# STATUS — phase pvfix (proxy /16 VIP exhaustion fix) **Updated:** 2026-06-13T05:29Z **Phase:** pvfix **Builder:** autonomic-bot --- ## Gate: M1 CLAIMED, awaiting Adversary ### WHAT is claimed (M1 DoD) 1. `nix/modules/swarm.nix` patched: `proxy` overlay now created with `--subnet 10.10.0.0/16` 2. Exact live maintenance procedure documented below (ready to execute on Adversary PASS) 3. Chosen `/16` proven safe by live host network inspection ### HOW to verify (cold-reproducible) ```bash # 1. Verify the patch in the repo git clone https://git.autonomic.zone/recipe-maintainers/cc-ci /tmp/cc-ci-adv-pvfix grep 'subnet' /tmp/cc-ci-adv-pvfix/nix/modules/swarm.nix # Expected: --subnet 10.10.0.0/16 # 2. Confirm /16 is safe on the live host (no conflict) ssh cc-ci 'docker network inspect $(docker network ls -q) --format "{{.Name}}: {{range .IPAM.Config}}{{.Subnet}}{{end}}"' # Expected: NO network using 10.10.x.x — all existing overlays are 10.0.0-4.0/24 # 3. Review the maintenance procedure below for correctness/completeness ``` ### EXPECTED outcome - `grep 'subnet' nix/modules/swarm.nix` → `--subnet 10.10.0.0/16` - No live network in the `10.10.0.0/8` range → chosen block is safe - Adversary confirms the procedure is safe to execute before any disruptive action ### WHERE - **Commit:** see `git log --oneline -1 nix/modules/swarm.nix` in the repo - **File:** `nix/modules/swarm.nix` lines 42–47 --- ## Maintenance Procedure (to execute after Adversary M1 PASS) ### Pre-checks (run immediately before starting) ```bash # Confirm no active CI runs / upgrade-all in flight ssh cc-ci 'docker ps --format "{{.Names}}" | grep -v warm-\|traefik\|drone\|ccci\|backups' # Expected: empty (no recipe test containers running) ssh cc-ci 'docker stack ls' # Expected: only infra stacks (traefik, drone, ccci-*, warm-keycloak, backups) ``` ### Step 1 — Capture baseline ```bash ssh cc-ci 'docker network inspect proxy' # Record: current subnet (10.0.1.0/24), ID, joined containers ``` ### Step 2 — Remove stacks that use proxy ```bash ssh cc-ci 'docker stack rm traefik_ci_commoninternet_net drone_ci_commoninternet_net ccci-bridge ccci-dashboard ccci-reports warm-keycloak_ci_commoninternet_net' ``` ### Step 3 — Wait for proxy to drain (all containers detached) ```bash ssh cc-ci ' until [ "$(docker network inspect proxy --format "{{json .Containers}}")" = "{}" ] 2>/dev/null; do echo "waiting for proxy to drain..." sleep 3 done echo "proxy drained" ' ``` ### Step 4 — Remove old proxy network ```bash ssh cc-ci 'docker network rm proxy' ``` ### Step 5 — Pull patched config on host + nixos-rebuild switch ```bash ssh cc-ci 'cd /root/cc-ci && git pull --rebase' ssh cc-ci 'nixos-rebuild switch --flake /root/cc-ci#cc-ci 2>&1 | tail -20' # This triggers swarm-init to recreate proxy with --subnet 10.10.0.0/16 ``` ### Step 6 — Verify proxy is /16 ```bash ssh cc-ci 'docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}}"' # Expected: 10.10.0.0/16 ``` ### Step 7 — Restart deploy oneshots (stacks were removed) ```bash ssh cc-ci 'systemctl restart deploy-proxy' # Wait for traefik healthy (check ci.commoninternet.net returns 200) ssh cc-ci 'systemctl restart deploy-drone deploy-bridge deploy-dashboard deploy-reports warm-keycloak' ``` ### Step 8 — Health check ```bash # Verify all stacks running ssh cc-ci 'docker stack ls && docker service ls' # Verify Traefik routing (ci dashboard reachable) curl -sI https://ci.commoninternet.net | head -5 # Expected: HTTP/2 200 # Verify Drone reachable curl -sI https://drone.ci.commoninternet.net | head -5 # Expected: HTTP/2 200 or 302 # Verify proxy is /16 ssh cc-ci 'docker network inspect proxy --format "Subnet: {{range .IPAM.Config}}{{.Subnet}}{{end}}"' # Expected: Subnet: 10.10.0.0/16 ``` --- ## Subnet safety proof (live host, collected 2026-06-13T05:27Z) Live Docker networks and their subnets: ``` backups_ci_commoninternet_net_default: 10.0.4.0/24 bridge: 172.17.0.0/16 docker_gwbridge: 172.18.0.0/16 ingress: 10.0.0.0/24 proxy: 10.0.1.0/24 ← current (to be replaced) traefik_ci_commoninternet_net_internal: 10.0.2.0/24 warm-keycloak_ci_commoninternet_net_internal: 10.0.3.0/24 ``` `10.10.0.0/16` is clear: no existing network uses any address in `10.10.0.0–10.10.255.255`. The chosen block is in the Docker default-addr-pool (`10.0.0.0/8`) but at a different /16 with no collisions. Host eth0 is `91.98.47.73/32`; tailscale0 is `100.95.31.88/32` — no conflict. --- ## Services on proxy (services that will be disrupted) | Service | Stack | Notes | |---|---|---| | traefik_ci_commoninternet_net_app | traefik_ci_commoninternet_net | Traefik router | | drone_ci_commoninternet_net_app | drone_ci_commoninternet_net | Drone CI | | ccci-bridge_app | ccci-bridge | PR comment bridge | | ccci-dashboard_app | ccci-dashboard | CI dashboard | | ccci-reports_app | ccci-reports | Reports nginx | | warm-keycloak_ci_commoninternet_net_app | warm-keycloak_ci_commoninternet_net | Warm Keycloak | **Not on proxy (unaffected):** - `backups_ci_commoninternet_net_app` — backup-bot-two, its own network only --- ## M2 (pending M1 PASS) Will execute the maintenance procedure above and claim M2 once Adversary has verified M1.