[confcom] Add containers from_image command (#9505)

* Restore the behaviour of `--upload-fragment` for acifragmentgen (#13)

### Why

Addresses 
- #9222

### How

- [x] Update the code to restore the "attach to first image in input" behaviour
- [x] Add two new commands: `fragment push` and `fragment attach` to allow the user to explicitly do one or the other (or both!)
- [x] Add new tests which run a local docker registry, and test that the fragments are generated, signed, pushed and attached as expected (as well as the default behaviour)

---

This checklist is used to make sure that common guidelines for a pull request are followed.

### Related command
<!--- Please provide the related command with az {command} if you can, so that we can quickly route to the related person to review. --->


### General Guidelines

- [x] Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- [x] Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
- [x] My extension version conforms to the [Extension version schema](https://github.com/Azure/azure-cli/blob/release/doc/extensions/versioning_guidelines.md)

* Add containers from_image command

* Satisfy azdev style

* Add tests

* Split command lib versions of command

* Rename the containers lib code file

* Build images with buildkit for deterministic hashes

* Revert "Build images with buildkit for deterministic hashes"

This reverts commit e8f7637.

* Change the working_dir sample for extra_layers

* .

* Remove extra layers test

* Review tidy ups

* Restore the behaviour of `--upload-fragment` for acifragmentgen (#13)

Addresses
- #9222

- [x] Update the code to restore the "attach to first image in input" behaviour
- [x] Add two new commands: `fragment push` and `fragment attach` to allow the user to explicitly do one or the other (or both!)
- [x] Add new tests which run a local docker registry, and test that the fragments are generated, signed, pushed and attached as expected (as well as the default behaviour)

---

This checklist is used to make sure that common guidelines for a pull request are followed.

<!--- Please provide the related command with az {command} if you can, so that we can quickly route to the related person to review. --->

- [x] Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- [x] Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
- [x] My extension version conforms to the [Extension version schema](https://github.com/Azure/azure-cli/blob/release/doc/extensions/versioning_guidelines.md)

* Bump confcom version

* Address review comments

Author: DomAyre

linter_exclusions.yml

@@ -3525,3 +3525,9 @@ confcom fragment attach:
     signed_fragment:
       rule_exclusions:
         - no_positional_parameters
+
+confcom containers from_image:
+  parameters:
+    image:
+      rule_exclusions:
+        - no_positional_parameters

src/confcom/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.6.0
+++++++
+* Added confcom containers from_image command to generate container definitions from an image reference
+
 1.5.1
 ++++++
 * Bumped the Kata genpolicy version to gen4

src/confcom/azext_confcom/_help.py

@@ -321,3 +321,28 @@
         - name: Attach the output of acifragmentgen to a registry
           text: az confcom acifragmentgen --chain my.cert.pem --key my_key.pem --svn "1" --namespace contoso --feed "test-feed" --input ./fragment_spec.json | az confcom fragment attach --manifest-tag myregistry.azurecr.io/image:latest
 """
+
+helps[
+    "confcom containers"
+] = """
+    type: group
+    short-summary: Commands which generate Security Policy Container Definitions.
+"""
+
+
+helps[
+    "confcom containers from_image"
+] = """
+    type: command
+    short-summary: Create a Security Policy Container Definition based on an image reference.
+
+    parameters:
+        - name: --platform
+          type: str
+          short-summary: 'The name of the platform the container definition will run on'
+
+
+    examples:
+        - name: Input an image reference and generate container definitions
+          text: az confcom containers from_image my.azurecr.io/myimage:tag
+"""

src/confcom/azext_confcom/_params.py

@@ -469,3 +469,18 @@ def load_arguments(self, _):
             help="Path to containerd socket if not using the default",
             validator=validate_katapolicygen_input,
         )
+
+    with self.argument_context("confcom containers from_image") as c:
+        c.positional(
+            "image",
+            type=str,
+            help="Image to create container definition from",
+        )
+        c.argument(
+            "platform",
+            options_list=("--platform",),
+            required=False,
+            default="aci",
+            type=str,
+            help="Platform to create container definition for",
+        )

src/confcom/azext_confcom/command/containers_from_image.py

@@ -0,0 +1,12 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import json
+
+from azext_confcom.lib.containers import from_image as lib_containers_from_image
+
+
+def containers_from_image(image: str, platform: str) -> None:
+    print(json.dumps(lib_containers_from_image(image, platform)))

src/confcom/azext_confcom/commands.py

@@ -17,3 +17,6 @@ def load_command_table(self, _):
 
     with self.command_group("confcom"):
         pass
+
+    with self.command_group("confcom containers") as g:
+        g.custom_command("from_image", "containers_from_image")

src/confcom/azext_confcom/custom.py

@@ -25,6 +25,7 @@
     print_existing_policy_from_yaml, print_func, str_to_sha256)
 from azext_confcom.command.fragment_attach import fragment_attach as _fragment_attach
 from azext_confcom.command.fragment_push import fragment_push as _fragment_push
+from azext_confcom.command.containers_from_image import containers_from_image as _containers_from_image
 from knack.log import get_logger
 from pkg_resources import parse_version
 
@@ -552,3 +553,13 @@ def fragment_push(
         signed_fragment=signed_fragment,
         manifest_tag=manifest_tag
     )
+
+
+def containers_from_image(
+    image: str,
+    platform: str,
+) -> None:
+    _containers_from_image(
+        image=image,
+        platform=platform,
+    )

src/confcom/azext_confcom/lib/containers.py

@@ -0,0 +1,23 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from dataclasses import asdict
+from azext_confcom.lib.images import get_image_layers, get_image_config
+from azext_confcom.lib.platform import ACI_MOUNTS
+
+
+def from_image(image: str, platform: str) -> dict:
+
+    mounts = {
+        "aci": [asdict(mount) for mount in ACI_MOUNTS],
+    }.get(platform, None)
+
+    return {
+        "id": image,
+        "name": image,
+        "layers": get_image_layers(image),
+        **({"mounts": mounts} if mounts else {}),
+        **get_image_config(image),
+    }

src/confcom/azext_confcom/lib/images.py

@@ -0,0 +1,65 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import functools
+import subprocess
+import docker
+
+from pathlib import Path
+
+
+@functools.lru_cache()
+def get_image(image_ref: str) -> docker.models.images.Image:
+
+    client = docker.from_env()
+
+    try:
+        image = client.images.get(image_ref)
+    except docker.errors.ImageNotFound:
+        client.images.pull(image_ref)
+
+    image = client.images.get(image_ref)
+    return image
+
+
+def get_image_layers(image: str) -> list[str]:
+
+    binary_path = Path(__file__).parent.parent / "bin" / "dmverity-vhd"
+
+    get_image(image)
+    result = subprocess.run(
+        [binary_path.as_posix(), "-d", "roothash", "-i", image],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.DEVNULL,
+        check=True,
+        text=True,
+    )
+
+    return [line.split("hash: ")[-1] for line in result.stdout.splitlines()]
+
+
+def get_image_config(image: str) -> dict:
+
+    image_config = get_image(image).attrs.get("Config")
+
+    config = {}
+
+    if image_config.get("Cmd") or image_config.get("Entrypoint"):
+        config["command"] = (
+            image_config.get("Entrypoint") or [] +
+            image_config.get("Cmd") or []
+        )
+
+    if image_config.get("Env"):
+        config["env_rules"] = [{
+            "pattern": p,
+            "strategy": "string",
+            "required": False,
+        } for p in image_config.get("Env")]
+
+    if image_config.get("WorkingDir"):
+        config["working_dir"] = image_config.get("WorkingDir")
+
+    return config

src/confcom/azext_confcom/lib/platform.py

@@ -0,0 +1,19 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azext_confcom.lib.policy import ContainerMount
+
+ACI_MOUNTS = [
+    ContainerMount(
+        destination="/etc/resolv.conf",
+        options=[
+            "rbind",
+            "rshared",
+            "rw"
+        ],
+        source="sandbox:///tmp/atlas/resolvconf/.+",
+        type="bind"
+    )
+]