Log rotation on all services + pin base images by digest (#123, #135)#147
Merged
Conversation
#123: caddy, docker-proxy, and docker-control were missing `logging:`, so they used Docker's uncapped json-file default — their logs could grow without bound and fill the disk on a long-running host. Apply the shared 10 MB × 3 cap to all three. #135: pin every externally-pulled image by immutable @sha256 digest — caddy:2.11, tecnativa/docker-socket-proxy:v0.4.2 (×2), the Tari node, and the ubuntu:24.04 / python:3.11-slim / alpine build bases — so a re-pushed tag or registry MITM can't silently change the running image. Digests are the multi-arch index digests. Locked in with test_compose.sh assertions (log rotation on every service; the three external images carry an @sha256 digest). CHANGELOG updated. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two small launch-robustness wins from the v1.0 sweep.
#123 — log rotation on every service
caddy,docker-proxy, anddocker-controlwere missinglogging:, so they fell back to Docker's uncapped json-file default. The dashboard pollsdocker-proxyevery 30s, so its access log grows continuously — a silent disk-fill risk on a long-running unattended host. This applies the shared*default-logginganchor (10 MB × 3) to all three; now every service is capped.#135 — pin base/runtime images by digest
Every externally-pulled image is now pinned by its immutable multi-arch
@sha256index digest instead of a mutable tag, so a re-pushed tag or a registry MITM can't silently swap the running image (most important for the two privileged socket proxies + Caddy):caddy:2.11tecnativa/docker-socket-proxy:v0.4.2(×2)quay.io/tarilabs/minotari_node:v5.3.1-mainnetubuntu:24.04(×3)python:3.11-slimalpine:latestThis makes SECURITY.md's "version-pinned" posture hold for images too. Digests fetched registry-direct via
docker buildx imagetools inspect(the multi-arch index digest, so all platforms resolve correctly).Tests
test_compose.shnow asserts log rotation is present on every service and that the three external images carry an@sha256digest — so an accidental unpin or a missinglogging:fails CI.make testgreen locally: shellcheck clean,docker compose configvalid, all assertions pass.Note — #134 not included
The batch was originally going to also drop xmrig-proxy's
--http-no-restricted, but that flag is load-bearing: the XvB switching engine repoints the proxy's pools viaPUT /1/config(algo_service.switch_miners→update_config), which the flag enables. Dropping it would break hashrate switching, so #134 is being closed as invalid instead.Closes #123. Closes #135.
🤖 Generated with Claude Code