nucleus-container 0.3.1

Extremely lightweight Docker alternative for agents and production services — isolated execution using cgroups, namespaces, seccomp, Landlock, and gVisor
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! Structured audit logging for container lifecycle events.
//!
//! Every significant container event (start, stop, security hardening, network setup,
//! health check result, etc.) is emitted as a structured JSON event to the
//! `nucleus::audit` tracing target. This provides the minimum observability
//! required for post-incident analysis in production deployments.
//!
//! Events are written to journald via tracing's stdout integration and can be
//! filtered with `RUST_LOG=nucleus::audit=info`.

use serde::Serialize;
use std::time::{SystemTime, UNIX_EPOCH};

/// Audit event types covering the full container lifecycle.
#[derive(Debug, Clone, Serialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventType {
    ContainerStart,
    ContainerStop,
    ContainerExec,
    NamespaceCreated,
    CgroupCreated,
    FilesystemMounted,
    RootSwitched,
    MountAuditPassed,
    MountAuditFailed,
    CapabilitiesDropped,
    SeccompApplied,
    SeccompProfileLoaded,
    LandlockApplied,
    NoNewPrivsSet,
    NetworkBridgeSetup,
    EgressPolicyApplied,
    EgressDenied,
    HealthCheckPassed,
    HealthCheckFailed,
    HealthCheckUnhealthy,
    ReadinessProbeReady,
    ReadinessProbeFailed,
    SecretsMounted,
    InitSupervisorStarted,
    ZombieReaped,
    SignalForwarded,
    GVisorStarted,
}

/// A structured audit event emitted as JSON for post-incident analysis.
#[derive(Debug, Clone, Serialize)]
pub struct AuditEvent {
    /// Unix epoch timestamp with millisecond precision (e.g. "1712345678.123")
    pub timestamp: String,
    /// Container ID (correlation ID for all events in a lifecycle)
    pub container_id: String,
    /// Container name
    pub container_name: String,
    /// Event type
    pub event_type: AuditEventType,
    /// Human-readable detail message
    pub detail: String,
    /// Whether this event represents a failure
    pub is_error: bool,
    /// Security posture details (populated for security-related events)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_posture: Option<SecurityPosture>,
}

/// Security posture captured at container start for incident analysis.
#[derive(Debug, Clone, Serialize)]
pub struct SecurityPosture {
    /// Seccomp mode: "enforce", "trace", "profile:`<path>`", or "none"
    pub seccomp_mode: String,
    /// Landlock ABI version negotiated (e.g. "V5", "none")
    #[serde(skip_serializing_if = "Option::is_none")]
    pub landlock_abi: Option<String>,
    /// Capabilities that were dropped
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dropped_caps: Option<Vec<String>>,
    /// Whether gVisor was used
    pub gvisor: bool,
    /// Whether rootless mode was used
    pub rootless: bool,
}

impl AuditEvent {
    /// Create a new audit event for the given container.
    pub fn new(
        container_id: &str,
        container_name: &str,
        event_type: AuditEventType,
        detail: impl Into<String>,
    ) -> Self {
        let timestamp = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| {
                // RFC 3339 / ISO 8601 UTC timestamp for audit log interoperability.
                let total_secs = d.as_secs();
                let millis = d.subsec_millis();

                // Break epoch seconds into date/time components (no leap seconds).
                let days = total_secs / 86400;
                let day_secs = total_secs % 86400;
                let hours = day_secs / 3600;
                let minutes = (day_secs % 3600) / 60;
                let seconds = day_secs % 60;

                // Civil date from days since 1970-01-01 (Rata Die algorithm).
                let z = days as i64 + 719468;
                let era = (if z >= 0 { z } else { z - 146096 }) / 146097;
                let doe = (z - era * 146097) as u64;
                let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
                let y = yoe as i64 + era * 400;
                let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
                let mp = (5 * doy + 2) / 153;
                let d = doy - (153 * mp + 2) / 5 + 1;
                let m = if mp < 10 { mp + 3 } else { mp - 9 };
                let y = if m <= 2 { y + 1 } else { y };

                format!(
                    "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}.{:03}Z",
                    y, m, d, hours, minutes, seconds, millis
                )
            })
            .unwrap_or_else(|_| "1970-01-01T00:00:00.000Z".to_string());

        Self {
            timestamp,
            container_id: container_id.to_string(),
            container_name: container_name.to_string(),
            event_type,
            detail: detail.into(),
            is_error: false,
            security_posture: None,
        }
    }

    /// Mark this event as an error.
    pub fn as_error(mut self) -> Self {
        self.is_error = true;
        self
    }

    /// Attach security posture to this event.
    pub fn with_security_posture(mut self, posture: SecurityPosture) -> Self {
        self.security_posture = Some(posture);
        self
    }

    /// Emit this event to the audit log via tracing.
    pub fn emit(&self) {
        let json = serde_json::to_string(self).unwrap_or_else(|_| {
            // Avoid Debug format which could leak sensitive fields;
            // emit only the non-sensitive event envelope.
            format!(
                r#"{{"timestamp":"{}","container_id":"{}","event_type":"{:?}","detail":"[serialization failed]","is_error":{}}}"#,
                self.timestamp, self.container_id, self.event_type, self.is_error
            )
        });
        if self.is_error {
            tracing::error!(target: "nucleus::audit", "{}", json);
        } else {
            tracing::info!(target: "nucleus::audit", "{}", json);
        }
    }
}

/// Redact command-line arguments that may contain secrets.
///
/// Replaces values following flags whose names suggest sensitive content
/// (e.g. `--password`, `--token`, `--secret`, `--key`, `--auth`) with
/// `[REDACTED]`, and redacts arguments that look like inline `KEY=VALUE`
/// assignments for those same patterns.
pub fn redact_command(args: &[String]) -> Vec<String> {
    const SENSITIVE: &[&str] = &[
        "password",
        "passwd",
        "token",
        "secret",
        "key",
        "auth",
        "credential",
        "api-key",
        "apikey",
        "api_key",
        "access-token",
        "private-key",
    ];

    fn is_sensitive_flag(s: &str) -> bool {
        let lower = s.to_ascii_lowercase();
        let name = lower.trim_start_matches('-');
        SENSITIVE.iter().any(|pat| name.contains(pat))
    }

    let mut out = Vec::with_capacity(args.len());
    let mut redact_next = false;
    for arg in args {
        if redact_next {
            out.push("[REDACTED]".to_string());
            redact_next = false;
            continue;
        }
        if is_sensitive_flag(arg) {
            out.push(arg.clone());
            redact_next = true;
        } else if let Some((k, _)) = arg.split_once('=') {
            if is_sensitive_flag(k) {
                out.push(format!("{}=[REDACTED]", k));
            } else {
                out.push(arg.clone());
            }
        } else {
            out.push(arg.clone());
        }
    }
    out
}

/// Convenience function to emit an audit event.
pub fn audit(
    container_id: &str,
    container_name: &str,
    event_type: AuditEventType,
    detail: impl Into<String>,
) {
    AuditEvent::new(container_id, container_name, event_type, detail).emit();
}

/// Convenience function to emit an audit event with security posture.
pub fn audit_with_posture(
    container_id: &str,
    container_name: &str,
    event_type: AuditEventType,
    detail: impl Into<String>,
    posture: SecurityPosture,
) {
    AuditEvent::new(container_id, container_name, event_type, detail)
        .with_security_posture(posture)
        .emit();
}

/// Convenience function to emit an error audit event.
pub fn audit_error(
    container_id: &str,
    container_name: &str,
    event_type: AuditEventType,
    detail: impl Into<String>,
) {
    AuditEvent::new(container_id, container_name, event_type, detail)
        .as_error()
        .emit();
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_audit_event_serialization() {
        let event = AuditEvent::new("abc123", "test", AuditEventType::ContainerStart, "started");
        let json = serde_json::to_string(&event).unwrap();
        assert!(json.contains("container_start"));
        assert!(json.contains("abc123"));
        // security_posture should be omitted when None
        assert!(!json.contains("security_posture"));
    }

    #[test]
    fn test_audit_event_with_security_posture() {
        let posture = SecurityPosture {
            seccomp_mode: "enforce".to_string(),
            landlock_abi: Some("V5".to_string()),
            dropped_caps: Some(vec!["CAP_SYS_ADMIN".to_string()]),
            gvisor: false,
            rootless: true,
        };
        let event = AuditEvent::new("abc123", "test", AuditEventType::ContainerStart, "started")
            .with_security_posture(posture);

        let json = serde_json::to_string(&event).unwrap();
        assert!(json.contains("security_posture"));
        assert!(json.contains("enforce"));
        assert!(json.contains("V5"));
        assert!(json.contains("CAP_SYS_ADMIN"));
        assert!(json.contains("\"rootless\":true"));
    }

    #[test]
    fn test_audit_event_error_flag() {
        let event =
            AuditEvent::new("abc123", "test", AuditEventType::SeccompApplied, "applied").as_error();
        assert!(event.is_error);
    }
}