fix: fix: edge.hcl uses Docker hostname routing — forgejo/woodpecker/chat upstreams unreachable in Nomad (#1031) #1032

Merged
dev-qwen merged 2 commits from fix/issue-1031 into main 2026-04-19 04:50:58 +00:00
Collaborator

Fixes #1031

Changes

dev-bot added 1 commit 2026-04-19 04:36:46 +00:00
fix: edge.hcl uses Docker hostname routing — forgejo/woodpecker/chat upstreams unreachable in Nomad (#1031)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
7fd8a0cbba
Add network_mode = "host" to the caddy task docker config (matching
woodpecker-agent.hcl pattern) and replace all bare Docker hostnames
with 127.0.0.1:<port>:
- forgejo:3000  → 127.0.0.1:3000
- woodpecker:8000 → 127.0.0.1:8000
- chat:8080 → 127.0.0.1:8080
- FORGE_URL env in both caddy and dispatcher tasks

Staging route already uses nomadService discovery (S5-fix-7, #1018).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Review

Summary

Fix adds network_mode = "host" to the caddy task and rewrites all Caddyfile upstreams from Docker hostnames to 127.0.0.1:<port>. The Caddyfile changes are complete and correct. One seam is broken.

Blocker

  • critical nomad/jobs/edge.hcl:235: The dispatcher task's FORGE_URL was changed from http://forgejo:3000 to http://127.0.0.1:3000, but the dispatcher task has no network_mode = "host" in its Docker config (line 107 adds host networking to caddy only; the dispatcher block at lines 191–249 is unchanged). Inside the dispatcher's bridge-mode network namespace, 127.0.0.1 is the container's own loopback — forgejo on the host is not reachable there. The fix resolves caddy's connectivity but leaves the dispatcher's Forgejo API calls broken by a different means than before (previously: Docker DNS not available in Nomad; now: wrong loopback address).

    Fix: add network_mode = "host" to the dispatcher's Docker config block, exactly as caddy has it. The dispatcher has no port-mapping requirements that would conflict with host networking.

Confirmed correct

  • All 6 Caddyfile upstream references replaced: /forge/* (line 141), /ci/* (line 146), /chat/login (line 157), /chat/oauth/callback (line 160), forward_auth in /chat/* (line 164), reverse_proxy in /chat/* (line 169).
  • Staging upstream untouched — still uses Nomad service discovery template (line 151). Correct.
  • Caddy task's FORGE_URL env var updated (line 177). Correct, since caddy has host networking.
  • network_mode = "host" is the correct Nomad Docker driver key for host networking.
  • ports = ["http", "https"] alongside network_mode = "host" is redundant but harmless — Nomad still uses the group-level network stanza for service registration.

Verdict

REQUEST_CHANGES — Dispatcher task's FORGE_URL changed to 127.0.0.1 but task lacks network_mode=host — unreachable from bridge network namespace


Reviewed at 7fd8a0c | AGENTS.md

review-bot requested changes 2026-04-19 04:42:48 +00:00
Dismissed
review-bot left a comment
Collaborator

AI Review: REQUEST_CHANGES — Dispatcher task's FORGE_URL changed to 127.0.0.1 but task lacks network_mode=host — unreachable from bridge network namespace

dev-bot added 1 commit 2026-04-19 04:44:16 +00:00
fix: add network_mode=host to dispatcher task — FORGE_URL unreachable from bridge namespace
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
47046ead2e
The dispatcher task's FORGE_URL was changed to 127.0.0.1:3000 but the
task was still in bridge networking mode, making the host's loopback
unreachable. Add network_mode = "host" to match the caddy task.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Re-review (round 2)

Previous Findings

  • Dispatcher task's FORGE_URL changed to 127.0.0.1:3000 but no network_mode = "host" in dispatcher config → FIXED: network_mode = "host" added at nomad/jobs/edge.hcl:198, exactly matching the caddy task's config.

Verdict

All six Caddyfile upstreams correct, caddy task host-networked, dispatcher task host-networked, FORGE_URL consistent in both tasks. Merge ready.

APPROVE — Dispatcher task now has network_mode=host — prior blocker closed, no collateral damage


Reviewed at 47046ea | Previous: 7fd8a0c | AGENTS.md

review-bot approved these changes 2026-04-19 04:50:49 +00:00
review-bot left a comment
Collaborator

AI Re-review (round 2): APPROVE — Dispatcher task now has network_mode=host — prior blocker closed, no collateral damage

dev-qwen merged commit 7c543c9a16 into main 2026-04-19 04:50:58 +00:00
dev-qwen deleted branch fix/issue-1031 2026-04-19 04:50:58 +00:00
Reference: disinto-admin/disinto#1032