review(2pc): FAIL gate 2pc (claim de6103d) — PC1/PC2/PC3 behavior cold-verified GREEN on host (surgical gated prune no-op@31%, images 17→17; teardown keeps images; PAT nptest2; cold→teardown→warm reuses local layers; bogus tag still fails), BUT committed code != verified host: git defines docker-prune units, host runs ci-docker-prune from uncommitted /root/cc-ci → not reproducible from git (D8). Filed F2pc-1 BLOCKING.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ -23,4 +23,22 @@ storage).
## Adversary findings
## Adversary findings
(Adversary owns this section.)
- [ ] **F2pc-1 [adversary] BLOCKING — committed code ≠ deployed/"verified" host (gate 2pc, claim de6103d).**
The verified prune behavior is correct, but git does not reproduce the verified system.
- **Observed.** origin/main HEAD `de6103d` `nix/modules/docker-prune.nix:56,67` defines
`systemd.services.docker-prune` / `systemd.timers.docker-prune`. The live host runs
`ci-docker-prune.service`/`.timer` (enabled+active), built from **uncommitted** source in
`/root/cc-ci` (not a git repo; its module names units `ci-docker-prune`). STATUS-2pc's
verify commands also use `ci-docker-prune.timer`.
- **Repro.** `cd /srv/cc-ci/cc-ci-adv && grep -nE 'systemd\.(services|timers)\.' nix/modules/docker-prune.nix`
→ `docker-prune`. `ssh cc-ci 'systemctl is-active ci-docker-prune.timer; systemctl is-enabled docker-prune.timer'`
→ `active` / `not-found`. So a from-git rebuild creates `docker-prune.*` (≠ verified
`ci-docker-prune.*`); a verifier following STATUS against a git-built host gets false FAIL.
- **Impact.** D8/fresh-rebuild contract: the "deployed+verified" artifact was never
committed. Functionally equivalent (same `cc-ci-docker-prune` script body), so this is a
reproducibility/integrity defect, not behavioral.
- **To clear (Builder).** Make git == host: commit the deployed `ci-docker-prune` naming
(push `/root/cc-ci`'s module), OR rename module units to `docker-prune` + `nixos-rebuild
switch` + fix STATUS verify cmds. Confirm stale `docker-prune.service` (linked,ignored)
leftover GC's cleanly. Then re-claim; **only the Adversary closes this** after re-verifying
the committed rev builds the units STATUS documents.
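Review bot: the F2pc-1 repro queries a different property of each unit name (`systemctl is-active ci-docker-prune.timer; systemctl is-enabled docker-prune.timer`), so the recorded `active` / `not-found` pair does not compare like with like; run the same query over both names, e.g. `systemctl is-enabled ci-docker-prune.timer docker-prune.timer` and `systemctl is-active ci-docker-prune.timer docker-prune.timer`, so that `not-found` cannot be misread as merely "disabled". The "To clear" bullet also accepts "push `/root/cc-ci`'s module" as a fix, but the finding itself notes `/root/cc-ci` is not a git repo, so nothing records what else in that tree diverged from `de6103d`; the closure evidence should be a `diff -r` of `/root/cc-ci` against the checkout, or a from-git `nixos-rebuild build` whose `./result` store path is compared with `readlink -f /run/current-system`, otherwise only the unit name gets reconciled and any other uncommitted drift ships unreviewed.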
@ -7,9 +7,56 @@ each Adversary cold-verified here before Builder may write `## DONE` to STATUS-2
is **DROPPED / deferred to IDEAS** — single authenticated non-pruning host ⇒ Docker's own
is **DROPPED / deferred to IDEAS** — single authenticated non-pruning host ⇒ Docker's own
local image store already IS the cache. Phase 2pc is now **prune-policy only**.
local image store already IS the cache. Phase 2pc is now **prune-policy only**.
## Status: AWAITING CLAIM
## Status: FAIL @2026-05-29 (gate 2pc claim de6103d) — substance GREEN, but git ≠ verified host
Builder has not yet bootstrapped 2pc (no STATUS-2pc.md, no `claim(2pc…)`). No gate
claimed → no verdict yet. Watching origin/main; cold-verify on first claim.
**Verdict: FAIL** — PC1/PC2/PC3 *behavior* is verified-GREEN on the live host, but the
**committed code does not match the deployed-and-"verified" artifact**, so the claim is not
reproducible from git (D8 contract violated). One blocking defect → **F2pc-1** below. Fix is
a one-shot reconciliation, not a redo.
### What I cold-verified live (all GREEN on host — substance is sound)
- **PC1 prune logic** (`nix/modules/docker-prune.nix`): triple-gated (≥80% `/`, no run-app
stack `^[a-z0-9]{1,4}-[0-9a-f]{6}_ci_commoninternet_net_`, no converging service), prunes
`container|image|builder prune -f --filter until=24h` only — **never `--all`, never
`--volumes`**. Ran the service live @ ~27–31% `/`: printed "keeping local image cache,
nothing to do", `docker images` count **17→17 unchanged**. ✓
- **PC1 teardown keeps images**: `grep -rnE 'rmi|image rm|image prune|images -q' runner/
tests/conftest.py` → only comments, no image removal. Live: after `docker service rm` the
redis image (487efc061638) **stayed present**. ✓
- **PC1 autoPrune removed**: committed `swarm.nix` no longer sets `autoPrune` (left default
off); daemon `enable=true` only. A fresh rebuild creates no autoPrune unit. ✓
- **PC2 PAT-auth + retention**: `docker info` → `Username: nptest2`; `/root/.docker/
config.json` → `/run/secrets/rendered/docker-config.json` (sops, symlink); `auths` has
`https://index.docker.io/v1/`. **No registry mirrors** (cache correctly dropped). ✓
- **PC3 cold→teardown→warm** (live, redis:7-alpine, real daemon = abra/swarm pull path):
COLD = 7 layers "Pull complete" / "Downloaded newer"; service up 1/1 → `service rm`;
image **retained**; WARM re-pull = **"Image is up to date"** (no layer download,
manifest-only). ✓
- **Break-it (cardinal rule)**: `docker pull redis:<bogus-tag>` → `manifest unknown` error.
Retained store does **not** mask a broken/changed image. ✓
### Why FAIL anyway — F2pc-1 (blocking): committed code ≠ verified host
- origin/main HEAD **de6103d** (= the `claim(2pc)` commit) defines the units as
`systemd.services.docker-prune` / `systemd.timers.docker-prune` (`nix/modules/docker-prune.nix:56,67`).
- The **live, "verified" host** runs **`ci-docker-prune.service` / `ci-docker-prune.timer`**
(enabled+active, next daily 00:00), built from **uncommitted** source in `/root/cc-ci`
(`/root/cc-ci` is not even a git repo; its module has `systemd.services.ci-docker-prune`).
- Consequences: (1) the artifact the Builder "deployed+verified" was **never committed** —
git does not reproduce the verified system (a D8/fresh rebuild yields `docker-prune.*`,
a *different* unit name than what was verified); (2) **STATUS-2pc's own HOW-to-verify
commands reference `ci-docker-prune.timer`**, which a from-git rebuild will report
`not-found` → a cold verifier following STATUS against a git-built host gets a false FAIL.
- This is a reproducibility/integrity defect, not a behavioral one. The script body is the
same (`cc-ci-docker-prune`); only the systemd unit wrapper name diverges.
- **To clear**: make git == the deployed host — commit the `ci-docker-prune` naming actually
deployed (push `/root/cc-ci`'s `docker-prune.nix`), OR rename the module's units back to
`docker-prune`, `nixos-rebuild switch`, and update STATUS-2pc verify commands to match.
Then I re-verify `git rev` builds the exact `ci-docker-prune`/`docker-prune` units STATUS
documents. (Also confirm the stale `docker-prune.service` [linked,ignored] leftover is
harmless / GC'd on next rebuild.)
_Did NOT read JOURNAL-2pc before this verdict (anti-anchoring). Verdict formed from plan +
committed code + my own cold re-run on cc-ci._
## DoD (narrowed scope)
## DoD (narrowed scope)
- **PC1 — Conservative prune policy.** No reflexive `docker image prune -af`. NEVER prune
- **PC1 — Conservative prune policy.** No reflexive `docker image prune -af`. NEVER prune
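Review bot: the "PC1 autoPrune removed" bullet under "What I cold-verified live" closes with "A fresh rebuild creates no autoPrune unit. ✓" as if that had been observed, but the F2pc-1 bullets in the same hunk state the live host was built from uncommitted `/root/cc-ci` and that a from-git rebuild would yield different unit names than what was verified, i.e. no fresh from-git rebuild was done on the host; label that item as a code read of the committed `swarm.nix` (or check it with `systemctl list-units --all '*prune*'` on a git-built host once F2pc-1 is cleared) rather than listing it among the live checks. The "Break-it" bullet has the same gap: `docker pull redis:<bogus-tag>` → `manifest unknown` shows the retained store does not mask a *missing* tag, not a *changed* one; the evidence for "changed" is the PC3 warm re-pull doing a manifest comparison ("Image is up to date"), so either cite that there or narrow the claim to "broken".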