Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path. Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart. Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path. Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.
2026-03-19 14:51:25 -03:00 · 2026-03-19 14:51:25 -03:00 · 3ed78fdcfc
commit 3ed78fdcfc
parent c8d9a122f9
42 changed files with 2222 additions and 388 deletions
--- a/internal/guest/ssh.go
+++ b/internal/guest/ssh.go
@ -129,6 +129,14 @@ func privateKeySigner(path string) (ssh.Signer, error) {
 	return ssh.ParsePrivateKey(data)
 }

+func AuthorizedPublicKey(path string) ([]byte, error) {
+	signer, err := privateKeySigner(path)
+	if err != nil {
+		return nil, err
+	}
+	return ssh.MarshalAuthorizedKey(signer.PublicKey()), nil
+}
+
 func shellQuote(value string) string {
 	return "'" + strings.ReplaceAll(value, "'", `'"'"'`) + "'"
 }
--- a/internal/guest/ssh_test.go
+++ b/internal/guest/ssh_test.go
@ -3,10 +3,16 @@ package guest
 import (
 	"archive/tar"
 	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"io"
 	"os"
 	"path/filepath"
 	"testing"
+
+	"golang.org/x/crypto/ssh"
 )

 func TestWriteTarArchiveKeepsTopLevelDirectory(t *testing.T) {
@ -56,3 +62,32 @@ func TestWriteTarArchiveKeepsTopLevelDirectory(t *testing.T) {
 		}
 	}
 }
+
+func TestAuthorizedPublicKey(t *testing.T) {
+	t.Parallel()
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+	})
+	keyPath := filepath.Join(t.TempDir(), "id_rsa")
+	if err := os.WriteFile(keyPath, privateKeyPEM, 0o600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	publicKey, err := AuthorizedPublicKey(keyPath)
+	if err != nil {
+		t.Fatalf("AuthorizedPublicKey: %v", err)
+	}
+	parsed, _, _, _, err := ssh.ParseAuthorizedKey(publicKey)
+	if err != nil {
+		t.Fatalf("ParseAuthorizedKey: %v", err)
+	}
+	if parsed.Type() != ssh.KeyAlgoRSA {
+		t.Fatalf("key type = %q, want %q", parsed.Type(), ssh.KeyAlgoRSA)
+	}
+}