1
0
Fork 0
mirror of https://github.com/imjasonh/kontain.me synced 2026-07-07 00:32:28 +00:00
Commit graph

120 commits

Author SHA1 Message Date
977420c74d git: document incremental plan/blockers; some deps work
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-15 10:30:35 -04:00
c7ea6912f0 fix some tests
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-13 22:19:59 -04:00
c90342181d fix upload-pack negotiation for stateless-RPC
Three related bugs in the git smart-HTTP upload-pack handler surfaced as
'bad band #78', 60s 504 hangs, and "expected ACK/NAK, got '?PACK'" when
fetching after previous pulls.

- Don't advertise no-done; we don't implement the ACK ready handshake.
- With multi_ack_detailed, don't emit per-round NAKs — only the final
  one after 'done'. Per-round NAKs make the client treat the first as
  the transition to sideband pack data, then choke on the second.
- Break out of the negotiation loop when a round reads no content
  (client closed without 'done') so we don't spin on EOF.
- Only emit pack data when 'done' was actually received. Non-final
  rounds get just NAK so HTTP keep-alive doesn't desync the next round.

Also trigger null_resource.test on the ko_build image digest so tests
re-run on every deploy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 21:54:40 -04:00
ac854e7f67 git: use ref in cache key
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-13 18:08:57 -04:00
c99a73b556 redirect to github url
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-13 17:12:22 -04:00
83808c437f move infinite-git and infinite-go into this repo
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-13 17:01:52 -04:00
2b7bb23ae2 git: annotate the checkout layer with the resolved commit, source, and ref
gitLayer now returns the commit it checked out (dereferencing annotated
tags). build records it, the clone URL, and the ref name as
me.kontain.git.{commit,source,ref} annotations on the checkout layer's
manifest descriptor, so the commit a :branch / :tag / :latest pull
resolved to is visible from the image manifest. The test now also checks
gitLayer's returned commit matches what resolveRef resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 13:05:51 -04:00
d3d7e20500 git: own the checkout as the image's user so git can write to it
The layer's entries were root-owned, but cgr.dev/chainguard/git runs as
uid 65532, so `git fetch`/`git commit` inside the checkout failed with
"Permission denied" creating .git/FETCH_HEAD. Stamp the base image's
runtime uid/gid onto every layer entry, and explicitly emit the
checkout's parent directories (git/, git/<repo>/, git/<repo>/.git/) so
the image extractor doesn't auto-create them root-owned.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 12:45:50 -04:00
Claude
b00925bf9e
git: assert objects stay packed in the layer
Guards against a regression where go-git would unpack the fetched packfile
into loose objects, which would put the repo's whole decompressed contents in
memory.

https://claude.ai/code/session_01Jfhuuwb5haNaasc9hs53jw
2026-05-12 15:28:42 +00:00
Claude
61e2ace4bc
git: stream worktree into the layer instead of unpacking to disk
git.kontain.me used to clone+checkout a repo onto Cloud Run's tmpfs (memory)
and then tar the result. Now it fetches the packfile into an in-memory git dir,
walks the requested commit's tree, and streams each blob straight into the
layer tar. Only the packfile bytes (plus go-git's delta cache) are buffered, so
memory no longer scales with the size of the checked-out worktree.

The shipped .git directory is preserved (with core.bare unset and a generated
index) so the git CLI still works inside the checkout. Object SHAs change since
the tar is rebuilt differently, but the contents are the same.

https://claude.ai/code/session_01Jfhuuwb5haNaasc9hs53jw
2026-05-12 14:54:11 +00:00
2e4488f6d3 add git.kontain.me
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-05-11 21:42:04 -04:00
5d020bef59 bump deps
Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-04-02 18:16:22 +01:00
Jason Hall
dc96e41aa3
put the train back on its rails
Signed-off-by: Jason Hall <jason@chainguard.dev>
2025-02-14 03:52:52 -06:00
Jason Hall
c329df25bf
add random image prober and prober dashboard
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-12-22 09:56:15 -05:00
Jason Hall
794dbed8cb
use glue dashboards, fix tests
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-12-19 20:02:31 -05:00
Jason Hall
ad02c93765
remove pipefail
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-11-26 12:51:16 -05:00
Jason Hall
d13b71d327
moar context
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-11-15 09:32:51 -05:00
Jason Hall
787ea7e9b0
bump deps
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-11-14 21:39:50 -05:00
Jason Hall
f95c30bdfd
use slog, refactor TF
Signed-off-by: Jason Hall <jason@chainguard.dev>
2023-11-14 21:27:18 -05:00
Jason Hall
d194a4f550
deploy using terraform
- remove some apps (cowsay, transparency, estargz)
- start to move DNS zone management into TF too (optional)
- update GH workflow to deploy using TF

TODO:
- store state in GCS
- define one-time setup to grant GHA SA permissions it needs to deploy
- documentation for Future Jason
- cosign_verify base images
- cosign_sign images and cosign_verify before deploy
2023-04-25 10:56:19 -04:00
Jason Hall
2e1f107239
apko: update to use wolfi packages 2023-01-31 00:20:57 -05:00
Jason Hall
3e1686e26a
update setup-ko, bump mirror resources 2022-09-08 09:14:00 -04:00
086517ba78
Enable CORS for mirror.kontain.me 2022-06-09 22:27:00 -04:00
d4c362ad95
fix link, add readme 2022-06-03 14:44:45 -04:00
3373009e74
add cowsay 2022-06-03 14:42:21 -04:00
Jason Hall
57a00f75d4 lower resources, add apko to README 2022-04-01 16:32:22 -04:00
Jason Hall
6902ee4fba add URL fetching 2022-03-20 14:06:57 -04:00
Jason Hall
9883cc499e don't defer-rm the tar.gz, use gen2 for proot, update README; it works 2022-03-20 13:18:32 -04:00
Jason Hall
636972acc8 apko: initial commit 2022-03-19 20:49:00 -04:00
Jason Hall
527e37135e ko: disable sbom 2022-03-19 02:53:37 -04:00
Jason Hall
3f19fe5563 ko: Test using a faster build 2022-03-19 02:44:20 -04:00
Jason Hall
ed67da0ca1 kaniko: don't set up creds ourselves, kaniko can do it 2021-10-22 10:46:24 -04:00
Jason Hall
941448730c improve README, add tests, reinstate cache hits 2021-10-11 17:37:03 -04:00
Jason Hall
a79099aa7e works 2021-10-11 16:49:38 -04:00
Jason Hall
df9e4880b7 WIP: use go module proxy and cache results 2021-10-11 15:05:38 -04:00
Jason Hall
ed77c5e672 upgrade ko dep, fix breakages 2021-10-07 10:12:32 -04:00
Jason Hall
f1f11f46ad disable transparency test 2021-09-22 12:57:15 -04:00
Jason Hall
49dc313c4d fix shebang 2021-09-22 08:27:53 -04:00
Jason Hall
1f766ba9d2 crib from Jon's cmd/mirror 2021-08-14 16:25:25 -04:00
Jason Hall
5aeb9dad88 split up tests too 2021-08-14 15:58:51 -04:00
Jason Hall
a8c70f6e02 add deploy.sh scripts 2021-08-14 14:40:25 -04:00
Jason Hall
a445897438 iterating on transparency, redirecting doesn't work 2021-08-14 14:07:46 -04:00
Jason Hall
3fc2038530 add skeleton of transparency 2021-08-14 11:46:06 -04:00
Jason Hall
c730f74956 document pull-by-digest limitations for estargz and flatten 2021-07-26 10:51:43 -04:00
Jason Hall
012b357a5e document estargz usage 2021-07-25 14:26:31 -04:00
Jason Hall
7692dc8b86 Add estargz optimizer, log Range requests 2021-07-24 22:03:08 -04:00
Jason Hall
9beb876dcd document wait 2021-04-09 12:38:33 -04:00
Jason Hall
c449bb59bd better support registries in flatten and mirror
- previous change to support registries that don't support HEAD in
flatten broke flatten for other conformant registries; fix that
- support registies that don't support HEAD in mirror (without breaking
conformant registries)
2021-04-09 12:30:21 -04:00
Jason Hall
6946849f92 flatten: Support registries that don't support HEAD correctly 2021-03-18 13:28:52 -04:00
Jason Hall
b7c83b4432 base buildpack images on gcp/run:v1 2021-02-08 13:24:30 -05:00