Phase B-2: pre-inject banger guest agents into pulled rootfs
New imagepull.InjectGuestAgents writes banger's guest-side assets straight into the pulled ext4 so systemd will start them at first boot: /usr/local/bin/banger-vsock-agent (binary, 0755) /usr/local/libexec/banger-network-bootstrap (script, 0755) /etc/systemd/system/banger-network.service (unit, 0644) /etc/systemd/system/banger-vsock-agent.service (unit, 0644) /etc/modules-load.d/banger-vsock.conf (modules, 0644) plus enable-at-boot symlinks under /etc/systemd/system/multi-user.target.wants/ All writes + ownership + symlinks go through one `debugfs -w -f -` invocation. No sudo required because the caller owns the ext4 file. Script is deterministic: shallow-first mkdir, then write, then sif, then symlink. "File exists" errors from mkdir on already-present dirs are tolerated (debugfs keeps going past them with -f, and we filter them out of the output scan). Asset content reuses the existing guestnet.BootstrapScript / SystemdServiceUnit / ConfigPath and vsockagent.ServiceUnit / ModulesLoadConfig / GuestInstallPath — one source of truth, no duplicated systemd unit strings. Daemon wiring: new d.finalizePulledRootfs seam runs both ApplyOwnership (B-1) and InjectGuestAgents as one phase between BuildExt4 and StageBootArtifacts. The companion vsock-agent binary is resolved via paths.CompanionBinaryPath. Existing daemon tests stub the seam with a no-op to avoid needing a real companion binary + debugfs in the test harness. Tests: real-ext4 round-trip that builds a minimal ext4, runs InjectGuestAgents, then verifies every expected path is present via `debugfs stat`, plus uid=0 and mode 0755 on the vsock-agent binary. Also: missing-binary rejection, ancestor-collection order test. debugfs/mkfs.ext4 tests skip on hosts without the binaries. After B-1+B-2, any OCI image that already ships sshd boots with banger-network and banger-vsock-agent running; image pull is one step from "useful rootfs primitive". B-3 (first-boot sshd install) unlocks images that don't ship sshd. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
43982a4ae3
commit
491c8e1ebb
5 changed files with 393 additions and 18 deletions
|
|
@ -39,6 +39,12 @@ func writeFakeKernelTriple(t *testing.T) (kernelPath, initrdPath, modulesDir str
|
|||
return
|
||||
}
|
||||
|
||||
// stubFinalizePulledRootfs is a no-op seam substitute that skips the real
|
||||
// debugfs + vsock-agent-binary injection machinery during daemon tests.
|
||||
func stubFinalizePulledRootfs(_ context.Context, _ string, _ imagepull.Metadata) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// stubPullAndFlatten writes a fixed file tree into destDir, simulating a
|
||||
// successful OCI pull without the network or tarball machinery.
|
||||
func stubPullAndFlatten(_ context.Context, _ string, _ string, destDir string) (imagepull.Metadata, error) {
|
||||
|
|
@ -65,10 +71,11 @@ func TestPullImageHappyPath(t *testing.T) {
|
|||
kernel, initrd, modules := writeFakeKernelTriple(t)
|
||||
|
||||
d := &Daemon{
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: cacheDir},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: cacheDir},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
finalizePulledRootfs: stubFinalizePulledRootfs,
|
||||
}
|
||||
|
||||
image, err := d.PullImage(context.Background(), api.ImagePullParams{
|
||||
|
|
@ -109,10 +116,11 @@ func TestPullImageRejectsExistingName(t *testing.T) {
|
|||
kernel, _, _ := writeFakeKernelTriple(t)
|
||||
|
||||
d := &Daemon{
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
finalizePulledRootfs: stubFinalizePulledRootfs,
|
||||
}
|
||||
// Seed a preexisting image with the would-be derived name.
|
||||
id, _ := model.NewID()
|
||||
|
|
@ -136,10 +144,11 @@ func TestPullImageRejectsExistingName(t *testing.T) {
|
|||
|
||||
func TestPullImageRequiresKernel(t *testing.T) {
|
||||
d := &Daemon{
|
||||
layout: paths.Layout{ImagesDir: t.TempDir(), OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
layout: paths.Layout{ImagesDir: t.TempDir(), OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: stubPullAndFlatten,
|
||||
finalizePulledRootfs: stubFinalizePulledRootfs,
|
||||
}
|
||||
_, err := d.PullImage(context.Background(), api.ImagePullParams{
|
||||
Ref: "docker.io/library/debian:bookworm",
|
||||
|
|
@ -157,10 +166,11 @@ func TestPullImageCleansStagingOnFailure(t *testing.T) {
|
|||
}
|
||||
|
||||
d := &Daemon{
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: failureSeam,
|
||||
layout: paths.Layout{ImagesDir: imagesDir, OCICacheDir: t.TempDir()},
|
||||
store: openDaemonStore(t),
|
||||
runner: system.NewRunner(),
|
||||
pullAndFlatten: failureSeam,
|
||||
finalizePulledRootfs: stubFinalizePulledRootfs,
|
||||
}
|
||||
_, err := d.PullImage(context.Background(), api.ImagePullParams{
|
||||
Ref: "docker.io/library/debian:bookworm",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue