M10 finding: Docker Hub rate limit blocks lasuite-docs upgrade — A1 registry creds needed (5/6 green)
All checks were successful
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
16
STATUS.md
@ -59,8 +59,20 @@ Drone build with RECIPE=<r> (or `cc-ci-run runner/run_recipe_ci.py` with RECIPE/
the recipe-CI pipeline will set `CCCI_JANITOR_MAX_AGE=0` (safe — no concurrent runs). See DECISIONS.
## Blocked
- (none) — M3 webhook blocker cleared by the polling-primary redesign (polling is
read-only/outbound and needs no Gitea `ALLOWED_HOST_LIST` whitelist).
- **Docker Hub anonymous pull rate limit — registry pull creds needed (A1, operator).** During the
D10 real-`!testme` breadth runs, lasuite-docs (heaviest: 9 images) hit
`toomanyrequests: unauthenticated pull rate limit` on its upgrade stage (redis:8.2.6 task
Rejected "No such image" → couldn't pull). Confirmed: `docker pull redis:8.2.6` on the node →
rate-limited. This is the plan's flagged A1 input (§1.5/§4.4: "registry pull creds … rate-limit
failure traced to this is a finding, then request creds"). **Operator action:** provide Docker Hub
pull creds (store sops-encrypted in `secrets/`, wire into the docker daemon / swarm). NOT globally
blocking: **5/6 recipes already green via real `!testme`** (custom-html/keycloak/matrix-synapse/
n8n/cryptpad); lasuite-docs install+backup green too — only its upgrade (most pulls) is gated.
Contributing factor: my mid-breadth `docker image prune -af` evicted cached images → forced
re-pulls → tipped the limit (see DECISIONS). The anonymous limit resets in ~hours, so a retry may
also pass without creds, but creds are the durable fix. Working M9 (docs) meanwhile.
- (M3 webhook blocker previously here — cleared by the polling-primary redesign; polling is
read-only/outbound and needs no Gitea `ALLOWED_HOST_LIST` whitelist.)
## Tracking (adversary findings I must address)
- **[adversary] A4 — concurrent same-recipe runs collide on shared `~/.abra/recipes/<recipe>`.**
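Review bot: the `## Blocked` section now both contradicts and repeats itself: the `- (none) — M3 webhook blocker cleared by the polling-primary redesign` bullet is kept directly above a real open blocker (the Docker Hub rate-limit entry), and the same M3-cleared sentence appears a second time as `- (M3 webhook blocker previously here — cleared by the polling-primary redesign; ...`. Drop the `(none)` bullet and one of the two M3 notes so the section lists exactly the open blocker. On the operator action, `provide Docker Hub pull creds (store sops-encrypted in `secrets/`, wire into the docker daemon / swarm)` should say which mechanism is meant: a plain `docker login` on the manager writes the token unencrypted into `~/.docker/config.json` unless a credential helper is configured, and that login does not reach swarm workers by itself (stack deploys need `--with-registry-auth`), so the entry should state where the secret ends up on the node and that the value requested is a pull-only Docker Hub access token, not the account password. Worth recording as a follow-up next to the `docker image prune -af` contributing factor: do not prune while breadth runs are in flight (or prune only dangling images) so cached layers are not evicted and re-pulled mid-run.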