Repair live canonical migrations and scanner cache bootstrap

2026-03-09 21:56:41 +02:00
parent 00bf2fa99a
commit dfd22281ed
21 changed files with 1018 additions and 12 deletions
--- a/devops/compose/docker-compose.stella-ops.yml
+++ b/devops/compose/docker-compose.stella-ops.yml
@@ -102,6 +102,7 @@ volumes:
  registry-data:
  concelier-jobs:
  scanner-surface-cache:
+  scanner-cache-data:
  console-dist:
  advisory-ai-queue:
  advisory-ai-plans:
@@ -646,11 +647,31 @@ services:
    labels: *release-labels

  # --- Slot 8: Scanner -------------------------------------------------------
+  scanner-cache-init:
+    image: stellaops/scanner-worker:dev
+    container_name: stellaops-scanner-cache-init
+    restart: "no"
+    user: "0:0"
+    entrypoint:
+      - /bin/sh
+      - -lc
+      - |
+        mkdir -p /var/lib/stellaops/cache/scanner/layers /var/lib/stellaops/cache/scanner/cas &&
+        chown -R 10001:10001 /var/lib/stellaops/cache/scanner &&
+        chmod -R u+rwX,go-rwx /var/lib/stellaops/cache/scanner
+    volumes:
+      - scanner-cache-data:/var/lib/stellaops/cache/scanner
+    networks:
+      stellaops: {}
+    labels: *release-labels
+
  scanner-web:
    image: stellaops/scanner-web:dev
    container_name: stellaops-scanner-web
    restart: unless-stopped
    depends_on:
+      scanner-cache-init:
+        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      valkey:
@@ -677,6 +698,7 @@ services:
      SCANNER_SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER_SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER_SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
+      SCANNER_SCANNER__CACHE__ROOTPATH: "/var/lib/stellaops/cache/scanner"
      SCANNER_SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://s3.stella-ops.local:8333}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
@@ -699,6 +721,7 @@ services:
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
      - *cert-volume
+      - scanner-cache-data:/var/lib/stellaops/cache/scanner
    tmpfs:
      - /var/lib/stellaops/surface:mode=1777
    ports:
@@ -718,6 +741,8 @@ services:
    container_name: stellaops-scanner-worker
    restart: unless-stopped
    depends_on:
+      scanner-cache-init:
+        condition: service_completed_successfully
      postgres:
        condition: service_healthy
      valkey:
@@ -742,10 +767,12 @@ services:
      SCANNER_SURFACE_SECRETS_PROVIDER: "file"
      SCANNER_SURFACE_SECRETS_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_VALIDATION_DISABLED: "true"
+      SCANNER_SCANNER__CACHE__ROOTPATH: "/var/lib/stellaops/cache/scanner"
      # EPSS bundle source path (EpssBundleSource constructor)
      EPSS_BUNDLE_PATH: "/app/epss"
    volumes:
      - *cert-volume
+      - scanner-cache-data:/var/lib/stellaops/cache/scanner
    tmpfs:
      - /var/lib/stellaops/surface:mode=1777
      - /app/epss:mode=1777
@@ -2268,7 +2295,7 @@ services:
      ADVISORYAI__KnowledgeSearch__VexAdapterEnabled: "true"
      ADVISORYAI__KnowledgeSearch__VexAdapterBaseUrl: "http://concelier.stella-ops.local"
      ADVISORYAI__KnowledgeSearch__PolicyAdapterEnabled: "true"
-      ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-gateway.stella-ops.local"
+      ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-gateway.stella-ops.local"
    volumes:
      - *cert-volume
    networks: