vmsan 0.1.0-alpha.2 → 0.1.0-alpha.21

package/dist/_chunks/context.mjs

@@ -0,0 +1,2380 @@
+import { n as vmsanPaths } from "./paths.mjs";
+import { B as mutuallyExclusiveFlagsError, C as vmNotStoppedError, S as vmNotRunningError, U as VmsanError, _ as chrootNotFoundError, a as noKernelDirError, d as socketTimeoutError, i as noExt4RootfsError, o as noKernelError, p as defaultInterfaceNotFoundError, r as missingBinaryError, s as noRootfsDirError, u as lockTimeoutError, x as vmNotFoundError, y as snapshotNotFoundError } from "./errors.mjs";
+import { c as safeKill, f as toError, i as generateVmId, t as FileVmStateStore } from "./vm-state.mjs";
+import { t as FirecrackerClient } from "./firecracker.mjs";
+import { t as spawnTimeoutKiller } from "./timeout-killer.mjs";
+import { createHooks } from "hookable";
+import { dirname, join } from "node:path";
+import { execFileSync, execSync } from "node:child_process";
+import { copyFileSync, existsSync, linkSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { consola } from "consola";
+import { randomBytes } from "node:crypto";
+import { lock, lockSync } from "proper-lockfile";
+import { connect } from "node:net";
+import { fileURLToPath } from "node:url";
+function createDefaultLogger() {
+	return wrapConsola(consola);
+}
+function wrapConsola(instance) {
+	return {
+		debug: instance.debug.bind(instance),
+		info: instance.info.bind(instance),
+		success: instance.success.bind(instance),
+		warn: instance.warn.bind(instance),
+		error: instance.error.bind(instance),
+		start: instance.start.bind(instance),
+		box: (message) => instance.box(message),
+		withTag: (tag) => wrapConsola(instance.withTag(tag))
+	};
+}
+const noop = () => {};
+function createSilentLogger() {
+	const silent = {
+		debug: noop,
+		info: noop,
+		success: noop,
+		warn: noop,
+		error: noop,
+		start: noop,
+		box: noop,
+		withTag: () => silent
+	};
+	return silent;
+}
+const DNS_RESOLVERS = ["8.8.8.8", "8.8.4.4"];
+const DOH_RESOLVER_IPS = [
+	"8.8.8.8",
+	"8.8.4.4",
+	"1.1.1.1",
+	"1.0.0.1",
+	"9.9.9.9",
+	"149.112.112.112",
+	"208.67.222.222",
+	"208.67.220.220",
+	"185.228.168.168",
+	"185.228.169.168"
+];
+function runArgs(bin, args) {
+	execFileSync(bin, args, { stdio: "pipe" });
+}
+function sudo(args) {
+	runArgs("sudo", args);
+}
+function sudoNetns(nsName, args) {
+	sudo([
+		"ip",
+		"netns",
+		"exec",
+		nsName,
+		...args
+	]);
+}
+function getDefaultInterface() {
+	const match = execFileSync("ip", [
+		"route",
+		"show",
+		"default"
+	], {
+		encoding: "utf-8",
+		stdio: "pipe"
+	}).trim().match(/dev\s+(\S+)/);
+	if (!match) throw defaultInterfaceNotFoundError();
+	return match[1];
+}
+/**
+* Detect effective policy mode:
+* - "deny-all": explicit deny-all, no outbound
+* - "custom": any of allowedDomains/allowedCidrs/deniedCidrs present
+* - "allow-all": default, unrestricted
+*/
+function effectivePolicy(config) {
+	if (config.networkPolicy === "deny-all") return "deny-all";
+	if (config.allowedDomains.length > 0 || config.allowedCidrs.length > 0 || config.deniedCidrs.length > 0) return "custom";
+	return "allow-all";
+}
+var NetworkManager = class NetworkManager {
+	config;
+	constructor(slot, networkPolicy, allowedDomains, allowedCidrs, deniedCidrs, publishedPorts, bandwidthMbit, netnsName) {
+		this.config = {
+			slot,
+			tapDevice: `fhvm${slot}`,
+			hostIp: `172.16.${slot}.1`,
+			guestIp: `172.16.${slot}.2`,
+			subnetMask: "255.255.255.252",
+			macAddress: `AA:FC:00:00:00:${(slot + 1).toString(16).padStart(2, "0").toUpperCase()}`,
+			networkPolicy,
+			allowedDomains,
+			allowedCidrs,
+			deniedCidrs,
+			publishedPorts,
+			bandwidthMbit,
+			netnsName
+		};
+	}
+	static bootArgs(slot) {
+		return `console=ttyS0 reboot=k panic=1 pci=off ip=172.16.${slot}.2::${`172.16.${slot}.1`}:255.255.255.252::eth0:off:${DNS_RESOLVERS[0]}`;
+	}
+	static fromConfig(config) {
+		const mgr = Object.create(NetworkManager.prototype);
+		mgr.config = config;
+		return mgr;
+	}
+	static fromVmNetwork(network) {
+		const slot = Number(network.hostIp.split(".")[2]);
+		if (!Number.isInteger(slot)) throw new Error(`invalid network slot derived from hostIp: ${network.hostIp}`);
+		return NetworkManager.fromConfig({
+			slot,
+			tapDevice: network.tapDevice,
+			hostIp: network.hostIp,
+			guestIp: network.guestIp,
+			subnetMask: network.subnetMask,
+			macAddress: network.macAddress,
+			networkPolicy: network.networkPolicy,
+			allowedDomains: network.allowedDomains,
+			allowedCidrs: network.allowedCidrs || [],
+			deniedCidrs: network.deniedCidrs || [],
+			publishedPorts: network.publishedPorts,
+			bandwidthMbit: network.bandwidthMbit,
+			netnsName: network.netnsName
+		});
+	}
+	nsRun(args) {
+		const { netnsName } = this.config;
+		if (netnsName) sudoNetns(netnsName, args);
+		else sudo(args);
+	}
+	setupNamespace() {
+		const { slot, netnsName } = this.config;
+		if (!netnsName) return;
+		const vethHost = `veth-h-${slot}`;
+		const vethGuest = `veth-g-${slot}`;
+		const transitHostIp = `10.200.${slot}.1`;
+		const transitGuestIp = `10.200.${slot}.2`;
+		if (existsSync(`/sys/class/net/${vethHost}`)) try {
+			sudo([
+				"ip",
+				"link",
+				"delete",
+				vethHost
+			]);
+		} catch {}
+		sudo([
+			"ip",
+			"netns",
+			"add",
+			netnsName
+		]);
+		sudo([
+			"ip",
+			"link",
+			"add",
+			vethHost,
+			"type",
+			"veth",
+			"peer",
+			"name",
+			vethGuest
+		]);
+		sudo([
+			"ip",
+			"link",
+			"set",
+			vethGuest,
+			"netns",
+			netnsName
+		]);
+		sudo([
+			"ip",
+			"addr",
+			"add",
+			`${transitHostIp}/30`,
+			"dev",
+			vethHost
+		]);
+		sudo([
+			"ip",
+			"link",
+			"set",
+			vethHost,
+			"up"
+		]);
+		sudoNetns(netnsName, [
+			"ip",
+			"addr",
+			"add",
+			`${transitGuestIp}/30`,
+			"dev",
+			vethGuest
+		]);
+		sudoNetns(netnsName, [
+			"ip",
+			"link",
+			"set",
+			vethGuest,
+			"up"
+		]);
+		sudoNetns(netnsName, [
+			"ip",
+			"link",
+			"set",
+			"lo",
+			"up"
+		]);
+		sudoNetns(netnsName, [
+			"ip",
+			"route",
+			"add",
+			"default",
+			"via",
+			transitHostIp
+		]);
+		sudoNetns(netnsName, [
+			"sysctl",
+			"-w",
+			"net.ipv4.ip_forward=1"
+		]);
+		sudo([
+			"ip",
+			"route",
+			"add",
+			`172.16.${slot}.0/30`,
+			"via",
+			transitGuestIp
+		]);
+		sudo([
+			"sysctl",
+			"-w",
+			"net.ipv4.ip_forward=1"
+		]);
+	}
+	teardownNamespace() {
+		const { slot, netnsName } = this.config;
+		if (!netnsName) return;
+		const tryRun = (args) => {
+			try {
+				sudo(args);
+			} catch {}
+		};
+		tryRun([
+			"ip",
+			"route",
+			"del",
+			`172.16.${slot}.0/30`
+		]);
+		tryRun([
+			"ip",
+			"netns",
+			"delete",
+			netnsName
+		]);
+	}
+	setupDevice() {
+		const { tapDevice, hostIp, netnsName } = this.config;
+		if (!netnsName) {
+			if (existsSync(`/sys/class/net/${tapDevice}`)) try {
+				sudo([
+					"ip",
+					"link",
+					"delete",
+					tapDevice
+				]);
+			} catch {}
+			sudo([
+				"ip",
+				"tuntap",
+				"add",
+				"dev",
+				tapDevice,
+				"mode",
+				"tap"
+			]);
+			sudo([
+				"ip",
+				"addr",
+				"add",
+				`${hostIp}/30`,
+				"dev",
+				tapDevice
+			]);
+			sudo([
+				"ip",
+				"link",
+				"set",
+				tapDevice,
+				"up"
+			]);
+			sudo([
+				"sysctl",
+				"-w",
+				"net.ipv4.ip_forward=1"
+			]);
+		} else {
+			sudoNetns(netnsName, [
+				"ip",
+				"tuntap",
+				"add",
+				"dev",
+				tapDevice,
+				"mode",
+				"tap"
+			]);
+			sudoNetns(netnsName, [
+				"ip",
+				"addr",
+				"add",
+				`${hostIp}/30`,
+				"dev",
+				tapDevice
+			]);
+			sudoNetns(netnsName, [
+				"ip",
+				"link",
+				"set",
+				tapDevice,
+				"up"
+			]);
+		}
+	}
+	setupRules() {
+		const { tapDevice, hostIp, guestIp, publishedPorts } = this.config;
+		const policy = effectivePolicy(this.config);
+		const fwd = this.nsRun.bind(this);
+		if (policy === "deny-all") {
+			fwd([
+				"iptables",
+				"-I",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-I",
+				"FORWARD",
+				"-o",
+				tapDevice,
+				"-j",
+				"DROP"
+			]);
+			return;
+		}
+		const defaultIface = getDefaultInterface();
+		sudo([
+			"iptables",
+			"-t",
+			"nat",
+			"-A",
+			"POSTROUTING",
+			"-s",
+			`${guestIp}/30`,
+			"-o",
+			defaultIface,
+			"-j",
+			"MASQUERADE"
+		]);
+		if (this.config.netnsName) {
+			const vethHost = `veth-h-${this.config.slot}`;
+			sudo([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				vethHost,
+				"-o",
+				defaultIface,
+				"-s",
+				`${guestIp}/30`,
+				"-j",
+				"ACCEPT"
+			]);
+			sudo([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				defaultIface,
+				"-o",
+				vethHost,
+				"-d",
+				`${guestIp}/30`,
+				"-m",
+				"state",
+				"--state",
+				"RELATED,ESTABLISHED",
+				"-j",
+				"ACCEPT"
+			]);
+		}
+		if (policy === "custom") {
+			for (const cidr of this.config.deniedCidrs) fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				cidr,
+				"-j",
+				"DROP"
+			]);
+			for (const dnsIp of DNS_RESOLVERS) {
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"udp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"tcp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+			}
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			for (const ip of DOH_RESOLVER_IPS) {
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"tcp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"udp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+			}
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				"172.16.0.0/16",
+				"-j",
+				"DROP"
+			]);
+			for (const cidr of this.config.allowedCidrs) fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				cidr,
+				"-j",
+				"ACCEPT"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-j",
+				"ACCEPT"
+			]);
+		} else {
+			for (const dnsIp of DNS_RESOLVERS) {
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"udp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"tcp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+			}
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			for (const ip of DOH_RESOLVER_IPS) {
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"tcp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+				fwd([
+					"iptables",
+					"-A",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"udp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+			}
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				"172.16.0.0/16",
+				"-j",
+				"DROP"
+			]);
+			fwd([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-j",
+				"ACCEPT"
+			]);
+		}
+		fwd([
+			"iptables",
+			"-A",
+			"FORWARD",
+			"-o",
+			tapDevice,
+			"-m",
+			"state",
+			"--state",
+			"RELATED,ESTABLISHED",
+			"-j",
+			"ACCEPT"
+		]);
+		for (const port of publishedPorts) {
+			const portStr = String(port);
+			sudo([
+				"iptables",
+				"-t",
+				"nat",
+				"-A",
+				"PREROUTING",
+				"-i",
+				defaultIface,
+				"-p",
+				"tcp",
+				"--dport",
+				portStr,
+				"-j",
+				"DNAT",
+				"--to-destination",
+				`${guestIp}:${portStr}`
+			]);
+			sudo([
+				"iptables",
+				"-A",
+				"FORWARD",
+				"-p",
+				"tcp",
+				"-d",
+				guestIp,
+				"--dport",
+				portStr,
+				"-j",
+				"ACCEPT"
+			]);
+		}
+	}
+	setupThrottle() {
+		const { tapDevice, bandwidthMbit } = this.config;
+		if (bandwidthMbit === void 0) return;
+		const rateKbit = bandwidthMbit * 1e3;
+		const burstKb = Math.max(32, Math.floor(rateKbit / 8));
+		this.nsRun([
+			"tc",
+			"qdisc",
+			"add",
+			"dev",
+			tapDevice,
+			"root",
+			"tbf",
+			"rate",
+			`${bandwidthMbit}mbit`,
+			"burst",
+			`${burstKb}kb`,
+			"latency",
+			"400ms"
+		]);
+	}
+	teardownThrottle() {
+		const { tapDevice } = this.config;
+		try {
+			this.nsRun([
+				"tc",
+				"qdisc",
+				"del",
+				"dev",
+				tapDevice,
+				"root"
+			]);
+		} catch {}
+	}
+	teardownRules() {
+		const { tapDevice, hostIp, guestIp, publishedPorts, netnsName } = this.config;
+		let defaultIface;
+		try {
+			defaultIface = getDefaultInterface();
+		} catch {}
+		const tryRun = (args) => {
+			try {
+				sudo(args);
+			} catch {}
+		};
+		const tryFwd = (args) => {
+			try {
+				this.nsRun(args);
+			} catch {}
+		};
+		for (const port of publishedPorts) {
+			const portStr = String(port);
+			if (defaultIface) tryRun([
+				"iptables",
+				"-t",
+				"nat",
+				"-D",
+				"PREROUTING",
+				"-i",
+				defaultIface,
+				"-p",
+				"tcp",
+				"--dport",
+				portStr,
+				"-j",
+				"DNAT",
+				"--to-destination",
+				`${guestIp}:${portStr}`
+			]);
+			tryRun([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-p",
+				"tcp",
+				"-d",
+				guestIp,
+				"--dport",
+				portStr,
+				"-j",
+				"ACCEPT"
+			]);
+		}
+		if (!netnsName) {
+			for (const cidr of this.config.deniedCidrs) tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				cidr,
+				"-j",
+				"DROP"
+			]);
+			for (const cidr of this.config.allowedCidrs) tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				cidr,
+				"-j",
+				"ACCEPT"
+			]);
+			for (const dnsIp of DNS_RESOLVERS) {
+				tryFwd([
+					"iptables",
+					"-D",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"udp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+				tryFwd([
+					"iptables",
+					"-D",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					dnsIp,
+					"-p",
+					"tcp",
+					"--dport",
+					"53",
+					"-j",
+					"ACCEPT"
+				]);
+			}
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"53",
+				"-j",
+				"DROP"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"udp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-p",
+				"tcp",
+				"--dport",
+				"853",
+				"-j",
+				"DROP"
+			]);
+			for (const ip of DOH_RESOLVER_IPS) {
+				tryFwd([
+					"iptables",
+					"-D",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"tcp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+				tryFwd([
+					"iptables",
+					"-D",
+					"FORWARD",
+					"-i",
+					tapDevice,
+					"-d",
+					ip,
+					"-p",
+					"udp",
+					"--dport",
+					"443",
+					"-j",
+					"DROP"
+				]);
+			}
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-d",
+				"172.16.0.0/16",
+				"-j",
+				"DROP"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-j",
+				"ACCEPT"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-o",
+				tapDevice,
+				"-m",
+				"state",
+				"--state",
+				"RELATED,ESTABLISHED",
+				"-j",
+				"ACCEPT"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				tapDevice,
+				"-j",
+				"DROP"
+			]);
+			tryFwd([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-o",
+				tapDevice,
+				"-j",
+				"DROP"
+			]);
+		}
+		if (netnsName && defaultIface) {
+			const vethHost = `veth-h-${this.config.slot}`;
+			tryRun([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				vethHost,
+				"-o",
+				defaultIface,
+				"-s",
+				`${guestIp}/30`,
+				"-j",
+				"ACCEPT"
+			]);
+			tryRun([
+				"iptables",
+				"-D",
+				"FORWARD",
+				"-i",
+				defaultIface,
+				"-o",
+				vethHost,
+				"-d",
+				`${guestIp}/30`,
+				"-m",
+				"state",
+				"--state",
+				"RELATED,ESTABLISHED",
+				"-j",
+				"ACCEPT"
+			]);
+		}
+		if (defaultIface) tryRun([
+			"iptables",
+			"-t",
+			"nat",
+			"-D",
+			"POSTROUTING",
+			"-s",
+			`${guestIp}/30`,
+			"-o",
+			defaultIface,
+			"-j",
+			"MASQUERADE"
+		]);
+	}
+	teardownDevice() {
+		const { tapDevice, netnsName } = this.config;
+		if (netnsName) return;
+		try {
+			sudo([
+				"ip",
+				"link",
+				"delete",
+				tapDevice
+			]);
+		} catch {}
+	}
+	async setup() {
+		this.setupNamespace();
+		this.setupDevice();
+		this.setupRules();
+		this.setupThrottle();
+	}
+	teardown() {
+		if (this.config.netnsName) {
+			this.teardownRules();
+			this.teardownNamespace();
+		} else {
+			this.teardownThrottle();
+			this.teardownRules();
+			this.teardownDevice();
+		}
+	}
+	updatePolicy(newPolicy, newDomains, newAllowedCidrs, newDeniedCidrs) {
+		const oldConfig = { ...this.config };
+		this.teardownRules();
+		this.config.networkPolicy = newPolicy;
+		this.config.allowedDomains = newDomains;
+		this.config.allowedCidrs = newAllowedCidrs;
+		this.config.deniedCidrs = newDeniedCidrs;
+		try {
+			this.setupRules();
+		} catch (err) {
+			this.config = oldConfig;
+			try {
+				this.setupRules();
+			} catch {}
+			throw err;
+		}
+	}
+};
+const STALE_MS = 3e5;
+const RETRY_MS = 50;
+const MAX_RETRIES = 600;
+const WAIT_ARRAY = new Int32Array(new SharedArrayBuffer(4));
+var FileLock = class {
+	stale;
+	retries;
+	realpath;
+	constructor(path, name, options) {
+		this.path = path;
+		this.name = name;
+		this.stale = options?.stale ?? STALE_MS;
+		this.retries = options?.retries ?? MAX_RETRIES;
+		this.realpath = options?.realpath ?? false;
+	}
+	run(fn) {
+		mkdirSync(dirname(this.path), { recursive: true });
+		const syncOpts = {
+			stale: this.stale,
+			realpath: this.realpath
+		};
+		let release;
+		for (let attempt = 0;; attempt++) try {
+			release = lockSync(this.path, syncOpts);
+			break;
+		} catch (error) {
+			if (error.code !== "ELOCKED") throw error;
+			if (attempt >= this.retries) throw lockTimeoutError(this.name);
+			Atomics.wait(WAIT_ARRAY, 0, 0, RETRY_MS);
+		}
+		try {
+			return fn();
+		} finally {
+			release();
+		}
+	}
+	async runAsync(fn) {
+		mkdirSync(dirname(this.path), { recursive: true });
+		const asyncOpts = {
+			stale: this.stale,
+			realpath: this.realpath,
+			retries: {
+				retries: this.retries,
+				minTimeout: RETRY_MS,
+				maxTimeout: RETRY_MS,
+				factor: 1
+			}
+		};
+		let release;
+		try {
+			release = await lock(this.path, asyncOpts);
+		} catch (error) {
+			if (error.code === "ELOCKED") throw lockTimeoutError(this.name);
+			throw error;
+		}
+		try {
+			return await fn();
+		} finally {
+			await release();
+		}
+	}
+};
+/**
+* Template generators for the node22-demo runtime welcome page.
+* All functions are pure and return string content ready to write to files.
+*/
+function generateWelcomeHtml(vmId, ports) {
+	ports.map((p) => `<li>${p}</li>`).join("\n            ");
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>vmsan VM ${vmId}</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+      background: #0f172a;
+      color: #e2e8f0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 2rem;
+    }
+    .container { max-width: 640px; width: 100%; }
+    .header { text-align: center; margin-bottom: 2rem; }
+    .logo {
+      font-size: 2.5rem;
+      font-weight: 800;
+      background: linear-gradient(135deg, #f97316, #ef4444);
+      -webkit-background-clip: text;
+      -webkit-text-fill-color: transparent;
+      background-clip: text;
+    }
+    .subtitle { color: #94a3b8; margin-top: 0.5rem; font-size: 1.1rem; }
+    .card {
+      background: #1e293b;
+      border: 1px solid #334155;
+      border-radius: 12px;
+      padding: 1.5rem;
+      margin-bottom: 1.25rem;
+    }
+    .card h2 { font-size: 1rem; color: #f97316; margin-bottom: 0.75rem; }
+    .info-row { display: flex; justify-content: space-between; padding: 0.35rem 0; }
+    .info-label { color: #94a3b8; }
+    .info-value { font-family: monospace; color: #e2e8f0; }
+    ul { list-style: none; }
+    ul li { padding: 0.25rem 0; }
+    code {
+      background: #0f172a;
+      border: 1px solid #334155;
+      border-radius: 6px;
+      padding: 0.2rem 0.5rem;
+      font-size: 0.875rem;
+      color: #f97316;
+    }
+    .steps li { padding: 0.5rem 0; color: #cbd5e1; }
+    .steps li strong { color: #e2e8f0; }
+    .footer { text-align: center; color: #475569; font-size: 0.85rem; margin-top: 1.5rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="header">
+      <div class="logo">vmsan</div>
+      <div class="subtitle">Your microVM is running</div>
+    </div>
+    <div class="card">
+      <h2>VM Info</h2>
+      <div class="info-row">
+        <span class="info-label">VM ID</span>
+        <span class="info-value">${vmId}</span>
+      </div>
+      <div class="info-row">
+        <span class="info-label">Runtime</span>
+        <span class="info-value">node22-demo</span>
+      </div>
+      <div class="info-row">
+        <span class="info-label">Published Ports</span>
+        <span class="info-value">${ports.join(", ")}</span>
+      </div>
+    </div>
+    <div class="card">
+      <h2>Next Steps</h2>
+      <ul class="steps">
+        <li><strong>Connect to the VM:</strong> <code>vmsan connect ${vmId}</code></li>
+        <li><strong>Deploy your app:</strong> Replace this page by stopping the welcome service and running your own server on the published port(s).</li>
+        <li><strong>Stop this page:</strong> <code>systemctl stop vmsan-welcome</code></li>
+      </ul>
+    </div>
+    <div class="footer">Powered by vmsan &middot; Firecracker microVMs</div>
+  </div>
+</body>
+</html>`;
+}
+function generateWelcomeServer(ports) {
+	return `"use strict";
+const http = require("node:http");
+const fs = require("node:fs");
+const path = require("node:path");
+
+const html = fs.readFileSync(path.join(__dirname, "index.html"), "utf-8");
+
+const server = http.createServer((req, res) => {
+  res.writeHead(200, {
+    "Content-Type": "text/html; charset=utf-8",
+    "Cache-Control": "no-cache",
+  });
+  res.end(html);
+});
+
+${ports.map((p) => `server.listen(${p}, "0.0.0.0", () => console.log("vmsan-welcome listening on 0.0.0.0:${p}"));`).join("\n")}
+`;
+}
+function generateWelcomeService(ports) {
+	return `[Unit]
+Description=${`vmsan welcome page on port(s) ${ports.join(", ")}`}
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/node /opt/vmsan/welcome/server.js
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+/**
+* Template generators for the vmsan-agent systemd service.
+* Follows the same pattern as welcome-page.ts.
+*/
+function generateAgentService() {
+	return `[Unit]
+Description=Vmsan VM Agent
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/vmsan-agent
+EnvironmentFile=/etc/vmsan/agent.env
+Restart=always
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+function generateAgentEnv(token, port, vmId) {
+	return `VMSAN_AGENT_TOKEN=${token}
+VMSAN_AGENT_PORT=${port}
+VMSAN_VM_ID=${vmId}
+VMSAN_DEFAULT_USER=ubuntu
+`;
+}
+/**
+* Extra memory (in MiB) added to the cgroup limit beyond guest memory.
+* Covers Firecracker VMM process overhead, page tables, and kernel slab.
+* Without this, the OOM killer can terminate the VM under memory pressure.
+*/
+const CGROUP_VMM_OVERHEAD_MIB = 64;
+function detectCgroupVersion() {
+	try {
+		readFileSync("/sys/fs/cgroup/cgroup.controllers", "utf-8");
+		return 2;
+	} catch {
+		return 1;
+	}
+}
+var Jailer = class {
+	paths;
+	constructor(vmId, jailerBaseDir) {
+		this.vmId = vmId;
+		const chrootBase = jailerBaseDir;
+		const chrootDir = join(chrootBase, "firecracker", vmId);
+		const rootDir = join(chrootDir, "root");
+		const kernelDir = join(rootDir, "kernel");
+		const rootfsDir = join(rootDir, "rootfs");
+		const socketDir = join(rootDir, "run");
+		const snapshotDir = join(rootDir, "snapshot");
+		this.paths = {
+			chrootBase,
+			chrootDir,
+			rootDir,
+			kernelDir,
+			kernelPath: join(kernelDir, "vmlinux"),
+			rootfsDir,
+			rootfsPath: join(rootfsDir, "rootfs.ext4"),
+			socketDir,
+			socketPath: join(socketDir, "firecracker.socket"),
+			snapshotDir
+		};
+	}
+	prepare(config) {
+		const paths = this.paths;
+		mkdirSync(paths.kernelDir, { recursive: true });
+		mkdirSync(paths.rootfsDir, { recursive: true });
+		mkdirSync(paths.socketDir, { recursive: true });
+		if (!existsSync(paths.kernelPath)) linkSync(config.kernelSrc, paths.kernelPath);
+		copyFileSync(config.rootfsSrc, paths.rootfsPath);
+		if (typeof config.diskSizeGb === "number" && Number.isFinite(config.diskSizeGb)) {
+			const targetBytes = Math.trunc(config.diskSizeGb * 1024 * 1024 * 1024);
+			if (targetBytes > statSync(paths.rootfsPath).size) {
+				execSync(`truncate -s ${targetBytes} "${paths.rootfsPath}"`, { stdio: "pipe" });
+				execSync(`sudo e2fsck -fy "${paths.rootfsPath}"; [ $? -lt 4 ]`, { stdio: "pipe" });
+				execSync(`sudo resize2fs "${paths.rootfsPath}"`, { stdio: "pipe" });
+				execSync(`sudo tune2fs -m 0 "${paths.rootfsPath}"`, { stdio: "pipe" });
+			}
+		}
+		const tmpMount = join(paths.rootDir, "tmp-mount");
+		mkdirSync(tmpMount, { recursive: true });
+		try {
+			execSync(`sudo mount -o loop "${paths.rootfsPath}" "${tmpMount}"`, { stdio: "pipe" });
+			execSync(`rm -f "${tmpMount}/etc/resolv.conf" && ln -s /proc/net/pnp "${tmpMount}/etc/resolv.conf"`, { stdio: "pipe" });
+			if (config.welcomePage) {
+				const { vmId: welcomeVmId, ports: welcomePorts } = config.welcomePage;
+				const welcomeDir = join(tmpMount, "opt", "vmsan", "welcome");
+				mkdirSync(welcomeDir, { recursive: true });
+				writeFileSync(join(welcomeDir, "index.html"), generateWelcomeHtml(welcomeVmId, welcomePorts));
+				writeFileSync(join(welcomeDir, "server.js"), generateWelcomeServer(welcomePorts));
+				const systemdDir = join(tmpMount, "etc", "systemd", "system");
+				mkdirSync(systemdDir, { recursive: true });
+				writeFileSync(join(systemdDir, "vmsan-welcome.service"), generateWelcomeService(welcomePorts));
+				const wantsDir = join(systemdDir, "multi-user.target.wants");
+				mkdirSync(wantsDir, { recursive: true });
+				execSync(`ln -sf /etc/systemd/system/vmsan-welcome.service "${join(wantsDir, "vmsan-welcome.service")}"`, { stdio: "pipe" });
+			}
+			if (config.agent) {
+				const agentDst = join(tmpMount, "usr", "local", "bin", "vmsan-agent");
+				mkdirSync(join(tmpMount, "usr", "local", "bin"), { recursive: true });
+				copyFileSync(config.agent.binaryPath, agentDst);
+				execSync(`chmod 755 "${agentDst}"`, { stdio: "pipe" });
+				const envDir = join(tmpMount, "etc", "vmsan");
+				mkdirSync(envDir, { recursive: true });
+				writeFileSync(join(envDir, "agent.env"), generateAgentEnv(config.agent.token, config.agent.port, config.agent.vmId));
+				const systemdDir = join(tmpMount, "etc", "systemd", "system");
+				mkdirSync(systemdDir, { recursive: true });
+				writeFileSync(join(systemdDir, "vmsan-agent.service"), generateAgentService());
+				const wantsDir = join(systemdDir, "multi-user.target.wants");
+				mkdirSync(wantsDir, { recursive: true });
+				execSync(`ln -sf /etc/systemd/system/vmsan-agent.service "${join(wantsDir, "vmsan-agent.service")}"`, { stdio: "pipe" });
+			}
+			execSync(`sudo umount "${tmpMount}"`, { stdio: "pipe" });
+		} catch {
+			try {
+				execSync(`sudo umount "${tmpMount}" 2>/dev/null`, { stdio: "pipe" });
+			} catch {}
+		}
+		try {
+			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
+		} catch {}
+		if (config.snapshot) {
+			mkdirSync(paths.snapshotDir, { recursive: true });
+			copyFileSync(config.snapshot.snapshotFile, join(paths.snapshotDir, "snapshot_file"));
+			copyFileSync(config.snapshot.memFile, join(paths.snapshotDir, "mem_file"));
+		}
+		return paths;
+	}
+	spawn(config) {
+		const uid = config.uid ?? 0;
+		const gid = config.gid ?? 0;
+		const args = [
+			config.jailerBin,
+			"--exec-file",
+			config.firecrackerBin,
+			"--id",
+			this.vmId,
+			"--uid",
+			String(uid),
+			"--gid",
+			String(gid),
+			"--chroot-base-dir",
+			config.chrootBase,
+			"--daemonize"
+		];
+		if (config.newPidNs !== false) args.push("--new-pid-ns");
+		if (config.netns) args.push("--netns", `/var/run/netns/${config.netns}`);
+		if (config.cgroup) if (detectCgroupVersion() === 2) {
+			args.push("--cgroup-version", "2");
+			args.push("--cgroup", `cpu.max=${config.cgroup.cpuQuotaUs} ${config.cgroup.cpuPeriodUs}`);
+			args.push("--cgroup", `memory.max=${config.cgroup.memoryBytes}`);
+		} else {
+			args.push("--cgroup", `cpu.cfs_quota_us=${config.cgroup.cpuQuotaUs}`);
+			args.push("--cgroup", `cpu.cfs_period_us=${config.cgroup.cpuPeriodUs}`);
+			args.push("--cgroup", `memory.limit_in_bytes=${config.cgroup.memoryBytes}`);
+		}
+		args.push("--", "--api-sock", "run/firecracker.socket");
+		if (config.seccompFilter && existsSync(config.seccompFilter)) args.push("--seccomp-filter", config.seccompFilter);
+		else args.push("--no-seccomp");
+		execFileSync("sudo", args, { stdio: "pipe" });
+	}
+};
+function validateEnvironment(baseDir) {
+	const firecrackerPath = join(baseDir, "bin", "firecracker");
+	const jailerPath = join(baseDir, "bin", "jailer");
+	if (!existsSync(firecrackerPath)) throw missingBinaryError("Firecracker", firecrackerPath);
+	if (!existsSync(jailerPath)) throw missingBinaryError("Jailer", jailerPath);
+}
+function findKernel(baseDir) {
+	const kernelDir = join(baseDir, "kernels");
+	if (!existsSync(kernelDir)) throw noKernelDirError();
+	const files = readdirSync(kernelDir).filter((fileName) => fileName.startsWith("vmlinux"));
+	if (files.length === 0) throw noKernelError();
+	return join(kernelDir, files.sort().at(-1));
+}
+function findRootfs(baseDir) {
+	const rootfsDir = join(baseDir, "rootfs");
+	if (!existsSync(rootfsDir)) throw noRootfsDirError();
+	const files = readdirSync(rootfsDir).filter((fileName) => fileName.endsWith(".ext4"));
+	if (files.length === 0) throw noExt4RootfsError();
+	return join(rootfsDir, files.sort().at(-1));
+}
+async function waitForSocket(socketPath, timeoutMs = 5e3) {
+	const start = Date.now();
+	while (Date.now() - start < timeoutMs) {
+		if (existsSync(socketPath)) {
+			if (await new Promise((resolve) => {
+				const socket = connect(socketPath);
+				socket.on("connect", () => {
+					socket.destroy();
+					resolve(true);
+				});
+				socket.on("error", () => resolve(false));
+			})) return;
+		}
+		await new Promise((resolve) => setTimeout(resolve, 100));
+	}
+	throw socketTimeoutError(socketPath);
+}
+function getVmPid(vmId) {
+	try {
+		const entries = readdirSync("/proc").filter((entry) => /^\d+$/.test(entry));
+		for (const entry of entries) try {
+			const cmdline = readFileSync(`/proc/${entry}/cmdline`, "utf-8");
+			if (cmdline.includes("firecracker") && cmdline.includes(vmId)) return Number(entry);
+		} catch {}
+	} catch {}
+	return null;
+}
+function getVmJailerPid(vmId) {
+	try {
+		const entries = readdirSync("/proc").filter((entry) => /^\d+$/.test(entry));
+		for (const entry of entries) try {
+			const cmdline = readFileSync(`/proc/${entry}/cmdline`, "utf-8");
+			if (cmdline.includes("jailer") && cmdline.includes(vmId)) return Number(entry);
+		} catch {}
+	} catch {}
+	return null;
+}
+function assertSnapshotExists(snapshotId, paths) {
+	const snapshotDir = join(paths.snapshotsDir, snapshotId);
+	if (!existsSync(join(snapshotDir, "snapshot_file")) || !existsSync(join(snapshotDir, "mem_file"))) throw snapshotNotFoundError(snapshotId);
+}
+function killOrphanVmProcess(vmId) {
+	const orphanPid = getVmPid(vmId);
+	const orphanJailerPid = getVmJailerPid(vmId);
+	if (orphanPid) safeKill(orphanPid, "SIGKILL");
+	if (orphanJailerPid) safeKill(orphanJailerPid, "SIGKILL");
+}
+function markVmAsError(vmId, error, paths) {
+	try {
+		new FileVmStateStore(paths.vmsDir).update(vmId, {
+			status: "error",
+			error: error instanceof Error ? error.message : String(error)
+		});
+	} catch {}
+}
+function cleanupNetwork(networkConfig) {
+	if (!networkConfig) return;
+	try {
+		NetworkManager.fromConfig(networkConfig).teardown();
+	} catch {}
+}
+function cleanupChroot(chrootDir) {
+	if (!chrootDir) return;
+	const vmJailerDir = dirname(chrootDir);
+	try {
+		rmSync(chrootDir, {
+			recursive: true,
+			force: true
+		});
+	} catch {}
+	try {
+		rmSync(vmJailerDir, {
+			recursive: true,
+			force: true
+		});
+	} catch {}
+}
+function buildInitialVmState(input) {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	return {
+		id: input.vmId,
+		project: input.project,
+		runtime: input.runtime,
+		diskSizeGb: input.diskSizeGb,
+		status: "creating",
+		pid: null,
+		apiSocket: "",
+		chrootDir: "",
+		kernel: input.kernelPath,
+		rootfs: input.rootfsPath,
+		vcpuCount: input.vcpus,
+		memSizeMib: input.memMib,
+		network: {
+			tapDevice: input.tapDevice,
+			hostIp: input.hostIp,
+			guestIp: input.guestIp,
+			subnetMask: input.subnetMask,
+			macAddress: input.macAddress,
+			networkPolicy: input.networkPolicy,
+			allowedDomains: input.domains,
+			allowedCidrs: input.allowedCidrs,
+			deniedCidrs: input.deniedCidrs,
+			publishedPorts: input.ports,
+			tunnelHostname: null,
+			tunnelHostnames: [],
+			bandwidthMbit: input.bandwidthMbit,
+			netnsName: input.netnsName
+		},
+		snapshot: input.snapshotId,
+		timeoutMs: input.timeoutMs,
+		timeoutAt: input.timeoutMs ? new Date(Date.now() + input.timeoutMs).toISOString() : null,
+		createdAt: now,
+		error: null,
+		agentToken: input.agentToken,
+		agentPort: input.agentPort
+	};
+}
+function dockerUnavailableError() {
+	return /* @__PURE__ */ new Error("Docker is not available. Install Docker and ensure the daemon is running.");
+}
+const APT_PACKAGES = [
+	"bind9-utils",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils-ping",
+	"libicu-dev",
+	"libjpeg-dev",
+	"libpng-dev",
+	"ncurses-base",
+	"libssl-dev",
+	"openssh-server",
+	"openssl",
+	"procps",
+	"sudo",
+	"tar",
+	"unzip",
+	"debianutils",
+	"whois",
+	"zstd"
+];
+const DNF_PACKAGES = [
+	"bind-utils",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils",
+	"libicu",
+	"libjpeg",
+	"libpng",
+	"ncurses-libs",
+	"openssh-server",
+	"openssl",
+	"openssl-libs",
+	"procps",
+	"sudo",
+	"tar",
+	"unzip",
+	"which",
+	"whois",
+	"zstd"
+];
+const APK_PACKAGES = [
+	"bash",
+	"bind-tools",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils",
+	"icu-libs",
+	"libjpeg-turbo",
+	"libpng",
+	"ncurses-libs",
+	"openrc",
+	"openssh",
+	"openssl",
+	"procps",
+	"sudo",
+	"tar",
+	"unzip",
+	"whois",
+	"zstd"
+];
+function generateDockerfile(baseImage) {
+	return `FROM ${baseImage}
+RUN if command -v apt-get >/dev/null 2>&1; then ${`apt-get update && apt-get install -y --no-install-recommends ${APT_PACKAGES.join(" ")} && rm -rf /var/lib/apt/lists/*`}; \\
+    elif command -v dnf >/dev/null 2>&1; then ${`dnf install -y ${DNF_PACKAGES.join(" ")} && dnf clean all`}; \\
+    elif command -v yum >/dev/null 2>&1; then ${`yum install -y ${DNF_PACKAGES.join(" ")} && yum clean all`}; \\
+    elif command -v apk >/dev/null 2>&1; then ${`apk add --no-cache ${APK_PACKAGES.join(" ")}`}; \\
+    fi
+RUN if command -v apk >/dev/null 2>&1; then \\
+      id -u ubuntu >/dev/null 2>&1 || adduser -D -s /bin/bash ubuntu; \\
+    else \\
+      id -u ubuntu >/dev/null 2>&1 || useradd -m -s /bin/bash ubuntu; \\
+    fi; \\
+    echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ubuntu; \\
+    chmod 440 /etc/sudoers.d/ubuntu; \\
+    mkdir -p /home/ubuntu/.ssh && chown -R ubuntu:ubuntu /home/ubuntu
+RUN ssh-keygen -A 2>/dev/null || true; \\
+    mkdir -p /root/.ssh && chmod 700 /root/.ssh; \\
+    if [ -f /etc/ssh/sshd_config ]; then \\
+      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config; \\
+    fi; \\
+    if command -v rc-update >/dev/null 2>&1; then \\
+      rc-update add devfs sysinit 2>/dev/null || true; \\
+      rc-update add mdev sysinit 2>/dev/null || true; \\
+      rc-update add hwdrivers sysinit 2>/dev/null || true; \\
+      rc-update add modules boot 2>/dev/null || true; \\
+      rc-update add sysctl boot 2>/dev/null || true; \\
+      rc-update add hostname boot 2>/dev/null || true; \\
+      rc-update add bootmisc boot 2>/dev/null || true; \\
+      rc-update add networking boot 2>/dev/null || true; \\
+      rc-update add sshd default 2>/dev/null || true; \\
+      printf '%s\\n' '::sysinit:/sbin/openrc sysinit' '::sysinit:/sbin/openrc boot' '::wait:/sbin/openrc default' '::shutdown:/sbin/openrc shutdown' 'ttyS0::respawn:/sbin/getty 115200 ttyS0' > /etc/inittab; \\
+    fi; \\
+    if command -v systemctl >/dev/null 2>&1; then systemctl enable sshd 2>/dev/null || systemctl enable ssh 2>/dev/null || true; fi
+`;
+}
+function verifyDocker() {
+	try {
+		execSync("docker info", { stdio: "pipe" });
+	} catch {
+		throw dockerUnavailableError();
+	}
+}
+function buildImageRootfs(imageRef, cacheDir) {
+	const ext4Path = join(cacheDir, "rootfs.ext4");
+	verifyDocker();
+	const buildTag = `vmsan-rootfs-${imageRef.name.replace(/[^a-z0-9._-]/gi, "-")}:${imageRef.tag}`;
+	const containerName = `vmsan-export-${Date.now()}`;
+	const tmpTar = join(cacheDir, "rootfs.tar");
+	mkdirSync(cacheDir, { recursive: true });
+	try {
+		consola.start(`Building image from ${imageRef.full}...`);
+		execSync(`docker build -t "${buildTag}" -f - . <<'DOCKERFILE'\n${generateDockerfile(imageRef.full)}\nDOCKERFILE`, {
+			stdio: "pipe",
+			shell: "/bin/bash"
+		});
+		consola.start("Exporting filesystem...");
+		execSync(`docker create --name "${containerName}" "${buildTag}"`, { stdio: "pipe" });
+		execSync(`docker export "${containerName}" -o "${tmpTar}"`, { stdio: "pipe" });
+		consola.start("Converting to ext4...");
+		const tarSizeOutput = execSync(`stat -c %s "${tmpTar}"`, { encoding: "utf-8" }).trim();
+		const tarMb = Number(tarSizeOutput) / 1024 / 1024;
+		const imageSizeMb = Math.max(1024, Math.ceil(tarMb + 512));
+		execSync(`dd if=/dev/zero of="${ext4Path}" bs=1M count=${imageSizeMb} 2>/dev/null`, { stdio: "pipe" });
+		execSync(`mkfs.ext4 -q "${ext4Path}"`, { stdio: "pipe" });
+		execSync(`tune2fs -m 0 "${ext4Path}"`, { stdio: "pipe" });
+		const tmpMount = join(cacheDir, "mnt");
+		mkdirSync(tmpMount, { recursive: true });
+		execSync(`mount -o loop "${ext4Path}" "${tmpMount}"`, { stdio: "pipe" });
+		try {
+			execSync(`tar -xf "${tmpTar}" -C "${tmpMount}"`, { stdio: "pipe" });
+		} finally {
+			execSync(`umount "${tmpMount}"`, { stdio: "pipe" });
+			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
+		}
+		writeFileSync(join(cacheDir, "metadata.json"), JSON.stringify({
+			image: imageRef.full,
+			builtAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2));
+		consola.success(`Rootfs built from ${imageRef.full} (${imageSizeMb} MB)`);
+		return ext4Path;
+	} finally {
+		try {
+			execSync(`docker rm -f "${containerName}" 2>/dev/null`, { stdio: "pipe" });
+		} catch {}
+		try {
+			execSync(`rm -f "${tmpTar}"`, { stdio: "pipe" });
+		} catch {}
+	}
+}
+function resolveImageRootfs(imageRef, registryDir) {
+	const cacheDir = join(registryDir, imageRef.cacheKey);
+	const ext4Path = join(cacheDir, "rootfs.ext4");
+	if (existsSync(ext4Path)) {
+		consola.info(`Using cached rootfs for ${imageRef.full}`);
+		return ext4Path;
+	}
+	return buildImageRootfs(imageRef, cacheDir);
+}
+const _dirname = dirname(fileURLToPath(import.meta.url));
+const VALID_ARCHES = ["x86_64", "aarch64"];
+const MAX_FILTER_SIZE = 1048576;
+/**
+* Compile a Firecracker seccomp JSON filter to BPF using seccompiler-bin.
+* Falls back to using the JSON filter directly if seccompiler-bin is not available.
+*/
+function compileSeccompFilter(jsonPath, outputPath, arch) {
+	const targetArch = arch ?? "x86_64";
+	if (!VALID_ARCHES.includes(targetArch)) throw new Error(`unsupported seccomp arch: ${targetArch} (allowed: ${VALID_ARCHES.join(", ")})`);
+	const stat = statSync(jsonPath);
+	if (stat.size > MAX_FILTER_SIZE) throw new Error(`seccomp filter too large: ${stat.size} bytes (max ${MAX_FILTER_SIZE})`);
+	mkdirSync(dirname(outputPath), { recursive: true });
+	execFileSync("seccompiler-bin", [
+		"--input-file",
+		jsonPath,
+		"--target-arch",
+		targetArch,
+		"--output-file",
+		outputPath
+	], { stdio: "pipe" });
+}
+/**
+* Ensure a seccomp filter is available for Firecracker.
+*
+* 1. If a compiled BPF exists at paths.seccompDir/default.bpf, return it.
+* 2. If the JSON source exists, try to compile it; return BPF path on success.
+* 3. If compilation fails (seccompiler-bin not installed), return null
+*    (Firecracker requires compiled BPF, not raw JSON).
+* 4. If no filter source exists at all, return null.
+*/
+function ensureSeccompFilter(paths) {
+	const bpfPath = join(paths.seccompDir, "default.bpf");
+	if (existsSync(bpfPath)) {
+		consola.debug(`seccomp: using compiled BPF filter at ${bpfPath}`);
+		return bpfPath;
+	}
+	const bundledJson = join(dirname(dirname(_dirname)), "seccomp", "default.json");
+	const userJson = paths.seccompFilter;
+	let sourceJson = null;
+	try {
+		const mode = statSync(userJson).mode;
+		if (mode & 18) consola.warn(`seccomp: filter at ${userJson} is group/world writable (mode ${(mode & 511).toString(8)}); consider restricting permissions`);
+		consola.debug(`seccomp: using user filter at ${userJson}`);
+		sourceJson = userJson;
+	} catch {}
+	if (!sourceJson && existsSync(bundledJson)) {
+		mkdirSync(paths.seccompDir, { recursive: true });
+		copyFileSync(bundledJson, userJson);
+		consola.debug(`seccomp: copied bundled filter to ${userJson}`);
+		sourceJson = userJson;
+	}
+	if (!sourceJson) return null;
+	try {
+		compileSeccompFilter(sourceJson, bpfPath);
+		consola.debug(`seccomp: compiled BPF filter at ${bpfPath}`);
+		return bpfPath;
+	} catch {
+		consola.warn("seccomp: BPF compilation failed (seccompiler-bin not available?); seccomp filtering disabled. Install seccompiler-bin for seccomp support.");
+		return null;
+	}
+}
+var VMService = class {
+	paths;
+	store;
+	hooks;
+	logger;
+	constructor(ctx) {
+		this.paths = ctx.paths;
+		this.store = ctx.store;
+		this.hooks = ctx.hooks;
+		this.logger = ctx.logger;
+	}
+	list() {
+		return this.store.list().sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
+	}
+	get(vmId) {
+		return this.store.load(vmId);
+	}
+	async create(opts) {
+		const { logger, paths, hooks } = this;
+		const vmId = generateVmId();
+		const log = logger.withTag(vmId);
+		let networkConfig;
+		let chrootDir;
+		try {
+			validateEnvironment(paths.baseDir);
+			if (opts.fromImage && opts.rootfsPath) throw mutuallyExclusiveFlagsError("--from-image", "--rootfs");
+			const vcpus = opts.vcpus ?? 1;
+			const memMib = opts.memMib ?? 128;
+			const diskSizeGb = opts.diskSizeGb ?? 10;
+			const runtime = opts.runtime ?? "base";
+			const networkPolicy = opts.networkPolicy ?? "allow-all";
+			const domains = opts.domains ?? [];
+			const allowedCidrs = opts.allowedCidrs ?? [];
+			const deniedCidrs = opts.deniedCidrs ?? [];
+			const ports = opts.ports ?? [];
+			const bandwidthMbit = opts.bandwidthMbit;
+			const snapshotId = opts.snapshotId ?? null;
+			const timeoutMs = opts.timeoutMs ?? null;
+			await hooks.callHook("vm:beforeCreate", {
+				vmId,
+				options: opts
+			});
+			const kernelPath = opts.kernelPath ?? findKernel(paths.baseDir);
+			logger.debug(`Kernel resolved: ${kernelPath}`);
+			let rootfsPath;
+			if (opts.fromImage) rootfsPath = resolveImageRootfs(opts.fromImage, paths.registryDir);
+			else rootfsPath = opts.rootfsPath ?? findRootfs(paths.baseDir);
+			logger.debug(`Rootfs resolved: ${rootfsPath}`);
+			const netnsName = opts.disableNetns ? void 0 : `vmsan-${vmId}`;
+			const agentToken = existsSync(paths.agentBin) ? randomBytes(32).toString("hex") : null;
+			log.start(`Creating VM ${vmId}...`);
+			const { net } = new FileLock(join(paths.vmsDir, ".slot-lock"), "slot-alloc").run(() => {
+				const slot = this.store.allocateNetworkSlot();
+				logger.debug(`Network slot allocated: ${slot}`);
+				const net = new NetworkManager(slot, networkPolicy, domains, allowedCidrs, deniedCidrs, ports, bandwidthMbit, netnsName);
+				networkConfig = net.config;
+				const state = buildInitialVmState({
+					vmId,
+					project: opts.project || "",
+					runtime,
+					diskSizeGb,
+					kernelPath,
+					rootfsPath,
+					vcpus,
+					memMib,
+					networkPolicy,
+					domains,
+					allowedCidrs,
+					deniedCidrs,
+					ports,
+					tapDevice: net.config.tapDevice,
+					hostIp: net.config.hostIp,
+					guestIp: net.config.guestIp,
+					subnetMask: net.config.subnetMask,
+					macAddress: net.config.macAddress,
+					snapshotId,
+					timeoutMs,
+					agentToken,
+					agentPort: paths.agentPort,
+					bandwidthMbit,
+					netnsName
+				});
+				this.store.save(state);
+				return { net };
+			});
+			const netCfg = networkConfig;
+			log.start("Setting up networking...");
+			await net.setup();
+			log.success(`Network: TAP ${netCfg.tapDevice}, Host ${netCfg.hostIp}, Guest ${netCfg.guestIp}`);
+			await hooks.callHook("network:afterSetup", {
+				vmId,
+				slot: netCfg.slot,
+				networkConfig: netCfg,
+				domains,
+				networkPolicy
+			});
+			log.start("Preparing chroot...");
+			const snapshotConfig = snapshotId ? {
+				snapshotFile: join(paths.snapshotsDir, snapshotId, "snapshot_file"),
+				memFile: join(paths.snapshotsDir, snapshotId, "mem_file")
+			} : void 0;
+			const jailer = new Jailer(vmId, paths.jailerBaseDir);
+			const welcomePage = runtime === "node22-demo" && ports.length > 0 ? {
+				vmId,
+				ports
+			} : void 0;
+			const agentConfig = agentToken ? {
+				binaryPath: paths.agentBin,
+				token: agentToken,
+				port: paths.agentPort,
+				vmId
+			} : void 0;
+			const jailerPaths = jailer.prepare({
+				kernelSrc: kernelPath,
+				rootfsSrc: rootfsPath,
+				diskSizeGb,
+				snapshot: snapshotConfig,
+				welcomePage,
+				agent: agentConfig
+			});
+			chrootDir = jailerPaths.chrootDir;
+			this.store.update(vmId, {
+				chrootDir: jailerPaths.chrootDir,
+				apiSocket: jailerPaths.socketPath
+			});
+			logger.debug(`Jailer chroot: ${jailerPaths.chrootDir}`);
+			logger.debug(`API socket path: ${jailerPaths.socketPath}`);
+			log.start("Spawning Firecracker via jailer...");
+			const firecrackerBin = join(paths.binDir, "firecracker");
+			const jailerBin = join(paths.binDir, "jailer");
+			const seccompFilter = opts.disableSeccomp ? void 0 : ensureSeccompFilter(paths);
+			if (seccompFilter) logger.debug(`Seccomp filter: ${seccompFilter}`);
+			const cgroup = opts.disableCgroup ? void 0 : this.buildCgroupConfig(vcpus, memMib);
+			jailer.spawn({
+				firecrackerBin,
+				jailerBin,
+				chrootBase: jailerPaths.chrootBase,
+				seccompFilter: seccompFilter ?? void 0,
+				newPidNs: !opts.disablePidNs,
+				cgroup,
+				netns: netnsName
+			});
+			log.start("Waiting for API socket...");
+			await waitForSocket(jailerPaths.socketPath, 5e3);
+			log.success("API socket ready");
+			if (snapshotId) {
+				log.start("Restoring from snapshot...");
+				const vm = new FirecrackerClient(jailerPaths.socketPath);
+				await vm.loadSnapshot("snapshot/snapshot_file", "snapshot/mem_file");
+				await vm.resume();
+				log.success("Snapshot restored and VM resumed");
+			} else {
+				await this.bootVm(jailerPaths.socketPath, netCfg, vcpus, memMib);
+				log.start("Starting VM...");
+				await new FirecrackerClient(jailerPaths.socketPath).start();
+			}
+			const pid = getVmPid(vmId);
+			logger.debug(`Firecracker PID: ${pid ?? "unknown"}`);
+			this.store.update(vmId, {
+				status: "running",
+				pid
+			});
+			log.success(`VM ${vmId} is running (PID: ${pid || "unknown"})`);
+			if (timeoutMs && pid) spawnTimeoutKiller({
+				vmId,
+				pid,
+				timeoutMs,
+				stateFile: join(paths.vmsDir, `${vmId}.json`)
+			});
+			const finalState = this.store.load(vmId);
+			await hooks.callHook("vm:afterCreate", finalState);
+			return {
+				vmId,
+				pid,
+				state: finalState
+			};
+		} catch (error) {
+			if (vmId) await hooks.callHook("vm:error", {
+				vmId,
+				error: toError(error),
+				phase: "create"
+			});
+			killOrphanVmProcess(vmId);
+			this.markAsError(vmId, error);
+			cleanupNetwork(networkConfig);
+			cleanupChroot(chrootDir);
+			throw error;
+		}
+	}
+	async start(vmId) {
+		const { logger, paths, hooks } = this;
+		const log = logger.withTag(vmId);
+		let networkConfig;
+		try {
+			const state = this.store.load(vmId);
+			if (!state) throw vmNotFoundError(vmId);
+			if (state.status !== "stopped") throw vmNotStoppedError(vmId, state.status);
+			if (!state.chrootDir || !existsSync(state.chrootDir)) throw chrootNotFoundError(vmId);
+			validateEnvironment(paths.baseDir);
+			await hooks.callHook("vm:beforeStart", {
+				vmId,
+				state
+			});
+			log.start(`Starting VM ${vmId}...`);
+			const mgr = NetworkManager.fromVmNetwork(state.network);
+			networkConfig = mgr.config;
+			logger.debug(`Reconstructed network config: slot=${networkConfig.slot}, tap=${networkConfig.tapDevice}, host=${networkConfig.hostIp}, guest=${networkConfig.guestIp}`);
+			log.start("Setting up networking...");
+			await mgr.setup();
+			log.success(`Network: TAP ${networkConfig.tapDevice}, Host ${networkConfig.hostIp}, Guest ${networkConfig.guestIp}`);
+			await hooks.callHook("network:afterSetup", {
+				vmId,
+				slot: networkConfig.slot,
+				networkConfig,
+				domains: state.network.allowedDomains,
+				networkPolicy: state.network.networkPolicy
+			});
+			const vmRootCandidates = Array.from(new Set([
+				join(state.chrootDir, "root"),
+				state.chrootDir,
+				dirname(dirname(state.apiSocket))
+			]));
+			const removeStaleFirecrackerFiles = () => {
+				for (const rootDir of vmRootCandidates) {
+					rmSync(join(rootDir, "firecracker"), { force: true });
+					rmSync(join(rootDir, "firecracker.pid"), { force: true });
+				}
+			};
+			removeStaleFirecrackerFiles();
+			const socketPath = state.apiSocket;
+			rmSync(socketPath, { force: true });
+			const removeStaleDevTrees = () => {
+				for (const rootDir of vmRootCandidates) rmSync(join(rootDir, "dev"), {
+					recursive: true,
+					force: true
+				});
+			};
+			const removeStaleDeviceNodes = () => {
+				const staleNodes = [
+					"dev/net/tun",
+					"dev/kvm",
+					"dev/userfaultfd",
+					"dev/urandom"
+				];
+				for (const rootDir of vmRootCandidates) for (const rel of staleNodes) rmSync(join(rootDir, rel), {
+					recursive: true,
+					force: true
+				});
+			};
+			const firecrackerBin = join(paths.binDir, "firecracker");
+			const jailerBin = join(paths.binDir, "jailer");
+			const jailer = new Jailer(vmId, paths.jailerBaseDir);
+			let socketReady = false;
+			const startTag = `[start:${vmId}]`;
+			const logAttemptError = (attempt, error) => {
+				logger.error(`${startTag} ${attempt} failed: ${toError(error).message}`);
+			};
+			logger.debug(`Stale file cleanup: checked ${vmRootCandidates.length} root candidates`);
+			const logDiagnostics = () => {
+				const socketExists = existsSync(socketPath);
+				const devState = vmRootCandidates.map((rootDir) => `${join(rootDir, "dev")}=${existsSync(join(rootDir, "dev"))}`).join(", ");
+				const firecrackerPid = getVmPid(vmId);
+				const jailerPid = getVmJailerPid(vmId);
+				log.error(`${startTag} diagnostics: socketExists=${socketExists}; firecrackerPid=${firecrackerPid ?? "none"}; jailerPid=${jailerPid ?? "none"}; devDirs=[${devState}]`);
+			};
+			const isRecoverableStartError = (message) => {
+				if (message.includes("Timeout waiting for API socket")) return true;
+				if (message.includes("mknod inside the jail") && message.includes("File exists")) return true;
+				if (message.includes("MknodDev(") && message.includes("os error 17")) return true;
+				return false;
+			};
+			const cgroup = this.buildCgroupConfig(state.vcpuCount, state.memSizeMib);
+			const spawnAndWait = async (timeoutMs) => {
+				log.start("Spawning Firecracker via jailer...");
+				logger.debug(`Jailer spawn: firecracker=${firecrackerBin}, jailer=${jailerBin}, chrootBase=${jailer.paths.chrootBase}`);
+				jailer.spawn({
+					firecrackerBin,
+					jailerBin,
+					chrootBase: jailer.paths.chrootBase,
+					newPidNs: true,
+					cgroup,
+					netns: state.network.netnsName
+				});
+				log.start("Waiting for API socket...");
+				await waitForSocket(socketPath, timeoutMs);
+			};
+			try {
+				removeStaleDeviceNodes();
+				await spawnAndWait(1e4);
+				socketReady = true;
+			} catch (firstStartError) {
+				const message = toError(firstStartError).message;
+				if (!isRecoverableStartError(message)) {
+					logAttemptError("initial attempt", firstStartError);
+					logDiagnostics();
+					throw firstStartError;
+				}
+				logAttemptError("initial attempt", firstStartError);
+				killOrphanVmProcess(vmId);
+				rmSync(socketPath, { force: true });
+				removeStaleDeviceNodes();
+				removeStaleDevTrees();
+				removeStaleFirecrackerFiles();
+				try {
+					await spawnAndWait(15e3);
+					socketReady = true;
+				} catch (retryError) {
+					logAttemptError("retry attempt", retryError);
+					logDiagnostics();
+					throw new Error(`${startTag} retry failed after cleanup. First error: ${message}. Retry error: ${toError(retryError).message}`);
+				}
+			}
+			if (!socketReady) throw new Error(`Timeout waiting for API socket at ${socketPath}`);
+			log.success("API socket ready");
+			await this.bootVm(socketPath, networkConfig, state.vcpuCount, state.memSizeMib);
+			log.start("Starting VM...");
+			await new FirecrackerClient(socketPath).start();
+			const pid = getVmPid(vmId);
+			this.store.update(vmId, {
+				status: "running",
+				pid
+			});
+			log.success(`VM ${vmId} is running (PID: ${pid || "unknown"})`);
+			const finalState = this.store.load(vmId);
+			await hooks.callHook("vm:afterStart", finalState);
+			return {
+				vmId,
+				pid,
+				state: finalState,
+				success: true
+			};
+		} catch (error) {
+			await hooks.callHook("vm:error", {
+				vmId,
+				error: toError(error),
+				phase: "start"
+			});
+			killOrphanVmProcess(vmId);
+			this.markAsError(vmId, error);
+			cleanupNetwork(networkConfig);
+			return {
+				vmId,
+				pid: null,
+				state: null,
+				success: false,
+				error: error instanceof VmsanError ? error : void 0
+			};
+		}
+	}
+	async stop(vmId) {
+		const state = this.store.load(vmId);
+		if (!state) return {
+			vmId,
+			success: false,
+			error: vmNotFoundError(vmId)
+		};
+		if (state.status === "stopped") return {
+			vmId,
+			success: true,
+			alreadyStopped: true
+		};
+		try {
+			await this.hooks.callHook("vm:beforeStop", {
+				vmId,
+				state
+			});
+			const previousStatus = state.status;
+			if (state.pid) safeKill(state.pid, "SIGKILL");
+			const orphanPid = getVmPid(vmId);
+			if (orphanPid) safeKill(orphanPid, "SIGKILL");
+			const orphanJailerPid = getVmJailerPid(vmId);
+			if (orphanJailerPid) safeKill(orphanJailerPid, "SIGKILL");
+			if (state.network) {
+				const netCfg = NetworkManager.fromVmNetwork(state.network);
+				try {
+					netCfg.teardown();
+				} catch {}
+				await this.hooks.callHook("network:afterTeardown", {
+					vmId,
+					networkConfig: netCfg.config
+				});
+			}
+			this.store.update(vmId, {
+				status: "stopped",
+				pid: null
+			});
+			await this.hooks.callHook("vm:afterStop", {
+				vmId,
+				previousStatus
+			});
+			return {
+				vmId,
+				success: true
+			};
+		} catch (err) {
+			await this.hooks.callHook("vm:error", {
+				vmId,
+				error: toError(err),
+				phase: "stop"
+			});
+			return {
+				vmId,
+				success: false,
+				error: err instanceof VmsanError ? err : void 0
+			};
+		}
+	}
+	async updateNetworkPolicy(vmId, policy, domains, allowedCidrs, deniedCidrs) {
+		return new FileLock(join(this.paths.vmsDir, `${vmId}.json`), `update-policy-${vmId}`).runAsync(async () => {
+			const state = this.store.load(vmId);
+			if (!state) return {
+				vmId,
+				success: false,
+				previousPolicy: policy,
+				newPolicy: policy,
+				error: vmNotFoundError(vmId)
+			};
+			const previousPolicy = state.network.networkPolicy;
+			if (state.status !== "running") return {
+				vmId,
+				success: false,
+				previousPolicy,
+				newPolicy: policy,
+				error: vmNotRunningError(vmId)
+			};
+			try {
+				NetworkManager.fromVmNetwork(state.network).updatePolicy(policy, domains, allowedCidrs, deniedCidrs);
+				this.store.update(vmId, { network: {
+					...state.network,
+					networkPolicy: policy,
+					allowedDomains: domains,
+					allowedCidrs,
+					deniedCidrs
+				} });
+				await this.hooks.callHook("network:policyChange", {
+					vmId,
+					previousPolicy,
+					newPolicy: policy
+				});
+				return {
+					vmId,
+					success: true,
+					previousPolicy,
+					newPolicy: policy
+				};
+			} catch (err) {
+				return {
+					vmId,
+					success: false,
+					previousPolicy,
+					newPolicy: policy,
+					error: err instanceof VmsanError ? err : void 0
+				};
+			}
+		});
+	}
+	async remove(vmId, opts) {
+		const state = this.store.load(vmId);
+		if (!state) return {
+			vmId,
+			success: false,
+			error: vmNotFoundError(vmId)
+		};
+		try {
+			const force = opts?.force ?? false;
+			await this.hooks.callHook("vm:beforeRemove", {
+				vmId,
+				state,
+				force
+			});
+			if (state.status !== "stopped") {
+				if (!force) return {
+					vmId,
+					success: false,
+					error: vmNotStoppedError(vmId, state.status)
+				};
+				const stopResult = await this.stop(vmId);
+				if (!stopResult.success) return stopResult;
+			}
+			cleanupChroot(state.chrootDir);
+			this.store.delete(vmId);
+			await this.hooks.callHook("vm:afterRemove", { vmId });
+			return {
+				vmId,
+				success: true
+			};
+		} catch (err) {
+			await this.hooks.callHook("vm:error", {
+				vmId,
+				error: toError(err),
+				phase: "remove"
+			});
+			return {
+				vmId,
+				success: false,
+				error: err instanceof VmsanError ? err : void 0
+			};
+		}
+	}
+	buildCgroupConfig(vcpus, memMib) {
+		return {
+			cpuQuotaUs: vcpus * 1e5,
+			cpuPeriodUs: 1e5,
+			memoryBytes: (memMib + CGROUP_VMM_OVERHEAD_MIB) * 1024 * 1024
+		};
+	}
+	async bootVm(socketPath, netCfg, vcpus, memMib) {
+		const vm = new FirecrackerClient(socketPath);
+		const bootArgs = NetworkManager.bootArgs(netCfg.slot);
+		this.logger.debug(`Boot args: ${bootArgs}`);
+		await vm.boot("kernel/vmlinux", bootArgs);
+		await vm.addDrive("rootfs", "rootfs/rootfs.ext4", true, false);
+		await vm.configure(vcpus, memMib);
+		await vm.addNetwork("eth0", netCfg.tapDevice, netCfg.macAddress);
+	}
+	markAsError(vmId, error) {
+		try {
+			this.store.update(vmId, {
+				status: "error",
+				error: toError(error).message
+			});
+		} catch {}
+	}
+};
+async function createVmsan(options) {
+	const paths = options?.paths === void 0 ? vmsanPaths() : typeof options.paths === "string" ? vmsanPaths(options.paths) : options.paths;
+	const store = options?.store ?? new FileVmStateStore(paths.vmsDir);
+	const logger = options?.logger ?? createDefaultLogger();
+	const ctx = {
+		paths,
+		store,
+		hooks: createHooks(),
+		logger
+	};
+	const vmsan = new VMService(ctx);
+	if (options?.plugins) for (const plugin of options.plugins) await plugin.setup(ctx);
+	return vmsan;
+}
+export { createSilentLogger as C, createDefaultLogger as S, waitForSocket as _, resolveImageRootfs as a, FileLock as b, cleanupNetwork as c, assertSnapshotExists as d, findKernel as f, validateEnvironment as g, getVmPid as h, ensureSeccompFilter as i, killOrphanVmProcess as l, getVmJailerPid as m, VMService as n, buildInitialVmState as o, findRootfs as p, compileSeccompFilter as r, cleanupChroot as s, createVmsan as t, markVmAsError as u, Jailer as v, NetworkManager as x, detectCgroupVersion as y };