Skip to main content

BootSentinel

kanade_shared::boot_sentinel

Struct BootSentinel

pub struct BootSentinel { /* private fields */ }

Expand description

Per-role boot guard. Construct once at the top of main().

Implementations§

impl BootSentinel

pub fn new(data_dir: &Path, exe: PathBuf, version: impl Into<String>) -> Self

data_dir holds the sentinel/quarantine state; exe is the live binary path (std::env::current_exe() in production); version is this binary’s own version string.

pub fn check_on_boot(&self, max_attempts: u32) -> BootDecision

Call FIRST in main(), before anything that can crash.

No sentinel → Proceed.
Sentinel for a different version (we already rolled back, or last-good is now live) → clear it, Proceed.
Sentinel for THIS version → bump attempts; attempts 1..=max_attempts Proceed, and the first that EXCEEDS max_attempts rolls back to .last-good + quarantines the bad version and returns RolledBack.

pub fn confirm_healthy(&self) -> Result<()>

Call once the process is confirmed healthy (backend: serving; agent: NATS connected + first heartbeat). Promotes the live exe to .last-good and clears the sentinel, so this version becomes the rollback target for the next swap.

pub fn arm_for_swap(&self, current_exe: &Path, new_version: &str) -> Result<()>

Call at swap time (deploy / self-update), before restarting into the new binary. Snapshots the CURRENT (outgoing, known-good) exe to .last-good and writes a fresh sentinel for new_version so the next boot is gated.

current_exe is the still-running good binary (copy it now, before it’s overwritten by the swap).

pub fn is_quarantined(&self, version: &str) -> bool

True if version was rolled back after a failed boot. The self-update path consults this before swapping so a bad rollout target isn’t re-attempted in a loop.

pub fn quarantined_versions(&self) -> Vec<String>

Every quarantined version (#582 Phase 2). The agent reports these in its heartbeat so the SPA rollout view can flag which PCs failed to adopt a target.

pub fn clear_quarantine(&self, version: &str) -> Result<()>

Drop version from quarantine (operator re-published a fixed binary under the same version string).

Auto Trait Implementations§

impl Freeze for BootSentinel

impl RefUnwindSafe for BootSentinel

impl Send for BootSentinel

impl Sync for BootSentinel

impl Unpin for BootSentinel

impl UnsafeUnpin for BootSentinel

impl UnwindSafe for BootSentinel

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
where ST: ?Sized, DT: ?Sized,

impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
where ST: ?Sized, DT: ?Sized,

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more

impl<T> Read<Exclusive, BecauseExclusive> for T
where T: ?Sized,

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more