zlayer-agent 0.12.9

Container runtime agent using libcontainer/youki
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394

#![cfg(target_os = "windows")]
//! Windows-gated end-to-end tests for the HCS (Host Compute Service)
//! container runtime.
//!
//! These tests require a real Windows 10/11 or Windows Server host with
//! HCS available, outbound network access to `mcr.microsoft.com`, and the
//! ability to pull and run Windows nanoserver containers. They are
//! `#[ignore]` by default — run with:
//!
//! ```powershell
//! cargo test --package zlayer-agent --test windows_hcs_e2e -- --ignored --nocapture
//! ```
//!
//! # Why this file exists
//!
//! `HcsRuntime` is the Windows-native container runtime. It is feature
//! complete on paper but, without this file, has no automated end-to-end
//! coverage exercising the full
//! `pull_image → create_container → start_container → poll → exec → stop →
//! remove` lifecycle against a real Microsoft Container Registry image.
//! Test 1 pins the registry pull path; Test 2 is the high-value lifecycle
//! check; Test 3 proves that the synchronous exec path round-trips a
//! non-zero exit code through HCS.
#![allow(
    clippy::too_many_lines,
    clippy::used_underscore_binding,
    clippy::doc_markdown
)]

use std::path::PathBuf;
use std::sync::Arc;
use std::time::Duration;

use zlayer_agent::runtimes::hcs::{HcsConfig, HcsRuntime};
use zlayer_agent::{ContainerId, ContainerState, Runtime};
use zlayer_spec::{DeploymentSpec, ServiceSpec};

/// MCR nanoserver `ltsc2025` (Windows Server 2025, build 26100). Chosen so the
/// container build matches a Windows 11 24H2 host (26100) and process
/// isolation works without Hyper-V; small (~120 MB compressed) and
/// exits-on-empty-entrypoint friendly.
const TEST_IMAGE: &str = "mcr.microsoft.com/windows/nanoserver:ltsc2025";

/// Generate a unique short suffix so parallel CI shards do not collide on
/// the per-test storage root or HCS system id.
#[allow(clippy::cast_possible_truncation)]
fn unique_name(prefix: &str) -> String {
    let pid = std::process::id();
    let ts = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_millis() as u64
        % 1_000_000;
    format!("{prefix}-{pid}-{ts}")
}

/// Allocate a per-test storage root under the OS temp dir. We deliberately
/// avoid `tempfile::TempDir` so that a teardown failure leaves the directory
/// visible for post-mortem on CI — the explicit `remove_dir_all` calls in
/// each test perform the cleanup.
fn fresh_storage_root(tag: &str) -> PathBuf {
    std::env::temp_dir().join(format!("zlayer-hcs-e2e-{}", unique_name(tag)))
}

/// Build the test-local `HcsConfig`. `slice_cidr` is intentionally left at
/// `None`: the runtime warns and proceeds without overlay networking, which
/// is fine for these tests — none of them rely on container-to-container
/// or container-to-internet traffic.
fn test_config(tag: &str) -> (HcsConfig, PathBuf) {
    let storage_root = fresh_storage_root(tag);
    let cfg = HcsConfig {
        storage_root: storage_root.clone(),
        default_scratch_size_gb: 20,
        ..HcsConfig::default()
    };
    (cfg, storage_root)
}

/// Parse a single-service `DeploymentSpec` YAML and pop the named service
/// out. Mirrors the helper pattern used in `macos_sandbox_e2e.rs`.
fn spec_from_yaml(yaml: &str, service: &str) -> ServiceSpec {
    serde_yaml::from_str::<DeploymentSpec>(yaml)
        .expect("test YAML must parse into DeploymentSpec")
        .services
        .remove(service)
        .unwrap_or_else(|| panic!("test YAML is missing service {service:?}"))
}

/// Build a short-lived spec that exits with code 0 immediately.
fn echo_spec() -> ServiceSpec {
    let yaml = format!(
        r#"
version: v1
deployment: hcs-e2e
services:
  echo:
    rtype: service
    image:
      name: {TEST_IMAGE}
    command:
      entrypoint: ["cmd", "/c", "echo", "hello from hcs"]
    endpoints:
      - name: dummy
        protocol: tcp
        port: 8080
    scale:
      mode: fixed
      replicas: 1
"#
    );
    spec_from_yaml(&yaml, "echo")
}

/// Build a long-lived spec used for the exec round-trip test. `ping -n 60`
/// keeps the container alive ~60 seconds (one ping per second, default
/// interval), which is plenty for a single `cmd /c exit 7` exec round-trip
/// to complete. `timeout.exe` is not present in nanoserver's PATH, so we
/// use `ping` against loopback instead — the classic Windows sleep trick.
fn long_lived_spec() -> ServiceSpec {
    let yaml = format!(
        r#"
version: v1
deployment: hcs-e2e
services:
  longlived:
    rtype: service
    image:
      name: {TEST_IMAGE}
    command:
      entrypoint: ["cmd", "/c", "ping", "-n", "60", "127.0.0.1"]
    endpoints:
      - name: dummy
        protocol: tcp
        port: 8080
    scale:
      mode: fixed
      replicas: 1
"#
    );
    spec_from_yaml(&yaml, "longlived")
}

/// Poll `container_state` until it matches the expected variant or the
/// budget is exhausted. For `Exited` we match the variant (not the code)
/// because the caller asserts on the code separately. `Running` is matched
/// exactly. Returns the last observed state on success so callers can
/// inspect the exit code.
async fn wait_for_state(
    runtime: &dyn Runtime,
    id: &ContainerId,
    expected: ContainerState,
    budget: Duration,
) -> Result<ContainerState, String> {
    let start = std::time::Instant::now();
    let poll = Duration::from_millis(200);
    let mut last: Option<ContainerState> = None;

    while start.elapsed() < budget {
        match runtime.container_state(id).await {
            Ok(state) => {
                let matches = match (&state, &expected) {
                    (ContainerState::Exited { .. }, ContainerState::Exited { .. }) => true,
                    (a, b) => a == b,
                };
                if matches {
                    return Ok(state);
                }
                last = Some(state);
            }
            Err(e) => return Err(format!("container_state error: {e}")),
        }
        tokio::time::sleep(poll).await;
    }

    Err(format!(
        "timed out after {budget:?} waiting for {expected:?}; last observed = {last:?}"
    ))
}

/// Best-effort directory removal that swallows errors. Used in teardown
/// where we must not mask the original assertion failure.
fn rm_storage_root(root: &PathBuf) {
    let _ = std::fs::remove_dir_all(root);
}

/// Test 1: image pull pins the on-disk image cache against the public MCR
/// nanoserver layer chain. If this passes, the registry client, blob cache,
/// and HCS layer unpacker are all wired correctly on the host.
#[tokio::test(flavor = "multi_thread")]
#[ignore = "requires Windows host with HCS + outbound access to mcr.microsoft.com"]
async fn test_pull_nanoserver_image() {
    let outcome = tokio::time::timeout(Duration::from_secs(600), async {
        let (cfg, storage_root) = test_config("pull");
        let runtime = HcsRuntime::new(cfg)
            .await
            .expect("HcsRuntime::new must succeed on a Windows host with HCS available");

        let pull_result = runtime.pull_image(TEST_IMAGE).await;

        let assertion = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
            assert!(
                pull_result.is_ok(),
                "pull_image({TEST_IMAGE}) must succeed; got {pull_result:?}",
            );
        }));

        rm_storage_root(&storage_root);

        if let Err(p) = assertion {
            std::panic::resume_unwind(p);
        }
    })
    .await;

    outcome.expect("test_pull_nanoserver_image exceeded the 600s outer budget");
}

/// Test 2: high-value end-to-end lifecycle. Pull the image, create a
/// container with a short-lived entrypoint, start it, poll for exit, and
/// remove it. Asserts the captured exit code is 0 because `cmd /c echo`
/// exits cleanly once the line is printed.
#[tokio::test(flavor = "multi_thread")]
#[ignore = "requires Windows host with HCS + outbound access to mcr.microsoft.com"]
async fn test_run_short_lived_container_lifecycle() {
    let outcome = tokio::time::timeout(Duration::from_secs(600), async {
        let (cfg, storage_root) = test_config("life");
        let runtime: Arc<HcsRuntime> = Arc::new(
            HcsRuntime::new(cfg)
                .await
                .expect("HcsRuntime::new must succeed"),
        );

        runtime
            .pull_image(TEST_IMAGE)
            .await
            .expect("pull_image must succeed before create_container");

        let id = ContainerId::new(unique_name("life"), 1);
        let spec = echo_spec();

        let create_result = runtime.create_container(&id, &spec).await;

        let runtime_for_body = runtime.clone();
        let id_for_body = id.clone();
        let body = async move {
            create_result.expect("create_container must succeed");
            runtime_for_body
                .start_container(&id_for_body)
                .await
                .expect("start_container must succeed");

            let final_state = wait_for_state(
                runtime_for_body.as_ref(),
                &id_for_body,
                ContainerState::Exited { code: 0 },
                Duration::from_secs(60),
            )
            .await
            .expect("container must reach Exited within 60s");

            match final_state {
                ContainerState::Exited { code } => {
                    assert_eq!(code, 0, "echo entrypoint must exit with code 0");
                }
                other => panic!("expected Exited, got {other:?}"),
            }
        };

        let body_outcome = std::panic::AssertUnwindSafe(body)
            .catch_unwind_async()
            .await;

        let _ = runtime.remove_container(&id).await;
        rm_storage_root(&storage_root);

        if let Err(p) = body_outcome {
            std::panic::resume_unwind(p);
        }
    })
    .await;

    outcome.expect("test_run_short_lived_container_lifecycle exceeded the 600s outer budget");
}

/// Test 3: `exec` round-trips a non-zero exit code through HCS. Stdout and
/// stderr are unchecked because the HCS exec path currently returns empty
/// placeholders for both — see `crates/zlayer-agent/src/runtimes/hcs.rs:1311`.
/// The exit code, however, comes directly from `HcsGetProcessProperties` and
/// is the authoritative status signal for callers that use exec as a health
/// probe.
#[tokio::test(flavor = "multi_thread")]
#[ignore = "requires Windows host with HCS + outbound access to mcr.microsoft.com"]
async fn test_exec_into_running_container() {
    let outcome = tokio::time::timeout(Duration::from_secs(600), async {
        let (cfg, storage_root) = test_config("exec");
        let runtime: Arc<HcsRuntime> = Arc::new(
            HcsRuntime::new(cfg)
                .await
                .expect("HcsRuntime::new must succeed"),
        );

        runtime
            .pull_image(TEST_IMAGE)
            .await
            .expect("pull_image must succeed before create_container");

        let id = ContainerId::new(unique_name("exec"), 1);
        let spec = long_lived_spec();

        let create_result = runtime.create_container(&id, &spec).await;

        let runtime_for_body = runtime.clone();
        let id_for_body = id.clone();
        let body = async move {
            create_result.expect("create_container must succeed");
            runtime_for_body
                .start_container(&id_for_body)
                .await
                .expect("start_container must succeed");

            wait_for_state(
                runtime_for_body.as_ref(),
                &id_for_body,
                ContainerState::Running,
                Duration::from_secs(30),
            )
            .await
            .expect("container must reach Running within 30s");

            let cmd: Vec<String> = vec!["cmd".into(), "/c".into(), "exit".into(), "7".into()];
            let (exit_code, _stdout, _stderr) = runtime_for_body
                .exec(&id_for_body, &cmd)
                .await
                .expect("exec must succeed against a Running container");

            assert_eq!(
                exit_code, 7,
                "exec must round-trip the child's exit code through HCS",
            );
        };

        let body_outcome = std::panic::AssertUnwindSafe(body)
            .catch_unwind_async()
            .await;

        let _ = runtime.stop_container(&id, Duration::from_secs(5)).await;
        let _ = runtime.remove_container(&id).await;
        rm_storage_root(&storage_root);

        if let Err(p) = body_outcome {
            std::panic::resume_unwind(p);
        }
    })
    .await;

    outcome.expect("test_exec_into_running_container exceeded the 600s outer budget");
}

/// Local async-aware `catch_unwind` adapter. `std::panic::catch_unwind`
/// cannot be wrapped around an `async` block directly because the future
/// must be polled, not just called once. This helper polls the wrapped
/// future and catches any panic raised inside `poll`, converting it into
/// the same `Err` shape `catch_unwind` produces for sync code.
trait CatchUnwindAsyncExt: std::future::Future + Sized {
    async fn catch_unwind_async(
        self,
    ) -> Result<Self::Output, Box<dyn std::any::Any + Send + 'static>>;
}

impl<F> CatchUnwindAsyncExt for std::panic::AssertUnwindSafe<F>
where
    F: std::future::Future,
{
    async fn catch_unwind_async(
        self,
    ) -> Result<F::Output, Box<dyn std::any::Any + Send + 'static>> {
        use std::future::Future;
        use std::pin::Pin;
        use std::task::Poll;

        let mut inner = Box::pin(self.0);
        std::future::poll_fn(move |cx| {
            let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                Pin::new(&mut inner).as_mut().poll(cx)
            }));
            match result {
                Ok(Poll::Pending) => Poll::Pending,
                Ok(Poll::Ready(v)) => Poll::Ready(Ok(v)),
                Err(panic) => Poll::Ready(Err(panic)),
            }
        })
        .await
    }
}