zlayer-agent 0.11.12

Container runtime agent using libcontainer/youki
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476

//! Container runtime implementations
//!
//! This module contains implementations of the Runtime trait for different
//! container runtimes:
//!
//! - **youki**: Linux-native container runtime using libcontainer. Preferred on Linux
//!   for its performance (no daemon overhead) and tight integration with the kernel.
//!   Only available on Linux targets.
//! - **docker**: Cross-platform runtime using Docker daemon. Works on Linux, Windows,
//!   and macOS. Requires Docker Desktop or Docker daemon to be running.
//! - **wasm**: WebAssembly runtime using wasmtime for executing WASM workloads with
//!   WASI support. Lightweight alternative to containers for compatible workloads.
//!
//! # Runtime Selection
//!
//! Use [`RuntimeConfig::Auto`](crate::RuntimeConfig::Auto) to automatically select
//! the best available runtime for container images:
//!
//! - On Linux: Prefers youki if available, falls back to Docker
//! - On Windows/macOS: Uses Docker (youki is Linux-only)
//!
//! For WASM artifacts, use [`create_runtime_for_image`] to automatically detect
//! the artifact type and create the appropriate runtime:
//!
//! ```no_run
//! use zlayer_agent::runtimes::create_runtime_for_image;
//! use zlayer_registry::{BlobCache, ImagePuller};
//! use std::sync::Arc;
//!
//! # async fn example() -> Result<(), zlayer_agent::AgentError> {
//! let cache = BlobCache::open("/tmp/blobs.redb").unwrap();
//! let registry = Arc::new(ImagePuller::new(cache));
//!
//! // Automatically detect and create the right runtime
//! let runtime = create_runtime_for_image(
//!     "ghcr.io/myorg/myimage:latest",
//!     registry,
//! ).await?;
//! # Ok(())
//! # }
//! ```
//!
//! # WASM Runtime
//!
//! The WASM runtime provides an alternative execution model for WebAssembly workloads.
//! WASM artifacts are detected by examining the OCI manifest for:
//!
//! 1. **Artifact type** (OCI 1.1+): `application/vnd.wasm.component.v1+wasm` or
//!    `application/vnd.wasm.module.v1+wasm`
//! 2. **Config media type**: `application/vnd.wasm.config.v1+json`
//! 3. **Layer media types**: `application/vnd.wasm.content.layer.v1.wasm` or `application/wasm`
//!
//! ## WASI Versions
//!
//! - **WASI Preview 1 (wasip1)**: Core module format with basic syscall interface
//! - **WASI Preview 2 (wasip2)**: Component model format (detected but not yet fully supported)
//!
//! ## Limitations
//!
//! The WASM runtime has some inherent limitations compared to container runtimes:
//!
//! - No `exec` support (WASM modules are single-process)
//! - No cgroup statistics (WASM runs in-process without kernel isolation)
//! - Limited filesystem access (environment variables and args only currently)
//!
//! # Feature Flags
//!
//! - `docker`: Enables the Docker runtime (uses bollard crate)
//! - `wasm`: Enables the WebAssembly runtime (uses wasmtime crate)
//!
//! # Platform Support
//!
//! - The youki runtime (using libcontainer) is only available on Linux targets.
//!   On non-Linux platforms, use Docker or WASM runtimes.
//!
//! # Examples
//!
//! ```no_run
//! use zlayer_agent::{RuntimeConfig, create_runtime};
//!
//! # async fn example() -> Result<(), zlayer_agent::AgentError> {
//! // Auto-select the best runtime for this platform
//! let runtime = create_runtime(RuntimeConfig::Auto, None).await?;
//!
//! // Or explicitly choose a runtime
//! #[cfg(feature = "docker")]
//! let docker_runtime = create_runtime(RuntimeConfig::Docker, None).await?;
//!
//! #[cfg(feature = "wasm")]
//! {
//!     use zlayer_agent::WasmConfig;
//!     let wasm_runtime = create_runtime(RuntimeConfig::Wasm(WasmConfig::default()), None).await?;
//! }
//! # Ok(())
//! # }
//! ```

// Cross-platform composite runtime that dispatches per-container between a
// primary runtime and an optional delegate (e.g. a WSL2 Linux delegate on a
// Windows host). Compiled unconditionally — the delegate is optional at
// runtime, so the abstraction is useful on every target.
pub mod composite;

// Youki runtime is Linux-only as it depends on libcontainer which uses
// Linux-specific APIs (cgroups, namespaces, procfs). Gated behind the
// `youki-runtime` feature so the crate publishes without pulling libcontainer.
#[cfg(all(target_os = "linux", feature = "youki-runtime"))]
mod youki;

#[cfg(feature = "docker")]
mod docker;

#[cfg(feature = "wasm")]
mod wasm;

#[cfg(feature = "wasm")]
mod wasm_host;

#[cfg(feature = "wasm")]
mod wasm_http;

#[cfg(feature = "wasm")]
mod wasm_http_interfaces;

#[cfg(feature = "wasm")]
mod wasm_pipeline;

#[cfg(feature = "wasm")]
pub mod wasm_test;

#[cfg(target_os = "macos")]
pub mod macos_sandbox;

#[cfg(target_os = "macos")]
pub mod macos_vm;

// HCS-backed native Windows container runtime. Compiled only on Windows
// because it depends on the `zlayer-hcs` crate and the `crate::windows`
// submodule, both of which are Windows-only.
#[cfg(target_os = "windows")]
pub mod hcs;

// WSL2 delegate runtime. Compiled only on Windows with the `wsl` feature
// enabled; shells out to `youki` inside the dedicated `zlayer` WSL2 distro
// so Linux containers can run alongside HCS-managed Windows containers via
// [`composite::CompositeRuntime`].
#[cfg(all(target_os = "windows", feature = "wsl"))]
pub mod wsl2_delegate;

#[cfg(target_os = "windows")]
pub use hcs::{HcsConfig, HcsRuntime, IsolationMode};

#[cfg(all(target_os = "linux", feature = "youki-runtime"))]
pub use youki::{YoukiConfig, YoukiRuntime};

#[cfg(target_os = "macos")]
pub use macos_sandbox::SandboxRuntime;

#[cfg(target_os = "macos")]
pub use macos_vm::VmRuntime;

#[cfg(feature = "docker")]
pub use docker::DockerRuntime;

#[cfg(feature = "wasm")]
pub use wasm::{WasmConfig, WasmRuntime};

#[cfg(feature = "wasm")]
pub use wasm_host::{
    add_to_linker, add_to_linker_with_capabilities, configure_wasi_ctx_with_capabilities,
    DefaultHost, KvError, LogLevel, MetricsStore, ZLayerHost,
};

#[cfg(feature = "wasm")]
pub use wasm_http::{HttpRequest, HttpResponse, PoolStats, WasmHttpError, WasmHttpRuntime};

#[cfg(feature = "wasm")]
pub use wasm_pipeline::WasmPipelineRuntime;

#[cfg(feature = "wasm")]
pub use wasm_http_interfaces::{
    // Utility functions
    duration_to_ns,
    ns_to_duration,
    // Caching types
    CacheDecision,
    CacheEntry,
    // Plugin traits
    CachingPlugin,
    // Common types
    DurationNs,
    // HTTP types
    HttpMethod,
    HttpVersion,
    ImmediateResponse,
    KeyValue,
    // WebSocket types
    MessageType,
    // Middleware types
    MiddlewareAction,
    MiddlewarePlugin,
    PluginRequest,
    RedirectInfo,
    RequestMetadata,
    RouterPlugin,
    RoutingDecision,
    Timestamp,
    UpgradeDecision,
    Upstream,
    // Errors
    WasmInterfaceError,
    WebSocketMessage,
    WebSocketPlugin,
};

/// Discriminated union of WASM runtime types.
///
/// Each variant corresponds to a different WASM execution model:
/// - `Http`: Full HTTP request/response handler (wasi:http/incoming-handler)
/// - `Plugin`: General plugin with full host access (zlayer:plugin/handler)
/// - `Pipeline`: Proxy-adjacent component (transformer, auth, rate-limiter, middleware, router)
#[cfg(feature = "wasm")]
pub enum WasmRuntimeKind {
    /// HTTP request handler (wasi:http/incoming-handler)
    Http(WasmHttpRuntime),
    /// General plugin runtime (zlayer:plugin/handler)
    Plugin(WasmPluginConfig),
    /// Proxy pipeline component (transformer, auth, rate-limiter, middleware, router)
    Pipeline(WasmPipelineConfig),
}

/// Configuration for a WASM plugin runtime
#[cfg(feature = "wasm")]
#[derive(Debug, Clone)]
pub struct WasmPluginConfig {
    pub capabilities: zlayer_spec::WasmCapabilities,
    pub max_memory: Option<String>,
    pub max_fuel: u64,
    pub request_timeout: std::time::Duration,
}

/// Configuration for a WASM pipeline runtime (proxy-adjacent worlds)
#[cfg(feature = "wasm")]
#[derive(Debug, Clone)]
pub struct WasmPipelineConfig {
    pub service_type: zlayer_spec::ServiceType,
    pub capabilities: zlayer_spec::WasmCapabilities,
    pub max_memory: Option<String>,
    pub max_fuel: u64,
    pub request_timeout: std::time::Duration,
    pub min_instances: u32,
    pub max_instances: u32,
}

/// Create the appropriate WASM runtime for a given service type.
///
/// Dispatches to specialized runtimes based on the WASM world:
/// - `WasmHttp` -> [`WasmHttpRuntime`] (existing)
/// - `WasmPlugin` -> General plugin runtime (uses [`WasmPluginConfig`])
/// - Proxy-adjacent types (Transformer, Auth, `RateLimiter`, Middleware, Router)
///   -> [`WasmPipelineConfig`] (for use with [`WasmPipelineRuntime`])
///
/// # Errors
///
/// Returns an error if the service type is not a WASM variant, or if runtime
/// creation fails (e.g., wasmtime engine initialization).
///
/// # Panics
///
/// Panics if `default_wasm_capabilities()` returns `None` for a known WASM
/// service type when no explicit capabilities are provided.
#[cfg(feature = "wasm")]
pub fn create_wasm_runtime_for_service_type(
    service_type: zlayer_spec::ServiceType,
    wasm_config: &zlayer_spec::WasmConfig,
) -> Result<WasmRuntimeKind, Box<dyn std::error::Error + Send + Sync>> {
    use zlayer_spec::ServiceType;

    match service_type {
        ServiceType::WasmHttp => {
            // Convert WasmConfig to the deprecated WasmHttpConfig that the
            // HTTP runtime still uses internally
            #[allow(deprecated)]
            let http_config = zlayer_spec::WasmHttpConfig {
                min_instances: wasm_config.min_instances,
                max_instances: wasm_config.max_instances,
                idle_timeout: wasm_config.idle_timeout,
                request_timeout: wasm_config.request_timeout,
            };

            // Use capability-gated constructor if capabilities are configured
            let capabilities = wasm_config
                .capabilities
                .clone()
                .unwrap_or_else(|| service_type.default_wasm_capabilities().unwrap());
            let mut runtime = WasmHttpRuntime::new_with_capabilities(http_config, capabilities)?;
            // Apply resource limits (max_memory, max_fuel) from the spec config
            runtime.set_resource_limits(wasm_config);
            Ok(WasmRuntimeKind::Http(runtime))
        }
        ServiceType::WasmPlugin => Ok(WasmRuntimeKind::Plugin(WasmPluginConfig {
            capabilities: wasm_config
                .capabilities
                .clone()
                .unwrap_or_else(|| service_type.default_wasm_capabilities().unwrap()),
            max_memory: wasm_config.max_memory.clone(),
            max_fuel: wasm_config.max_fuel,
            request_timeout: wasm_config.request_timeout,
        })),
        ServiceType::WasmTransformer
        | ServiceType::WasmAuthenticator
        | ServiceType::WasmRateLimiter
        | ServiceType::WasmMiddleware
        | ServiceType::WasmRouter => Ok(WasmRuntimeKind::Pipeline(WasmPipelineConfig {
            service_type,
            capabilities: wasm_config
                .capabilities
                .clone()
                .unwrap_or_else(|| service_type.default_wasm_capabilities().unwrap()),
            max_memory: wasm_config.max_memory.clone(),
            max_fuel: wasm_config.max_fuel,
            request_timeout: wasm_config.request_timeout,
            min_instances: wasm_config.min_instances,
            max_instances: wasm_config.max_instances,
        })),
        _ => Err(format!("service type {service_type:?} is not a WASM type").into()),
    }
}

use crate::error::{AgentError, Result};
use crate::runtime::Runtime;
use std::sync::Arc;
use zlayer_registry::ImagePuller;

/// Detect the artifact type of an image and create the appropriate runtime
///
/// This function pulls the image manifest from the registry to determine whether
/// the image is a traditional container image or a WASM artifact, then creates
/// the appropriate runtime to execute it.
///
/// # Detection Logic
///
/// 1. Pull the manifest from the registry
/// 2. Examine the manifest for WASM indicators (artifact type, config media type, layer types)
/// 3. If WASM: Return a [`WasmRuntime`] (requires `wasm` feature)
/// 4. If container: Return the best available container runtime via [`crate::create_runtime`]
///
/// # Arguments
///
/// * `image` - Image reference (e.g., "ghcr.io/myorg/mymodule:v1.0" or "docker.io/library/nginx:latest")
/// * `registry` - Registry client for pulling manifests. Can be shared across calls.
///
/// # Returns
///
/// Returns an `Arc<dyn Runtime + Send + Sync>` suitable for executing the image.
///
/// # Errors
///
/// - Returns [`AgentError::PullFailed`] if the manifest cannot be fetched
/// - Returns [`AgentError::Configuration`] if a WASM image is detected but the `wasm` feature
///   is not enabled
/// - Returns [`AgentError::Configuration`] if no suitable container runtime is available
///
/// # Examples
///
/// ```no_run
/// use zlayer_agent::runtimes::create_runtime_for_image;
/// use zlayer_registry::{BlobCache, ImagePuller};
/// use std::sync::Arc;
///
/// # async fn example() -> Result<(), zlayer_agent::AgentError> {
/// // Create a registry client
/// let cache = BlobCache::open("/tmp/blobs.redb").unwrap();
/// let registry = Arc::new(ImagePuller::new(cache));
///
/// // Detect and create runtime for a container image
/// let nginx_runtime = create_runtime_for_image(
///     "docker.io/library/nginx:latest",
///     Arc::clone(&registry),
/// ).await?;
///
/// // Detect and create runtime for a WASM image
/// #[cfg(feature = "wasm")]
/// {
///     let wasm_runtime = create_runtime_for_image(
///         "ghcr.io/example/wasm-module:v1.0",
///         registry,
///     ).await?;
/// }
/// # Ok(())
/// # }
/// ```
pub async fn create_runtime_for_image(
    image: &str,
    registry: Arc<ImagePuller>,
) -> Result<Arc<dyn Runtime + Send + Sync>> {
    // Use anonymous auth for manifest detection
    // In production, the caller should configure auth on the registry client
    let auth = zlayer_registry::RegistryAuth::Anonymous;

    tracing::info!(image = %image, "detecting artifact type for runtime selection");

    // Detect artifact type from manifest
    let (artifact_type, _manifest, _digest) = registry
        .detect_artifact_type(image, &auth)
        .await
        .map_err(|e| AgentError::PullFailed {
            image: image.to_string(),
            reason: format!("failed to detect artifact type: {e}"),
        })?;

    match artifact_type {
        zlayer_registry::ArtifactType::Wasm { wasi_version } => {
            tracing::info!(
                image = %image,
                wasi_version = %wasi_version,
                "detected WASM artifact"
            );

            #[cfg(feature = "wasm")]
            {
                // Create WASM runtime
                let runtime = WasmRuntime::new(WasmConfig::default(), None).await?;
                Ok(Arc::new(runtime))
            }

            #[cfg(not(feature = "wasm"))]
            {
                Err(AgentError::Configuration(format!(
                    "Image '{image}' is a WASM artifact (WASI {wasi_version}) but the 'wasm' feature is not enabled. \
                     Recompile zlayer-agent with --features wasm to run WASM workloads."
                )))
            }
        }
        zlayer_registry::ArtifactType::Container => {
            tracing::info!(image = %image, "detected container image");

            // Use standard auto-selection for container images
            crate::create_runtime(crate::RuntimeConfig::Auto, None).await
        }
    }
}

/// Detect the artifact type of an image without creating a runtime
///
/// This is useful for pre-flight checks or when you need to know the artifact
/// type before deciding how to handle an image.
///
/// # Arguments
///
/// * `image` - Image reference (e.g., "ghcr.io/myorg/mymodule:v1.0")
/// * `registry` - Registry client for pulling manifests
///
/// # Returns
///
/// Returns the detected [`ArtifactType`](zlayer_registry::ArtifactType).
///
/// # Errors
///
/// Returns [`AgentError::PullFailed`] if the manifest cannot be fetched.
pub async fn detect_image_artifact_type(
    image: &str,
    registry: Arc<ImagePuller>,
) -> Result<zlayer_registry::ArtifactType> {
    let auth = zlayer_registry::RegistryAuth::Anonymous;

    let (artifact_type, _manifest, _digest) = registry
        .detect_artifact_type(image, &auth)
        .await
        .map_err(|e| AgentError::PullFailed {
            image: image.to_string(),
            reason: format!("failed to detect artifact type: {e}"),
        })?;

    Ok(artifact_type)
}