Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path. Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart. Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path. Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.
2026-03-19 14:51:25 -03:00 · 2026-03-19 14:51:25 -03:00 · 3ed78fdcfc
commit 3ed78fdcfc
parent c8d9a122f9
42 changed files with 2222 additions and 388 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -22,6 +22,7 @@ type fileConfig struct {
 	SSHKeyPath         string `toml:"ssh_key_path"`
 	NamegenPath        string `toml:"namegen_path"`
 	CustomizeScript    string `toml:"customize_script"`
+	VSockAgent         string `toml:"vsock_agent_path"`
 	VSockPingHelper    string `toml:"vsock_ping_helper_path"`
 	DefaultWorkSeed    string `toml:"default_work_seed"`
 	DefaultImageName   string `toml:"default_image_name"`
@ -83,17 +84,16 @@ func Load(layout paths.Layout) (model.DaemonConfig, error) {
 	if file.LogLevel != "" {
 		cfg.LogLevel = file.LogLevel
 	}
-	if file.SSHKeyPath != "" {
-		cfg.SSHKeyPath = file.SSHKeyPath
-	}
 	if file.NamegenPath != "" {
 		cfg.NamegenPath = file.NamegenPath
 	}
 	if file.CustomizeScript != "" {
 		cfg.CustomizeScript = file.CustomizeScript
 	}
-	if file.VSockPingHelper != "" {
-		cfg.VSockPingHelperPath = file.VSockPingHelper
+	if file.VSockAgent != "" {
+		cfg.VSockAgentPath = file.VSockAgent
+	} else if file.VSockPingHelper != "" {
+		cfg.VSockAgentPath = file.VSockPingHelper
 	}
 	if file.DefaultWorkSeed != "" {
 		cfg.DefaultWorkSeed = file.DefaultWorkSeed
@ -197,7 +197,7 @@ func applyBundleMetadataDefaults(cfg *model.DaemonConfig, runtimeDir string, met
 	cfg.SSHKeyPath = defaultRuntimePath(cfg.SSHKeyPath, runtimeDir, meta.SSHKeyPath)
 	cfg.NamegenPath = defaultRuntimePath(cfg.NamegenPath, runtimeDir, meta.NamegenPath)
 	cfg.CustomizeScript = defaultRuntimePath(cfg.CustomizeScript, runtimeDir, meta.CustomizeScript)
-	cfg.VSockPingHelperPath = defaultRuntimePath(cfg.VSockPingHelperPath, runtimeDir, meta.VSockPingHelperPath)
+	cfg.VSockAgentPath = defaultRuntimePath(cfg.VSockAgentPath, runtimeDir, meta.VSockAgentPath)
 	cfg.DefaultWorkSeed = defaultRuntimePath(cfg.DefaultWorkSeed, runtimeDir, meta.DefaultWorkSeed)
 	cfg.DefaultKernel = defaultRuntimePath(cfg.DefaultKernel, runtimeDir, meta.DefaultKernel)
 	cfg.DefaultInitrd = defaultRuntimePath(cfg.DefaultInitrd, runtimeDir, meta.DefaultInitrd)
@ -212,7 +212,10 @@ func applyLegacyRuntimeDefaults(cfg *model.DaemonConfig) {
 	cfg.SSHKeyPath = defaultRuntimePath(cfg.SSHKeyPath, cfg.RuntimeDir, "id_ed25519")
 	cfg.NamegenPath = defaultRuntimePath(cfg.NamegenPath, cfg.RuntimeDir, "namegen")
 	cfg.CustomizeScript = defaultRuntimePath(cfg.CustomizeScript, cfg.RuntimeDir, "customize.sh")
-	cfg.VSockPingHelperPath = defaultRuntimePath(cfg.VSockPingHelperPath, cfg.RuntimeDir, "banger-vsock-pingd")
+	cfg.VSockAgentPath = firstExistingRuntimePath(
+		defaultRuntimePath(cfg.VSockAgentPath, cfg.RuntimeDir, "banger-vsock-agent"),
+		filepath.Join(cfg.RuntimeDir, "banger-vsock-pingd"),
+	)
 	cfg.DefaultWorkSeed = defaultRuntimePath(cfg.DefaultWorkSeed, cfg.RuntimeDir, "rootfs-docker.work-seed.ext4")
 	cfg.DefaultKernel = defaultRuntimePath(cfg.DefaultKernel, cfg.RuntimeDir, "wtf/root/boot/vmlinux-6.8.0-94-generic")
 	cfg.DefaultInitrd = defaultRuntimePath(cfg.DefaultInitrd, cfg.RuntimeDir, "wtf/root/boot/initrd.img-6.8.0-94-generic")
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -13,24 +13,24 @@ import (
 func TestLoadDerivesArtifactPathsFromRuntimeDir(t *testing.T) {
 	runtimeDir := t.TempDir()
 	meta := runtimebundle.BundleMetadata{
-		FirecrackerBin:      "bin/firecracker",
-		SSHKeyPath:          "keys/id_ed25519",
-		NamegenPath:         "bin/namegen",
-		CustomizeScript:     "scripts/customize.sh",
-		VSockPingHelperPath: "bin/banger-vsock-pingd",
-		DefaultPackages:     "config/packages.apt",
-		DefaultRootfs:       "images/rootfs-docker.ext4",
-		DefaultWorkSeed:     "images/rootfs-docker.work-seed.ext4",
-		DefaultKernel:       "kernels/vmlinux",
-		DefaultInitrd:       "kernels/initrd.img",
-		DefaultModulesDir:   "modules/current",
+		FirecrackerBin:    "bin/firecracker",
+		SSHKeyPath:        "keys/id_ed25519",
+		NamegenPath:       "bin/namegen",
+		CustomizeScript:   "scripts/customize.sh",
+		VSockAgentPath:    "bin/banger-vsock-agent",
+		DefaultPackages:   "config/packages.apt",
+		DefaultRootfs:     "images/rootfs-docker.ext4",
+		DefaultWorkSeed:   "images/rootfs-docker.work-seed.ext4",
+		DefaultKernel:     "kernels/vmlinux",
+		DefaultInitrd:     "kernels/initrd.img",
+		DefaultModulesDir: "modules/current",
 	}
 	for _, rel := range []string{
 		meta.FirecrackerBin,
 		meta.SSHKeyPath,
 		meta.NamegenPath,
 		meta.CustomizeScript,
-		meta.VSockPingHelperPath,
+		meta.VSockAgentPath,
 		meta.DefaultPackages,
 		meta.DefaultRootfs,
 		meta.DefaultWorkSeed,
@ -75,8 +75,8 @@ func TestLoadDerivesArtifactPathsFromRuntimeDir(t *testing.T) {
 	if cfg.CustomizeScript != filepath.Join(runtimeDir, meta.CustomizeScript) {
 		t.Fatalf("CustomizeScript = %q", cfg.CustomizeScript)
 	}
-	if cfg.VSockPingHelperPath != filepath.Join(runtimeDir, meta.VSockPingHelperPath) {
-		t.Fatalf("VSockPingHelperPath = %q", cfg.VSockPingHelperPath)
+	if cfg.VSockAgentPath != filepath.Join(runtimeDir, meta.VSockAgentPath) {
+		t.Fatalf("VSockAgentPath = %q", cfg.VSockAgentPath)
 	}
 	if cfg.DefaultRootfs != filepath.Join(runtimeDir, meta.DefaultRootfs) {
 		t.Fatalf("DefaultRootfs = %q", cfg.DefaultRootfs)
@ -108,7 +108,7 @@ func TestLoadFallsBackToLegacyRuntimeLayoutWithoutBundleMetadata(t *testing.T) {
 		"id_ed25519",
 		"namegen",
 		"customize.sh",
-		"banger-vsock-pingd",
+		"banger-vsock-agent",
 		"packages.apt",
 		"rootfs-docker.ext4",
 		"rootfs-docker.work-seed.ext4",
@ -134,8 +134,8 @@ func TestLoadFallsBackToLegacyRuntimeLayoutWithoutBundleMetadata(t *testing.T) {
 	if cfg.FirecrackerBin != filepath.Join(runtimeDir, "firecracker") {
 		t.Fatalf("FirecrackerBin = %q", cfg.FirecrackerBin)
 	}
-	if cfg.VSockPingHelperPath != filepath.Join(runtimeDir, "banger-vsock-pingd") {
-		t.Fatalf("VSockPingHelperPath = %q", cfg.VSockPingHelperPath)
+	if cfg.VSockAgentPath != filepath.Join(runtimeDir, "banger-vsock-agent") {
+		t.Fatalf("VSockAgentPath = %q", cfg.VSockAgentPath)
 	}
 	if cfg.DefaultWorkSeed != filepath.Join(runtimeDir, "rootfs-docker.work-seed.ext4") {
 		t.Fatalf("DefaultWorkSeed = %q", cfg.DefaultWorkSeed)
@ -167,3 +167,125 @@ func TestLoadDefaultsLogLevelToInfo(t *testing.T) {
 		t.Fatalf("LogLevel = %q, want info", cfg.LogLevel)
 	}
 }
+
+func TestLoadIgnoresConfigSSHKeyOverrideForGuestAccess(t *testing.T) {
+	runtimeDir := t.TempDir()
+	meta := runtimebundle.BundleMetadata{
+		FirecrackerBin:    "bin/firecracker",
+		SSHKeyPath:        "keys/id_ed25519",
+		NamegenPath:       "bin/namegen",
+		CustomizeScript:   "scripts/customize.sh",
+		VSockAgentPath:    "bin/banger-vsock-agent",
+		DefaultPackages:   "config/packages.apt",
+		DefaultRootfs:     "images/rootfs.ext4",
+		DefaultWorkSeed:   "images/rootfs.work-seed.ext4",
+		DefaultKernel:     "kernels/vmlinux",
+		DefaultModulesDir: "modules/current",
+	}
+	for _, rel := range []string{
+		meta.FirecrackerBin,
+		meta.SSHKeyPath,
+		meta.NamegenPath,
+		meta.CustomizeScript,
+		meta.VSockAgentPath,
+		meta.DefaultPackages,
+		meta.DefaultRootfs,
+		meta.DefaultWorkSeed,
+		meta.DefaultKernel,
+		filepath.Join(meta.DefaultModulesDir, "modules.dep"),
+	} {
+		path := filepath.Join(runtimeDir, rel)
+		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+			t.Fatalf("mkdir %s: %v", filepath.Dir(path), err)
+		}
+		if err := os.WriteFile(path, []byte("test"), 0o644); err != nil {
+			t.Fatalf("write %s: %v", path, err)
+		}
+	}
+	data, err := json.Marshal(meta)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(runtimeDir, runtimebundle.BundleMetadataFile), data, 0o644); err != nil {
+		t.Fatalf("write bundle metadata: %v", err)
+	}
+
+	configDir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(configDir, "config.toml"), []byte("ssh_key_path = \"/tmp/override-key\"\n"), 0o644); err != nil {
+		t.Fatalf("write config.toml: %v", err)
+	}
+
+	t.Setenv("BANGER_RUNTIME_DIR", runtimeDir)
+	cfg, err := Load(paths.Layout{ConfigDir: configDir})
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	want := filepath.Join(runtimeDir, meta.SSHKeyPath)
+	if cfg.SSHKeyPath != want {
+		t.Fatalf("SSHKeyPath = %q, want runtime key %q", cfg.SSHKeyPath, want)
+	}
+}
+
+func TestLoadAcceptsLegacyBundleVsockPingHelperPath(t *testing.T) {
+	runtimeDir := t.TempDir()
+	meta := runtimebundle.BundleMetadata{
+		FirecrackerBin:      "bin/firecracker",
+		SSHKeyPath:          "keys/id_ed25519",
+		NamegenPath:         "bin/namegen",
+		CustomizeScript:     "scripts/customize.sh",
+		VSockPingHelperPath: "bin/banger-vsock-pingd",
+		DefaultPackages:     "config/packages.apt",
+		DefaultRootfs:       "images/rootfs.ext4",
+		DefaultKernel:       "kernels/vmlinux",
+	}
+	for _, rel := range []string{
+		meta.FirecrackerBin,
+		meta.SSHKeyPath,
+		meta.NamegenPath,
+		meta.CustomizeScript,
+		meta.VSockPingHelperPath,
+		meta.DefaultPackages,
+		meta.DefaultRootfs,
+		meta.DefaultKernel,
+	} {
+		path := filepath.Join(runtimeDir, rel)
+		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+			t.Fatalf("mkdir %s: %v", filepath.Dir(path), err)
+		}
+		if err := os.WriteFile(path, []byte("test"), 0o644); err != nil {
+			t.Fatalf("write %s: %v", path, err)
+		}
+	}
+	data, err := json.Marshal(meta)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(runtimeDir, runtimebundle.BundleMetadataFile), data, 0o644); err != nil {
+		t.Fatalf("write bundle metadata: %v", err)
+	}
+
+	t.Setenv("BANGER_RUNTIME_DIR", runtimeDir)
+	cfg, err := Load(paths.Layout{ConfigDir: t.TempDir()})
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+	if cfg.VSockAgentPath != filepath.Join(runtimeDir, meta.VSockPingHelperPath) {
+		t.Fatalf("VSockAgentPath = %q", cfg.VSockAgentPath)
+	}
+}
+
+func TestLoadAcceptsLegacyConfigVsockPingHelperPath(t *testing.T) {
+	configDir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(configDir, "config.toml"), []byte("vsock_ping_helper_path = \"/tmp/legacy-agent\"\n"), 0o644); err != nil {
+		t.Fatalf("write config.toml: %v", err)
+	}
+
+	cfg, err := Load(paths.Layout{ConfigDir: configDir})
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+	if cfg.VSockAgentPath != "/tmp/legacy-agent" {
+		t.Fatalf("VSockAgentPath = %q", cfg.VSockAgentPath)
+	}
+}