[memory-bank] Documented docker-up, image-builder-bob, node-labeler

Tool: gitpod/catfood.gitpod.cloud

Author: geropl

memory-bank/activeContext.md

@@ -43,6 +43,9 @@ Key areas of focus include:
   - spicedb: Provides authorization and permission management
   - scrubber: Removes or masks sensitive information from data
   - service-waiter: Waits for services to become available
+  - docker-up: Sets up and manages Docker within workspace containers
+  - image-builder-bob: Builds and pushes workspace images during workspace startup
+  - node-labeler: Manages node labels and annotations for workspace scheduling
 
 As work progresses, this section will continue to be updated to reflect:
 - Additional component documentation

memory-bank/components/docker-up.md

@@ -0,0 +1,159 @@
+# Docker-Up Component
+
+## Overview
+
+The Docker-Up component in Gitpod is responsible for setting up and managing Docker within workspace containers. It provides a way to run Docker in a rootless mode inside Gitpod workspaces, enabling users to build and run containers without requiring privileged access. The component handles the installation, configuration, and startup of Docker daemon and related tools, ensuring they work correctly within the constraints of a workspace environment.
+
+## Purpose
+
+The primary purposes of the Docker-Up component are:
+- Enable Docker functionality within Gitpod workspaces
+- Provide rootless Docker execution for security
+- Automatically install Docker and its dependencies when needed
+- Configure Docker daemon with appropriate settings for workspace environments
+- Handle network namespace and user namespace setup
+- Provide Docker Compose functionality
+- Ensure proper permissions for Docker socket access
+- Manage container runtime (runc) with appropriate configuration
+- Support custom Docker daemon arguments
+- Facilitate container port binding through capability management
+
+## Architecture
+
+The Docker-Up component consists of several key parts:
+
+1. **Docker-Up**: The main executable that sets up and starts the Docker daemon
+2. **Runc-Facade**: A wrapper around runc (the OCI container runtime) that handles rootless container execution
+3. **Dockerd**: Configuration and argument parsing for the Docker daemon
+4. **Embedded Binaries**: Docker, Docker Compose, and runc binaries embedded in the component
+
+The component is designed to run as a service within a Gitpod workspace, automatically starting when Docker functionality is requested and configuring the environment appropriately.
+
+## Key Features
+
+### Docker Daemon Management
+
+- Starts and configures the Docker daemon with appropriate settings
+- Sets up the Docker socket with proper permissions
+- Configures data storage location within the workspace
+- Handles MTU configuration based on the container network interface
+- Supports custom Docker daemon arguments through environment variables
+- Manages Docker daemon lifecycle
+
+### Automatic Installation
+
+- Detects missing prerequisites (Docker, Docker Compose, iptables, etc.)
+- Automatically installs required components when needed
+- Embeds Docker and Docker Compose binaries for reliable installation
+- Ensures correct versions of dependencies are installed
+- Handles different Linux distribution package managers
+
+### Rootless Container Execution
+
+- Configures Docker to run in rootless mode for security
+- Uses runc-facade to handle rootless container execution
+- Manages user namespace mappings
+- Configures capabilities for container processes
+- Handles OOM score adjustment for container stability
+
+### Network Configuration
+
+- Configures Docker network with appropriate MTU settings
+- Handles network namespace setup
+- Enables binding to privileged ports (below 1024) without root
+- Configures iptables for container networking
+
+## Configuration
+
+The Docker-Up component can be configured through command-line flags and environment variables:
+
+### Command-line Flags
+- `--verbose`, `-v`: Enables verbose logging
+- `--runc-facade`: Enables the runc-facade to handle rootless idiosyncrasies
+- `--bin-dir`: Directory where runc-facade is found
+- `--auto-install`: Auto-install prerequisites (Docker)
+- `--user-accessible-socket`: Make the Docker socket user accessible
+- `--dont-wrap-netns`: Control network namespace wrapping
+- `--auto-login`: Use content of GITPOD_IMAGE_AUTH to automatically login with the Docker daemon
+
+### Environment Variables
+- `DOCKERD_ARGS`: JSON-formatted custom arguments for the Docker daemon
+- `LISTEN_FDS`: Used for socket activation
+- `WORKSPACEKIT_WRAP_NETNS`: Controls network namespace wrapping
+- `GITPOD_IMAGE_AUTH`: Docker registry authentication information
+
+## Integration Points
+
+The Docker-Up component integrates with:
+1. **Workspace Container**: Runs within the workspace container
+2. **Supervisor**: Started by the supervisor when Docker functionality is requested
+3. **Workspacekit**: Interacts with workspacekit for namespace management
+4. **Container Registry**: For pulling and pushing container images
+5. **User Code**: Provides Docker CLI and API for user code
+
+## Usage Patterns
+
+### Starting Docker Daemon
+```bash
+docker-up
+```
+
+### Using Custom Docker Daemon Arguments
+```bash
+DOCKERD_ARGS='{"remap-user":"1000"}' docker-up
+```
+
+### Using Docker Compose
+```bash
+docker-compose up -d
+```
+
+## Dependencies
+
+### Internal Dependencies
+- `components/common-go`: Common Go utilities
+
+### External Dependencies
+- Docker daemon
+- Docker CLI
+- Docker Compose
+- runc (OCI container runtime)
+- iptables
+- uidmap (for user namespace mapping)
+
+## Security Considerations
+
+The component implements several security measures:
+
+1. **Rootless Execution**: Runs Docker without root privileges
+2. **User Namespace Mapping**: Isolates container user IDs from host
+3. **Capability Management**: Provides minimal required capabilities
+4. **Socket Permissions**: Controls access to the Docker socket
+5. **OOM Score Adjustment**: Prevents container processes from being killed under memory pressure
+6. **Network Isolation**: Configures network namespaces for isolation
+
+## Implementation Details
+
+### Runc-Facade
+
+The runc-facade is a wrapper around the standard runc container runtime that:
+- Modifies container configurations for rootless execution
+- Adds the CAP_NET_BIND_SERVICE capability to allow binding to privileged ports
+- Sets OOM score adjustment to prevent container processes from being killed
+- Removes problematic sysctl settings that don't work in rootless mode
+- Implements retry logic for container creation to handle timing issues
+
+### Docker Daemon Arguments
+
+The component supports custom Docker daemon arguments through the `DOCKERD_ARGS` environment variable, which accepts a JSON object with configuration options:
+- `remap-user`: Configure user namespace remapping
+- `proxies`: HTTP/HTTPS proxy settings
+- `http-proxy`: HTTP proxy configuration
+- `https-proxy`: HTTPS proxy configuration
+
+## Related Components
+
+- **Supervisor**: Manages the lifecycle of Docker-Up
+- **Workspacekit**: Provides namespace management
+- **Registry-Facade**: Interacts with Docker for image management
+- **Image-Builder**: Uses Docker for building workspace images

memory-bank/components/image-builder-bob.md

@@ -0,0 +1,153 @@
+# Image-Builder-Bob Component
+
+## Overview
+
+The Image-Builder-Bob component in Gitpod is a CLI tool responsible for building and pushing workspace images during workspace startup. It operates within a headless workspace created by the image-builder-mk3 component and handles the building of custom Docker images based on user-defined Dockerfiles in `.gitpod.yml`. The component consists of two main parts: a build process that creates the images and a proxy that handles authentication for pushing the images to registries.
+
+## Purpose
+
+The primary purposes of the Image-Builder-Bob component are:
+- Build custom workspace images from user-defined Dockerfiles
+- Create base layers for workspace images
+- Push built images to container registries
+- Handle authentication for private container registries
+- Provide a secure way to build images without exposing registry credentials
+- Support the workspace prebuild process
+- Enable customization of development environments
+- Optimize image building with caching
+- Facilitate the use of custom Docker configurations in workspaces
+
+## Architecture
+
+The Image-Builder-Bob component consists of several key parts:
+
+1. **Bob Build**: A command that builds the base layer and workspace image
+2. **Bob Proxy**: A proxy that authenticates image pushes to registries
+3. **Builder Package**: Core functionality for building images
+4. **Proxy Package**: Handles registry authentication and proxying
+5. **Runc-Facade**: A wrapper for the runc container runtime
+
+The component operates in a headless workspace where:
+- `bob proxy` runs in ring1 (started by workspacekit) and receives credentials for pushing images
+- `bob build` runs as a workspace task and builds the images, pushing them to `bob proxy`
+
+## Key Features
+
+### Image Building
+
+- **Base Layer Building**: Creates a base image from a custom Dockerfile specified in `.gitpod.yml`
+- **Workspace Image Building**: Uses the base layer to create a workspace image
+- **Caching**: Reuses previously built base images when available
+- **Buildkit Integration**: Uses Buildkit for efficient image building
+- **Context Management**: Handles the build context for Docker images
+- **Error Handling**: Provides detailed error messages for build failures
+- **Logging**: Writes build logs to `/workspace/.gitpod/bob.log`
+
+### Registry Authentication
+
+- **Secure Credential Handling**: Manages registry credentials securely
+- **Authentication Proxy**: Proxies and authenticates image pushes
+- **Encryption**: Supports encrypted authentication tokens
+- **Multiple Registry Support**: Can authenticate with different registries
+- **Cloud Provider Integration**: Supports authentication with cloud provider registries (AWS ECR, etc.)
+
+## Configuration
+
+The Image-Builder-Bob component is configured through environment variables:
+
+### Build Configuration
+- `BOB_TARGET_REF`: Reference for the target image
+- `BOB_BASE_REF`: Reference for the base image
+- `BOB_BUILD_BASE`: Whether to build the base image
+- `BOB_DOCKERFILE_PATH`: Path to the Dockerfile
+- `BOB_CONTEXT_DIR`: Directory to use as build context
+- `BOB_EXTERNAL_BUILDKITD`: External Buildkit daemon to use
+- `BOB_LOCAL_CACHE_IMPORT`: Local cache import configuration
+- `THEIA_WORKSPACE_ROOT`: Workspace root directory
+
+### Authentication Configuration
+- `BOB_BASELAYER_AUTH`: Authentication for the base layer registry
+- `BOB_WSLAYER_AUTH`: Authentication for the workspace layer registry
+- `BOB_AUTH_KEY`: Key for decrypting authentication tokens
+
+### Proxy Configuration
+- `WORKSPACEKIT_BOBPROXY_BASEREF`: Base image reference for the proxy
+- `WORKSPACEKIT_BOBPROXY_TARGETREF`: Target image reference for the proxy
+- `WORKSPACEKIT_BOBPROXY_AUTH`: Authentication for the proxy
+- `WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH`: Additional authentication for the proxy
+
+## Usage Patterns
+
+### Building an Image
+```bash
+BOB_BASE_REF=localhost:5000/source:latest BOB_TARGET_REF=localhost:5000/target:83 bob build
+```
+
+### Running the Proxy
+```bash
+bob proxy --base-ref=localhost:5000/source:latest --target-ref=localhost:5000/target:83 --auth='{"username":"user","password":"pass"}'
+```
+
+### Typical Workflow
+1. `image-builder-mk3` creates a headless workspace
+2. `bob proxy` starts in ring1 with registry credentials
+3. `bob build` runs as a workspace task
+4. Base layer is built if needed (custom Dockerfile)
+5. Workspace image is built using the base layer
+6. Images are pushed through `bob proxy` to the registry
+7. Workspace starts using the built image
+
+## Integration Points
+
+The Image-Builder-Bob component integrates with:
+1. **Image-Builder-MK3**: Creates the headless workspace where Bob runs
+2. **Workspacekit**: Starts `bob proxy` in ring1
+3. **Registry-Facade**: The built images are later modified by registry-facade
+4. **Container Registries**: For pushing and pulling images
+5. **Buildkit**: For efficient image building
+
+## Dependencies
+
+### Internal Dependencies
+- `components/common-go`: Common Go utilities
+
+### External Dependencies
+- Buildkit: For building container images
+- Docker Registry: For storing built images
+- Containerd: For container operations
+- OCI Tools: For working with OCI images
+
+## Security Considerations
+
+The component implements several security measures:
+
+1. **Credential Isolation**: Registry credentials are only available to `bob proxy`, not to user code
+2. **Encryption**: Authentication tokens can be encrypted
+3. **Proxy Authentication**: All image pushes are authenticated through the proxy
+4. **Rootless Building**: Images are built without requiring root privileges
+5. **Isolated Workspaces**: Building happens in isolated headless workspaces
+
+## Implementation Details
+
+### Build Process
+
+The build process consists of two main steps:
+1. **Base Layer Building**: If a custom Dockerfile is specified, a base image is built
+2. **Workspace Image Building**: Using crane to copy the image from the base layer
+
+The base layer can be either a previously built custom Dockerfile or a public image. The built images do not include components like `supervisor` or the IDE, as these layers are added by `registry-facade` during image pull.
+
+### Proxy Implementation
+
+The proxy acts as an intermediary between `bob build` and the actual container registry:
+1. Receives image pushes from `bob build` on localhost
+2. Authenticates with the target registry using provided credentials
+3. Forwards the image to the target registry
+4. Handles authentication for both base and target images
+
+## Related Components
+
+- **Image-Builder-MK3**: Orchestrates the image building process
+- **Registry-Facade**: Adds additional layers to the built images
+- **Supervisor**: Manages the workspace environment
+- **Workspacekit**: Starts `bob proxy` in ring1