Skip to content

feat: pull latest images before boot and bump to v0.0.15 #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Leechael merged 1 commit into from
Jun 2, 2026
Merged

feat: pull latest images before boot and bump to v0.0.15 #98

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 30 additions & 10 deletions phala-cloud-prelaunch-script/prelaunch.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
echo "----------------------------------------------"
echo "Running Phala Cloud Pre-Launch Script v0.0.14"
echo "Running Phala Cloud Pre-Launch Script v0.0.15"
echo "----------------------------------------------"
set -e

Expand Down Expand Up @@ -158,16 +159,13 @@ if [[ "$DOCKER_REGISTRY_TARGET" == "ghcr.io" && -n "$DSTACK_DOCKER_USERNAME" &&
repo="${img#ghcr.io/}"; repo="${repo%%:*}"
tag="${img##*:}"; [[ "$tag" == "$img" || "$tag" == "$repo" ]] && tag="latest"
echo "Verifying GHCR pull access: $img"
token=$(curl -sf -u "$DSTACK_DOCKER_USERNAME:$DSTACK_DOCKER_PASSWORD" \
"https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r '.token // empty' || true)
token=$(curl -sf -u "$DSTACK_DOCKER_USERNAME:$DSTACK_DOCKER_PASSWORD" "https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r '.token // empty' || true)
if [[ -z "$token" ]]; then
echo "ERROR: GHCR token exchange failed for $img"
notify_host_hoot_error "GHCR token exchange failed: $img"
exit 1
fi
http_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" \
-H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json" \
"https://ghcr.io/v2/${repo}/manifests/${tag}")
http_code=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json" "https://ghcr.io/v2/${repo}/manifests/${tag}")
if [[ "$http_code" != "200" ]]; then
echo "ERROR: GHCR pull access denied for $img (HTTP $http_code)"
notify_host_hoot_error "GHCR pull access denied: $img (HTTP $http_code)"
Expand All @@ -177,6 +175,26 @@ if [[ "$DOCKER_REGISTRY_TARGET" == "ghcr.io" && -n "$DSTACK_DOCKER_USERNAME" &&
done
fi

#
# Pull latest images from docker-compose.yaml so existing CVMs pick up new tags.
# Pull is fail-soft: short-lived tokens may expire between login and pull, but
# falling back to already-cached images is preferable to blocking boot.
#
echo "Images before pull:"
docker images --format '{{.Repository}}:{{.Tag}} {{.ID}} ({{.CreatedSince}})'

echo "Pulling latest images from /dstack/docker-compose.yaml..."
if docker compose -f /dstack/docker-compose.yaml pull; then
echo "docker compose pull completed"
notify_host_hoot_info "docker compose pull completed"
else
echo "WARNING: docker compose pull failed; continuing with existing images"
notify_host_hoot_info "docker compose pull failed; using existing images"
fi

echo "Images after pull:"
docker images --format '{{.Repository}}:{{.Tag}} {{.ID}} ({{.CreatedSince}})'

#
# Set root password.
#
Expand Down Expand Up @@ -221,17 +239,19 @@ else

if [ -n "$DSTACK_ROOT_PASSWORD" ]; then
echo "Setting root password from user.."
echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \
|| printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root
echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null || printf '%s
%s
' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root
unset DSTACK_ROOT_PASSWORD
echo "Root password set/updated from DSTACK_ROOT_PASSWORD"
elif [ -z "$(grep '^root:' /etc/shadow 2>/dev/null | cut -d: -f2)" ]; then
echo "Setting random root password.."
DSTACK_ROOT_PASSWORD=$(
LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null
)
echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null \
|| printf '%s\n%s\n' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root
echo "$DSTACK_ROOT_PASSWORD" | passwd --stdin root 2>/dev/null || printf '%s
%s
' "$DSTACK_ROOT_PASSWORD" "$DSTACK_ROOT_PASSWORD" | passwd root
unset DSTACK_ROOT_PASSWORD
echo "Root password set (random auto-init)"
else
Expand Down
Loading