docs(#20): indeedhub fresh-create FIXED + verified on .228 (special-cases deleted + nginx caps); hook exec cgroup gap noted
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent ff8f11b87e
commit fdb465f8ac
@ -160,7 +160,26 @@ phases 2–6 (`dual-ecash-design.md`).
|
|||||||
frontend :7778 → 200, nostr-provider.js → 200, **/api/ → 200 (proves
|
frontend :7778 → 200, nostr-provider.js → 200, **/api/ → 200 (proves
|
||||||
network_aliases: frontend nginx `http://api:4000` resolved on indeedhub-net)**.
|
network_aliases: frontend nginx `http://api:4000` resolved on indeedhub-net)**.
|
||||||
Fleet healthy (36 containers, none down).
|
Fleet healthy (36 containers, none down).
|
||||||
**FRESH-CREATE PATH = BLOCKED (found live 2026-06-21).** Removed the stateless
|
**FRESH-CREATE PATH = FIXED + VERIFIED (2026-06-21).** Deleted the legacy
|
||||||
|
indeedhub orchestrator special-cases (`b73084db`, −382 lines: reconcile_indeedhub_stack,
|
||||||
|
start_indeedhub_backends, the 120s dependency-DNS gate, patch_indeedhub_nostr_provider,
|
||||||
|
etc.) so "indeedhub" flows through the generic install_fresh path. Then two live fixes
|
||||||
|
on .228: (1) frontend nginx needs `capabilities: [CHOWN,DAC_OVERRIDE,SETGID,SETUID]`
|
||||||
|
under the orchestrator's --cap-drop=ALL (workers died "setgid(101) failed"); manifest
|
||||||
|
fix `ff8f11b8`. (2) NOTE: manifest reload needs an archipelago restart (manifests
|
||||||
|
cached at startup) — a disk manifest edit alone won't take. RESULT: frontend
|
||||||
|
fresh-creates via install_fresh, caps applied, post_install hook FIRES
|
||||||
|
(copy_from_host nostr-provider.js ✅), UI 200 (/, /nostr-provider.js, /api/).
|
||||||
|
**KNOWN GAP (general hook capability, NOT blocking indeedhub):** the post_install
|
||||||
|
`exec` steps fail via `podman exec` from the archipelago.service systemd cgroup
|
||||||
|
(`crun: write cgroup.procs: Permission denied / OCI permission denied`). Harmless
|
||||||
|
here (image bakes the nginx config so the exec steps are no-ops; copy_from_host is
|
||||||
|
the one that matters and works). FIX = wrap the hook executor's `podman exec` in a
|
||||||
|
transient user scope (`systemd-run --user --scope`, like `podman_user_scope`) in
|
||||||
|
core/archipelago/src/container/hooks.rs::run_podman. Do before relying on exec hooks
|
||||||
|
for an app whose image does NOT pre-bake its mutations.
|
||||||
|
|
||||||
|
PRIOR (now resolved) — was: **FRESH-CREATE PATH = BLOCKED (found live 2026-06-21).** Removed the stateless
|
||||||
frontend + reinstalled to exercise install_fresh → it FAILED:
|
frontend + reinstalled to exercise install_fresh → it FAILED:
|
||||||
`orchestrator stack install indeedhub failed at app indeedhub: IndeedHub
|
`orchestrator stack install indeedhub failed at app indeedhub: IndeedHub
|
||||||
dependencies were not ready within 120s (indeedhub-api dependency DNS not ready)`,
|
dependencies were not ready within 120s (indeedhub-api dependency DNS not ready)`,
|
||||||
|
|||||||
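Review bot: the capability list for the frontend nginx, `capabilities: [CHOWN,DAC_OVERRIDE,SETGID,SETUID]`, is justified in the added text only by the worker failure "setgid(101) failed", which accounts for SETGID and SETUID but not for CHOWN or DAC_OVERRIDE. Since the orchestrator runs the container under --cap-drop=ALL, record which failure each of the other two capabilities addresses, or state that they were not tested individually, so a later reader can tell whether the set is minimal. Two smaller points in the same paragraph: "two live fixes" is followed by one fix and one NOTE about manifest caching, so the count should be reworded; and the RESULT line says the post_install hook FIRES while the KNOWN GAP paragraph says its `exec` steps fail with "Permission denied", so the RESULT line should say that only the copy_from_host step succeeded.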