daemon: rewrite authsync + image seeding on ext4 toolkit

ensureAuthorizedKeyOnWorkDisk and seedAuthorizedKeyOnExt4Image both drove mount + sudo mkdir/chmod/chown/cat/install to patch /.ssh/authorized_keys into a work disk or work-seed. Both now delegate to a shared provisionAuthorizedKey helper that uses the ext4 toolkit introduced in 7704396 — EnsureExt4RootPerms + MkdirExt4 + Ext4PathExists/ReadExt4File + WriteExt4FileOwned. No mount, no sudo, no host-path staging. Drops ~10 sudo call sites from the VM create and image pull flows and deletes the TestEnsureAuthorizedKeyOnWorkDiskRepairsNestedRootLayout premise (flattenNestedWorkHome will disappear entirely in the next commit — the no-seed path no longer copies /root, and the work-seed path produces flat seeds). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 18:21:50 -03:00 · 2026-04-23 18:21:50 -03:00 · f0685366ec
commit f0685366ec
parent 0e28504892
3 changed files with 34 additions and 163 deletions
--- a/internal/daemon/vm_test.go
+++ b/internal/daemon/vm_test.go
@ -847,65 +847,6 @@ func TestFlattenNestedWorkHomeCopiesEntriesIndividually(t *testing.T) {
 	runner.assertExhausted()
 }

-func TestEnsureAuthorizedKeyOnWorkDiskRepairsNestedRootLayout(t *testing.T) {
-	t.Parallel()
-
-	workDiskDir := t.TempDir()
-	nestedHome := filepath.Join(workDiskDir, "root")
-	if err := os.MkdirAll(filepath.Join(nestedHome, ".ssh"), 0o700); err != nil {
-		t.Fatalf("MkdirAll(.ssh): %v", err)
-	}
-	if err := os.WriteFile(filepath.Join(nestedHome, ".bashrc"), []byte("export TEST_PROMPT=1\n"), 0o644); err != nil {
-		t.Fatalf("WriteFile(.bashrc): %v", err)
-	}
-	existingKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILEgacykey existing@test\n"
-	if err := os.WriteFile(filepath.Join(nestedHome, ".ssh", "authorized_keys"), []byte(existingKey), 0o600); err != nil {
-		t.Fatalf("WriteFile(authorized_keys): %v", err)
-	}
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
-	if err != nil {
-		t.Fatalf("GenerateKey: %v", err)
-	}
-	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
-	})
-	sshKeyPath := filepath.Join(t.TempDir(), "id_rsa")
-	if err := os.WriteFile(sshKeyPath, privateKeyPEM, 0o600); err != nil {
-		t.Fatalf("WriteFile(private key): %v", err)
-	}
-
-	d := &Daemon{
-		runner: &filesystemRunner{t: t},
-		config: model.DaemonConfig{SSHKeyPath: sshKeyPath},
-	}
-	wireServices(d)
-	vm := testVM("seed-repair", "image-seed-repair", "172.16.0.61")
-	vm.Runtime.WorkDiskPath = workDiskDir
-
-	if err := d.ws.ensureAuthorizedKeyOnWorkDisk(context.Background(), &vm, model.Image{}, workDiskPreparation{}); err != nil {
-		t.Fatalf("ensureAuthorizedKeyOnWorkDisk: %v", err)
-	}
-	if _, err := os.Stat(filepath.Join(workDiskDir, "root")); !os.IsNotExist(err) {
-		t.Fatalf("nested root still exists: %v", err)
-	}
-	if _, err := os.Stat(filepath.Join(workDiskDir, ".bashrc")); err != nil {
-		t.Fatalf(".bashrc missing at top level: %v", err)
-	}
-	data, err := os.ReadFile(filepath.Join(workDiskDir, ".ssh", "authorized_keys"))
-	if err != nil {
-		t.Fatalf("ReadFile(authorized_keys): %v", err)
-	}
-	content := string(data)
-	if !strings.Contains(content, strings.TrimSpace(existingKey)) {
-		t.Fatalf("authorized_keys missing pre-existing key: %q", content)
-	}
-	if !strings.Contains(content, "ssh-rsa ") {
-		t.Fatalf("authorized_keys missing managed key: %q", content)
-	}
-}
-
 func TestEnsureGitIdentityOnWorkDiskCopiesHostGlobalIdentity(t *testing.T) {
 	if _, err := exec.LookPath("git"); err != nil {
 		t.Skip("git not installed")