claim(Q3.5): immich full lifecycle GREEN — P4 fixed via recipe-PR recipe-maintainers/immich#1 (recipe backed up NO database); 5 tiers + 3 custom pass, deploy-count=1, clean teardown
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -49,26 +49,10 @@ tree must carry:
|
||||
- **Q5** — Completeness + docs; flip `## DONE`.
|
||||
|
||||
## In flight
|
||||
**Q3.5 immich — P4 restore RED → fixing via recipe-PR (postgres backup) @2026-05-29T22:42Z.**
|
||||
Adversary (REVIEW-2 `af94708`) confirms immich P4 restore is RED + unsigned. Root cause (verified on
|
||||
cc-ci): immich's published recipe backs up NO DB — `backupbot.backup` is only on `app` (its sole
|
||||
volume `uploads` is excluded), and the `database`/postgres service has no backup label/pg_dump hook.
|
||||
DECISION: recipe-PR adds a `database`-service postgres backup (matrix-synapse `/pg_backup.sh`
|
||||
config-mount + backupbot pre/restore-hook pattern), NOT a §7.1 N/A (immich is the large-volume/data
|
||||
D10 recipe; data survival is its whole point).
|
||||
- **Mechanism VALIDATED** empirically on a live immich `database` container: seed ci_marker →
|
||||
`/pg_backup.sh backup` (pg_dump|gzip→backup.sql, 16.7MB) → drop → `/pg_backup.sh restore`
|
||||
(terminate conns + DROP DATABASE FORCE + createdb + reimport) → **ci_marker=original survives,
|
||||
vchord+vector extensions intact (2/2), immich-server reconnects + serves /api/server/version**.
|
||||
- **Recipe-PR opened:** `recipe-maintainers/immich#1` (mirror created + synced from upstream
|
||||
coop-cloud/immich main@7eb3937a + all 14 tags), branch `ci/pg-backup`, head
|
||||
`a846cf38dc14430d0d1b95553ce9c3c42e3b348a`. Adds `pg_backup.sh`, `abra.sh`
|
||||
(PG_BACKUP_VERSION=v1), and `compose.yml` database-service backupbot hooks + config-mount.
|
||||
- **Full-lifecycle run IN FLIGHT** against the PR head:
|
||||
`RECIPE=immich PR=1 REF=a846cf38… SRC=recipe-maintainers/immich` → `/root/ccci-immich-prbackup.log`.
|
||||
EXPECTED: install/upgrade/backup/restore/custom all pass; restore tier `test_restore_returns_state`
|
||||
now GREEN (ci_marker survives the recipe's real backup→restore). NOT yet claimed.
|
||||
Inbox consumed (`9b2ce09`): removed forgotten drone smoke stack+volume — node clean.
|
||||
**Q3.5 immich — ✅ FULL LIFECYCLE GREEN @2026-05-30 — CLAIMED (see ## Gate Q3.5), awaiting Adversary.**
|
||||
P4 restore gap (recipe backed up NO DB) fixed via recipe-PR `recipe-maintainers/immich#1`; all 5 tiers
|
||||
+ 3 custom green, deploy-count=1, clean teardown; log `/root/ccci-immich-prfull.log`. Inbox consumed
|
||||
(`9b2ce09`): removed forgotten drone smoke stack+volume — node clean.
|
||||
|
||||
**Q4.6 discourse — BLOCKED/DEFERRED @2026-05-29.** Upstream recipe pins `bitnami/discourse:*` images
|
||||
that Docker Hub no longer serves (manifest unknown; swarm task Rejected "No such image"). Image exists
|
||||
@ -210,6 +194,63 @@ SKIP no longer yields a GREEN `!testme`.
|
||||
|
||||
## Gate
|
||||
|
||||
**Gate: Q3.5 immich — CLAIMED @2026-05-30, awaiting Adversary.**
|
||||
|
||||
**WHAT.** immich (D10 object-storage / large-volume photo+video manager; self-contained: app +
|
||||
machine-learning + redis + postgres) runs its **full lifecycle GREEN** — install + upgrade (real
|
||||
prev→PR-head crossover) + backup + restore + custom — with the **P4 data-integrity gap fixed via
|
||||
recipe-PR `recipe-maintainers/immich#1`**.
|
||||
- **P4 (headline):** the *published* immich recipe backs up **NO database** (`backupbot.backup` only
|
||||
on the `app` service, all its volumes excluded; the `database`/postgres service unlabeled, no
|
||||
pg_dump hook) → a restore yielded an empty DB (silent total-metadata-loss bug). recipe-PR #1 adds a
|
||||
`database`-service postgres backup (matrix-synapse `/pg_backup.sh` config-mount + backupbot
|
||||
pre/restore hooks). With it the postgres `ci_marker` survives the recipe's real backup→restore:
|
||||
`tests/immich/test_restore.py::test_restore_returns_state` **PASS (was RED)**. The VectorChord
|
||||
(vchord+vector) extensions + all tables round-trip; immich-server reconnects after the FORCE-drop.
|
||||
- **P2 parity:** `health_check.py` → `functional/test_health_check.py`. `oidc_login.py` is
|
||||
authentik-specific → documented non-port (PARITY.md; operator SSO policy: keycloak default, immich
|
||||
OIDC optional, immich + the §4.3 asset flow work with a local admin and no SSO).
|
||||
- **P3 (≥2 SEPARATE recipe-specific functional tests):** `functional/test_asset_upload.py` (§4.3
|
||||
create-an-object: upload asset `POST /api/assets` → read back `GET /api/assets/{id}` IMAGE →
|
||||
thumbnail derivative `GET .../thumbnail`) + `functional/test_asset_processing.py` (a DISTINCT
|
||||
microservice path: poll until metadata-extraction populates `exifInfo` 1x1 dims, then
|
||||
`GET /api/assets/statistics` shows the asset catalogued — images/total≥1).
|
||||
- **P5/P6 N/A:** immich self-contained (no deps); characteristic behaviour covered functionally via
|
||||
the API (upload/derivative/metadata/catalog), no browser-only UX owed.
|
||||
|
||||
**HOW (Adversary, cold, on cc-ci):**
|
||||
```
|
||||
ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=immich PR=1 \
|
||||
REF=a846cf38dc14430d0d1b95553ce9c3c42e3b348a SRC=recipe-maintainers/immich \
|
||||
cc-ci-run runner/run_recipe_ci.py'
|
||||
```
|
||||
(the private mirror clone authenticates via the bridge gitea token fallback
|
||||
`/run/secrets/bridge_gitea_token` — no GITEA_TOKEN env needed.)
|
||||
|
||||
**EXPECTED:**
|
||||
- RUN SUMMARY: `deploy-count = 1 (expect 1)`; `install/upgrade/backup/restore/custom` **all pass**.
|
||||
- Upgrade: `upgrade→PR-head: head_ref=a846cf38 chaos-version=a846cf38 version=1.5.1+v2.6.3→
|
||||
1.6.0+v2.7.5` (HC1, real crossover; head_ref==chaos-version).
|
||||
- Restore: `tests/immich/test_restore.py::test_restore_returns_state PASSED` (P4 — ci_marker survives
|
||||
the recipe's DB backup→restore; without the recipe-PR this is RED).
|
||||
- Custom — **3 PASS**: `test_immich_processes_uploaded_asset_metadata_and_statistics`,
|
||||
`test_immich_upload_asset_readback_and_thumbnail`, `test_immich_returns_200`.
|
||||
- Clean teardown: post-run no `immi-*` stack/volumes/secrets.
|
||||
- The fix is the recipe-PR diff: `recipe-maintainers/immich#1` (head a846cf38) adds `pg_backup.sh`,
|
||||
`abra.sh` (PG_BACKUP_VERSION=v1), `compose.yml` database-service backupbot hooks + config-mount.
|
||||
(Negative control: `RECIPE=immich PR=0` — published recipe, no fix — restore tier FAILs
|
||||
`relation "ci_marker" does not exist`, the bug this PR repairs.)
|
||||
|
||||
**WHERE.** recipe-PR `recipe-maintainers/immich#1`, branch `ci/pg-backup`, head
|
||||
`a846cf38dc14430d0d1b95553ce9c3c42e3b348a` (mirror synced from upstream coop-cloud/immich
|
||||
main@7eb3937a + 14 tags). cc-ci tests: `tests/immich/{recipe_meta.py,PARITY.md,ops.py,test_install.py,
|
||||
test_backup.py,test_restore.py,functional/{test_health_check.py,test_asset_upload.py,
|
||||
test_asset_processing.py}}`. cc-ci commit `ecd770b` (P3 2nd test + PARITY + DECISIONS). DECISIONS.md
|
||||
"immich postgres backup recipe-PR". Authoritative log `/root/ccci-immich-prfull.log` (all 5 tiers + 3
|
||||
custom green, deploy-count=1, clean teardown). Mechanism-validation detail in JOURNAL-2.
|
||||
|
||||
---
|
||||
|
||||
**Gate: Q4.9 mailu — ✅ Adversary PASS @2026-05-29 (REVIEW-2 `2958eb6`).** Cold first-hand full
|
||||
lifecycle GREEN ×2: deploy-count=1, real upgrade crossover 3.0.0→3.0.1 (head_ref==chaos-version),
|
||||
2 non-vacuous P3 (unique-mailbox create→read-back + unique-marker postfix→dovecot delivery), clean
|
||||
|
||||
Reference in New Issue
Block a user