admin/felhom-controller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

slice 8C C.3: de-privilege the controller container (legacy docker-setup template) + CHANGELOG (v0.37.0)

Browse Source 
Dropped privileged:true + /mnt rshared + /sys + /dev + /etc/fstab + /run/udev
from the bare-metal compose template (controller no longer does disk ops). The
golden bootstrap run was already minimal (8A). Slice 8 CLOSED on the controller.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-06-10 13:59:26 +02:00
parent abe4e8e619
commit 6d267b3e4d
2 changed files with 46 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+41
View File
@@ -1,5 +1,46 @@
## Changelog
### v0.37.0 — slice 8C: controller de-privileging + disk management via the agent (2026-06-10)
The in-guest controller half of slice 8C (closes slice 8). The disk-execution subsystem moves to
the host agent (`felhom-agent` v0.12.0); the controller becomes **Docker-only with no disk
privileges** and drives disk management through the agent's local API. ~12.3k LOC retired.
#### Added
- **`internal/web/agent_disk_handlers.go`** — agent-backed disk API (`ServeDiskAPI`): `GET
/api/disks` (list + data-bearing flags), `POST /api/disks/assign` (mount), `POST /api/disks/eject`
(unmount + dependent-guest warning), `POST /api/disks/format`. Thin proxies over the slice-8A
`agentapi` client (leaf-pinned, own token). **Execution is the agent's**; the UX stays here.
A data-bearing format refusal (`agentapi.ErrFormatRefused`) is surfaced as **HTTP 409 "operator
authorization required"** (the 8C invariant — the agent inspects the device; the controller's
claim is irrelevant).
- **`internal/agentapi`**: `Disks`/`AssignDisk`/`EjectDisk`/`FormatDisk` + `ErrFormatRefused`.
#### Retired (moved to the host agent / obsolete)
- **`internal/storage/`** — the entire package (scan/format/attach/migrate/safety, DriveMigrator).
- **`internal/backup/`** — restic (`ResticManager`), `crossdrive` (`CrossDriveRunner`),
`restore_drives*`, `disk_layout`, `local_infra`, `restore_scan`, the restic path helpers, and the
drive-restore `restore_app*`. **`backup.Manager` surgically split to app-data only**: kept DB
dumps, Docker-volume tars, and per-app restore; dropped restic snapshots, cross-drive, per-drive
repo stats, integrity check, snapshot history. `RestoreApp` now restores from the on-disk
volume-tar dumps (snapshot/restic restore is the agent's domain).
- **`internal/report/infra_backup*` + `infra_pull`** (kept the setup fresh-install config download as
`config_pull.go`); **`internal/setup/scanner.go`** + the wizard's drive-recovery flows (restore is
the agent's job now); **`internal/monitor/watchdog.go` + `pinger.go`** (storage watchdog →
agent; Healthchecks.io pinging → the Hub owns monitoring); **`web/storage_handlers.go` +
`handler_restore.go`** (replaced by the thin agent-backed disk API).
- Wiring dropped from `main.go` / `api/router.go` / `web/server.go`: CrossDriveRunner, DriveMigrator,
storage watchdog, infra-backup push, the restic backup scheduler jobs (kept the **db-dump** job).
#### De-privileged
- `scripts/docker-setup.sh` controller compose template: dropped `privileged: true`, the `/mnt`
rshared bind, `/sys`, `/dev`, `/etc/fstab`, `/run/udev`. The golden's bootstrap `docker run`
(felhom-agent `build-golden.sh`) was already minimal (bootstrap config + data + docker socket).
#### Tests / build
- `go build ./...` + `go test ./...` green (app-data backup / stacks / quiesce / bootstrap / agentapi
/ disk-client tests pass). The data-bearing-format refusal is proven in `agentapi` tests.
### v0.36.0 — slice 8B: app-consistent backup quiesce loop (stack-stop) (2026-06-10)
The in-guest controller half of slice 8B (doc 03 §6/§8). Pairs with `felhom-agent` v0.11.0. An