fix(dev): harden docker-desktop image delivery, drop broken --no-workers (#517, #518, #519) #521
Merged
…orkers (#517, #518, #519)

Three follow-ups from the Docker Desktop dev-target work (#520), all in the dev-tooling layer (scripts/lib/deploy.py + dev k8s overlays).

#517 — pre-import postgres/redis base images to avoid the first-run cgr.dev pull flake. Docker Desktop's containerd pulls cgr.dev/chainguard/{postgres,redis} independently of the host Docker daemon, and that first pull occasionally fails with a transient EOF, leaving the pods in ErrImagePull. build_and_push now `docker pull`s the base images on the host and imports them into the node's containerd alongside the tmi-* images, and the postgres/redis manifests are pinned to imagePullPolicy: IfNotPresent so the imported copy is used (a :latest tag otherwise defaults to Always and re-pulls, defeating the import). The redis pin is a per-overlay kustomize patch (redis.yml is shared with k3s, which remaps redis to redis:7-alpine); postgres is pinned directly in the docker-desktop postgres.yml (applied raw by deploy.py). The base-image set is db-aware: oracle uses an external ADB and deploys no Postgres pod, so only redis is imported there.

#518 — remove the --no-workers bring-up path. It applied the raw leaf manifests (image: localhost:5000/tmi-*:dev), which only worked against the retired kind local registry and yields ErrImagePull on docker-desktop/k3s. No make target passes it, so it was developer-manual-only dead/broken code. Dropped the flag from devenv.py, the no_workers params from start/restart/apply_overlay, and the _no_workers_files helper.

#519 — harden import_image_to_node against a Popen-raises-before-close hang. If the importer Popen raised before saver.stdout.close() ran, the parent kept the pipe's read end open and saver.wait() in the finally could deadlock once the pipe buffer filled. The importer Popen is now wrapped so saver's stdout is released (and saver killed) on any exception before the wait.

Unit tests added for the db-aware base-image selection and the import teardown path; the --no-workers tests were removed. make test-dev-scripts (94) and make lint pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX
Three follow-ups from the Docker Desktop dev-target work (#520), all in the dev-tooling layer (scripts/lib/deploy.py + dev k8s overlays). No production/Go code, no DB schema.

#517 — pre-import postgres/redis to avoid first-run cgr.dev flake

Docker Desktop's containerd pulls cgr.dev/chainguard/{postgres,redis} independently of the host Docker daemon; that first pull occasionally fails with a transient EOF, leaving pods in ErrImagePull.

build_and_push now docker pulls the base images on the host and imports them into the node's containerd alongside the tmi-* images.

imagePullPolicy: IfNotPresent so the imported copy is used (a :latest tag otherwise defaults to Always and re-pulls, defeating the import). Redis pin is a per-overlay kustomize patch because redis.yml is shared with k3s (which remaps redis to redis:7-alpine); postgres is pinned directly in docker-desktop/postgres.yml (applied raw by deploy.py).

#518 — remove the broken --no-workers path

It applied raw leaf manifests (image: localhost:5000/tmi-*:dev) that only worked against the retired kind local registry — ErrImagePull on docker-desktop/k3s. No make target passed it (developer-manual-only dead code). Removed the flag, the no_workers params on start/restart/apply_overlay, and _no_workers_files.

#519 — harden import_image_to_node against a pipe hang

If the importer Popen raised before saver.stdout.close(), the parent kept the pipe's read end open and saver.wait() could deadlock once the buffer filled. The importer Popen is now wrapped so saver's stdout is released (and saver killed) on any exception before the wait.

Verification

make test-dev-scripts — 94 pass (added tests for DB-aware base-image selection and the import teardown path; removed the --no-workers tests).
make lint — pass.
kubectl kustomize renders IfNotPresent on redis across all three docker-desktop overlays; k3s unaffected.
make dev-up CLUSTER=docker-desktop on a fresh node.

Closes #517
Closes #518
Closes #519
🤖 Generated with Claude Code
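
The teardown ordering described under #519, as an added example that is not the project's code from scripts/lib/deploy.py. `pipe_image` is a hypothetical stand-in for `import_image_to_node`, the three commands are constructed placeholders run with the local Python interpreter, and the `timeout` parameter is an assumption added so that a regression shows up as `TimeoutExpired` instead of a hang.

```python
import subprocess
import sys

# Constructed stand-ins: a "saver" that writes 4 MiB (far beyond a pipe buffer),
# an "importer" that checks the byte count, and an importer path that cannot start.
SAVER = [sys.executable, "-c", "import sys; sys.stdout.buffer.write(b'x' * (4 << 20))"]
IMPORTER = [sys.executable, "-c",
            "import sys; sys.exit(0 if len(sys.stdin.buffer.read()) == 4 << 20 else 1)"]
MISSING = ["/nonexistent/importer-placeholder"]


def pipe_image(saver_cmd, importer_cmd, timeout=30):
    """Stream saver stdout into importer stdin; return (saver_rc, importer_rc)."""
    saver = subprocess.Popen(saver_cmd, stdout=subprocess.PIPE)
    try:
        try:
            importer = subprocess.Popen(importer_cmd, stdin=saver.stdout)
        except BaseException:
            # Importer never started, so nothing will drain the pipe. Kill the
            # saver before the wait below, or it blocks on a full pipe buffer.
            saver.kill()
            raise
        finally:
            # The parent drops its copy of the read end on every path; the
            # importer (if any) keeps its own inherited descriptor.
            saver.stdout.close()
        importer_rc = importer.wait(timeout=timeout)
    finally:
        saver_rc = saver.wait(timeout=timeout)
    return saver_rc, importer_rc


def demo():
    """Run the happy path, then the importer-fails-to-start path."""
    ok = pipe_image(SAVER, IMPORTER)
    try:
        pipe_image(SAVER, MISSING)
        failure = None
    except (OSError, subprocess.TimeoutExpired) as exc:
        failure = type(exc).__name__
    return ok, failure


if __name__ == "__main__":
    print(demo())
```

Removing the `saver.kill()` and `saver.stdout.close()` calls from the failure path makes the second call end in `TimeoutExpired`, because the saver stays blocked writing into a pipe that the parent holds open but never reads.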