Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path. Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart. Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path. Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.
2026-03-19 14:51:25 -03:00 · 2026-03-19 14:51:25 -03:00 · 3ed78fdcfc
commit 3ed78fdcfc
parent c8d9a122f9
42 changed files with 2222 additions and 388 deletions
--- a/verify.sh
+++ b/verify.sh
@ -22,6 +22,17 @@ if [[ ! -f "$SSH_KEY" ]]; then
  exit 1
 fi
 DAEMON_LOG="${XDG_STATE_HOME:-$HOME/.local/state}/banger/bangerd.log"
+SSH_COMMON_ARGS=(
+  -F /dev/null
+  -i "$SSH_KEY"
+  -o IdentitiesOnly=yes
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o PasswordAuthentication=no
+  -o KbdInteractiveAuthentication=no
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+)

 firecracker_running() {
  local pid="$1"
@ -48,8 +59,7 @@ wait_for_ssh() {
  local deadline="$2"

  while ((SECONDS < deadline)); do
-    if ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-      -o ConnectTimeout=2 "root@${guest_ip}" "true" >/dev/null 2>&1; then
+    if ssh "${SSH_COMMON_ARGS[@]}" -o ConnectTimeout=2 "root@${guest_ip}" "true" >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
@ -127,23 +137,37 @@ dump_diagnostics() {

 usage() {
  cat <<'EOF'
-Usage: ./verify.sh [--nat]
+Usage: ./verify.sh [--nat] [--image <name>]

 Run a basic smoke test for the Go VM workflow.
 Use --nat to additionally verify outbound NAT and host rule cleanup.
+Use --image to verify a non-default image such as void-exp.
 EOF
 }

 NAT_ENABLED=0
+IMAGE_NAME=""
 BOOT_TIMEOUT_SECS="${VERIFY_BOOT_TIMEOUT_SECS:-90}"
-if [[ "${1:-}" == "--nat" ]]; then
-  NAT_ENABLED=1
-  shift
-fi
-if (($# != 0)); then
-  usage
-  exit 1
-fi
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --nat)
+      NAT_ENABLED=1
+      shift
+      ;;
+    --image)
+      IMAGE_NAME="${2:-}"
+      if [[ -z "$IMAGE_NAME" ]]; then
+        usage
+        exit 1
+      fi
+      shift 2
+      ;;
+    *)
+      usage
+      exit 1
+      ;;
+  esac
+done

 VM_NAME="verify-$(date +%s)"
 VM_JSON=""
@ -172,6 +196,9 @@ trap cleanup EXIT

 log "starting VM"
 CREATE_ARGS=(./banger vm create --name "$VM_NAME")
+if [[ -n "$IMAGE_NAME" ]]; then
+  CREATE_ARGS+=(--image "$IMAGE_NAME")
+fi
 if (( NAT_ENABLED )); then
  CREATE_ARGS+=(--nat)
 fi
@ -211,13 +238,11 @@ if ! wait_for_ssh "$GUEST_IP" "$BOOT_DEADLINE"; then
  dump_diagnostics
  exit 1
 fi
-ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-  "root@${GUEST_IP}" "uname -a" >/dev/null
+ssh "${SSH_COMMON_ARGS[@]}" "root@${GUEST_IP}" "uname -a" >/dev/null

 if (( NAT_ENABLED )); then
  log "asserting VM has outbound network access"
-  ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-    "root@${GUEST_IP}" "curl -fsS https://example.com >/dev/null" >/dev/null
+  ssh "${SSH_COMMON_ARGS[@]}" "root@${GUEST_IP}" "curl -fsS https://example.com >/dev/null" >/dev/null
 fi

 log "cleaning up VM"