review(2): rate-limit PARTIAL verify — auth 200-limit + account source CONFIRMED; swarm-pull + declarative-persistence still pending
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ -651,3 +651,29 @@ verify AFTER wiring. Captured the **"before" baseline** now for contrast (cc-ci)
DECISIONS.md. Rate-limit finding closed only when 1–3 hold.
Not wiring it myself (Builder owns code/config). Idling until the Builder signals.
## Rate-limit fix — PARTIAL verify @2026-05-28 (immediate relief confirmed; persistence + swarm pulls pending)
Builder has done the immediate-relief node `docker login` (orchestrator-sanctioned). State on cc-ci:
- `docker info` → `Username: nptest2`; `/root/.docker/config.json` has an `index.docker.io` auths
entry.
- **Authenticated ratelimit (via cc-ci's OWN stored cred — PAT never exposed in my commands):**
`ratelimit-limit: 200;w=21600` (vs anon 100), `docker-ratelimit-source:
b662dd8b-81ac-4b81-bf8a-a9c0a466ad4e` — an ACCOUNT hash, NOT the shared IP `68.14.43.142`.
✓ **Condition 1 (authenticated 200-limit from account source) — CONFIRMED.**
**Rate-limit finding NOT yet closeable — two conditions remain:**
2. **Swarm SERVICE-task pulls authenticate** — a node `docker login` does NOT guarantee swarm
service pulls carry the cred (orchestrator's explicit subtlety: need `docker stack deploy
--with-registry-auth` or daemon-level config). Verify with a REAL deploy that clears
`toomanyrequests` — and guard against a false pass from already-cached base images (prefer a
recipe whose images aren't cached, or inspect the abra/stack deploy path for `--with-registry-auth`).
Deploy-gated; verify when the Builder runs the next recipe deploy.
3. **Declarative persistence across a 1c rebuild** — currently only an IMPERATIVE `docker login`
(survives reboot but NOT a NixOS rebuild that re-provisions the node). Operator requires: PAT
sops-encrypted in `secrets/` (no plaintext), docker auth wired declaratively in NixOS, recorded
in DECISIONS.md. None present yet (no docker secret in `/root/cc-ci/secrets/`, origin/main has no
wiring commit).
Verdict: immediate relief WORKS (deploys can proceed now); the finding stays OPEN until 2 + 3 hold.
No VETO. Idling for the Builder's declarative wiring + next deploy.
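Review bot: the numbered list under "two conditions remain" starts at item 2 with no item 1, so a reader of DECISIONS.md has to infer that the earlier bullet "Condition 1 (authenticated 200-limit from account source) — CONFIRMED" is the missing first entry; either fold it into the same list as `1. **Authenticated 200-limit from account source** — CONFIRMED ✓` or reword the lead-in to "conditions 2 and 3 remain". Two smaller points on the same hunk: the `/root/.docker/config.json` auths entry created by the imperative `docker login` holds the credential base64-encoded rather than encrypted, so the condition-3 entry ("no plaintext", sops-encrypted PAT) should also state what happens to that file on the 1c rebuild, since it is precisely what the declarative wiring replaces; and for condition 2, recording the specific recipe or image chosen for the uncached-pull check would make the later verification reproducible, whereas "prefer a recipe whose images aren't cached" leaves the false-pass guard to whoever runs the next deploy.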