vmsan 0.1.0-alpha.2 → 0.1.0-alpha.21

package/dist/_chunks/validation.mjs

@@ -1,4 +1,4 @@
-import { A as invalidDomainError, D as invalidCidrPrefixError, E as invalidCidrOctetError, F as invalidIntegerFlagError, I as invalidNetworkPolicyError, L as invalidPortError, N as invalidImageRefEmptyError, O as invalidDiskSizeFormatError, P as invalidImageRefTagError, R as invalidRuntimeError, T as invalidCidrFormatError, V as portConflictError, j as invalidDomainPatternError, k as invalidDiskSizeRangeError } from "./errors.mjs";
+import { A as invalidDiskSizeRangeError, D as invalidCidrOctetError, E as invalidCidrFormatError, F as invalidImageRefTagError, H as portConflictError, I as invalidIntegerFlagError, L as invalidNetworkPolicyError, M as invalidDomainPatternError, O as invalidCidrPrefixError, P as invalidImageRefEmptyError, R as invalidPortError, j as invalidDomainError, k as invalidDiskSizeFormatError, z as invalidRuntimeError } from "./errors.mjs";
 import { t as FileVmStateStore } from "./vm-state.mjs";
 const VALID_RUNTIMES = [
 	"base",

package/dist/_chunks/vm-context.mjs

@@ -0,0 +1,34 @@
+import { S as vmNotRunningError, b as vmNoAgentTokenError, l as agentTimeoutError, x as vmNotFoundError } from "./errors.mjs";
+import { t as FileVmStateStore } from "./vm-state.mjs";
+/**
+* Load VM state and validate it's running with an agent token.
+* Throws VmError on failure (handled by handleCommandError in the caller).
+*/
+function resolveVmState(vmId, paths) {
+	const store = new FileVmStateStore(paths.vmsDir);
+	const state = store.load(vmId);
+	if (!state) throw vmNotFoundError(vmId);
+	if (state.status !== "running") throw vmNotRunningError(vmId, state.status);
+	if (!state.agentToken) throw vmNoAgentTokenError(vmId);
+	return {
+		state,
+		guestIp: state.network.guestIp,
+		port: state.agentPort || paths.agentPort,
+		store
+	};
+}
+/**
+* Poll the agent health endpoint until it responds OK.
+*/
+async function waitForAgent(guestIp, port, timeoutMs = 6e4) {
+	const start = Date.now();
+	const url = `http://${guestIp}:${port}/health`;
+	while (Date.now() - start < timeoutMs) {
+		try {
+			if ((await fetch(url, { signal: AbortSignal.timeout(2e3) })).ok) return;
+		} catch {}
+		await new Promise((r) => setTimeout(r, 500));
+	}
+	throw agentTimeoutError(guestIp, timeoutMs);
+}
+export { waitForAgent as n, resolveVmState as t };

package/dist/_chunks/vm-state.mjs

@@ -1,10 +1,36 @@
-import { C as vmStateNotFoundError, M as invalidDurationError, v as networkSlotsExhaustedError } from "./errors.mjs";
+import { N as invalidDurationError, v as networkSlotsExhaustedError, w as vmStateNotFoundError } from "./errors.mjs";
 import { join } from "node:path";
 import { execSync } from "node:child_process";
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from "node:fs";
+import { chmodSync, chownSync, existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from "node:fs";
 import { randomBytes } from "node:crypto";
 import { stripAnsi } from "consola/utils";
 /**
+* Resolve the UID/GID of the real (non-root) user when running under sudo.
+* Returns null when not running under sudo or when env vars are missing.
+*/
+function getSudoOwner() {
+	const uid = process.env.SUDO_UID;
+	const gid = process.env.SUDO_GID;
+	if (!uid || !gid) return null;
+	const numUid = Number(uid);
+	const numGid = Number(gid);
+	if (!Number.isInteger(numUid) || !Number.isInteger(numGid)) return null;
+	return {
+		uid: numUid,
+		gid: numGid
+	};
+}
+function chownToSudoUser(path) {
+	const owner = getSudoOwner();
+	if (!owner) return;
+	try {
+		chownSync(path, owner.uid, owner.gid);
+	} catch {}
+}
+function toError(err) {
+	return err instanceof Error ? err : new Error(String(err));
+}
+/**
 * Send a signal to a process. Returns true if delivered, false if
 * the process is already dead (ESRCH). Falls back to sudo for
 * root-owned processes (EPERM). Re-throws unexpected errors.
@@ -80,6 +106,7 @@ function mkdirSecure(path) {
 	} catch (error) {
 		if (error.code !== "ENOENT") throw error;
 	}
+	chownToSudoUser(path);
 }
 function writeSecure(path, contents) {
 	writeFileSync(path, contents, { mode: 384 });
@@ -88,6 +115,7 @@ function writeSecure(path, contents) {
 	} catch (error) {
 		if (error.code !== "ENOENT") throw error;
 	}
+	chownToSudoUser(path);
 }
 const TIME_UNITS = [
 	[
@@ -150,7 +178,16 @@ function table(opts) {
 	const sep = "   ";
 	return [`\x1b[1m${titles.map(padded).join(sep)}\x1b[0m`, ...data.map((row) => row.map(padded).join(sep))].join("\n");
 }
-var FileVmStateStore = class FileVmStateStore {
+function findFreeNetworkSlot(states) {
+	const usedSlots = new Set(states.filter((s) => s.status === "running" || s.status === "creating").map((s) => {
+		const parts = s.network.hostIp.split(".");
+		return Number(parts[2]);
+	}));
+	for (const slot of getActiveTapSlots()) usedSlots.add(slot);
+	for (let slot = 0; slot <= 254; slot++) if (!usedSlots.has(slot)) return slot;
+	throw networkSlotsExhaustedError();
+}
+var FileVmStateStore = class {
 	constructor(dir) {
 		this.dir = dir;
 	}
@@ -181,26 +218,21 @@ var FileVmStateStore = class FileVmStateStore {
 		if (existsSync(filePath)) unlinkSync(filePath);
 	}
 	allocateNetworkSlot() {
-		const states = this.list();
-		const usedSlots = new Set(states.filter((s) => s.status === "running" || s.status === "creating").map((s) => {
-			const parts = s.network.hostIp.split(".");
-			return Number(parts[2]);
-		}));
-		for (const slot of FileVmStateStore.getActiveTapSlots()) usedSlots.add(slot);
-		for (let slot = 0; slot <= 254; slot++) if (!usedSlots.has(slot)) return slot;
-		throw networkSlotsExhaustedError();
-	}
-	static getActiveTapSlots() {
-		const slots = /* @__PURE__ */ new Set();
-		try {
-			for (const iface of readdirSync("/sys/class/net")) {
-				const match = /^fhvm(\d+)$/.exec(iface);
-				if (!match) continue;
-				const slot = Number(match[1]);
-				if (Number.isInteger(slot) && slot >= 0 && slot <= 254) slots.add(slot);
-			}
-		} catch {}
-		return slots;
+		return findFreeNetworkSlot(this.list());
 	}
 };
-export { parseDuration as a, timeAgo as c, mkdirSecure as i, timeRemaining as l, generateVmId as n, safeKill as o, isProcessAlive as r, table as s, FileVmStateStore as t, writeSecure as u };
+function getActiveTapSlots() {
+	const slots = /* @__PURE__ */ new Set();
+	try {
+		for (const iface of readdirSync("/sys/class/net")) {
+			const tapMatch = /^fhvm(\d+)$/.exec(iface);
+			const vethMatch = /^veth-h-(\d+)$/.exec(iface);
+			const match = tapMatch || vethMatch;
+			if (!match) continue;
+			const slot = Number(match[1]);
+			if (Number.isInteger(slot) && slot >= 0 && slot <= 254) slots.add(slot);
+		}
+	} catch {}
+	return slots;
+}
+export { isProcessAlive as a, safeKill as c, timeRemaining as d, toError as f, generateVmId as i, table as l, findFreeNetworkSlot as n, mkdirSecure as o, writeSecure as p, getActiveTapSlots as r, parseDuration as s, FileVmStateStore as t, timeAgo as u };

package/dist/bin/cli.mjs

@@ -1,7 +1,20 @@
 #!/usr/bin/env node
 import { i as initVmsanLogger } from "../_chunks/logger.mjs";
+import { dirname, join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
 import { consola } from "consola";
+import { fileURLToPath } from "node:url";
 import { defineCommand, runMain } from "citty";
+function findPackageVersion() {
+	let dir = dirname(fileURLToPath(import.meta.url));
+	while (dir !== dirname(dir)) {
+		const pkgPath = join(dir, "package.json");
+		if (existsSync(pkgPath)) return JSON.parse(readFileSync(pkgPath, "utf8")).version;
+		dir = dirname(dir);
+	}
+	return "0.0.0";
+}
+const version = findPackageVersion();
 const SUDO_COMMANDS = new Set([
 	"create",
 	"start",
@@ -17,7 +30,7 @@ if (subCommand && SUDO_COMMANDS.has(subCommand) && process.getuid?.() !== 0) {
 runMain(defineCommand({
 	meta: {
 		name: "vmsan",
-		version: "0.1.0",
+		version,
 		description: "Firecracker microVM sandbox toolkit"
 	},
 	args: {
@@ -43,9 +56,10 @@ runMain(defineCommand({
 		stop: () => import("../_chunks/stop.mjs").then((m) => m.default),
 		remove: () => import("../_chunks/remove.mjs").then((m) => m.default),
 		rm: () => import("../_chunks/remove.mjs").then((m) => m.default),
-		connect: () => import("../_chunks/connect2.mjs").then((m) => m.default),
+		connect: () => import("../_chunks/connect.mjs").then((m) => m.default),
 		upload: () => import("../_chunks/upload.mjs").then((m) => m.default),
 		download: () => import("../_chunks/download.mjs").then((m) => m.default),
+		exec: () => import("../_chunks/exec.mjs").then((m) => m.default),
 		network: () => import("../_chunks/network.mjs").then((m) => m.default)
 	}
 }));