feat: add support for running a subset of app components

Signed-off-by: Kate Goldenring <[email protected]>

Author: kate-goldenring

containerd-shim-spin/Cargo.toml

@@ -13,30 +13,32 @@ Containerd shim for running Spin workloads.
 [dependencies]
 containerd-shim-wasm = "0.6.0"
 containerd-shim = "0.7.1"
+http = "1"
 log = "0.4"
-spin-app = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-core = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-componentize = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
+spin-app = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-core = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-componentize = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
 # Enable loading components precompiled by the shim
-spin-trigger = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c", features = [
+spin-trigger = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c", features = [
     "unsafe-aot-compilation",
 ] }
-spin-trigger-http = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-trigger-redis = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
+spin-trigger-http = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-trigger-redis = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
 trigger-mqtt = { git = "https://github.com/spinkube/spin-trigger-mqtt", rev = "4c76e52dc5d3e7961c7b4d4933543c1adb2778cf" }
 trigger-sqs = { git = "https://github.com/fermyon/spin-trigger-sqs", rev = "71877907ebd822bb1aacf7a20065733b7cd188dc" }
 trigger-command = { git = "https://github.com/fermyon/spin-trigger-command", rev = "db55291552233e04189275a2dd82c07e5fa4fdf2" }
-spin-manifest = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-loader = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-oci = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-common = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-expressions = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-factors-executor = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-telemetry = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-runtime-factors = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
-spin-factors = { git = "https://github.com/fermyon/spin", rev = "485b04090644ecfda4d0034891a5feca9a90332c" }
+spin-manifest = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-loader = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-oci = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-common = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-expressions = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-factors-executor = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-telemetry = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-runtime-factors = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-factors = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
+spin-factor-outbound-networking = { git = "https://github.com/fermyon/spin", rev = "788dec12bec206b40ef6226a90e508691cf9312c" }
 wasmtime = "22.0"
-tokio = { version = "1.38", features = ["rt"] }
+tokio = { version = "1", features = ["rt"] }
 openssl = { version = "*", features = ["vendored"] }
 serde = "1.0"
 serde_json = "1.0"

containerd-shim-spin/src/constants.rs

@@ -18,3 +18,6 @@ pub(crate) const SPIN_MANIFEST_FILE_PATH: &str = "/spin.toml";
 pub(crate) const SPIN_APPLICATION_VARIABLE_PREFIX: &str = "SPIN_VARIABLE";
 /// Working directory for Spin applications
 pub(crate) const SPIN_TRIGGER_WORKING_DIR: &str = "/";
+/// Defines the subset of application components that should be executable by the shim
+/// If empty or DNE, all components will be supported
+pub(crate) const SPIN_COMPONENTS_TO_RETAIN_ENV: &str = "SPIN_COMPONENTS_TO_RETAIN";

containerd-shim-spin/src/engine.rs

@@ -4,7 +4,7 @@ use std::{
     hash::{Hash, Hasher},
 };
 
-use anyhow::{Context, Result};
+use anyhow::{bail, Context, Result};
 use containerd_shim_wasm::{
     container::{Engine, RuntimeContext, Stdio},
     sandbox::WasmLayer,
@@ -13,6 +13,7 @@ use containerd_shim_wasm::{
 use futures::future;
 use log::info;
 use spin_app::locked::LockedApp;
+use spin_factor_outbound_networking::{allowed_outbound_hosts, parse_service_chaining_target};
 use spin_trigger::cli::NoCliArgs;
 use spin_trigger_http::HttpTrigger;
 use spin_trigger_redis::RedisTrigger;
@@ -136,6 +137,12 @@ impl SpinEngine {
     async fn wasm_exec_async(&self, ctx: &impl RuntimeContext) -> Result<()> {
         let cache = initialize_cache().await?;
         let app_source = Source::from_ctx(ctx, &cache).await?;
+        let components_to_execute = env::var(constants::SPIN_COMPONENTS_TO_RETAIN_ENV)
+        .ok()
+        .map(|s| s.split(',').map(|s| s.to_string()).collect::<Vec<String>>());
+        if components_to_execute.is_some() {
+            log::info!("Components to execute: {:?}", components_to_execute);
+        }
         let locked_app = app_source.to_locked_app(&cache).await?;
         configure_application_variables_from_environment_variables(&locked_app)?;
         let trigger_cmds = get_supported_triggers(&locked_app)
@@ -218,6 +225,86 @@ impl SpinEngine {
     }
 }
 
+/// Scrubs the locked app to only contain the given list of components
+/// Introspects the LockedApp to find and selectively retain the triggers that correspond to those components
+fn retain_components(locked_app: &mut LockedApp, retained_components: &[String]) -> Result<()> {
+    // Create a temporary app to access parsed component and trigger information
+    let tmp_app = spin_app::App::new("tmp", locked_app.clone());
+    validate_retained_components_exist(&tmp_app, retained_components)?;
+    validate_retained_components_service_chaining(&tmp_app, retained_components)?;
+    let (component_ids, trigger_ids): (HashSet<String>, HashSet<String>) = tmp_app
+        .triggers()
+        .filter_map(|t| match t.component() {
+            Ok(comp) if retained_components.contains(&comp.id().to_string()) => {
+                Some((comp.id().to_owned(), t.id().to_owned()))
+            }
+            _ => None,
+        })
+        .collect();
+    locked_app
+        .components
+        .retain(|c| component_ids.contains(&c.id));
+    locked_app.triggers.retain(|t| trigger_ids.contains(&t.id));
+    Ok(())
+}
+
+/// Validates that all service chaining of an app will be satisfied by the
+/// retained components.
+///
+/// This does a best effort look up of components that are
+/// allowed to be accessed through service chaining and will error early if a
+/// component is configured to to chain to another component that is not
+/// retained. All wildcard service chaining is disallowed and all templated URLs
+/// are ignored.
+fn validate_retained_components_service_chaining(
+    app: &spin_app::App,
+    retained_components: &[String],
+) -> Result<()> {
+    app
+        .triggers().try_for_each(|t| {
+            let Ok(component) = t.component() else  { return Ok(()) };
+            if retained_components.contains(&component.id().to_string()) {
+            let allowed_hosts = allowed_outbound_hosts(&component).context("failed to get allowed hosts")?;
+            for host in allowed_hosts {
+                // Templated URLs are not yet resolved at this point, so ignore unresolvable URIs
+                if let Ok(uri) = host.parse::<http::Uri>() {
+                    if let Some(chaining_target) = parse_service_chaining_target(&uri) {
+                        if !retained_components.contains(&chaining_target) {
+                            if chaining_target == "*" {
+                                bail!("Component selected with '--component {}' cannot use wildcard service chaining: allowed_outbound_hosts = [\"http://*.spin.internal\"]", component.id());
+                            }
+                            bail!(
+                                "Component selected with '--component {}' cannot use service chaining to unselected component: allowed_outbound_hosts = [\"http://{}.spin.internal\"]",
+                                component.id(), chaining_target
+                            );
+                        }
+                    }
+                }
+            }
+        }
+        anyhow::Ok(())
+    })?;
+
+    Ok(())
+}
+
+/// Validates that all components specified to be retained actually exist in the app
+fn validate_retained_components_exist(
+    app: &spin_app::App,
+    retained_components: &[String],
+) -> Result<()> {
+    let app_components = app
+        .components()
+        .map(|c| c.id().to_string())
+        .collect::<HashSet<_>>();
+    for c in retained_components {
+        if !app_components.contains(c) {
+            bail!("Specified component \"{c}\" not found in application");
+        }
+    }
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use oci_spec::image::MediaType;