vmsan 0.1.0-alpha.2 → 0.1.0-alpha.21

package/dist/_chunks/image-rootfs.mjs

@@ -1,329 +0,0 @@
-import { B as policyConflictError } from "./errors.mjs";
-import { a as parseDuration } from "./vm-state.mjs";
-import { t as assertSnapshotExists } from "./environment.mjs";
-import { c as parsePublishedPorts, d as validateCidr, f as validatePublishedPortsAvailable, i as parseDomains, l as parseRuntime, n as parseCidrList, o as parseMemoryMib, r as parseDiskSizeGb, s as parseNetworkPolicy, u as parseVcpuCount } from "./validation.mjs";
-import { dirname, join } from "node:path";
-import { execFileSync, execSync } from "node:child_process";
-import { consola } from "consola";
-import { copyFileSync, existsSync, mkdirSync, statSync, writeFileSync } from "node:fs";
-function parseCreateInput(args, paths) {
-	const vcpus = parseVcpuCount(args.vcpus);
-	const memMib = parseMemoryMib(args.memory);
-	const runtime = parseRuntime(args.runtime);
-	const networkPolicy = parseNetworkPolicy(args["network-policy"]);
-	const ports = parsePublishedPorts(args["publish-port"]);
-	const domains = parseDomains(args["allowed-domain"]);
-	const allowedCidrs = parseCidrList(args["allowed-cidr"]);
-	const deniedCidrs = parseCidrList(args["denied-cidr"]);
-	const timeoutMs = typeof args.timeout === "string" ? parseDuration(args.timeout) : null;
-	const snapshotId = typeof args.snapshot === "string" ? args.snapshot : null;
-	const diskSizeGb = parseDiskSizeGb(args.disk);
-	validatePublishedPortsAvailable(ports, paths);
-	for (const cidr of allowedCidrs) validateCidr(cidr);
-	for (const cidr of deniedCidrs) validateCidr(cidr);
-	if (networkPolicy === "deny-all" && (domains.length || allowedCidrs.length || deniedCidrs.length)) throw policyConflictError();
-	if (snapshotId) assertSnapshotExists(snapshotId, paths);
-	return {
-		vcpus,
-		memMib,
-		runtime,
-		networkPolicy: networkPolicy === "allow-all" && (domains.length > 0 || allowedCidrs.length > 0 || deniedCidrs.length > 0) ? "custom" : networkPolicy,
-		ports,
-		domains,
-		allowedCidrs,
-		deniedCidrs,
-		timeoutMs,
-		snapshotId,
-		diskSizeGb
-	};
-}
-function buildInitialVmState(input) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	return {
-		id: input.vmId,
-		project: input.project,
-		runtime: input.runtime,
-		diskSizeGb: input.diskSizeGb,
-		status: "creating",
-		pid: null,
-		apiSocket: "",
-		chrootDir: "",
-		kernel: input.kernelPath,
-		rootfs: input.rootfsPath,
-		vcpuCount: input.vcpus,
-		memSizeMib: input.memMib,
-		network: {
-			tapDevice: input.tapDevice,
-			hostIp: input.hostIp,
-			guestIp: input.guestIp,
-			subnetMask: input.subnetMask,
-			macAddress: input.macAddress,
-			networkPolicy: input.networkPolicy,
-			allowedDomains: input.domains,
-			allowedCidrs: input.allowedCidrs,
-			deniedCidrs: input.deniedCidrs,
-			publishedPorts: input.ports,
-			tunnelHostname: null,
-			tunnelHostnames: [],
-			bandwidthMbit: input.bandwidthMbit,
-			netnsName: input.netnsName
-		},
-		snapshot: input.snapshotId,
-		timeoutMs: input.timeoutMs,
-		timeoutAt: input.timeoutMs ? new Date(Date.now() + input.timeoutMs).toISOString() : null,
-		createdAt: now,
-		error: null,
-		agentToken: input.agentToken,
-		agentPort: input.agentPort
-	};
-}
-function buildCreateSummaryLines(input) {
-	return [
-		`VM Created: ${input.vmId}`,
-		"",
-		"  Status:   running",
-		`  PID:      ${input.pid || "unknown"}`,
-		`  vCPUs:    ${input.vcpus}`,
-		`  Memory:   ${input.memMib} MiB`,
-		`  Runtime:  ${input.runtime}`,
-		`  Disk:     ${input.diskSizeGb} GB`,
-		...input.project ? [`  Project:  ${input.project}`] : [],
-		"",
-		"  Network:",
-		`    TAP:    ${input.tapDevice}`,
-		`    Host:   ${input.hostIp}`,
-		`    Guest:  ${input.guestIp}`,
-		`    MAC:    ${input.macAddress}`,
-		`    Policy: ${input.networkPolicy}`,
-		...input.domains.length > 0 ? [`    Domains: ${input.domains.join(", ")}`] : [],
-		...input.allowedCidrs.length > 0 ? [`    Allowed CIDRs: ${input.allowedCidrs.join(", ")}`] : [],
-		...input.deniedCidrs.length > 0 ? [`    Denied CIDRs:  ${input.deniedCidrs.join(", ")}`] : [],
-		...input.ports.length > 0 ? [`    Ports:  ${input.ports.join(", ")}`] : [],
-		"",
-		`  Kernel:   ${input.kernelPath}`,
-		`  Rootfs:   ${input.rootfsPath}`,
-		...input.snapshotId ? [`  Snapshot: ${input.snapshotId}`] : [],
-		...input.timeout ? [`  Timeout:  ${input.timeout}`] : [],
-		"",
-		`  Socket:   ${input.socketPath}`,
-		`  Chroot:   ${input.chrootDir}`,
-		`  State:    ${input.stateFilePath}`
-	];
-}
-const VALID_ARCHES = ["x86_64", "aarch64"];
-const MAX_FILTER_SIZE = 1048576;
-/**
-* Compile a Firecracker seccomp JSON filter to BPF using seccompiler-bin.
-* Falls back to using the JSON filter directly if seccompiler-bin is not available.
-*/
-function compileSeccompFilter(jsonPath, outputPath, arch) {
-	const targetArch = arch ?? "x86_64";
-	if (!VALID_ARCHES.includes(targetArch)) throw new Error(`unsupported seccomp arch: ${targetArch} (allowed: ${VALID_ARCHES.join(", ")})`);
-	const stat = statSync(jsonPath);
-	if (stat.size > MAX_FILTER_SIZE) throw new Error(`seccomp filter too large: ${stat.size} bytes (max ${MAX_FILTER_SIZE})`);
-	mkdirSync(dirname(outputPath), { recursive: true });
-	execFileSync("seccompiler-bin", [
-		"--input-file",
-		jsonPath,
-		"--target-arch",
-		targetArch,
-		"--output-file",
-		outputPath
-	], { stdio: "pipe" });
-}
-/**
-* Ensure a seccomp filter is available for Firecracker.
-*
-* 1. If a compiled BPF exists at paths.seccompDir/default.bpf, return it.
-* 2. If the JSON source exists, try to compile it; return BPF path on success.
-* 3. If compilation fails (seccompiler-bin not installed), return null
-*    (Firecracker requires compiled BPF, not raw JSON).
-* 4. If no filter source exists at all, return null.
-*/
-function ensureSeccompFilter(paths) {
-	const bpfPath = join(paths.seccompDir, "default.bpf");
-	if (existsSync(bpfPath)) {
-		consola.debug(`seccomp: using compiled BPF filter at ${bpfPath}`);
-		return bpfPath;
-	}
-	const bundledJson = join(dirname(dirname(__dirname)), "seccomp", "default.json");
-	const userJson = paths.seccompFilter;
-	let sourceJson = null;
-	try {
-		const mode = statSync(userJson).mode;
-		if (mode & 18) consola.warn(`seccomp: filter at ${userJson} is group/world writable (mode ${(mode & 511).toString(8)}); consider restricting permissions`);
-		consola.debug(`seccomp: using user filter at ${userJson}`);
-		sourceJson = userJson;
-	} catch {}
-	if (!sourceJson && existsSync(bundledJson)) {
-		mkdirSync(paths.seccompDir, { recursive: true });
-		copyFileSync(bundledJson, userJson);
-		consola.debug(`seccomp: copied bundled filter to ${userJson}`);
-		sourceJson = userJson;
-	}
-	if (!sourceJson) return null;
-	try {
-		compileSeccompFilter(sourceJson, bpfPath);
-		consola.debug(`seccomp: compiled BPF filter at ${bpfPath}`);
-		return bpfPath;
-	} catch {
-		consola.warn("seccomp: BPF compilation failed (seccompiler-bin not available?); seccomp filtering disabled. Install seccompiler-bin for seccomp support.");
-		return null;
-	}
-}
-function dockerUnavailableError() {
-	return /* @__PURE__ */ new Error("Docker is not available. Install Docker and ensure the daemon is running.");
-}
-const APT_PACKAGES = [
-	"bind9-utils",
-	"bzip2",
-	"findutils",
-	"git",
-	"gzip",
-	"iputils-ping",
-	"libicu-dev",
-	"libjpeg-dev",
-	"libpng-dev",
-	"ncurses-base",
-	"libssl-dev",
-	"openssh-server",
-	"openssl",
-	"procps",
-	"tar",
-	"unzip",
-	"debianutils",
-	"whois",
-	"zstd"
-];
-const DNF_PACKAGES = [
-	"bind-utils",
-	"bzip2",
-	"findutils",
-	"git",
-	"gzip",
-	"iputils",
-	"libicu",
-	"libjpeg",
-	"libpng",
-	"ncurses-libs",
-	"openssh-server",
-	"openssl",
-	"openssl-libs",
-	"procps",
-	"tar",
-	"unzip",
-	"which",
-	"whois",
-	"zstd"
-];
-const APK_PACKAGES = [
-	"bind-tools",
-	"bzip2",
-	"findutils",
-	"git",
-	"gzip",
-	"iputils",
-	"icu-libs",
-	"libjpeg-turbo",
-	"libpng",
-	"ncurses-libs",
-	"openrc",
-	"openssh",
-	"openssl",
-	"procps",
-	"tar",
-	"unzip",
-	"whois",
-	"zstd"
-];
-function generateDockerfile(baseImage) {
-	return `FROM ${baseImage}
-RUN if command -v apt-get >/dev/null 2>&1; then ${`apt-get update && apt-get install -y --no-install-recommends ${APT_PACKAGES.join(" ")} && rm -rf /var/lib/apt/lists/*`}; \\
-    elif command -v dnf >/dev/null 2>&1; then ${`dnf install -y ${DNF_PACKAGES.join(" ")} && dnf clean all`}; \\
-    elif command -v yum >/dev/null 2>&1; then ${`yum install -y ${DNF_PACKAGES.join(" ")} && yum clean all`}; \\
-    elif command -v apk >/dev/null 2>&1; then ${`apk add --no-cache ${APK_PACKAGES.join(" ")}`}; \\
-    fi
-RUN ssh-keygen -A 2>/dev/null || true; \\
-    mkdir -p /root/.ssh && chmod 700 /root/.ssh; \\
-    if [ -f /etc/ssh/sshd_config ]; then \\
-      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config; \\
-    fi; \\
-    if command -v rc-update >/dev/null 2>&1; then \\
-      rc-update add devfs sysinit 2>/dev/null || true; \\
-      rc-update add mdev sysinit 2>/dev/null || true; \\
-      rc-update add hwdrivers sysinit 2>/dev/null || true; \\
-      rc-update add modules boot 2>/dev/null || true; \\
-      rc-update add sysctl boot 2>/dev/null || true; \\
-      rc-update add hostname boot 2>/dev/null || true; \\
-      rc-update add bootmisc boot 2>/dev/null || true; \\
-      rc-update add networking boot 2>/dev/null || true; \\
-      rc-update add sshd default 2>/dev/null || true; \\
-      printf '%s\\n' '::sysinit:/sbin/openrc sysinit' '::sysinit:/sbin/openrc boot' '::wait:/sbin/openrc default' '::shutdown:/sbin/openrc shutdown' 'ttyS0::respawn:/sbin/getty 115200 ttyS0' > /etc/inittab; \\
-    fi; \\
-    if command -v systemctl >/dev/null 2>&1; then systemctl enable sshd 2>/dev/null || systemctl enable ssh 2>/dev/null || true; fi
-`;
-}
-function verifyDocker() {
-	try {
-		execSync("docker info", { stdio: "pipe" });
-	} catch {
-		throw dockerUnavailableError();
-	}
-}
-function buildImageRootfs(imageRef, cacheDir) {
-	const ext4Path = join(cacheDir, "rootfs.ext4");
-	verifyDocker();
-	const buildTag = `vmsan-rootfs-${imageRef.name.replace(/[^a-z0-9._-]/gi, "-")}:${imageRef.tag}`;
-	const containerName = `vmsan-export-${Date.now()}`;
-	const tmpTar = join(cacheDir, "rootfs.tar");
-	mkdirSync(cacheDir, { recursive: true });
-	try {
-		consola.start(`Building image from ${imageRef.full}...`);
-		execSync(`docker build -t "${buildTag}" -f - . <<'DOCKERFILE'\n${generateDockerfile(imageRef.full)}\nDOCKERFILE`, {
-			stdio: "pipe",
-			shell: "/bin/bash"
-		});
-		consola.start("Exporting filesystem...");
-		execSync(`docker create --name "${containerName}" "${buildTag}"`, { stdio: "pipe" });
-		execSync(`docker export "${containerName}" -o "${tmpTar}"`, { stdio: "pipe" });
-		consola.start("Converting to ext4...");
-		const tarSizeOutput = execSync(`stat -c %s "${tmpTar}"`, { encoding: "utf-8" }).trim();
-		const tarMb = Number(tarSizeOutput) / 1024 / 1024;
-		const imageSizeMb = Math.max(1024, Math.ceil(tarMb + 512));
-		execSync(`dd if=/dev/zero of="${ext4Path}" bs=1M count=${imageSizeMb} 2>/dev/null`, { stdio: "pipe" });
-		execSync(`mkfs.ext4 -q "${ext4Path}"`, { stdio: "pipe" });
-		execSync(`tune2fs -m 0 "${ext4Path}"`, { stdio: "pipe" });
-		const tmpMount = join(cacheDir, "mnt");
-		mkdirSync(tmpMount, { recursive: true });
-		execSync(`mount -o loop "${ext4Path}" "${tmpMount}"`, { stdio: "pipe" });
-		try {
-			execSync(`tar -xf "${tmpTar}" -C "${tmpMount}"`, { stdio: "pipe" });
-		} finally {
-			execSync(`umount "${tmpMount}"`, { stdio: "pipe" });
-			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
-		}
-		writeFileSync(join(cacheDir, "metadata.json"), JSON.stringify({
-			image: imageRef.full,
-			builtAt: (/* @__PURE__ */ new Date()).toISOString()
-		}, null, 2));
-		consola.success(`Rootfs built from ${imageRef.full} (${imageSizeMb} MB)`);
-		return ext4Path;
-	} finally {
-		try {
-			execSync(`docker rm -f "${containerName}" 2>/dev/null`, { stdio: "pipe" });
-		} catch {}
-		try {
-			execSync(`rm -f "${tmpTar}"`, { stdio: "pipe" });
-		} catch {}
-	}
-}
-function resolveImageRootfs(imageRef, registryDir) {
-	const cacheDir = join(registryDir, imageRef.cacheKey);
-	const ext4Path = join(cacheDir, "rootfs.ext4");
-	if (existsSync(ext4Path)) {
-		consola.info(`Using cached rootfs for ${imageRef.full}`);
-		return ext4Path;
-	}
-	return buildImageRootfs(imageRef, cacheDir);
-}
-export { buildInitialVmState as a, buildCreateSummaryLines as i, compileSeccompFilter as n, parseCreateInput as o, ensureSeccompFilter as r, resolveImageRootfs as t };

package/dist/_chunks/vm.mjs

@@ -1,208 +0,0 @@
-import { H as VmsanError, S as vmNotStoppedError, b as vmNotFoundError, u as lockTimeoutError, x as vmNotRunningError } from "./errors.mjs";
-import { o as safeKill, t as FileVmStateStore } from "./vm-state.mjs";
-import { a as getVmPid, c as NetworkManager, i as getVmJailerPid } from "./environment.mjs";
-import { dirname, join } from "node:path";
-import { mkdirSync, rmSync } from "node:fs";
-import { lock, lockSync } from "proper-lockfile";
-const STALE_MS = 3e5;
-const RETRY_MS = 50;
-const MAX_RETRIES = 600;
-const WAIT_ARRAY = new Int32Array(new SharedArrayBuffer(4));
-var FileLock = class {
-	stale;
-	retries;
-	realpath;
-	constructor(path, name, options) {
-		this.path = path;
-		this.name = name;
-		this.stale = options?.stale ?? STALE_MS;
-		this.retries = options?.retries ?? MAX_RETRIES;
-		this.realpath = options?.realpath ?? false;
-	}
-	run(fn) {
-		mkdirSync(dirname(this.path), { recursive: true });
-		const syncOpts = {
-			stale: this.stale,
-			realpath: this.realpath
-		};
-		let release;
-		for (let attempt = 0;; attempt++) try {
-			release = lockSync(this.path, syncOpts);
-			break;
-		} catch (error) {
-			if (error.code !== "ELOCKED") throw error;
-			if (attempt >= this.retries) throw lockTimeoutError(this.name);
-			Atomics.wait(WAIT_ARRAY, 0, 0, RETRY_MS);
-		}
-		try {
-			return fn();
-		} finally {
-			release();
-		}
-	}
-	async runAsync(fn) {
-		mkdirSync(dirname(this.path), { recursive: true });
-		const asyncOpts = {
-			stale: this.stale,
-			realpath: this.realpath,
-			retries: {
-				retries: this.retries,
-				minTimeout: RETRY_MS,
-				maxTimeout: RETRY_MS,
-				factor: 1
-			}
-		};
-		let release;
-		try {
-			release = await lock(this.path, asyncOpts);
-		} catch (error) {
-			if (error.code === "ELOCKED") throw lockTimeoutError(this.name);
-			throw error;
-		}
-		try {
-			return await fn();
-		} finally {
-			await release();
-		}
-	}
-};
-var VMService = class {
-	store;
-	constructor(paths) {
-		this.paths = paths;
-		this.store = new FileVmStateStore(paths.vmsDir);
-	}
-	list() {
-		return this.store.list().sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
-	}
-	get(vmId) {
-		return this.store.load(vmId);
-	}
-	async stop(vmId) {
-		const state = this.store.load(vmId);
-		if (!state) return {
-			vmId,
-			success: false,
-			error: vmNotFoundError(vmId)
-		};
-		if (state.status === "stopped") return {
-			vmId,
-			success: true,
-			alreadyStopped: true
-		};
-		try {
-			if (state.pid) safeKill(state.pid, "SIGKILL");
-			const orphanPid = getVmPid(vmId);
-			if (orphanPid) safeKill(orphanPid, "SIGKILL");
-			const orphanJailerPid = getVmJailerPid(vmId);
-			if (orphanJailerPid) safeKill(orphanJailerPid, "SIGKILL");
-			if (state.network) try {
-				NetworkManager.fromVmNetwork(state.network).teardown();
-			} catch {}
-			this.store.update(vmId, {
-				status: "stopped",
-				pid: null
-			});
-			return {
-				vmId,
-				success: true
-			};
-		} catch (err) {
-			return {
-				vmId,
-				success: false,
-				error: err instanceof VmsanError ? err : void 0
-			};
-		}
-	}
-	async updateNetworkPolicy(vmId, policy, domains, allowedCidrs, deniedCidrs) {
-		return new FileLock(join(this.paths.vmsDir, `${vmId}.json`), `update-policy-${vmId}`).run(() => {
-			const state = this.store.load(vmId);
-			if (!state) return {
-				vmId,
-				success: false,
-				previousPolicy: "",
-				newPolicy: policy,
-				error: vmNotFoundError(vmId)
-			};
-			if (state.status !== "running") return {
-				vmId,
-				success: false,
-				previousPolicy: state.network.networkPolicy,
-				newPolicy: policy,
-				error: vmNotRunningError(vmId)
-			};
-			const previousPolicy = state.network.networkPolicy;
-			try {
-				NetworkManager.fromVmNetwork(state.network).updatePolicy(policy, domains, allowedCidrs, deniedCidrs);
-				this.store.update(vmId, { network: {
-					...state.network,
-					networkPolicy: policy,
-					allowedDomains: domains,
-					allowedCidrs,
-					deniedCidrs
-				} });
-				return {
-					vmId,
-					success: true,
-					previousPolicy,
-					newPolicy: policy
-				};
-			} catch (err) {
-				return {
-					vmId,
-					success: false,
-					previousPolicy,
-					newPolicy: policy,
-					error: err instanceof VmsanError ? err : void 0
-				};
-			}
-		});
-	}
-	async remove(vmId, opts) {
-		const state = this.store.load(vmId);
-		if (!state) return {
-			vmId,
-			success: false,
-			error: vmNotFoundError(vmId)
-		};
-		try {
-			if (state.status !== "stopped") {
-				if (!opts?.force) return {
-					vmId,
-					success: false,
-					error: vmNotStoppedError(vmId, state.status)
-				};
-				const stopResult = await this.stop(vmId);
-				if (!stopResult.success) return stopResult;
-			}
-			if (state.chrootDir) {
-				const vmJailerDir = dirname(state.chrootDir);
-				try {
-					rmSync(state.chrootDir, {
-						recursive: true,
-						force: true
-					});
-				} catch {}
-				try {
-					rmSync(vmJailerDir, {
-						recursive: true,
-						force: true
-					});
-				} catch {}
-			}
-			this.store.delete(vmId);
-			return {
-				vmId,
-				success: true
-			};
-		} catch (err) {
-			return {
-				vmId,
-				success: false,
-				error: err instanceof VmsanError ? err : void 0
-			};
-		}
-	}
-};
-export { FileLock as n, VMService as t };