diff --git a/.gitattributes b/.gitattributes index ffcc340..eb7a120 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,3 +6,6 @@ # Shell scripts MUST be LF -- a CRLF shebang or command line breaks execution. *.sh text eol=lf *.py text eol=lf + +# Binary artifacts must never be EOL-normalized (DOCFIX-071 ships a committed zip). +*.zip binary diff --git a/.gitignore b/.gitignore index 9400355..2709393 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -# Local artifacts / secrets — must never be committed +# Local artifacts / secrets -- must never be committed *-openrc *.tar.gz *.tar.zst diff --git a/bundle.yaml b/bundle.yaml index c6bd4b4..cee28e1 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -18,7 +18,7 @@ # REMOVED -- the etcd backend was never used (live storage = mysql) and is moot at # 1 unit; HA backend (Raft vs etcd) is a Roosevelt rehearsal item. (C1; revises D-006) # Ceph networks: FULL separation via network-space BINDINGS -- ceph-mon/ceph-osd public->storage -# (10.12.16.0/22), ceph-osd cluster->replication (10.12.20.0/22). Bindings, NOT +# (10.12.32.0/22), ceph-osd cluster->replication (10.12.36.0/22). Bindings, NOT # ceph-*-network config, so the LXD-contained mon actually gets a storage NIC. # Clients bind ceph->storage; container principals carry it too (subset rule). (C2) # Magnum: Layer A only -- CAPI driver graft is Layer B (runbooks/phase-06..08) @@ -157,6 +157,12 @@ # ===================================================================== keystone: + # DOCFIX-071: the D-051/D-064 SCS Domain Manager policy ships WITH the deploy -- + # a manual post-deploy attach-resource proved unreachable from the schedule. + # Keep policies/overrides.zip in sync with domain-manager-policy.yaml + # (provider-bundle-check.py enforces the content match). + resources: + policyd-override: ./policies/overrides.zip charm: keystone channel: 2024.1/stable num_units: 1 # 3 on Roosevelt (D-009) 
diff --git a/docs/as-executed-log-convention.md b/docs/as-executed-log-convention.md new file mode 100644 index 0000000..e9e0cff --- /dev/null +++ b/docs/as-executed-log-convention.md @@ -0,0 +1,30 @@ +# As-executed log convention (DOCFIX-076) + +The verbatim-retrieval rule -- "for irreversible / one-shot / secret steps, +retrieve the exact prior working command verbatim, never improvise" (the +DOCFIX-006 vault-init loss is the cautionary tale) -- is only as strong as the +artifact it retrieves from. Until now "the as-executed log" was a habit with no +defined location, format, or retention. This defines it. + +WHERE: jumphost, `~/as-executed/-
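Review bot: In the bundle.yaml header comment (hunk at -18,7), the Ceph storage and replication CIDRs change from 10.12.16.0/22 and 10.12.20.0/22 to 10.12.32.0/22 and 10.12.36.0/22 with no decision or DOCFIX reference, while the neighbouring comment lines carry tags such as (C1; revises D-006) and (C2). The comment itself says the separation is done through space bindings, not ceph-*-network config, so these literal subnets are documentation only and can drift from the real space definitions. Please cite the change that renumbered the spaces, or point to where the spaces are defined instead of repeating the CIDRs. Nothing in the visible diff ties this renumbering to DOCFIX-071, so it would be easier to audit as its own commit.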
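Review bot: In the keystone stanza of bundle.yaml (hunk at -157,6), the `policyd-override` resource is attached but the visible lines do not show `use-policyd-override: true` under the application's options. The charm does not apply the resource unless that option is enabled, so confirm it is set further down in the stanza or add it in this change. Because policies/overrides.zip is an opaque binary that changes Keystone policy, the content match against domain-manager-policy.yaml that the comment attributes to provider-bundle-check.py should be a blocking step before deploy, and the comment should say where that check is invoked.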
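Review bot: In docs/as-executed-log-convention.md, the opening paragraph puts "secret steps" in scope for verbatim command retrieval, and the WHERE line places the log under a home directory on the jumphost, so the log can end up holding credentials from steps like the vault init it cites. If the rest of the file does not already cover it, state the required file permissions on the log directory, what must be redacted (secret values and command output, as opposed to the command line itself), and who may read the retained logs.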