Remove runtime-bundle image dependencies

Hard-cut banger away from source-checkout runtime bundles as an implicit source of\nimage and host defaults. Managed images now own their full boot set,\nimage build starts from an existing registered image, and daemon startup\nno longer synthesizes a default image from host paths.\n\nResolve Firecracker from PATH or firecracker_bin, make SSH keys config-owned\nwith an auto-managed XDG default, replace the external name generator and\npackage manifests with Go code, and keep the vsock helper as a companion\nbinary instead of a user-managed runtime asset.\n\nUpdate the manual scripts, web/CLI forms, config surface, and docs around\nthe new build/manual flow and explicit image registration semantics.\n\nValidation: GOCACHE=/tmp/banger-gocache go test ./..., bash -n scripts/*.sh,\nand make build.
2026-03-21 18:34:53 -03:00 · 2026-03-21 18:34:53 -03:00 · 572bf32424
commit 572bf32424
parent 01c7cb5e65
44 changed files with 1194 additions and 3456 deletions
--- a/internal/daemon/vm_test.go
+++ b/internal/daemon/vm_test.go
@ -4,13 +4,14 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
 	"net"
 	"net/http"
-	"net/http/httptest"
 	"os"
 	"os/exec"
 	"path/filepath"
@ -183,6 +184,7 @@ func TestRebuildDNSIncludesOnlyLiveRunningVMs(t *testing.T) {

 	server, err := vmdns.New("127.0.0.1:0", nil)
 	if err != nil {
+		skipIfSocketRestricted(t, err)
 		t.Fatalf("vmdns.New: %v", err)
 	}
 	t.Cleanup(func() {
@ -274,6 +276,7 @@ func TestHealthVMReturnsHealthyForRunningGuest(t *testing.T) {
 	vsockSock := filepath.Join(t.TempDir(), "fc.vsock")
 	listener, err := net.Listen("unix", vsockSock)
 	if err != nil {
+		skipIfSocketRestricted(t, err)
 		t.Fatalf("listen vsock: %v", err)
 	}
 	t.Cleanup(func() {
@ -367,6 +370,7 @@ func TestPingVMAliasReturnsAliveForHealthyVM(t *testing.T) {
 	vsockSock := filepath.Join(t.TempDir(), "fc.vsock")
 	listener, err := net.Listen("unix", vsockSock)
 	if err != nil {
+		skipIfSocketRestricted(t, err)
 		t.Fatalf("listen vsock: %v", err)
 	}
 	t.Cleanup(func() {
@ -441,32 +445,17 @@ func TestPortsVMReturnsEnrichedPortsAndWebSchemes(t *testing.T) {
 		_ = fake.Wait()
 	})

-	webServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	webAddr := startHTTPServerOnTCP4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNoContent)
 	}))
-	t.Cleanup(webServer.Close)
-	webAddr, err := net.ResolveTCPAddr("tcp", strings.TrimPrefix(webServer.URL, "http://"))
-	if err != nil {
-		t.Fatalf("ResolveTCPAddr: %v", err)
-	}
-	tlsServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	tlsAddr := startHTTPSServerOnTCP4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusAccepted)
 	}))
-	tlsListener, err := net.Listen("tcp4", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("listen tls: %v", err)
-	}
-	tlsServer.Listener = tlsListener
-	tlsServer.StartTLS()
-	t.Cleanup(tlsServer.Close)
-	tlsAddr, err := net.ResolveTCPAddr("tcp", strings.TrimPrefix(tlsServer.URL, "https://"))
-	if err != nil {
-		t.Fatalf("ResolveTCPAddr(tls): %v", err)
-	}

 	vsockSock := filepath.Join(t.TempDir(), "fc.vsock")
 	listener, err := net.Listen("unix", vsockSock)
 	if err != nil {
+		skipIfSocketRestricted(t, err)
 		t.Fatalf("listen vsock: %v", err)
 	}
 	t.Cleanup(func() {
@ -1263,6 +1252,7 @@ func startFakeFirecrackerAPI(t *testing.T, apiSock string) {
 	}
 	listener, err := net.Listen("unix", apiSock)
 	if err != nil {
+		skipIfSocketRestricted(t, err)
 		t.Fatalf("listen unix %s: %v", apiSock, err)
 	}
 	mux := http.NewServeMux()
@ -1283,6 +1273,72 @@ func startFakeFirecrackerAPI(t *testing.T, apiSock string) {
 	})
 }

+func skipIfSocketRestricted(t *testing.T, err error) {
+	t.Helper()
+	if err == nil {
+		return
+	}
+	if strings.Contains(strings.ToLower(err.Error()), "operation not permitted") {
+		t.Skipf("socket creation is restricted in this environment: %v", err)
+	}
+}
+
+func startHTTPServerOnTCP4(t *testing.T, handler http.Handler) *net.TCPAddr {
+	t.Helper()
+	listener, err := net.Listen("tcp4", "127.0.0.1:0")
+	if err != nil {
+		skipIfSocketRestricted(t, err)
+		t.Fatalf("listen http: %v", err)
+	}
+	server := &http.Server{Handler: handler}
+	go func() {
+		_ = server.Serve(listener)
+	}()
+	t.Cleanup(func() {
+		_ = server.Close()
+	})
+	return listener.Addr().(*net.TCPAddr)
+}
+
+func startHTTPSServerOnTCP4(t *testing.T, handler http.Handler) *net.TCPAddr {
+	t.Helper()
+	privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(time.Hour),
+		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+	der, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		t.Fatalf("CreateCertificate: %v", err)
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		t.Fatalf("X509KeyPair: %v", err)
+	}
+	listener, err := net.Listen("tcp4", "127.0.0.1:0")
+	if err != nil {
+		skipIfSocketRestricted(t, err)
+		t.Fatalf("listen https: %v", err)
+	}
+	server := &http.Server{Handler: handler}
+	go func() {
+		_ = server.Serve(tls.NewListener(listener, &tls.Config{Certificates: []tls.Certificate{cert}}))
+	}()
+	t.Cleanup(func() {
+		_ = server.Close()
+	})
+	return listener.Addr().(*net.TCPAddr)
+}
+
 type processKillingRunner struct {
 	*scriptedRunner
 	proc *exec.Cmd