Name
groundhog-operations: deploy, supervise, publish, maintain, and back up one instance.
Instance boundary
One service instance owns one configured data directory. Exactly one process owns its log writer; clients communicate over the configured Unix socket. The same deployment may be supervised by an SDK/application or by launchd, systemd, or another operator process manager. Both use the same binary, configuration, socket, writer lock, recovery path, and HTTP contract. Groundhog is passive toward source systems. Connectors, schedulers, agents, and action executors run outside it and retain their own credentials and cursors.First deployment
-
Initialize an empty directory:
-
Review
/srv/ground/acme/groundhog.toml, its token, and filesystem permissions. -
Start the service:
-
Wait for a successful routed request, not merely a lifecycle log line:
-
Configure connectors to submit stable idempotent batches to
POST /v1/events.
Supervision
Runserve as a foreground process. Let the supervisor own restart policy and capture standard
error. Send SIGTERM for planned shutdown and allow the process to exit before starting a
writer-owning maintenance command.
A supervisor should consider the instance ready only after a real authenticated routed request
succeeds. Socket-path existence or the serving ... diagnostic alone is insufficient.
If a bearer token is configured, health probes must include it. GET /v1/catalog verifies
routing plus the currently published warehouse. A replay request can additionally exercise log
reads when desired.
Command concurrency
Never try to work around a held writer by deleting
data/log/.lock. Stop the owning process and
wait for it to release the data directory.
Publication policy
The binary does not publish the warehouse automatically. Choose when query/catalog freshness should advance and run:- after a known connector sync completes;
- before a scheduled reporting or agent-analysis window;
- from an external periodic scheduler; or
- on demand when catalog/query freshness is required.
as_of_event_id with replay/log progress appropriate to the application.
Sealing policy
Sealing is manual and does not run on configured age/size thresholds. A planned maintenance window is:- stop
servewithSIGTERMand wait for exit; - run
groundhog seal; - optionally run
groundhog verify --chain; and - restart
serveand probe a routed endpoint.
seal exit 1. Treat that as “nothing to seal” only when the operator has
independently established that no pending work is expected; the CLI intentionally does not turn
it into success.
Sealing has no effect on query freshness and does not require a subsequent rebuild for logical
correctness.
Rebuilds
Runrebuild to replace derived state or prove it can be reconstructed:
Verification cadence
Structural verification is cheaper and useful for frequent checks:Monitoring
Monitor:- process exit and restart loops;
- routed API availability over the socket;
- HTTP 429 overload and
Retry-Afterbehavior; - HTTP 503 writer-poisoned responses, which require reopen;
- ingest 409 conflicts, which indicate batch-ID misuse;
- query/catalog receipt age relative to the application’s freshness requirement;
- verification exit status and failure code; and
- filesystem capacity for the durable log and warehouse publication.
Backups
The log is the backup-critical artifact; the warehouse is rebuildable. The binary does not include a backup command or online-copy protocol. Coordinate a filesystem snapshot/copy so it captures a coherent log state. A conservative manual procedure stops the writer, copies configuration plusdata/log/, restarts service, and validates
the copy in an isolated restore drill. Do not point two writers at the same copied directory.
A useful restore drill:
- restore to an isolated path;
- adjust only deployment-specific paths in the restored configuration if necessary;
- run structural and chain verification;
- run
rebuildto construct a fresh warehouse; and - serve on an isolated socket and compare receipts and known queries.
Upgrades
Before replacing a binary:- retain the previous pinned binary and a coherent backup;
- inspect release notes for storage reader/writer floors;
- run
verify --chainwith the current build; - stop the writer cleanly; and
- start the new build against one deployment at a time and probe public routes.