chrome-service: pin noVNC image to the x11vnc-supervision build
Some checks failed
ci/woodpecker/push/default Pipeline was canceled
Some checks failed
ci/woodpecker/push/default Pipeline was canceled
Deploys the self-heal fix from the previous commit. Keel is off for this
deployment (keel.sh/policy=never, because the browser container's playwright
image is version-pinned to f1-stream) and the novnc image was :latest with
imagePullPolicy=IfNotPresent, so a rebuilt :latest would NOT be re-pulled on a
rollout — the supervised entrypoint would never reach the running pod.
Pin novnc to :19d0f0933a (the build of the prior
commit; ghcr digest sha256:5b783ac6, == :latest) so the stack apply rolls the
sidecar onto the new image. Future novnc entrypoint changes deploy by bumping
this digest after build-chrome-service-novnc.yml publishes a new SHA tag.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
19d0f0933a
commit
7b4a8ba867
1 changed files with 10 additions and 5 deletions
|
|
@ -333,15 +333,20 @@ resource "kubernetes_deployment" "chrome_service" {
|
||||||
container {
|
container {
|
||||||
name = "novnc"
|
name = "novnc"
|
||||||
# Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
|
# Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
|
||||||
image = "ghcr.io/viktorbarzin/chrome-service-novnc:latest"
|
# SHA-pinned (not :latest): Keel is OFF for this deployment
|
||||||
|
# (keel.sh/policy=never, below) and :latest/IfNotPresent won't re-pull a
|
||||||
|
# rebuilt image, so a new noVNC entrypoint only deploys when this digest
|
||||||
|
# is bumped here. Bump after build-chrome-service-novnc.yml pushes a new
|
||||||
|
# SHA tag. 2026-06-27: bumped to land the x11vnc-supervision self-heal fix
|
||||||
|
# (noVNC went black after a browser-container restart; see
|
||||||
|
# docs/architecture/chrome-service.md "x11vnc supervision").
|
||||||
|
image = "ghcr.io/viktorbarzin/chrome-service-novnc:19d0f0933a8ec75be6cfa077db88e0f8c3760f40"
|
||||||
image_pull_policy = "IfNotPresent"
|
image_pull_policy = "IfNotPresent"
|
||||||
# Cap RLIMIT_NOFILE before the entrypoint runs. Containerd grants pods
|
# Cap RLIMIT_NOFILE before the entrypoint runs. Containerd grants pods
|
||||||
# nofile=2^31; x11vnc sweeps the whole fd table on each client connect,
|
# nofile=2^31; x11vnc sweeps the whole fd table on each client connect,
|
||||||
# so every VNC connection hangs on "Connecting" until it times out
|
# so every VNC connection hangs on "Connecting" until it times out
|
||||||
# (fd-sweep bug, same as android-emulator). entrypoint.sh now also sets
|
# (fd-sweep bug, same as android-emulator). entrypoint.sh also sets this;
|
||||||
# this, but the image is :latest/IfNotPresent so a rebuilt entrypoint
|
# the wrapper keeps the cap deterministic even off a cached image.
|
||||||
# isn't guaranteed to be pulled — this wrapper applies the cap
|
|
||||||
# deterministically on every rollout off the cached image.
|
|
||||||
command = ["bash", "-c", "ulimit -n 65536; exec /entrypoint.sh"]
|
command = ["bash", "-c", "ulimit -n 65536; exec /entrypoint.sh"]
|
||||||
port {
|
port {
|
||||||
name = "http"
|
name = "http"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue