Slipstream/auto_review
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases 27 Packages Activity Actions

fix(gateway): support rootless packaged serve #234

Merged
jwilger merged 8 commits from fix/rootless-oci-gateway-serve into main 2026-05-17 12:17:47 -07:00
Conversation 2 Commits 8 Files changed 4 +659 -60
jwilger commented 2026-05-17 12:09:54 -07:00
Owner
Copy link

Summary

Fixes the rootless packaged gateway path used by just serve by making the embedded OCI bundle compatible with rootless youki and repeated local launches.

  • declare and stage rootless user namespace mappings for the current outer user
  • pass only the minimal non-secret rootless runtime env allowlist to youki
  • generate unique observable OCI container IDs to avoid stale state collisions
  • align the embedded OCI config with rootless container UID/GID 0 mapped to host 65532
  • provide /dev/null for masked path setup
  • keep the rootfs writable for rootless masked-path preparation while staging an ephemeral copied rootfs, preserving packaged directory modes after copy
  • ensure staged secret-bearing bundles clean up even with restrictive copied directories
  • update threat-model T1a for the staged ephemeral rootfs and runtime env allowlist

Filed follow-up tooling issue for the RGR guard recovery gap encountered during this work: #233.

Verification

  • rtk just fmt
  • rtk cargo clippy -p ar-gateway --lib -- -D warnings
  • rtk cargo test -p ar-gateway staged_oci_bundle_materializes_config_and_runtime_command_points_at_stage --lib
  • rtk cargo test -p ar-gateway packaged_oci_runtime_with_staged_bundle_removes_secret_config_after_restrictive_rootfs_success --lib
  • nix build --no-link .#checks.x86_64-linux.ar-gateway-embedded-oci-config-contract
  • nix build --no-link .#ar-cli
  • packaged smoke: timeout 20s just serve launched the gateway through the embedded OCI boundary, listened on 0.0.0.0:8090, then shut down on timeout SIGTERM as expected
## Summary Fixes the rootless packaged gateway path used by `just serve` by making the embedded OCI bundle compatible with rootless `youki` and repeated local launches. - declare and stage rootless user namespace mappings for the current outer user - pass only the minimal non-secret rootless runtime env allowlist to `youki` - generate unique observable OCI container IDs to avoid stale state collisions - align the embedded OCI config with rootless container UID/GID `0` mapped to host `65532` - provide `/dev/null` for masked path setup - keep the rootfs writable for rootless masked-path preparation while staging an ephemeral copied rootfs, preserving packaged directory modes after copy - ensure staged secret-bearing bundles clean up even with restrictive copied directories - update threat-model T1a for the staged ephemeral rootfs and runtime env allowlist Filed follow-up tooling issue for the RGR guard recovery gap encountered during this work: #233. ## Verification - `rtk just fmt` - `rtk cargo clippy -p ar-gateway --lib -- -D warnings` - `rtk cargo test -p ar-gateway staged_oci_bundle_materializes_config_and_runtime_command_points_at_stage --lib` - `rtk cargo test -p ar-gateway packaged_oci_runtime_with_staged_bundle_removes_secret_config_after_restrictive_rootfs_success --lib` - `nix build --no-link .#checks.x86_64-linux.ar-gateway-embedded-oci-config-contract` - `nix build --no-link .#ar-cli` - packaged smoke: `timeout 20s just serve` launched the gateway through the embedded OCI boundary, listened on `0.0.0.0:8090`, then shut down on timeout SIGTERM as expected
fix(gateway): stage writable OCI rootfs copy
All checks were successful
CI / Format check (pull_request) Successful in 5s
Details
CI / Clippy (pull_request) Successful in 42s
Details
CI / Dependency policy (pull_request) Successful in 12s
Details
CI / Test (pull_request) Successful in 54s
Details
CI / Build (pull_request) Successful in 31s
Details
CI / Request auto_review semantic review (pull_request) Successful in 1s
Details
CI / Build PR artifacts (no token) (pull_request) Successful in 1s
Details
CI / Publish PR artifact packages (pull_request) Successful in 1s
Details
auto_review auto_review: 1 warning
48791584f1
auto-review approved these changes 2026-05-17 12:11:47 -07:00
auto-review left a comment
Copy link

The PR introduces changes to support rootless packaged gateway paths, focusing on compatibility with rootless youki and ensuring unique container IDs. The changes appear well-structured and include necessary tests, but there are potential concerns with environment variable handling and unique ID generation.

Walkthrough

  • Environment Variables:

    • Added OCI_RUNTIME_ENV_ALLOWLIST to specify allowed environment variables for the runtime.
    • Ensure all necessary variables are included to avoid runtime issues.

  • Unique Container IDs:

    • Introduced unique_packaged_oci_container_id to generate unique IDs using system time and sequence numbers.
    • Consider potential issues with time synchronization and sequence number collisions.

  • Cross-Platform Considerations:

    • Functions like staged_oci_config_with_outer_rootless_mapping_ids and remove_staged_oci_bundle have Unix and non-Unix implementations. Ensure non-Unix implementations are robust.
The PR introduces changes to support rootless packaged gateway paths, focusing on compatibility with rootless `youki` and ensuring unique container IDs. The changes appear well-structured and include necessary tests, but there are potential concerns with environment variable handling and unique ID generation. ## Walkthrough - **Environment Variables**: - Added `OCI_RUNTIME_ENV_ALLOWLIST` to specify allowed environment variables for the runtime. - Ensure all necessary variables are included to avoid runtime issues. - **Unique Container IDs**: - Introduced `unique_packaged_oci_container_id` to generate unique IDs using system time and sequence numbers. - Consider potential issues with time synchronization and sequence number collisions. - **Cross-Platform Considerations**: - Functions like `staged_oci_config_with_outer_rootless_mapping_ids` and `remove_staged_oci_bundle` have Unix and non-Unix implementations. Ensure non-Unix implementations are robust.
crates/ar-gateway/src/startup.rs
auto-review commented 2026-05-17 12:11:47 -07:00
Owner
Copy link

🟡 Warning: Ensure that the OCI_RUNTIME_ENV_ALLOWLIST includes all necessary environment variables for the rootless runtime environment. Missing variables could lead to unexpected behavior.

🟡 **Warning:** Ensure that the `OCI_RUNTIME_ENV_ALLOWLIST` includes all necessary environment variables for the rootless runtime environment. Missing variables could lead to unexpected behavior.
jwilger marked this conversation as resolved
Merge remote-tracking branch 'origin/main' into fix/rootless-oci-gateway-serve
All checks were successful
CI / Clippy (pull_request) Successful in 40s
Details
auto_review auto_review: 1 warning
CI / Format check (pull_request) Successful in 5s
Details
CI / Dependency policy (pull_request) Successful in 11s
Details
CI / Test (pull_request) Successful in 52s
Details
CI / Build (pull_request) Successful in 32s
Details
CI / Request auto_review semantic review (pull_request) Successful in 1s
Details
CI / Build PR artifacts (no token) (pull_request) Successful in 1s
Details
082a6a8690
auto-review approved these changes 2026-05-17 12:17:04 -07:00
auto-review left a comment
Copy link

This PR modifies the CI workflows by simplifying the artifact handling process and removing certain dependencies. The changes appear to streamline the release process, but ensure that all necessary steps are still covered.

Walkthrough

Δ since 4879158:

  • CI Workflow Changes:
    • The pr-packages job has been removed from the CI workflow, along with its steps for publishing PR artifacts.
    • The release-publish.yml workflow no longer installs jq and curl, which may affect steps that previously relied on these tools.
This PR modifies the CI workflows by simplifying the artifact handling process and removing certain dependencies. The changes appear to streamline the release process, but ensure that all necessary steps are still covered. ## Walkthrough ### Δ since 4879158: - **CI Workflow Changes**: - The `pr-packages` job has been removed from the CI workflow, along with its steps for publishing PR artifacts. - The `release-publish.yml` workflow no longer installs `jq` and `curl`, which may affect steps that previously relied on these tools.
.forgejo/workflows/release-publish.yml
auto-review commented 2026-05-17 12:17:04 -07:00
Owner
Copy link

🟡 Warning: The removal of jq and curl from the release-publish.yml workflow may affect any steps that rely on these tools. Verify that their absence does not impact the release process.

🟡 **Warning:** The removal of `jq` and `curl` from the `release-publish.yml` workflow may affect any steps that rely on these tools. Verify that their absence does not impact the release process.
jwilger marked this conversation as resolved
jwilger deleted branch fix/rootless-oci-gateway-serve 2026-05-17 12:17:47 -07:00
Sign in to join this conversation.
Reviewers
No reviewers
auto-review
Labels
Clear labels   
bug

   
discussion

   
enhancement
  
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
wontfix
This won't be fixed

No labels
bug
discussion
enhancement
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Slipstream/auto_review!234
No description provided.