diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1e7caa9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +Cargo.lock +target/ diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..c8e5c46 --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,29 @@ +[package] +description = "Interact with the github.com/containers/image library via skopeo" +edition = "2018" +license = "MIT OR Apache-2.0" +name = "containers-image-proxy" +readme = "README.md" +repository = "https://github.com/cgwalters/containers-image-proxy" +version = "0.1.0" + +[dependencies] +anyhow = "1.0" +fn-error-context = "0.2.0" +futures-util = "0.3.13" +lazy_static = "1.4.0" +nix = "0.22.0" +serde = { features = ["derive"], version = "1.0.125" } +serde_json = "1.0.64" +semver = "1.0.4" +tokio = { features = ["full"], version = "1" } +tokio-stream = "0.1.5" +tokio-util = { features = ["io"], version = "0.6" } +tracing = "0.1" + +[package.metadata.docs.rs] +features = ["dox"] + +[lib] +path = "src/imageproxy.rs" + diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..9535635 --- /dev/null +++ b/LICENSE @@ -0,0 +1,189 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..d66b11e --- /dev/null +++ b/README.md @@ -0,0 +1,46 @@ +# Rust bindings for accessing the Go containers/image stack + +This crate contains a Rust API that forks `/usr/bin/skopeo` and +talks to it via a custom API. You can use it to fetch container +images in a streaming fashion. + +# Why? + +First, assume one is operating on a codebase that isn't Go, but wants +to interact with container images - we can't just include the Go containers/image +library. + +The primary intended use case of this is for things like +[ostree-containers](https://github.com/ostreedev/ostree-rs-ext/issues/18) +where we're using container images to encapsulate host operating system +updates, but we don't want to involve the [containers/image](github.com/containers/image/) +storage layer. + +What we *do* want from the containers/image library is support for things like +signatures and offline mirroring. More on this below. + +Forgetting things like ostree exist for a second - imagine that you wanted to +encapsulate a set of Debian/RPM/etc packages inside +a container image to ship for package-based operating systems. You could use this to stream +out the layer containing those packages and extract them directly, rather than serializing +everything to disk in the containers/storage disk location, only to copy it out again and delete the first. + +Another theoretical use case could be something like [krustlet](https://github.com/deislabs/krustlet), +which fetches WebAssembly blobs inside containers. Here again, we don't want to involve +containers/storage. + +# Desired containers/image features + +There are e.g. Rust libraries like [dkregistry-rs](https://github.com/camallo/dkregistry-rs) and +[oci-distribution](https://crates.io/crates/oci-distribution) and similar for other languages. + +However, the containers/image Go library has a lot of additional infrastructure +that will impose a maintenance burden to replicate: + + - Signatures (`man containers-auth.json`) + - Mirroring/renaming (`man containers-registries.conf`) + - Support for `~/.docker/config.json` for authentication as well as `/run` + +# Status + +API is subject to change. diff --git a/src/imageproxy.rs b/src/imageproxy.rs new file mode 100644 index 0000000..fcf44b4 --- /dev/null +++ b/src/imageproxy.rs @@ -0,0 +1,296 @@ +//! Run skopeo as a subprocess to fetch container images. +//! +//! This allows fetching a container image manifest and layers in a streaming fashion. +//! +//! More information: + +use anyhow::{anyhow, Context, Result}; +use futures_util::{Future, FutureExt, TryFutureExt}; +use nix::sys::socket::{self as nixsocket, ControlMessageOwned}; +use nix::sys::uio::IoVec; +use serde::{Deserialize, Serialize}; +use std::fs::File; +use std::os::unix::io::AsRawFd; +use std::os::unix::prelude::{FromRawFd, RawFd}; +use std::pin::Pin; +use std::process::Stdio; +use std::sync::{Arc, Mutex}; +use tokio::io::{AsyncBufRead, AsyncReadExt}; + +pub const OCI_TYPE_LAYER_GZIP: &str = "application/vnd.oci.image.layer.v1.tar+gzip"; +pub const OCI_TYPE_LAYER_TAR: &str = "application/vnd.oci.image.layer.v1.tar"; + +// This is defined in skopeo; maximum size of JSON we will read/write. +// Note that payload data (non-metadata) should go over a pipe file descriptor. +const MAX_MSG_SIZE: usize = 32 * 1024; + +lazy_static::lazy_static! { + static ref SUPPORTED_PROTO_VERSION: semver::VersionReq = { + semver::VersionReq::parse("0.2.0").unwrap() + }; +} + +#[derive(Serialize)] +struct Request { + method: String, + args: Vec, +} + +impl Request { + fn new(method: &str, args: T) -> Self + where + T: IntoIterator, + I: Into, + { + let args: Vec<_> = args.into_iter().map(|v| v.into()).collect(); + Self { + method: method.to_string(), + args, + } + } + + fn new_bare(method: &str) -> Self { + Self { + method: method.to_string(), + args: vec![], + } + } +} + +#[derive(Deserialize)] +struct Reply { + success: bool, + error: String, + pipeid: u32, + value: serde_json::Value, +} + +type JoinFuture = Pin>>>>; + +/// Manage a child process proxy to fetch container images. +pub struct ImageProxy { + proc: tokio::process::Child, + sockfd: Arc>, + stderr: JoinFuture, +} + +impl std::fmt::Debug for ImageProxy { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("ImageProxy").finish() + } +} + +/// Opaque identifier for an image +pub struct OpenedImage(u32); + +#[allow(unsafe_code)] +fn new_seqpacket_pair() -> Result<(File, File)> { + let (mysock, theirsock) = nixsocket::socketpair( + nixsocket::AddressFamily::Unix, + nixsocket::SockType::SeqPacket, + None, + nixsocket::SockFlag::SOCK_CLOEXEC, + )?; + // Convert to owned values + let mysock = unsafe { std::fs::File::from_raw_fd(mysock) }; + let theirsock = unsafe { std::fs::File::from_raw_fd(theirsock) }; + Ok((mysock, theirsock)) +} + +#[allow(unsafe_code)] +fn file_from_scm_rights(cmsg: ControlMessageOwned) -> Option { + if let nixsocket::ControlMessageOwned::ScmRights(fds) = cmsg { + fds.get(0) + .map(|&fd| unsafe { std::fs::File::from_raw_fd(fd) }) + } else { + None + } +} + +impl ImageProxy { + /// Create an image proxy that fetches the target image. + pub async fn new() -> Result { + let (mysock, theirsock) = new_seqpacket_pair()?; + let mut c = std::process::Command::new("skopeo"); + c.args(&["experimental-image-proxy"]); + c.stdout(Stdio::null()).stderr(Stdio::piped()); + c.stdin(Stdio::from(theirsock)); + let mut c = tokio::process::Command::from(c); + c.kill_on_drop(true); + let mut proc = c.spawn().context("Failed to spawn skopeo")?; + + // Safety: We passed `Stdio::piped()` above + let mut child_stderr = proc.stderr.take().unwrap(); + + let stderr = tokio::spawn(async move { + let mut buf = String::new(); + child_stderr.read_to_string(&mut buf).await?; + Ok(buf) + }) + .map_err(anyhow::Error::msg) + .boxed(); + + let sockfd = Arc::new(Mutex::new(mysock)); + + // Verify semantic version + let (protover, _) = + Self::impl_request_raw::(Arc::clone(&sockfd), Request::new_bare("Initialize")) + .await?; + let protover = semver::Version::parse(protover.as_str())?; + let supported = &*SUPPORTED_PROTO_VERSION; + if !supported.matches(&protover) { + return Err(anyhow!( + "Unsupported protocol version {} (compatible: {})", + protover, + supported + )); + } + + let r = Self { + proc, + stderr, + sockfd, + }; + Ok(r) + } + + async fn impl_request_raw( + sockfd: Arc>, + req: Request, + ) -> Result<(T, Option<(File, u32)>)> { + // TODO: Investigate https://crates.io/crates/uds for SOCK_SEQPACKET tokio + let r = tokio::task::spawn_blocking(move || { + let sockfd = sockfd.lock().unwrap(); + let sendbuf = serde_json::to_vec(&req)?; + nixsocket::send(sockfd.as_raw_fd(), &sendbuf, nixsocket::MsgFlags::empty())?; + drop(sendbuf); + let mut buf = [0u8; MAX_MSG_SIZE]; + let mut cmsg_buffer = nix::cmsg_space!([RawFd; 1]); + let iov = IoVec::from_mut_slice(buf.as_mut()); + let r = nixsocket::recvmsg( + sockfd.as_raw_fd(), + &[iov], + Some(&mut cmsg_buffer), + nixsocket::MsgFlags::MSG_CMSG_CLOEXEC, + )?; + let buf = &buf[0..r.bytes]; + let mut fdret: Option = None; + for cmsg in r.cmsgs() { + if let Some(f) = file_from_scm_rights(cmsg) { + fdret = Some(f); + break; + } + } + let reply: Reply = serde_json::from_slice(buf).context("Deserializing reply")?; + if !reply.success { + return Err(anyhow!("remote error: {}", reply.error)); + } + let fdret = match (fdret, reply.pipeid) { + (Some(fd), n) => { + if n == 0 { + return Err(anyhow!("got fd but no pipeid")); + } + Some((fd, n)) + } + (None, n) => { + if n != 0 { + return Err(anyhow!("got no fd with pipeid {}", n)); + } + None + } + }; + let reply = serde_json::from_value(reply.value).context("Deserializing value")?; + Ok((reply, fdret)) + }) + .await??; + Ok(r) + } + + async fn impl_request( + &self, + method: &str, + args: T, + ) -> Result<(R, Option<(File, u32)>)> + where + T: IntoIterator, + I: Into, + { + let req = Request::new(method, args); + Self::impl_request_raw(Arc::clone(&self.sockfd), req).await + } + + async fn finish_pipe(&self, pipeid: u32) -> Result<()> { + let (r, fd) = self.impl_request("FinishPipe", [pipeid]).await?; + if fd.is_some() { + return Err(anyhow!("Unexpected fd in finish_pipe reply")); + } + Ok(r) + } + + pub async fn open_image(&self, imgref: &str) -> Result { + let (imgid, _) = self + .impl_request::("OpenImage", [imgref]) + .await?; + Ok(OpenedImage(imgid)) + } + + pub async fn close_image(&self, img: &OpenedImage) -> Result<()> { + let (r, _) = self.impl_request("CloseImage", [img.0]).await?; + Ok(r) + } + + /// Fetch the manifest. + /// https://github.com/opencontainers/image-spec/blob/main/manifest.md + pub async fn fetch_manifest(&self, img: &OpenedImage) -> Result<(String, Vec)> { + let (digest, fd) = self.impl_request("GetManifest", [img.0]).await?; + let (fd, pipeid) = fd.ok_or_else(|| anyhow!("Missing fd from reply"))?; + let mut fd = tokio::io::BufReader::new(tokio::fs::File::from_std(fd)); + let mut manifest = Vec::new(); + let reader = fd.read_to_end(&mut manifest); + let (reader, finish) = tokio::join!(reader, self.finish_pipe(pipeid)); + reader?; + finish?; + Ok((digest, manifest)) + } + + /// Fetch a blob identified by e.g. `sha256:`. + /// https://github.com/opencontainers/image-spec/blob/main/descriptor.md + /// Note that right now the proxy does verification of the digest: + /// https://github.com/cgwalters/container-image-proxy/issues/1#issuecomment-926712009 + pub async fn get_blob( + &self, + img: &OpenedImage, + digest: &str, + size: u64, + ) -> Result<( + impl AsyncBufRead + Send + Unpin, + impl Future> + Unpin + '_, + )> { + let args: Vec = + vec![img.0.into(), digest.to_string().into(), size.into()]; + let (_bloblen, fd) = self.impl_request::("GetBlob", args).await?; + let (fd, pipeid) = fd.ok_or_else(|| anyhow!("Missing fd from reply"))?; + let fd = tokio::io::BufReader::new(tokio::fs::File::from_std(fd)); + let finish = Box::pin(self.finish_pipe(pipeid)); + Ok((fd, finish)) + } + + /// Close the connection and wait for the child process to exit successfully. + pub async fn finalize(mut self) -> Result<()> { + let req = Request::new_bare("Shutdown"); + let sendbuf = serde_json::to_vec(&req)?; + // SAFETY: Only panics if a worker thread already panic'd + let sockfd = Arc::try_unwrap(self.sockfd).unwrap().into_inner().unwrap(); + nixsocket::send(sockfd.as_raw_fd(), &sendbuf, nixsocket::MsgFlags::empty())?; + drop(sendbuf); + let status = self.proc.wait().await?; + if !status.success() { + if let Some(stderr) = self.stderr.await.map(|v| v.ok()).ok().flatten() { + anyhow::bail!("proxy failed: {}\n{}", status, stderr) + } else { + anyhow::bail!("proxy failed: {} (failed to fetch stderr)", status) + } + } + Ok(()) + } +}