Add vsock-backed VM port inspection

Let the host ask the guest vsock agent to run ss so open ports can be surfaced without SSHing in manually. Add a narrow /ports agent endpoint, a daemon vm.ports RPC that enriches listeners with <hostname>.vm endpoints and best-effort HTTP links, and a concurrent 'banger vm ports' CLI table for one or more VMs. Update the guest package contract to include ss for rebuilt Debian images, allow the guest agent package in the shell-out policy, and cover the new parsing/RPC/CLI flow in tests. Verified with GOCACHE=/tmp/banger-gocache go test ./... outside the sandbox, make build, bash -n customize.sh make-rootfs-void.sh verify.sh, and ./banger vm ports --help.
2026-03-19 15:52:11 -03:00 · 2026-03-19 15:52:11 -03:00 · c298ed2fc1
commit c298ed2fc1
parent 3ed78fdcfc
11 changed files with 1029 additions and 23 deletions
--- a/internal/daemon/vm_test.go
+++ b/internal/daemon/vm_test.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/http/httptest"
 	"os"
 	"os/exec"
 	"path/filepath"
@ -427,6 +428,145 @@ func TestHealthVMReturnsFalseForStoppedVM(t *testing.T) {
 	}
 }

+func TestPortsVMReturnsEnrichedPortsAndWebURL(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	db := openDaemonStore(t)
+	apiSock := filepath.Join(t.TempDir(), "fc.sock")
+	fake := startFakeFirecrackerProcess(t, apiSock)
+	t.Cleanup(func() {
+		_ = fake.Process.Kill()
+		_ = fake.Wait()
+	})
+
+	webServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	t.Cleanup(webServer.Close)
+	webAddr, err := net.ResolveTCPAddr("tcp", strings.TrimPrefix(webServer.URL, "http://"))
+	if err != nil {
+		t.Fatalf("ResolveTCPAddr: %v", err)
+	}
+
+	vsockSock := filepath.Join(t.TempDir(), "fc.vsock")
+	listener, err := net.Listen("unix", vsockSock)
+	if err != nil {
+		t.Fatalf("listen vsock: %v", err)
+	}
+	t.Cleanup(func() {
+		_ = listener.Close()
+		_ = os.Remove(vsockSock)
+	})
+	serverDone := make(chan error, 1)
+	go func() {
+		conn, err := listener.Accept()
+		if err != nil {
+			serverDone <- err
+			return
+		}
+		defer conn.Close()
+		buf := make([]byte, 1024)
+		n, err := conn.Read(buf)
+		if err != nil {
+			serverDone <- err
+			return
+		}
+		if got := string(buf[:n]); got != "CONNECT 42070\n" {
+			serverDone <- fmt.Errorf("unexpected connect message %q", got)
+			return
+		}
+		if _, err := conn.Write([]byte("OK 1\n")); err != nil {
+			serverDone <- err
+			return
+		}
+		reqBuf := make([]byte, 0, 1024)
+		for {
+			n, err = conn.Read(buf)
+			if err != nil {
+				serverDone <- err
+				return
+			}
+			reqBuf = append(reqBuf, buf[:n]...)
+			if strings.Contains(string(reqBuf), "\r\n\r\n") {
+				break
+			}
+		}
+		if got := string(reqBuf); !strings.Contains(got, "GET /ports HTTP/1.1\r\n") {
+			serverDone <- fmt.Errorf("unexpected ports payload %q", got)
+			return
+		}
+		body := fmt.Sprintf(`{"listeners":[{"proto":"tcp","bind_address":"0.0.0.0","port":%d,"pid":44,"process":"python3","command":"python3 -m http.server %d"},{"proto":"udp","bind_address":"0.0.0.0","port":53,"pid":1,"process":"dnsd","command":"dnsd --foreground"}]}`, webAddr.Port, webAddr.Port)
+		resp := fmt.Sprintf("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: %d\r\n\r\n%s", len(body), body)
+		_, err = conn.Write([]byte(resp))
+		serverDone <- err
+	}()
+
+	vm := testVM("ports", "image-ports", "127.0.0.1")
+	vm.State = model.VMStateRunning
+	vm.Runtime.State = model.VMStateRunning
+	vm.Runtime.PID = fake.Process.Pid
+	vm.Runtime.APISockPath = apiSock
+	vm.Runtime.VSockPath = vsockSock
+	vm.Runtime.VSockCID = 10043
+	upsertDaemonVM(t, ctx, db, vm)
+
+	runner := &scriptedRunner{
+		t: t,
+		steps: []runnerStep{
+			sudoStep("", nil, "chown", fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()), vsockSock),
+			sudoStep("", nil, "chmod", "600", vsockSock),
+		},
+	}
+	d := &Daemon{store: db, runner: runner}
+
+	result, err := d.PortsVM(ctx, vm.Name)
+	if err != nil {
+		t.Fatalf("PortsVM: %v", err)
+	}
+	if result.Name != vm.Name || result.DNSName != vm.Runtime.DNSName {
+		t.Fatalf("result = %+v, want name/dns", result)
+	}
+	if len(result.Ports) != 2 {
+		t.Fatalf("ports = %+v, want 2 entries", result.Ports)
+	}
+	wantWeb := fmt.Sprintf("http://ports.vm:%d/", webAddr.Port)
+	var tcpPort, udpPort api.VMPort
+	for _, port := range result.Ports {
+		switch port.Proto {
+		case "tcp":
+			tcpPort = port
+		case "udp":
+			udpPort = port
+		}
+	}
+	if udpPort.Endpoint != "ports.vm:53" || udpPort.WebURL != "" {
+		t.Fatalf("udp port = %+v, want endpoint only", udpPort)
+	}
+	if tcpPort.Endpoint != net.JoinHostPort("ports.vm", strconv.Itoa(webAddr.Port)) || tcpPort.WebURL != wantWeb {
+		t.Fatalf("tcp port = %+v, want web url %q", tcpPort, wantWeb)
+	}
+	runner.assertExhausted()
+	if err := <-serverDone; err != nil {
+		t.Fatalf("server: %v", err)
+	}
+}
+
+func TestPortsVMReturnsErrorForStoppedVM(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	db := openDaemonStore(t)
+	vm := testVM("stopped-ports", "image-stopped", "172.16.0.50")
+	upsertDaemonVM(t, ctx, db, vm)
+
+	d := &Daemon{store: db}
+	_, err := d.PortsVM(ctx, vm.Name)
+	if err == nil || !strings.Contains(err.Error(), "is not running") {
+		t.Fatalf("PortsVM error = %v, want not running", err)
+	}
+}
+
 func TestSetVMDiskResizeFailsPreflightWhenToolsMissing(t *testing.T) {
 	ctx := context.Background()
 	db := openDaemonStore(t)