Description
We've had a couple database-related outages in the past few weeks, all of which impacted the download endpoint of crates.io. That endpoint is the most important one in the application, as any error returned by it results in end-user or CI builds failing. To improve crates.io's resilience we need to make sure the endpoint works even without a database connection.
The two uses of a connection during a download are counting the downloads and canonicalizing the crate name, to ensure the user is redirected to the CDN path with the right capitalization and hyphenation. Cargo always provides the canonical name to the API though, so only during outages we can do unconditional redirects without affecting Cargo downloads.
Third-party clients that don't send the canonical name might get redirected to an invalid CDN path, but 0.00039% of the download requests we served in the past 48 hours would receive a wrong response (and none of those are Cargo builds). That's better than having downloads be down for everyone until the outage is fixed.
Needed steps:
- Move stuff that requires a database connection during startup to the release phase
  - Create `crates-admin migrate` to sync categories and migrate the db #3556
  - Ensure the release succeeds when the primary database is read-only #3562
- Change the downloads endpoint to do an unconditional redirect when the database is broken
  - Do unconditional redirects for downloads when the db is broken #3564
- Change the startup not to require a database
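
The fallback described in this issue, sketched as an added example (not crates.io's own code): canonicalize through the database when it answers, and redirect with the name exactly as sent when it does not. `Db`, the `cdn.example` host, the CDN path layout and the character check are assumptions made for illustration; the check stands in for the filtering that the database lookup no longer provides during an outage.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the database connection.
struct Db { available: bool, canonical: HashMap<String, String> }
struct DbUnavailable;

#[derive(Debug, PartialEq)]
enum Response { Redirect(String), NotFound }

// Capitalization and hyphenation are ignored when matching names.
fn normalize(name: &str) -> String { name.to_lowercase().replace('-', "_") }

impl Db {
    fn canonical_name(&self, requested: &str) -> Result<Option<String>, DbUnavailable> {
        if !self.available { return Err(DbUnavailable); }
        Ok(self.canonical.get(&normalize(requested)).cloned())
    }
}

// Assumed allow-list: without a DB lookup nothing else vets what lands in the URL.
fn safe(s: &str, extra: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || extra.contains(c))
}

// Assumed CDN layout with a placeholder host.
fn cdn_path(name: &str, version: &str) -> String {
    format!("https://cdn.example/crates/{0}/{0}-{1}.crate", name, version)
}

fn download(db: &Db, name: &str, version: &str) -> Response {
    if !safe(name, "-_") || !safe(version, "-_.+") { return Response::NotFound; }
    match db.canonical_name(name) {
        Ok(Some(canonical)) => Response::Redirect(cdn_path(&canonical, version)),
        Ok(None) => Response::NotFound,
        // Database broken: no canonicalization, no download counting,
        // redirect unconditionally with the name the client provided.
        Err(DbUnavailable) => Response::Redirect(cdn_path(name, version)),
    }
}

// Constructed sample data: one crate whose canonical name is "serde_json".
fn sample_db(available: bool) -> Db {
    let canonical = HashMap::from([(normalize("serde_json"), "serde_json".to_string())]);
    Db { available, canonical }
}

fn main() {
    for (up, name) in [(true, "Serde-JSON"), (false, "serde_json"), (false, "Serde-JSON")] {
        println!("db up={up} name={name}: {:?}", download(&sample_db(up), name, "1.0.0"));
    }
}
```

With the database down, a client that sends the canonical name gets the same redirect as before, while a non-canonical name is passed through to a CDN path that may not exist.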