From e8ff760afff056299fecc9d2a60cedeaf867391d Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 1 Mar 2026 13:59:07 +0000
Subject: [PATCH] [ci skip] openclaw: cache tools on NFS for fast restarts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Switch /tools volume from emptyDir to NFS (/mnt/main/openclaw/tools)
- Skip download of kubectl, terraform, terragrunt, pip packages if cached
- Startup time: ~2.5min → ~38s on subsequent restarts
---
 secrets/nfs_directories.txt | Bin 1773 -> 1788 bytes
 stacks/openclaw/main.tf     |  50 ++++++++++++++++++++++++++----------
 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/secrets/nfs_directories.txt b/secrets/nfs_directories.txt
index 0c57a0f0ce48aea47335e382cd6e9a203a3a3b7e..8784f30f1b831e7dbfdfbd0518834337ae475767 100644
GIT binary patch
literal 1788
zcmV<Y1_Sv3M@dveQdv+`01Nu;%SfAaMYB)CXF1YLOcr*7oUL-0oDE<8sdoa_w!~{>
znll3}Q7J*FgT`kT3<JtyO3uw_^@GllVh{?M9w<HNP4@ySwA&Y|=vFV=`4P8lj~2!@
zd!NAV_gS1pmgpvd6314~vXIhmm=A9}t$7_nQw>nJ^Ppg=#=s_ZX9hce9Hps{NqomU
z|DOp1#0n)+C{Tnei2XYA5u2@ufG=t#9xso5X?IOogx(TuxVOhXdxD1a^mCD3HdN(N
zoXCv`6{FD9qtmg27jtEKHq5fm*MQAU-QT-c<vTfBA9^&s?`kBu;UdiMP@V7XMsLS2
z$Ak+y4RN{WB9?MRbIrTK$fCKNuXN_w_l8U>kYMuw`AEu6dH5Um0|+YrFy|v8lj=9n
zPO#<jm>NbZ%Yv(gXd|Yo3WxC&Vzgdg2-F%QQb2|TMk@|W>y%}b3axB0jdJs!<4YR8
z6gU6JOD}3}x2(F$<Tyw}`dk@#9-y_W8SqXRJzs=MD{IGWjY$MWNJC(@r7Pg^(LrI(
zZvQqyr>Sfyn-A>%^VeP@i_xlVB{<5imN0O6)Mk|q?~Ey-T2xW(m?)NXHj#!}*D(wY
zD|5vEswQ{v83;tpK=~TPL_%1zO+-D_FI!BK2NskZvlD&WY#99oy*ccC-YKJMFJnqj
z;isD;z(q&dEywZBR}GY^X&9i<A^javbO#w#OA{ZX3b0Fll4dQv>Jg(gQGhO3TK3c)
zQT}(v(=Rm)4$)bm4@SHKEVw1`|1Qiq?#$~X#R~B({dhaZ5YA6^YY~}eds{_IB3i&c
zKIvF(g}FOvd;oFipz~_ViC#DEbYe5<*({tgh&BR43DIuAQY-V(%yrX0sBhq7y1L#+
zLIvwb^t{AV;;zL!DkSV2E?N}s;B7I7*xE^ZfmU5Ij7=pK{d{xGNf$YAf^JT?0mFxw
z^15l<I!BH(!L&7H(AXu8Y<|8Y$bnXYtOs)!6xHp77v^M1)>)RD(|M~N3pHjYKNe-X
z#CfYZN7)tNV{s=mD6V@bt$RUeUDo29@LZMy<g-T+`|^#agUT65$?h<U)*(D!APwYQ
z(D``a8jgI3k5=E2*wN#pAXC))SW2n0D|(#ekI>WF<TjG@{tq;<A%U^Kd0o;UcUqLb
zW1RapX9T_UMWs-I+NbgLgGnPVk3+T~Y(4m_g<)Z~^oey~<x`{0^bl=!Ua9gq{I`Zs
zp&W3G`O=8fY(k{nq-d}Lah;m`5q8D++iRZ}{0#AU(TX)(;}?q<2tQvS1(3+tBGp$s
zIxbdq44?W4No9xqdgG2M+%yOhOL#i{b$h|U@FXx#AtU(}-LbLT_gkSkE2vC1%s^|g
zP%^x1HYngYBa|bRA{PG1zrba0Bf$7f=XoiJP|{1*Q&$)x!R>vy-|91VjD(OE6fm-J
zqU46T6v63oC_RUZ>%c_+p612~{PM2%#w76mHc^q}dZtHAB9c^9$9Wo5I}fTmBj9j9
z4YP)qh?;$iX+7P!!GRapo54B~47JO_6sD>g<s|h#39uPG1jLJ>CC4VdKr|HyWsRCb
z5g2ZiL-(ZE-ovmql-=O2nd9N<D!<lEvft+lH*M#83>uly2SespOIf~nlV7Rj<dtj|
z)~2-C$7!>bo_pJ6vUirIt<?HIroYiph>-s^cQX4HQFNo0r#D)4Q|gZ*m|;O8a3dw9
z>=^&z&_duySx^2`(@=FK(|xu8`<DByS9KH2*oj(Dnfu%{IV^okjEqs$VA!HW89a;X
z6l^9C$mHb#*4@9;2n>Q)o-yu=YHk^kPu&VDIjGc+0%9aKv=?$v)(|`*zlY&*p~69S
z#h>HwqV{sI5+<LXx_1cFJuA}XFC$LOFiL-mag#+Pa3nvfBaT-MqyRYp9qgFrkOhf8
zo5wxcen<8~?CBuT2#6n&6hrPcz~?ART)6^})#mOVJ0UyjnO892ZA*1TOyefNL3lHX
zH^j-2C^<ZGLo@VOe;UzFSsEe$#r^UUMX@H5h$P2aXWvkNy)LmN=}p8yFEq=nc>nBm
z>JxJ`4Xzgf+Kt0*W|{~InzB?=2jqBq575hczE$BuL9<ici3|_Wop(9|1_utV@Kf?i
zrudZ1?e(VqUgu*g{rGfIGwp|`W<=9;@TEhpFjr>4e7lM-H?`!d8yxQdToMMF4;Gv1
zmc{zZDakB{(}0EjrM~*;lBqufq-z19mRv#9Q4g}L?VO}wbMDJ*^l77HKZ8If(lga~
zgk04CqV82Y#=m#3vR{=Ao;`&U;==}JkxaG8U&VhLk-X}LGlwZPr;}7JnI^Q+4iz%z
emiQFD?4S-zp+|3%+daBpUGnSWx?7h0uUjdeZEODk

literal 1773
zcmV<J1`_!IM@dveQdv+`0A5fmspl(VirzjNWkW*>!LPolgCOquHcSNHV}cs@GGnoW
zQ%P7A?F22iKhg8;wueyB*I-vFchiHfL2_(Oa!+Eed^1@ojHa^m5O&TmMC=t`h}F?q
zGM{9#)G5P!)pqJd<1<CDTx+!JemY|%ON){a@-hzhdrXwA9&X1zdt|Qg+Oh&W1TXrR
zs;50@$31YlXH#z&9e`BJ@D0O(h2=L+25XqJ8;acCXM+&nnu6k!)oL^()+2;h@Mm6t
zuF>9+I4*UbGUV&xYe@kwZ;eOi=?+8-SM}(m_{BYKe$h8sq(|}}sm?jcy=xJXu6SKp
zKhwb>J}_eWD)04e8E3@;g`w#iGAB4Sw)D5;>1Ku~&zP6f=l&U==ZSRdYSGA}>9%eU
zg}R3#mHcxXHgm?z(u~Pz%%VS6`3RJBbXogE>(tT15XsYoH<ic(0iZB%`fr?1$sHan
z!vAZ{G<oB$e_tX(okY^6kbZ%yreN9%8Pt13oyU;9?hVk_j=pi|FdexJjMS!b|N4Wn
z)WVLScW-;th|_mS#WZY^q|gne+-j!w#2qsBN?1njZg_}`O?~=4@22!P=_*V({nWD6
zrum0~?0bzl^_0l(Jn*m!J1yM)f5y1l!$1uA#pAD_Hl7GA<s(mS91f*|vl2UM+4F--
zET8Q-JcX<+pOG~=Wh*8To1|)p(<zVO6h>~j-wa(-!b#aIYci2&&0)Lg33DTVLQvnE
zn*CIqcSbqVZm0Gw)URJcG8+nb*V|v8f{Dx&1o!&mBr>QRZt}sQ^T$KIP~06VTT8$A
zXZ6W!0QNvA*-@)KdLvY*W3{(oSwe>0%f!ROv0X8HEPygd7C;2OjFg(CWI((I1Lku0
zXB1%iW9~VwGSkd0Wr*|jV^wZ-&|+KMC&^{AXuTv1#El1v7@BiQZSAjI@QrS|LMr{r
zIEVNm?f>1qoO40Koj3c@)3gbdddwC%I|?34^S6TS7Q@25%m+Vz1d5VPX6b%Mj^xLB
z5e3g?2%8yT^wyg2QZ##HnjEW#&9AoZn4(S=qH&d8>ED~9i&a;eRAHf5ik(MpHm!Eq
zKcy!U=t-(CNME`qJ&FL#1yS_UOeTbUAk05xNJrm(!C;kHVkcm=5`<*Fqu{<K|8BPK
z$a#gMsf`IZIBzh-Qa!r)J9y8$CDdhB5l~VPiC=ysZTNbY$)Q@cofSwTQrX4A&NEA3
zMY(=Un_Sr%De3Wz#OnkGb77fV2oCTp;nVJf(@NF%hCI4}ZQB}++9qPr9|GL<G7L?q
zV5Q}^MsOhxI_Um;x%hQVWQzc*x0Bpc5Uxmdc6p#ajxSW#LPWPc60oDPw8jP_r-vi}
zX|*Jz)W&w3VO#&RHKdfax6))Iq~y2-1WX6!X@;uAK*S(M(-FdeTMENo>{IKs&xxX#
z&JDhdK%PejEWlj0l_v4FT7$`Kx@u1-DsyFprF+^YAL@%}wE|ZJPJgjHdb_+j6<qjj
z1J>Z8FY{vZ%eK{1ZfgXS2FscQ_xz6pJ=v4?whfj~04u0K^#3jvWo!X$UjAzJcCGiv
z<>I^_EWV%wbc+kGr&0M6rl`zcjexHN_(eECV~6i&3|^Qv6x*uMb^E~#>S6~x`y>tN
zo(JC={i4&tZ%cKx-ew8^&noGX6!rruMlnMUP>mp#!-Jad=a%BZ?!H(1-)o%{pJnuf
zX(a-Og;Xq^vl3-{>N`{t#;ReUvGU#SdfgTG&nU9p7lRp1&WG8d6-qkp_N7kJ7%!7<
zduOO?vvO}JqMdBdyX1DQ4Z<E}PC{G%p+Id^o}Kn^`XA*ri?Z+r+_CiW>mgnEdBx`A
z<oP`l?yQ>zYNB0*YvldFG-srB_H*+vs>4)^X8`AkrPu#V9cfn8%jgsk$d6#yk6X>W
zz;7Cgp&w(+KX!%6#+NTyfg2iO=3T~W+R7*I7<e#25~fcbb+*`RZM42Ukvv7N>@Q=s
zzp6SydD1eyT`g#1oK#g5DewBk>{(Z3Lv9n(L(;}8<;?Z19n>&sn3(Jtz)9as9;AjN
zvdpwCGCzP5T*nO=l_jf|eZB|PE&$?Syq%7iwe>)XKsOtj`kC{CvdPTZlP?#?qi1Aq
zGXyM6zYKfl{g)Kn*jjJIIZ|b9<yEIL>0Ow>;K^BzJqG1S6I_{Et(*&@)*((0v~{cN
zm<4^TPHm641C4zBrMX|a6(X#ZYRfNmsIX*by)!0`_Nf&ZFT2p4G6lbH-=1c(=_7-P
zB{UmsPu4>$VCr+nsz<Y-%?IK6{Ln`a=PsZd!gJza%+9zgnmVhaQ@GL$>~S|9vA3Fi
P9`7)}X#jllh)-%D3=)Ay

diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 55d47260..edcd500e 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -209,7 +209,7 @@ resource "kubernetes_deployment" "openclaw" {
       spec {
         service_account_name = kubernetes_service_account.openclaw.metadata[0].name
 
-        # Init container: Download tools + clone repo (parallelized)
+        # Init container: Download tools + clone repo (parallelized, cached on NFS)
         init_container {
           name  = "setup"
           image = "alpine:3.20"
@@ -217,9 +217,14 @@ resource "kubernetes_deployment" "openclaw" {
             set -e
             apk add --no-cache curl unzip git-crypt openssh-client git bash
 
-            # Install pip and Python packages for skills
-            python3 -m ensurepip 2>/dev/null || apk add --no-cache py3-pip
-            pip3 install --break-system-packages --target=/tools/python-libs requests caldav icalendar uptime-kuma-api
+            # Install Python packages (skip if already cached)
+            if [ ! -f /tools/python-libs/.installed ]; then
+              python3 -m ensurepip 2>/dev/null || apk add --no-cache py3-pip
+              pip3 install --break-system-packages --target=/tools/python-libs requests caldav icalendar uptime-kuma-api
+              touch /tools/python-libs/.installed
+            else
+              echo "Python packages already cached, skipping pip install"
+            fi
 
             # Copy OpenClaw config to writable home dir
             cp /openclaw-config-src/openclaw.json /openclaw-home/openclaw.json
@@ -230,21 +235,35 @@ resource "kubernetes_deployment" "openclaw" {
             chmod 600 /root/.ssh/id_rsa
             ssh-keyscan github.com >> /root/.ssh/known_hosts 2>/dev/null
 
-            # --- Run downloads and clone in parallel ---
+            # --- Download tools only if missing or version changed ---
             # kubectl
-            (curl -sL --retry 3 --retry-delay 5 "https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl" -o /tools/kubectl && chmod +x /tools/kubectl) &
-            PID_KUBECTL=$!
+            if [ ! -x /tools/kubectl ]; then
+              (curl -sL --retry 3 --retry-delay 5 "https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl" -o /tools/kubectl && chmod +x /tools/kubectl) &
+              PID_KUBECTL=$!
+            else
+              echo "kubectl already cached" & PID_KUBECTL=$!
+            fi
 
             # terraform
-            (curl -sL --retry 3 --retry-delay 5 "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" -o /tmp/tf.zip && unzip -q /tmp/tf.zip -d /tools && chmod +x /tools/terraform && rm /tmp/tf.zip) &
-            PID_TF=$!
+            if [ ! -x /tools/terraform ]; then
+              (curl -sL --retry 3 --retry-delay 5 "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" -o /tmp/tf.zip && unzip -q /tmp/tf.zip -d /tools && chmod +x /tools/terraform && rm /tmp/tf.zip) &
+              PID_TF=$!
+            else
+              echo "terraform already cached" & PID_TF=$!
+            fi
 
             # terragrunt
-            (curl -sL --retry 3 --retry-delay 5 "https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" -o /tools/terragrunt && chmod +x /tools/terragrunt) &
-            PID_TG=$!
+            if [ ! -x /tools/terragrunt ]; then
+              (curl -sL --retry 3 --retry-delay 5 "https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" -o /tools/terragrunt && chmod +x /tools/terragrunt) &
+              PID_TG=$!
+            else
+              echo "terragrunt already cached" & PID_TG=$!
+            fi
 
-            # git-crypt (already installed via apk)
-            cp /usr/bin/git-crypt /tools/git-crypt
+            # git-crypt
+            if [ ! -x /tools/git-crypt ]; then
+              cp /usr/bin/git-crypt /tools/git-crypt
+            fi
 
             # Clone/pull repo
             if [ ! -d /workspace/infra/.git ]; then
@@ -423,7 +442,10 @@ resource "kubernetes_deployment" "openclaw" {
 
         volume {
           name = "tools"
-          empty_dir {}
+          nfs {
+            server = var.nfs_server
+            path   = "/mnt/main/openclaw/tools"
+          }
         }
         volume {
           name = "openclaw-home"