[docs] Capture nginx stale-DNS trap in registry-vm runbook

Discovered during the 2026-04-19 registry:2.8.3 pin deploy: nginx caches its upstream DNS at startup and does NOT re-resolve after registry-* containers are recreated. Symptom was /v2/_catalog returning {"repositories": []} and /v2/ returning 200 without auth — nginx was forwarding to a stale IP that a different backend container now owns. Fix is always 'docker restart registry-nginx' after any registry-* bounce. Captured in registry-vm.md so future manual operators and the coming auto-sync pipeline (beads code-3vl) both encode the step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 17:24:09 +00:00 · 2026-04-19 17:24:09 +00:00 · 6e96b436b1
commit 6e96b436b1
parent c9d6343a9b
1 changed files with 30 additions and 0 deletions
--- a/docs/runbooks/registry-vm.md
+++ b/docs/runbooks/registry-vm.md
@ -140,6 +140,36 @@ ssh root@10.0.20.10 '
 '
 ```

+## Bouncing registry containers — the nginx DNS trap
+
+`docker compose up -d` on `/opt/registry/docker-compose.yml` recreates
+`registry-*` containers when their image tag changes, which assigns them
+new IPs on the `registry` bridge network. **`registry-nginx` resolves its
+upstream DNS names (`registry-private`, `registry-dockerhub`, …) ONCE at
+startup and caches the results** — it does not re-resolve after a
+recreate.
+
+Symptom if you forget: `/v2/_catalog` on `:5050` returns
+`{"repositories": []}`, `/v2/` returns 200 without auth, pulls return
+the wrong image. nginx is forwarding to a stale IP that now belongs to a
+different registry-* backend (commonly the pull-through ghcr or
+dockerhub cache, which have empty catalogs from the htpasswd-auth user's
+perspective).
+
+**Always follow a registry-* bounce with `docker restart registry-nginx`.**
+Or prevent the problem by setting a `resolver` directive in
+`nginx_registry.conf` so upstream names are re-resolved per request.
+
+```sh
+ssh root@10.0.20.10 '
+  cd /opt/registry && docker compose up -d
+  docker restart registry-nginx
+  sleep 3
+  docker ps --format "{{.Names}}\t{{.Image}}\t{{.Status}}" \
+    | grep -E "registry-"
+'
+```
+
 ## Related docs

 - `docs/architecture/dns.md` — resolver IP assignments per subnet.