Chapter DCanary deploy labPage 5 of 8

Canary deploy lab

Design retries, degradation, and recovery

Build a containerized answer API releasing image v2 beside stable image v1 through weighted routing as an operable release, not a slide-deck example.

~14 minFailure handling

1Try it yourself

Playground

Canary deploy desk

Split traffic, watch metrics, rollback or promote — never big-bang without a safety net.

Route 10% traffic to v2

Before you start

Why this matters

Before changing code, write the single production outcome this chapter must prove and the signal that would stop you. For this lab, the service boundary is both revisions expose identical /answer, /live, and /ready contracts and emit revision, request_id, latency_ms, and groundedness. Record one request identifier you can follow from ingress through the final decision. If you cannot name the owner of the stop decision, the rollout is not yet controlled.

The source runbook keeps v1 as the instant rollback target and compares latency, errors, and groundedness before promotion. This chapter turns that compact lesson into implementation evidence. The running scenario is a containerized answer API releasing image v2 beside stable image v1 through weighted routing. You will keep the same scenario across all eight chapters so setup decisions, tests, telemetry, and rollback controls accumulate into one coherent system rather than eight disconnected exercises.

2Learn the idea

Read

Classify before retrying

Map failures into invalid input, unauthorized action, transient dependency failure, permanent dependency rejection, internal defect, and ambiguous outcome. Retry only transient failures, with exponential backoff, jitter, a strict attempt cap, and an overall deadline shorter than the caller’s timeout. Invalid signatures, authorization failures, and schema errors are not retryable. An ambiguous side effect requires an idempotency lookup before another attempt.

The known hazards are low canary volume, cache warming bias, unequal request mixes, shared dependency failures, and automation promoting on missing data. Pick three and inject them locally. For each, record expected HTTP behavior, durable state, user-facing response, alert, and operator action. A handled failure is not merely caught; it leaves the system in a state an operator can explain and recover.

Read

Add bounded degradation

Define a degraded mode that removes risky capability while preserving honest service. Never convert unavailable evidence into a confident answer. Return a typed temporarily_unavailable, serve a known-safe control, accept to a durable inbox, or create a human handoff as appropriate. Include a retry-after hint only when the service can support it.

Use a circuit breaker around a failing dependency to prevent retry storms. The breaker should open on a rolling failure threshold, permit a small number of probes after a cool-down, and emit state transitions. Bulkhead concurrency so one slow provider cannot consume every worker. Queue consumers need maximum attempts and a dead-letter destination with a replay procedure.

Read

Practice recovery

Execute the operational rollback: route zero traffic to v2, preserve its logs and image digest, and confirm v1 capacity before terminating v2. Measure time from the first injected breach to restored safe behavior. Confirm new requests use the safe path, in-flight requests are drained or completed according to contract, and no durable work is lost. Preserve the failed revision’s logs, configuration, and fixtures for diagnosis.

After rollback, reconcile ambiguous records. Compare ingress IDs with completion or outcome IDs, identify duplicates and gaps, and repair using an idempotent replay command. The replay command must support dry-run, bounded batches, and an operator-supplied reason. Never repair production by manually editing rows without an audit record.

Read

Exit criteria

This chapter passes when every classified failure has a deterministic disposition, retries are bounded, degradation is truthful, and rollback is rehearsed rather than merely documented. Save timestamps and commands from the drill. If recovery requires the original author’s memory, the system is not operable.

Read

Implement the safe failure branch

Make the disposition executable. This handler converts canary_guardrail_breached into a bounded response and never retries a policy or contract failure. The reason is safe for logs; detailed dependency text stays in a protected trace.

from dataclasses import dataclass

@dataclass(frozen=True)
class Recovery:
    action: str
    retryable: bool
    retry_after_seconds: int | None

def recover(kind: str, attempts: int) -> Recovery:
    if kind == "canary_guardrail_breached":
        return Recovery("traffic.v1=100 traffic.v2=0", False, None)
    if kind == "transient_dependency" and attempts < 3:
        return Recovery("retry_with_jitter", True, 2 ** attempts)
    return Recovery("hold_and_escalate", False, None)

Exercise the branch against the local service and capture both the control action and request identity. The expected result proves safe behavior without erasing evidence.

$ curl -sS -H 'X-Debug-Failure: canary_guardrail_breached' http://localhost:8000/answer
{"status":"degraded","action":"traffic.v1=100 traffic.v2=0","retryable":false}
$ curl -sS http://localhost:8000/answer
{"status":"ok","request_id":"fixture-001","revision":"stable"}

A generic 500 means classification is incomplete; do not add broad retries. If recovery says success but the second response still names the failed revision, routing or cache invalidation is incomplete. Preserve the identity, old configuration digest, and rollback timestamp before replaying ambiguous work.

Checking tutor…

Continue learning · glossary & guides