recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

backlog(2): HQ1 — image pre-pull harness unit (plan-prepull-images.md), near-term; fixes the first-deploy 'No such image' race

Browse Source
This commit is contained in:
autonomic-bot
2026-05-29 14:56:18 +01:00
parent d4eae4ee49
commit f8af5b2307
1 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
machine-docs/BACKLOG-2.md
View File

@ -176,12 +176,19 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
with the F2-7 keycloak-specificity caveat; worked lasuite-docs example end-to-end. **Will
re-pass when Q3.2/Q3.5 enroll new recipes** (immich/lasuite-drive) to confirm a new
engineer can follow the doc cold.
- [ ] **[idea]** — Harness image pre-pull before `abra app deploy`. First-ever deploy of a fresh
recipe can hit a swarm "No such image" placement race on digest-pinned images (observed once on
lasuite-meet's first deploy; self-resolved after manual `docker pull`; images then cached + kept
by the conservative prune). A pre-pull (parse compose images, `docker pull` each in
`lifecycle.deploy_app` before deploy) would make first-cold deploys deterministic. Low-risk,
helps every fresh recipe + a from-scratch host (D8). Not blocking (warm-cache model masks it).
- [ ] **HQ1 — Harness image pre-pull (near-term unit, orchestrator 2026-05-29).** PLAN:
`cc-ci-plan/plan-prepull-images.md`. At the START of a recipe test sequence (before the first
`abra app deploy`) AND before the upgrade tier's new-version deploy: resolve recipe images via
`docker compose --env-file <app.env> -f <COMPOSE_FILE> config --images` and `docker pull` each
(skip-if-present via `docker image inspect` for pinned tags); then the normal abra deploy runs
UNCHANGED (real abra; pre-pull just warms the local store). Value: separates pull from converge
→ a pull failure is a CLEAR pull error (not a murky "not converged" timeout); images-local →
faster convergence within abra's native window (less need for the -c workaround on *pull-bound*
deploys — note collabora's slow-INIT still needs the recipe healthcheck, not affected). Cheap on
warm cache (`docker pull` = "Already exists" no re-download; skip-if-present = zero network for
pinned tags). Directly fixes the "No such image" first-deploy race I hit on immich + lasuite-meet.
**Adversary verifies:** warm-cache 2nd run does NO layer re-download; a bad-tag pre-pull fails as
a clear pull error PRE-deploy. Pick up as a near-term harness unit (NOT a phase-pause).
- [ ] **Q5.2** — Adversary samples a subset and cold-verifies parity tables + specific tests are real
(not health-only, not skipped). NO weakened test, no corners cut (P7).
- [ ] **Q5.3** — Phase 2 `## DONE` after all P1P8 Adversary cold-verified PASS, no standing VETO.