docs: partial recovery — add guide for host failure recovery and orphaned instance cleanup

[tsivaprasad]

Summary

This PR adds documentation for partial failure recovery (quorum intact) and improves node unavailability detection during force host removal operations.

Changes

• Add comprehensive disaster recovery guide for partial failure scenarios (docs/disaster-recovery/partial-recovery.md)
• Add ErrNodeUnavailable sentinel error for precise node unavailability detection
• Update WaitForService to detect stuck tasks due to unavailable nodes instead of relying on generic timeouts
• Update postgres_service.go to use the new sentinel error during service deletion
• Add CleanupInstance activity to clean up orphaned instance records when force-removing hosts

Testing

• Manually validated the partial failure recovery (quorum intact) workflow on a 3-node Docker Swarm cluster.
• Simulated permanent loss of a host-3 and Quorum state Intact (2 healthy hosts remained)
  Phase 1: Failed Host Removal (Verified)

✅ Step 1.1: Force Remove Host from Control Plane

Executed:

curl -X DELETE http://192.168.105.3:3000/v1/hosts/host-3?force=true

Observed:

• remove_host task created and completed
• Automatic database update task triggered for storefront
• All instances and subscriptions belonging to host-3 were removed
• Control Plane remained available throughout

Verified via:

curl /v1/hosts/host-3/tasks/<task-id>
curl /v1/databases/storefront/tasks/<task-id>

Matches documented behavior: forced host removal + automatic database cleanup

✅ Step 1.3: Docker Swarm Cleanup

On a healthy manager (host-1):

docker node ls
docker node demote lima-host-3
docker node rm lima-host-3 --force

Observed:

• Failed node removed from Swarm
• Swarm manager quorum preserved
• Remaining managers stayed Ready

Confirms documented Swarm cleanup procedure

Phase 2: Reduced-Capacity Operation (Verified)
✅ Step 2.1: Host Status Verification
curl http://192.168.105.3:3000/v1/hosts

Observed:

• Only host-1 and host-2 listed
• Both hosts healthy
• etcd quorum intact

✅ Step 2.2: Database Health Verification
curl http://192.168.105.3:3000/v1/databases/storefront

Observed:

Database state: available

• Instances:
  n1 on host-1
  n2 on host-2

• No references to host-3

✅ Step 2.3: Data Replication Verification

Executed:

• Inserted data on n2
• Verified visibility on n1

Observed:

• Writes succeeded
• Data replicated correctly

Confirms cluster remained fully operational with reduced capacity

Phase 3: Restored Host Preparation (Verified)
✅ Step 3.1: Clean Old Control Plane Data

On restored host-3:

sudo rm -rf /data/control-plane/*
ls -la /data/control-plane/

Observed:

• Directory fully empty
• No stale etcd state

✅ Step 3.2: Rejoin Docker Swarm (Manager)

From host-1:
docker swarm join-token manager

On host-3:
docker swarm join --token <TOKEN> 192.168.104.1:2377

Observed:

• Host rejoined Swarm successfully as manager

✅ Step 3.4: Redeploy Control Plane Stack
docker stack deploy -c /tmp/stack.yaml control-plane

Observed:

• Control Plane service started on host-3
• Service reached Running state

Verified via:

  docker service ps control-plane_host-3
  docker service logs control-plane_host-3

Phase 4: Control Plane Cluster Rejoin (Verified)
✅ Step 4.1: Generate Join Token
curl http://192.168.105.3:3000/v1/cluster/join-token

Response included:

• token
• server_url

✅ Step 4.2: Join Cluster from Restored Host

curl -X POST http://192.168.105.5:3000/v1/cluster/join \
  -H 'Content-Type:application/json' \
  --data '<join-token-json>'

Observed:

• Host successfully joined Control Plane cluster

✅ Step 4.3: Host Verification
curl http://192.168.105.3:3000/v1/hosts

Observed:

• host-3 present
• Status: healthy

Phase 5: Database Capacity Restoration (Verified)
✅ Step 5.1: Add Database Node Back

curl -X POST http://192.168.105.3:3000/v1/databases/storefront \
  -H 'Content-Type:application/json' \
  --data '{
    "spec": {
      "nodes": [
        {"name":"n1","host_ids":["host-1"]},
        {"name":"n2","host_ids":["host-2"]},
        {"name":"n3","host_ids":["host-3"]}
      ]
    }
  }'

Observed:

• New instance storefront-n3-* created
• Patroni + Spock configured automatically
• Database state transitioned modifying → available

✅ Step 5.3: Final Replication Verification

Executed:

• Inserted data on n3
• Verified data on n2

Observed:

• Data fully consistent across all three nodes

Verification Summary:

• Host failure handled without downtime
• Quorum preserved
• Database continued serving traffic
• Failed host safely removed and re-added
• Database capacity fully restored
• Replication integrity verified at every stage

Checklist

• Changelog

PLAT-313

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces partial recovery functionality for handling host failures in quorum-intact clusters. It adds comprehensive recovery documentation, implements a new CleanupInstance activity to remove orphaned database instances, integrates cleanup into host removal workflows, and enhances Docker task filtering for ready nodes.

Changes

Cohort / File(s)	Summary
Documentation changes/unreleased/Added-20260204-000115.yaml, docs/disaster-recovery/partial-recovery.md	Adds changelog entry and comprehensive recovery guide for partial failure recovery in 3-node clusters, including five-phase recovery workflow with concrete API endpoints, curl commands, and monitoring guidance.
Recovery Activity Implementation server/internal/workflows/activities/cleanup_instance.go	Introduces CleanupInstanceInput and CleanupInstanceOutput types, with ExecuteCleanupInstance and CleanupInstance methods to remove orphaned database instances via the database service.
Workflow Integration server/internal/workflows/activities/activities.go, server/internal/workflows/common.go	Registers the new CleanupInstance activity and integrates cleanup logic into host removal workflow, automatically calling ExecuteCleanupInstance when an instance resource is removed due to host failure.
Infrastructure server/internal/docker/docker.go	Adds readyNodeIDs helper to filter Docker tasks by ready node status, improving service deployment robustness during partial outages.

Poem

🐰 When hosts must gracefully depart,
Our cleanup sweeps with careful art,
Remove the orphaned instances clean,
Restore the cluster's healthy sheen,
Recovery's dance, now set to start!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: adding documentation for partial recovery and orphaned instance cleanup in host failure scenarios.
Description check	✅ Passed	The PR description follows the template structure with Summary, Changes, Testing, and Checklist sections; all major changes are documented with detailed testing evidence and a changelog entry reference.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch PLAT-313-recovery-approach-when-swarm-quorum-is-lost

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@docs/disaster-recovery/partial-recovery.md`:
- Around line 179-183: Replace the placeholder comments with concrete psql
commands that show how to insert test data on the primary and verify it on the
replica; for example, add a psql INSERT on n1 targeting the example database and
test_table (e.g., INSERT INTO test_table (id, value) VALUES (...)) and a psql
SELECT on n2 to confirm the replicated row (e.g., SELECT * FROM test_table WHERE
value = 'recovery_test'); ensure you include host/port/user flags (-h, -p, -U)
and use the same database name (example) and table name (test_table) as shown in
the suggested improvement so readers can run the steps end-to-end.
- Around line 413-416: Replace the placeholder comments "# Insert on n1" and "#
Verify on n3" with concrete psql commands: on the primary node run a psql
command to INSERT a test row into the example database (e.g., use psql -h host-1
-p 5432 -U admin -d example -c "INSERT INTO test_table (id, value) VALUES
(...);"), and on the restored node run a psql SELECT to verify the row exists
(e.g., psql -h host-3 -p 5432 -U admin -d example -c "SELECT * FROM test_table
WHERE value = '...';"); ensure the SQL matches the test_table schema and uses a
unique value (e.g., 'full_recovery_test') so the verification step is
unambiguous.

In `@server/internal/orchestrator/swarm/postgres_service.go`:
- Around line 171-185: The timeout branch currently falls through and lets
ServiceRemove proceed even though scale-down may not have completed; update the
isTimeoutError(err) case in the same function (the scale-down/ServiceRemove
sequence) to return a descriptive error instead of continuing, e.g., return an
error indicating the scale-down timed out (wrap the original err), so callers
must handle the timeout (until the TODO RemovingHosts/context distinction is
implemented); reference isTimeoutError, the scale-down logic, and the subsequent
ServiceRemove call when making the change.

🧹 Nitpick comments (1)

server/internal/workflows/activities/cleanup_instance.go (1)

27-31: MaxAttempts: 1 means no retries on transient failures.

With MaxAttempts: 1, any transient failure (network blip, etcd leader election) will fail the cleanup permanently. Consider allowing a small number of retries with backoff for resilience.

Optional: Allow limited retries

 	options := workflow.ActivityOptions{
 		Queue: utils.HostQueue(a.Config.HostID),
 		RetryOptions: workflow.RetryOptions{
-			MaxAttempts: 1,
+			MaxAttempts: 3,
 		},
 	}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@docs/disaster-recovery/partial-recovery.md`:
- Around line 271-273: Fix the typo and endpoint mismatches: remove the extra
slash in the curl invocation used to set JOIN_TOKEN so it calls
"/v1/cluster/join-token" (the line containing JOIN_TOKEN="$(curl
http://host-1:3000//v1/cluster/join-token)") and update the summary table
entries so they exactly match the routes used earlier—use
"/v1/cluster/join-token" for fetching the join token and "/v1/cluster/join" for
joining the cluster (also correct the same occurrences noted around lines
388-390).

In `@server/internal/docker/docker.go`:
- Around line 424-449: The checkNodesUnavailable function currently treats only
NodeStateDown and NodeStateUnknown as unavailable; update the availability check
in Docker.checkNodesUnavailable to also treat swarm.NodeStateDisconnected as
unavailable (i.e., include node.Status.State == swarm.NodeStateDisconnected in
the conditional alongside NodeStateDown and NodeStateUnknown) and update the
function comment to reflect "(status 'down', 'unknown' or 'disconnected')";
ensure you reference the NodeList call and the loop over nodes in
checkNodesUnavailable when making the change.

🧹 Nitpick comments (1)

docs/disaster-recovery/partial-recovery.md (1)

131-136: Add language identifiers to output blocks (markdownlint MD040).

The example output fences are missing a language. Adding text (or console) will satisfy MD040.

Example tweak

-```
+```text
 ID                            HOSTNAME      STATUS    AVAILABILITY   MANAGER STATUS
 4aoqjp3q8jcny4kec5nadcn6x *   lima-host-1   Ready     Active         Leader
 959g9937i62judknmr40kcw9r     lima-host-2   Ready     Active         Reachable
 l0l51d890edg3f0ccd0xppw06     lima-host-3   Down      Active         Unreachable

- +text
docker swarm join --token SWMTKN-1-xxx...xxx 10.0.0.1:2377

Also applies to: 222-224

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@server/internal/docker/docker.go`:
- Around line 424-432: The current loop swallows errors from
checkNodesUnavailable by continuing, which hides Docker API failures; change the
behavior in the block that calls d.checkNodesUnavailable(ctx, stuckNodeIDs) to
return the error (or wrap it with context) instead of continue so upstream sees
the real failure; update the call site that currently checks unavailable, err :=
d.checkNodesUnavailable(...) to handle err by returning fmt.Errorf("checking
node availability: %w", err) (or similar) and keep the existing
ErrNodeUnavailable return path when unavailable is true.

🧹 Nitpick comments (1)

docs/disaster-recovery/partial-recovery.md (1)

131-136: Add language identifiers to fenced output blocks (MD040).
Use text (or similar) to satisfy linting.

📝 Example fix

-```
+```text
 ID                            HOSTNAME      STATUS    AVAILABILITY   MANAGER STATUS
 4aoqjp3q8jcny4kec5nadcn6x *   lima-host-1   Ready     Active         Leader
 959g9937i62judknmr40kcw9r     lima-host-2   Ready     Active         Reachable
 l0l51d890edg3f0ccd0xppw06     lima-host-3   Down      Active         Unreachable

Also applies to: 222-224

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Don’t swallow node-list errors.
Continuing on checkNodesUnavailable errors hides persistent Docker API failures and turns them into a timeout instead of a root-cause error.

🔧 Suggested fix

-				if err != nil {
-					continue
-				}
+				if err != nil {
+					return fmt.Errorf("failed to check node availability: %w", err)
+				}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// If we have tasks that should be stopping, check if their nodes are unavailable
	if len(stuckNodeIDs) > 0 {
	unavailable, err := d.checkNodesUnavailable(ctx, stuckNodeIDs)
	if err != nil {
	continue
	}
	if unavailable {
	return fmt.Errorf("%w: tasks cannot stop because their nodes are down", ErrNodeUnavailable)
	}
	// If we have tasks that should be stopping, check if their nodes are unavailable
	if len(stuckNodeIDs) > 0 {
	unavailable, err := d.checkNodesUnavailable(ctx, stuckNodeIDs)
	if err != nil {
	return fmt.Errorf("failed to check node availability: %w", err)
	}
	if unavailable {
	return fmt.Errorf("%w: tasks cannot stop because their nodes are down", ErrNodeUnavailable)
	}

🤖 Prompt for AI Agents

In `@server/internal/docker/docker.go` around lines 424 - 432, The current loop
swallows errors from checkNodesUnavailable by continuing, which hides Docker API
failures; change the behavior in the block that calls
d.checkNodesUnavailable(ctx, stuckNodeIDs) to return the error (or wrap it with
context) instead of continue so upstream sees the real failure; update the call
site that currently checks unavailable, err := d.checkNodesUnavailable(...) to
handle err by returning fmt.Errorf("checking node availability: %w", err) (or
similar) and keep the existing ErrNodeUnavailable return path when unavailable
is true.

[jason-lynch]

Thanks for pinning down how this times out. I think we can improve this change a little bit. The way this is written, we're always going to call checkNodesUnavailable, so there's little point in making it conditional.

Instead, maybe we could add a method that returns a ds.Set of all node IDs where Status.State == swarm.NodeStateReady, like:

func (d *Docker) readyNodeIDs(ctx context.Context) (ds.Set[string], error)

And call it up here before we loop over the tasks. Then, we change our loop to skip tasks that aren't on a ready node:

			for _, t := range tasks {
						if !readyNodes.Has(t.NodeID) {
									continue
						}
						// ...
			}

That way, they don't count toward our running or stopping totals. We'll still time out if we're trying to run a task on an unavailable node, which is appropriate, and we'll exit early without having to return an error if we're trying to stop a task on an unavailable node. Then, you won't need the sentinel error or the empty case in postgres_service.go.