kernel · rgarcia · Mar 9, 2026 · Feb 25, 2026 · Feb 25, 2026 · Mar 6, 2026
diff --git a/.gitignore b/.gitignore
@@ -190,3 +190,5 @@ infra/tests/*
 .mise.toml
 
 recordings/
+.refs/
+server/api
diff --git a/images/chromium-headful/Dockerfile b/images/chromium-headful/Dockerfile
@@ -290,6 +290,15 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     apt -y install chromium && \
     apt --no-install-recommends -y install sqlite3;
 
+# Install ChromeDriver matching the installed Chromium version
+RUN set -eux; \
+    CHROMIUM_VERSION=$(chromium --version | awk '{print $2}'); \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROMIUM_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
+    unzip /tmp/cd.zip -d /tmp; \
+    mv /tmp/chromedriver-linux64/chromedriver /usr/local/bin/chromedriver; \
+    chmod +x /usr/local/bin/chromedriver; \
+    rm -rf /tmp/cd.zip /tmp/chromedriver-linux64
+
 # Copy Chromium policy configuration
 RUN mkdir -p /etc/chromium/policies/managed
 COPY shared/chromium-policies/managed/policy.json /etc/chromium/policies/managed/policy.json

diff --git a/images/chromium-headful/run-docker.sh b/images/chromium-headful/run-docker.sh
@@ -57,6 +57,7 @@ RUN_ARGS=(
   -v "$HOST_RECORDINGS_DIR:/recordings"
   --memory 8192m
   -p 9222:9222
+  -p 9224:9224
   -p 444:10001
   -e DISPLAY_NUM=1
   -e HEIGHT=1080

diff --git a/images/chromium-headful/run-unikernel.sh b/images/chromium-headful/run-unikernel.sh
@@ -69,6 +69,7 @@ deploy_args=(
   --vcpus ${VCPUS:-4}
   -M 4096
   -p 9222:9222/tls
+  -p 9224:9224/tls
   -p 444:10001/tls
   -e DISPLAY_NUM=1
   -e HEIGHT=1080

diff --git a/images/chromium-headful/supervisor/services/chromedriver.conf b/images/chromium-headful/supervisor/services/chromedriver.conf
@@ -0,0 +1,7 @@
+[program:chromedriver]
+command=/usr/local/bin/chromedriver --port=9225 --allowed-ips=127.0.0.1 --log-level=INFO
+autostart=false
+autorestart=true
+startsecs=2
+stdout_logfile=/var/log/supervisord/chromedriver
+redirect_stderr=true
diff --git a/images/chromium-headful/wrapper.sh b/images/chromium-headful/wrapper.sh
@@ -27,6 +27,38 @@ scale_to_zero_write() {
 disable_scale_to_zero() { scale_to_zero_write "+"; }
 enable_scale_to_zero()  { scale_to_zero_write "-"; }
 
+wait_for_tcp_port() {
+  local host="$1"
+  local port="$2"
+  local name="$3"
+  local attempts="${4:-0}"
+  local sleep_secs="${5:-0.5}"
+  local timeout_label="${6:-}"
+  local attempt=0
+
+  echo "[wrapper] Waiting for ${name} on ${host}:${port}..."
+  while true; do
+    if (echo >/dev/tcp/"${host}"/"${port}") >/dev/null 2>&1; then
+      echo "[wrapper] ${name} is ready on ${host}:${port}"
+      return 0
+    fi
+
+    if (( attempts > 0 )); then
+      attempt=$((attempt + 1))
+      if (( attempt >= attempts )); then
+        if [[ -n "${timeout_label}" ]]; then
+          echo "[wrapper] WARNING: ${name} not ready on ${host}:${port} after ${timeout_label}" >&2
+        else
+          echo "[wrapper] WARNING: ${name} not ready on ${host}:${port} after ${attempts} attempts" >&2
+        fi
+        return 1
+      fi
+    fi
+
+    sleep "${sleep_secs}"
+  done
+}
+
 # Disable scale-to-zero for the duration of the script when not running under Docker
 if [[ -z "${WITHDOCKER:-}" ]]; then
   echo "[wrapper] Disabling scale-to-zero"
@@ -143,6 +175,7 @@ cleanup () {
   echo "[wrapper] Cleaning up..."
   # Re-enable scale-to-zero if the script terminates early
   enable_scale_to_zero
+  supervisorctl -c /etc/supervisor/supervisord.conf stop chromedriver || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop chromium || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop kernel-images-api || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop dbus || true
@@ -210,25 +243,15 @@ export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/dbus/system_bus_socket"
 # Start Chromium with display :1 and remote debugging, loading our recorder extension.
 echo "[wrapper] Starting Chromium via supervisord on internal port $INTERNAL_PORT"
 supervisorctl -c /etc/supervisor/supervisord.conf start chromium
-echo "[wrapper] Waiting for Chromium remote debugging on 127.0.0.1:$INTERNAL_PORT..."
-for i in {1..100}; do
-  if nc -z 127.0.0.1 "$INTERNAL_PORT" 2>/dev/null; then
-    break
-  fi
-  sleep 0.2
-done
+wait_for_tcp_port 127.0.0.1 "$INTERNAL_PORT" "Chromium remote debugging" 100 0.2 "20s" || true
 
 if [[ "${ENABLE_WEBRTC:-}" == "true" ]]; then
   # use webrtc
   echo "[wrapper] ✨ Starting neko (webrtc server) via supervisord."
   supervisorctl -c /etc/supervisor/supervisord.conf start neko
 
   # Wait for neko to be ready.
-  echo "[wrapper] Waiting for neko port 0.0.0.0:8080..."
-  while ! nc -z 127.0.0.1 8080 2>/dev/null; do
-    sleep 0.5
-  done
-  echo "[wrapper] Port 8080 is open"
+  wait_for_tcp_port 127.0.0.1 8080 "neko"
 fi
 
 echo "[wrapper] ✨ Starting kernel-images API."
@@ -241,6 +264,11 @@ API_OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}"
 
 # Start via supervisord (env overrides are read by the service's command)
 supervisorctl -c /etc/supervisor/supervisord.conf start kernel-images-api
+wait_for_tcp_port 127.0.0.1 "${API_PORT}" "kernel-images API"
+
+echo "[wrapper] Starting ChromeDriver via supervisord"
+supervisorctl -c /etc/supervisor/supervisord.conf start chromedriver
+wait_for_tcp_port 127.0.0.1 9225 "ChromeDriver" 50 0.2 "10s" || true
 
 echo "[wrapper] Starting PulseAudio daemon via supervisord"
 supervisorctl -c /etc/supervisor/supervisord.conf start pulseaudio
@@ -257,13 +285,6 @@ if [[ "${RUN_AS_ROOT:-}" == "true" ]]; then
       OFFSET_X=0
     fi
 
-    # Wait for kernel-images API port to be ready.
-    echo "[wrapper] Waiting for kernel-images API port 127.0.0.1:${API_PORT}..."
-    while ! nc -z 127.0.0.1 "${API_PORT}" 2>/dev/null; do
-      sleep 0.5
-    done
-    echo "[wrapper] Port ${API_PORT} is open"
-
     # Wait for Chromium window to open before dismissing the --no-sandbox warning.
     target='New Tab - Chromium'
     echo "[wrapper] Waiting for Chromium window \"${target}\" to appear and become active..."

diff --git a/images/chromium-headless/image/Dockerfile b/images/chromium-headless/image/Dockerfile
@@ -154,7 +154,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=$CACHEIDPREFIX-ap
     --mount=type=cache,target=/var/lib/apt,sharing=locked,id=$CACHEIDPREFIX-apt-lib \
     apt-get update -y && \
     apt-get -y install chromium && \
-    apt-get --no-install-recommends -y install sqlite3;
+    apt-get --no-install-recommends -y install sqlite3 unzip;
+
+# Install ChromeDriver matching the installed Chromium version
+RUN set -eux; \
+    CHROMIUM_VERSION=$(chromium --version | awk '{print $2}'); \
+    curl -fsSL "https://storage.googleapis.com/chrome-for-testing-public/${CHROMIUM_VERSION}/linux64/chromedriver-linux64.zip" -o /tmp/cd.zip; \
+    unzip /tmp/cd.zip -d /tmp; \
+    mv /tmp/chromedriver-linux64/chromedriver /usr/local/bin/chromedriver; \
+    chmod +x /usr/local/bin/chromedriver; \
+    rm -rf /tmp/cd.zip /tmp/chromedriver-linux64
 
 # Copy Chromium policy configuration
 RUN mkdir -p /etc/chromium/policies/managed

diff --git a/images/chromium-headless/image/supervisor/services/chromedriver.conf b/images/chromium-headless/image/supervisor/services/chromedriver.conf
@@ -0,0 +1,7 @@
+[program:chromedriver]
+command=/usr/local/bin/chromedriver --port=9225 --allowed-ips=127.0.0.1 --log-level=INFO
+autostart=false
+autorestart=true
+startsecs=2
+stdout_logfile=/var/log/supervisord/chromedriver
+redirect_stderr=true
diff --git a/images/chromium-headless/image/wrapper.sh b/images/chromium-headless/image/wrapper.sh
@@ -24,6 +24,38 @@ scale_to_zero_write() {
 disable_scale_to_zero() { scale_to_zero_write "+"; }
 enable_scale_to_zero()  { scale_to_zero_write "-"; }
 
+wait_for_tcp_port() {
+  local host="$1"
+  local port="$2"
+  local name="$3"
+  local attempts="${4:-0}"
+  local sleep_secs="${5:-0.5}"
+  local timeout_label="${6:-}"
+  local attempt=0
+
+  echo "[wrapper] Waiting for ${name} on ${host}:${port}..."
+  while true; do
+    if (echo >/dev/tcp/"${host}"/"${port}") >/dev/null 2>&1; then
+      echo "[wrapper] ${name} is ready on ${host}:${port}"
+      return 0
+    fi
+
+    if (( attempts > 0 )); then
+      attempt=$((attempt + 1))
+      if (( attempt >= attempts )); then
+        if [[ -n "${timeout_label}" ]]; then
+          echo "[wrapper] WARNING: ${name} not ready on ${host}:${port} after ${timeout_label}" >&2
+        else
+          echo "[wrapper] WARNING: ${name} not ready on ${host}:${port} after ${attempts} attempts" >&2
+        fi
+        return 1
+      fi
+    fi
+
+    sleep "${sleep_secs}"
+  done
+}
+
 # Disable scale-to-zero for the duration of the script when not running under Docker
 if [[ -z "${WITHDOCKER:-}" ]]; then
   echo "[wrapper] Disabling scale-to-zero"
@@ -184,6 +216,7 @@ cleanup () {
   echo "[wrapper] Cleaning up..."
   # Re-enable scale-to-zero if the script terminates early
   enable_scale_to_zero
+  supervisorctl -c /etc/supervisor/supervisord.conf stop chromedriver || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop chromium || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop xvfb || true
   supervisorctl -c /etc/supervisor/supervisord.conf stop dbus || true
@@ -230,20 +263,16 @@ done
 
 echo "[wrapper] Starting Chromium via supervisord on internal port $INTERNAL_PORT"
 supervisorctl -c /etc/supervisor/supervisord.conf start chromium
-for i in {1..100}; do
-  if (echo >/dev/tcp/127.0.0.1/"$INTERNAL_PORT") >/dev/null 2>&1; then
-    break
-  fi
-  sleep 0.2
-done
+wait_for_tcp_port 127.0.0.1 "$INTERNAL_PORT" "Chromium remote debugging" 100 0.2 "20s" || true
 
 echo "[wrapper] ✨ Starting kernel-images API via supervisord."
 supervisorctl -c /etc/supervisor/supervisord.conf start kernel-images-api
 API_PORT="${KERNEL_IMAGES_API_PORT:-10001}"
-echo "[wrapper] Waiting for kernel-images API on 127.0.0.1:${API_PORT}..."
-while ! (echo >/dev/tcp/127.0.0.1/"${API_PORT}") >/dev/null 2>&1; do
-  sleep 0.5
-done
+wait_for_tcp_port 127.0.0.1 "${API_PORT}" "kernel-images API"
+
+echo "[wrapper] Starting ChromeDriver via supervisord"
+supervisorctl -c /etc/supervisor/supervisord.conf start chromedriver
+wait_for_tcp_port 127.0.0.1 9225 "ChromeDriver" 50 0.2 "10s" || true
 
 echo "[wrapper] startup complete!"
 # Re-enable scale-to-zero once startup has completed (when not under Docker)

diff --git a/images/chromium-headless/run-docker.sh b/images/chromium-headless/run-docker.sh
@@ -15,6 +15,7 @@ RUN_ARGS=(
   --privileged
   --tmpfs /dev/shm:size=2g
   -p 9222:9222
+  -p 9224:9224
   -p 444:10001
   -v "$HOST_RECORDINGS_DIR:/recordings"
 )

diff --git a/images/chromium-headless/run-unikernel.sh b/images/chromium-headless/run-unikernel.sh
@@ -20,6 +20,7 @@ deploy_args=(
   -e RUN_AS_ROOT="$RUN_AS_ROOT"
   -e LOG_CDP_MESSAGES=true
   -p 9222:9222/tls
+  -p 9224:9224/tls
   -p 444:10001/tls
   -n "$NAME"
 )