fix(ci): reload Caddy via nsenter, not sudo systemctl

`sudo systemctl reload caddy` does not work from inside a DooD job
container: `systemctl` is absent from Ubuntu container images and
container processes cannot reach the host systemd without entering its
namespaces. Replace with `docker run --privileged --pid=host ubuntu:22.04
nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy`, which uses
the already-mounted Docker socket to spin up a privileged sibling
container that enters the host PID namespace via nsenter. Tested live on
the Hetzner VPS. No sudoers entry required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Marcel
2026-05-11 22:28:24 +02:00
parent 432ae2ac83
commit 99de6f1d07


@@ -105,11 +105,23 @@ jobs:
# header or a still-proxied /actuator route rather than confirming # header or a still-proxied /actuator route rather than confirming
# the current config is live. # the current config is live.
# #
# `systemctl reload caddy` sends SIGHUP; Caddy re-reads /etc/caddy/Caddyfile # The runner executes job steps inside Docker containers (DooD).
# (symlinked to infra/caddy/Caddyfile) without dropping connections. # `systemctl` is not present in Ubuntu container images and cannot
# If Caddy is not running this step fails fast and clearly before the # reach the host's systemd directly. We use the Docker socket
# smoke test issues a misleading "port 443 refused" error. # (mounted into every job container via runner-config.yaml) to spin
run: sudo systemctl reload caddy # up a privileged sibling container in the host PID namespace;
# nsenter then enters the host's namespaces so systemctl talks to
# the real host systemd daemon. No sudoers entry is required — the
# Docker socket already grants root-equivalent host access.
#
# `systemctl reload caddy` sends SIGHUP; Caddy re-reads
# /etc/caddy/Caddyfile (symlinked to infra/caddy/Caddyfile) without
# dropping connections. If Caddy is not running this step fails fast
# before the smoke test issues a misleading "port 443 refused" error.
run: |
docker run --rm --privileged --pid=host \
ubuntu:22.04 \
nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy
- name: Smoke test deployed environment - name: Smoke test deployed environment
# Healthchecks confirm containers are healthy; they do NOT confirm the # Healthchecks confirm containers are healthy; they do NOT confirm the
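Review bot: the `docker run --rm --privileged --pid=host ubuntu:22.04` step in this hunk pulls an unpinned image that is then run as host root with every namespace entered; pin it by digest (`ubuntu:22.04@sha256:<digest>`) or use the runner host's own already-present image so that a retagged or compromised upstream image cannot become host root on the VPS. The new comment block also states the underlying exposure plainly ("the Docker socket already grants root-equivalent host access", mounted "into every job container via runner-config.yaml"); that is worth carrying into the job-level documentation as a constraint on which triggers may run this workflow, since any step in any job on this runner, not only this reload step, can execute the same `nsenter -t 1 -m -u -n -p -i` sequence against the host. Minor: the reload is unconditional, so a Caddyfile change with a syntax error will be reported only by the smoke test that follows; running `caddy validate` against `/etc/caddy/Caddyfile` inside the same nsenter invocation before the reload would surface that earlier, consistent with the "fails fast and clearly" intent of the comment.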