mirror of
https://github.com/apple/container.git
synced 2026-07-15 14:07:04 +00:00
16f2630126
We're working on making a pure swift container image build system that leverages containerization. This PR represents our initial design and initial work towards this goal. The native builder is still in active development and most of the implementation has not been started or completed. We will be opening a series of issues that represent various (but not necessarily all) pieces of work that need to be done here. There are docs included in this PR that describe the overall design of each component and outline some of our goals. The easiest way to view the docs by themselves (since this is a massive PR) is to look at the docs commit in the `Commits` tab. We'd love any feedback! @wlan0 --------- Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
174 lines
4.5 KiB
Swift
174 lines
4.5 KiB
Swift
//===----------------------------------------------------------------------===//
|
|
// Copyright © 2025 Apple Inc. and the container project authors. All rights reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
import ContainerizationOCI
|
|
import Foundation
|
|
|
|
/// Represents base image operations (FROM in Dockerfile).
|
|
///
|
|
/// Design rationale:
|
|
/// - Handles both image pulls and scratch images
|
|
/// - Platform-aware for multi-arch support
|
|
/// - Supports image verification and policy
|
|
public struct ImageOperation: Operation, Hashable, Equatable {
|
|
public static let operationKind = OperationKind.image
|
|
public var operationKind: OperationKind { Self.operationKind }
|
|
|
|
/// Image source
|
|
public let source: ImageSource
|
|
|
|
/// Target platform
|
|
public let platform: Platform?
|
|
|
|
/// Pull policy
|
|
public let pullPolicy: PullPolicy
|
|
|
|
/// Image verification
|
|
public let verification: ImageVerification?
|
|
|
|
/// Operation metadata
|
|
public let metadata: OperationMetadata
|
|
|
|
public init(
|
|
source: ImageSource,
|
|
platform: Platform? = nil,
|
|
pullPolicy: PullPolicy = .ifNotPresent,
|
|
verification: ImageVerification? = nil,
|
|
metadata: OperationMetadata = OperationMetadata()
|
|
) {
|
|
self.source = source
|
|
self.platform = platform
|
|
self.pullPolicy = pullPolicy
|
|
self.verification = verification
|
|
self.metadata = metadata
|
|
}
|
|
|
|
public func accept<V: OperationVisitor>(_ visitor: V) throws -> V.Result {
|
|
try visitor.visit(self)
|
|
}
|
|
}
|
|
|
|
// MARK: - Image Source
|
|
|
|
/// Source of base image.
|
|
///
|
|
/// Design rationale:
|
|
/// - Supports registry images and scratch
|
|
/// - Extensible for future image sources
|
|
/// - Clear semantics for each source type
|
|
public enum ImageSource: Hashable, Sendable {
|
|
/// Image from registry
|
|
case registry(ImageReference)
|
|
|
|
/// Empty image (FROM scratch)
|
|
case scratch
|
|
|
|
/// Local OCI layout
|
|
case ociLayout(path: String, tag: String?)
|
|
|
|
/// Tarball
|
|
case tarball(path: String)
|
|
}
|
|
|
|
// MARK: - Pull Policy
|
|
|
|
/// Policy for pulling images.
|
|
///
|
|
/// Design rationale:
|
|
/// - Matches Kubernetes/Docker semantics
|
|
/// - Allows optimization vs freshness tradeoffs
|
|
public enum PullPolicy: String, Hashable, Sendable {
|
|
/// Always pull
|
|
case always
|
|
|
|
/// Pull if not present locally
|
|
case ifNotPresent
|
|
|
|
/// Never pull (must exist locally)
|
|
case never
|
|
}
|
|
|
|
// MARK: - Image Verification
|
|
|
|
/// Image verification requirements.
|
|
///
|
|
/// Design rationale:
|
|
/// - Supports multiple verification methods
|
|
/// - Extensible for new verification types
|
|
/// - Policy-based for enterprise requirements
|
|
public struct ImageVerification: Hashable, Sendable {
|
|
/// Verification method
|
|
public let method: VerificationMethod
|
|
|
|
/// Required signatures
|
|
public let requiredSignatures: Int
|
|
|
|
/// Trusted keys/identities
|
|
public let trustedKeys: Set<TrustedKey>
|
|
|
|
public init(
|
|
method: VerificationMethod,
|
|
requiredSignatures: Int = 1,
|
|
trustedKeys: Set<TrustedKey> = []
|
|
) {
|
|
self.method = method
|
|
self.requiredSignatures = requiredSignatures
|
|
self.trustedKeys = trustedKeys
|
|
}
|
|
}
|
|
|
|
/// Verification method.
|
|
public enum VerificationMethod: String, Hashable, Sendable {
|
|
/// No verification
|
|
case none
|
|
|
|
/// Verify digest only
|
|
case digest
|
|
|
|
/// Cosign signatures
|
|
case cosign
|
|
|
|
/// Notary v2
|
|
case notary
|
|
|
|
/// In-toto attestations
|
|
case intoto
|
|
}
|
|
|
|
/// Trusted key for verification.
|
|
public enum TrustedKey: Hashable, Sendable {
|
|
/// Public key
|
|
case publicKey(Data)
|
|
|
|
/// Key ID (for key servers)
|
|
case keyID(String)
|
|
|
|
/// Certificate
|
|
case certificate(Data)
|
|
|
|
/// OIDC identity
|
|
case oidcIdentity(issuer: String, subject: String)
|
|
}
|
|
|
|
// MARK: - Codable
|
|
|
|
extension ImageOperation: Codable {}
|
|
extension ImageSource: Codable {}
|
|
extension PullPolicy: Codable {}
|
|
extension ImageVerification: Codable {}
|
|
extension VerificationMethod: Codable {}
|
|
extension TrustedKey: Codable {}
|