cellos-host-gvisor 0.5.0

gVisor runsc backend for CellOS — runs cells in user-space syscall-emulated sandboxes for environments without KVM.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318

//! Pure bundle-generation logic for the gVisor backend.
//!
//! Translates an [`ExecutionCellDocument`] into the JSON shape `runsc` reads
//! when invoked as `runsc run --bundle <dir> <cell-id>`. Kept platform-
//! independent (no `unix`-only types, no `runsc` shell-out) so it can be
//! exercised by unit tests on macOS dev hosts.
//!
//! The resulting [`BundleConfig`] is a *subset* of the OCI runtime spec —
//! only the fields that `runsc` actually consumes for our use case
//! (`process.args`, `process.cwd`, `root.path`, `linux.namespaces`). We do
//! not attempt to be a general-purpose OCI generator; a runtime spec
//! upgrade is owned by the L2-06 follow-up that wires real `runsc`
//! invocation.

use cellos_core::ExecutionCellDocument;
use serde::{Deserialize, Serialize};

/// Generator error. Kept simple and self-describing; surfaced verbatim
/// in the supervisor's `CellosError::Backend` wrapping at the call site
/// (`backend::GVisorCellBackend::create`).
///
/// We hand-roll `Display` / `Error` (no `thiserror` dep) to keep the
/// gVisor skeleton crate's transitive dependency surface minimal — the
/// backend has only two failure modes at the bundle layer, both static.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum BundleConfigError {
    MissingCellId,
    MissingArgv,
}

impl std::fmt::Display for BundleConfigError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::MissingCellId => {
                f.write_str("spec.id must be non-empty for gVisor bundle generation")
            }
            Self::MissingArgv => {
                f.write_str("spec.run.argv must be non-empty for gVisor bundle generation")
            }
        }
    }
}

impl std::error::Error for BundleConfigError {}

/// Minimal OCI bundle config — what we hand to `runsc` via `config.json`.
///
/// This intentionally mirrors only the keys our `runsc run` invocation
/// reads. We never round-trip back through this struct after generation;
/// `runsc` is the authoritative consumer.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct BundleConfig {
    #[serde(rename = "ociVersion")]
    pub oci_version: String,
    pub process: Process,
    pub root: Root,
    pub hostname: String,
    pub linux: LinuxSection,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct Process {
    pub terminal: bool,
    pub args: Vec<String>,
    pub cwd: String,
    pub env: Vec<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct Root {
    /// Relative path to the bundle's `rootfs/` directory. `runsc` resolves
    /// this against the bundle dir passed via `--bundle`.
    pub path: String,
    pub readonly: bool,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct LinuxSection {
    /// Which Linux namespaces `runsc` should unshare for this cell. We
    /// always request the full set — gVisor's threat model assumes them.
    pub namespaces: Vec<Namespace>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct Namespace {
    #[serde(rename = "type")]
    pub kind: String,
}

/// Translate an [`ExecutionCellDocument`] into a [`BundleConfig`].
///
/// Required:
/// - `spec.id` non-empty (becomes the container id `runsc` tracks),
/// - `spec.run.argv` non-empty (becomes `process.args`).
///
/// Optional / defaulted:
/// - `spec.run.working_directory` → `process.cwd` (defaults to `/`),
/// - hostname is derived from `spec.id` so guest output is identifiable.
///
/// Network namespace is always declared so the cell starts off the host
/// network; the supervisor's nftables layer (when present) attaches to
/// the unshared netns separately.
pub fn generate_bundle_config(
    spec: &ExecutionCellDocument,
) -> Result<BundleConfig, BundleConfigError> {
    let cell_id = spec.spec.id.trim();
    if cell_id.is_empty() {
        return Err(BundleConfigError::MissingCellId);
    }

    let run = spec
        .spec
        .run
        .as_ref()
        .ok_or(BundleConfigError::MissingArgv)?;

    if run.argv.is_empty() {
        return Err(BundleConfigError::MissingArgv);
    }

    let cwd = run
        .working_directory
        .clone()
        .filter(|s| !s.is_empty())
        .unwrap_or_else(|| "/".to_string());

    Ok(BundleConfig {
        oci_version: "1.0.2".to_string(),
        process: Process {
            terminal: false,
            args: run.argv.clone(),
            cwd,
            // Empty by design — secrets and env are layered by the
            // supervisor's broker plumbing, not by the bundle generator.
            env: Vec::new(),
        },
        root: Root {
            path: "rootfs".to_string(),
            readonly: true,
        },
        hostname: cell_id.to_string(),
        linux: LinuxSection {
            namespaces: vec![
                Namespace {
                    kind: "pid".to_string(),
                },
                Namespace {
                    kind: "network".to_string(),
                },
                Namespace {
                    kind: "ipc".to_string(),
                },
                Namespace {
                    kind: "uts".to_string(),
                },
                Namespace {
                    kind: "mount".to_string(),
                },
            ],
        },
    })
}

#[cfg(test)]
mod tests {
    use super::*;
    use cellos_core::types::{AuthorityBundle, ExecutionCellSpec, Lifetime, RunSpec};
    use cellos_core::ExecutionCellDocument;

    fn doc_with(id: &str, argv: Vec<String>, cwd: Option<String>) -> ExecutionCellDocument {
        let spec = ExecutionCellSpec {
            id: id.to_string(),
            authority: AuthorityBundle::default(),
            lifetime: Lifetime::default(),
            run: Some(RunSpec {
                argv,
                working_directory: cwd,
                timeout_ms: None,
                limits: None,
                secret_delivery: Default::default(),
            }),
            ..ExecutionCellSpec::default()
        };
        ExecutionCellDocument {
            api_version: "cellos.dev/v1".to_string(),
            kind: "ExecutionCell".to_string(),
            spec,
        }
    }

    #[test]
    fn happy_path_populates_args_cwd_hostname() {
        let doc = doc_with(
            "cell-alpha",
            vec!["/bin/true".to_string()],
            Some("/work".to_string()),
        );
        let cfg = generate_bundle_config(&doc).expect("bundle generation succeeds");

        assert_eq!(cfg.process.args, vec!["/bin/true"]);
        assert_eq!(cfg.process.cwd, "/work");
        assert_eq!(cfg.hostname, "cell-alpha");
        assert!(cfg.root.readonly);
        assert_eq!(cfg.root.path, "rootfs");
    }

    #[test]
    fn cwd_defaults_to_root_when_absent() {
        let doc = doc_with("cell-beta", vec!["/bin/sh".to_string()], None);
        let cfg = generate_bundle_config(&doc).unwrap();
        assert_eq!(cfg.process.cwd, "/");
    }

    #[test]
    fn cwd_defaults_to_root_when_empty_string() {
        let doc = doc_with(
            "cell-gamma",
            vec!["/bin/sh".to_string()],
            Some(String::new()),
        );
        let cfg = generate_bundle_config(&doc).unwrap();
        assert_eq!(cfg.process.cwd, "/");
    }

    #[test]
    fn empty_cell_id_is_rejected() {
        let doc = doc_with("", vec!["/bin/true".to_string()], None);
        let err = generate_bundle_config(&doc).unwrap_err();
        assert!(matches!(err, BundleConfigError::MissingCellId));
    }

    #[test]
    fn whitespace_only_cell_id_is_rejected() {
        let doc = doc_with("   ", vec!["/bin/true".to_string()], None);
        let err = generate_bundle_config(&doc).unwrap_err();
        assert!(matches!(err, BundleConfigError::MissingCellId));
    }

    #[test]
    fn missing_run_is_rejected() {
        let spec = ExecutionCellSpec {
            id: "cell".to_string(),
            authority: AuthorityBundle::default(),
            lifetime: Lifetime::default(),
            run: None,
            ..ExecutionCellSpec::default()
        };
        let doc = ExecutionCellDocument {
            api_version: "cellos.dev/v1".to_string(),
            kind: "ExecutionCell".to_string(),
            spec,
        };
        let err = generate_bundle_config(&doc).unwrap_err();
        assert!(matches!(err, BundleConfigError::MissingArgv));
    }

    #[test]
    fn empty_argv_is_rejected() {
        let doc = doc_with("cell-delta", vec![], None);
        let err = generate_bundle_config(&doc).unwrap_err();
        assert!(matches!(err, BundleConfigError::MissingArgv));
    }

    #[test]
    fn namespaces_include_expected_set() {
        let doc = doc_with("cell-eps", vec!["/bin/true".to_string()], None);
        let cfg = generate_bundle_config(&doc).unwrap();
        let kinds: Vec<&str> = cfg
            .linux
            .namespaces
            .iter()
            .map(|n| n.kind.as_str())
            .collect();
        for required in &["pid", "network", "ipc", "uts", "mount"] {
            assert!(
                kinds.contains(required),
                "expected namespace {required} in {kinds:?}",
            );
        }
    }

    #[test]
    fn config_serializes_to_json_with_oci_keys() {
        let doc = doc_with(
            "cell-json",
            vec!["/bin/echo".to_string(), "hi".to_string()],
            None,
        );
        let cfg = generate_bundle_config(&doc).unwrap();
        let json = serde_json::to_value(&cfg).unwrap();
        // OCI runtime spec expects camelCase / specific key names — pin them.
        assert!(
            json.get("ociVersion").is_some(),
            "ociVersion missing: {json}"
        );
        assert!(json.get("process").is_some());
        assert!(json.get("root").is_some());
        assert_eq!(
            json["linux"]["namespaces"][0]["type"], "pid",
            "namespaces must use OCI 'type' key, got: {json}",
        );
    }

    #[test]
    fn multi_arg_argv_round_trips() {
        let doc = doc_with(
            "cell-multi",
            vec![
                "/usr/bin/env".to_string(),
                "PATH=/bin".to_string(),
                "sh".to_string(),
            ],
            None,
        );
        let cfg = generate_bundle_config(&doc).unwrap();
        assert_eq!(cfg.process.args, vec!["/usr/bin/env", "PATH=/bin", "sh"],);
    }
}