Commit graph

9 commits

Author SHA1 Message Date
Marco Allegretti
cad64482c0 chore: trim runtime/store comments 2026-02-25 13:24:02 +01:00
Marco Allegretti
c47e9d1175 chore(runtime): trim sandbox comments 2026-02-25 13:15:05 +01:00
Marco Allegretti
c576321479 perf(runtime): avoid spawning external true in mock backend 2026-02-25 12:40:39 +01:00
Marco Allegretti
064981f716 test(runtime): make OCI status test hermetic 2026-02-25 12:18:29 +01:00
Marco Allegretti
9554c4f6ff fix(runtime): oci status treats missing state as not running 2026-02-25 12:04:26 +01:00
Marco Allegretti
961209ef0a fix: harden enter/stop and WAL recovery
- Guard WAL recovery and stale .running cleanup behind a try-acquired store lock
- Persist rollback ResetState via MetadataStore to recompute checksums
- Track a killable host PID for namespace enter/stop and treat SIGTERM/SIGKILL as clean exit
- Derive OCI status PID via runtime state output
- Make sandbox chroot script quoting robust for exec/enter
2026-02-25 11:48:58 +01:00
Marco Allegretti
cbf954bead runtime: propagate offline mode
Add RuntimeSpec.offline and thread it through OCI/namespace backends.

Offline mode requires cached base images, forces sandbox network isolation,
and fails fast when system package resolution/installation would require
network access.
2026-02-23 18:28:10 +01:00
Marco Allegretti
62b9b569be fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test
- Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4)
- Generate SBOM for karapace-cli crate only (single predictable file)
- Fix --output-prefix → --override-filename (CLI change in 0.5.x)
- Fix rmeta tampering test: accept build failure as valid defense
  (cargo rejects corrupted .rmeta with compilation errors)
2026-02-22 20:31:08 +01:00
Marco Allegretti
8493831222 feat: karapace-runtime — namespace/OCI/mock backends, sandbox, host integration
- RuntimeBackend trait: resolve, build, enter, exec, destroy, status
- Namespace backend: unshare + fuse-overlayfs + chroot (unprivileged)
- OCI backend: crun/runc/youki support
- Mock backend: deterministic test backend with configurable resolution
- Image downloading from images.linuxcontainers.org with blake3 verification
- Sandbox script generation with POSIX shell-quote injection prevention
- Host integration: Wayland, X11, PipeWire, PulseAudio, D-Bus, GPU, audio, SSH agent
- Desktop app export as .desktop files on the host
- SecurityPolicy: mount whitelist, device policy, env var allow/deny, resource limits
- Prerequisite detection with distro-specific install instructions
- OSC 777 terminal markers for container-aware terminals
2026-02-22 18:36:46 +01:00