Hussein Nasser

Shopify increased their write throughput by 50% moving one of their MySQL keys from UUIDv4 to ULID.

But How?

When you make a purchase, Shopify guarantees idempotency by having the client uniquely tagging the request using UUID. If you accidentally replay the request and they check if the request exists or not and no-op.

UUIDs (at least version 4) are random while order placements are ordered, this leads to thrashing pages in and out of the buffer pool as it fills up dramatically slowing down writes.

Shopify replaced their primary key to ULID which is ordered and timestamped so now requests are chronologically ordered and as a result requests in a given time period live almost in the same pages and recent request (which is the common query) live in tail pages keeping those hot in memory.

Also worth mentioning that UUIDv7 and 8 are ordered and work as well, this is specific to UUIDv4.

Watch my full coverage on this amazing change, truly show engineers knowing what they are doing

The topic of UUID is surfacing again so I thought I’d share this again

https://lnkd.in/gdUwpDEU


—-
Get my fundamentals of database engineering to learn low level database internals https://databases.win

In interviews, I like to gauge the candidate’s knowledge and interest in certain topics. I found that a good conversational question for backend engineers is this:

what happens when the web server crashes while processing a request which has already connected to a database server, started a database transaction and sent few queries but didn’t yet commit?

It is a beautiful question that can lead to exploring backend communication protocols and networking.

And depending on how that goes I may change the discussion towards database internals by flipping the question.

What happens when the database server crashes while it’s in a middle of a transaction sent from a webserver server (backend server still running)?

I purposely don’t specify the database or protocol, this provides vast room for exploration of possibilities and it is what I enjoy the most.

Google is deprecating 3rd party cookies. What does that mean? I’ll try to break it down:

Those are cookies that are sent for sites other than the one you are currently in.

Say you went to facebook dot com and logged in. Your browser stores a cookie for the facebook domain such that if you visited it again it sends the cookie to the server so you are auto-logged in (given that HTTP is stateless and we need to transfer the state with every request, the ST in REST)

But the question is when should the browser send the cookie? The web consists of pages and each page has resources referenced by other domains.

Imagine you visited thepiratebay and in that site there is a javascript that makes a POST request to facebook to update your status. Given that you have a cookie with facebook, should the browser send the cookie along side the POST request? If that happens the piratebay will be able to post on your behalf to your facebook profile by just visiting it.

Now this is extreme and it’s practically solved with CORS (as long as the request requires a preflight OPTIONS), however sometimes you need to enable CORS in some situations (think of an API gateway) but prevent sending cookies from the cross site.

That is why Chome came up with the SameSite property back in 2020 which I covered in a video. The samesite cookie property controls when the browser should send the cookie if it belongs to another domain than the one you are currently In (the one that appears at the top of your browser address) here are the 3 different values for samesite.

samesite=lax (default) means only send the cookie when a user clicks a link and causes a top level navigation. So if you are on the piratebay and there is a link to facebook, clicking that link will take you to facebook and facebook will recognize you, because the cookie was sent.

samesite=strict: never send the cookie unless you are on the same site. So if you are on the piratebay and there is a link to facebook, clicking that link will take you to facebook but facebook will not recognize you. it will be as if you went incongito

samesite=none: this always sends the cookie as long as CORS allows it. So if you are on the piratebay and there is a link to facebook, clicking that link will take you to facebook and facebook will recognize you. Also if you have referenced an image from your private facebook album in the piratebay, visiting the piratebay will view that image as long as you are logged in to facebook.

The last one is the definition of 3rd party cookies. Those are getting deprecated by Google. So you can easily know if your website uses 3rd party cookies by looking for samesite=none and replace them by lax, of course things might break so you need to rewrite some code, or find another way to achieve the functionality.

Of course like CORS, third party cookie make no sense in non browser environments so curl or other CLI’s and backends aren’t affected by this.

Code with fewer lines is not always simple code.\n\nFewer lines of code often indicate an abstraction.\n\nAbstractions are not inherently simple; they create the illusion of simplicity.\n\nThey don’t remove complexity—they hide it.\n\nThis hidden complexity can cause engineers to lower their guard.\n\nEventually, abstractions leak this complexity to end users in unexpected ways:\n\nOften in the form of performance issues, latency, or high CPU and memory usage.\n\nDeep down, we know this.\n\nWrap a large block of code in a function call, and the client code appears simple.\nBut we know it’s not.\n\nPut that function in a library and ship it.\nNow, only you know the true nature of the code.\nThe developers using it don’t.\n\nThose devs build more software and libraries on top of it, creating further illusions of simplicity.\n\nThe same applies to frameworks, client libraries, APIs or even languages.\n\nThe best performance comes from fully understanding the intricacies and complexities of a system—\nAnd tuning them to your specific use case.\n\nAbstractions are most powerful when we understand what lies behind them.\n\nUse them, but never let your guard down.