- Remove phantom `-i, --image` CLI flag that doesn't exist in code - Fix default base image from gcr.io/distroless/static:nonroot to cgr.dev/chainguard/static:latest - Update --platform description to reflect auto-detection from base image - Move -v/--verbose to Global Options (it's a global flag, not per-command) - Add missing `version` command to CLI reference - Fix non-existent `make test-verbose` reference - Mark multi-platform image manifests as implemented in CLAUDE.md https://claude.ai/code/session_019QkKmgPcFYaLwKe34EMFJy
9.1 KiB
krust Development Notes
This document captures key learnings and decisions made during the development of krust with Claude.
Project Overview
krust is a container image build tool for Rust applications, inspired by ko.build for Go. It builds static binaries and packages them into minimal OCI container images without requiring Docker.
Key Design Decisions
1. Static Binaries with musl
We chose musl libc over glibc for static linking because:
- True static linking: glibc uses dynamic loading internally (NSS) which breaks in static binaries
- Smaller binaries: musl static binaries are 5-10x smaller than glibc
- No runtime surprises: glibc static binaries often fail with DNS resolution, user lookups, or locale issues
- Container-optimized: Perfect for minimal container images
2. Default Push Behavior
krust pushes images by default (use --no-push to skip) because:
- Aligns with the common workflow of building and immediately using images
- Enables the
docker run $(krust build)pattern - Reduces friction for the most common use case
3. Output Design
- stdout: Only the pushed image reference by digest (e.g.,
ttl.sh/user/app@sha256:...) - stderr: All logging and progress information
- This enables composability with other tools
4. Image Naming Strategy
- Uses
KRUST_REPOenvironment variable for repository prefix - Automatically appends project name from Cargo.toml
- Can be overridden with
--imageflag - Default tag is
latest
Technical Learnings
OCI Image Building
-
Layer Digest vs Diff ID:
- Layer digest: SHA256 of the compressed (gzip) layer
- Diff ID: SHA256 of the uncompressed tar (goes in image config)
- Docker validates these match during pull
-
Image Structure:
Manifest -> Config + Layers Config contains: architecture, OS, environment, command, diff_ids Layers contain: compressed tar.gz files -
Registry API:
- Push blobs (config and layers) first
- Then push manifest referencing those blobs
- Manifest URL contains the final digest
Google Artifact Registry (GAR) Blob Uploads
GAR has special handling for blob uploads that differs from the standard OCI spec:
-
Location Header Format:
- POST to
/v2/.../blobs/uploads/returnslocation: /artifacts-uploads/... - The location is a relative path starting with
/artifacts-uploads/, NOT/v2/ - Must build absolute URL as
https://{registry}{location}for ANY path starting with/
- POST to
-
Upload Flow (Resumable):
- Monolithic upload not supported: PUT with body to
location?digest=returns301 Moved Permanently - Must use resumable upload flow instead:
- POST to
/v2/.../blobs/uploads/→ get upload location - PATCH to upload location with blob data → returns
202 Accepted - PUT to finalize location with
?digest=and empty body → returns201 Created
- POST to
- Monolithic upload not supported: PUT with body to
-
Critical Implementation Details:
- GAR returns
301redirect on monolithic PUT attempts (not307) - HTTP spec says
301means don't resend body, so automatic redirect following fails - Must explicitly handle
301as a signal to switch to resumable upload - PATCH response may include a new
locationheader for the finalize PUT - Use
reqwestwithredirect::Policy::none()to handle redirects manually
- GAR returns
-
Why reqwest over hyper:
- Initially used raw
hyperbut it doesn't auto-follow redirects with request bodies - Switched to
reqwestfor cleaner API and better redirect handling - Disabled automatic redirects to manually handle GAR's upload flow
- Initially used raw
-
Memory Efficiency:
- Blob downloads return
bytes::Bytesinstead ofVec<u8>to avoid unnecessary copies - Blob uploads require
.to_vec()due to reqwest's'staticrequirement for request bodies - This is acceptable as reqwest streams the data internally
- Blob downloads return
Cross-Compilation
krust requires cargo-zigbuild for cross-compilation. This eliminates the need for
per-target system linkers and .cargo/config.toml linker configuration. If zigbuild is not
available, krust fails with install instructions.
Required targets are auto-installed via rustup target add when needed.
Rust Static Linking
- Use
RUSTFLAGS="-C target-feature=+crt-static"for static linking - musl targets default to static, but explicit is better
- The resulting binary has no runtime dependencies
Architecture Decisions
Module Structure
src/
├── main.rs # CLI entry point and orchestration
├── lib.rs # Public API exports
├── cli/ # Command-line interface definitions
├── builder/ # Rust compilation logic
├── image/ # OCI image construction
├── registry/ # Registry push operations
└── config/ # Configuration management
Error Handling
- Used
anyhowfor error propagation with context - Errors include contextual information for debugging
- All errors go to stderr, preserving stdout for output
Dependencies
Key crates chosen:
clap- CLI parsing with derive macrostokio- Async runtime for registry operationsreqwest- HTTP client with automatic redirect handlingtar+flate2- Layer creationsha256- Digest calculationtracing- Structured loggingcargo-zigbuild- Cross-compilation backend (external tool, not a crate dep)
Testing Strategy
- Unit tests for each module
- Integration tests for CLI commands
- E2E tests that actually run the built binary
- Used
assert_cmdfor testing CLI behavior
Development Workflow
The iterative development process:
- Start with basic CLI structure
- Implement core functionality (build, image, push)
- Test with real registries (ttl.sh for anonymous push)
- Fix issues discovered during real usage
- Refine UX based on actual workflows
Pre-commit Checks
Before committing changes, always run:
make check-fmt # Check code formatting
make lint # Run clippy linter
make test # Run all tests
Or run all checks at once:
make check # Runs check-fmt, lint, and test
Features Implemented
YAML Resolution (krust resolve)
Inspired by ko's Kubernetes integration, krust can resolve krust:// references in YAML files:
- Reference Syntax: Use
krust://path/to/projectin YAML (e.g.,image: krust://./example/hello-krust) - Deduplication: Multiple references to the same path are deduplicated - builds only once
- Multi-document support: Handles YAML files with multiple
---separated documents - Directory support: Can process entire directories of YAML files with
-f ./k8s/ - Output: Resolved YAML to stdout with all
krust://replaced by digests
Implementation details:
- Uses
serde_yml(maintained fork of deprecated serde_yaml) for parsing and serialization - Recursively walks YAML tree to find all string values with
krust://prefix - Builds each unique path once, stores digest mapping
- Second pass replaces all references with digests
- Preserves YAML structure and formatting
Usage:
krust resolve -f deployment.yaml | kubectl apply -f -- Or use the convenience command:
krust apply -f deployment.yaml
Apply Command (krust apply)
Convenience wrapper that combines resolve with kubectl apply:
- Resolves
krust://references - Pipes resolved YAML directly to
kubectl apply -f - - Exits with kubectl's exit code
- Requires
kubectlto be installed and configured
Usage: krust apply -f deployment.yaml
Future Improvements
Potential enhancements identified:
Registry authentication support✓ Implemented (supports Docker credential helpers)YAML resolution for Kubernetes deployments✓ Implemented (krust resolve)Multi-platform image manifests✓ Implemented (OCI image index with concurrent builds)Build caching✓ Implemented (persistenttarget/krust/directory)- Image layer optimization
- Support for custom Dockerfile-like configs
- SBOM (Software Bill of Materials) generation
Optimize blob uploads (check if blob exists before uploading)✓ Implemented- Stream uploads from disk instead of buffering in memory
- Currently buffers tar and compressed layer in memory
- Could write to temp file, calculate diff_id, then stream upload
- Would reduce memory usage for large binaries
Useful Commands
# Test with anonymous registry (ttl.sh)
export KRUST_REPO=ttl.sh/test
docker run $(krust build example/hello-krust)
# Test with Google Artifact Registry
export KRUST_REPO=us-central1-docker.pkg.dev/project-id/repo-name
krust build example/hello-krust
# Debug output
krust build -v 2>&1 | less
# Check static linking
file target/krust/x86_64-unknown-linux-musl/release/binary
ldd target/krust/x86_64-unknown-linux-musl/release/binary # should say "not a dynamic executable"
# Verify pushed image
crane manifest $(krust build --no-push example/hello-krust)
Resources
- OCI Image Spec
- OCI Distribution Spec
- ko.build - Inspiration for this project
- ttl.sh - Anonymous ephemeral registry for testing