npm - fireclaw - Versions diffs - 0.1.2 → 0.2.0 - Mend

fireclaw 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE +21 -0
package/README.md +117 -109
package/bin/fireclaw +11 -3
package/bin/vm-common.sh +244 -37
package/bin/vm-ctl +182 -37
package/bin/vm-provision +152 -18
package/bin/vm-setup +237 -94
package/package.json +5 -4
package/scripts/provision-guest.sh +134 -25

package/bin/vm-common.sh CHANGED Viewed

@@ -12,6 +12,7 @@ SUBNET_CIDR="${SUBNET_CIDR:-172.16.0.0/24}"
 OPENCLAW_IMAGE_DEFAULT="${OPENCLAW_IMAGE_DEFAULT:-ghcr.io/openclaw/openclaw:latest}"
 SSH_KEY_PATH="${SSH_KEY_PATH:-/home/ubuntu/.ssh/vmdemo_vm}"
+SSH_KEY_PATH_DEFAULT="$SSH_KEY_PATH"
 log()  { printf '==> %s\n' "$*"; }
 warn() { printf 'Warning: %s\n' "$*" >&2; }
@@ -28,6 +29,60 @@ validate_instance_id() {
   [[ "$id" =~ ^[a-z0-9_-]+$ ]] || die "instance id must match [a-z0-9_-]+"
 }
+validate_host_port() {
+  local port="$1"
+  [[ "$port" =~ ^[0-9]+$ ]] || die "host port must be numeric"
+  port=$((10#$port))
+  (( port >= 1 && port <= 65535 )) || die "host port must be in range 1-65535"
+}
+validate_base_port() {
+  [[ "$BASE_PORT" =~ ^[0-9]+$ ]] || die "BASE_PORT must be numeric"
+  local base=$((10#$BASE_PORT))
+  (( base >= 0 && base < 65535 )) || die "BASE_PORT must be in range 0-65534"
+}
+validate_ipv4() {
+  local ip="$1"
+  local label="$2"
+  local a b c d extra octet n
+  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || die "invalid $label: $ip"
+  IFS='.' read -r a b c d extra <<< "$ip"
+  [[ -z "${extra:-}" && -n "${a:-}" && -n "${b:-}" && -n "${c:-}" && -n "${d:-}" ]] || die "invalid $label: $ip"
+  for octet in "$a" "$b" "$c" "$d"; do
+    [[ "$octet" =~ ^[0-9]+$ ]] || die "invalid $label: $ip"
+    n=$((10#$octet))
+    (( n >= 0 && n <= 255 )) || die "invalid $label octet: $ip"
+  done
+}
+subnet_mask_bits() {
+  local mask="${SUBNET_CIDR#*/}"
+  [[ "$mask" =~ ^[0-9]+$ ]] || die "invalid SUBNET_CIDR: $SUBNET_CIDR"
+  mask=$((10#$mask))
+  (( mask == 24 )) || die "SUBNET_CIDR must use /24 for automatic IP allocation: $SUBNET_CIDR"
+  echo "$mask"
+}
+subnet_prefix() {
+  local subnet_ip="${SUBNET_CIDR%/*}"
+  validate_ipv4 "$subnet_ip" "SUBNET_CIDR network"
+  local prefix="${subnet_ip%.*}"
+  local base_octet="${subnet_ip##*.}"
+  (( 10#$base_octet == 0 )) || die "SUBNET_CIDR network must end in .0 for /24: $SUBNET_CIDR"
+  echo "$prefix"
+}
+bridge_gateway_ip() {
+  local gateway="${BRIDGE_ADDR%/*}"
+  local mask="${BRIDGE_ADDR#*/}"
+  [[ "$BRIDGE_ADDR" == */* && "$mask" =~ ^[0-9]+$ ]] || die "invalid BRIDGE_ADDR: $BRIDGE_ADDR"
+  mask=$((10#$mask))
+  (( mask == 24 )) || die "BRIDGE_ADDR must use /24: $BRIDGE_ADDR"
+  validate_ipv4 "$gateway" "BRIDGE_ADDR"
+  echo "$gateway"
+}
 instance_dir()      { printf '%s/.vm-%s\n' "$STATE_ROOT" "$1"; }
 instance_env()      { printf '%s/.env\n' "$(instance_dir "$1")"; }
 instance_token()    { printf '%s/.token\n' "$(instance_dir "$1")"; }
@@ -36,97 +91,249 @@ vm_service()        { printf 'firecracker-vmdemo-%s.service\n' "$1"; }
 proxy_service()     { printf 'vmdemo-proxy-%s.service\n' "$1"; }
 guest_health_script() { printf '/usr/local/bin/openclaw-health-%s.sh\n' "$1"; }
+# Pin the guest host key on first contact instead of discarding it; the pin
+# lives and dies with the instance state dir.
+ssh_known_hosts_file() {
+  local id="${1:-}"
+  if [[ -n "$id" && -d "$(instance_dir "$id")" ]]; then
+    printf '%s/known_hosts\n' "$(instance_dir "$id")"
+  else
+    printf '/dev/null\n'
+  fi
+}
+require_model_provider_key() {
+  local model="$1"
+  case "$model" in
+    openai/*)    [[ -n "${OPENAI_API_KEY:-}" ]]    || die "model '$model' requires an OpenAI API key (--openai-api-key or OPENAI_API_KEY)" ;;
+    anthropic/*) [[ -n "${ANTHROPIC_API_KEY:-}" ]] || die "model '$model' requires an Anthropic API key (--anthropic-api-key or ANTHROPIC_API_KEY)" ;;
+    minimax/*)   [[ -n "${MINIMAX_API_KEY:-}" ]]   || die "model '$model' requires a MiniMax API key (--minimax-api-key or MINIMAX_API_KEY)" ;;
+  esac
+}
 load_instance_env() {
   local id="$1"
   validate_instance_id "$id"
-  local f
+  local f line key value k
   f="$(instance_env "$id")"
   [[ -f "$f" ]] || die "instance '$id' not found"
-  set -a
-  source "$f"
-  set +a
+  [[ -r "$f" ]] || die "Cannot read instance state: $f (try: sudo fireclaw ...)"
+  for k in INSTANCE_ID HOST_PORT VM_IP VM_TAP VM_MAC GATEWAY_TOKEN MODEL SKILLS TELEGRAM_USERS OPENCLAW_IMAGE VM_VCPU VM_MEM_MIB DISK_SIZE API_SOCK SKIP_BROWSER_INSTALL ANTHROPIC_API_KEY OPENAI_API_KEY MINIMAX_API_KEY; do
+    printf -v "$k" '%s' ""
+  done
+  SSH_KEY_PATH="$SSH_KEY_PATH_DEFAULT"
+  while IFS= read -r line || [[ -n "$line" ]]; do
+    [[ -n "$line" && "$line" != \#* ]] || continue
+    [[ "$line" == *=* ]] || die "invalid state entry in $f: $line"
+    key="${line%%=*}"
+    value="${line#*=}"
+    case "$key" in
+      FIRECLAW_STATE_FORMAT)
+        ;;
+      INSTANCE_ID|HOST_PORT|VM_IP|VM_TAP|VM_MAC|GATEWAY_TOKEN|MODEL|SKILLS|TELEGRAM_USERS|OPENCLAW_IMAGE|VM_VCPU|VM_MEM_MIB|DISK_SIZE|API_SOCK|SSH_KEY_PATH|SKIP_BROWSER_INSTALL|ANTHROPIC_API_KEY|OPENAI_API_KEY|MINIMAX_API_KEY)
+        printf -v "$key" '%s' "$value"
+        ;;
+      *)
+        die "unknown state key in $f: $key"
+        ;;
+    esac
+  done < "$f"
 }
-next_port() {
-  local max="$BASE_PORT"
+_host_port_allocated() {
+  local candidate="$1"
+  local nullglob_was_set=0 found=1
+  shopt -q nullglob && nullglob_was_set=1
   shopt -s nullglob
   local f p
   for f in "$STATE_ROOT"/.vm-*/.env; do
     p="$(grep '^HOST_PORT=' "$f" | cut -d= -f2 || true)"
-    if [[ -n "${p:-}" && "$p" -gt "$max" ]]; then
-      max="$p"
+    if [[ "$p" == "$candidate" ]]; then
+      found=0
+      break
     fi
   done
-  shopt -u nullglob
-  echo $((max + 1))
+  (( nullglob_was_set )) || shopt -u nullglob
+  return "$found"
+}
+_host_port_in_use() {
+  local candidate="$1"
+  if command -v ss >/dev/null 2>&1; then
+    ss -H -ltn "sport = :$candidate" 2>/dev/null | grep -q .
+    return $?
+  fi
+  if command -v lsof >/dev/null 2>&1; then
+    lsof -nP -iTCP:"$candidate" -sTCP:LISTEN >/dev/null 2>&1
+    return $?
+  fi
+  warn "neither ss nor lsof found; cannot check if port $candidate is already in use"
+  return 1
+}
+ensure_host_port_available() {
+  local candidate="$1"
+  validate_host_port "$candidate"
+  (( 10#$candidate >= 1024 )) || die "host port must be >= 1024 (the proxy runs unprivileged): $candidate"
+  _host_port_allocated "$candidate" && die "Host port is already assigned to an existing instance: $candidate"
+  _host_port_in_use "$candidate" && die "Host port is already in use on this host: $candidate"
+  return 0
+}
+next_port() {
+  validate_base_port
+  local base candidate
+  base=$((10#$BASE_PORT))
+  for ((candidate=base + 1; candidate<=65535; candidate++)); do
+    if _host_port_allocated "$candidate"; then
+      continue
+    fi
+    if _host_port_in_use "$candidate"; then
+      continue
+    fi
+    echo "$candidate"
+    return 0
+  done
+  die "No available host port found above BASE_PORT=$BASE_PORT"
 }
 next_ip() {
-  local max_octet=1
+  local prefix gateway gateway_octet mask
+  prefix="$(subnet_prefix)"
+  gateway="$(bridge_gateway_ip)"
+  mask="$(subnet_mask_bits)"
+  [[ "$gateway" == "$prefix".* ]] || die "BRIDGE_ADDR gateway ($gateway) must be in SUBNET_CIDR ($SUBNET_CIDR)"
+  gateway_octet="${gateway##*.}"
+  gateway_octet=$((10#$gateway_octet))
+  local -a used=()
+  used["$gateway_octet"]=1
+  local nullglob_was_set=0
+  shopt -q nullglob && nullglob_was_set=1
   shopt -s nullglob
   local f ip oct
   for f in "$STATE_ROOT"/.vm-*/.env; do
     ip="$(grep '^VM_IP=' "$f" | cut -d= -f2 || true)"
+    [[ "$ip" == "$prefix".* ]] || continue
     oct="${ip##*.}"
-    if [[ "$oct" =~ ^[0-9]+$ ]] && (( oct > max_octet )); then
-      max_octet="$oct"
-    fi
+    [[ "$oct" =~ ^[0-9]+$ ]] || continue
+    oct=$((10#$oct))
+    (( oct >= 0 && oct <= 255 )) || continue
+    used["$oct"]=1
   done
-  shopt -u nullglob
-  local next=$((max_octet + 1))
-  (( next < 255 )) || die "IP pool exhausted"
-  echo "172.16.0.$next"
-}
+  local candidate chosen=""
+  for ((candidate=2; candidate<=254; candidate++)); do
+    [[ -n "${used[$candidate]:-}" ]] && continue
+    chosen="$prefix.$candidate"
+    break
+  done
+  (( nullglob_was_set )) || shopt -u nullglob
-ensure_bridge_and_nat() {
-  if ! ip link show "$BRIDGE_NAME" >/dev/null 2>&1; then
-    ip link add "$BRIDGE_NAME" type bridge
+  if [[ -n "$chosen" ]]; then
+    echo "$chosen"
+    return 0
   fi
-  ip addr add "$BRIDGE_ADDR" dev "$BRIDGE_NAME" 2>/dev/null || true
-  ip link set "$BRIDGE_NAME" up
-  sysctl -w net.ipv4.ip_forward=1 >/dev/null
-  iptables -t nat -C POSTROUTING -s "$SUBNET_CIDR" ! -o "$BRIDGE_NAME" -j MASQUERADE 2>/dev/null \
-    || iptables -t nat -A POSTROUTING -s "$SUBNET_CIDR" ! -o "$BRIDGE_NAME" -j MASQUERADE
+  die "IP pool exhausted for subnet $prefix.0/$mask"
 }
 wait_for_ssh() {
   local ip="$1"
   local key="${2:-$SSH_KEY_PATH}"
   local retries="${3:-120}"
+  local instance_id="${4:-${INSTANCE_ID:-}}"
+  local vm_svc=""
   if [[ ! -r "$key" ]]; then
     if [[ $EUID -ne 0 ]]; then
-      die "Cannot read SSH key: $key (try: sudo fireclaw ...)"
+      warn "Cannot read SSH key: $key (try: sudo fireclaw ...)"
     else
-      die "SSH key not found: $key"
+      warn "SSH key not found: $key"
     fi
+    return 1
   fi
-  local vm_svc vm_state
-  vm_svc="$(vm_service "${INSTANCE_ID:-}")"
+  if [[ -n "$instance_id" ]]; then
+    vm_svc="$(vm_service "$instance_id")"
+  fi
+  local known_hosts vm_state
+  known_hosts="$(ssh_known_hosts_file "$instance_id")"
+  # Probe with /dev/null so a guest that regenerates host keys mid-boot (or
+  # accepts connections before authorized_keys lands) cannot poison the pin;
+  # the pin is recorded/verified only after the first successful login.
   local i
   for ((i=1; i<=retries; i++)); do
     if ssh -i "$key" -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 "ubuntu@$ip" true >/dev/null 2>&1; then
+      if [[ "$known_hosts" != "/dev/null" ]] && \
+         ! ssh -i "$key" -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="$known_hosts" -o ConnectTimeout=3 "ubuntu@$ip" true >/dev/null 2>&1; then
+        warn "Guest SSH host key does not match the pinned key in $known_hosts. If the change is expected (rebuilt VM), remove that file and retry."
+        return 1
+      fi
       return 0
     fi
-    vm_state="$(systemctl is-active "$vm_svc" 2>/dev/null)" || vm_state="inactive"
-    if [[ "$vm_state" != "active" ]]; then
-      die "VM is not running ($(printf '\033[31m%s\033[0m' "$vm_state")). Start it with: sudo fireclaw start ${INSTANCE_ID:-<id>}"
+    if [[ -n "$vm_svc" ]]; then
+      vm_state="$(systemctl is-active "$vm_svc" 2>/dev/null || true)"
+      case "$vm_state" in
+        active|activating|reloading|deactivating) ;;
+        *)
+          warn "VM is not running ($(printf '\033[31m%s\033[0m' "${vm_state:-inactive}")). Start it with: sudo fireclaw start $instance_id"
+          return 1
+          ;;
+      esac
     fi
     sleep 2
   done
-  die "VM is running but SSH did not become reachable at ubuntu@$ip after $((retries * 2))s"
+  warn "VM is running but SSH did not become reachable at ubuntu@$ip after $((retries * 2))s"
+  return 1
+}
+ssh_reachable() {
+  local ip="$1"
+  local key="${2:-$SSH_KEY_PATH}"
+  local instance_id="${3:-${INSTANCE_ID:-}}"
+  [[ -r "$key" ]] || return 1
+  ssh -i "$key" -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="$(ssh_known_hosts_file "$instance_id")" -o ConnectTimeout=3 "ubuntu@$ip" true >/dev/null 2>&1
 }
 check_guest_health() {
   local id="$1"
   local ip="$2"
   local key="${3:-$SSH_KEY_PATH}"
+  validate_instance_id "$id"
   local script
   script="$(guest_health_script "$id")"
-  ssh -i "$key" -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 "ubuntu@$ip" "if [[ -x '$script' ]]; then sudo '$script'; else curl -fsS http://127.0.0.1:18789/health >/dev/null; fi" >/dev/null 2>&1
+  ssh -i "$key" -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="$(ssh_known_hosts_file "$id")" -o ConnectTimeout=3 "ubuntu@$ip" "if [[ -x '$script' ]]; then sudo '$script'; else curl -fsS http://127.0.0.1:18789/health >/dev/null; fi" >/dev/null 2>&1
+}
+wait_for_instance_health() {
+  local id="$1"
+  local ip="$2"
+  local port="$3"
+  local key="${4:-$SSH_KEY_PATH}"
+  local retries="${5:-30}"
+  local host_ok="false"
+  local guest_ok="false"
+  validate_instance_id "$id"
+  validate_host_port "$port"
+  local i
+  for ((i=1; i<=retries; i++)); do
+    host_ok="false"
+    guest_ok="false"
+    curl -fsS "http://127.0.0.1:$port/health" >/dev/null 2>&1 && host_ok="true"
+    if check_guest_health "$id" "$ip" "$key"; then
+      guest_ok="true"
+    fi
+    if [[ "$host_ok" == "true" && "$guest_ok" == "true" ]]; then
+      return 0
+    fi
+    sleep 2
+  done
+  return 1
 }