self updater manual update boundaries

Author: cabaucom376

backend/api/handlers/system.go

@@ -505,6 +505,15 @@ func (h *SystemHandler) CheckUpgradeAvailable(ctx context.Context, input *CheckU
 	canUpgrade, err := h.upgradeService.CanUpgrade(ctx)
 	if err != nil {
 		slog.Debug("System upgrade check failed", "error", err)
+		if errors.Is(err, services.ErrManualUpdateRequired) {
+			return &CheckUpgradeOutput{
+				Body: UpgradeCheckResultData{
+					CanUpgrade: false,
+					Error:      false,
+					Message:    strings.TrimPrefix(err.Error(), services.ErrManualUpdateRequired.Error()+": "),
+				},
+			}, nil
+		}
 		return &CheckUpgradeOutput{
 			Body: UpgradeCheckResultData{
 				CanUpgrade: false,
@@ -547,6 +556,9 @@ func (h *SystemHandler) TriggerUpgrade(ctx context.Context, input *TriggerUpgrad
 		if errors.Is(err, services.ErrUpgradeInProgress) {
 			return nil, huma.Error409Conflict((&common.UpgradeTriggerError{Err: err}).Error())
 		}
+		if errors.Is(err, services.ErrManualUpdateRequired) {
+			return nil, huma.Error409Conflict(strings.TrimPrefix(err.Error(), services.ErrManualUpdateRequired.Error()+": "))
+		}
 
 		return nil, huma.Error500InternalServerError((&common.UpgradeTriggerError{Err: err}).Error())
 	}

backend/cli/upgrade/upgrade.go

@@ -419,6 +419,18 @@ func upgradeContainer(ctx context.Context, dockerClient *client.Client, oldConta
 		return fmt.Errorf("stop old container: %w", err)
 	}
 
+	if shouldRunMigratorForContainerInternal(oldContainer) {
+		fmt.Println("PROGRESS:73:Running database migrator")
+		slog.Info("Running database migrator before starting new container", "image", newImage)
+		if err := runMigratorContainerInternal(ctx, dockerClient, oldContainer, newImage, hostConfig, networkConfig, apiVersion); err != nil {
+			_, _ = dockerClient.ContainerStart(ctx, oldContainer.ID, client.ContainerStartOptions{})
+			_, _ = dockerClient.ContainerRename(ctx, oldContainer.ID, client.ContainerRenameOptions{NewName: originalName})
+			return fmt.Errorf("run database migrator: %w", err)
+		}
+	} else {
+		slog.Info("Skipping database migrator for non-server Arcane target", "container", originalName)
+	}
+
 	fmt.Println("PROGRESS:75:Creating new container")
 	slog.Info("Creating new container", "name", originalName)
 	resp, err := libarcane.ContainerCreateWithCompatibilityForAPIVersion(ctx, dockerClient, client.ContainerCreateOptions{
@@ -460,6 +472,86 @@ func upgradeContainer(ctx context.Context, dockerClient *client.Client, oldConta
 	return nil
 }
 
+func shouldRunMigratorForContainerInternal(cont container.InspectResponse) bool {
+	if cont.Config == nil {
+		return false
+	}
+
+	return !isAgentContainer(cont)
+}
+
+func runMigratorContainerInternal(
+	ctx context.Context,
+	dockerClient *client.Client,
+	oldContainer container.InspectResponse,
+	image string,
+	baseHostConfig *container.HostConfig,
+	networkConfig *network.NetworkingConfig,
+	apiVersion string,
+) error {
+	if oldContainer.Config == nil {
+		return fmt.Errorf("container config is unavailable")
+	}
+
+	migratorConfig := *oldContainer.Config
+	migratorConfig.Image = image
+	migratorConfig.Entrypoint = []string{"/app/arcane-migrator"}
+	migratorConfig.Cmd = []string{"up"}
+	migratorConfig.ExposedPorts = nil
+	migratorConfig.Healthcheck = nil
+
+	migratorHostConfig := &container.HostConfig{}
+	if baseHostConfig != nil {
+		copiedHostConfig := *baseHostConfig
+		migratorHostConfig = &copiedHostConfig
+	}
+	migratorHostConfig.AutoRemove = false
+	migratorHostConfig.PortBindings = nil
+	migratorHostConfig.PublishAllPorts = false
+	migratorHostConfig.RestartPolicy = container.RestartPolicy{Name: "no"}
+
+	migratorName := fmt.Sprintf("%s-migrator-%d", strings.TrimPrefix(oldContainer.Name, "/"), time.Now().UnixNano())
+	resp, err := libarcane.ContainerCreateWithCompatibilityForAPIVersion(ctx, dockerClient, client.ContainerCreateOptions{
+		Config:           &migratorConfig,
+		HostConfig:       migratorHostConfig,
+		NetworkingConfig: networkConfig,
+		Name:             migratorName,
+	}, apiVersion)
+	if err != nil {
+		return fmt.Errorf("create migrator container: %w", err)
+	}
+
+	removeMigrator := true
+	defer func() {
+		if removeMigrator {
+			if _, err := dockerClient.ContainerRemove(ctx, resp.ID, client.ContainerRemoveOptions{Force: true}); err != nil {
+				slog.Warn("Failed to remove migrator container", "id", resp.ID[:12], "error", err)
+			}
+		}
+	}()
+
+	if _, err := dockerClient.ContainerStart(ctx, resp.ID, client.ContainerStartOptions{}); err != nil {
+		return fmt.Errorf("start migrator container: %w", err)
+	}
+
+	waitResult := dockerClient.ContainerWait(ctx, resp.ID, client.ContainerWaitOptions{Condition: container.WaitConditionNotRunning})
+	select {
+	case err := <-waitResult.Error:
+		if err != nil {
+			return fmt.Errorf("wait for migrator container: %w", err)
+		}
+	case status := <-waitResult.Result:
+		if status.StatusCode != 0 {
+			return fmt.Errorf("migrator container exited with status %d", status.StatusCode)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+
+	slog.Info("Database migrator completed successfully", "container", migratorName)
+	return nil
+}
+
 // looksLikeContainerID checks if a string looks like a Docker container ID
 // (12 or 64 lowercase hex characters, which Docker auto-generates as hostnames)
 func looksLikeContainerID(s string) bool {

backend/internal/services/system_upgrade_service.go

@@ -21,11 +21,12 @@ import (
 )
 
 var (
-	ErrNotRunningInDocker = errors.New("arcane is not running in a Docker container")
-	ErrContainerNotFound  = errors.New("could not find Arcane container")
-	ErrUpgradeInProgress  = errors.New("an upgrade is already in progress")
-	ErrDockerSocketAccess = errors.New("docker socket is not accessible")
-	ArcaneUpgraderImage   = "ghcr.io/getarcaneapp/arcane:latest"
+	ErrNotRunningInDocker   = errors.New("arcane is not running in a Docker container")
+	ErrContainerNotFound    = errors.New("could not find Arcane container")
+	ErrUpgradeInProgress    = errors.New("an upgrade is already in progress")
+	ErrDockerSocketAccess   = errors.New("docker socket is not accessible")
+	ErrManualUpdateRequired = errors.New("manual update required")
+	ArcaneUpgraderImage     = "ghcr.io/getarcaneapp/arcane:latest"
 )
 
 type SystemUpgradeService struct {
@@ -70,40 +71,61 @@ func (s *SystemUpgradeService) CanUpgrade(ctx context.Context) (bool, error) {
 		return false, err
 	}
 
+	if err := s.checkManualUpdateRequirement(ctx); err != nil {
+		return false, err
+	}
+
 	return true, nil
 }
 
 // TriggerUpgradeViaCLI spawns the upgrade CLI command in a separate container
 // This avoids self-termination issues by running the upgrade from outside
 func (s *SystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, user models.User) error {
+	return s.TriggerUpgradeViaCLIForContainer(ctx, user, "")
+}
+
+// TriggerUpgradeViaCLIForContainer spawns the upgrade CLI command targeting a
+// specific Arcane container. An empty container ID keeps the legacy self-targeting behavior.
+func (s *SystemUpgradeService) TriggerUpgradeViaCLIForContainer(ctx context.Context, user models.User, containerID string) error {
+	if err := s.checkManualUpdateRequirement(ctx); err != nil {
+		return err
+	}
+
 	if !s.upgrading.CompareAndSwap(false, true) {
 		return ErrUpgradeInProgress
 	}
 	defer s.upgrading.Store(false)
 
-	// Get current container name
-	containerId, err := s.getCurrentContainerID()
-	if err != nil {
-		return fmt.Errorf("get current container: %w", err)
+	targetContainerID := strings.TrimSpace(containerID)
+	if targetContainerID == "" {
+		var err error
+		targetContainerID, err = s.getCurrentContainerID()
+		if err != nil {
+			return fmt.Errorf("get current container: %w", err)
+		}
 	}
 
-	currentContainer, err := s.findArcaneContainer(ctx, containerId)
+	targetContainer, err := s.findArcaneContainer(ctx, targetContainerID)
 	if err != nil {
 		return fmt.Errorf("inspect container: %w", err)
 	}
 
-	containerName := strings.TrimPrefix(currentContainer.Name, "/")
+	logContainerID := targetContainer.ID
+	if logContainerID == "" {
+		logContainerID = targetContainerID
+	}
+	containerName := strings.TrimPrefix(targetContainer.Name, "/")
 
 	// Determine binary path based on container type (agent vs main)
 	binaryPath := "/app/arcane"
-	if currentContainer.Config != nil {
-		binaryPath = determineUpgradeBinaryPathInternal(currentContainer.Config.Labels)
+	if targetContainer.Config != nil {
+		binaryPath = determineUpgradeBinaryPathInternal(targetContainer.Config.Labels)
 	}
 
 	// Log upgrade event
 	metadata := models.JSON{
 		"action":        "system_upgrade_cli",
-		"containerId":   containerId,
+		"containerId":   logContainerID,
 		"containerName": containerName,
 		"method":        "cli",
 	}
@@ -113,8 +135,8 @@ func (s *SystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, user mo
 
 	// Use the same image reference as the currently running Arcane container for the upgrader.
 	// This avoids mismatches where a newer/older upgrader CLI expects different behavior.
-	if currentContainer.Config != nil {
-		if img := strings.TrimSpace(currentContainer.Config.Image); img != "" {
+	if targetContainer.Config != nil {
+		if img := strings.TrimSpace(targetContainer.Config.Image); img != "" {
 			ArcaneUpgraderImage = img
 		}
 	}
@@ -154,7 +176,7 @@ func (s *SystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, user mo
 	slog.Info("Upgrader image pulled successfully", "image", ArcaneUpgraderImage)
 
 	// Try to get the /app/data mount from current container so upgrade logs persist.
-	appDataMount := dockerutils.MountForDestination(currentContainer.Mounts, "/app/data", "/app/data")
+	appDataMount := dockerutils.MountForDestination(targetContainer.Mounts, "/app/data", "/app/data")
 	if appDataMount == nil {
 		slog.Warn("Could not detect /app/data mount; upgrader logs may not persist")
 	} else {
@@ -210,6 +232,22 @@ func (s *SystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, user mo
 	return nil
 }
 
+func (s *SystemUpgradeService) checkManualUpdateRequirement(ctx context.Context) error {
+	if s.versionService == nil {
+		return nil
+	}
+
+	required, message := s.versionService.ManualUpdateRequirement(ctx, "", "")
+	if !required {
+		return nil
+	}
+	if strings.TrimSpace(message) == "" {
+		message = ErrManualUpdateRequired.Error()
+	}
+
+	return fmt.Errorf("%w: %s", ErrManualUpdateRequired, message)
+}
+
 func determineUpgradeBinaryPathInternal(labels map[string]string) string {
 	if libupdater.IsArcaneAgentContainer(labels) {
 		return "/app/arcane-agent"

backend/internal/services/system_upgrade_service_test.go

@@ -39,12 +39,14 @@ func TestSystemUpgradeService_ErrorVariables(t *testing.T) {
 	require.Error(t, ErrContainerNotFound)
 	require.Error(t, ErrUpgradeInProgress)
 	require.Error(t, ErrDockerSocketAccess)
+	require.Error(t, ErrManualUpdateRequired)
 
 	// Test error messages
 	require.Equal(t, "arcane is not running in a Docker container", ErrNotRunningInDocker.Error())
 	require.Equal(t, "could not find Arcane container", ErrContainerNotFound.Error())
 	require.Equal(t, "an upgrade is already in progress", ErrUpgradeInProgress.Error())
 	require.Equal(t, "docker socket is not accessible", ErrDockerSocketAccess.Error())
+	require.Equal(t, "manual update required", ErrManualUpdateRequired.Error())
 }
 
 // TestSystemUpgradeService_UpgradingFlag_ConcurrentAccess tests upgrading flag

backend/internal/services/updater_service.go

@@ -47,7 +47,7 @@ type UpdaterService struct {
 }
 
 type selfUpgradeService interface {
-	TriggerUpgradeViaCLI(ctx context.Context, user models.User) error
+	TriggerUpgradeViaCLIForContainer(ctx context.Context, user models.User, containerID string) error
 }
 
 // NewUpdaterService constructs an UpdaterService with the dependencies needed
@@ -1617,7 +1617,7 @@ func (s *UpdaterService) triggerSelfUpdateViaCLIInternal(ctx context.Context, so
 		"container", containerName,
 		"instanceType", instanceType)
 
-	if err := s.upgradeService.TriggerUpgradeViaCLI(ctx, systemUser); err != nil {
+	if err := s.upgradeService.TriggerUpgradeViaCLIForContainer(ctx, systemUser, containerID); err != nil {
 		wrappedErr := fmt.Errorf("CLI upgrade failed: %w", err)
 		slog.WarnContext(ctx, source+": CLI upgrade failed",
 			"containerId", containerID,

backend/internal/services/updater_service_test.go

@@ -29,10 +29,11 @@ import (
 
 // mockSystemUpgradeService is a simple mock implementation for testing
 type mockSystemUpgradeService struct {
-	triggerCalled bool
-	triggerError  error
-	capturedUser  *models.User
-	canUpgrade    bool
+	triggerCalled       bool
+	triggerError        error
+	capturedUser        *models.User
+	capturedContainerID string
+	canUpgrade          bool
 }
 
 func (m *mockSystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, user models.User) error {
@@ -41,6 +42,13 @@ func (m *mockSystemUpgradeService) TriggerUpgradeViaCLI(ctx context.Context, use
 	return m.triggerError
 }
 
+func (m *mockSystemUpgradeService) TriggerUpgradeViaCLIForContainer(ctx context.Context, user models.User, containerID string) error {
+	m.triggerCalled = true
+	m.capturedUser = &user
+	m.capturedContainerID = containerID
+	return m.triggerError
+}
+
 func (m *mockSystemUpgradeService) CanUpgrade(ctx context.Context) (bool, error) {
 	return m.canUpgrade, nil
 }
@@ -88,6 +96,7 @@ func TestUpdaterService_ArcaneAgentLabel_TriggersCLIUpgrade(t *testing.T) {
 	assert.True(t, mockUpgrade.triggerCalled, "TriggerUpgradeViaCLI should have been called for Arcane agent container")
 	assert.NotNil(t, mockUpgrade.capturedUser)
 	assert.Equal(t, systemUser.ID, mockUpgrade.capturedUser.ID)
+	assert.Equal(t, "container-1", mockUpgrade.capturedContainerID)
 }
 
 // TestUpdaterService_NonArcaneLabel_DoesNotTriggerCLI verifies that containers without