Thales Maciel
35bfac3f13
Frontier models tend to discover a CLI by running --help, scanning the Long description, and inferring the dominant workflow from the examples. Today's banger help reads like a man page index — every verb has a one-line Short and nothing else. This rewrites the groups (banger, vm, vm workspace, image, kernel, system, ssh-config) so each landing page answers "what is this for, what's the 80% command, what comes next" in three to ten lines, with runnable examples. Also disambiguates the near-twin lifecycle commands so a model reading the subcommand index can tell stop/kill/delete apart at a glance: start Start a stopped VM stop Stop a running VM gracefully restart Stop then start a VM kill Force-kill a VM (use when 'vm stop' hangs) delete Stop a VM and remove its disks (irreversible) vm create / vm ssh / vm logs / vm show pick up Long descriptions and examples for the same reason. No behaviour changes; help text only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
411 lines
13 KiB
Go
411 lines
13 KiB
Go
package cli
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"banger/internal/buildinfo"
|
|
"banger/internal/installmeta"
|
|
"banger/internal/model"
|
|
"banger/internal/paths"
|
|
"banger/internal/system"
|
|
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
const (
|
|
systemBangerBin = "/usr/local/bin/banger"
|
|
systemBangerdBin = "/usr/local/bin/bangerd"
|
|
systemCompanionDir = "/usr/local/lib/banger"
|
|
systemCompanionAgent = systemCompanionDir + "/banger-vsock-agent"
|
|
systemdUserUnitPath = "/etc/systemd/system/" + installmeta.DefaultService
|
|
systemdRootUnitPath = "/etc/systemd/system/" + installmeta.DefaultRootHelperService
|
|
systemCoverDirEnv = "BANGER_SYSTEM_GOCOVERDIR"
|
|
rootCoverDirEnv = "BANGER_ROOT_HELPER_GOCOVERDIR"
|
|
)
|
|
|
|
func (d *deps) newSystemCommand() *cobra.Command {
|
|
var owner string
|
|
var purge bool
|
|
cmd := &cobra.Command{
|
|
Use: "system",
|
|
Short: "Install banger's owner-daemon and root-helper systemd units",
|
|
Long: strings.TrimSpace(`
|
|
Banger ships as two services: an owner-user daemon for
|
|
orchestration and a narrow root helper for bridge/tap, NAT, and
|
|
Firecracker launch. 'banger system' installs, restarts, inspects,
|
|
and removes them.
|
|
|
|
First-run flow (must be run as root):
|
|
|
|
sudo banger system install --owner $USER install both services
|
|
banger system status confirm they're up
|
|
banger doctor check host readiness
|
|
|
|
After 'install', the owner user can run 'banger ...' day to day
|
|
without sudo. Subsequent invocations:
|
|
|
|
sudo banger system restart bounce both services
|
|
sudo banger system uninstall remove services + binaries
|
|
sudo banger system uninstall --purge also delete /var/lib/banger
|
|
|
|
See docs/privileges.md for the full trust model.
|
|
`),
|
|
Example: strings.TrimSpace(`
|
|
sudo banger system install --owner alice
|
|
banger system status
|
|
sudo banger system uninstall --purge
|
|
`),
|
|
RunE: helpNoArgs,
|
|
}
|
|
installCmd := &cobra.Command{
|
|
Use: "install",
|
|
Short: "Install or refresh the owner daemon and root helper",
|
|
Args: noArgsUsage("usage: banger system install [--owner USER]"),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return d.runSystemInstall(cmd.Context(), cmd.OutOrStdout(), owner)
|
|
},
|
|
}
|
|
installCmd.Flags().StringVar(&owner, "owner", "", "login user who will operate banger day-to-day")
|
|
|
|
statusCmd := &cobra.Command{
|
|
Use: "status",
|
|
Short: "Show owner-daemon and root-helper status",
|
|
Args: noArgsUsage("usage: banger system status"),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return d.runSystemStatus(cmd.Context(), cmd.OutOrStdout())
|
|
},
|
|
}
|
|
|
|
restartCmd := &cobra.Command{
|
|
Use: "restart",
|
|
Short: "Restart the installed banger services",
|
|
Args: noArgsUsage("usage: banger system restart"),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
if err := requireRoot(); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(cmd.Context(), "restart", installmeta.DefaultRootHelperService); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(cmd.Context(), "restart", installmeta.DefaultService); err != nil {
|
|
return err
|
|
}
|
|
_, err := fmt.Fprintln(cmd.OutOrStdout(), "restarted")
|
|
return err
|
|
},
|
|
}
|
|
|
|
uninstallCmd := &cobra.Command{
|
|
Use: "uninstall",
|
|
Short: "Remove the installed banger services",
|
|
Args: noArgsUsage("usage: banger system uninstall [--purge]"),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return d.runSystemUninstall(cmd.Context(), cmd.OutOrStdout(), purge)
|
|
},
|
|
}
|
|
uninstallCmd.Flags().BoolVar(&purge, "purge", false, "also delete system-owned banger state and cache")
|
|
|
|
cmd.AddCommand(installCmd, statusCmd, restartCmd, uninstallCmd)
|
|
return cmd
|
|
}
|
|
|
|
func (d *deps) runSystemInstall(ctx context.Context, out io.Writer, ownerFlag string) error {
|
|
if err := requireRoot(); err != nil {
|
|
return err
|
|
}
|
|
meta, err := resolveInstallOwner(ownerFlag)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
info := buildinfo.Current()
|
|
meta.Version = info.Version
|
|
meta.Commit = info.Commit
|
|
meta.BuiltAt = info.BuiltAt
|
|
meta.InstalledAt = model.Now()
|
|
|
|
bangerBin, err := paths.BangerPath()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
bangerdBin, err := paths.BangerdPath()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
agentBin, err := paths.CompanionBinaryPath("banger-vsock-agent")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := os.MkdirAll(filepath.Dir(systemBangerBin), 0o755); err != nil {
|
|
return err
|
|
}
|
|
if err := os.MkdirAll(systemCompanionDir, 0o755); err != nil {
|
|
return err
|
|
}
|
|
if err := installFile(bangerBin, systemBangerBin, 0o755); err != nil {
|
|
return err
|
|
}
|
|
if err := installFile(bangerdBin, systemBangerdBin, 0o755); err != nil {
|
|
return err
|
|
}
|
|
if err := installFile(agentBin, systemCompanionAgent, 0o755); err != nil {
|
|
return err
|
|
}
|
|
if err := installmeta.Save(installmeta.DefaultPath, meta); err != nil {
|
|
return err
|
|
}
|
|
if err := paths.EnsureSystem(paths.ResolveSystem()); err != nil {
|
|
return err
|
|
}
|
|
if err := os.WriteFile(systemdRootUnitPath, []byte(renderRootHelperSystemdUnit()), 0o644); err != nil {
|
|
return err
|
|
}
|
|
if err := os.WriteFile(systemdUserUnitPath, []byte(renderSystemdUnit(meta)), 0o644); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(ctx, "daemon-reload"); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(ctx, "enable", installmeta.DefaultRootHelperService); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(ctx, "enable", installmeta.DefaultService); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(ctx, "restart", installmeta.DefaultRootHelperService); err != nil {
|
|
return err
|
|
}
|
|
if err := d.runSystemctl(ctx, "restart", installmeta.DefaultService); err != nil {
|
|
return err
|
|
}
|
|
_, err = fmt.Fprintf(out, "installed\nowner: %s\nsocket: %s\nhelper_socket: %s\nservice: %s\nhelper_service: %s\n", meta.OwnerUser, installmeta.DefaultSocketPath, installmeta.DefaultRootHelperSocketPath, installmeta.DefaultService, installmeta.DefaultRootHelperService)
|
|
return err
|
|
}
|
|
|
|
func (d *deps) runSystemStatus(ctx context.Context, out io.Writer) error {
|
|
layout := paths.ResolveSystem()
|
|
active := d.systemctlQuery(ctx, "is-active", installmeta.DefaultService)
|
|
if active == "" {
|
|
active = "unknown"
|
|
}
|
|
enabled := d.systemctlQuery(ctx, "is-enabled", installmeta.DefaultService)
|
|
if enabled == "" {
|
|
enabled = "unknown"
|
|
}
|
|
helperActive := d.systemctlQuery(ctx, "is-active", installmeta.DefaultRootHelperService)
|
|
if helperActive == "" {
|
|
helperActive = "unknown"
|
|
}
|
|
helperEnabled := d.systemctlQuery(ctx, "is-enabled", installmeta.DefaultRootHelperService)
|
|
if helperEnabled == "" {
|
|
helperEnabled = "unknown"
|
|
}
|
|
fmt.Fprintf(out, "service: %s\nenabled: %s\nactive: %s\nhelper_service: %s\nhelper_enabled: %s\nhelper_active: %s\nsocket: %s\nhelper_socket: %s\nlog: journalctl -u %s -u %s\n",
|
|
installmeta.DefaultService, enabled, active,
|
|
installmeta.DefaultRootHelperService, helperEnabled, helperActive,
|
|
layout.SocketPath, installmeta.DefaultRootHelperSocketPath,
|
|
installmeta.DefaultService, installmeta.DefaultRootHelperService)
|
|
if ping, err := d.daemonPing(ctx, layout.SocketPath); err == nil {
|
|
info := buildinfo.Normalize(ping.Version, ping.Commit, ping.BuiltAt)
|
|
_, err = fmt.Fprintf(out, "pid: %d\n%s", ping.PID, formatBuildInfoBlock(info))
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (d *deps) runSystemUninstall(ctx context.Context, out io.Writer, purge bool) error {
|
|
if err := requireRoot(); err != nil {
|
|
return err
|
|
}
|
|
_ = d.runSystemctl(ctx, "disable", "--now", installmeta.DefaultService, installmeta.DefaultRootHelperService)
|
|
_ = os.Remove(systemdUserUnitPath)
|
|
_ = os.Remove(systemdRootUnitPath)
|
|
_ = os.Remove(installmeta.DefaultPath)
|
|
_ = os.Remove(installmeta.DefaultDir)
|
|
_ = d.runSystemctl(ctx, "daemon-reload")
|
|
_ = os.Remove(systemBangerdBin)
|
|
_ = os.Remove(systemBangerBin)
|
|
_ = os.RemoveAll(systemCompanionDir)
|
|
if purge {
|
|
_ = os.RemoveAll(paths.ResolveSystem().StateDir)
|
|
_ = os.RemoveAll(paths.ResolveSystem().CacheDir)
|
|
_ = os.RemoveAll(paths.ResolveSystem().RuntimeDir)
|
|
}
|
|
msg := "uninstalled"
|
|
if purge {
|
|
msg += " (purged state)"
|
|
}
|
|
_, err := fmt.Fprintln(out, msg)
|
|
return err
|
|
}
|
|
|
|
func resolveInstallOwner(ownerFlag string) (installmeta.Metadata, error) {
|
|
owner := strings.TrimSpace(ownerFlag)
|
|
if owner == "" {
|
|
owner = strings.TrimSpace(os.Getenv("SUDO_USER"))
|
|
}
|
|
if owner == "" {
|
|
return installmeta.Metadata{}, errors.New("owner is required; pass --owner USER when installing without sudo")
|
|
}
|
|
if owner == "root" {
|
|
return installmeta.Metadata{}, errors.New("refusing to install with root as the banger owner")
|
|
}
|
|
return installmeta.LookupOwner(owner)
|
|
}
|
|
|
|
func renderSystemdUnit(meta installmeta.Metadata) string {
|
|
lines := []string{
|
|
"[Unit]",
|
|
"Description=banger daemon",
|
|
"After=network-online.target",
|
|
"Wants=network-online.target " + installmeta.DefaultRootHelperService,
|
|
"After=" + installmeta.DefaultRootHelperService,
|
|
"Requires=" + installmeta.DefaultRootHelperService,
|
|
"",
|
|
"[Service]",
|
|
"Type=simple",
|
|
"User=" + meta.OwnerUser,
|
|
"ExecStart=" + systemBangerdBin + " --system",
|
|
"Restart=on-failure",
|
|
"RestartSec=1s",
|
|
"Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
|
"Environment=TMPDIR=/run/banger",
|
|
"UMask=0077",
|
|
"NoNewPrivileges=yes",
|
|
"PrivateMounts=yes",
|
|
"ProtectSystem=strict",
|
|
"ProtectHome=read-only",
|
|
"ProtectControlGroups=yes",
|
|
"ProtectKernelLogs=yes",
|
|
"ProtectKernelModules=yes",
|
|
"ProtectClock=yes",
|
|
"ProtectHostname=yes",
|
|
"RestrictSUIDSGID=yes",
|
|
"LockPersonality=yes",
|
|
"SystemCallArchitectures=native",
|
|
"RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK",
|
|
"StateDirectory=banger",
|
|
"StateDirectoryMode=0700",
|
|
"CacheDirectory=banger",
|
|
"CacheDirectoryMode=0700",
|
|
"RuntimeDirectory=banger",
|
|
"RuntimeDirectoryMode=0700",
|
|
}
|
|
if coverDir := strings.TrimSpace(os.Getenv(systemCoverDirEnv)); coverDir != "" {
|
|
lines = append(lines, "Environment=GOCOVERDIR="+systemdQuote(coverDir))
|
|
}
|
|
if home := strings.TrimSpace(meta.OwnerHome); home != "" {
|
|
lines = append(lines, "ReadOnlyPaths="+systemdQuote(home))
|
|
}
|
|
lines = append(lines,
|
|
"",
|
|
"[Install]",
|
|
"WantedBy=multi-user.target",
|
|
"",
|
|
)
|
|
return strings.Join(lines, "\n")
|
|
}
|
|
|
|
func renderRootHelperSystemdUnit() string {
|
|
lines := []string{
|
|
"[Unit]",
|
|
"Description=banger root helper",
|
|
"After=network-online.target",
|
|
"Wants=network-online.target",
|
|
"",
|
|
"[Service]",
|
|
"Type=simple",
|
|
"ExecStart=" + systemBangerdBin + " --root-helper",
|
|
"Restart=on-failure",
|
|
"RestartSec=1s",
|
|
"Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
|
"Environment=TMPDIR=" + installmeta.DefaultRootHelperRuntimeDir,
|
|
"UMask=0077",
|
|
"NoNewPrivileges=yes",
|
|
"PrivateTmp=yes",
|
|
"PrivateMounts=yes",
|
|
"ProtectSystem=strict",
|
|
"ProtectHome=yes",
|
|
"ProtectControlGroups=yes",
|
|
"ProtectKernelLogs=yes",
|
|
"ProtectKernelModules=yes",
|
|
"ProtectClock=yes",
|
|
"ProtectHostname=yes",
|
|
"RestrictSUIDSGID=yes",
|
|
"LockPersonality=yes",
|
|
"SystemCallArchitectures=native",
|
|
"RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK",
|
|
"CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN",
|
|
"ReadWritePaths=/var/lib/banger",
|
|
"RuntimeDirectory=banger-root",
|
|
"RuntimeDirectoryMode=0711",
|
|
}
|
|
if coverDir := strings.TrimSpace(os.Getenv(rootCoverDirEnv)); coverDir != "" {
|
|
lines = append(lines, "Environment=GOCOVERDIR="+systemdQuote(coverDir))
|
|
}
|
|
lines = append(lines,
|
|
"",
|
|
"[Install]",
|
|
"WantedBy=multi-user.target",
|
|
"",
|
|
)
|
|
return strings.Join(lines, "\n")
|
|
}
|
|
|
|
func systemdQuote(value string) string {
|
|
return strconv.Quote(strings.TrimSpace(value))
|
|
}
|
|
|
|
func installFile(sourcePath, targetPath string, mode os.FileMode) error {
|
|
if err := os.MkdirAll(filepath.Dir(targetPath), 0o755); err != nil {
|
|
return err
|
|
}
|
|
tempPath := targetPath + ".tmp"
|
|
_ = os.Remove(tempPath)
|
|
if err := system.CopyFilePreferClone(sourcePath, tempPath); err != nil {
|
|
return err
|
|
}
|
|
if err := os.Chmod(tempPath, mode); err != nil {
|
|
_ = os.Remove(tempPath)
|
|
return err
|
|
}
|
|
if err := os.Rename(tempPath, targetPath); err != nil {
|
|
_ = os.Remove(tempPath)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func requireRoot() error {
|
|
if os.Geteuid() == 0 {
|
|
return nil
|
|
}
|
|
return errors.New("this command requires root; run it with sudo")
|
|
}
|
|
|
|
func (d *deps) runSystemctl(ctx context.Context, args ...string) error {
|
|
_, err := d.hostCommandOutput(ctx, "systemctl", args...)
|
|
return err
|
|
}
|
|
|
|
func (d *deps) systemctlQuery(ctx context.Context, args ...string) string {
|
|
output, err := d.hostCommandOutput(ctx, "systemctl", args...)
|
|
if err == nil {
|
|
return strings.TrimSpace(string(output))
|
|
}
|
|
msg := strings.TrimSpace(string(output))
|
|
if msg != "" {
|
|
return msg
|
|
}
|
|
msg = strings.TrimSpace(err.Error())
|
|
if idx := strings.LastIndex(msg, ": "); idx >= 0 {
|
|
return strings.TrimSpace(msg[idx+2:])
|
|
}
|
|
return msg
|
|
}
|