Design doc: embed Litestream replication for sqlite-rest #121
Co-authored-by: bcho <1975118+bcho@users.noreply.github.com>
bcho left a comment
> ### High-level flow
>
> 1. **Configuration** (new `ReplicationOptions`):
Change to consume the Litestream configuration file here to minimize the deltas.
Updated to prefer a Litestream YAML config via --replication-config so sqlite-rest changes stay minimal. (f01868e)
> - `--replication-restore-lag` (duration, default `0` meaning no lag allowed; used during startup restore decisions to tolerate a small amount of staleness between the local DB and the replica before forcing a restore).
> - Env var mirrors for container use (e.g., `SQLITEREST_REPLICATION_ENABLED`, etc.).
>
> 2. **Restore before serving**:
Describe the behavior of diverging from the remote backup.
Added divergence behavior: default fail-fast on lineage mismatch with remote, operator can force-restore or allow degraded if they accept overwrite risk. (f01868e)
> ## Open questions
>
> - Should we expose multiple replicas at launch or keep single-replica until requested?
Multiple replicas of what? Please clarify.
Clarified this means multiple remote destinations for the same SQLite DB via Litestream; initial scope remains single replica. (f01868e)
remove this question as we have the answer
Removed the answered question about multiple replicas; doc now just states initial scope is single replica with Litestream config controlling replicas. (d41a7dd)
Removed the answered question; doc reflects single-replica initial scope with Litestream config controlling destinations. (d41a7dd)
> ## Open questions
>
> - Should we expose multiple replicas at launch or keep single-replica until requested?
> - How strict should startup be when replication is enabled but the remote is unreachable? **Recommendation:** fail fast by default to avoid running without configured durability, with an explicit `--replication-allow-degraded` escape hatch if operators need to accept the data-loss risk.
Agree with this decision, but we should refine the CLI flag experience.
Flag UX is now minimal: enable + config path, optional restore-from/allow-degraded; all other tuning stays in the Litestream config. (f01868e)
remove this question
Removed the resolved question; CLI UX stays minimal via enable + config path, optional restore-from. (d41a7dd)
Removed the resolved question per feedback. (d41a7dd)
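The startup decision the threads above settle on (restore before serving, fail fast on an unreachable remote with `--replication-allow-degraded` as the only escape hatch, fail fast on lineage divergence unless the operator forces a restore or accepts degraded mode, and `--replication-restore-lag` as the tolerated staleness), written out as an added Go example; this is not code from the PR, sqlite-rest or Litestream, and the `ReplicationOptions`/`DBState` field names, the `ForceRestore` flag name and the string action values are assumptions.

```go
package main

import "errors"
import "time"

// ReplicationOptions mirrors the minimal flag set from the review thread; field names are assumed.
type ReplicationOptions struct {
	Enabled       bool          // --replication-enabled
	ConfigPath    string        // --replication-config (Litestream YAML); presence validated at flag parsing
	AllowDegraded bool          // --replication-allow-degraded escape hatch
	ForceRestore  bool          // assumed name for the "force-restore" override on divergence
	RestoreLag    time.Duration // --replication-restore-lag; 0 = no staleness tolerated
}

// DBState describes one copy of the database (the local file or the remote replica).
type DBState struct {
	Present     bool      // local: file exists; remote: replica reachable
	Generation  string    // Litestream lineage id
	LastUpdated time.Time // newest replicated position
}

// Startup actions returned by DecideStartup; an empty action with a non-nil error means "refuse to serve".
const (
	ServeLocal         = "serve-local"    // local DB is current enough
	RestoreFromReplica = "restore"        // overwrite the local DB from the replica before serving
	ServeDegraded      = "serve-degraded" // serve without the configured durability guarantee
)

// DecideStartup: fail fast by default, degrade only when allowed, restore over a diverged local DB only when forced.
func DecideStartup(opts ReplicationOptions, local, remote DBState) (string, error) {
	switch {
	case !opts.Enabled:
		return ServeLocal, nil
	case !remote.Present && opts.AllowDegraded:
		return ServeDegraded, nil
	case !remote.Present:
		return "", errors.New("remote unreachable; refusing to run without configured durability")
	case !local.Present:
		return RestoreFromReplica, nil
	case local.Generation != remote.Generation && opts.ForceRestore:
		return RestoreFromReplica, nil
	case local.Generation != remote.Generation && opts.AllowDegraded: // operator accepts overwriting the remote lineage
		return ServeDegraded, nil
	case local.Generation != remote.Generation:
		return "", errors.New("local DB lineage diverges from remote; refusing to start")
	case remote.LastUpdated.Sub(local.LastUpdated) > opts.RestoreLag: // same lineage, but too stale
		return RestoreFromReplica, nil
	}
	return ServeLocal, nil
}
```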
> - Should we expose multiple replicas at launch or keep single-replica until requested?
> - How strict should startup be when replication is enabled but the remote is unreachable? **Recommendation:** fail fast by default to avoid running without configured durability, with an explicit `--replication-allow-degraded` escape hatch if operators need to accept the data-loss risk.
> - What are the sensible defaults for snapshot/retention to balance durability and cost?
Default to disabling this feature; delegate the detailed settings to the Litestream config.
Documented that replication stays disabled by default and detailed settings are delegated to the Litestream config file. (f01868e)
remove this question
Removed the answered question; defaults remain disabled with detailed settings delegated to the Litestream config. (d41a7dd)
Removed the remaining question; open questions now only cover sensible defaults for snapshot/retention. (d41a7dd)
bcho left a comment
> 1. **Configuration** (new `ReplicationOptions`):
> - `--replication-enabled` (bool, default false).
> - `--replication-config` (string, path to Litestream YAML config; preferred path to keep sqlite-rest changes minimal and delegate detailed tuning like snapshot/retention/replicas to Litestream).
> - `--replication-restore-from` (optional override to restore from a different replica URL; if omitted, use the primary replica from the Litestream config).
remove --replication-restore-from flag
Removed the --replication-restore-from flag; minimal flags are now enable + config path. (61a3a12)
> - `--replication-config` (string, path to Litestream YAML config; preferred path to keep sqlite-rest changes minimal and delegate detailed tuning like snapshot/retention/replicas to Litestream).
> - `--replication-restore-from` (optional override to restore from a different replica URL; if omitted, use the primary replica from the Litestream config).
> - Env var mirrors for container use (e.g., `SQLITEREST_REPLICATION_ENABLED`, `SQLITEREST_REPLICATION_CONFIG`, etc.).
> - Recommended CLI UX: keep flags minimal (`--replication-enabled`, `--replication-config`, optional `--replication-restore-from`) and leave all other Litestream knobs to the config file.
drop this line
Dropped the UX line tied to the removed flag; doc reflects only enable + config path. (61a3a12)
The issue requests a design for embedding Litestream’s Go library to add replication/restore to sqlite-rest without altering the REST API.
`--replication-config` (minimal sqlite-rest flags: enable/config path); detailed tuning (snapshot/retention/replicas) delegated to the Litestream config; least-privilege S3 IAM notes; multi-replica refers to multiple remote destinations for the same DB, with initial scope single. Example lifecycle sketch: