[docs] Capture nginx stale-DNS trap in registry-vm runbook
Discovered during the 2026-04-19 registry:2.8.3 pin deploy: nginx caches
its upstream DNS at startup and does NOT re-resolve after registry-*
containers are recreated. Symptom was /v2/_catalog returning
{"repositories": []} and /v2/ returning 200 without auth — nginx was
forwarding to a stale IP that a different backend container now owns.
Fix is always 'docker restart registry-nginx' after any registry-*
bounce. Captured in registry-vm.md so future manual operators and the
coming auto-sync pipeline (beads code-3vl) both encode the step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent c9d6343a9b
commit 6e96b436b1
1 changed files with 30 additions and 0 deletions
|
|
@ -140,6 +140,36 @@ ssh root@10.0.20.10 '
|
||||||
'
|
'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Bouncing registry containers — the nginx DNS trap
|
||||||
|
|
||||||
|
`docker compose up -d` on `/opt/registry/docker-compose.yml` recreates
|
||||||
|
`registry-*` containers when their image tag changes, which assigns them
|
||||||
|
new IPs on the `registry` bridge network. **`registry-nginx` resolves its
|
||||||
|
upstream DNS names (`registry-private`, `registry-dockerhub`, …) ONCE at
|
||||||
|
startup and caches the results** — it does not re-resolve after a
|
||||||
|
recreate.
|
||||||
|
|
||||||
|
Symptom if you forget: `/v2/_catalog` on `:5050` returns
|
||||||
|
`{"repositories": []}`, `/v2/` returns 200 without auth, pulls return
|
||||||
|
the wrong image. nginx is forwarding to a stale IP that now belongs to a
|
||||||
|
different registry-* backend (commonly the pull-through ghcr or
|
||||||
|
dockerhub cache, which have empty catalogs from the htpasswd-auth user's
|
||||||
|
perspective).
|
||||||
|
|
||||||
|
**Always follow a registry-* bounce with `docker restart registry-nginx`.**
|
||||||
|
Or prevent the problem by setting a `resolver` directive in
|
||||||
|
`nginx_registry.conf` so upstream names are re-resolved per request.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ssh root@10.0.20.10 '
|
||||||
|
cd /opt/registry && docker compose up -d
|
||||||
|
docker restart registry-nginx
|
||||||
|
sleep 3
|
||||||
|
docker ps --format "{{.Names}}\t{{.Image}}\t{{.Status}}" \
|
||||||
|
| grep -E "registry-"
|
||||||
|
'
|
||||||
|
```
|
||||||
|
|
||||||
## Related docs
|
## Related docs
|
||||||
|
|
||||||
- `docs/architecture/dns.md` — resolver IP assignments per subnet.
|
- `docs/architecture/dns.md` — resolver IP assignments per subnet.
|
||||||
|
|
|
||||||
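Review bot: The closing `sh` block in the new section confirms only that the containers are up (`sleep 3`, then `docker ps ... | grep -E "registry-"`), which cannot detect the failure the section describes: with a stale nginx upstream every container still shows as running while `/v2/` answers 200 without auth. Suggest ending the snippet with an unauthenticated request to `/v2/` on `:5050` that fails the run unless the request is rejected for missing credentials, plus an authenticated `/v2/_catalog` check that the repository list is not empty. Separately, the sentence "setting a `resolver` directive in `nginx_registry.conf` so upstream names are re-resolved per request" overstates what `resolver` does on its own: nginx re-resolves at run time only when the `proxy_pass` target is supplied through a variable (or the upstream `server` line uses the `resolve` parameter, where the build supports it), and answers are cached for the record TTL or the `valid=` value rather than looked up per request. Worth spelling out the required form, and that the resolver should point at Docker's embedded DNS at 127.0.0.11, so nobody adds a bare `resolver` line and assumes the trap is closed.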