fix: registry fallback skips dead primary, WireGuard first-boot, Gitea port 3001

Registry fallback now only tries DIFFERENT registries (skips original
that already failed). 120s timeout per fallback attempt. WireGuard
keys generated on unbundled first-boot. Gitea ROOT_URL uses port 3001.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian
2026-04-12 11:40:52 -04:00
parent c520109108
commit c910be87af
3 changed files with 43 additions and 12 deletions


@@ -80,14 +80,11 @@ impl RegistryConfig {
format!("{}/{}", registry.url, image_name)
}
/// Generate all image URLs to try for a given image, in priority order.
/// Generate fallback image URLs to try (excludes the original since it already failed).
pub fn image_candidates(&self, image: &str) -> Vec<(String, bool)> {
let mut candidates = Vec::new();
// First: the original image as-is
candidates.push((image.to_string(), true));
// Then: rewritten for each active registry
// Rewrite for each active registry (skip if identical to original)
for reg in self.active_registries() {
let rewritten = self.rewrite_image(image, reg);
if rewritten != image {
@@ -154,15 +151,29 @@ pub async fn pull_from_registries(
args.push("--tls-verify=false".to_string());
}
let status = tokio::process::Command::new("podman")
let mut child = tokio::process::Command::new("podman")
.args(&args)
.env("TMPDIR", tmpdir)
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status()
.await;
.spawn()
.ok();
if status.map(|s| s.success()).unwrap_or(false) {
let status = if let Some(ref mut c) = child {
match tokio::time::timeout(std::time::Duration::from_secs(120), c.wait()).await {
Ok(Ok(s)) => Some(s.success()),
_ => {
let _ = c.kill().await;
let _ = c.wait().await;
debug!("Fallback pull timed out: {}", candidate);
None
}
}
} else {
None
};
if status == Some(true) {
// If we pulled from a non-original registry, tag it with the original name
if candidate != image {
let _ = tokio::process::Command::new("podman")
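Review bot: The `_ =>` arm of the new timeout match also catches `Ok(Err(_))` from `c.wait()`, so a wait I/O error is logged as "Fallback pull timed out", and `.spawn().ok()` drops the spawn error, so a missing or unexecutable podman looks the same as a registry that refused the image. Splitting the arms and logging the spawn error, as sketched below, keeps the three cases distinguishable when someone later has to reconstruct which registry an image actually came from. Separately, the context lines show that `--tls-verify=false` can be passed and that a successful fallback pull is tagged with the original name; no digest check is visible before that tag, which is worth confirming now that this path appears to try only fallback registries. The body of pull_from_registries starts and ends outside the hunk.

```rust
let mut child = match tokio::process::Command::new("podman")
    // … unchanged: args, TMPDIR env, null stdout/stderr …
    .spawn()
{
    Ok(c) => Some(c),
    Err(e) => {
        debug!("Fallback pull could not start podman for {}: {}", candidate, e);
        None
    }
};
let status = if let Some(ref mut c) = child {
    match tokio::time::timeout(std::time::Duration::from_secs(120), c.wait()).await {
        // … unchanged: Ok(Ok(s)) arm …
        Ok(Err(e)) => {
            let _ = c.kill().await;
            debug!("Fallback pull wait failed for {}: {}", candidate, e);
            None
        }
        Err(_) => {
            let _ = c.kill().await;
            let _ = c.wait().await;
            debug!("Fallback pull timed out: {}", candidate);
            None
        }
    }
} else {
    None
};
```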