VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: VARASYS:59d8ccf0fc186b9b56d85c3ba244b38a1c19257c
Branches Tags
VARASYS:main
VARASYS:transmittal-v0.0.26
VARASYS:tables-v0.0.26
VARASYS:landing-v0.0.26
VARASYS:form-v0.0.26
VARASYS:classifier-v0.0.26
VARASYS:browse-v0.0.26
VARASYS:archive-v0.0.26
..
compare: VARASYS:1db9fd06e7c576c5375950669254510a123706a3
Branches Tags
VARASYS:main
VARASYS:transmittal-v0.0.26
VARASYS:tables-v0.0.26
VARASYS:landing-v0.0.26
VARASYS:form-v0.0.26
VARASYS:classifier-v0.0.26
VARASYS:browse-v0.0.26
VARASYS:archive-v0.0.26

2 commits
59d8ccf0fc ... 1db9fd06e7

Author SHA1 Message Date
ZDDC
1db9fd06e7 chore(embedded): cut v0.0.17-beta
All checks were successful
Notify chart dev on beta cut / notify-chart-dev (push) Successful in 7s
Details
2026-05-13 13:10:12 -05:00
ZDDC
0fac49e60a fix(convert): chromium needs --disable-dev-shm-usage + larger /tmp 
The HTML→PDF stage failed with:

  Creating shared memory in /dev/shm/.org.chromium.Chromium.XXXXXX
  failed: Read-only file system (30)
  Unable to access(W_OK|X_OK) /dev/shm: Read-only file system (30)

Chromium tries to put its IPC shared-memory segments under /dev/shm
by default. Our container runs --read-only with /dev/shm inherited
from the image (which makes it read-only too). The well-known fix is
the --disable-dev-shm-usage chromium flag, which routes those
allocations to /tmp instead.

/tmp is a writable tmpfs we already set up. Bump its size from
128 MiB to 256 MiB so chromium has room for both its user-data-dir
and the redirected shared-memory segments. A small PDF flow used
~64 MiB free of 128 MiB available; doubling gives headroom without
materially changing the pod's memory footprint (tmpfs only consumes
RAM for bytes actually written).

The discardable_shared_memory_manager warning ("Less than 64MB of
free space in temporary directory") in the prior chromium log was a
symptom of this same /tmp-too-small condition; the bump quiets it
too.

Other warnings in the log (dbus connect failures) are not load-
bearing — chromium falls back gracefully when dbus is absent. No fix
needed there.
 2026-05-13 13:10:01 -05:00
9 changed files with 25 additions and 14 deletions
Show stats Expand all files Collapse all files

2
zddc/internal/apps/embedded/archive.html
View file

@ -2470,7 +2470,7 @@ td[data-field="trackingNumber"] {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title">ZDDC Archive</span> <span class="app-header__title">ZDDC Archive</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e</span></span>
</div> </div>
<button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button> <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
<button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh Data"></button> <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh Data"></button>

2
zddc/internal/apps/embedded/browse.html
View file

@ -1657,7 +1657,7 @@ html, body {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title">ZDDC Browse</span> <span class="app-header__title">ZDDC Browse</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:46 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e</span></span>
</div> </div>
<button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button> <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
<button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh listing" aria-label="Refresh listing"></button> <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh listing" aria-label="Refresh listing"></button>

2
zddc/internal/apps/embedded/classifier.html
View file

@ -1681,7 +1681,7 @@ body.help-open .app-header {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title">ZDDC Classifier</span> <span class="app-header__title">ZDDC Classifier</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e</span></span>
</div> </div>
<button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button> <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
<button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh and rescan directory" aria-label="Refresh" style="font-size:1.1rem;"></button> <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh and rescan directory" aria-label="Refresh" style="font-size:1.1rem;"></button>

2
zddc/internal/apps/embedded/index.html
View file

@ -1424,7 +1424,7 @@ body {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title">ZDDC</span> <span class="app-header__title">ZDDC</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e</span></span>
</div> </div>
</div> </div>
<div class="header-right"> <div class="header-right">

2
zddc/internal/apps/embedded/transmittal.html
View file

@ -2523,7 +2523,7 @@ dialog.modal--narrow {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title">ZDDC Transmittal</span> <span class="app-header__title">ZDDC Transmittal</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:01 · 0fac49e</span></span>
</div> </div>
<span id="no-js-notice" class="text-gray-400 text-xs italic">JavaScript not available</span> <span id="no-js-notice" class="text-gray-400 text-xs italic">JavaScript not available</span>
<!-- Publish split-button (Transmittal-specific primary action; <!-- Publish split-button (Transmittal-specific primary action;

14
zddc/internal/apps/embedded/versions.txt
View file

@ -1,8 +1,8 @@
# Generated by build.sh — do not edit. One <app>=<build label> per line. # Generated by build.sh — do not edit. One <app>=<build label> per line.
archive=v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98 archive=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e
transmittal=v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98 transmittal=v0.0.17-beta · 2026-05-13 18:10:01 · 0fac49e
classifier=v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98 classifier=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e
landing=v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98 landing=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e
form=v0.0.17-beta · 2026-05-13 18:06:45 · b8c6b98 form=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e
tables=v0.0.17-beta · 2026-05-13 18:06:46 · b8c6b98 tables=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e
browse=v0.0.17-beta · 2026-05-13 18:06:46 · b8c6b98 browse=v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e

7
zddc/internal/convert/convert.go
View file

@ -210,10 +210,17 @@ func ToPDF(ctx context.Context, source []byte, m Metadata) ([]byte, error) {
// required because the container drops CAP_SYS_ADMIN; the threat // required because the container drops CAP_SYS_ADMIN; the threat
// model is "malicious markdown drives chromium RCE", contained by // model is "malicious markdown drives chromium RCE", contained by
// --network=none + --cap-drop=ALL + --read-only + tmpfs. // --network=none + --cap-drop=ALL + --read-only + tmpfs.
//
// --disable-dev-shm-usage: without this, chromium tries to allocate
// shared memory under /dev/shm, which our --read-only container
// can't write to. The flag tells chromium to fall back to /tmp,
// which is a writable tmpfs (sized in runner.go). Standard fix for
// chromium-in-container; required by every CI/headless setup.
cmd := []string{ cmd := []string{
"--headless", "--headless",
"--disable-gpu", "--disable-gpu",
"--no-sandbox", "--no-sandbox",
"--disable-dev-shm-usage",
"--user-data-dir=/tmp/chrome", "--user-data-dir=/tmp/chrome",
"--no-pdf-header-footer", "--no-pdf-header-footer",
"--virtual-time-budget=10000", "--virtual-time-budget=10000",

6
zddc/internal/convert/runner.go
View file

@ -244,7 +244,11 @@ func (cr *containerRunner) Run(ctx context.Context, image string, stdin []byte,
args = append(args, args = append(args,
"--network=none", "--network=none",
"--read-only", "--read-only",
"--tmpfs=/tmp:size=128m,exec", // /tmp must be large enough to host chromium's shared-memory
// fallback (--disable-dev-shm-usage redirects /dev/shm writes
// here) plus the user-data-dir. 256 MiB is plenty for the
// HTML→PDF flow; pandoc itself uses almost none.
"--tmpfs=/tmp:size=256m,exec",
"--tmpfs=/run:size=4m", "--tmpfs=/run:size=4m",
fmt.Sprintf("--memory=%dm", memMiB), fmt.Sprintf("--memory=%dm", memMiB),
fmt.Sprintf("--cpus=%s", cpus), fmt.Sprintf("--cpus=%s", cpus),

2
zddc/internal/handler/tables.html
View file

@ -1300,7 +1300,7 @@ body.help-open .app-header {
</svg> </svg>
<div class="header-title-group"> <div class="header-title-group">
<span class="app-header__title" id="table-title">ZDDC Table</span> <span class="app-header__title" id="table-title">ZDDC Table</span>
<span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:06:46 · b8c6b98</span></span> <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 18:10:02 · 0fac49e</span></span>
</div> </div>
</div> </div>
<div class="header-right"> <div class="header-right">