nosportugal · suvl · Feb 16, 2026 · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,9 +6,7 @@ on:
       - master
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -18,49 +16,36 @@ jobs:
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.3.0
-        with:
-          cosign-release: 'v2.2.2' # optional
+        uses: sigstore/cosign-installer@v4
 
-      # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+        uses: docker/setup-buildx-action@v3
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -70,16 +55,6 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/release_slim.yaml b/.github/workflows/release_slim.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,22 +1,23 @@
 name: test
 
 on:
- pull_request:
-   paths-ignore:
-    - 'Slim/**'  
+  pull_request:
+    paths-ignore:
+      - 'Slim/**'
 
 jobs:
   test:
     runs-on: ubuntu-latest
 
     steps:
       - name: checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579  # v2.4.0
-        with:
-          fetch-depth: 1
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: build image
-        run: docker build -t doks-debug .
+        run: docker buildx build --platform linux/amd64 --load -t debug-pod .
 
       - name: smoke test
-        run: docker run --rm doks-debug sleep 1
+        run: docker run --rm debug-pod curl --version | head -1
diff --git a/Dockerfile b/Dockerfile
@@ -1,46 +1,54 @@
-FROM debian:12 AS builder
+FROM debian:13 AS builder
 
-# this builder part is the work of Yury Muski, from https://github.com/yurymuski/curl-http3
-LABEL maintainer="Yury Muski <muski.yury@gmail.com>"
+# Build curl with HTTP/3 support using ngtcp2 (non-experimental) backend.
+# Debian 13 ships OpenSSL 3.5 which has native QUIC API support for ngtcp2.
+# https://github.com/curl/curl/blob/master/docs/HTTP3.md#ngtcp2-version
 
 WORKDIR /opt
 
-ARG CURL_VERSION=curl-8_2_1
-# https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version
-ARG QUICHE_VERSION=0.18.0
+ARG CURL_VERSION=curl-8_18_0
+ARG NGTCP2_VERSION=v1.20.0
+ARG NGHTTP3_VERSION=v1.15.0
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
     apt-get full-upgrade --auto-remove --purge -y && \
-    apt-get install -y build-essential git autoconf libtool cmake golang-go curl libnghttp2-dev zlib1g-dev;
+    apt-get install -y build-essential git autoconf libtool pkg-config \
+        libssl-dev libnghttp2-dev zlib1g-dev libpsl-dev;
 
+# Build nghttp3
+RUN git clone -b $NGHTTP3_VERSION https://github.com/ngtcp2/nghttp3 && \
+    cd nghttp3 && \
+    git submodule update --init && \
+    autoreconf -fi && \
+    ./configure --prefix=/usr/local --enable-lib-only && \
+    make --jobs=$(nproc) && \
+    make install
 
-# install rust & cargo
-RUN curl https://sh.rustup.rs -sSf | sh -s -- -y -q;
-
-RUN git clone --recursive https://github.com/cloudflare/quiche
-
-# build quiche
-RUN export PATH="$HOME/.cargo/bin:$PATH" && \
-    cd quiche && \
-    git checkout $QUICHE_VERSION && \
-    cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && \
-    mkdir quiche/deps/boringssl/src/lib && \
-    ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/
-
-# add curl
-RUN git clone https://github.com/curl/curl
-RUN cd curl && \
+# Build ngtcp2 (with system OpenSSL 3.5+)
+RUN git clone -b $NGTCP2_VERSION https://github.com/ngtcp2/ngtcp2 && \
+    cd ngtcp2 && \
+    autoreconf -fi && \
+    ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \
+        --prefix=/usr/local --enable-lib-only --with-openssl && \
+    make --jobs=$(nproc) && \
+    make install
+
+# Build curl with HTTP/3 (ngtcp2 + nghttp3) + HTTP/2 (nghttp2) + TLS (OpenSSL)
+RUN git clone https://github.com/curl/curl && \
+    cd curl && \
     git checkout $CURL_VERSION && \
     autoreconf -fi && \
-    ./configure LDFLAGS="-Wl,-rpath,/opt/quiche/target/release" --with-openssl=/opt/quiche/quiche/deps/boringssl/src --with-quiche=/opt/quiche/target/release --with-nghttp2 --with-zlib && \
-    make && \
-    make DESTDIR="/debian/" install
+    ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \
+        --with-openssl --with-nghttp3 --with-ngtcp2 --with-nghttp2 --with-zlib && \
+    make --jobs=$(nproc) && \
+    make install
+
 
+FROM debian:13-slim
 
-# match doks-debug version with DOKS worker node image version for kernel
-# tooling compatibility reasons
-FROM debian:stable-slim
+# Specify the version of crictl to install
+ARG CRICTL_VERSION="v1.33.0"
 
 LABEL org.opencontainers.image.source=https://github.com/nosportugal/debug-pod
 LABEL org.opencontainers.image.description="A debian image with some debugging tools installed."
@@ -50,20 +58,17 @@ WORKDIR /root
 
 # use same dpkg path-exclude settings that come by default with ubuntu:focal
 # image that we previously used
-RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes
-
-RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/sources.list.d/backports.list
+RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
     apt-get full-upgrade --auto-remove --purge -y && \
     apt-get install -y \
-        apt-transport-https \
         ca-certificates \
-        software-properties-common \
+        curl \
         httping \
         man \
         man-db \
@@ -72,7 +77,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         gnupg \
         atop \
         htop \
-        dstat \
+        sysstat \
         jq \
         dnsutils \
         tcpdump \
@@ -91,26 +96,28 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         bpftool \
         nmap \
         redis-tools \
-        kafkacat \
+        kcat \
         nghttp2 \
-        zlib1g && \
+        libpsl5t64 \
+        zlib1g \
+        wget && \
     rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /debian/usr/local/ /usr/local/
-COPY --from=builder /opt/quiche/target/release /opt/quiche/target/release
+COPY --from=builder /usr/local/ /usr/local/
 
 # Resolve any issues of C-level lib
 # location caches ("shared library cache")
 RUN ldconfig
 
-RUN install -m 0755 -d /etc/apt/keyrings && \
-    . /etc/os-release && \
-    curl -fsSL "https://download.docker.com/linux/$ID/gpg" | gpg --dearmor -o "/etc/apt/keyrings/$ID.gpg" && \
-    chmod a+r "/etc/apt/keyrings/$ID.gpg" && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/$ID.gpg] https://download.docker.com/linux/$ID $VERSION_CODENAME stable" | \
-        tee /etc/apt/sources.list.d/docker.list > /dev/null && \
-    apt-get update -qq && \
-    apt-get install -y docker-ce
+# Install crictl
+RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \
+    rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz
+
+# Specify the default image endpoint for crictl
+RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml
+RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml
+RUN echo 'timeout: 2' >> /etc/crictl.yaml
 
 # for httpie
 RUN curl -SsL https://packages.httpie.io/deb/KEY.gpg | gpg --dearmor -o /usr/share/keyrings/httpie.gpg && \

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2021 DigitalOcean
+Copyright (c) 2025-2026 NOS Portugal
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal