gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:11:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
certctl/deploy/test/libest
T
History
shankar0123 5a1dbce6d5 fix(deploy): Hotfix #18 — apt-get retry loop in libest Dockerfile (transient mirror flake) 
CI image-and-supply-chain job failed building deploy/test/libest/
Dockerfile:

  Get:62 http://deb.debian.org/debian bullseye/main amd64 libssh2-1
        amd64 1.9.0-2+deb11u1 [156 kB]
  Err:62 http://deb.debian.org/debian bullseye/main amd64 libssh2-1
        amd64 1.9.0-2+deb11u1
    Error reading from server - read (104: Connection reset by peer)
    [IP: 151.101.202.132 80]
  E: Failed to fetch http://deb.debian.org/debian/pool/main/libs/
     libssh2/libssh2-1_1.9.0-2%2bdeb11u1_amd64.deb
  E: Unable to fetch some archives, maybe run apt-get update or try
     with --fix-missing?

Root cause:
  Transient TCP reset from fastly's Debian mirror at 151.101.202.132
  mid-fetch of one of 73 packages. Mirrors flake; the apt error
  message itself suggests "--fix-missing." This was NOT a code
  regression — the build sequence completed Dockerfile (main
  server), Dockerfile.agent, and f5-mock-icontrol/Dockerfile cleanly
  before hitting the flake on the 4th and final Dockerfile. The Go
  + npm steps for the main image all succeeded.

  The main Dockerfile already wraps `npm ci` in a 3-retry loop
  (Hotfix #9 from the Storybook lockfile saga; npm registry has the
  same flake profile as Debian mirrors). The libest Dockerfile's
  two apt-get install sites (builder stage line 85, runtime stage
  line 189) had no such wrapping.

Fix:
  Wrap both apt-get install invocations in a 3-retry loop matching
  the main Dockerfile's npm-ci pattern. Each retry runs
  `apt-get update && apt-get install --fix-missing ...`, exits the
  loop on success, sleeps 5s between attempts. After 3 failed
  attempts the build fails (preserves CI's signal for a genuinely
  broken mirror state).

  --fix-missing telling apt to continue past temporarily-missing
  packages on subsequent retries; combined with the update + sleep,
  the 3-attempt loop covers the typical mirror-flake window
  (~30-60s of churn before another mirror takes over).

  Both apt-get sites in the libest Dockerfile get the same treatment
  (builder + runtime). The two are independent install operations
  so failure in one is independent of the other.

Verification (sandbox):
  • Visual diff of both apt-get blocks — consistent retry shape +
    --fix-missing + error message + sleep cadence
  • No Go-side code touched; this is a pure CI-infrastructure
    Dockerfile change
  • Other Dockerfiles in the repo (main + agent + f5-mock-icontrol)
    don't need this fix today; the main Dockerfile already has
    the retry loop for npm ci, and agent + f5-mock use Alpine `apk`
    which has its own retry semantics

Ground-truth: origin/master tip 7268d12 (FE-M6 just pushed)
verified via GitHub API BEFORE commit.

Falsifiable proof for the next CI run: the image-and-supply-chain
job's libest build should either succeed on first attempt OR retry
through the flake automatically. The expected outcome is a green
build; a real broken-mirror state would still fail after 3
attempts (which is the right signal).
2026-05-14 20:57:24 +00:00
..
Dockerfile
fix(deploy): Hotfix #18 — apt-get retry loop in libest Dockerfile (transient mirror flake)
2026-05-14 20:57:24 +00:00