
feat(ecr-ecs-lambda): wire fakecloud ECR into ECS + Lambda image pull #726

Merged
vieiralucas merged 2 commits into main from worktree-ecr-ecs-tighten-batch1
Apr 24, 2026


@vieiralucas vieiralucas commented Apr 24, 2026

Summary

Batch 1 of the ECR+ECS tightening pass — the flagship cross-service integration. Images pushed to fakecloud ECR via the OCI v2 endpoint are now pulled and run by ECS tasks and Lambda functions that reference them by AWS URI.

  • ECR URI translator in fakecloud-core shared between ECS + Lambda
  • ECS runtime pulls from fakecloud ECR transparently when task image is an AWS ECR URI; retags to preserve user-facing image name
  • Lambda PackageType=Image now wired: Code.ImageUri flows through CreateFunction -> GetFunction -> container runtime
  • Isolated DOCKER_CONFIG tempdir carries Basic auth for 127.0.0.1:<port> so pulls work without mutating the user's docker config
  • E2E test proves the full loop: docker push alpine to fakecloud ECR -> RunTask with AWS URI -> captured stdout matches container output

Test plan

  • cargo test -p fakecloud-core -p fakecloud-ecs -p fakecloud-lambda -p fakecloud-ecr — all unit tests pass
  • cargo test -p fakecloud-e2e --test ecr_cross_service — four tests pass (Linux path skipped on macOS as designed)
  • cargo test -p fakecloud-e2e --test ecs --test ecr --test ecr_oci --test lambda — no regressions
  • cargo clippy --workspace --all-targets -- -D warnings — clean
  • cargo fmt --all -- --check — clean
  • CI (Linux) runs the docker-push path of ecr_cross_service end-to-end

Summary by cubic

Wired fakecloud ECR into ECS and Lambda image pulls so images pushed to the local OCI v2 registry can be referenced by AWS ECR URIs and run end to end. Tightened URI detection, digest handling, and env var rewriting for a smoother AWS-like flow.

  • New Features

    • Added fakecloud_core::ecr_uri to translate <acct>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag|@sha256] to 127.0.0.1:<port>/<repo>[:tag|@sha256].
    • fakecloud-ecs pulls via the local registry for ECR URIs, retags to the AWS name, and uses an isolated DOCKER_CONFIG with Basic auth.
    • fakecloud-lambda supports PackageType=Image: stores Code.ImageUri, returns it in GetFunction, pulls via the same translator, and rejects Image without ImageUri.
    • fakecloud-server passes the bound port to both runtimes; new E2E test verifies push-to-ECR → ECS RunTask; ECS docs updated.
  • Bug Fixes

    • Restored env-var rewriting for localhost → host.docker.internal in the ECS runtime.
    • Digest-pinned refs (@sha256) skip retagging; ECS and Lambda run under the local 127.0.0.1 URI.
    • Code.ImageUri is parsed only for PackageType=Image; Zip functions ignore it.
    • ECR URI detection is host-anchored to avoid false positives.

Written for commit 26cf0fd. Summary will update on new commits.

The flagship cross-service integration: images pushed to fakecloud ECR
via the OCI v2 endpoint are now pulled and run by ECS tasks and Lambda
functions that reference them by AWS URI. This closes the "three
independent silos" gap called out in the tightening pass brief — ECR,
ECS, and Lambda now act as a real local AWS instead of unconnected
services that happen to coexist.

- New `fakecloud_core::ecr_uri::translate_to_local` recognises
  `<acct>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>` and translates
  to `127.0.0.1:<server-port>/<repo>:<tag>`. Shared between ECS + Lambda
  runtimes so they resolve identically.

- ECS runtime gets the server port at startup, pulls from fakecloud's
  local OCI v2 endpoint, retags to the AWS URI, runs. An isolated
  DOCKER_CONFIG tempdir carries Basic auth for `127.0.0.1:<port>` so
  pulls work without mutating the user's `~/.docker/config.json` or
  requiring a prior `aws ecr get-login-password | docker login`.

- Lambda gains real `PackageType=Image` support: `Code.ImageUri` is
  parsed, stored on `LambdaFunction`, surfaced in `function_config_json`
  / `GetFunction` responses with `RepositoryType=ECR`, and runs through
  a new `start_image_container` path that pulls via the same ECR
  translator and skips the zip extraction / `docker cp` step. Rejects
  `PackageType=Image` without `ImageUri` with
  `InvalidParameterValueException`, matching AWS.

- New `tests/ecr_cross_service.rs` covers the loop end-to-end: push an
  alpine image to fakecloud ECR via real `docker push`, then RunTask
  against the AWS URI and assert the captured stdout. Gated on Linux
  (CI) since Docker Desktop on macOS runs the daemon in a VM that
  can't reach `127.0.0.1:<port>` without `insecure-registries` config;
  on macOS the test skips with a clear message. Non-docker tests
  cover `ImageUri` roundtrip and the missing-URI rejection.

- Docs: `website/content/docs/services/ecs.md` now documents the
  transparent fakecloud ECR pull path for both ECS tasks and Lambda
  Image functions.

codecov Bot commented Apr 24, 2026

Codecov Report

❌ Patch coverage is 30.17544% with 199 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| crates/fakecloud-lambda/src/runtime.rs | 0.00% | 143 Missing ⚠️ |
| crates/fakecloud-ecs/src/runtime.rs | 17.02% | 39 Missing ⚠️ |
| crates/fakecloud-lambda/src/service.rs | 57.57% | 14 Missing ⚠️ |
| crates/fakecloud-server/src/main.rs | 0.00% | 3 Missing ⚠️ |


@cubic-dev-ai cubic-dev-ai Bot left a comment


5 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/fakecloud-lambda/src/service.rs">

<violation number="1" location="crates/fakecloud-lambda/src/service.rs:98">
P2: `Code.ImageUri` is accepted for non-image functions, which can make `GetFunction` return ECR code metadata for `PackageType=Zip` functions.</violation>
</file>

<file name="crates/fakecloud-ecs/src/runtime.rs">

<violation number="1" location="crates/fakecloud-ecs/src/runtime.rs:210">
P1: `localhost` URL rewriting was accidentally removed and replaced with duplicate `127.0.0.1` replacements, so container env vars using `localhost` will not be translated to `host.docker.internal`.</violation>
</file>

<file name="crates/fakecloud-core/src/ecr_uri.rs">

<violation number="1" location="crates/fakecloud-core/src/ecr_uri.rs:15">
P2: Validate the registry host before classifying an image as private ECR; the current substring check can misroute non-ECR images that contain those tokens in the repository path.</violation>

<violation number="2" location="crates/fakecloud-core/src/ecr_uri.rs:33">
P1: Preserving digest refs here breaks downstream retagging; the ECS/Lambda runtimes use `docker tag ... <aws-uri>`, which cannot target `@sha256` references.</violation>
</file>

<file name="website/content/docs/services/ecs.md">

<violation number="1" location="website/content/docs/services/ecs.md:55">
P3: Clarify the platform caveat here: the ECR pull is not daemon-config-free on every Docker setup (macOS Docker Desktop still needs insecure-registry support).</violation>
</file>

… ImageUri scope, host anchoring

- P1: restore `localhost` env-var -> `host.docker.internal` rewriting in
  the ECS runtime; my earlier `localhost` -> `127.0.0.1` sweep
  accidentally replaced the `localhost` branch with a duplicate
  `127.0.0.1` branch.
- P1: digest-pinned ECR refs (`repo@sha256:...`) can't be `docker tag`
  targets. `is_digest_ref` detects them; the ECS + Lambda runtimes
  skip the retag and run the container under the local 127.0.0.1 URI
  instead. Cosmetic tradeoff vs. failing the pull outright.
- P2: `Code.ImageUri` is now only parsed for `PackageType=Image`
  functions. Zip-package functions that accidentally pass ImageUri no
  longer round-trip ECR metadata via GetFunction.
- P2: `is_aws_ecr_uri` anchors on the registry host (split at first
  `/`, then check `ends_with(".amazonaws.com")`). Paths that happen to
  contain the ECR tokens as a substring no longer misclassify.
- P3: ECS doc clarifies the Linux-vs-Docker-Desktop caveat for the
  transparent ECR pull path.
@vieiralucas vieiralucas merged commit 32e655b into main Apr 24, 2026
19 checks passed
@vieiralucas vieiralucas deleted the worktree-ecr-ecs-tighten-batch1 branch April 24, 2026 11:11
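
The host-anchored detection, digest check and URI translation discussed in this PR, as an added Rust sketch that is not fakecloud's source. The function names come from the PR text; the signatures, bodies, sample references and port 4566 are assumptions.

```rust
// Added sketch, not fakecloud's code. Names follow the PR text;
// signatures and bodies are assumptions.

/// The substring check flagged in review: matches the ECR tokens anywhere.
fn is_aws_ecr_uri_substring(image: &str) -> bool {
    image.contains(".dkr.ecr.") && image.contains(".amazonaws.com")
}

/// Host-anchored check: split at the first '/', then inspect only the host.
fn is_aws_ecr_uri(image: &str) -> bool {
    match image.split_once('/') {
        Some((host, repo)) => {
            !repo.is_empty() && host.contains(".dkr.ecr.") && host.ends_with(".amazonaws.com")
        }
        None => false,
    }
}

/// Digest-pinned refs (`repo@sha256:...`) cannot be `docker tag` targets.
fn is_digest_ref(image: &str) -> bool {
    image.contains("@sha256:")
}

/// Rewrite the registry host to the local endpoint; keep repo and tag/digest.
fn translate_to_local(image: &str, port: u16) -> Option<String> {
    if !is_aws_ecr_uri(image) {
        return None;
    }
    let (_, rest) = image.split_once('/')?;
    Some(format!("127.0.0.1:{port}/{rest}"))
}

fn main() {
    // Constructed sample references; account id, region and port are made up.
    let refs = [
        "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest",
        "123456789012.dkr.ecr.us-east-1.amazonaws.com/app@sha256:0123abcd",
        "registry.example/mirror/x.dkr.ecr.us-east-1.amazonaws.com/app:1",
        "alpine:3.19",
    ];
    for r in refs {
        println!(
            "{r}\n  substring={} anchored={} digest={} local={:?}",
            is_aws_ecr_uri_substring(r), is_aws_ecr_uri(r), is_digest_ref(r),
            translate_to_local(r, 4566)
        );
    }
}
```

The third sample is the misrouting case: the substring check classifies it as private ECR, while the anchored check leaves it to be pulled from its real registry.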