Discord Rebuilds ScyllaDB Operations with Scylla Control Plane to Automate Cluster Management

Discord has replaced slow, ad hoc database maintenance with a new internal orchestration framework called the Scylla Control Plane (SCP) to automate ScyllaDB cluster operations that previously required days of manual work. The Persistence Infrastructure team, which runs dozens of ScyllaDB clusters containing hundreds of nodes that store core platform data-messages, channels and servers — now delegates rolling upgrades, capacity expansion and node recovery to SCP, reducing the hands — on burden and the risk of human error.

SCP is a generalized automation engine built from reusable tasks, composable workflows and resumable jobs. Engineers declare cluster — wide operations in YAML and the framework executes them while enforcing safety checks, retries, dependency validation, concurrency controls and rollback protections. By moving procedures out of brittle scripts into a consistent, declarative model, Discord can extend the same operational approach across many maintenance scenarios without bespoke tooling for each case.

The framework was designed to address three specific failure modes in the prior tooling: unsafe execution order, poor recovery after interruptions, and difficulty extending automation. SCP introduces explicit preconditions, error classification, webhook — driven alerting and configurable parallelism to mitigate those risks. It persists job state using SQLite so workflows can be resumed safely after failures and interrupted steps can be retried without corrupting cluster state.

A notable capability is automated shadow cluster management. Shadow clusters are temporary, full-production replicas that receive real traffic to validate upgrades and infrastructure changes before they affect live clusters. SCP automates provisioning, replication setup, validation and teardown for these environments, converting processes that once consumed more than a day of engineer attention into largely unattended workflows.

The changes are driven by scale: edge cases that surface only under heavy traffic or after every node has been updated exposed limits in the older tooling. SCP enforces operational safety with idempotent tasks and policy controls — examples include rules such as “never restart nodes across multiple availability zones simultaneously” to protect quorum — and thereby reduces the chance of outages caused by unsafe concurrent actions.

For platform builders and operators, the practical implications are concrete: lower cognitive load, repeatable declarative operations, resumable jobs backed by persisted state, and reduced operational risk when running a distributed database at hyperscale. By formalizing safety and recovery in the control plane, Discord has turned many formerly manual, error — prone procedures into automated, auditable workflows.