@opencode-cloud/core 1.0.7 → 1.0.10

package/src/docker/client.rs

@@ -4,12 +4,18 @@
 //! errors gracefully and provides clear error messages.
 
 use bollard::Docker;
+use std::time::Duration;
 
 use super::error::DockerError;
+use crate::host::{HostConfig, SshTunnel};
 
 /// Docker client wrapper with connection handling
 pub struct DockerClient {
     inner: Docker,
+    /// SSH tunnel for remote connections (kept alive for client lifetime)
+    _tunnel: Option<SshTunnel>,
+    /// Host name for remote connections (None = local)
+    host_name: Option<String>,
 }
 
 impl DockerClient {
@@ -21,7 +27,11 @@ impl DockerClient {
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?;
 
-        Ok(Self { inner: docker })
+        Ok(Self {
+            inner: docker,
+            _tunnel: None,
+            host_name: None,
+        })
     }
 
     /// Create client with custom timeout (in seconds)
@@ -31,9 +41,109 @@ impl DockerClient {
     pub fn with_timeout(timeout_secs: u64) -> Result<Self, DockerError> {
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?
-            .with_timeout(std::time::Duration::from_secs(timeout_secs));
+            .with_timeout(Duration::from_secs(timeout_secs));
 
-        Ok(Self { inner: docker })
+        Ok(Self {
+            inner: docker,
+            _tunnel: None,
+            host_name: None,
+        })
+    }
+
+    /// Create client connecting to remote Docker daemon via SSH tunnel
+    ///
+    /// Establishes an SSH tunnel to the remote host and connects Bollard
+    /// to the forwarded local port.
+    ///
+    /// # Arguments
+    /// * `host` - Remote host configuration
+    /// * `host_name` - Name of the host (for display purposes)
+    pub async fn connect_remote(host: &HostConfig, host_name: &str) -> Result<Self, DockerError> {
+        // Create SSH tunnel
+        let tunnel = SshTunnel::new(host, host_name)
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+
+        // Wait for tunnel to be ready with exponential backoff
+        tunnel
+            .wait_ready()
+            .await
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel not ready: {e}")))?;
+
+        // Connect Bollard to the tunnel's local port
+        let docker_url = tunnel.docker_url();
+        tracing::debug!("Connecting to remote Docker via {}", docker_url);
+
+        // Retry connection with backoff (tunnel may need a moment)
+        let max_attempts = 3;
+        let mut last_err = None;
+
+        for attempt in 0..max_attempts {
+            if attempt > 0 {
+                let delay = Duration::from_millis(100 * 2u64.pow(attempt));
+                tracing::debug!("Retry attempt {} after {:?}", attempt + 1, delay);
+                tokio::time::sleep(delay).await;
+            }
+
+            match Docker::connect_with_http(&docker_url, 120, bollard::API_DEFAULT_VERSION) {
+                Ok(docker) => {
+                    // Verify connection works
+                    match docker.ping().await {
+                        Ok(_) => {
+                            tracing::info!("Connected to Docker on {} via SSH tunnel", host_name);
+                            return Ok(Self {
+                                inner: docker,
+                                _tunnel: Some(tunnel),
+                                host_name: Some(host_name.to_string()),
+                            });
+                        }
+                        Err(e) => {
+                            tracing::debug!("Ping failed: {}", e);
+                            last_err = Some(e.to_string());
+                        }
+                    }
+                }
+                Err(e) => {
+                    tracing::debug!("Connection failed: {}", e);
+                    last_err = Some(e.to_string());
+                }
+            }
+        }
+
+        Err(DockerError::Connection(format!(
+            "Failed to connect to Docker on {}: {}",
+            host_name,
+            last_err.unwrap_or_else(|| "unknown error".to_string())
+        )))
+    }
+
+    /// Create remote client with custom timeout
+    pub async fn connect_remote_with_timeout(
+        host: &HostConfig,
+        host_name: &str,
+        timeout_secs: u64,
+    ) -> Result<Self, DockerError> {
+        let tunnel = SshTunnel::new(host, host_name)
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+
+        tunnel
+            .wait_ready()
+            .await
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel not ready: {e}")))?;
+
+        let docker_url = tunnel.docker_url();
+
+        let docker =
+            Docker::connect_with_http(&docker_url, timeout_secs, bollard::API_DEFAULT_VERSION)
+                .map_err(|e| DockerError::Connection(e.to_string()))?;
+
+        // Verify connection
+        docker.ping().await.map_err(DockerError::from)?;
+
+        Ok(Self {
+            inner: docker,
+            _tunnel: Some(tunnel),
+            host_name: Some(host_name.to_string()),
+        })
     }
 
     /// Verify connection to Docker daemon
@@ -57,6 +167,16 @@ impl DockerClient {
         Ok(version_str)
     }
 
+    /// Get the host name if this is a remote connection
+    pub fn host_name(&self) -> Option<&str> {
+        self.host_name.as_deref()
+    }
+
+    /// Check if this is a remote connection
+    pub fn is_remote(&self) -> bool {
+        self._tunnel.is_some()
+    }
+
     /// Access inner Bollard client for advanced operations
     pub fn inner(&self) -> &Docker {
         &self.inner
@@ -81,4 +201,13 @@ mod tests {
         let result = DockerClient::with_timeout(600);
         drop(result);
     }
+
+    #[test]
+    fn test_host_name_methods() {
+        // Local client has no host name
+        if let Ok(client) = DockerClient::new() {
+            assert!(client.host_name().is_none());
+            assert!(!client.is_remote());
+        }
+    }
 }

package/src/docker/container.rs

@@ -33,28 +33,36 @@ pub const OPENCODE_WEB_PORT: u16 = 3000;
 /// * `image` - Image to use (defaults to IMAGE_NAME_GHCR:IMAGE_TAG_DEFAULT)
 /// * `opencode_web_port` - Port to bind on host for opencode web UI (defaults to OPENCODE_WEB_PORT)
 /// * `env_vars` - Additional environment variables (optional)
+/// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
+/// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
+/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to true)
+#[allow(clippy::too_many_arguments)]
 pub async fn create_container(
     client: &DockerClient,
     name: Option<&str>,
     image: Option<&str>,
     opencode_web_port: Option<u16>,
     env_vars: Option<Vec<String>>,
+    bind_address: Option<&str>,
+    cockpit_port: Option<u16>,
+    cockpit_enabled: Option<bool>,
 ) -> Result<String, DockerError> {
     let container_name = name.unwrap_or(CONTAINER_NAME);
     let default_image = format!("{IMAGE_NAME_GHCR}:{IMAGE_TAG_DEFAULT}");
     let image_name = image.unwrap_or(&default_image);
     let port = opencode_web_port.unwrap_or(OPENCODE_WEB_PORT);
+    let cockpit_port_val = cockpit_port.unwrap_or(9090);
+    let cockpit_enabled_val = cockpit_enabled.unwrap_or(true);
 
     debug!(
-        "Creating container {} from image {} with port {}",
-        container_name, image_name, port
+        "Creating container {} from image {} with port {} and cockpit_port {} (enabled: {})",
+        container_name, image_name, port, cockpit_port_val, cockpit_enabled_val
     );
 
     // Check if container already exists
     if container_exists(client, container_name).await? {
         return Err(DockerError::Container(format!(
-            "Container '{}' already exists. Remove it first with 'occ stop --remove' or use a different name.",
-            container_name
+            "Container '{container_name}' already exists. Remove it first with 'occ stop --remove' or use a different name."
         )));
     }
 
@@ -68,8 +76,7 @@ pub async fn create_container(
 
     if !super::image::image_exists(client, image_repo, image_tag).await? {
         return Err(DockerError::Container(format!(
-            "Image '{}' not found. Run 'occ pull' first to download the image.",
-            image_name
+            "Image '{image_name}' not found. Run 'occ pull' first to download the image."
         )));
     }
 
@@ -98,26 +105,85 @@ pub async fn create_container(
         },
     ];
 
-    // Create port bindings (localhost only for security)
+    // Create port bindings (default to localhost for security)
+    let bind_addr = bind_address.unwrap_or("127.0.0.1");
     let mut port_bindings: PortMap = HashMap::new();
+
+    // opencode web port
     port_bindings.insert(
         "3000/tcp".to_string(),
         Some(vec![PortBinding {
-            host_ip: Some("127.0.0.1".to_string()),
+            host_ip: Some(bind_addr.to_string()),
             host_port: Some(port.to_string()),
         }]),
     );
 
+    // Cockpit port (if enabled)
+    // Container always listens on 9090, map to host's configured port
+    if cockpit_enabled_val {
+        port_bindings.insert(
+            "9090/tcp".to_string(),
+            Some(vec![PortBinding {
+                host_ip: Some(bind_addr.to_string()),
+                host_port: Some(cockpit_port_val.to_string()),
+            }]),
+        );
+    }
+
     // Create exposed ports map
     let mut exposed_ports = HashMap::new();
     exposed_ports.insert("3000/tcp".to_string(), HashMap::new());
+    if cockpit_enabled_val {
+        exposed_ports.insert("9090/tcp".to_string(), HashMap::new());
+    }
 
     // Create host config
-    let host_config = HostConfig {
-        mounts: Some(mounts),
-        port_bindings: Some(port_bindings),
-        auto_remove: Some(false),
-        ..Default::default()
+    // When Cockpit is enabled, add systemd-specific settings (requires Linux host)
+    // When Cockpit is disabled, use simpler tini-based config (works everywhere)
+    let host_config = if cockpit_enabled_val {
+        HostConfig {
+            mounts: Some(mounts),
+            port_bindings: Some(port_bindings),
+            auto_remove: Some(false),
+            // CAP_SYS_ADMIN required for systemd cgroup access
+            cap_add: Some(vec!["SYS_ADMIN".to_string()]),
+            // tmpfs for /run, /run/lock, and /tmp (required for systemd)
+            tmpfs: Some(HashMap::from([
+                ("/run".to_string(), "exec".to_string()),
+                ("/run/lock".to_string(), String::new()),
+                ("/tmp".to_string(), String::new()),
+            ])),
+            // cgroup mount (read-write for systemd)
+            binds: Some(vec!["/sys/fs/cgroup:/sys/fs/cgroup:rw".to_string()]),
+            // Use HOST cgroup namespace for systemd compatibility across Linux distros:
+            // - cgroups v2 (Amazon Linux 2023, Fedora 31+, Ubuntu 21.10+, Debian 11+): required
+            // - cgroups v1 (CentOS 7, Ubuntu 18.04, Debian 10): works fine
+            // - Docker Desktop (macOS/Windows VM): works fine
+            // Note: PRIVATE mode is more isolated but causes systemd to exit(255) on cgroups v2.
+            // Since we already use privileged mode, HOST namespace is acceptable.
+            cgroupns_mode: Some(bollard::models::HostConfigCgroupnsModeEnum::HOST),
+            // Privileged mode required for systemd to manage cgroups and system services
+            privileged: Some(true),
+            ..Default::default()
+        }
+    } else {
+        // Simple config for tini mode (works on macOS and Linux)
+        HostConfig {
+            mounts: Some(mounts),
+            port_bindings: Some(port_bindings),
+            auto_remove: Some(false),
+            ..Default::default()
+        }
+    };
+
+    // Build environment variables
+    // Add USE_SYSTEMD=1 when Cockpit is enabled to tell entrypoint to use systemd
+    let final_env = if cockpit_enabled_val {
+        let mut env = env_vars.unwrap_or_default();
+        env.push("USE_SYSTEMD=1".to_string());
+        Some(env)
+    } else {
+        env_vars
     };
 
     // Create container config
@@ -126,7 +192,7 @@ pub async fn create_container(
         hostname: Some(CONTAINER_NAME.to_string()),
         working_dir: Some("/workspace".to_string()),
         exposed_ports: Some(exposed_ports),
-        env: env_vars,
+        env: final_env,
         host_config: Some(host_config),
         ..Default::default()
     };
@@ -145,11 +211,10 @@ pub async fn create_container(
             let msg = e.to_string();
             if msg.contains("port is already allocated") || msg.contains("address already in use") {
                 DockerError::Container(format!(
-                    "Port {} is already in use. Stop the service using that port or use a different port with --port.",
-                    port
+                    "Port {port} is already in use. Stop the service using that port or use a different port with --port."
                 ))
             } else {
-                DockerError::Container(format!("Failed to create container: {}", e))
+                DockerError::Container(format!("Failed to create container: {e}"))
             }
         })?;
 
@@ -165,9 +230,7 @@ pub async fn start_container(client: &DockerClient, name: &str) -> Result<(), Do
         .inner()
         .start_container(name, None::<StartContainerOptions<String>>)
         .await
-        .map_err(|e| {
-            DockerError::Container(format!("Failed to start container {}: {}", name, e))
-        })?;
+        .map_err(|e| DockerError::Container(format!("Failed to start container {name}: {e}")))?;
 
     debug!("Container {} started", name);
     Ok(())
@@ -198,9 +261,9 @@ pub async fn stop_container(
             // "container already stopped" is not an error
             if msg.contains("is not running") || msg.contains("304") {
                 debug!("Container {} was already stopped", name);
-                return DockerError::Container(format!("Container '{}' is not running", name));
+                return DockerError::Container(format!("Container '{name}' is not running"));
             }
-            DockerError::Container(format!("Failed to stop container {}: {}", name, e))
+            DockerError::Container(format!("Failed to stop container {name}: {e}"))
         })?;
 
     debug!("Container {} stopped", name);
@@ -230,9 +293,7 @@ pub async fn remove_container(
         .inner()
         .remove_container(name, Some(options))
         .await
-        .map_err(|e| {
-            DockerError::Container(format!("Failed to remove container {}: {}", name, e))
-        })?;
+        .map_err(|e| DockerError::Container(format!("Failed to remove container {name}: {e}")))?;
 
     debug!("Container {} removed", name);
     Ok(())
@@ -248,8 +309,7 @@ pub async fn container_exists(client: &DockerClient, name: &str) -> Result<bool,
             status_code: 404, ..
         }) => Ok(false),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }
@@ -267,8 +327,7 @@ pub async fn container_is_running(client: &DockerClient, name: &str) -> Result<b
             status_code: 404, ..
         }) => Ok(false),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }
@@ -289,12 +348,10 @@ pub async fn container_state(client: &DockerClient, name: &str) -> Result<String
         Err(bollard::errors::Error::DockerResponseServerError {
             status_code: 404, ..
         }) => Err(DockerError::Container(format!(
-            "Container '{}' not found",
-            name
+            "Container '{name}' not found"
         ))),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }

package/src/docker/exec.rs

@@ -0,0 +1,278 @@
+//! Container exec wrapper for running commands in containers
+//!
+//! This module provides functions to execute commands inside running Docker
+//! containers, with support for capturing output and providing stdin input.
+//! Used for user management operations like useradd, chpasswd, etc.
+
+use bollard::exec::{CreateExecOptions, StartExecOptions, StartExecResults};
+use futures_util::StreamExt;
+use tokio::io::AsyncWriteExt;
+
+use super::{DockerClient, DockerError};
+
+/// Execute a command in a running container and capture output
+///
+/// Creates an exec instance, runs the command, and collects stdout/stderr.
+/// Returns the combined output as a String.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+///
+/// # Example
+/// ```ignore
+/// let output = exec_command(&client, "opencode-cloud", vec!["whoami"]).await?;
+/// ```
+pub async fn exec_command(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+) -> Result<String, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    let mut output = String::new();
+
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached {
+            output: mut stream, ..
+        } => {
+            while let Some(result) = stream.next().await {
+                match result {
+                    Ok(log_output) => {
+                        output.push_str(&log_output.to_string());
+                    }
+                    Err(e) => {
+                        return Err(DockerError::Container(format!(
+                            "Error reading exec output: {e}"
+                        )));
+                    }
+                }
+            }
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    Ok(output)
+}
+
+/// Execute a command with stdin input and capture output
+///
+/// Creates an exec instance with stdin attached, writes the provided data to
+/// stdin, then collects stdout/stderr. Used for commands like `chpasswd` that
+/// read passwords from stdin (never from command arguments for security).
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+/// * `stdin_data` - Data to write to the command's stdin
+///
+/// # Security Note
+/// This function is specifically designed for secure password handling.
+/// The password is written to stdin and never appears in process arguments
+/// or command logs.
+///
+/// # Example
+/// ```ignore
+/// // Set password via chpasswd (secure, non-interactive)
+/// exec_command_with_stdin(
+///     &client,
+///     "opencode-cloud",
+///     vec!["chpasswd"],
+///     "username:password\n"
+/// ).await?;
+/// ```
+pub async fn exec_command_with_stdin(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+    stdin_data: &str,
+) -> Result<String, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdin: Some(true),
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    let mut output = String::new();
+
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached {
+            output: mut stream,
+            input: mut input_sink,
+        } => {
+            // Write stdin data using AsyncWrite
+            input_sink
+                .write_all(stdin_data.as_bytes())
+                .await
+                .map_err(|e| DockerError::Container(format!("Failed to write to stdin: {e}")))?;
+
+            // Close stdin to signal EOF
+            input_sink
+                .shutdown()
+                .await
+                .map_err(|e| DockerError::Container(format!("Failed to close stdin: {e}")))?;
+
+            // Collect output
+            while let Some(result) = stream.next().await {
+                match result {
+                    Ok(log_output) => {
+                        output.push_str(&log_output.to_string());
+                    }
+                    Err(e) => {
+                        return Err(DockerError::Container(format!(
+                            "Error reading exec output: {e}"
+                        )));
+                    }
+                }
+            }
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    Ok(output)
+}
+
+/// Execute a command and return its exit code
+///
+/// Runs a command in the container and returns the exit code instead of output.
+/// Useful for checking if a command succeeded (exit code 0) or failed.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+///
+/// # Example
+/// ```ignore
+/// // Check if user exists (id -u returns 0 if user exists)
+/// let exit_code = exec_command_exit_code(&client, "opencode-cloud", vec!["id", "-u", "admin"]).await?;
+/// let user_exists = exit_code == 0;
+/// ```
+pub async fn exec_command_exit_code(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+) -> Result<i64, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let exec_id = exec.id.clone();
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    // Run the command
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached { mut output, .. } => {
+            // Drain the output stream (we don't care about the content)
+            while output.next().await.is_some() {}
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    // Inspect the exec to get exit code
+    let inspect = client
+        .inner()
+        .inspect_exec(&exec_id)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to inspect exec: {e}")))?;
+
+    // Exit code is None if process is still running, which shouldn't happen
+    let exit_code = inspect.exit_code.unwrap_or(-1);
+
+    Ok(exit_code)
+}
+
+#[cfg(test)]
+mod tests {
+    // Note: These tests verify compilation and module structure.
+    // Actual Docker exec tests require a running container and are
+    // covered by integration tests.
+
+    #[test]
+    fn test_command_patterns() {
+        // Verify the command patterns used in user management
+        let useradd_cmd = ["useradd", "-m", "-s", "/bin/bash", "testuser"];
+        assert_eq!(useradd_cmd.len(), 5);
+        assert_eq!(useradd_cmd[0], "useradd");
+
+        let id_cmd = ["id", "-u", "testuser"];
+        assert_eq!(id_cmd.len(), 3);
+
+        let chpasswd_cmd = ["chpasswd"];
+        assert_eq!(chpasswd_cmd.len(), 1);
+    }
+}