Runbooks That Actually Get Used

Quickstart

If you only have one hour this week to improve operations, do these steps in order. They create an immediately usable runbook (even if you refine it later).

Overview

A runbook is an operational guide for a specific situation: “High error rate on checkout-api,” “Database connections exhausted,” “Queue lag rising,” “Latency p95 spikes,” “Pod crash loop.” The best runbooks are designed around two truths: incidents are time-pressured, and the responder may not be the original author.

This post shows how to write runbooks that actually get used: a structure that works under stress, what to include (and what to exclude), and how to keep runbooks accurate over time without turning documentation into a full-time job.

Core concepts

A runbook is not a brain dump. It’s a decision aid for a specific failure mode. When you write one, assume: the responder is tired, the system is changing, and every action has risk. Your goal is to provide clarity and safety.

The “critical path” and the “reference path”

Safety labels: READ-ONLY vs WRITE

Most incidents start with investigation. Your first steps should be read-only by default. When you include mutating actions, label them clearly and include guardrails.

Entry conditions and exit criteria

A runbook needs a clear “when to use this” section. Otherwise responders will either misuse it or ignore it. Equally important: define when you can stop (exit criteria) and when you should escalate.

• Entry condition: “Alert X firing for 5 minutes” or “p95 latency > Y for Z minutes”
• Exit criteria: “Errors < threshold for 10 minutes and backlog decreasing”
• Escalate when: “Customer impact confirmed” or “Mitigation doesn’t help within 15 minutes”

Runbooks must be attached to alerts

Search is unreliable during incidents. The best place for a runbook link is the alert payload itself (Pager/Slack/Email), with the same keywords as the alert title. If the runbook isn’t linked, it won’t be used consistently.

Step-by-step

This process produces a runbook that’s useful immediately and improves over time. Start with one incident pattern (one alert), ship the critical path, then iterate after each real incident.

Step 1 — Pick a single scenario (one alert, one runbook)

Don’t write “The Service Runbook.” Write “High error rate on Service” or “Database connections exhausted.” Specificity makes it usable.

• Choose the top 3 alerts by frequency or impact
• Write a runbook per alert (or per tightly related group)
• Ensure the runbook title matches the alert title (same keywords)

Step 2 — Use a standard template (so scanning works)

A consistent structure reduces “where do I look?” time. Here’s a compact Markdown template you can copy into a repo as RUNBOOK.md or runbooks/ALERT_NAME.md. Keep the critical path at the top.

# Runbook: High error rate — checkout-api

**Owner:** team-payments  
**On-call:** https://internal/oncall/team-payments  
**Dashboards:** https://internal/obs/d/checkout  
**Logs:** https://internal/logs?q=service:checkout-api  
**Last deploy:** https://internal/deployments/checkout-api  

## Entry conditions
- Alert: `checkout-api / http_5xx_rate_high` firing for 5 minutes
- Customer impact: elevated failures at /checkout

## Critical path (first 5 minutes)
**READ-ONLY**
1) Confirm impact (scope + time window)
   - Look for: 5xx rising, p95 latency rising, queue/backlog rising
2) Check recent deploys (last 60 minutes)
   - If deploy occurred: compare error rates before/after
3) Check dependency health (payments gateway, orders-db)
   - Look for timeouts, connection errors, rate limits

## Mitigations (timebox each to 10 minutes)
**WRITE (guardrails apply)**
A) Roll back last deploy (preferred if correlation is strong)
- Preconditions: deploy occurred within last 60 minutes and rollback is safe
- Verify: 5xx rate decreases within 5–10 minutes

B) Reduce load / fail open
- Actions: enable rate limiting, disable non-critical features, shed traffic
- Verify: error budget burn slows and latencies stabilize

## Verification (exit criteria)
- 5xx rate below threshold for 10 minutes
- p95 latency trending back to baseline
- Backlog decreasing

## Escalation
- Escalate immediately if: data loss risk, widespread outage, mitigation unsafe
- Include: incident timeline, dashboards screenshots/links, actions attempted

## Follow-up
- Create a ticket: root cause + prevention
- Update this runbook with new learnings (what worked, what didn’t)

Step 3 — Attach the runbook to the alert payload

Runbooks are most effective when they’re one click away. Add a Runbook URL field to alert annotations (or message templates) so responders don’t hunt for docs. Also ensure the alert includes the minimum diagnostic context.

Step 4 — Write read-only diagnostics as copy/paste commands

Commands are useful only if they’re safe and specific. Prefer read-only commands that give quick signal: is this a deploy issue, a dependency issue, capacity, or a config change?

# READ-ONLY triage (Kubernetes)
# Set these for your environment
NS="payments"
APP="checkout-api"

# 1) Are pods healthy and stable?
kubectl -n "$NS" get pods -l app="$APP" -o wide
kubectl -n "$NS" get deploy "$APP" -o wide
kubectl -n "$NS" describe deploy "$APP" | sed -n '1,120p'

# 2) Are there recent restarts or crash loops?
kubectl -n "$NS" get pods -l app="$APP" --sort-by=.status.containerStatuses[0].restartCount

# 3) What do recent logs say? (limit scope)
POD="$(kubectl -n "$NS" get pods -l app="$APP" -o jsonpath='{.items[0].metadata.name}')"
kubectl -n "$NS" logs "$POD" --since=10m | tail -n 200

# 4) Is the service responding internally?
kubectl -n "$NS" get svc "$APP" -o wide
kubectl -n "$NS" port-forward svc/"$APP" 18080:8080
# In another terminal:
# curl -sS http://localhost:18080/health
# curl -sS http://localhost:18080/ready

# 5) Quick dependency signal (example: DNS + connectivity from a pod)
kubectl -n "$NS" exec -it "$POD" -- sh -lc 'getent hosts orders-db; getent hosts payments-gateway'

Step 5 — Add one mitigation, then add guardrails

Runbooks become valuable when they include safe actions. Start with a mitigation that’s reversible and well understood: rollback, scale out, disable a feature flag, or reduce load. For every mitigation, add guardrails: when to do it, when not to do it, and how to verify.

• Preconditions: what must be true before you act?
• Blast radius: what might break or get worse?
• Stop conditions: when do you stop trying this?
• Verification: which metric/log confirms improvement?
• Rollback: how do you undo it?

Step 6 — Keep runbooks up to date (without heroics)

The biggest reason runbooks fail is rot. You can fight rot with small automation: validate required sections exist, ensure links aren’t obviously malformed, and keep ownership metadata current. A simple “runbook lint” check in CI catches many issues early.

#!/usr/bin/env python3
"""
runbook_lint.py - minimal checks to prevent runbook rot.

Usage:
  python runbook_lint.py path/to/RUNBOOK.md

Exit codes:
  0 = ok
  2 = lint failures
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

REQUIRED_HEADINGS = [
    r"^##\s+Entry conditions\b",
    r"^##\s+Critical path\b",
    r"^##\s+Mitigations\b",
    r"^##\s+Verification\b",
    r"^##\s+Escalation\b",
]

def main() -> int:
    if len(sys.argv) != 2:
        print("Usage: python runbook_lint.py path/to/RUNBOOK.md", file=sys.stderr)
        return 2

    path = Path(sys.argv[1])
    if not path.exists():
        print(f"File not found: {path}", file=sys.stderr)
        return 2

    text = path.read_text(encoding="utf-8", errors="replace")

    failures = []
    for pattern in REQUIRED_HEADINGS:
        if not re.search(pattern, text, flags=re.MULTILINE):
            failures.append(f"Missing heading: {pattern}")

    # Encourage safety labeling
    if "READ-ONLY" not in text:
        failures.append("Missing safety label: include 'READ-ONLY' steps in the critical path.")
    if "WRITE" not in text:
        failures.append("Missing safety label: include 'WRITE' mitigations with guardrails.")

    if failures:
        print("Runbook lint failed:")
        for f in failures:
            print(f"- {f}")
        return 2

    print("Runbook lint OK")
    return 0

if __name__ == "__main__":
    raise SystemExit(main())

Step 7 — Test runbooks like you test code

A runbook is “correct” only when it works during an incident. Schedule a short review cycle: once per quarter (or after every major incident), validate links, rerun key commands, and update mitigations.

Common mistakes

Most runbooks fail because they’re written like documentation, not like an operational tool. Here are the pitfalls that make runbooks unusable under pressure—and fixes that keep them practical.

FAQ

What should every runbook include?

At minimum: entry conditions, a “first 5 minutes” critical path (read-only checks), one or two mitigations with guardrails, verification/exit criteria, and escalation contacts. If any of those are missing, the runbook won’t be reliably usable during incidents.

How long should a runbook be?

The critical path should fit on one screen. You can add a reference section below for deeper diagnostics, but responders should be able to take meaningful action within 60–120 seconds of opening the page.

Where should we store runbooks?

Store them where they are easiest to find and keep up to date: commonly in the service repo (versioned with code) or in a service catalog that indexes ownership and links. Either way, the runbook should be linked directly from the alert payload.

Runbook vs playbook: what’s the difference?

A runbook is for fixing a specific technical failure mode. A playbook is for managing the incident process (roles, comms, severity, timelines). Most teams need both: playbooks keep coordination sane; runbooks reduce MTTR.

Do we need a runbook for every alert?

Not for every alert on day one. Start with alerts that are frequent, high-impact, or complex to debug. Over time, a healthy practice is: if an alert pages someone, it should have a linked runbook—even if the first version is short.

How do we keep runbooks from going stale?

Tie updates to reality: update within 24 hours after an incident, run a quarterly link/command check, and add lightweight automation (linting for required sections, ownership metadata). “Living docs” works when it’s part of the incident loop, not a separate initiative.

What makes “Runbooks That Actually Get Used” different from regular documentation?

They’re written for stressed responders: short, labeled for safety, full of specific links and copy/paste commands, and they include verification + escalation guidance. Regular documentation explains systems; runbooks move incidents forward.

Cheatsheet

Print this mentally. If your runbook meets these checks, it will be used more often and reduce time-to-recovery.

Wrap-up

Good runbooks aren’t “nice documentation.” They’re operational tooling: optimized for speed, safety, and clarity under stress. If you want runbooks that actually get used, focus on the critical path, label actions for safety, include verification, and attach the runbook to the alert.

If you’re building stronger operations, pair runbooks with solid observability, SLOs, and incident hygiene. The goal isn’t to eliminate incidents—it’s to recover quickly, safely, and consistently.

Related posts

• SRE Basics: SLIs, SLOs, Error Budgets in Plain English
• Centralized Logging: From ‘grep’ to Useful Dashboards
• Docker for Developers: Images, Layers, and Caching Explained
• Kubernetes Without Tears: Pods, Services, Ingress in One Story
• CI/CD That Stays Green: Pipeline Patterns That Scale
• GitOps Explained: Deployments You Can Roll Back With Confidence