containertool: Support resource directories

Author: euanh

Sources/containertool/ELFDetect.swift

@@ -12,6 +12,9 @@
 //
 //===----------------------------------------------------------------------===//
 
+import class Foundation.FileHandle
+import struct Foundation.URL
+
 struct ArrayField<T: Collection> where T.Element == UInt8 {
     var start: Int
     var count: Int
@@ -52,6 +55,11 @@ extension Array where Element == UInt8 {
 /// architecture and operating system ABI for which that object
 /// was created.
 struct ELF: Equatable {
+    /// Minimum ELF header length is 52 bytes for a 32-bit ELF header.
+    /// A 64-bit header is 64 bytes.   A potential header must be at
+    /// least 52 bytes or it cannot possibly be an ELF header.
+    static let minHeaderLength = 52
+
     /// Multibyte ELF fields are stored in the native endianness of the target system.
     /// This field records the endianness of objects in the file.
     enum Endianness: UInt8 {
@@ -189,7 +197,7 @@ extension ELF {
         /// Object type: 2 bytes
         static let EI_TYPE = IntField<UInt16>(start: 0x10)
 
-        //l Machine ISA (processor architecture): 2 bytes
+        /// Machine ISA (processor architecture): 2 bytes
         static let EI_MACHINE = IntField<UInt16>(start: 0x12)
     }
 
@@ -205,7 +213,7 @@ extension ELF {
     static func read(_ bytes: [UInt8]) -> ELF? {
         // An ELF file starts with a magic number which is the same in either endianness.
         // The only defined ELF header version is 1.
-        guard bytes.count > 0x13, bytes[Field.EI_MAGIC] == ELFMagic, bytes[Field.EI_VERSION] == 1 else {
+        guard bytes.count >= minHeaderLength, bytes[Field.EI_MAGIC] == ELFMagic, bytes[Field.EI_VERSION] == 1 else {
             return nil
         }
 
@@ -226,3 +234,13 @@ extension ELF {
         )
     }
 }
+
+extension ELF {
+    static func read(at path: URL) throws -> ELF? {
+        let handle = try FileHandle(forReadingFrom: path)
+        guard let header = try handle.read(upToCount: minHeaderLength) else {
+            return nil
+        }
+        return ELF.read([UInt8](header))
+    }
+}

Sources/containertool/Extensions/Archive+appending.swift

@@ -0,0 +1,84 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftContainerPlugin open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftContainerPlugin project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftContainerPlugin project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import class Foundation.FileManager
+import struct Foundation.Data
+import struct Foundation.FileAttributeType
+import struct Foundation.URL
+
+import Tar
+
+extension URL {
+    var isDirectory: Bool {
+        (try? resourceValues(forKeys: [.isDirectoryKey]))?.isDirectory == true
+    }
+}
+
+extension Archive {
+    /// Append a file or directory tree to the archive.   Directory trees are appended recursively.
+    /// Parameters:
+    /// - root: The path to the file or directory to add.
+    /// Returns:  A new archive made by appending `root` to the receiver.
+    public func appendingRecursively(atPath root: String) throws -> Self {
+        let url = URL(fileURLWithPath: root)
+        if url.isDirectory {
+            return try self.appendingDirectoryTree(at: url)
+        } else {
+            return try self.appendingFile(at: url)
+        }
+    }
+
+    /// Append a single file to the archive.
+    /// Parameters:
+    /// - path: The path to the file to add.
+    /// Returns:  A new archive made by appending `path` to the receiver.
+    func appendingFile(at path: URL) throws -> Self {
+        try self.appendingFile(name: path.lastPathComponent, data: try [UInt8](Data(contentsOf: path)))
+    }
+
+    /// Recursively append a single directory tree to the archive.
+    /// Parameters:
+    /// - root: The path to the directory to add.
+    /// Returns:  A new archive made by appending `root` to the receiver.
+    func appendingDirectoryTree(at root: URL) throws -> Self {
+        var ret = self
+
+        guard let enumerator = FileManager.default.enumerator(atPath: root.path) else {
+            throw ("Unable to read \(root.path)")
+        }
+
+        for case let subpath as String in enumerator {
+            // https://developer.apple.com/documentation/foundation/filemanager/1410452-attributesofitem
+            // https://developer.apple.com/documentation/foundation/fileattributekey
+
+            guard let filetype = enumerator.fileAttributes?[.type] as? FileAttributeType else {
+                throw ("Unable to get file type for \(subpath)")
+            }
+
+            switch filetype {
+            case .typeRegular:
+                let resource = try [UInt8](Data(contentsOf: root.appending(path: subpath)))
+                try ret.appendFile(name: subpath, prefix: root.lastPathComponent, data: resource)
+
+            case .typeDirectory:
+                try ret.appendDirectory(name: subpath, prefix: root.lastPathComponent)
+
+            default:
+                throw "Resource file \(subpath) of type \(filetype) is not supported"
+            }
+        }
+
+        return ret
+    }
+}

Sources/containertool/Extensions/RegistryClient+Layers.swift

@@ -40,12 +40,11 @@ extension RegistryClient {
     // See https://github.com/opencontainers/image-spec/blob/main/media-types.md
     func uploadImageLayer(
         repository: String,
-        layer: Data,
+        layer: [UInt8],
         mediaType: String = "application/vnd.oci.image.layer.v1.tar+gzip"
     ) async throws -> ContentDescriptor {
         // The layer blob is the gzipped tarball
-        let blob = Data(gzip([UInt8](layer)))
-        log("Uploading application layer")
+        let blob = Data(gzip(layer))
         return try await putBlob(repository: repository, mediaType: mediaType, data: blob)
     }
 }

Sources/containertool/containertool.swift

@@ -38,6 +38,9 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
     @Argument(help: "Executable to package")
     private var executable: String
 
+    @Option(help: "Resource bundle directory")
+    private var resources: [String] = []
+
     @Option(help: "Username")
     private var username: String?
 
@@ -72,9 +75,6 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
         let baseimage = try ImageReference(fromString: from, defaultRegistry: defaultRegistry)
         var destination_image = try ImageReference(fromString: repository, defaultRegistry: defaultRegistry)
 
-        let executableURL = URL(fileURLWithPath: executable)
-        let payload = try Data(contentsOf: executableURL)
-
         let authProvider: AuthorizationProvider?
         if !netrc {
             authProvider = nil
@@ -87,8 +87,9 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
             authProvider = try NetrcAuthorizationProvider(defaultNetrc)
         }
 
-        // Create clients for the source and destination registries
-        // The base image may be stored on a different registry, so two clients are needed.
+        // MARK: Create registry clients
+
+        // The base image may be stored on a different registry to the final destination, so two clients are needed.
         // `scratch` is a special case and requires no source client.
         let source: RegistryClient?
         if from == "scratch" {
@@ -113,7 +114,10 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
 
         // MARK: Find the base image
 
-        let elfheader = ELF.read([UInt8](payload))
+        // Try to detect the architecture of the application executable so a suitable base image can be selected.
+        // This reduces the risk of accidentally creating an image which stacks an aarch64 executable on top of an x86_64 base image.
+        let executableURL = URL(fileURLWithPath: executable)
+        let elfheader = try ELF.read(at: executableURL)
         let architecture =
             architecture
             ?? ProcessInfo.processInfo.environment["CONTAINERTOOL_ARCHITECTURE"]
@@ -146,20 +150,30 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
             if verbose { log("Using scratch as base image") }
         }
 
-        // MARK: Build the application layer
+        // MARK: Upload resource layers
 
-        let payload_name = executableURL.lastPathComponent
-        let tardiff = try tar([UInt8](payload), filename: payload_name)
-        log("Built application layer")
+        var resourceLayers: [RegistryClient.ImageLayer] = []
+        for resourceDir in resources {
+            let layer = try await destination.uploadLayer(
+                repository: destination_image.repository,
+                contents: try Archive().appendingRecursively(atPath: resourceDir).bytes
+            )
 
-        // MARK: Upload the application layer
+            if verbose {
+                log("resource layer: \(layer.descriptor.digest) (\(layer.descriptor.size) bytes)")
+            }
 
-        let application_layer = try await destination.uploadImageLayer(
+            resourceLayers.append(layer)
+        }
+
+        // MARK: Upload the application layer
+        let applicationLayer = try await destination.uploadLayer(
             repository: destination_image.repository,
-            layer: Data(tardiff)
+            contents: try Archive().appendingFile(at: executableURL).bytes
         )
-
-        if verbose { log("application layer: \(application_layer.digest) (\(application_layer.size) bytes)") }
+        if verbose {
+            log("application layer: \(applicationLayer.descriptor.digest) (\(applicationLayer.descriptor.size) bytes)")
+        }
 
         // MARK: Create the application configuration
 
@@ -168,7 +182,7 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
         // Inherit the configuration of the base image - UID, GID, environment etc -
         // and override the entrypoint.
         var inherited_config = baseimage_config.config ?? .init()
-        inherited_config.Entrypoint = ["/\(payload_name)"]
+        inherited_config.Entrypoint = ["/\(executableURL.lastPathComponent)"]
         inherited_config.Cmd = []
         inherited_config.WorkingDir = "/"
 
@@ -182,7 +196,9 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
                 // The diff_id is the digest of the _uncompressed_ layer archive.
                 // It is used by the runtime, which might not store the layers in
                 // the compressed form in which it received them from the registry.
-                diff_ids: baseimage_config.rootfs.diff_ids + [digest(of: tardiff)]
+                diff_ids: baseimage_config.rootfs.diff_ids
+                    + resourceLayers.map { $0.diffID }
+                    + [applicationLayer.diffID]
             ),
             history: [.init(created: timestamp, created_by: "containertool")]
         )
@@ -200,7 +216,9 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
             schemaVersion: 2,
             mediaType: "application/vnd.oci.image.manifest.v1+json",
             config: config_blob,
-            layers: baseimage_manifest.layers + [application_layer]
+            layers: baseimage_manifest.layers
+                + resourceLayers.map { $0.descriptor }
+                + [applicationLayer.descriptor]
         )
 
         // MARK: Upload base image
@@ -237,3 +255,16 @@ enum AllowHTTP: String, ExpressibleByArgument, CaseIterable { case source, desti
         print(destination_image)
     }
 }
+
+extension RegistryClient {
+    typealias DiffID = String
+    struct ImageLayer {
+        var descriptor: ContentDescriptor
+        var diffID: DiffID
+    }
+    func uploadLayer(repository: String, contents: [UInt8]) async throws -> ImageLayer {
+        let diffID = digest(of: contents)
+        let descriptor = try await self.uploadImageLayer(repository: repository, layer: contents)
+        return ImageLayer(descriptor: descriptor, diffID: diffID)
+    }
+}