Support both vm and container oci images

Signed-off-by: Guvenc Gulce <[email protected]>

Author: guvenc

feos/services/image-service/src/filestore.rs

@@ -1,17 +1,22 @@
 // SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and IronCore contributors
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::{FileCommand, PulledImageData, IMAGE_DIR};
-use feos_proto::image_service::{ImageInfo, ImageState};
+use crate::{FileCommand, ImageInfo, PulledImageData, IMAGE_DIR};
+use feos_proto::image_service::ImageState;
 use flate2::read::GzDecoder;
 use log::{error, info, warn};
+use oci_distribution::manifest;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::io::Cursor;
 use std::path::Path;
 use tar::Archive;
 use tokio::{fs, sync::mpsc};
 
+const INITRAMFS_MEDIA_TYPE: &str = "application/vnd.ironcore.image.initramfs.v1alpha1.initramfs";
+const VMLINUZ_MEDIA_TYPE: &str = "application/vnd.ironcore.image.vmlinuz.v1alpha1.vmlinuz";
+const ROOTFS_MEDIA_TYPE: &str = "application/vnd.ironcore.image.rootfs.v1alpha1.rootfs";
+
 #[derive(Serialize, Deserialize)]
 struct ImageMetadata {
     image_ref: String,
@@ -86,27 +91,42 @@ impl FileStore {
     ) -> Result<(), std::io::Error> {
         fs::create_dir_all(final_dir).await?;
 
-        // Handle both single-blob rootfs (for VMs) and layered rootfs (for containers)
-        if image_data.layers.len() == 1 && image_ref.contains("cloud-hypervisor") {
-            // Assuming this is a single rootfs blob for a VM
-            let final_disk_path = final_dir.join("disk.image");
-            fs::write(final_disk_path, &image_data.layers[0]).await?;
-        } else {
-            // Unpack layers for a container
-            let rootfs_path = final_dir.join("rootfs");
-            fs::create_dir_all(&rootfs_path).await?;
-            for layer_data in image_data.layers {
-                let cursor = Cursor::new(layer_data);
-                let decoder = GzDecoder::new(cursor);
-                let mut archive = Archive::new(decoder);
-                archive.unpack(&rootfs_path)?;
+        for layer in image_data.layers {
+            match layer.media_type.as_str() {
+                manifest::IMAGE_LAYER_GZIP_MEDIA_TYPE
+                | manifest::IMAGE_DOCKER_LAYER_GZIP_MEDIA_TYPE => {
+                    let rootfs_path = final_dir.join("rootfs");
+                    if !rootfs_path.exists() {
+                        fs::create_dir_all(&rootfs_path).await?;
+                    }
+                    let cursor = Cursor::new(layer.data);
+                    let decoder = GzDecoder::new(cursor);
+                    let mut archive = Archive::new(decoder);
+                    tokio::task::block_in_place(move || archive.unpack(&rootfs_path))?;
+                }
+                ROOTFS_MEDIA_TYPE => {
+                    let path = final_dir.join("disk.image");
+                    fs::write(path, layer.data).await?;
+                }
+                INITRAMFS_MEDIA_TYPE => {
+                    let path = final_dir.join("initramfs");
+                    fs::write(path, layer.data).await?;
+                }
+                VMLINUZ_MEDIA_TYPE => {
+                    let path = final_dir.join("vmlinuz");
+                    fs::write(path, layer.data).await?;
+                }
+                _ => {
+                    warn!(
+                        "FileStore: Skipping layer with unsupported media type: {}",
+                        layer.media_type
+                    );
+                }
             }
         }
 
-        // Save OCI config.json
         fs::write(final_dir.join("config.json"), image_data.config).await?;
 
-        // Save internal metadata
         let metadata = ImageMetadata {
             image_ref: image_ref.to_string(),
         };

feos/services/image-service/src/lib.rs

@@ -46,10 +46,16 @@ pub enum Command {
     ),
 }
 
+#[derive(Debug)]
+pub struct PulledLayer {
+    pub media_type: String,
+    pub data: Vec<u8>,
+}
+
 #[derive(Debug)]
 pub struct PulledImageData {
     pub config: Vec<u8>,
-    pub layers: Vec<Vec<u8>>,
+    pub layers: Vec<PulledLayer>,
 }
 
 #[derive(Debug)]

feos/services/image-service/src/worker.rs

@@ -3,6 +3,7 @@
 
 use crate::{
     error::ImageServiceError, FileCommand, ImageStateEvent, OrchestratorCommand, PulledImageData,
+    PulledLayer,
 };
 use feos_proto::image_service::{
     DeleteImageResponse, ImageInfo, ImageState, ImageStatusResponse, ListImagesResponse,
@@ -238,12 +239,10 @@ async fn pull_oci_data(image_ref: &str) -> Result<PulledImageData, ImageServiceE
     let reference = Reference::try_from(image_ref.to_string())?;
 
     let accepted_media_types = [
-        // VM-specific types
         ROOTFS_MEDIA_TYPE,
         SQUASHFS_MEDIA_TYPE,
         INITRAMFS_MEDIA_TYPE,
         VMLINUZ_MEDIA_TYPE,
-        // Standard container layer types
         manifest::IMAGE_LAYER_GZIP_MEDIA_TYPE,
         manifest::IMAGE_DOCKER_LAYER_GZIP_MEDIA_TYPE,
     ];
@@ -286,7 +285,10 @@ async fn pull_oci_data(image_ref: &str) -> Result<PulledImageData, ImageServiceE
             .pull_blob(&reference, &layer, &mut layer_data)
             .await?;
         info!("ImagePuller: pulled layer blob {} bytes", layer_data.len());
-        layers.push(layer_data);
+        layers.push(PulledLayer {
+            media_type: layer.media_type.clone(),
+            data: layer_data,
+        });
     }
 
     if layers.is_empty() {

feos/services/task-service/src/lib.rs

@@ -13,18 +13,15 @@ pub use feos_proto::task_service::{
 
 pub const TASK_SERVICE_SOCKET: &str = "/tmp/feos/task_service.sock";
 
-/// Represents the state of a single container managed by the shim.
 #[derive(Debug)]
 pub struct Container {
     pub status: Status,
     pub pid: Option<i32>,
     pub bundle_path: String,
     pub exit_code: Option<i32>,
-    // Holds the responder for a pending `Wait` call.
     pub wait_responder: Option<oneshot::Sender<Result<WaitResponse, TaskError>>>,
 }
 
-/// Represents the lifecycle status of a container.
 #[derive(Debug, PartialEq, Clone, Copy)]
 pub enum Status {
     Creating,
@@ -33,7 +30,6 @@ pub enum Status {
     Stopped,
 }
 
-/// Defines the commands that can be sent from the API layer to the Dispatcher.
 #[derive(Debug)]
 pub enum Command {
     Create {
@@ -58,7 +54,6 @@ pub enum Command {
     },
 }
 
-/// Internal events sent from workers back to the dispatcher to trigger state changes.
 #[derive(Debug)]
 pub enum Event {
     ContainerCreated { id: String, pid: i32 },

feos/services/task-service/src/worker.rs

@@ -13,8 +13,6 @@ use tokio::sync::{mpsc, oneshot};
 
 const YOUKI_BIN: &str = "youki";
 
-/// Executes a short-lived youki command (like start, kill, delete) and waits for it to complete.
-/// This version is safe as these commands are guaranteed to be short-lived.
 async fn run_youki_command(args: &[&str]) -> Result<(), TaskError> {
     info!(
         "Worker: Executing short-lived command: {} {}",
@@ -45,8 +43,6 @@ async fn run_youki_command(args: &[&str]) -> Result<(), TaskError> {
     Ok(())
 }
 
-/// Creates a container using the spawn method to avoid hangs, waits for the launcher to exit,
-/// and then gets the true container PID from the pid-file.
 pub async fn handle_create(
     req: CreateRequest,
     event_tx: mpsc::Sender<Event>,
@@ -70,10 +66,8 @@ pub async fn handle_create(
         args.join(" ")
     );
 
-    // Use spawn() to avoid potential I/O deadlocks that hang the command.
     let child_result = Command::new(YOUKI_BIN)
         .args(args)
-        // Redirect stdio to null to ensure the youki process does not block on I/O.
         .stdout(Stdio::null())
         .stderr(Stdio::null())
         .spawn();
@@ -93,8 +87,6 @@ pub async fn handle_create(
         }
     };
 
-    // Now, wait for the short-lived `youki create` process to exit.
-    // This is non-blocking and safe because we are not tied to its I/O pipes.
     let status = match child.wait().await {
         Ok(status) => status,
         Err(e) => {
@@ -112,7 +104,6 @@ pub async fn handle_create(
     };
 
     if !status.success() {
-        // Since we redirected output, we can't show it here, but we can report the failure.
         let err = TaskError::YoukiCommand(format!(
             "youki create exited with non-zero status: {status}"
         ));
@@ -126,7 +117,6 @@ pub async fn handle_create(
         return;
     }
 
-    // Now that `youki create` has exited, read the PID of the real container process.
     let result: Result<i32, TaskError> = async {
         let pid_str = tokio::fs::read_to_string(&pid_file)
             .await
@@ -160,7 +150,6 @@ pub async fn handle_create(
     }
 }
 
-/// Starts a previously created container.
 pub async fn handle_start(
     req: StartRequest,
     pid: i32,
@@ -190,7 +179,6 @@ pub async fn handle_start(
     }
 }
 
-/// Sends a signal to the container's init process.
 pub async fn handle_kill(
     req: KillRequest,
     responder: oneshot::Sender<Result<KillResponse, TaskError>>,
@@ -200,7 +188,6 @@ pub async fn handle_kill(
     let _ = responder.send(result.map(|_| KillResponse {}));
 }
 
-/// Deletes the container's resources.
 pub async fn handle_delete(
     req: DeleteRequest,
     event_tx: mpsc::Sender<Event>,
@@ -218,7 +205,6 @@ pub async fn handle_delete(
     let _ = responder.send(Ok(DeleteResponse {}));
 }
 
-/// Waits in the background for a container process to exit and sends an event.
 pub async fn wait_for_process_exit(id: String, pid: i32, event_tx: mpsc::Sender<Event>) {
     info!("Worker: Background task started, waiting for PID {pid} ({id}) to exit");
     let pid_obj = Pid::from_raw(pid);

feos/services/vm-service/src/lib.rs

@@ -24,7 +24,7 @@ pub mod worker;
 pub const DEFAULT_VM_DB_URL: &str = "sqlite:/var/lib/feos/vms.db";
 pub const VM_API_SOCKET_DIR: &str = "/tmp/feos/vm_api_sockets";
 pub const VM_CH_BIN: &str = "cloud-hypervisor";
-pub const IMAGE_DIR: &str = "/tmp/feos/images";
+pub const IMAGE_DIR: &str = "/var/lib/feos/images";
 pub const VM_CONSOLE_DIR: &str = "/tmp/feos/consoles";
 
 #[derive(Debug, Clone)]

feos/src/lib.rs

@@ -46,12 +46,10 @@ pub async fn run_server(restarted_after_upgrade: bool) -> Result<()> {
         info!("Main: Skipping one-time initialization on restart after upgrade.");
     }
 
-    // This now only sets up the database for the VM service.
     let vm_db_url = setup_database().await?;
 
     let (restart_tx, mut restart_rx) = mpsc::channel::<RestartSignal>(1);
 
-    // Initialize each service. container_service will now set up its own database.
     let vm_service = initialize_vm_service(&vm_db_url).await?;
     let container_service = initialize_container_service().await?;
 

feos/tests/integration/image_tests.rs

@@ -94,7 +94,7 @@ async fn test_container_image_lifecycle() -> Result<()> {
     ensure_server().await;
     let mut image_client = get_image_service_client().await?;
 
-    let image_ref = "ghcr.io:5000/ironcore-dev/dpservice".to_string();
+    let image_ref = "ghcr.io:5000/appvia/hello-world/hello-world".to_string();
     info!("Pulling container image: {}", image_ref);
     let pull_req = PullImageRequest {
         image_ref: image_ref.clone(),