Skip to main content

Crate osproxy_control

Crate osproxy_control 

Source
Expand description

Control plane.

The operator/automation-driven side of the proxy (docs/06 §5): it owns the migration state transitions and the fleet-safe protocol that flips a partition’s placement without a window where any instance writes to the wrong cluster. It does not handle request traffic.

Proxy instances poll the shared placement backend fresh on every request (no cached migration decision), so the backend is the single synchronized source of truth. The ControlPlane drives migrations through that backend (the MigrationStore seam) and holds a drain barrier between cutover and completion so in-flight writes cannot land after the flip.

The in-memory backend is the M1 PlacementTable; distributed watched stores (etcd/Consul/Redis/OS index) implement the same MigrationStore contract in M7 without changing the control protocol.

It also owns CursorAffinity, the bounded, TTL’d cursor_id -> cluster map that pins scroll/PIT follow-ups to their creating cluster (docs/03 §6).

Structs§

ControlPlane
Drives a partition through its migration phases against a MigrationStore, enforcing the drain barrier between cutover and completion (docs/06 §5).
CursorAffinity
A bounded, TTL’d map from cursor id to the cluster that created it (docs/03 §6). Cloneable handles are not provided; wrap in an Arc to share.

Enums§

Affinity
Whether the proxy pins cursor follow-ups to the cluster that created them. Opt-in, off by default, deployments without cursors pay no state cost (docs/03 §6).
ControlError
Why a control-plane operation was refused.

Constants§

DEFAULT_CAPACITY
The default cap on live cursor bindings, bounding affinity memory (NFR-P).
DEFAULT_CURSOR_TTL
The default cursor-binding TTL: bindings expire on this keep-alive if not refreshed, matching a typical scroll/PIT lifetime.
DEFAULT_DRAIN_BARRIER
The default drain barrier: how long the controller holds after publishing Cutover before completing, so in-flight pre-cutover writes drain. Should be ≥ the sink’s upstream write timeout (30s, NFR-R7); set higher for safety.

Traits§

MigrationStore
The backend that holds and transitions the fleet’s placement state, the seam the proxy instances poll for reads and the controller drives for migration.