package cli import ( "context" "errors" "fmt" "io" "os" "path/filepath" "strconv" "strings" "text/tabwriter" "banger/internal/buildinfo" "banger/internal/installmeta" "banger/internal/model" "banger/internal/paths" "banger/internal/system" "github.com/spf13/cobra" ) const ( systemBangerBin = "/usr/local/bin/banger" systemBangerdBin = "/usr/local/bin/bangerd" systemCompanionDir = "/usr/local/lib/banger" systemCompanionAgent = systemCompanionDir + "/banger-vsock-agent" systemdUserUnitPath = "/etc/systemd/system/" + installmeta.DefaultService systemdRootUnitPath = "/etc/systemd/system/" + installmeta.DefaultRootHelperService systemCoverDirEnv = "BANGER_SYSTEM_GOCOVERDIR" rootCoverDirEnv = "BANGER_ROOT_HELPER_GOCOVERDIR" ) func (d *deps) newSystemCommand() *cobra.Command { var owner string var purge bool cmd := &cobra.Command{ Use: "system", Short: "Install banger's owner-daemon and root-helper systemd units", Long: strings.TrimSpace(` Banger ships as two services: an owner-user daemon for orchestration and a narrow root helper for bridge/tap, NAT, and Firecracker launch. 'banger system' installs, restarts, inspects, and removes them. First-run flow (must be run as root): sudo banger system install --owner $USER install both services banger system status confirm they're up banger doctor check host readiness After 'install', the owner user can run 'banger ...' day to day without sudo. Subsequent invocations: sudo banger system restart bounce both services sudo banger system uninstall remove services + binaries sudo banger system uninstall --purge also delete /var/lib/banger See docs/privileges.md for the full trust model. `), Example: strings.TrimSpace(` sudo banger system install --owner alice banger system status sudo banger system uninstall --purge `), RunE: helpNoArgs, } installCmd := &cobra.Command{ Use: "install", Short: "Install or refresh the owner daemon and root helper", Args: noArgsUsage("usage: banger system install [--owner USER]"), RunE: func(cmd *cobra.Command, args []string) error { return d.runSystemInstall(cmd.Context(), cmd.OutOrStdout(), owner) }, } installCmd.Flags().StringVar(&owner, "owner", "", "login user who will operate banger day-to-day") statusCmd := &cobra.Command{ Use: "status", Short: "Show owner-daemon and root-helper status", Args: noArgsUsage("usage: banger system status"), RunE: func(cmd *cobra.Command, args []string) error { return d.runSystemStatus(cmd.Context(), cmd.OutOrStdout()) }, } restartCmd := &cobra.Command{ Use: "restart", Short: "Restart the installed banger services", Args: noArgsUsage("usage: banger system restart"), RunE: func(cmd *cobra.Command, args []string) error { if err := requireRoot(); err != nil { return err } if err := d.runSystemctl(cmd.Context(), "restart", installmeta.DefaultRootHelperService); err != nil { return err } if err := d.runSystemctl(cmd.Context(), "restart", installmeta.DefaultService); err != nil { return err } if err := d.waitForDaemonReady(cmd.Context(), paths.ResolveSystem().SocketPath); err != nil { return err } _, err := fmt.Fprintln(cmd.OutOrStdout(), "restarted") return err }, } uninstallCmd := &cobra.Command{ Use: "uninstall", Short: "Remove the installed banger services", Args: noArgsUsage("usage: banger system uninstall [--purge]"), RunE: func(cmd *cobra.Command, args []string) error { return d.runSystemUninstall(cmd.Context(), cmd.OutOrStdout(), purge) }, } uninstallCmd.Flags().BoolVar(&purge, "purge", false, "also delete system-owned banger state and cache") cmd.AddCommand(installCmd, statusCmd, restartCmd, uninstallCmd) return cmd } func (d *deps) runSystemInstall(ctx context.Context, out io.Writer, ownerFlag string) error { if err := requireRoot(); err != nil { return err } meta, err := resolveInstallOwner(ownerFlag) if err != nil { return err } info := buildinfo.Current() meta.Version = info.Version meta.Commit = info.Commit meta.BuiltAt = info.BuiltAt meta.InstalledAt = model.Now() bangerBin, err := paths.BangerPath() if err != nil { return err } bangerdBin, err := paths.BangerdPath() if err != nil { return err } agentBin, err := paths.CompanionBinaryPath("banger-vsock-agent") if err != nil { return err } if err := os.MkdirAll(filepath.Dir(systemBangerBin), 0o755); err != nil { return err } if err := os.MkdirAll(systemCompanionDir, 0o755); err != nil { return err } if err := installFile(bangerBin, systemBangerBin, 0o755); err != nil { return err } if err := installFile(bangerdBin, systemBangerdBin, 0o755); err != nil { return err } if err := installFile(agentBin, systemCompanionAgent, 0o755); err != nil { return err } if err := installmeta.Save(installmeta.DefaultPath, meta); err != nil { return err } if err := paths.EnsureSystem(paths.ResolveSystem()); err != nil { return err } if err := os.WriteFile(systemdRootUnitPath, []byte(renderRootHelperSystemdUnit()), 0o644); err != nil { return err } if err := os.WriteFile(systemdUserUnitPath, []byte(renderSystemdUnit(meta)), 0o644); err != nil { return err } if err := d.runSystemctl(ctx, "daemon-reload"); err != nil { return err } if err := d.runSystemctl(ctx, "enable", installmeta.DefaultRootHelperService); err != nil { return err } if err := d.runSystemctl(ctx, "enable", installmeta.DefaultService); err != nil { return err } if err := d.runSystemctl(ctx, "restart", installmeta.DefaultRootHelperService); err != nil { return err } if err := d.runSystemctl(ctx, "restart", installmeta.DefaultService); err != nil { return err } if err := d.waitForDaemonReady(ctx, installmeta.DefaultSocketPath); err != nil { return err } if _, err := fmt.Fprintln(out, "installed"); err != nil { return err } w := tabwriter.NewWriter(out, 0, 8, 2, ' ', 0) fmt.Fprintf(w, "owner\t%s\n", meta.OwnerUser) fmt.Fprintf(w, "socket\t%s\n", installmeta.DefaultSocketPath) fmt.Fprintf(w, "helper_socket\t%s\n", installmeta.DefaultRootHelperSocketPath) fmt.Fprintf(w, "service\t%s\n", installmeta.DefaultService) fmt.Fprintf(w, "helper_service\t%s\n", installmeta.DefaultRootHelperService) return w.Flush() } func (d *deps) runSystemStatus(ctx context.Context, out io.Writer) error { layout := paths.ResolveSystem() active := d.systemctlQuery(ctx, "is-active", installmeta.DefaultService) if active == "" { active = "unknown" } enabled := d.systemctlQuery(ctx, "is-enabled", installmeta.DefaultService) if enabled == "" { enabled = "unknown" } helperActive := d.systemctlQuery(ctx, "is-active", installmeta.DefaultRootHelperService) if helperActive == "" { helperActive = "unknown" } helperEnabled := d.systemctlQuery(ctx, "is-enabled", installmeta.DefaultRootHelperService) if helperEnabled == "" { helperEnabled = "unknown" } w := tabwriter.NewWriter(out, 0, 8, 2, ' ', 0) fmt.Fprintf(w, "service\t%s\n", installmeta.DefaultService) fmt.Fprintf(w, "enabled\t%s\n", enabled) fmt.Fprintf(w, "active\t%s\n", active) fmt.Fprintf(w, "helper_service\t%s\n", installmeta.DefaultRootHelperService) fmt.Fprintf(w, "helper_enabled\t%s\n", helperEnabled) fmt.Fprintf(w, "helper_active\t%s\n", helperActive) fmt.Fprintf(w, "socket\t%s\n", layout.SocketPath) fmt.Fprintf(w, "helper_socket\t%s\n", installmeta.DefaultRootHelperSocketPath) fmt.Fprintf(w, "log\tjournalctl -u %s -u %s\n", installmeta.DefaultService, installmeta.DefaultRootHelperService) if ping, err := d.daemonPing(ctx, layout.SocketPath); err == nil { info := buildinfo.Normalize(ping.Version, ping.Commit, ping.BuiltAt) fmt.Fprintf(w, "pid\t%d\n", ping.PID) fmt.Fprintf(w, "version\t%s\n", info.Version) if info.Commit != "" { fmt.Fprintf(w, "commit\t%s\n", info.Commit) } if info.BuiltAt != "" { fmt.Fprintf(w, "built_at\t%s\n", info.BuiltAt) } } return w.Flush() } func (d *deps) runSystemUninstall(ctx context.Context, out io.Writer, purge bool) error { if err := requireRoot(); err != nil { return err } _ = d.runSystemctl(ctx, "disable", "--now", installmeta.DefaultService, installmeta.DefaultRootHelperService) _ = os.Remove(systemdUserUnitPath) _ = os.Remove(systemdRootUnitPath) _ = os.Remove(installmeta.DefaultPath) _ = os.Remove(installmeta.DefaultDir) _ = d.runSystemctl(ctx, "daemon-reload") _ = os.Remove(systemBangerdBin) _ = os.Remove(systemBangerBin) _ = os.RemoveAll(systemCompanionDir) if purge { _ = os.RemoveAll(paths.ResolveSystem().StateDir) _ = os.RemoveAll(paths.ResolveSystem().CacheDir) _ = os.RemoveAll(paths.ResolveSystem().RuntimeDir) } msg := "uninstalled" if purge { msg += " (purged state)" } _, err := fmt.Fprintln(out, msg) return err } func resolveInstallOwner(ownerFlag string) (installmeta.Metadata, error) { owner := strings.TrimSpace(ownerFlag) if owner == "" { owner = strings.TrimSpace(os.Getenv("SUDO_USER")) } if owner == "" { return installmeta.Metadata{}, errors.New("owner is required; pass --owner USER when installing without sudo") } if owner == "root" { return installmeta.Metadata{}, errors.New("refusing to install with root as the banger owner") } return installmeta.LookupOwner(owner) } func renderSystemdUnit(meta installmeta.Metadata) string { lines := []string{ "[Unit]", "Description=banger daemon", "After=network-online.target", "Wants=network-online.target " + installmeta.DefaultRootHelperService, "After=" + installmeta.DefaultRootHelperService, "Requires=" + installmeta.DefaultRootHelperService, "", "[Service]", "Type=simple", "User=" + meta.OwnerUser, "ExecStart=" + systemBangerdBin + " --system", "Restart=on-failure", "RestartSec=1s", // KillMode=process: only signal the main PID on stop/restart. // The default (control-group) sends SIGKILL to every process in // the unit's cgroup, including descendants — and during `banger // update` we restart this unit, which would terminate any // in-flight subprocesses spawned by the daemon. The daemon // shuts its own children down explicitly when needed. "KillMode=process", "Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "Environment=TMPDIR=/run/banger", "UMask=0077", "NoNewPrivileges=yes", "PrivateMounts=yes", "ProtectSystem=strict", "ProtectHome=read-only", "ProtectControlGroups=yes", "ProtectKernelLogs=yes", "ProtectKernelModules=yes", "ProtectClock=yes", "ProtectHostname=yes", "RestrictSUIDSGID=yes", "LockPersonality=yes", "SystemCallArchitectures=native", "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK", "StateDirectory=banger", "StateDirectoryMode=0700", "CacheDirectory=banger", "CacheDirectoryMode=0700", "RuntimeDirectory=banger", "RuntimeDirectoryMode=0700", // Keep /run/banger across stop/restart so the api-sock symlinks // the helper creates for live VMs aren't wiped between the daemon // stopping and the new daemon's reconcile re-attaching to them. // Without this, `banger update` restarts the daemon, /run/banger // is wiped, the api-sock symlinks vanish, and rediscoverHandles // can't resolve the chroot path it needs to read jailer's pidfile. "RuntimeDirectoryPreserve=yes", } if coverDir := strings.TrimSpace(os.Getenv(systemCoverDirEnv)); coverDir != "" { lines = append(lines, "Environment=GOCOVERDIR="+systemdQuote(coverDir)) } if home := strings.TrimSpace(meta.OwnerHome); home != "" { lines = append(lines, "ReadOnlyPaths="+systemdQuote(home)) } lines = append(lines, "", "[Install]", "WantedBy=multi-user.target", "", ) return strings.Join(lines, "\n") } func renderRootHelperSystemdUnit() string { lines := []string{ "[Unit]", "Description=banger root helper", "After=network-online.target", "Wants=network-online.target", "", "[Service]", "Type=simple", "ExecStart=" + systemBangerdBin + " --root-helper", "Restart=on-failure", "RestartSec=1s", // KillMode=process + SendSIGKILL=no together make the helper // safe to restart while banger-launched firecrackers are // running. firecracker lives in this unit's cgroup (jailer // doesn't open a sub-cgroup), so: // // - Default control-group mode SIGKILLs every process in // the cgroup on stop. // - KillMode=process limits the initial SIGTERM to the // helper main PID; systemd leaves remaining cgroup // processes alone (and logs "Unit process N (firecracker) // remains running after unit stopped"). // - SendSIGKILL=no disables the FinalKillSignal escalation // that would otherwise SIGKILL leftovers after the timeout. // // One more pitfall: the firecracker SDK installs a default // signal-forwarding goroutine in the helper that catches // SIGTERM (etc.) and forwards it to every firecracker child. // We disable that explicitly via ForwardSignals: []os.Signal{} // in firecracker.buildConfig — without that override, systemd // signaling the helper main would propagate to every running // VM regardless of what these directives do. // // `banger system uninstall` and the daemon's vm-stop path // explicitly stop firecracker processes when actually needed, // so we don't lose the systemd-driven kill as a real safety // net — banger drives those kills itself. "KillMode=process", "SendSIGKILL=no", "Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "Environment=TMPDIR=" + installmeta.DefaultRootHelperRuntimeDir, "UMask=0077", "NoNewPrivileges=yes", "PrivateTmp=yes", "PrivateMounts=yes", "ProtectSystem=strict", "ProtectHome=yes", "ProtectControlGroups=yes", "ProtectKernelLogs=yes", "ProtectKernelModules=yes", "ProtectClock=yes", "ProtectHostname=yes", "RestrictSUIDSGID=yes", "LockPersonality=yes", "SystemCallArchitectures=native", "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK", "CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT", "ReadWritePaths=/var/lib/banger", "RuntimeDirectory=banger-root", "RuntimeDirectoryMode=0711", // Same rationale as bangerd.service: the helper-managed // /run/banger-root holds the helper's RPC socket and any // per-VM scratch state; preserving it across restart keeps // the daemon's reconnect path and reconcile re-attachment // from racing against systemd's runtime-dir cleanup. "RuntimeDirectoryPreserve=yes", } if coverDir := strings.TrimSpace(os.Getenv(rootCoverDirEnv)); coverDir != "" { lines = append(lines, "Environment=GOCOVERDIR="+systemdQuote(coverDir)) } lines = append(lines, "", "[Install]", "WantedBy=multi-user.target", "", ) return strings.Join(lines, "\n") } func systemdQuote(value string) string { return strconv.Quote(strings.TrimSpace(value)) } func installFile(sourcePath, targetPath string, mode os.FileMode) error { if err := os.MkdirAll(filepath.Dir(targetPath), 0o755); err != nil { return err } tempPath := targetPath + ".tmp" _ = os.Remove(tempPath) if err := system.CopyFilePreferClone(sourcePath, tempPath); err != nil { return err } if err := os.Chmod(tempPath, mode); err != nil { _ = os.Remove(tempPath) return err } if err := os.Rename(tempPath, targetPath); err != nil { _ = os.Remove(tempPath) return err } return nil } func requireRoot() error { if os.Geteuid() == 0 { return nil } return errors.New("this command requires root; run it with sudo") } func (d *deps) runSystemctl(ctx context.Context, args ...string) error { _, err := d.hostCommandOutput(ctx, "systemctl", args...) return err } func (d *deps) systemctlQuery(ctx context.Context, args ...string) string { output, err := d.hostCommandOutput(ctx, "systemctl", args...) if err == nil { return strings.TrimSpace(string(output)) } msg := strings.TrimSpace(string(output)) if msg != "" { return msg } msg = strings.TrimSpace(err.Error()) if idx := strings.LastIndex(msg, ": "); idx >= 0 { return strings.TrimSpace(msg[idx+2:]) } return msg }