While trying to debug why opam.ocaml.org isn't updating, I see this:

But no history of builds. Without the history, it's impossible to tell what's causing the build failure.
@patricoferris noted in another conversation that this may be due to the shape of the ocurrent DAG changing via binds, and so each run of the pipeline is actually a different graph.

In the meanwhile, the deployer is showing orange all the time, and the Hub shows that there hasn't been a push to opam.ocaml.org for 2 days... /cc @tmcgilchrist

Setup an ocurrent-deployer for https://github.com/ocurrent/mirage-ci to deploy the https://ci.mirage.io service based off the live branch.

Outcome

• ocurrent-deployer on deploy.ci3.ocamllabs.io
• ansible config for server in infrastructure project
• deployability checks running alongside the ocaml-ci checks.

2022-01-13 18:11.35: New job: push ocurrent/base-images:live = {"manifests":["ocurrentbuilder/staging@sha256:841e529d4efb29f6cee506f0b5a46fd9741882e6d9658ccce4d059d97e961bc1"]}
2022-01-13 18:11.35: Exec: "docker" "--config" "/tmp/push-manifest1447c4a7" 
                           "login" "--password-stdin" "--username" "ocurrent"
WARNING! Your password will be stored unencrypted in /tmp/push-manifest1447c4a7/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
2022-01-13 18:11.46: Exec: "docker" "--config" "/tmp/push-manifest1447c4a7" 
                           "manifest" "create" "ocurrent/base-images:live" 
                           "ocurrentbuilder/staging@sha256:841e529d4efb29f6cee506f0b5a46fd9741882e6d9658ccce4d059d97e961bc1"
Created manifest list docker.io/ocurrent/base-images:live
2022-01-13 18:11.57: Exec: "docker" "--config" "/tmp/push-manifest1447c4a7" 
                           "manifest" "push" "ocurrent/base-images:live"
failed to mount blob ocurrentbuilder/staging@sha256:4468e11d2912dbcf79c02b4ef446879df44003b72056013db14db5dd4e8a59e4 to docker.io/ocurrent/base-images:live: Post "https://registry-1.docker.io/v2/ocurrent/base-images/blobs/uploads/?from=ocurrentbuilder%2Fstaging&mount=sha256%3A4468e11d2912dbcf79c02b4ef446879df44003b72056013db14db5dd4e8a59e4": Get "https://auth.docker.io/token?account=ocurrent&scope=repository%3Aocurrent%2Fbase-images%3Apush%2Cpull&scope=repository%3Aocurrentbuilder%2Fstaging%3Apull&service=registry.docker.io": net/http: TLS handshake timeout
2022-01-13 18:13.34: Job failed: Command "docker" "--config" "/tmp/push-manifest1447c4a7" "manifest" "push" 
"ocurrent/base-images:live" exited with status 1
2022-01-13 18:13.34: Log analysis:
2022-01-13 18:13.34: >>> net/http: TLS handshake timeout (score = 40)
2022-01-13 18:13.34: Hub: net/http: TLS handshake timeout

https://deploy.ci3.ocamllabs.io/job/2022-01-13/181135-docker-push-manifest-784b44

We switched from using statuses to using GitHub checks in #65. But the link there ("View more details on ci3.ocamllabs.io deployer") instead goes to https://github.com/ocurrent/ocurrent-deployer, which isn't very useful.

/cc @tmcgilchrist

The docker pull stage in deployer can hit rate limits for anonymous pulls on docker hub. We can increase this limit by using docker login for occurrent user before doing the pull.

See https://deploy.ci.ocaml.org/job/2023-03-16/032401-docker-pull-142ac8

Dear Madam or Sir,

first of all thanks for running opam.ocaml.org as a community service. :)

I noticed from opam update that the opam.ocaml.org hosts are not getting updates since Sunday June 4th 19:04:41 2023 +0100 (commit 9681b042 according to the repo file of the opam.ocaml.org hosts).

I'm curious how to move here, is the infrastructure and its setup/deployment maybe a bit too involved (in terms of complexity, requiring GitHub, some machines to produce artifacts (docker images), Docker Hub for download and upload, and some other machines to execute things), esp. with the recent issues in this area: IPv6 outage, and failure to update some of the machines that serve the repository (missing ssh key).

Another question is whether you have monitoring of the service opam.ocaml.org (about the key things: online, replies to HTTP requests, serves an up-to-date archive), and if yes, is that online and available somewhere? (I suggest setting up a "status.opam.ocaml.org" with some information, and maybe post-mortens about the issues that happened in recent months.)

I hope this is the right repository to report this issue to, in case you've any questions or want to discuss this topic further, don't hesitate to reach out to me.

Consider switching from Docker Swarm to Docker Compose.

Currently, the applications this deployer manages are deployed using Ansible. Ansible runs docker stack create to define the stack based on the YAML description. Subsequently, ocurrent-deployer will update the running instance using docker service update --image <new-sha>. The YAML description can be trivially refactored into a docker-compose.yml file, which can be stored in the Git repository along with the service.

• Docker Swarm gives us a headache with respect to IPv6. Entry point services need to be defined with host networking to listen on IPv6.
• All services are deployed as a single instance to a single host where Swarm's magic networking sauce isn't relevant.
• Docker Swarm gives us access to Docker secrets. Docker secrets are encrypted on disk and held on a tmpfs volume within the container. They can easily be accessed via docker exec <container_id> cat /run/secrets/mysecret. With Docker Compose, secrets are typically held in plain text files. Alternatives would be a vault sidecar.
• Both Swarm and Compose automatically start the services on reboot.
• docker compose pull && docker compose up -d updates all images within the compose file. With docker service update, we specifically update the OCaml service we just rebuilt: new releases of other components, such as the Caddy proxy, are not managed.

Before pushing to AWS for opam.ocaml.org and ocaml.org, the container should be tested on a non-live service to ensure that it starts. If that stage fails, then the deployment itself doesn't proceed, and the website(s) remain at the previous deployment (with the issue picked up on the firehose).

Currently the deployability check just shows as pass or fail, and links to the general project that is being checked.
Often if there are multiple git refs being checked and/or multiple Dockerfiles to check for deployability, it isn't obvious what has failed.

As an improvement ocurrent-deployer should post the summary output of each deployability check with links directly to the failing /passing build step. As per the ocaml-ci compilation UI.

Calling docker container restart <container> will somehow make the underlying docker commands used by ocurrent-deployer forget about it. Thus when upgrading the service associated with the container the old one will stick stick around and the new one will still be spawned.

I've moved all the Docker services from the old deployer on toxis to the new one on ci3.

The only thing the old service is still doing is deploying the unikernels. This code is now on the old-master branch.

The old service builds the unikernels locally with Docker and then rsyncs to the host. However, the new deployer host isn't suitable for building things. Instead, it should use the cluster. We need to decide how to get the resulting binaries from the workers to the host.

Some options:

1. Push to Docker hub and have the unikernel host pull them (requires Docker on the host though).
2. Have the worker transfer directly to the host (will probably want some kind of short-lived session key for the transfer).
3. Transfer from the worker to the deployer and rsync from there as before. Avoids having to make changes on the unikernel host.

@hannesm do you have a preference here? I think you mentioned that you were planning some kind of unikernel registery which we could push to...

Post build failures for this pipeline to the opam repository maintainers channel in slack.

Currently all build success/failures are going to #ci-firehose.

I see View more details on deploy.ci3.ocamllabs.io but it links to https://github.com/ocurrent/ocurrent-deployer.

Retire the v2.ocaml.org staging deployment and setup a staging deployment of https://github.com/ocaml/ocaml.org.

The final setup should be:

• v2.ocaml.org deploying master branch of https://github.com/ocaml/v2.ocaml.org
• ocaml.org deploying main branch of https://github.com/ocaml/ocaml.org
• staging.ocaml.org deploying staging branch of https://github.com/ocaml/ocaml.org

I've been building a (private) deployer and have ended up re-using a lot of components from ocurrent-deployer. I was wondering if there was any interest (or perhaps even some preliminary work :)) on extracting some of the reusable components into a publishable current_deployer library. In particular, things like https://github.com/ocurrent/ocurrent-deployer/blob/master/src/build.ml ?

It would be nice to keep this repository compiling without submodules. Various systems (including ocaml-ci) do not deal very well with those.

Background

The docker contexts used in ocurrent-deployer have mixed naming standards and it's not clear which environment or machine a context is targeting.

Summary

The docker contexts as used by deployer are a mix of various naming standards. They should be renamed to follow a standardised naming pattern of hostnames. Currently it looks like:

which should change to :

Outcome

As a result of this work the docker contexts used in deployer should be changed to the new names and the different ocurrent-deployer flavours are updated.