Only recreate the orchestrator container on a real source change #382
Reference in New Issue
Block a user
Delete Branch "fix-orchestrator-recreate-drops-tokens"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #381.
Summary
OrchestratorService.ensure_running()(910267b8a8/bot_bottle/orchestrator/lifecycle.py) unconditionally recreated thebot-bottle-orchestratorcontainer on every bottle launch. That was added deliberately so bind-mounted code changes take effect (the control-plane process never reloads its source) — but the orchestrator's per-bottle egress auth tokens live only in that process's memory (Orchestrator._tokensinbot_bottle/orchestrator/service.py), never persisted to disk by design. So starting a second bottle while a first was already running recreated the container out from under it, silently wiping the first bottle's already-injected token. Its next authed egress request then 403s withenv var EGRESS_TOKEN_0 is unset, and it needs a full restart to recover — reproduced live in the session that filed #381.The fix mirrors the gateway's existing image-staleness check (
DockerGateway._running_image_is_current): the orchestrator container is now labeled with a content hash of its bind-mountedbot_bottlesource, andensure_runningonly recreates it when that hash no longer matches the running container's label — i.e. on an actual code change, not on every launch. A bottle launch that isn't accompanied by a code change now leaves a healthy orchestrator, and every other active bottle's in-memory tokens, alone.Testing
python3 -m unittest discover -s tests/unit -p "test_orchestrator*.py"— 113 tests pass, including two new/rewritten cases intest_orchestrator_lifecycle.pycovering the noop-when-unchanged and recreate-when-changed paths.npx pyright bot_bottle/orchestrator/lifecycle.py— 0 errors.@didericis-claude
This is a bad solution... we need a way to reprovision the secrets when an orchestrator gets rebuilt. Really should have that separate vault... but suppose this is ok for now.
Agreed — this PR is intentionally scoped to the specific bug (unnecessary recreation on every launch), not the broader problem of tokens surviving a real rebuild. A vault or out-of-process token store is the right fix for that, and worth a follow-up issue so it does not get lost.