inside_docker: allow to run Rustwide inside a Docker container

Author: pietroalbini

CHANGELOG.md

@@ -16,6 +16,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - New method `BuildBuilder::run` to run a build.
 - New method `Command::log_command` to disable logging the command name and
   args before executing it.
+- New method `WorkspaceBuilder::running_inside_docker` to adapt Rustwide itself
+  to run inside a Docker container.
 
 ### Changed
 

Cargo.toml

@@ -40,6 +40,8 @@ walkdir = "2.2"
 toml = "0.4.6"
 fs2 = "0.4.3"
 remove_dir_all = "0.5.2"
+base64 = "0.10.1"
+getrandom = "0.1.12"
 
 [dev-dependencies]
 env_logger = "0.6.1"

src/cmd/sandbox.rs

@@ -66,33 +66,51 @@ struct MountConfig {
 }
 
 impl MountConfig {
-    fn to_volume_arg(&self) -> String {
+    fn host_path(&self, workspace: &Workspace) -> Result<PathBuf, Error> {
+        if let Some(container) = workspace.current_container() {
+            // If we're inside a Docker container we'll need to remap the mount sources to point to
+            // the directories in the host system instead of the containers. To do that we try to
+            // see if the mount source is inside an existing mount point, and "rebase" the path.
+            let inside_container_path = crate::utils::normalize_path(&self.host_path);
+            for mount in container.mounts() {
+                let dest = crate::utils::normalize_path(Path::new(mount.destination()));
+                if let Ok(shared) = inside_container_path.strip_prefix(&dest) {
+                    return Ok(Path::new(mount.source()).join(shared));
+                }
+            }
+            failure::bail!("the workspace is not mounted from outside the container");
+        } else {
+            Ok(crate::utils::normalize_path(&self.host_path))
+        }
+    }
+
+    fn to_volume_arg(&self, workspace: &Workspace) -> Result<String, Error> {
         let perm = match self.perm {
             MountKind::ReadWrite => "rw",
             MountKind::ReadOnly => "ro",
             MountKind::__NonExaustive => panic!("do not create __NonExaustive variants manually"),
         };
-        format!(
+        Ok(format!(
             "{}:{}:{},Z",
-            absolute(&self.host_path).to_string_lossy(),
+            self.host_path(workspace)?.to_string_lossy(),
             self.sandbox_path.to_string_lossy(),
             perm
-        )
+        ))
     }
 
-    fn to_mount_arg(&self) -> String {
+    fn to_mount_arg(&self, workspace: &Workspace) -> Result<String, Error> {
         let mut opts_with_leading_comma = vec![];
 
         if self.perm == MountKind::ReadOnly {
             opts_with_leading_comma.push(",readonly");
         }
 
-        format!(
+        Ok(format!(
             "type=bind,src={},dst={}{}",
-            absolute(&self.host_path).to_string_lossy(),
+            self.host_path(workspace)?.to_string_lossy(),
             self.sandbox_path.to_string_lossy(),
             opts_with_leading_comma.join(""),
-        )
+        ))
     }
 }
 
@@ -175,10 +193,10 @@ impl SandboxBuilder {
             // Linux we need the Z flag, which doesn't work with `--mount`, for SELinux relabeling.
             if cfg!(windows) {
                 args.push("--mount".into());
-                args.push(mount.to_mount_arg())
+                args.push(mount.to_mount_arg(workspace)?)
             } else {
                 args.push("-v".into());
-                args.push(mount.to_volume_arg())
+                args.push(mount.to_volume_arg(workspace)?)
             }
         }
 
@@ -245,15 +263,6 @@ impl SandboxBuilder {
     }
 }
 
-fn absolute(path: &Path) -> PathBuf {
-    if path.is_absolute() {
-        path.to_owned()
-    } else {
-        let cd = std::env::current_dir().expect("unable to get current dir");
-        cd.join(path)
-    }
-}
-
 #[derive(Deserialize)]
 #[serde(rename_all = "PascalCase")]
 struct InspectContainer {

src/inside_docker.rs

@@ -0,0 +1,105 @@
+use crate::cmd::Command;
+use crate::workspace::Workspace;
+use failure::Error;
+use getrandom::getrandom;
+use log::info;
+
+static PROBE_FILENAME: &str = "rustwide-probe";
+
+pub(crate) struct CurrentContainer {
+    metadata: Metadata,
+}
+
+impl CurrentContainer {
+    pub(crate) fn detect(workspace: &Workspace) -> Result<Option<Self>, Error> {
+        if let Some(id) = probe_container_id(workspace)? {
+            info!("inspecting the current container");
+            let inspect = Command::new(workspace, "docker")
+                .args(&["inspect", &id])
+                .log_output(false)
+                .log_command(false)
+                .run_capture()?;
+            let content = inspect.stdout_lines().join("\n");
+            let mut metadata: Vec<Metadata> = serde_json::from_str(&content)?;
+            if metadata.len() != 1 {
+                failure::bail!("invalid output returned by `docker inspect`");
+            }
+            Ok(Some(CurrentContainer {
+                metadata: metadata.pop().unwrap(),
+            }))
+        } else {
+            Ok(None)
+        }
+    }
+
+    pub(crate) fn mounts(&self) -> &[Mount] {
+        &self.metadata.mounts
+    }
+}
+
+/// Apparently there is no cross platform way to easily get the current container ID from Docker
+/// itself. On Linux is possible to inspect the cgroups and parse the ID out of there, but of
+/// course cgroups are not available on Windows.
+///
+/// This function uses a simpler but slower method to get the ID: a file with a random string is
+/// created in the temp directory, the list of all the containers is fetched from Docker and then
+/// `cat` is executed inside each of them to check whether they have the same random string.
+pub(crate) fn probe_container_id(workspace: &Workspace) -> Result<Option<String>, Error> {
+    info!("detecting the ID of the container where rustwide is running");
+
+    // Create the probe on the current file system
+    let probe_path = std::env::temp_dir().join(PROBE_FILENAME);
+    let probe_path_str = probe_path.to_str().unwrap();
+    let mut probe_content = [0u8; 64];
+    getrandom(&mut probe_content)?;
+    let probe_content = base64::encode(&probe_content[..]);
+    std::fs::write(&probe_path, probe_content.as_bytes())?;
+
+    // Check if the probe exists on any of the currently running containers.
+    let out = Command::new(workspace, "docker")
+        .args(&["ps", "--format", "{{.ID}}", "--no-trunc"])
+        .log_output(false)
+        .log_command(false)
+        .run_capture()?;
+    for id in out.stdout_lines() {
+        info!("probing container id {}", id);
+
+        let res = Command::new(workspace, "docker")
+            .args(&["exec", &id, "cat", probe_path_str])
+            .log_output(false)
+            .log_command(false)
+            .run_capture();
+        if let Ok(&[ref probed]) = res.as_ref().map(|out| out.stdout_lines()) {
+            if *probed == probe_content {
+                info!("probe successful, this is container ID {}", id);
+                return Ok(Some(id.clone()));
+            }
+        }
+    }
+
+    info!("probe unsuccessful, this is not running inside a container");
+    Ok(None)
+}
+
+#[derive(serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+struct Metadata {
+    mounts: Vec<Mount>,
+}
+
+#[derive(serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub(crate) struct Mount {
+    source: String,
+    destination: String,
+}
+
+impl Mount {
+    pub(crate) fn source(&self) -> &str {
+        &self.source
+    }
+
+    pub(crate) fn destination(&self) -> &str {
+        &self.destination
+    }
+}

src/lib.rs

@@ -21,6 +21,7 @@ extern crate toml;
 mod build;
 pub mod cmd;
 mod crates;
+mod inside_docker;
 pub mod logging;
 mod native;
 mod prepare;

src/workspace.rs

@@ -1,5 +1,6 @@
 use crate::build::BuildDirectory;
 use crate::cmd::{Command, SandboxImage};
+use crate::inside_docker::CurrentContainer;
 use crate::Toolchain;
 use failure::{Error, ResultExt};
 use log::info;
@@ -25,6 +26,7 @@ pub struct WorkspaceBuilder {
     command_timeout: Option<Duration>,
     command_no_output_timeout: Option<Duration>,
     fetch_registry_index_during_builds: bool,
+    running_inside_docker: bool,
     fast_init: bool,
 }
 
@@ -41,6 +43,7 @@ impl WorkspaceBuilder {
             command_timeout: DEFAULT_COMMAND_TIMEOUT,
             command_no_output_timeout: DEFAULT_COMMAND_NO_OUTPUT_TIMEOUT,
             fetch_registry_index_during_builds: false,
+            running_inside_docker: false,
             fast_init: false,
         }
     }
@@ -103,6 +106,25 @@ impl WorkspaceBuilder {
         self
     }
 
+    /// Enable or disable support for running Rustwide itself inside Docker (disabled by default).
+    ///
+    /// When support is enabled Rustwide will try to detect whether it's actually running inside a
+    /// Docker container during initialization, and in that case it will adapt itself. This is
+    /// needed because starting a sibling container from another one requires mount sources to be
+    /// remapped to the real directory on the host.
+    ///
+    /// Other than enabling support for it, to run Rustwide inside Docker your container needs to
+    /// meet these requirements:
+    ///
+    /// * The Docker socker (`/var/run/docker.sock`) needs to be mounted inside the container.
+    /// * The workspace directory must be either mounted from the host system or in a child
+    ///   directory of a mount from the host system. Workspaces created inside the container are
+    ///   not supported.
+    pub fn running_inside_docker(mut self, inside: bool) -> Self {
+        self.running_inside_docker = inside;
+        self
+    }
+
     /// Initialize the workspace. This will create all the necessary local files and fetch the rest from the network. It's
     /// not unexpected for this method to take minutes to run on slower network connections.
     pub fn init(self) -> Result<Workspace, Error> {
@@ -126,16 +148,23 @@ impl WorkspaceBuilder {
                 .default_headers(headers)
                 .build()?;
 
-            let ws = Workspace {
+            let mut ws = Workspace {
                 inner: Arc::new(WorkspaceInner {
                     http,
                     path: self.path,
                     sandbox_image,
                     command_timeout: self.command_timeout,
                     command_no_output_timeout: self.command_no_output_timeout,
                     fetch_registry_index_during_builds: self.fetch_registry_index_during_builds,
+                    current_container: None,
                 }),
             };
+
+            if self.running_inside_docker {
+                let container = CurrentContainer::detect(&ws)?;
+                Arc::get_mut(&mut ws.inner).unwrap().current_container = container;
+            }
+
             ws.init(self.fast_init)?;
             Ok(ws)
         })
@@ -149,6 +178,7 @@ struct WorkspaceInner {
     command_timeout: Option<Duration>,
     command_no_output_timeout: Option<Duration>,
     fetch_registry_index_during_builds: bool,
+    current_container: Option<CurrentContainer>,
 }
 
 /// Directory on the filesystem containing rustwide's state and caches.
@@ -238,6 +268,10 @@ impl Workspace {
         self.inner.fetch_registry_index_during_builds
     }
 
+    pub(crate) fn current_container(&self) -> Option<&CurrentContainer> {
+        self.inner.current_container.as_ref()
+    }
+
     fn init(&self, fast_init: bool) -> Result<(), Error> {
         info!("installing tools required by rustwide");
         crate::tools::install(self, fast_init)?;