From 5a2ebf991ca6ff8d565a6ee9fe6c9ebbe2f8af23 Mon Sep 17 00:00:00 2001
From: Josh Knapp
Date: Tue, 12 May 2026 16:08:44 -0700
Subject: [PATCH] ci: mirror python:3.12-slim into in-house registry

docker.io serves image blobs from Cloudflare R2. The 2026-05-12 Cloudflare incident took out blob pulls for hours and broke this image's Gitea CI build mid-way through the haproxy-manager gunicorn migration (commit bdd7d2f). With the base image mirrored at repo.anhonesthost.net, CI builds no longer depend on docker.io reachability. Refresh procedure documented in the Dockerfile comment block. Manual re-push monthly or when Python patches drop. A future Gitea Action could automate the pull-tag-push so we always have a current base.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 Dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b1dc26d..2df21ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,14 @@
-FROM python:3.12-slim
+# Base image mirrored into the in-house registry to remove docker.io
+# (Cloudflare R2) as a single point of failure for CI builds. The 2026-05-12
+# Cloudflare incident took down docker.io blob pulls and broke this image's CI.
+# Refresh procedure (run on a workstation that can reach docker.io, e.g.
+# monthly or when Python patches drop):
+# docker pull docker.io/library/python:3.12-slim
+# docker tag docker.io/library/python:3.12-slim \
+# repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
+# docker push repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
+# Future improvement: a scheduled Gitea Action that does the above automatically.
+FROM repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
 RUN apt update -y && apt dist-upgrade -y && apt install socat haproxy cron certbot curl jq net-tools -y && apt clean && rm -rf /var/lib/apt/lists/*
 WORKDIR /haproxy
 COPY ./templates /haproxy/templates
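Review bot: The new `FROM repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim` pulls a mutable tag that is re-pushed by hand from a workstation, so CI builds on whatever was last pushed under that name and nothing in the file ties it to the upstream image. Pinning the digest that `docker push` reports would make the base reproducible and turn each refresh into a reviewed change, e.g. `FROM repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim@sha256:<digest-from-push>`. The refresh comment could then end with `# After pushing, update the @sha256 digest on the FROM line below.` Because the refresh is manual and roughly monthly, the mirrored image can lag upstream patch releases. The `apt dist-upgrade` in the following RUN line refreshes Debian packages but presumably not the Python interpreter shipped in the base image, so the comment block should name an owner for the refresh or a staleness check.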