Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path.

Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart.

Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path.

Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.

internal/vsockagent/vsockagent.go

@@ -0,0 +1,158 @@
+package vsockagent
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"net"
+	"net/http"
+	"time"
+
+	sdkvsock "github.com/firecracker-microvm/firecracker-go-sdk/vsock"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	Port             uint32 = 42070
+	HealthPath              = "/healthz"
+	HealthyStatus           = "ok"
+	GuestBinaryName         = "banger-vsock-agent"
+	GuestInstallPath        = "/usr/local/bin/" + GuestBinaryName
+	ServiceName             = "banger-vsock-agent.service"
+	serviceUnit             = `[Unit]
+Description=Banger vsock agent
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/banger-vsock-agent
+Restart=on-failure
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+`
+	modulesLoadConfig = "vsock\nvmw_vsock_virtio_transport\n"
+)
+
+type HealthResponse struct {
+	Status string `json:"status"`
+}
+
+func NewHandler() http.Handler {
+	mux := http.NewServeMux()
+	mux.HandleFunc(HealthPath, func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(HealthResponse{Status: HealthyStatus})
+	})
+	return mux
+}
+
+func Health(ctx context.Context, logger *slog.Logger, socketPath string) error {
+	transport := &http.Transport{
+		DisableKeepAlives: true,
+		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+			return sdkvsock.DialContext(
+				ctx,
+				socketPath,
+				Port,
+				sdkvsock.WithRetryTimeout(3*time.Second),
+				sdkvsock.WithRetryInterval(100*time.Millisecond),
+				sdkvsock.WithLogger(newLogger(logger)),
+			)
+		},
+	}
+	defer transport.CloseIdleConnections()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://vsock"+HealthPath, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := (&http.Client{Transport: transport}).Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
+		return fmt.Errorf("unexpected health status %d: %s", resp.StatusCode, string(body))
+	}
+	var payload HealthResponse
+	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+		return err
+	}
+	if payload.Status != HealthyStatus {
+		return fmt.Errorf("unexpected health response status %q", payload.Status)
+	}
+	if logger != nil {
+		logger.Debug("vsock health ok", "vsock_path", socketPath, "vsock_port", Port)
+	}
+	return nil
+}
+
+func ServiceUnit() string {
+	return serviceUnit
+}
+
+func ModulesLoadConfig() string {
+	return modulesLoadConfig
+}
+
+func ReminderMessage(name string) string {
+	return fmt.Sprintf("session ended; %s is still running (stop it with 'banger vm stop %s')", name, name)
+}
+
+func WarningMessage(name string, err error) string {
+	if err == nil {
+		return ""
+	}
+	return fmt.Sprintf("warning: failed to check whether %s is still running: %v", name, err)
+}
+
+func newLogger(base *slog.Logger) *logrus.Entry {
+	logger := logrus.New()
+	logger.SetOutput(io.Discard)
+	logger.SetLevel(logrus.DebugLevel)
+	logger.AddHook(slogHook{logger: base})
+	return logrus.NewEntry(logger)
+}
+
+type slogHook struct {
+	logger *slog.Logger
+}
+
+func (h slogHook) Levels() []logrus.Level {
+	return logrus.AllLevels
+}
+
+func (h slogHook) Fire(entry *logrus.Entry) error {
+	if h.logger == nil {
+		return nil
+	}
+	level := slog.LevelDebug
+	switch entry.Level {
+	case logrus.ErrorLevel, logrus.FatalLevel, logrus.PanicLevel:
+		level = slog.LevelError
+	case logrus.WarnLevel:
+		level = slog.LevelWarn
+	case logrus.InfoLevel:
+		level = slog.LevelInfo
+	}
+	attrs := make([]any, 0, len(entry.Data)*2)
+	for key, value := range entry.Data {
+		attrs = append(attrs, key, value)
+	}
+	h.logger.Log(context.Background(), level, entry.Message, attrs...)
+	return nil
+}
+
+func IsServerClosed(err error) bool {
+	return errors.Is(err, http.ErrServerClosed)
+}

internal/vsockagent/vsockagent_test.go

@@ -0,0 +1,133 @@
+package vsockagent
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"net"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestNewHandlerHealthz(t *testing.T) {
+	t.Parallel()
+
+	req, err := http.NewRequest(http.MethodGet, HealthPath, nil)
+	if err != nil {
+		t.Fatalf("NewRequest: %v", err)
+	}
+	rr := newTestResponseRecorder()
+	NewHandler().ServeHTTP(rr, req)
+
+	if rr.status != http.StatusOK {
+		t.Fatalf("status = %d, want %d", rr.status, http.StatusOK)
+	}
+	if got := rr.headers.Get("Content-Type"); got != "application/json" {
+		t.Fatalf("content-type = %q", got)
+	}
+	var payload HealthResponse
+	if err := json.Unmarshal(rr.body.Bytes(), &payload); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if payload.Status != HealthyStatus {
+		t.Fatalf("status = %q, want %q", payload.Status, HealthyStatus)
+	}
+}
+
+func TestHealth(t *testing.T) {
+	t.Parallel()
+
+	dir := t.TempDir()
+	socketPath := filepath.Join(dir, "fc.vsock")
+	listener, err := net.Listen("unix", socketPath)
+	if err != nil {
+		t.Fatalf("Listen: %v", err)
+	}
+	defer listener.Close()
+
+	done := make(chan error, 1)
+	go func() {
+		conn, err := listener.Accept()
+		if err != nil {
+			done <- err
+			return
+		}
+		defer conn.Close()
+
+		buf := make([]byte, 0, 256)
+		tmp := make([]byte, 256)
+		for {
+			n, err := conn.Read(tmp)
+			if err != nil {
+				done <- err
+				return
+			}
+			buf = append(buf, tmp[:n]...)
+			if strings.Contains(string(buf), "\n") {
+				break
+			}
+		}
+		if got := string(buf); got != "CONNECT 42070\n" {
+			done <- unexpectedStringError(got)
+			return
+		}
+		if _, err := conn.Write([]byte("OK 55\n")); err != nil {
+			done <- err
+			return
+		}
+
+		buf = buf[:0]
+		for {
+			n, err := conn.Read(tmp)
+			if err != nil {
+				done <- err
+				return
+			}
+			buf = append(buf, tmp[:n]...)
+			if strings.Contains(string(buf), "\r\n\r\n") {
+				break
+			}
+		}
+		req := string(buf)
+		if !strings.Contains(req, "GET /healthz HTTP/1.1\r\n") {
+			done <- unexpectedStringError(req)
+			return
+		}
+		_, err = conn.Write([]byte("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 15\r\n\r\n{\"status\":\"ok\"}"))
+		done <- err
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	if err := Health(ctx, nil, socketPath); err != nil {
+		t.Fatalf("Health: %v", err)
+	}
+	if err := <-done; err != nil {
+		t.Fatalf("server: %v", err)
+	}
+}
+
+type testResponseRecorder struct {
+	headers http.Header
+	body    bytes.Buffer
+	status  int
+}
+
+func newTestResponseRecorder() *testResponseRecorder {
+	return &testResponseRecorder{headers: make(http.Header), status: http.StatusOK}
+}
+
+func (r *testResponseRecorder) Header() http.Header { return r.headers }
+
+func (r *testResponseRecorder) Write(data []byte) (int, error) { return r.body.Write(data) }
+
+func (r *testResponseRecorder) WriteHeader(status int) { r.status = status }
+
+type unexpectedStringError string
+
+func (e unexpectedStringError) Error() string {
+	return "unexpected string: " + string(e)
+}