[fm] Introduce SitrepGuardedInsert.#10532
Open
mergeconflict wants to merge 1 commit into
Open
Conversation
mergeconflict
added
the
fault-management
This was referenced Jun 2, 2026
Add the `SitrepGuardedInsert` Diesel combinator and the
`SitrepGuardedResource` trait: a generic primitive for FM rendezvous to
insert a resource row idempotently and guarded against stale-sitrep
execution.
The combinator wraps a caller-supplied resource INSERT in a single CTE
statement that:
- aborts (StaleSitrep) unless the executor's expected generation still
equals the latest sitrep's generation column;
- short-circuits (AlreadyExists) if a creation marker already exists for
the resource id;
- on a successful insert, atomically writes a creation marker, gated by
`WHERE EXISTS (SELECT 1 FROM new_resource)` so a marker is never
fabricated for a pre-existing row.
All spliced SQL identifiers come from the trait's `&'static str` consts, so
the query is injection-safe. The result is surfaced as a
`SitrepGuardedInsertOutcome` of Created / AlreadyExists / StaleSitrep.
mergeconflict
force-pushed
the
mergeconflict/fm-sitrepguardedinsert
branch
from
6663e70 to
c6e5904
Compare
hawkw
reviewed
Jun 2, 2026
Comment on lines
+315
to
+326
| Err(e) => { | ||
| if matches_sentinel(&e, &[STALE_GENERATION_SENTINEL]).is_some() | ||
| { | ||
| Ok(SitrepGuardedInsertOutcome::StaleSitrep) | ||
| } else if matches_sentinel(&e, &[ALREADY_EXISTS_SENTINEL]) | ||
| .is_some() | ||
| { | ||
| Ok(SitrepGuardedInsertOutcome::AlreadyExists) | ||
| } else { | ||
| Err(e) | ||
| } | ||
| } |
Member
There was a problem hiding this comment.
style nit, feel free to ignore me: personally, I prefer to stuff the if conditions into the match arms so it feels less nested, like:
Suggested change
| Err(e) => { | |
| if matches_sentinel(&e, &[STALE_GENERATION_SENTINEL]).is_some() | |
| { | |
| Ok(SitrepGuardedInsertOutcome::StaleSitrep) | |
| } else if matches_sentinel(&e, &[ALREADY_EXISTS_SENTINEL]) | |
| .is_some() | |
| { | |
| Ok(SitrepGuardedInsertOutcome::AlreadyExists) | |
| } else { | |
| Err(e) | |
| } | |
| } | |
| Err(e) if matches_sentinel(&e, &[STALE_GENERATION_SENTINEL]).is_some() => { | |
| Ok(SitrepGuardedInsertOutcome::StaleSitrep) | |
| } | |
| Err(e) if matches_sentinel(&e, &[ALREADY_EXISTS_SENTINEL]).is_some() => { | |
| Ok(SitrepGuardedInsertOutcome::AlreadyExists) | |
| }, | |
| Err(e) => Err(e), |
| /// 5. `new_marker`: the marker INSERT, emitted inline by the | ||
| /// combinator using R's `&'static str` consts. This only runs when | ||
| /// `new_resource` actually produced a row. | ||
| fn walk_ast<'b>(&'b self, mut out: AstPass<'_, 'b, Pg>) -> QueryResult<()> { |
Member
There was a problem hiding this comment.
It would be nice to have an expectorate test (and maybe also an EXPLAIN test) for the kind of queries that this generates.
Comment on lines
+61
to
+66
| /// Column on `fm_sitrep` carrying this resource's generation counter. | ||
| const GENERATION_COLUMN: &'static str; | ||
| /// Creation table tracked alongside the resource. | ||
| const MARKER_TABLE: &'static str; | ||
| /// Resource-id column in the marker table. | ||
| const MARKER_ID_COLUMN: &'static str; |
Member
There was a problem hiding this comment.
I don't love that these are all just &'static strs that have to be the name of the table/column, which you could easily imagine someone typoing and silently breaking something. I wonder if we can instead use the generated diesel schema types, so that you could instead write something like
impl SitrepGuardedResource for nexus_db_model::Alert {
type MarkerTable = schema::rendezvous_alert_created::table;
type MarkerIdColumn = schema::rendezvous_alert_created::dsl::alert_id;
type GenerationColumn = schema::fm_sitrep::dsl::alert_generation;
}This way, you get the actual table name from the schema and can't mistype it --- and we can probably leverage diesel to enforce that MarkerIdColumn comes from the same table as MarkerTable?
I notice that this is what the DatastoreCollectionConfig trait does:
omicron/nexus/db-model/src/collection.rs
Lines 11 to 77 in 8341849
| /// turn the "row already exists" outcome into a hard error. | ||
| pub fn new( | ||
| resource_id: Uuid, | ||
| expected_generation: i64, |
Member
There was a problem hiding this comment.
i feel like this should probably be a Generation?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add the
SitrepGuardedInsertDiesel combinator and theSitrepGuardedResourcetrait: a generic primitive for FM rendezvous to insert a resource row idempotently and guarded against stale-sitrep execution.The combinator wraps a caller-supplied resource INSERT in a single CTE statement that:
The result is surfaced as a
SitrepGuardedInsertOutcomeofCreated/AlreadyExists/StaleSitrep.Context: #10248. This is used in #10533 and #10535 which are split out in hopes of making the review somewhat less miserable.