@opencode-cloud/core 1.0.8 → 3.0.15

package/src/docker/exec.rs

@@ -0,0 +1,278 @@
+//! Container exec wrapper for running commands in containers
+//!
+//! This module provides functions to execute commands inside running Docker
+//! containers, with support for capturing output and providing stdin input.
+//! Used for user management operations like useradd, chpasswd, etc.
+
+use bollard::exec::{CreateExecOptions, StartExecOptions, StartExecResults};
+use futures_util::StreamExt;
+use tokio::io::AsyncWriteExt;
+
+use super::{DockerClient, DockerError};
+
+/// Execute a command in a running container and capture output
+///
+/// Creates an exec instance, runs the command, and collects stdout/stderr.
+/// Returns the combined output as a String.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+///
+/// # Example
+/// ```ignore
+/// let output = exec_command(&client, "opencode-cloud", vec!["whoami"]).await?;
+/// ```
+pub async fn exec_command(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+) -> Result<String, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    let mut output = String::new();
+
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached {
+            output: mut stream, ..
+        } => {
+            while let Some(result) = stream.next().await {
+                match result {
+                    Ok(log_output) => {
+                        output.push_str(&log_output.to_string());
+                    }
+                    Err(e) => {
+                        return Err(DockerError::Container(format!(
+                            "Error reading exec output: {e}"
+                        )));
+                    }
+                }
+            }
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    Ok(output)
+}
+
+/// Execute a command with stdin input and capture output
+///
+/// Creates an exec instance with stdin attached, writes the provided data to
+/// stdin, then collects stdout/stderr. Used for commands like `chpasswd` that
+/// read passwords from stdin (never from command arguments for security).
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+/// * `stdin_data` - Data to write to the command's stdin
+///
+/// # Security Note
+/// This function is specifically designed for secure password handling.
+/// The password is written to stdin and never appears in process arguments
+/// or command logs.
+///
+/// # Example
+/// ```ignore
+/// // Set password via chpasswd (secure, non-interactive)
+/// exec_command_with_stdin(
+///     &client,
+///     "opencode-cloud",
+///     vec!["chpasswd"],
+///     "username:password\n"
+/// ).await?;
+/// ```
+pub async fn exec_command_with_stdin(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+    stdin_data: &str,
+) -> Result<String, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdin: Some(true),
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    let mut output = String::new();
+
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached {
+            output: mut stream,
+            input: mut input_sink,
+        } => {
+            // Write stdin data using AsyncWrite
+            input_sink
+                .write_all(stdin_data.as_bytes())
+                .await
+                .map_err(|e| DockerError::Container(format!("Failed to write to stdin: {e}")))?;
+
+            // Close stdin to signal EOF
+            input_sink
+                .shutdown()
+                .await
+                .map_err(|e| DockerError::Container(format!("Failed to close stdin: {e}")))?;
+
+            // Collect output
+            while let Some(result) = stream.next().await {
+                match result {
+                    Ok(log_output) => {
+                        output.push_str(&log_output.to_string());
+                    }
+                    Err(e) => {
+                        return Err(DockerError::Container(format!(
+                            "Error reading exec output: {e}"
+                        )));
+                    }
+                }
+            }
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    Ok(output)
+}
+
+/// Execute a command and return its exit code
+///
+/// Runs a command in the container and returns the exit code instead of output.
+/// Useful for checking if a command succeeded (exit code 0) or failed.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `cmd` - Command and arguments to execute
+///
+/// # Example
+/// ```ignore
+/// // Check if user exists (id -u returns 0 if user exists)
+/// let exit_code = exec_command_exit_code(&client, "opencode-cloud", vec!["id", "-u", "admin"]).await?;
+/// let user_exists = exit_code == 0;
+/// ```
+pub async fn exec_command_exit_code(
+    client: &DockerClient,
+    container: &str,
+    cmd: Vec<&str>,
+) -> Result<i64, DockerError> {
+    let exec_config = CreateExecOptions {
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        cmd: Some(cmd.iter().map(|s| s.to_string()).collect()),
+        user: Some("root".to_string()),
+        ..Default::default()
+    };
+
+    let exec = client
+        .inner()
+        .create_exec(container, exec_config)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to create exec: {e}")))?;
+
+    let exec_id = exec.id.clone();
+
+    let start_config = StartExecOptions {
+        detach: false,
+        ..Default::default()
+    };
+
+    // Run the command
+    match client
+        .inner()
+        .start_exec(&exec.id, Some(start_config))
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to start exec: {e}")))?
+    {
+        StartExecResults::Attached { mut output, .. } => {
+            // Drain the output stream (we don't care about the content)
+            while output.next().await.is_some() {}
+        }
+        StartExecResults::Detached => {
+            return Err(DockerError::Container(
+                "Exec unexpectedly detached".to_string(),
+            ));
+        }
+    }
+
+    // Inspect the exec to get exit code
+    let inspect = client
+        .inner()
+        .inspect_exec(&exec_id)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to inspect exec: {e}")))?;
+
+    // Exit code is None if process is still running, which shouldn't happen
+    let exit_code = inspect.exit_code.unwrap_or(-1);
+
+    Ok(exit_code)
+}
+
+#[cfg(test)]
+mod tests {
+    // Note: These tests verify compilation and module structure.
+    // Actual Docker exec tests require a running container and are
+    // covered by integration tests.
+
+    #[test]
+    fn test_command_patterns() {
+        // Verify the command patterns used in user management
+        let useradd_cmd = ["useradd", "-m", "-s", "/bin/bash", "testuser"];
+        assert_eq!(useradd_cmd.len(), 5);
+        assert_eq!(useradd_cmd[0], "useradd");
+
+        let id_cmd = ["id", "-u", "testuser"];
+        assert_eq!(id_cmd.len(), 3);
+
+        let chpasswd_cmd = ["chpasswd"];
+        assert_eq!(chpasswd_cmd.len(), 1);
+    }
+}

package/src/docker/health.rs

@@ -0,0 +1,165 @@
+//! Health check module for OpenCode service
+//!
+//! Provides health checking functionality by querying OpenCode's /global/health endpoint.
+
+use serde::{Deserialize, Serialize};
+use std::time::Duration;
+use thiserror::Error;
+
+use super::DockerClient;
+
+/// Response from OpenCode's /global/health endpoint
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct HealthResponse {
+    /// Whether the service is healthy
+    pub healthy: bool,
+    /// Service version string
+    pub version: String,
+}
+
+/// Extended health response including container stats
+#[derive(Debug, Serialize)]
+pub struct ExtendedHealthResponse {
+    /// Whether the service is healthy
+    pub healthy: bool,
+    /// Service version string
+    pub version: String,
+    /// Container state (running, stopped, etc.)
+    pub container_state: String,
+    /// Uptime in seconds
+    pub uptime_seconds: u64,
+    /// Memory usage in megabytes (if available)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub memory_usage_mb: Option<u64>,
+}
+
+/// Errors that can occur during health checks
+#[derive(Debug, Error)]
+pub enum HealthError {
+    /// HTTP request failed
+    #[error("Request failed: {0}")]
+    RequestError(#[from] reqwest::Error),
+
+    /// Service returned non-200 status
+    #[error("Service unhealthy (HTTP {0})")]
+    Unhealthy(u16),
+
+    /// Connection refused - service may not be running
+    #[error("Connection refused - service may not be running")]
+    ConnectionRefused,
+
+    /// Request timed out - service may be starting
+    #[error("Timeout - service may be starting")]
+    Timeout,
+}
+
+/// Check health by querying OpenCode's /global/health endpoint
+///
+/// Returns the health response on success (HTTP 200).
+/// Returns an error for connection issues, timeouts, or non-200 responses.
+pub async fn check_health(port: u16) -> Result<HealthResponse, HealthError> {
+    let url = format!("http://127.0.0.1:{port}/global/health");
+
+    let client = reqwest::Client::builder()
+        .timeout(Duration::from_secs(5))
+        .build()?;
+
+    let response = match client.get(&url).send().await {
+        Ok(resp) => resp,
+        Err(e) => {
+            // Check for connection refused
+            if e.is_connect() {
+                return Err(HealthError::ConnectionRefused);
+            }
+            // Check for timeout
+            if e.is_timeout() {
+                return Err(HealthError::Timeout);
+            }
+            return Err(HealthError::RequestError(e));
+        }
+    };
+
+    let status = response.status();
+
+    if status.is_success() {
+        let health_response = response.json::<HealthResponse>().await?;
+        Ok(health_response)
+    } else {
+        Err(HealthError::Unhealthy(status.as_u16()))
+    }
+}
+
+/// Check health with extended information including container stats
+///
+/// Combines basic health check with container statistics from Docker.
+/// If container stats fail, still returns response with container_state = "unknown".
+pub async fn check_health_extended(
+    client: &DockerClient,
+    port: u16,
+) -> Result<ExtendedHealthResponse, HealthError> {
+    // Get basic health info
+    let health = check_health(port).await?;
+
+    // Get container stats
+    let container_name = super::CONTAINER_NAME;
+
+    // Try to get container info
+    let (container_state, uptime_seconds, memory_usage_mb) =
+        match client.inner().inspect_container(container_name, None).await {
+            Ok(info) => {
+                let state = info
+                    .state
+                    .as_ref()
+                    .and_then(|s| s.status.as_ref())
+                    .map(|s| s.to_string())
+                    .unwrap_or_else(|| "unknown".to_string());
+
+                // Calculate uptime
+                let uptime = info
+                    .state
+                    .as_ref()
+                    .and_then(|s| s.started_at.as_ref())
+                    .and_then(|started| {
+                        let timestamp = chrono::DateTime::parse_from_rfc3339(started).ok()?;
+                        let now = chrono::Utc::now();
+                        let started_utc = timestamp.with_timezone(&chrono::Utc);
+                        if now >= started_utc {
+                            Some((now - started_utc).num_seconds() as u64)
+                        } else {
+                            None
+                        }
+                    })
+                    .unwrap_or(0);
+
+                // Get memory usage (would require stats API call - skip for now)
+                let memory = None;
+
+                (state, uptime, memory)
+            }
+            Err(_) => ("unknown".to_string(), 0, None),
+        };
+
+    Ok(ExtendedHealthResponse {
+        healthy: health.healthy,
+        version: health.version,
+        container_state,
+        uptime_seconds,
+        memory_usage_mb,
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_health_check_connection_refused() {
+        // Port 1 should always refuse connection
+        let result = check_health(1).await;
+        assert!(result.is_err());
+        match result.unwrap_err() {
+            HealthError::ConnectionRefused => {}
+            other => panic!("Expected ConnectionRefused, got: {other:?}"),
+        }
+    }
+}

package/src/docker/image.rs

@@ -203,8 +203,7 @@ pub async fn pull_image(
             Ok(full_name)
         }
         Err(dockerhub_err) => Err(DockerError::Pull(format!(
-            "Failed to pull from both registries. GHCR: {}. Docker Hub: {}",
-            ghcr_err, dockerhub_err
+            "Failed to pull from both registries. GHCR: {ghcr_err}. Docker Hub: {dockerhub_err}"
         ))),
     }
 }
@@ -246,8 +245,7 @@ async fn pull_from_registry(
 
     Err(last_error.unwrap_or_else(|| {
         DockerError::Pull(format!(
-            "Pull failed for {} after {} attempts",
-            full_name, MAX_PULL_RETRIES
+            "Pull failed for {full_name} after {MAX_PULL_RETRIES} attempts"
         ))
     }))
 }

package/src/docker/mod.rs

@@ -8,13 +8,23 @@
 //! - Image build and pull operations
 //! - Volume management for persistent storage
 //! - Container lifecycle (create, start, stop, remove)
+//! - Container exec for running commands inside containers
+//! - User management operations (create, delete, lock/unlock users)
+//! - Image update and rollback operations
 
 mod client;
 pub mod container;
 mod dockerfile;
 mod error;
+pub mod exec;
+mod health;
 pub mod image;
+pub mod mount;
 pub mod progress;
+pub mod state;
+pub mod update;
+pub mod users;
+mod version;
 pub mod volume;
 
 // Core types
@@ -22,24 +32,51 @@ pub use client::DockerClient;
 pub use error::DockerError;
 pub use progress::ProgressReporter;
 
+// Health check operations
+pub use health::{
+    ExtendedHealthResponse, HealthError, HealthResponse, check_health, check_health_extended,
+};
+
 // Dockerfile constants
 pub use dockerfile::{DOCKERFILE, IMAGE_NAME_DOCKERHUB, IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT};
 
 // Image operations
 pub use image::{build_image, image_exists, pull_image};
 
+// Update operations
+pub use update::{UpdateResult, has_previous_image, rollback_image, update_image};
+
+// Version detection
+pub use version::{VERSION_LABEL, get_cli_version, get_image_version, versions_compatible};
+
+// Container exec operations
+pub use exec::{exec_command, exec_command_exit_code, exec_command_with_stdin};
+
+// User management operations
+pub use users::{
+    UserInfo, create_user, delete_user, list_users, lock_user, set_user_password, unlock_user,
+    user_exists,
+};
+
 // Volume management
 pub use volume::{
     MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, VOLUME_CONFIG, VOLUME_NAMES, VOLUME_PROJECTS,
     VOLUME_SESSION, ensure_volumes_exist, remove_all_volumes, remove_volume, volume_exists,
 };
 
+// Bind mount parsing and validation
+pub use mount::{MountError, ParsedMount, check_container_path_warning, validate_mount_path};
+
 // Container lifecycle
 pub use container::{
-    CONTAINER_NAME, OPENCODE_WEB_PORT, container_exists, container_is_running, container_state,
-    create_container, remove_container, start_container, stop_container,
+    CONTAINER_NAME, ContainerBindMount, ContainerPorts, OPENCODE_WEB_PORT, container_exists,
+    container_is_running, container_state, create_container, get_container_bind_mounts,
+    get_container_ports, remove_container, start_container, stop_container,
 };
 
+// Image state tracking
+pub use state::{ImageState, clear_state, get_state_path, load_state, save_state};
+
 /// Full setup: ensure volumes exist, create container if needed, start it
 ///
 /// This is the primary entry point for starting the opencode service.
@@ -49,10 +86,18 @@ pub use container::{
 /// * `client` - Docker client
 /// * `opencode_web_port` - Port to bind on host for opencode web UI (defaults to OPENCODE_WEB_PORT)
 /// * `env_vars` - Additional environment variables (optional)
+/// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
+/// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
+/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to true)
+/// * `bind_mounts` - User-defined bind mounts from config and CLI flags (optional)
 pub async fn setup_and_start(
     client: &DockerClient,
     opencode_web_port: Option<u16>,
     env_vars: Option<Vec<String>>,
+    bind_address: Option<&str>,
+    cockpit_port: Option<u16>,
+    cockpit_enabled: Option<bool>,
+    bind_mounts: Option<Vec<mount::ParsedMount>>,
 ) -> Result<String, DockerError> {
     // Ensure volumes exist first
     volume::ensure_volumes_exist(client).await?;
@@ -65,13 +110,24 @@ pub async fn setup_and_start(
             .inspect_container(container::CONTAINER_NAME, None)
             .await
             .map_err(|e| {
-                DockerError::Container(format!("Failed to inspect existing container: {}", e))
+                DockerError::Container(format!("Failed to inspect existing container: {e}"))
             })?;
         info.id
             .unwrap_or_else(|| container::CONTAINER_NAME.to_string())
     } else {
         // Create new container
-        container::create_container(client, None, None, opencode_web_port, env_vars).await?
+        container::create_container(
+            client,
+            None,
+            None,
+            opencode_web_port,
+            env_vars,
+            bind_address,
+            cockpit_port,
+            cockpit_enabled,
+            bind_mounts,
+        )
+        .await?
     };
 
     // Start if not running
@@ -82,25 +138,33 @@ pub async fn setup_and_start(
     Ok(container_id)
 }
 
+/// Default graceful shutdown timeout in seconds
+pub const DEFAULT_STOP_TIMEOUT_SECS: i64 = 30;
+
 /// Stop and optionally remove the opencode container
 ///
 /// # Arguments
 /// * `client` - Docker client
 /// * `remove` - Also remove the container after stopping
-pub async fn stop_service(client: &DockerClient, remove: bool) -> Result<(), DockerError> {
+/// * `timeout_secs` - Graceful shutdown timeout (default: 30 seconds)
+pub async fn stop_service(
+    client: &DockerClient,
+    remove: bool,
+    timeout_secs: Option<i64>,
+) -> Result<(), DockerError> {
     let name = container::CONTAINER_NAME;
+    let timeout = timeout_secs.unwrap_or(DEFAULT_STOP_TIMEOUT_SECS);
 
     // Check if container exists
     if !container::container_exists(client, name).await? {
         return Err(DockerError::Container(format!(
-            "Container '{}' does not exist",
-            name
+            "Container '{name}' does not exist"
         )));
     }
 
     // Stop if running
     if container::container_is_running(client, name).await? {
-        container::stop_container(client, name, None).await?;
+        container::stop_container(client, name, Some(timeout)).await?;
     }
 
     // Remove if requested