diff --git a/DeploymentBlueprint.md b/DeploymentBlueprint.md index f0cb370..c6bb981 100644 --- a/DeploymentBlueprint.md +++ b/DeploymentBlueprint.md @@ -72,8 +72,16 @@ each node. │ → builds inter-hub-binaries │ → assembles OCI tarball (result → /root/ihp-railiance-probe/result) │ - │ skopeo copy docker-archive:result - │ docker://92.205.130.254:32166/coulomb/ihp-railiance-probe: + │ # Gitea's registry token realm points to port 80; skopeo must use a + │ # pre-fetched token to avoid following that misconfigured URL. + │ TOKEN=$(curl -s \ + │ "http://92.205.130.254:32166/v2/token?service=container_registry\ + │&scope=repository:coulomb/:push,pull" \ + │ -u 'tegwick:' | awk -F'"' '/token/{print $4}') + │ skopeo copy --insecure-policy --dest-tls-verify=false \ + │ --dest-registry-token "$TOKEN" \ + │ docker-archive:result \ + │ docker://92.205.130.254:32166/coulomb/: ▼ [CoulombCore — Registry] │ image stored as coulomb/ihp-railiance-probe: @@ -131,6 +139,7 @@ each node. | GHC 9.10.3 `.hi` overflow (>274 MB) | Crash after all modules compile | ActualTypes postUnpack overlay in flake.nix | | GHC 9.10.3 `libHSghc.a` truncated | Crash at position 287,686,318 | Direct archive patch on haskelseed (one-time; check after flake lock update) | | Registry on HTTP (no TLS) | k3s defaults to HTTPS for pulls | Configure k3s `registries.yaml` with mirror entry for `92.205.130.254:32166` | +| Gitea registry token realm misconfigured | `Bearer realm` points to `gitea.coulomb.social:80` but Gitea is on port 32166; skopeo follows the realm URL and gets 404 | Pre-fetch token via `curl` against port 32166 and pass with `--dest-registry-token`; do NOT rely on skopeo's automatic token fetch | | No CI runner yet | Manual build + push | Phase 6 of workplan adds Gitea Actions runner on haskelseed | --- diff --git a/workplans/IRP-WP-0001-pipeline-validation.md b/workplans/IRP-WP-0001-pipeline-validation.md index 9385bc4..f65b703 100644 --- a/workplans/IRP-WP-0001-pipeline-validation.md 
+++ b/workplans/IRP-WP-0001-pipeline-validation.md @@ -231,19 +231,34 @@ priority: medium state_hub_task_id: "24b892fa-2a81-4606-b7a8-20e493c89441" ``` -Push the built image to the Gitea container registry: +Push the built image to the Gitea container registry. + +**Note:** Gitea's registry token realm is misconfigured — it points to +`gitea.coulomb.social:80` but Gitea runs on port 32166. Pre-fetch the token +manually and pass it with `--dest-registry-token` to bypass the broken token +dance (no `iptables` on haskelseed's Alpine to redirect ports): ```bash -sshpass -p 'hcs26!x' ssh root@192.168.178.135 \ - 'cd /root/ihp-railiance-probe && \ - SHA=$(git rev-parse --short HEAD) && \ - skopeo copy docker-archive:result \ - docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:$SHA' +sshpass -p 'hcs26!x' ssh root@192.168.178.135 bash <<'EOF' +cd /root/ihp-railiance-probe +SHA=$(git rev-parse --short HEAD) +SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo +TOKEN=$(curl -s \ + "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/ihp-railiance-probe:push,pull" \ + -u 'tegwick:' | awk -F'"' '/token/{print $4}') +$SKOPEO copy --insecure-policy --dest-tls-verify=false \ + --dest-registry-token "$TOKEN" \ + docker-archive:result \ + docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:$SHA +EOF ``` -Verify: +Verify via the registry API: ```bash -skopeo inspect docker://92.205.130.254:32166/coulomb/ihp-railiance-probe: +TOKEN=$(curl -s "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/ihp-railiance-probe:pull" \ + -u 'tegwick:' | awk -F'"' '/token/{print $4}') +curl -s -H "Authorization: Bearer $TOKEN" \ + "http://92.205.130.254:32166/v2/coulomb/ihp-railiance-probe/tags/list" ``` **Exit criteria:** `skopeo inspect` succeeds; image visible in Gitea Packages UI.
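Review bot: In the DeploymentBlueprint.md diagram hunk (@@ -72,8 +72,16), the added `TOKEN=$(curl -s ... | awk -F'"' '/token/{print $4}')` fails open. With `-s` and no `-f`, a 401 or 404 from the token endpoint leaves `TOKEN` empty or filled with whatever the error body contains, and `skopeo copy` still runs with it. Use `curl -fsS` and stop if `$TOKEN` is empty before calling skopeo. The added lines also show an empty repository name, both in the scope (`repository:coulomb/:push,pull`) and in the destination (`docker://92.205.130.254:32166/coulomb/:`), while the removed line and the unchanged context below name `coulomb/ihp-railiance-probe:`. If a placeholder was intended, write it so that it survives rendering. Otherwise the token is scoped to a different repository than the one being pushed.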
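Review bot: The new "Gitea registry token realm misconfigured" row in the DeploymentBlueprint.md table (@@ -131,6 +139,7) documents the workaround as if it were the fix and does not say what the workaround costs. Together with the "Registry on HTTP (no TLS)" row above it, the `curl -u` basic-auth credentials and the resulting bearer token travel in clear text to `92.205.130.254:32166`, and the push runs with `--dest-tls-verify=false`. State in the row that the pre-fetched token is a temporary measure, that the real fix is correcting the advertised realm on the Gitea side, and that the credentials used here should be a push-scoped token rather than an account password. The row would also be clearer if it noted that the realm's host (`gitea.coulomb.social`) differs from the address used for the push, not only the port.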
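Review bot: In the workplan hunk (@@ -231,19 +231,34), the rewritten push command still commits a root password to the repository in `sshpass -p 'hcs26!x' ssh root@192.168.178.135 bash <<'EOF'`. Since this line is being touched anyway, switch to key-based SSH or read the secret from the environment (`sshpass -e`), and rotate the password because it is already in history. Three smaller points in the same hunk. First, `SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo` pins a store hash that will stop existing after a flake lock update, so resolve skopeo from the flake or `PATH` instead. Second, `-u 'tegwick:'` sends an empty password as written, so document where the credential comes from. Third, the Verify step now uses `curl` against `/tags/list`, but the unchanged exit criteria still read "`skopeo inspect` succeeds", so the two need to be brought into agreement.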