thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

daemon: persist teardown fallbacks and reject unsafe import paths

Browse source 
Preserve cleanup after daemon restarts and harden OCI and tar imports
against filenames that debugfs cannot encode safely.

Mirror tap, loop, and dm teardown identity onto VM.Runtime, teach
cleanup and reconcile to fall back to those persisted fields when
handles.json is missing or corrupt, and clear the recovery state on
stop, error, and delete paths.

Reject debugfs-hostile entry names during flattening and in
ApplyOwnership itself, then add regression coverage for corrupt
handles.json recovery and unsafe import paths.

Verified with targeted go tests, make lint-go, make lint-shell, and
make build.
This commit is contained in:
Thales Maciel 2026-04-23 16:21:59 -03:00
parent 86a56fedb3
commit d743a8ba4b
No known key found for this signature in database
GPG key ID: 33112E6833C34679
15 changed files with 272 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

17
internal/model/vm_handles.go
View file

@ -3,11 +3,11 @@ package model
// VMHandles captures the transient, per-boot kernel/process handles
// that banger obtains while starting a VM and releases when stopping
// it. Unlike VMRuntime (durable spec + identity + derived paths),
// nothing in VMHandles survives a daemon restart in authoritative
// form: each value is either rediscovered from the OS (PID from the
// firecracker api socket, DM name deterministically from the VM ID)
// or read from a per-VM scratch file that the daemon rebuilds at
// every start.
// VMHandles is the authoritative live-handle view while the daemon is
// up. On restart, the daemon rebuilds it from the OS plus the per-VM
// scratch file; teardown-critical fields are also mirrored onto
// VMRuntime so cleanup can still proceed if that scratch file is
// missing or corrupt.
//
// The daemon keeps an in-memory cache keyed by VM ID. Lifecycle
// transitions update the cache and a small `handles.json` scratch
@ -16,10 +16,9 @@ package model
// OS state. If anything is stale the VM is marked stopped and the
// cache entry is dropped.
//
// VMHandles never appears in the `vms` SQLite rows. Keeping it off
// the durable schema was the whole point of the split — persistent
// records describe what a VM SHOULD be; handles describe what is
// currently true about it.
// VMHandles itself never appears in the `vms` SQLite rows. Some fields
// are mirrored onto VMRuntime as crash-recovery fallback state, but the
// cache + scratch file remain the canonical live source.
type VMHandles struct {
// PID is the firecracker process PID. Zero means "not running
// (from our perspective)". Always verifiable via