daemon: rewrite authsync + image seeding on ext4 toolkit

ensureAuthorizedKeyOnWorkDisk and seedAuthorizedKeyOnExt4Image both drove mount + sudo mkdir/chmod/chown/cat/install to patch /.ssh/authorized_keys into a work disk or work-seed. Both now delegate to a shared provisionAuthorizedKey helper that uses the ext4 toolkit introduced in 7704396 — EnsureExt4RootPerms + MkdirExt4 + Ext4PathExists/ReadExt4File + WriteExt4FileOwned. No mount, no sudo, no host-path staging. Drops ~10 sudo call sites from the VM create and image pull flows and deletes the TestEnsureAuthorizedKeyOnWorkDiskRepairsNestedRootLayout premise (flattenNestedWorkHome will disappear entirely in the next commit — the no-seed path no longer copies /root, and the work-seed path produces flat seeds). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 18:21:50 -03:00 · 2026-04-23 18:21:50 -03:00 · f0685366ec
commit f0685366ec
parent 0e28504892
3 changed files with 34 additions and 163 deletions
--- a/internal/daemon/vm_authsync.go
+++ b/internal/daemon/vm_authsync.go
@ -37,61 +37,12 @@ func (s *WorkspaceService) ensureAuthorizedKeyOnWorkDisk(ctx context.Context, vm
 		return fmt.Errorf("derive authorized ssh key: %w", err)
 	}
 	vmCreateStage(ctx, "prepare_work_disk", "provisioning SSH access on work disk")
-	workMount, cleanupWork, err := system.MountTempDir(ctx, s.runner, vm.Runtime.WorkDiskPath, false)
-	if err != nil {
-		return err
-	}
-	defer cleanupWork()

-	if err := flattenNestedWorkHome(ctx, s.runner, workMount); err != nil {
+	workDisk := vm.Runtime.WorkDiskPath
+	if err := provisionAuthorizedKey(ctx, s.runner, workDisk, publicKey); err != nil {
 		return err
 	}

-	// Normalise the work-disk filesystem root: inside the guest this
-	// mounts at /root, which sshd inspects when StrictModes is on (the
-	// default after the hardening drop-in). Any drift — owner != root,
-	// group/other-writable — would make sshd silently reject the key.
-	if err := normaliseHomeDirPerms(ctx, s.runner, workMount); err != nil {
-		return err
-	}
-
-	sshDir := filepath.Join(workMount, ".ssh")
-	if _, err := s.runner.RunSudo(ctx, "mkdir", "-p", sshDir); err != nil {
-		return err
-	}
-	if _, err := s.runner.RunSudo(ctx, "chmod", "700", sshDir); err != nil {
-		return err
-	}
-	if _, err := s.runner.RunSudo(ctx, "chown", "0:0", sshDir); err != nil {
-		return err
-	}
-
-	authorizedKeysPath := filepath.Join(sshDir, "authorized_keys")
-	existing, err := s.runner.RunSudo(ctx, "cat", authorizedKeysPath)
-	if err != nil {
-		existing = nil
-	}
-	merged := mergeAuthorizedKey(existing, publicKey)
-
-	tmpFile, err := os.CreateTemp("", "banger-authorized-keys-*")
-	if err != nil {
-		return err
-	}
-	tmpPath := tmpFile.Name()
-	if _, err := tmpFile.Write(merged); err != nil {
-		_ = tmpFile.Close()
-		_ = os.Remove(tmpPath)
-		return err
-	}
-	if err := tmpFile.Close(); err != nil {
-		_ = os.Remove(tmpPath)
-		return err
-	}
-	defer os.Remove(tmpPath)
-
-	if _, err := s.runner.RunSudo(ctx, "install", "-m", "600", tmpPath, authorizedKeysPath); err != nil {
-		return err
-	}
 	if prep.ClonedFromSeed && image.Managed {
 		vmCreateStage(ctx, "prepare_work_disk", "refreshing managed work seed")
 		if err := s.imageWorkSeed(ctx, image, fingerprint); err != nil {
@ -101,6 +52,37 @@ func (s *WorkspaceService) ensureAuthorizedKeyOnWorkDisk(ctx context.Context, vm
 	return nil
 }

+// provisionAuthorizedKey writes the managed SSH key into
+// /.ssh/authorized_keys on an ext4 image via the sudoless toolkit.
+// Shared between work-disk and image-seed paths — both need the same
+// sequence: normalise fs-root perms, create /.ssh, merge against any
+// existing authorized_keys, rewrite with root:root:0600.
+//
+// The fs root doubles as /root inside the guest, which sshd walks
+// under StrictModes; forcing 0755 root:root here keeps a drifted
+// seed image from silently rejecting the key at login time.
+func provisionAuthorizedKey(ctx context.Context, runner system.CommandRunner, imagePath string, publicKey []byte) error {
+	if err := system.EnsureExt4RootPerms(ctx, runner, imagePath, 0o755, 0, 0); err != nil {
+		return err
+	}
+	if err := system.MkdirExt4(ctx, runner, imagePath, "/.ssh", 0o700, 0, 0); err != nil {
+		return err
+	}
+	var existing []byte
+	exists, err := system.Ext4PathExists(ctx, runner, imagePath, "/.ssh/authorized_keys")
+	if err != nil {
+		return err
+	}
+	if exists {
+		existing, err = system.ReadExt4File(ctx, runner, imagePath, "/.ssh/authorized_keys")
+		if err != nil {
+			return err
+		}
+	}
+	merged := mergeAuthorizedKey(existing, publicKey)
+	return system.WriteExt4FileOwned(ctx, runner, imagePath, "/.ssh/authorized_keys", 0o600, 0, 0, merged)
+}
+
 // normaliseHomeDirPerms forces the home-directory mount point to
 // 0755 root:root. sshd's StrictModes (the default, re-enabled after
 // banger stopped shipping "StrictModes no") rejects authorized_keys