and there was IRC and forums to ask people about things.

isodev 38 days ago | |

It’s more of a concept of a plan for being distributed. I even went through the trouble of hosting my own PDC and still, I was unable to use the service during the outage

direwolf20 38 days ago | |

It's not really distributed. It's a centralised service that pulls some parts of 0.01% of user profiles from their own servers.

Retr0id 38 days ago | |

Mastodon infra can have outages, too.

tapoxi 38 days ago | | |

It's just confined to one instance if it goes down, not all of Mastodon.

chr15m 37 days ago | |

"decentralized"

LoganDark 38 days ago | |

A web interface and home server can have an outage. Bluesky is just a web interface and home server.

opem 38 days ago |

At least they aren't hiding and transparent about it unlike the big tech corps with so called SLAs

tmpz22 38 days ago | |

There are no outages in Azure sing se.

_heimdall 37 days ago | | |

GitHub's Ops team would approve this message, I assume.

thedrexster 35 days ago | | |

i see you, brother! <3

mwkaufma 38 days ago |

Tell us more about this buggy "new internal service" that's scraping batch data :P

heliumtera 37 days ago |

Good to know the discussion about decentralization and federation had finally ended

goekjclo 38 days ago |

> The timing of these log spikes lined up with drops in user-facing traffic, which makes sense. Our data plane heavily uses memcached to keep load off our main Scylla database, and if we're exhausting ports, that's a huge problem.

I expect this is common.

jonstaab 38 days ago |

nostr never goes down

jandrese 38 days ago | |

If nostr went down would people even notice?

yangm97 37 days ago | | |

The good thing about nostr is that, contrary to popular federated protocols, your identity is not tied to any single server, you own the keypair to your account, so you can continue using it just fine even if some relays experience a downtime.

nout 38 days ago | | |

If any major nostr relay goes down, no one notices. That has happened many times, the network is very resilient to that.

jonstaab 38 days ago | | |

probably not

pfraze 38 days ago | |

All support to other decentralizers but nothing never goes down.

nout 38 days ago | | |

The comparison here is to something like TCP/IP. TCP/IP never goes down. TCP/IP is a protocol, the servers may go down and cause disruption, but the protocol doesn't really have the ability to "go down". Nostr is also a protocol. The communication on top of Nostr is pretty resilient compared to other solutions though, so that's the main highlight here.

If tens of servers go down, then some people may start noticing a bit of inconvenience. If hundreds of servers go down, then some people may need to coordinate out of bound on what relays to use, but it still generally speaking works ok.

jonstaab 38 days ago | | |

1000x redundancy makes it vanishingly unlikely. Although I know we're due for a pole shift so all bets are off I suppose.

bit1993 37 days ago | | |

Bitcoin, BitTorrent never go down.

emidoots 38 days ago | |

There's stark contrast for an average human visiting the landing page of bsky.app vs nostr.org

jonstaab 37 days ago | | |

That's what decentralization looks like. You might also try:

nostr.com nostr.how nostr.net nostrich.love nostrhub.io usenostr.org And of course https://github.com/nostr-protocol/nostr

gsibble 38 days ago |

Did all 3 users notice?

ffsm8 38 days ago | |

Naw, only one did. Turns out the other two were his socket accounts he used to upvote and comment on his own content.

Okay, nuff trolling for today

mwagstaff 37 days ago |

With my SRE hat on, dare I ask... could/should this have been picked up in testing?

And then normally there's a nice discussion about how production is very different to the test environment.

rvz 38 days ago |

Thank you for the post mortem on this outage.

electrondood 38 days ago |

Great write up... curious about the RCA. Thanks!

drewg123 38 days ago |

Golang's use of a potentially unbounded number of threads is just insane. I used to be fairly bullish on golang, but this, combined with the fact that its garbage collected, makes me feel its just unsuitable for production use.

floating-io 38 days ago | |

You can have this problem with any kind of thread -- including OS threads -- if you do an unbounded spawn loop. Go is hardly unique in this.

Goroutines are actually better AFAIK because they distribute work on a thread pool that can be much smaller than the number of active goroutines.

If my quick skim created a correct understanding, then the problem here looks more like architecture. Put simply: does the memcached client really require a new TCP connection for every lookup? I would think you would pool those connections just like you would a typical database and keep them around for approximately forever. Then they wouldn't have spammed memcache with so many connections in the first place...

(edit: ah, it looks like they do use a pool, but perhaps the pool does not have a bounded upper size, which is its own kind of fail.)

slopinthebag 38 days ago | | |

Rust's async doesn't have this issue. Or at least, it's the same issue as malloc in an unbounded loop, but that's a more general issue not related to async or threading.

15-20 thousand futures would be trivial. 15-20 thousand goroutines, definitely not.

tombert 38 days ago | |

Why does garbage collection make it unsuitable for production use? A lot of production software is written in garbage collected languages like Java. Pretty much the entire backend for iTunes/Apple Music is written in Java, and it's not doing any kind of fancy bump allocator tricks to avoid garbage. In my mind, kind of hard to argue that Apple Music is not "production use".

There are certainly plenty of projects where garbage collection is too slow, but I don't know that they're the majority, and more people would likely prefer memory safety by default.

madeofpalk 38 days ago | | |

Based on my experience of Apple Music being pretty bad at streaming music, i would say that it's not ready for 'production use'.

slopinthebag 38 days ago | | |

Everything is understood by comparison. Unsuitable for production use, compared to what is the more apt question.

streetfighter64 38 days ago |

> They represent real user-facing downtime

Off-topic, but "real" feels like the new "delve". Is there such a thing as "fake" or "virtual" downtime, or why do people feel the need to specify that all manner of things are "real" nowadays?

jmclnx 38 days ago |

Lite Blue on a dark Blue background. That is a new one, I have seen grey text on lite grey, but blue on blue ?

The article does work in lynx, at least I can read it.