recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(2pc): PC1 conservative prune — drop autoPrune --all, add gated surgical docker-prune

Browse Source 
Removes virtualisation.docker.autoPrune (daily `docker system prune --all` evicted in-use base
images → cold re-pull → Hub rate-limit churn, JOURNAL-2). Adds modules/docker-prune.nix: daily
timer + oneshot that prunes only dangling+until=24h, gated on disk pressure (>=80%) AND no run-app
live AND no swarm service converging; never --all, never --volumes. Teardown unchanged (never
removes images). Registry pull-through cache dropped per operator scope correction.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-29 09:29:54 +01:00
parent e42753c17c
commit 16d177e73a
6 changed files with 179 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
machine-docs/BACKLOG-2pc.md Normal file
View File

@ -0,0 +1,26 @@
# BACKLOG — Phase 2pc (sane image-prune policy)
SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase2pc-image-cache.md`.
Scope (post operator correction 2026-05-29): **PC1 prune policy + confirm local-store
retention/auth ONLY.** The registry:2 pull-through cache is **dropped** (deferred to IDEAS /
Phase 2b — revisit only if multi-node OR a measured cold-deploy bottleneck on recreate-surviving
storage).
## Build backlog
- [ ] **PC1 — Conservative prune policy.** Remove `virtualisation.docker.autoPrune` (`--all` evicts
in-use base images → forced cold re-pull → rate-limit). Replace with a surgical, gated prune:
dangling + `until=24h` only, NEVER `--all`/`--volumes`; gated on (a) genuine disk pressure
(`/` ≥ 80%), (b) no run-app stack live, (c) no swarm service converging (mid-pull). Teardown
already removes only services/volumes/secrets/.env — NOT images (verified) — keep it that way.
- [ ] **PC2 — Confirm local cache retained + authenticated.** Daemon stays PAT-authenticated
(`docker info` Username=nptest2, sops `dockerhub_auth``/root/.docker/config.json`); local
image store `/var/lib/docker` persists across runs/teardowns/reboots. No code change expected —
confirm + document.
- [ ] **PC3 — Verify + document.** Deploy → teardown → redeploy reuses local layers (no
re-download); disk bounded without `-af`. Update `docs/runbook.md` + `docs/` prune note;
record the policy + the dropped-registry-cache deviation in `DECISIONS.md`.
## Adversary findings
(Adversary owns this section.)