harden(deploy): db internal-only + robust container-loopback frontend verify
CI — Build, Lint & Security Scan / backend (push) Failing after 1m3s
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m23s
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 37s
Deploy to TrueNAS / deploy (push) Successful in 37s
CI — Build, Lint & Security Scan / backend (push) Failing after 1m3s
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m23s
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 37s
Deploy to TrueNAS / deploy (push) Successful in 37s
- db: drop host :5432 publish (ports !override []) — no LAN exposure, reached via compose net (db:5432) + docker exec for the ALTER USER reconcile. Matches inspectflow isolation. backend :8081 kept (LAN-only, used by healthcheck). - deploy verify-frontend: probe container loopback via bundled node instead of host :3000 wget. Network-namespace-independent; fixes the transient false-failure when polling mid-recreate. <500 = healthy (307->/login).
This commit is contained in:
Patrick Plate
@@ -12,7 +12,8 @@ name: Deploy to TrueNAS
|
||||
#
|
||||
# Compose project name is pinned to "cannamanage" so it updates the existing
|
||||
# containers and reuses the persistent "cannamanage_pgdata" volume on the host.
|
||||
# Live ports: backend 8081->8080, frontend 3000, db 5432
|
||||
# Live host ports: frontend 3000, backend 8081->8080 (LAN, healthcheck/debug).
|
||||
# db is internal-only (no host publish) — reachable as db:5432 on the compose net.
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -101,15 +102,24 @@ jobs:
|
||||
|
||||
- name: Verify frontend
|
||||
run: |
|
||||
for i in $(seq 1 10); do
|
||||
if wget -q -O /dev/null http://192.168.188.119:3000; then
|
||||
echo "✅ Frontend responding on :3000"
|
||||
set -euo pipefail
|
||||
# Probe the frontend on its own loopback INSIDE the container via the
|
||||
# bundled node runtime. This is network-namespace-independent (no
|
||||
# reliance on the host port being wired during a mid-recreate window,
|
||||
# which caused a transient false-failure previously) and needs no
|
||||
# wget/curl in the image. Any HTTP status < 500 counts as "up" — the
|
||||
# root path returns 307 -> /login when unauthenticated, which is healthy.
|
||||
echo "Waiting for frontend on container loopback :3000 ..."
|
||||
for i in $(seq 1 20); do
|
||||
if docker exec cannamanage-frontend node -e "require('http').get('http://127.0.0.1:3000/',r=>process.exit(r.statusCode<500?0:1)).on('error',()=>process.exit(1))"; then
|
||||
echo "✅ Frontend responding after ${i} attempt(s)"
|
||||
exit 0
|
||||
fi
|
||||
echo " attempt $i/10 — waiting 5s"
|
||||
echo " attempt $i/20 — waiting 5s"
|
||||
sleep 5
|
||||
done
|
||||
echo "❌ Frontend did not respond"
|
||||
echo "❌ Frontend did not respond — recent logs:"
|
||||
$COMPOSE logs --tail=40 frontend
|
||||
exit 1
|
||||
|
||||
- name: Prune dangling images
|
||||
|
||||
Reference in New Issue
Block a user