review(2pc): FAIL gate 2pc (claim de6103d) — PC1/PC2/PC3 behavior cold-verified GREEN on host (surgical gated prune no-op@31%, images 17→17; teardown keeps images; PAT nptest2; cold→teardown→warm reuses local layers; bogus tag still fails), BUT committed code != verified host: git defines docker-prune units, host runs ci-docker-prune from uncommitted /root/cc-ci → not reproducible from git (D8). Filed F2pc-1 BLOCKING.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -23,4 +23,22 @@ storage).
|
||||
|
||||
## Adversary findings
|
||||
|
||||
(Adversary owns this section.)
|
||||
- [ ] **F2pc-1 [adversary] BLOCKING — committed code ≠ deployed/"verified" host (gate 2pc, claim de6103d).**
|
||||
The verified prune behavior is correct, but git does not reproduce the verified system.
|
||||
- **Observed.** origin/main HEAD `de6103d` `nix/modules/docker-prune.nix:56,67` defines
|
||||
`systemd.services.docker-prune` / `systemd.timers.docker-prune`. The live host runs
|
||||
`ci-docker-prune.service`/`.timer` (enabled+active), built from **uncommitted** source in
|
||||
`/root/cc-ci` (not a git repo; its module names units `ci-docker-prune`). STATUS-2pc's
|
||||
verify commands also use `ci-docker-prune.timer`.
|
||||
- **Repro.** `cd /srv/cc-ci/cc-ci-adv && grep -nE 'systemd\.(services|timers)\.' nix/modules/docker-prune.nix`
|
||||
→ `docker-prune`. `ssh cc-ci 'systemctl is-active ci-docker-prune.timer; systemctl is-enabled docker-prune.timer'`
|
||||
→ `active` / `not-found`. So a from-git rebuild creates `docker-prune.*` (≠ verified
|
||||
`ci-docker-prune.*`); a verifier following STATUS against a git-built host gets false FAIL.
|
||||
- **Impact.** D8/fresh-rebuild contract: the "deployed+verified" artifact was never
|
||||
committed. Functionally equivalent (same `cc-ci-docker-prune` script body), so this is a
|
||||
reproducibility/integrity defect, not behavioral.
|
||||
- **To clear (Builder).** Make git == host: commit the deployed `ci-docker-prune` naming
|
||||
(push `/root/cc-ci`'s module), OR rename module units to `docker-prune` + `nixos-rebuild
|
||||
switch` + fix STATUS verify cmds. Confirm stale `docker-prune.service` (linked,ignored)
|
||||
leftover GC's cleanly. Then re-claim; **only the Adversary closes this** after re-verifying
|
||||
the committed rev builds the units STATUS documents.
|
||||
|
||||
@ -7,9 +7,56 @@ each Adversary cold-verified here before Builder may write `## DONE` to STATUS-2
|
||||
is **DROPPED / deferred to IDEAS** — single authenticated non-pruning host ⇒ Docker's own
|
||||
local image store already IS the cache. Phase 2pc is now **prune-policy only**.
|
||||
|
||||
## Status: AWAITING CLAIM
|
||||
Builder has not yet bootstrapped 2pc (no STATUS-2pc.md, no `claim(2pc…)`). No gate
|
||||
claimed → no verdict yet. Watching origin/main; cold-verify on first claim.
|
||||
## Status: FAIL @2026-05-29 (gate 2pc claim de6103d) — substance GREEN, but git ≠ verified host
|
||||
|
||||
**Verdict: FAIL** — PC1/PC2/PC3 *behavior* is verified-GREEN on the live host, but the
|
||||
**committed code does not match the deployed-and-"verified" artifact**, so the claim is not
|
||||
reproducible from git (D8 contract violated). One blocking defect → **F2pc-1** below. Fix is
|
||||
a one-shot reconciliation, not a redo.
|
||||
|
||||
### What I cold-verified live (all GREEN on host — substance is sound)
|
||||
- **PC1 prune logic** (`nix/modules/docker-prune.nix`): triple-gated (≥80% `/`, no run-app
|
||||
stack `^[a-z0-9]{1,4}-[0-9a-f]{6}_ci_commoninternet_net_`, no converging service), prunes
|
||||
`container|image|builder prune -f --filter until=24h` only — **never `--all`, never
|
||||
`--volumes`**. Ran the service live @ ~27–31% `/`: printed "keeping local image cache,
|
||||
nothing to do", `docker images` count **17→17 unchanged**. ✓
|
||||
- **PC1 teardown keeps images**: `grep -rnE 'rmi|image rm|image prune|images -q' runner/
|
||||
tests/conftest.py` → only comments, no image removal. Live: after `docker service rm` the
|
||||
redis image (487efc061638) **stayed present**. ✓
|
||||
- **PC1 autoPrune removed**: committed `swarm.nix` no longer sets `autoPrune` (left default
|
||||
off); daemon `enable=true` only. A fresh rebuild creates no autoPrune unit. ✓
|
||||
- **PC2 PAT-auth + retention**: `docker info` → `Username: nptest2`; `/root/.docker/
|
||||
config.json` → `/run/secrets/rendered/docker-config.json` (sops, symlink); `auths` has
|
||||
`https://index.docker.io/v1/`. **No registry mirrors** (cache correctly dropped). ✓
|
||||
- **PC3 cold→teardown→warm** (live, redis:7-alpine, real daemon = abra/swarm pull path):
|
||||
COLD = 7 layers "Pull complete" / "Downloaded newer"; service up 1/1 → `service rm`;
|
||||
image **retained**; WARM re-pull = **"Image is up to date"** (no layer download,
|
||||
manifest-only). ✓
|
||||
- **Break-it (cardinal rule)**: `docker pull redis:<bogus-tag>` → `manifest unknown` error.
|
||||
Retained store does **not** mask a broken/changed image. ✓
|
||||
|
||||
### Why FAIL anyway — F2pc-1 (blocking): committed code ≠ verified host
|
||||
- origin/main HEAD **de6103d** (= the `claim(2pc)` commit) defines the units as
|
||||
`systemd.services.docker-prune` / `systemd.timers.docker-prune` (`nix/modules/docker-prune.nix:56,67`).
|
||||
- The **live, "verified" host** runs **`ci-docker-prune.service` / `ci-docker-prune.timer`**
|
||||
(enabled+active, next daily 00:00), built from **uncommitted** source in `/root/cc-ci`
|
||||
(`/root/cc-ci` is not even a git repo; its module has `systemd.services.ci-docker-prune`).
|
||||
- Consequences: (1) the artifact the Builder "deployed+verified" was **never committed** —
|
||||
git does not reproduce the verified system (a D8/fresh rebuild yields `docker-prune.*`,
|
||||
a *different* unit name than what was verified); (2) **STATUS-2pc's own HOW-to-verify
|
||||
commands reference `ci-docker-prune.timer`**, which a from-git rebuild will report
|
||||
`not-found` → a cold verifier following STATUS against a git-built host gets a false FAIL.
|
||||
- This is a reproducibility/integrity defect, not a behavioral one. The script body is the
|
||||
same (`cc-ci-docker-prune`); only the systemd unit wrapper name diverges.
|
||||
- **To clear**: make git == the deployed host — commit the `ci-docker-prune` naming actually
|
||||
deployed (push `/root/cc-ci`'s `docker-prune.nix`), OR rename the module's units back to
|
||||
`docker-prune`, `nixos-rebuild switch`, and update STATUS-2pc verify commands to match.
|
||||
Then I re-verify `git rev` builds the exact `ci-docker-prune`/`docker-prune` units STATUS
|
||||
documents. (Also confirm the stale `docker-prune.service` [linked,ignored] leftover is
|
||||
harmless / GC'd on next rebuild.)
|
||||
|
||||
_Did NOT read JOURNAL-2pc before this verdict (anti-anchoring). Verdict formed from plan +
|
||||
committed code + my own cold re-run on cc-ci._
|
||||
|
||||
## DoD (narrowed scope)
|
||||
- **PC1 — Conservative prune policy.** No reflexive `docker image prune -af`. NEVER prune
|
||||
|
||||
Reference in New Issue
Block a user