Removes virtualisation.docker.autoPrune (daily `docker system prune --all` evicted in-use base images → cold re-pull → Hub rate-limit churn, JOURNAL-2). Adds modules/docker-prune.nix: daily timer + oneshot that prunes only dangling+until=24h, gated on disk pressure (>=80%) AND no run-app live AND no swarm service converging; never --all, never --volumes. Teardown unchanged (never removes images). Registry pull-through cache dropped per operator scope correction. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
BACKLOG — Phase 2pc (sane image-prune policy)
SSOT: /srv/cc-ci/cc-ci-plan/plan-phase2pc-image-cache.md.
Scope (post operator correction 2026-05-29): PC1 prune policy + confirm local-store
retention/auth ONLY. The registry:2 pull-through cache is dropped (deferred to IDEAS /
Phase 2b — revisit only if multi-node OR a measured cold-deploy bottleneck on recreate-surviving
storage).
Build backlog
- PC1 — Conservative prune policy. Remove `virtualisation.docker.autoPrune` (`--all` evicts in-use base images → forced cold re-pull → rate-limit). Replace with a surgical, gated prune: dangling + `until=24h` only, NEVER `--all`/`--volumes`; gated on (a) genuine disk pressure (`/` ≥ 80%), (b) no run-app stack live, (c) no swarm service converging (mid-pull). Teardown already removes only services/volumes/secrets/.env — NOT images (verified) — keep it that way.
- PC2 — Confirm local cache retained + authenticated. Daemon stays PAT-authenticated (`docker info` Username=nptest2, sops `dockerhub_auth` → `/root/.docker/config.json`); local image store `/var/lib/docker` persists across runs/teardowns/reboots. No code change expected — confirm + document.
- PC3 — Verify + document. Deploy → teardown → redeploy reuses local layers (no re-download); disk bounded without `-af`. Update `docs/runbook.md` + docs/prune note; record the policy + the dropped-registry-cache deviation in `DECISIONS.md`.
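Added example of the PC1 gate as a POSIX shell oneshot body; this is not the repository's modules/docker-prune.nix (a NixOS module that is not reproduced on this page). Assumed: the run-app stack is a swarm stack labelled `com.docker.stack.namespace=run-app`, and "converging" means a service whose running replica count is below its desired count.

```shell
#!/bin/sh
# Gated, conservative prune (added example, not the project's own module).
THRESHOLD_PCT=80   # gate (a): genuine disk pressure on /

# Root filesystem usage in percent, parsed from POSIX df output.
root_usage_pct() {
    df -P / | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Gate (b): number of services in the run-app stack (0 means no stack live).
# Assumption: stack deployed under namespace label "run-app".
run_app_services() {
    docker service ls -q --filter label=com.docker.stack.namespace=run-app | wc -l
}

# Gate (c): services whose REPLICAS column reads n/m with n < m (still converging, possibly mid-pull).
converging_services() {
    docker service ls --format '{{.Replicas}}' \
      | awk -F'[/ ]' '$1 < $2 { n++ } END { print n+0 }'
}

# Pure decision function of the three gate inputs: prints "prune" or "skip:<reason>".
prune_decision() {
    usage=$1; live=$2; converging=$3
    [ "$usage" -ge "$THRESHOLD_PCT" ] || { echo "skip:disk-usage-${usage}%-below-${THRESHOLD_PCT}%"; return 0; }
    [ "$live" -eq 0 ]               || { echo "skip:run-app-live"; return 0; }
    [ "$converging" -eq 0 ]         || { echo "skip:service-converging"; return 0; }
    echo prune
}

# The only prune ever issued: dangling layers older than 24h. Never --all, never --volumes.
prune_command() {
    echo "docker image prune --force --filter until=24h"
}

main() {
    decision=$(prune_decision "$(root_usage_pct)" "$(run_app_services)" "$(converging_services)")
    case $decision in
        prune) echo "gates passed; running: $(prune_command)"; eval "$(prune_command)" ;;
        *)     echo "not pruning ($decision)" ;;
    esac
}

# Run only when executed as the oneshot script, so the functions can be sourced for testing.
case "${0##*/}" in docker-prune.sh) main ;; esac
```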
Adversary findings
(Adversary owns this section.)