first commit

vmg-dev · vmg-dev · commit 26dd1c74ba16 · 2026-02-11T16:23:06.000-05:00
diff --git a/01-oci2gondolin-spec.md b/01-oci2gondolin-spec.md
@@ -0,0 +1,75 @@
+# 01 — `oci2gondolin` Spec
+
+## Objective
+Convert an OCI image into a Gondolin-compatible boot artifact set that can be loaded via:
+
+- `VM.create({ sandbox: { rootDiskPath, ... } })` (rootfs-only output), or
+- `GONDOLIN_GUEST_DIR=<asset-dir>` / `sandbox.imagePath=<asset-dir>` (full bundle output)
+
+## Constraints
+- No changes to Gondolin runtime APIs required for MVP
+- Keep host-side extraction secure (no path traversal, no symlink escapes)
+- Ensure output keeps Gondolin guest contract required by `vm.exec`
+
+## Inputs
+Support at least these sources:
+
+1. `--image <ref>` (registry image reference)
+2. `--oci-layout <path>` (OCI layout directory)
+3. `--oci-tar <path>` (OCI archive)
+
+## Outputs
+### Mode A: `rootfs`
+Output files:
+- `rootfs.ext4`
+- `meta.json` (source digest, platform, entrypoint/cmd/env/workdir/user)
+
+### Mode B: `assets`
+Output directory:
+- `vmlinuz-virt`
+- `initramfs.cpio.lz4`
+- `rootfs.ext4`
+- `manifest.json`
+
+`assets` mode copies kernel/initramfs from a selected Gondolin base bundle, then injects converted rootfs.
+
+## CLI (proposed)
+```bash
+oci2gondolin --image ghcr.io/org/app:latest \
+  --platform linux/arm64 \
+  --out ./out/app-assets \
+  --mode assets
+
+oci2gondolin --oci-tar ./app.oci.tar \
+  --out ./out/app-rootfs \
+  --mode rootfs
+```
+
+## Functional pipeline
+1. Parse source + platform
+2. Resolve OCI manifest (single or index)
+3. Download/read blobs + verify digest
+4. Apply layers in order with whiteout handling
+5. Materialize merged rootfs tree
+6. Inject Gondolin runtime requirements
+7. Build `rootfs.ext4`
+8. Emit metadata + optional full assets bundle
+
+## Runtime compatibility contract
+For Gondolin SDK features to work, output rootfs must include:
+- `sandboxd` available and started by init
+- `sandboxfs` available if VFS mount behavior is expected
+- init flow compatible with Gondolin initramfs handoff (`switch_root /init`) unless full custom initramfs is supplied
+
+## MVP scope
+- Linux images only
+- `amd64` + `arm64`
+- gzip-compressed layers required
+- whiteouts supported
+- private registry auth via standard bearer token flow
+
+## Out of scope (initially)
+- Windows containers
+- non-Linux platforms
+- advanced runtime translation (`HEALTHCHECK`, `STOPSIGNAL`, cgroups tuning)
+- full parity with Docker runtime semantics
diff --git a/02-dockerfile2gondolin-wrapper.md b/02-dockerfile2gondolin-wrapper.md
@@ -0,0 +1,49 @@
+# 02 — `dockerfile2gondolin` Wrapper
+
+## Objective
+Provide a convenience CLI that takes a Dockerfile context and produces Gondolin output by delegating to:
+
+1. BuildKit (Dockerfile -> OCI)
+2. `oci2gondolin` (OCI -> Gondolin)
+
+## Why wrapper only
+Avoid reimplementing Dockerfile semantics. BuildKit already supports modern Dockerfile behavior and caching.
+
+## Supported backends (priority)
+1. `docker buildx build`
+2. standalone `buildctl`
+
+## CLI (proposed)
+```bash
+dockerfile2gondolin \
+  --file ./Dockerfile \
+  --context . \
+  --platform linux/arm64 \
+  --out ./out/app-assets \
+  --mode assets
+```
+
+Optional:
+- `--builder docker-buildx|buildctl`
+- `--target <stage>`
+- `--build-arg KEY=VALUE` (repeatable)
+- `--secret id=...,src=...` (pass-through)
+
+## Internal flow
+1. Validate builder availability
+2. Build Dockerfile into temp OCI tar/layout
+3. Invoke `oci2gondolin` with resulting OCI artifact
+4. Copy final output to requested destination
+5. Emit concise build summary
+
+## Error mapping
+Map common failures to clear messages:
+- builder missing
+- build step failed
+- OCI output missing/invalid
+- conversion failed
+
+## Deliverable quality bar
+- deterministic output for same Dockerfile + pinned base digests
+- clear logs separating build phase and conversion phase
+- no Gondolin code changes required
diff --git a/03-implementation-phases.md b/03-implementation-phases.md
@@ -0,0 +1,62 @@
+# 03 — Implementation Phases
+
+## Timeline (single engineer estimate)
+- MVP: **2–4 weeks**
+- Hardened v1: **6–10 weeks**
+
+## Phase breakdown
+
+## Phase 0 — Spike (2–3 days)
+- Validate rootfs-only loading path with current Gondolin (`rootDiskPath`)
+- Confirm minimum runtime files/processes needed for `vm.exec`
+- Capture one known-good manual conversion recipe
+
+**Exit criteria:** end-to-end manual demo from OCI image to running VM
+
+## Phase 1 — `oci2gondolin` scaffolding (2–3 days)
+- CLI parser + config model
+- source abstraction (`image ref`, `oci tar`, `oci layout`)
+- output modes (`rootfs`, `assets`)
+
+**Exit criteria:** CLI skeleton + dry-run mode
+
+## Phase 2 — OCI resolver/puller (4–6 days)
+- auth token flow
+- manifest/index selection by platform
+- blob download/read + digest verification
+- local blob cache by digest
+
+**Exit criteria:** pull and verify layers/config for public images
+
+## Phase 3 — Layer apply engine (4–7 days)
+- ordered extraction
+- whiteout/opaque directory handling
+- secure extraction checks
+
+**Exit criteria:** merged rootfs matches expected filesystem semantics
+
+## Phase 4 — Gondolin materialization (3–5 days)
+- inject runtime requirements
+- ext4 build step
+- emit `meta.json` and/or full assets bundle
+
+**Exit criteria:** converted image boots and supports `vm.exec`
+
+## Phase 5 — `dockerfile2gondolin` wrapper (3–5 days)
+- BuildKit integration (`buildx`, `buildctl`)
+- argument passthrough for target/build args/secrets
+- temporary OCI artifact handling
+
+**Exit criteria:** Dockerfile -> Gondolin in one command
+
+## Phase 6 — Hardening + docs (4–7 days)
+- integration tests with multiple fixtures
+- performance/caching tuning
+- user docs + troubleshooting
+
+**Exit criteria:** v1 candidate release
+
+## Suggested sequencing notes
+- Keep converter core independent from CLI wrappers
+- Keep all Dockerfile logic in wrapper layer
+- Ensure all artifacts are reproducible and cache-addressable by digest
diff --git a/04-testing-and-release.md b/04-testing-and-release.md
@@ -0,0 +1,39 @@
+# 04 — Testing and Release Plan
+
+## Test matrix
+
+## Unit tests
+- Image ref parsing
+- Manifest/index platform selection
+- Digest verification
+- Whiteout handling logic
+- Secure extraction path checks
+
+## Integration tests
+- Public image conversion (alpine, debian-slim, distroless-like)
+- Converted rootfs boots in Gondolin and can execute command
+- Entry point/env/workdir metadata captured correctly
+
+## Regression/security tests
+- Path traversal tar entries
+- Symlink overwrite attempts
+- Duplicate file/dir collisions across layers
+
+## Performance checks
+- Cold pull timing vs warm cache timing
+- Output rootfs size sanity checks
+- Repeated conversion correctness with cache hits
+
+## Release criteria
+- `oci2gondolin` stable CLI + docs
+- `dockerfile2gondolin` wrapper stable for at least one backend (`buildx`)
+- deterministic outputs for pinned digests
+- passing integration suite on macOS + Linux hosts
+
+## Versioning/release strategy
+- Start at `0.x`
+- publish CLI artifacts and npm package (if Node-based)
+- include compatibility table:
+  - supported Gondolin versions
+  - supported host OS
+  - supported target architectures
diff --git a/05-open-questions.md b/05-open-questions.md
@@ -0,0 +1,37 @@
+# 05 — Open Questions
+
+## 1) Runtime injection strategy
+How should `sandboxd`/`sandboxfs`/`sandboxssh` be injected?
+- copy from known Gondolin base assets
+- or package alongside converter and inject directly
+
+## 2) Init ownership
+Should converted images reuse Gondolin init scripts by default, or attempt to preserve container entrypoint semantics directly in init?
+
+## 3) `USER` behavior
+For non-root container users, should converter:
+- preserve user exactly if present
+- auto-create missing user
+- fallback to root with warning
+
+## 4) Full assets vs rootfs-only default
+Which mode should be default for better UX?
+- `assets` is easiest to run from CLI
+- `rootfs` is simpler if caller already controls kernel/initramfs
+
+## 5) Backend policy for Dockerfile wrapper
+Should initial wrapper support only `docker buildx`, or also standalone `buildctl` on day one?
+
+## 6) Distribution model
+Should this live as:
+- separate repo/tool (preferred for isolation)
+- subpackage within Gondolin monorepo
+
+## 7) Security posture
+Do we need mandatory signature/cosign verification in v1, or treat as optional policy hook?
+
+## 8) Metadata handoff
+How should entrypoint/cmd/env/workdir/user metadata be passed to callers?
+- JSON sidecar only
+- generated launcher script
+- direct VM helper API in separate SDK package
diff --git a/README.md b/README.md
@@ -0,0 +1,30 @@
+# Gondolin Image Tooling Plan
+
+## Goal
+Create external tooling that converts container artifacts into images Gondolin can boot **without modifying Gondolin core code**.
+
+## Recommendation
+Build in this order:
+
+1. **`oci2gondolin` first** (core converter)
+2. **`dockerfile2gondolin` second** (thin wrapper around BuildKit + `oci2gondolin`)
+
+This keeps complexity low and allows multiple input paths (registry, CI-produced OCI tar, local OCI layout).
+
+## Why OCI-first
+- Dockerfile support is effectively a full build system
+- OCI image/manifest/layers are a stable output contract
+- Reusable converter for any upstream build stack
+
+## Deliverables
+- `oci2gondolin` CLI
+- `dockerfile2gondolin` CLI (wrapper)
+- Test fixtures + conformance tests
+- Basic docs and examples
+
+## Directory contents
+- [`01-oci2gondolin-spec.md`](./01-oci2gondolin-spec.md)
+- [`02-dockerfile2gondolin-wrapper.md`](./02-dockerfile2gondolin-wrapper.md)
+- [`03-implementation-phases.md`](./03-implementation-phases.md)
+- [`04-testing-and-release.md`](./04-testing-and-release.md)
+- [`05-open-questions.md`](./05-open-questions.md)
