Use image config for container Entrypoint, Cmd, Env, WorkingDir

Parse OCI image config during pull and store in metadata. Apply
Kubernetes/CRI semantics when generating OCI runtime spec:
- command overrides ENTRYPOINT
- args overrides CMD
- If only args set, use image ENTRYPOINT + container args

Simplified OCI spec by removing capabilities, resources, and masked
paths. Added writable /tmp and /run tmpfs mounts for container apps.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: MalteJ

Cargo.lock

@@ -67,3 +67,4 @@ tonic-build = "0.12"
 tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "net"] }
 tonic = "0.12"
 nix = { version = "0.29", features = ["user", "process", "signal"] }
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }

mvirt-one/Cargo.toml

@@ -3,7 +3,7 @@
 //! Handles layer extraction and rootfs assembly.
 //! Based on FeOS image-service/filestore.rs pattern.
 
-use super::{ImageInfo, ImageState, PulledImageData};
+use super::{ImageConfig, ImageInfo, ImageState, PulledImageData};
 use crate::error::ImageError;
 use flate2::read::GzDecoder;
 use log::{error, info, warn};
@@ -20,6 +20,14 @@ use tokio::sync::{mpsc, oneshot};
 #[derive(Serialize, Deserialize)]
 struct ImageMetadata {
     image_ref: String,
+    #[serde(default)]
+    entrypoint: Vec<String>,
+    #[serde(default)]
+    cmd: Vec<String>,
+    #[serde(default)]
+    env: Vec<String>,
+    #[serde(default)]
+    working_dir: String,
 }
 
 /// Commands for the FileStore actor.
@@ -146,14 +154,21 @@ impl FileStore {
             }
         }
 
-        // Write config.json
+        // Parse image config (Entrypoint, Cmd, Env, etc.)
+        let image_config = super::parse_image_config(&image_data.config);
+
+        // Write config.json (raw OCI image config)
         fs::write(final_dir.join("config.json"), image_data.config)
             .await
             .map_err(ImageError::Storage)?;
 
-        // Write metadata.json
+        // Write metadata.json (with parsed config for easy loading)
         let metadata = ImageMetadata {
             image_ref: image_ref.to_string(),
+            entrypoint: image_config.entrypoint,
+            cmd: image_config.cmd,
+            env: image_config.env,
+            working_dir: image_config.working_dir,
         };
         let metadata_json = serde_json::to_string_pretty(&metadata)
             .map_err(|e| ImageError::Storage(std::io::Error::other(e)))?;
@@ -201,6 +216,12 @@ impl FileStore {
                                 image_ref: metadata.image_ref,
                                 rootfs_path: rootfs_path.to_string_lossy().to_string(),
                                 state: ImageState::Ready,
+                                config: ImageConfig {
+                                    entrypoint: metadata.entrypoint,
+                                    cmd: metadata.cmd,
+                                    env: metadata.env,
+                                    working_dir: metadata.working_dir,
+                                },
                             };
                             store.insert(uuid.to_string(), image_info);
                         } else {

mvirt-one/src/services/image/filestore.rs

@@ -42,6 +42,16 @@ pub enum Command {
 pub struct PullResponse {
     pub image_id: String,
     pub rootfs_path: String,
+    pub config: ImageConfig,
+}
+
+/// Parsed image configuration (Entrypoint, Cmd, Env, etc.)
+#[derive(Debug, Clone, Default)]
+pub struct ImageConfig {
+    pub entrypoint: Vec<String>,
+    pub cmd: Vec<String>,
+    pub env: Vec<String>,
+    pub working_dir: String,
 }
 
 /// Information about a cached image.
@@ -51,6 +61,7 @@ pub struct ImageInfo {
     pub image_ref: String,
     pub rootfs_path: String,
     pub state: ImageState,
+    pub config: ImageConfig,
 }
 
 /// State of an image in the cache.
@@ -75,3 +86,41 @@ pub struct PulledLayer {
     pub media_type: String,
     pub data: Vec<u8>,
 }
+
+/// Parse image config from OCI image config JSON blob.
+pub fn parse_image_config(config_json: &[u8]) -> ImageConfig {
+    use serde::Deserialize;
+
+    #[derive(Deserialize, Default)]
+    struct OciImageSpec {
+        config: Option<OciImageConfigInner>,
+    }
+
+    #[derive(Deserialize, Default)]
+    struct OciImageConfigInner {
+        #[serde(rename = "Entrypoint")]
+        entrypoint: Option<Vec<String>>,
+        #[serde(rename = "Cmd")]
+        cmd: Option<Vec<String>>,
+        #[serde(rename = "Env")]
+        env: Option<Vec<String>>,
+        #[serde(rename = "WorkingDir")]
+        working_dir: Option<String>,
+    }
+
+    match serde_json::from_slice::<OciImageSpec>(config_json) {
+        Ok(spec) => {
+            let config = spec.config.unwrap_or_default();
+            ImageConfig {
+                entrypoint: config.entrypoint.unwrap_or_default(),
+                cmd: config.cmd.unwrap_or_default(),
+                env: config.env.unwrap_or_default(),
+                working_dir: config.working_dir.unwrap_or_default(),
+            }
+        }
+        Err(e) => {
+            log::warn!("Failed to parse image config: {}", e);
+            ImageConfig::default()
+        }
+    }
+}

mvirt-one/src/services/image/mod.rs

@@ -4,7 +4,7 @@
 
 use super::filestore::{FileCommand, FileStore};
 use super::puller::pull_oci_image;
-use super::{Command, ImageInfo, ImageState, PullResponse};
+use super::{Command, ImageConfig, ImageInfo, ImageState, PullResponse, parse_image_config};
 use crate::error::ImageError;
 use log::{error, info};
 use std::collections::HashMap;
@@ -74,6 +74,7 @@ impl ImageOrchestrator {
                         let _ = responder.send(Ok(PullResponse {
                             image_id: id.clone(),
                             rootfs_path: info.rootfs_path.clone(),
+                            config: info.config.clone(),
                         }));
                         return;
                     }
@@ -93,6 +94,7 @@ impl ImageOrchestrator {
                         image_ref: image_ref.clone(),
                         rootfs_path: String::new(),
                         state: ImageState::Downloading,
+                        config: ImageConfig::default(),
                     },
                 );
 
@@ -109,9 +111,13 @@ impl ImageOrchestrator {
                     }
                 };
 
-                // Update state to extracting
+                // Parse image config (Entrypoint, Cmd, Env, etc.)
+                let image_config = parse_image_config(&image_data.config);
+
+                // Update state to extracting and store config
                 if let Some(info) = self.store.get_mut(&image_id) {
                     info.state = ImageState::Extracting;
+                    info.config = image_config.clone();
                 }
 
                 // Store the image
@@ -144,6 +150,7 @@ impl ImageOrchestrator {
                         let _ = responder.send(Ok(PullResponse {
                             image_id,
                             rootfs_path,
+                            config: image_config,
                         }));
                     }
                     Ok(Err(e)) => {