feat: auto-pull images in broker when creating containers

echobt · echobt · commit f0ef63df4ac3 · 2026-01-04T23:42:14.000Z
When creating a container, the broker now checks if the image exists
locally and automatically pulls it if necessary. This prevents
'No such image' errors when task images haven't been pre-pulled.

The ensure_image() method:
1. Checks if image exists locally via inspect
2. If not found (404), pulls the image
3. Returns any errors for proper handling
diff --git a/crates/secure-container-runtime/src/broker.rs b/crates/secure-container-runtime/src/broker.rs
@@ -234,6 +234,23 @@ impl ContainerBroker {
             return Response::error(request_id, e);
         }
 
+        // Auto-pull image if it doesn't exist locally
+        if let Err(e) = self.ensure_image(&config.image).await {
+            self.audit(
+                AuditAction::ImagePull,
+                &config.challenge_id,
+                &config.owner_id,
+                None,
+                false,
+                Some(e.to_string()),
+            )
+            .await;
+            return Response::error(
+                request_id.clone(),
+                ContainerError::DockerError(e.to_string()),
+            );
+        }
+
         // Check container limits
         {
             let by_challenge = self.containers_by_challenge.read().await;
@@ -811,6 +828,50 @@ impl ContainerBroker {
         }
     }
 
+    /// Ensure an image exists locally, pulling it if necessary
+    async fn ensure_image(&self, image: &str) -> anyhow::Result<()> {
+        // Check if image exists locally
+        match self.docker.inspect_image(image).await {
+            Ok(_) => {
+                debug!(image = %image, "Image already exists locally");
+                return Ok(());
+            }
+            Err(bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, ..
+            }) => {
+                // Image not found, need to pull
+                info!(image = %image, "Image not found locally, pulling...");
+            }
+            Err(e) => {
+                return Err(anyhow::anyhow!("Failed to inspect image: {}", e));
+            }
+        }
+
+        // Pull the image
+        let options = CreateImageOptions {
+            from_image: image,
+            ..Default::default()
+        };
+
+        let mut stream = self.docker.create_image(Some(options), None, None);
+
+        while let Some(result) = stream.next().await {
+            match result {
+                Ok(info) => {
+                    if let Some(status) = info.status {
+                        debug!(image = %image, status = %status, "Pull progress");
+                    }
+                }
+                Err(e) => {
+                    return Err(anyhow::anyhow!("Failed to pull image: {}", e));
+                }
+            }
+        }
+
+        info!(image = %image, "Image pulled successfully");
+        Ok(())
+    }
+
     /// Ensure the challenge network exists
     async fn ensure_network(&self) -> anyhow::Result<()> {
         let networks = self.docker.list_networks::<String>(None).await?;
