Implement Production-Ready Perry Container Subsystem #72
Implement the `perry/container` and `perry/container-compose` (workloads)
subsystems, finalising the OCI stack. This transition moves from initial
stubs to a hardened implementation featuring deterministic orchestration
and cross-runtime compatibility.
Core Subsystems:
- Orchestration: Implemented `WorkloadGraphEngine` using Kahn's algorithm for
topological dependency resolution, deterministic startup, and rollback.
- Backend: Multi-layered auto-detection for 7+ runtimes (Apple Container,
Podman, OrbStack, etc.) with liveness checks and strict priority ordering.
- Security: Integrated Sigstore/cosign for image verification and hardened
ephemeral runners with `cap_drop: ALL`, `seccomp`, and `read_only` root.
- FFI Bridge: Expanded `perry-stdlib` with async-safe, promise-based handlers
optimized for raw C-ABI passing of primitives and validated pointers.
Technical Details:
- Restructured `perry-container-compose` into a flat module layout.
- Refactored `CliBackend` to be generic over `CliProtocol` for zero vtable
overhead.
- Standardised container naming to `{image_hash_8}-{random_hex}` with
label-based orphan cleanup logic.
- Modernised internal registries using `DashMap` for improved concurrency.
- Integrated with Perry compiler (HIR registration and codegen dispatch).
Refinements & Fixes:
- Restored `Buffer` synonym and `process.argv` specialization in `lower.rs`.
- Fixed SQLite linker conflicts by gating runtime stubs.
- Implemented robust IP and label extraction for the `DockerProtocol`.
- Added Forgejo production example and exhaustive documentation.
- Standardize container naming to {md5_8chars}-{random_hex8}.
- Align ComposeEngine up/down orchestration with canonical spec.
- Implement comprehensive FFI bridge with standardized i64 signatures.
- Wire perry/container, perry/compose, and perry/workloads to HIR and Codegen.
- Add support for read-only rootfs and seccomp security profiles.
- Ensure idempotency and robust rollback in stack orchestration.
- Verified with unit tests and FFI contract tests.
Co-authored-by: yumin-chen <10954839+yumin-chen@users.noreply.github.com>
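Added example (not code from this PR or the Perry project): a deterministic Kahn's-algorithm startup order with reverse-order rollback on failure, the behaviour the commit message attributes to `WorkloadGraphEngine`. The function names, the graph shape and the callbacks are assumptions for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Kahn's algorithm over a service -> dependencies map. Ready services are
/// popped from a BTreeSet, so ties are broken by name and the same graph
/// always yields the same order. On a cycle, returns the services stuck in it.
pub fn startup_order(deps: &BTreeMap<&str, Vec<&str>>) -> Result<Vec<String>, Vec<String>> {
    let mut indegree: BTreeMap<&str, usize> = BTreeMap::new(); // unstarted deps per service
    let mut dependents: BTreeMap<&str, Vec<&str>> = BTreeMap::new(); // reverse edges
    for (svc, ds) in deps {
        indegree.entry(*svc).or_insert(0);
        for d in ds {
            indegree.entry(*d).or_insert(0);
            *indegree.entry(*svc).or_insert(0) += 1;
            dependents.entry(*d).or_default().push(*svc);
        }
    }
    let mut ready: BTreeSet<&str> =
        indegree.iter().filter(|(_, &n)| n == 0).map(|(s, _)| *s).collect();
    let mut order = Vec::new();
    while let Some(next) = ready.pop_first() {
        order.push(next.to_string());
        for c in dependents.get(next).into_iter().flatten() {
            let n = indegree.get_mut(c).expect("every service has an indegree entry");
            *n -= 1;
            if *n == 0 {
                ready.insert(*c);
            }
        }
    }
    if order.len() == indegree.len() {
        Ok(order)
    } else {
        Err(indegree.iter().filter(|(_, &n)| n > 0).map(|(s, _)| s.to_string()).collect())
    }
}

/// Bring services up in the given order. If one fails to start, stop the
/// already-started ones in reverse order so no half-built stack is left behind.
pub fn bring_up<F, G>(order: &[String], mut start: F, mut stop: G) -> Result<(), String>
where
    F: FnMut(&str) -> Result<(), String>,
    G: FnMut(&str),
{
    let mut started: Vec<&str> = Vec::new();
    for svc in order {
        if let Err(e) = start(svc.as_str()) {
            for s in started.iter().rev() {
                stop(s);
            }
            return Err(format!("{svc}: {e}"));
        }
        started.push(svc.as_str());
    }
    Ok(())
}
```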
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
a7e9d31 to dd181eb
This PR implements the production-ready Perry container subsystem as per the canonical specification.
Key changes:
- `ComposeEngine` in `perry-container-compose` to implement the correct startup/teardown sequences, including external resource protection, idempotency checks, and image build/pull triggers.
- `js_container_*` and `js_compose_*` symbols in `perry-stdlib` to use `i64` for handles and boolean flags, ensuring compatibility with the LLVM backend's NaN-boxing truncation.
- `perry/container`, `perry/compose`, and `perry/workloads` as native modules in `perry-hir` and updated the `NATIVE_MODULE_TABLE` in `perry-codegen` for static dispatch.
- `{md5_8chars}-{random_hex8}` naming format in `service.rs`, derived from hashing the service configuration.
- `read_only` root filesystems and `seccomp` profiles via `SecurityProfile` and `run_with_security` backend calls.

The subsystem is fully functional across macOS/Podman/Docker backends and verified through comprehensive unit and integration tests.
PR created automatically by Jules for task 2916472828020898139 started by @yumin-chen