stack/docker
Bilal Godil a65022b8f7 emulator fast-start via VM snapshot + live secret rotation
Ships a compressed RAM/device snapshot (stack-emulator-<arch>.savevm.zst)
alongside the qcow2. `emulator start` resumes from it and rotates the
per-install secrets in place, taking cold-boot from 30-120s to ~6-7s.

Build phase adds a STACKCFG runtime ISO so stack.service can boot during
image creation, starts qemu-guest-agent so its virtio-serial port stays
open in the snapshot, then stop+migrate file:+quit via QMP.

Runtime sends fresh secrets through QGA guest-exec input-data, which pipes
them to trigger-fast-rotate and rotate-secrets inside the container:
targeted sed on the placeholder PCK in built JS, UPDATE on the internal
ApiKeySet, supervisorctl restart stack-app + cron-jobs. Placeholder hex
values are baked in instead of random keys under STACK_EMULATOR_BUILD_SNAPSHOT=1
so no real secret ships in the snapshot.

Device topology and SMP must match at capture and resume; runtime adds
phantom seed/bundle drives and pins SMP=4. Cold-boot fallback kicks in
automatically when the snapshot is missing, corrupt, or incompatible.

supervisord.conf now uses stopasgroup/killasgroup for stack-app and
cron-jobs so supervisor restart actually kills the Node children (they
were keeping their port bindings and breaking rotation).
2026-04-15 11:49:52 -07:00
| Name | Last commit | Date |
| --- | --- | --- |
| backend | Backend fallback (cloud run) (#1306) | 2026-04-11 00:57:37 +00:00 |
| dependencies | pin adobe/s3mock to 4.12.2 to fix CI bucket creation (#1314) | 2026-04-08 11:10:05 -07:00 |
| dev-postgres-replica | External db sync (#1036) | 2026-02-05 12:04:31 -08:00 |
| dev-postgres-with-extensions | Sign up rules (#1138) | 2026-02-03 11:08:24 -08:00 |
| local-emulator | emulator fast-start via VM snapshot + live secret rotation | 2026-04-15 11:49:52 -07:00 |
| mock-oauth-server | Local emulator (#422) | 2025-02-13 18:57:02 +01:00 |
| server | emulator fast-start via VM snapshot + live secret rotation | 2026-04-15 11:49:52 -07:00 |