vmsan 0.1.0-alpha.24 → 0.1.0-alpha.25

package/README.md

@@ -29,26 +29,30 @@ Create, manage, and connect to isolated [Firecracker](https://github.com/firecra
 - 📂 **File transfer** — upload and download without SSH
 - 🐳 **Docker images** — build rootfs from any OCI image with `--from-image`
 - 🏃 **Command execution** — run commands with streaming output, env injection, and sudo
-- 🧩 **Multiple runtimes** — `base`, `node22`, `python3.13`
+- 🧩 **Multiple runtimes** — `base`, `node22`, `node24`, `python3.13`
 - 📸 **VM snapshots** — save and restore VM state
 - 📊 **JSON output** — `--json` flag for scripting and automation
 
 ## 📋 Prerequisites
 
 - Linux (x86_64 or aarch64) with KVM support
-- [Bun](https://bun.sh) >= 1.2
-- [Go](https://go.dev) >= 1.22 (to build the in-VM agent)
 - Root/sudo access (required for TAP device networking and jailer)
-- `squashfs-tools` (for rootfs conversion during install)
+- Docker (for building runtime images and `--from-image`)
 
 ## 🚀 Install
 
-### 1. Install Firecracker, kernel, and rootfs
-
 ```bash
 curl -fsSL https://vmsan.dev/install | bash
 ```
 
+This downloads and installs everything into `~/.vmsan/`:
+
+- Firecracker + Jailer (latest release)
+- Linux kernel (vmlinux 6.1)
+- Ubuntu 24.04 rootfs (converted from squashfs to ext4)
+- vmsan CLI + in-VM agent
+- Runtime images (node22, node24, python3.13)
+
 <details>
 <summary>Uninstall</summary>
 
@@ -58,53 +62,27 @@ curl -fsSL https://vmsan.dev/install | bash -s -- --uninstall
 
 </details>
 
-This downloads and installs into `~/.vmsan/`:
-
-- Firecracker + Jailer (latest release)
-- Linux kernel (vmlinux 6.1)
-- Ubuntu 24.04 rootfs (converted from squashfs to ext4)
-
-### 2. Install vmsan CLI
-
-<!-- automd:pm-install -->
-
-```sh
-# ✨ Auto-detect
-npx nypm install vmsan
-
-# npm
-npm install vmsan
-
-# yarn
-yarn add vmsan
-
-# pnpm
-pnpm add vmsan
-
-# bun
-bun install vmsan
-
-# deno
-deno install npm:vmsan
-```
-
-<!-- /automd -->
+<details>
+<summary>Development setup</summary>
 
-### 3. Build the in-VM agent
+If you want to build from source:
 
 ```bash
-cd agent
-make install
-cd ..
-```
+# Install dependencies
+bun install
 
-### Link globally (optional)
+# Build the in-VM agent
+cd agent && make install && cd ..
 
-```bash
-bun link
+# Build the CLI
+bun run build
+
+# Link local build
+mkdir -p ~/.vmsan/bin
+ln -sf "$(pwd)/dist/bin/cli.mjs" ~/.vmsan/bin/vmsan
 ```
 
-This makes the `vmsan` command available system-wide.
+</details>
 
 ## 📖 Usage
 

package/dist/_chunks/connect.mjs

@@ -1,7 +1,6 @@
 import { n as vmsanPaths } from "./paths.mjs";
 import { l as handleCommandError } from "./errors.mjs";
 import { t as createCommandLogger } from "./logger.mjs";
-import "./vm-state.mjs";
 import { n as waitForAgent, t as resolveVmState } from "./vm-context.mjs";
 import { t as ShellSession } from "./shell.mjs";
 import { consola } from "consola";

package/dist/_chunks/context.mjs

@@ -1,8 +1,9 @@
 import { n as vmsanPaths } from "./paths.mjs";
-import { A as vmNotRunningError, B as invalidDomainPatternError, D as snapshotNotFoundError, F as invalidCidrOctetError, G as invalidNetworkPolicyError, H as invalidImageRefEmptyError, I as invalidCidrPrefixError, J as mutuallyExclusiveFlagsError, K as invalidPortError, L as invalidDiskSizeFormatError, P as invalidCidrFormatError, R as invalidDiskSizeRangeError, T as chrootNotFoundError, U as invalidImageRefTagError, W as invalidIntegerFlagError, X as portConflictError, Z as VmsanError, a as cloudflareNotConfiguredError, c as cloudflaredStartFailedError, d as missingBinaryError, f as noExt4RootfsError, h as noRootfsDirError, i as cloudflareNoZoneError, j as vmNotStoppedError, k as vmNotFoundError, m as noKernelError, n as cloudflareConfigNotFoundError, o as cloudflareTunnelNoIdError, p as noKernelDirError, q as invalidRuntimeError, r as cloudflareNoAccountsError, s as cloudflaredNotFoundError, v as lockTimeoutError, x as defaultInterfaceNotFoundError, y as socketTimeoutError, z as invalidDomainError } from "./errors.mjs";
-import { c as safeKill, i as generateVmId, l as sleepSync, m as writeSecure, o as mkdirSecure, p as toError, t as FileVmStateStore } from "./vm-state.mjs";
+import { A as vmNotRunningError, B as invalidDomainPatternError, D as snapshotNotFoundError, F as invalidCidrOctetError, G as invalidNetworkPolicyError, H as invalidImageRefEmptyError, I as invalidCidrPrefixError, J as mutuallyExclusiveFlagsError, K as invalidPortError, L as invalidDiskSizeFormatError, P as invalidCidrFormatError, R as invalidDiskSizeRangeError, T as chrootNotFoundError, U as invalidImageRefTagError, W as invalidIntegerFlagError, X as portConflictError, Z as VmsanError, a as cloudflareNotConfiguredError, c as cloudflaredStartFailedError, d as missingBinaryError, f as noExt4RootfsError, h as noRootfsDirError, i as cloudflareNoZoneError, j as vmNotStoppedError, k as vmNotFoundError, m as noKernelError, n as cloudflareConfigNotFoundError, o as cloudflareTunnelNoIdError, p as noKernelDirError, q as invalidRuntimeError, r as cloudflareNoAccountsError, s as cloudflaredNotFoundError, u as SetupError, v as lockTimeoutError, x as defaultInterfaceNotFoundError, y as socketTimeoutError, z as invalidDomainError } from "./errors.mjs";
+import { c as mkdirSecure, d as sleepSync, g as writeSecure, h as toError, n as waitForAgent, o as generateVmId, r as FileVmStateStore, u as safeKill } from "./vm-context.mjs";
 import { t as FirecrackerClient } from "./firecracker.mjs";
 import { t as spawnTimeoutKiller } from "./timeout-killer.mjs";
+import { t as AgentClient } from "./agent.mjs";
 import { createHooks } from "hookable";
 import { dirname, join } from "node:path";
 import { execFileSync, execSync, spawn } from "node:child_process";
@@ -1202,137 +1203,7 @@ var FileLock = class {
 	}
 };
 /**
-* Template generators for the node22-demo runtime welcome page.
-* All functions are pure and return string content ready to write to files.
-*/
-function generateWelcomeHtml(vmId, ports) {
-	ports.map((p) => `<li>${p}</li>`).join("\n            ");
-	return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>vmsan VM ${vmId}</title>
-  <style>
-    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-      background: #0f172a;
-      color: #e2e8f0;
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      padding: 2rem;
-    }
-    .container { max-width: 640px; width: 100%; }
-    .header { text-align: center; margin-bottom: 2rem; }
-    .logo {
-      font-size: 2.5rem;
-      font-weight: 800;
-      background: linear-gradient(135deg, #f97316, #ef4444);
-      -webkit-background-clip: text;
-      -webkit-text-fill-color: transparent;
-      background-clip: text;
-    }
-    .subtitle { color: #94a3b8; margin-top: 0.5rem; font-size: 1.1rem; }
-    .card {
-      background: #1e293b;
-      border: 1px solid #334155;
-      border-radius: 12px;
-      padding: 1.5rem;
-      margin-bottom: 1.25rem;
-    }
-    .card h2 { font-size: 1rem; color: #f97316; margin-bottom: 0.75rem; }
-    .info-row { display: flex; justify-content: space-between; padding: 0.35rem 0; }
-    .info-label { color: #94a3b8; }
-    .info-value { font-family: monospace; color: #e2e8f0; }
-    ul { list-style: none; }
-    ul li { padding: 0.25rem 0; }
-    code {
-      background: #0f172a;
-      border: 1px solid #334155;
-      border-radius: 6px;
-      padding: 0.2rem 0.5rem;
-      font-size: 0.875rem;
-      color: #f97316;
-    }
-    .steps li { padding: 0.5rem 0; color: #cbd5e1; }
-    .steps li strong { color: #e2e8f0; }
-    .footer { text-align: center; color: #475569; font-size: 0.85rem; margin-top: 1.5rem; }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <div class="header">
-      <div class="logo">vmsan</div>
-      <div class="subtitle">Your microVM is running</div>
-    </div>
-    <div class="card">
-      <h2>VM Info</h2>
-      <div class="info-row">
-        <span class="info-label">VM ID</span>
-        <span class="info-value">${vmId}</span>
-      </div>
-      <div class="info-row">
-        <span class="info-label">Runtime</span>
-        <span class="info-value">node22-demo</span>
-      </div>
-      <div class="info-row">
-        <span class="info-label">Published Ports</span>
-        <span class="info-value">${ports.join(", ")}</span>
-      </div>
-    </div>
-    <div class="card">
-      <h2>Next Steps</h2>
-      <ul class="steps">
-        <li><strong>Connect to the VM:</strong> <code>vmsan connect ${vmId}</code></li>
-        <li><strong>Deploy your app:</strong> Replace this page by stopping the welcome service and running your own server on the published port(s).</li>
-        <li><strong>Stop this page:</strong> <code>systemctl stop vmsan-welcome</code></li>
-      </ul>
-    </div>
-    <div class="footer">Powered by vmsan &middot; Firecracker microVMs</div>
-  </div>
-</body>
-</html>`;
-}
-function generateWelcomeServer(ports) {
-	return `"use strict";
-const http = require("node:http");
-const fs = require("node:fs");
-const path = require("node:path");
-
-const html = fs.readFileSync(path.join(__dirname, "index.html"), "utf-8");
-
-const server = http.createServer((req, res) => {
-  res.writeHead(200, {
-    "Content-Type": "text/html; charset=utf-8",
-    "Cache-Control": "no-cache",
-  });
-  res.end(html);
-});
-
-${ports.map((p) => `server.listen(${p}, "0.0.0.0", () => console.log("vmsan-welcome listening on 0.0.0.0:${p}"));`).join("\n")}
-`;
-}
-function generateWelcomeService(ports) {
-	return `[Unit]
-Description=${`vmsan welcome page on port(s) ${ports.join(", ")}`}
-After=network.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/node /opt/vmsan/welcome/server.js
-Restart=on-failure
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target
-`;
-}
-/**
 * Template generators for the vmsan-agent systemd service.
-* Follows the same pattern as welcome-page.ts.
 */
 function generateAgentService() {
 	return `[Unit]
@@ -1416,19 +1287,10 @@ var Jailer = class {
 		try {
 			execSync(`sudo mount -o loop "${paths.rootfsPath}" "${tmpMount}"`, { stdio: "pipe" });
 			execSync(`rm -f "${tmpMount}/etc/resolv.conf" && ln -s /proc/net/pnp "${tmpMount}/etc/resolv.conf"`, { stdio: "pipe" });
-			if (config.welcomePage) {
-				const { vmId: welcomeVmId, ports: welcomePorts } = config.welcomePage;
-				const welcomeDir = join(tmpMount, "opt", "vmsan", "welcome");
-				mkdirSync(welcomeDir, { recursive: true });
-				writeFileSync(join(welcomeDir, "index.html"), generateWelcomeHtml(welcomeVmId, welcomePorts));
-				writeFileSync(join(welcomeDir, "server.js"), generateWelcomeServer(welcomePorts));
-				const systemdDir = join(tmpMount, "etc", "systemd", "system");
-				mkdirSync(systemdDir, { recursive: true });
-				writeFileSync(join(systemdDir, "vmsan-welcome.service"), generateWelcomeService(welcomePorts));
-				const wantsDir = join(systemdDir, "multi-user.target.wants");
-				mkdirSync(wantsDir, { recursive: true });
-				execSync(`ln -sf /etc/systemd/system/vmsan-welcome.service "${join(wantsDir, "vmsan-welcome.service")}"`, { stdio: "pipe" });
-			}
+			writeFileSync(join(tmpMount, "etc", "hostname"), `${this.vmId}\n`);
+			const hostsPath = join(tmpMount, "etc", "hosts");
+			const hostsContent = existsSync(hostsPath) ? readFileSync(hostsPath, "utf-8") : "";
+			if (!hostsContent.includes(this.vmId)) writeFileSync(hostsPath, `${hostsContent.trimEnd()}\n127.0.1.1 ${this.vmId}\n`);
 			if (config.agent) {
 				const agentDst = join(tmpMount, "usr", "local", "bin", "vmsan-agent");
 				mkdirSync(join(tmpMount, "usr", "local", "bin"), { recursive: true });
@@ -1445,7 +1307,19 @@ var Jailer = class {
 				execSync(`ln -sf /etc/systemd/system/vmsan-agent.service "${join(wantsDir, "vmsan-agent.service")}"`, { stdio: "pipe" });
 			}
 			const ubuntuHome = join(tmpMount, "home", "ubuntu");
-			if (existsSync(ubuntuHome)) execSync(`sudo chown 1000:1000 "${ubuntuHome}"`, { stdio: "pipe" });
+			const rootfsPasswd = join(tmpMount, "etc", "passwd");
+			if (existsSync(ubuntuHome) && existsSync(rootfsPasswd)) {
+				const ubuntuEntry = readFileSync(rootfsPasswd, "utf-8").split("\n").find((l) => l.startsWith("ubuntu:"));
+				if (ubuntuEntry) {
+					const fields = ubuntuEntry.split(":");
+					if (fields.length >= 4 && /^\d+$/.test(fields[2]) && /^\d+$/.test(fields[3])) execFileSync("sudo", [
+						"chown",
+						"-R",
+						`${fields[2]}:${fields[3]}`,
+						ubuntuHome
+					], { stdio: "pipe" });
+				}
+			}
 			execSync(`sudo umount "${tmpMount}"`, { stdio: "pipe" });
 		} catch {
 			try {
@@ -1509,6 +1383,34 @@ function findKernel(baseDir) {
 	if (files.length === 0) throw noKernelError();
 	return join(kernelDir, files.sort().at(-1));
 }
+const RUNTIME_ROOTFS_MAP = {
+	node22: "node22.ext4",
+	node24: "node24.ext4",
+	"python3.13": "python3.13.ext4"
+};
+const BASE_ROOTFS_FILENAMES = ["ubuntu-24.04.ext4"];
+function findRuntimeRootfs(runtime, baseDir) {
+	const filename = RUNTIME_ROOTFS_MAP[runtime];
+	const rootfsPath = join(baseDir, "rootfs", filename);
+	if (!existsSync(rootfsPath)) throw new SetupError("ERR_SETUP_NO_EXT4_ROOTFS", {
+		message: `Runtime "${runtime}" rootfs not found at ${rootfsPath}`,
+		fix: "Run \"curl -fsSL https://vmsan.dev/install | bash\" to build runtime images."
+	});
+	return rootfsPath;
+}
+function findBaseRootfs(baseDir) {
+	const rootfsDir = join(baseDir, "rootfs");
+	if (!existsSync(rootfsDir)) throw noRootfsDirError();
+	for (const filename of BASE_ROOTFS_FILENAMES) {
+		const rootfsPath = join(rootfsDir, filename);
+		if (existsSync(rootfsPath)) return rootfsPath;
+	}
+	const files = readdirSync(rootfsDir).filter((fileName) => fileName.endsWith(".ext4"));
+	const runtimeFilenames = new Set(Object.values(RUNTIME_ROOTFS_MAP));
+	const baseFiles = files.filter((fileName) => !runtimeFilenames.has(fileName));
+	if (baseFiles.length === 0) throw noExt4RootfsError();
+	return join(rootfsDir, baseFiles.sort().at(-1));
+}
 function findRootfs(baseDir) {
 	const rootfsDir = join(baseDir, "rootfs");
 	if (!existsSync(rootfsDir)) throw noRootfsDirError();
@@ -1651,16 +1553,18 @@ const APT_PACKAGES = [
 	"findutils",
 	"git",
 	"gzip",
+	"iptables",
 	"iputils-ping",
 	"libicu-dev",
 	"libjpeg-dev",
 	"libpng-dev",
 	"ncurses-base",
 	"libssl-dev",
-	"openssh-server",
 	"openssl",
 	"procps",
 	"sudo",
+	"systemd",
+	"systemd-sysv",
 	"tar",
 	"unzip",
 	"debianutils",
@@ -1673,12 +1577,12 @@ const DNF_PACKAGES = [
 	"findutils",
 	"git",
 	"gzip",
+	"iptables",
 	"iputils",
 	"libicu",
 	"libjpeg",
 	"libpng",
 	"ncurses-libs",
-	"openssh-server",
 	"openssl",
 	"openssl-libs",
 	"procps",
@@ -1696,13 +1600,13 @@ const APK_PACKAGES = [
 	"findutils",
 	"git",
 	"gzip",
+	"iptables",
 	"iputils",
 	"icu-libs",
 	"libjpeg-turbo",
 	"libpng",
 	"ncurses-libs",
 	"openrc",
-	"openssh",
 	"openssl",
 	"procps",
 	"sudo",
@@ -1711,7 +1615,8 @@ const APK_PACKAGES = [
 	"whois",
 	"zstd"
 ];
-function generateDockerfile(baseImage) {
+function generateDockerfile(baseImage, minimal = false) {
+	if (minimal) return `FROM ${baseImage}\n`;
 	return `FROM ${baseImage}
 RUN if command -v apt-get >/dev/null 2>&1; then ${`apt-get update && apt-get install -y --no-install-recommends ${APT_PACKAGES.join(" ")} && rm -rf /var/lib/apt/lists/*`}; \\
     elif command -v dnf >/dev/null 2>&1; then ${`dnf install -y ${DNF_PACKAGES.join(" ")} && dnf clean all`}; \\
@@ -1725,13 +1630,22 @@ RUN if command -v apk >/dev/null 2>&1; then \\
     fi; \\
     echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ubuntu; \\
     chmod 440 /etc/sudoers.d/ubuntu; \\
-    mkdir -p /home/ubuntu/.ssh && chown -R ubuntu:ubuntu /home/ubuntu
-RUN ssh-keygen -A 2>/dev/null || true; \\
-    mkdir -p /root/.ssh && chmod 700 /root/.ssh; \\
-    if [ -f /etc/ssh/sshd_config ]; then \\
-      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config; \\
+    chown -R ubuntu:ubuntu /home/ubuntu
+RUN EXTRA=""; \\
+    if command -v npm >/dev/null 2>&1; then \\
+      su -c 'mkdir -p /home/ubuntu/.npm-global && npm config set prefix /home/ubuntu/.npm-global' ubuntu; \\
+      EXTRA="\${EXTRA}export PATH=\\"/home/ubuntu/.npm-global/bin:\\$PATH\\"\\n"; \\
     fi; \\
-    if command -v rc-update >/dev/null 2>&1; then \\
+    if command -v pip3 >/dev/null 2>&1 || command -v pip >/dev/null 2>&1; then \\
+      EXTRA="\${EXTRA}export PATH=\\"/home/ubuntu/.local/bin:\\$PATH\\"\\n"; \\
+    fi; \\
+    if [ -n "$EXTRA" ]; then \\
+      printf '%b' "$EXTRA" >> /home/ubuntu/.profile; \\
+      { printf '%b' "$EXTRA"; cat /home/ubuntu/.bashrc; } > /home/ubuntu/.bashrc.tmp \\
+        && mv /home/ubuntu/.bashrc.tmp /home/ubuntu/.bashrc; \\
+    fi; \\
+    chown -R ubuntu:ubuntu /home/ubuntu
+RUN if command -v rc-update >/dev/null 2>&1; then \\
       rc-update add devfs sysinit 2>/dev/null || true; \\
       rc-update add mdev sysinit 2>/dev/null || true; \\
       rc-update add hwdrivers sysinit 2>/dev/null || true; \\
@@ -1740,10 +1654,8 @@ RUN ssh-keygen -A 2>/dev/null || true; \\
       rc-update add hostname boot 2>/dev/null || true; \\
       rc-update add bootmisc boot 2>/dev/null || true; \\
       rc-update add networking boot 2>/dev/null || true; \\
-      rc-update add sshd default 2>/dev/null || true; \\
       printf '%s\\n' '::sysinit:/sbin/openrc sysinit' '::sysinit:/sbin/openrc boot' '::wait:/sbin/openrc default' '::shutdown:/sbin/openrc shutdown' 'ttyS0::respawn:/sbin/getty 115200 ttyS0' > /etc/inittab; \\
-    fi; \\
-    if command -v systemctl >/dev/null 2>&1; then systemctl enable sshd 2>/dev/null || systemctl enable ssh 2>/dev/null || true; fi
+    fi
 `;
 }
 function verifyDocker() {
@@ -1753,7 +1665,7 @@ function verifyDocker() {
 		throw dockerUnavailableError();
 	}
 }
-function buildImageRootfs(imageRef, cacheDir) {
+function buildImageRootfs(imageRef, cacheDir, minimal = false) {
 	const ext4Path = join(cacheDir, "rootfs.ext4");
 	verifyDocker();
 	const buildTag = `vmsan-rootfs-${imageRef.name.replace(/[^a-z0-9._-]/gi, "-")}:${imageRef.tag}`;
@@ -1762,7 +1674,7 @@ function buildImageRootfs(imageRef, cacheDir) {
 	mkdirSync(cacheDir, { recursive: true });
 	try {
 		consola.start(`Building image from ${imageRef.full}...`);
-		execSync(`docker build -t "${buildTag}" -f - . <<'DOCKERFILE'\n${generateDockerfile(imageRef.full)}\nDOCKERFILE`, {
+		execSync(`docker build -t "${buildTag}" -f - . <<'DOCKERFILE'\n${generateDockerfile(imageRef.full, minimal)}\nDOCKERFILE`, {
 			stdio: "pipe",
 			shell: "/bin/bash"
 		});
@@ -1800,19 +1712,20 @@ function buildImageRootfs(imageRef, cacheDir) {
 		} catch {}
 	}
 }
-function resolveImageRootfs(imageRef, registryDir) {
-	const cacheDir = join(registryDir, imageRef.cacheKey);
+function resolveImageRootfs(imageRef, registryDir, minimal = false) {
+	const cacheSuffix = minimal ? "-minimal" : "";
+	const cacheDir = join(registryDir, `${imageRef.cacheKey}${cacheSuffix}`);
 	const ext4Path = join(cacheDir, "rootfs.ext4");
 	if (existsSync(ext4Path)) {
 		consola.info(`Using cached rootfs for ${imageRef.full}`);
 		return ext4Path;
 	}
-	return buildImageRootfs(imageRef, cacheDir);
+	return buildImageRootfs(imageRef, cacheDir, minimal);
 }
 const VALID_RUNTIMES = [
 	"base",
 	"node22",
-	"node22-demo",
+	"node24",
 	"python3.13"
 ];
 const VALID_NETWORK_POLICIES = [
@@ -2042,11 +1955,12 @@ var VMService = class {
 			const kernelPath = opts.kernelPath ?? findKernel(paths.baseDir);
 			logger.debug(`Kernel resolved: ${kernelPath}`);
 			let rootfsPath;
-			if (opts.fromImage) rootfsPath = resolveImageRootfs(opts.fromImage, paths.registryDir);
-			else rootfsPath = opts.rootfsPath ?? findRootfs(paths.baseDir);
+			if (opts.fromImage) rootfsPath = resolveImageRootfs(opts.fromImage, paths.registryDir, true);
+			else if (runtime !== "base" && !opts.rootfsPath) rootfsPath = findRuntimeRootfs(runtime, paths.baseDir);
+			else rootfsPath = opts.rootfsPath ?? findBaseRootfs(paths.baseDir);
 			logger.debug(`Rootfs resolved: ${rootfsPath}`);
 			const netnsName = opts.disableNetns ? void 0 : `vmsan-${vmId}`;
-			const agentToken = existsSync(paths.agentBin) ? randomBytes(32).toString("hex") : null;
+			const agentToken = !opts.fromImage && existsSync(paths.agentBin) ? randomBytes(32).toString("hex") : null;
 			log.start(`Creating VM ${vmId}...`);
 			const { net } = new FileLock(join(paths.vmsDir, ".slot-lock"), "slot-alloc").run(() => {
 				const slot = this.store.allocateNetworkSlot();
@@ -2100,10 +2014,6 @@ var VMService = class {
 				memFile: join(paths.snapshotsDir, snapshotId, "mem_file")
 			} : void 0;
 			const jailer = new Jailer(vmId, paths.jailerBaseDir);
-			const welcomePage = runtime === "node22-demo" && ports.length > 0 ? {
-				vmId,
-				ports
-			} : void 0;
 			const agentConfig = agentToken ? {
 				binaryPath: paths.agentBin,
 				token: agentToken,
@@ -2115,7 +2025,6 @@ var VMService = class {
 				rootfsSrc: rootfsPath,
 				diskSizeGb,
 				snapshot: snapshotConfig,
-				welcomePage,
 				agent: agentConfig
 			});
 			chrootDir = jailerPaths.chrootDir;
@@ -2167,6 +2076,7 @@ var VMService = class {
 				timeoutMs,
 				stateFile: join(paths.vmsDir, `${vmId}.json`)
 			});
+			if (agentToken && opts.ports?.length) await this.setupLocalhostPortForwarding(netCfg.guestIp, paths.agentPort, agentToken, opts.ports);
 			const finalState = this.store.load(vmId);
 			await hooks.callHook("vm:afterCreate", finalState);
 			return {
@@ -2321,6 +2231,7 @@ var VMService = class {
 				pid
 			});
 			log.success(`VM ${vmId} is running (PID: ${pid || "unknown"})`);
+			if (state.agentToken && state.network.publishedPorts?.length) await this.setupLocalhostPortForwarding(state.network.guestIp, state.agentPort, state.agentToken, state.network.publishedPorts);
 			const finalState = this.store.load(vmId);
 			await hooks.callHook("vm:afterStart", finalState);
 			return {
@@ -2515,6 +2426,26 @@ var VMService = class {
 		await vm.configure(vcpus, memMib);
 		await vm.addNetwork("eth0", netCfg.tapDevice, netCfg.macAddress);
 	}
+	/**
+	* Set up iptables DNAT rules inside the VM so that traffic arriving on
+	* published ports is forwarded to 127.0.0.1. Many services bind to
+	* localhost only; this lets the Cloudflare tunnel (which connects to the
+	* guest IP) reach them.
+	*/
+	async setupLocalhostPortForwarding(guestIp, agentPort, agentToken, ports) {
+		try {
+			await waitForAgent(guestIp, agentPort);
+			const agent = new AgentClient(`http://${guestIp}:${agentPort}`, agentToken);
+			const iptablesRules = ports.map((p) => `sudo iptables-legacy -t nat -A PREROUTING -i eth0 -p tcp --dport ${p} -j DNAT --to-destination 127.0.0.1:${p}`).join(" && ");
+			await agent.runCommand({
+				cmd: "/bin/bash",
+				args: ["-c", `sudo sysctl -w net.ipv4.conf.all.route_localnet=1 && ${iptablesRules}`]
+			});
+			this.logger.debug(`Localhost port forwarding set up for ports: ${ports.join(", ")}`);
+		} catch (err) {
+			this.logger.warn(`Failed to set up localhost port forwarding: ${toError(err).message}`);
+		}
+	}
 	markAsError(vmId, error) {
 		try {
 			this.store.update(vmId, {
@@ -2961,4 +2892,4 @@ async function createVmsan(options) {
 	for (const plugin of allPlugins) await plugin.setup(ctx);
 	return vmsan;
 }
-export { findKernel as A, createDefaultLogger as B, resolveImageRootfs as C, killOrphanVmProcess as D, cleanupNetwork as E, waitForSocket as F, Jailer as I, detectCgroupVersion as L, getVmJailerPid as M, getVmPid as N, markVmAsError as O, validateEnvironment as P, FileLock as R, validatePublishedPortsAvailable as S, cleanupChroot as T, createSilentLogger as V, parseNetworkPolicy as _, resolveTunnelHostnames as a, parseVcpuCount as b, VMService as c, parseBandwidth as d, parseCidrList as f, parseMemoryMib as g, parseImageReference as h, CloudflareService as i, findRootfs as j, assertSnapshotExists as k, compileSeccompFilter as l, parseDomains as m, cloudflarePlugin as n, PidFile as o, parseDiskSizeGb as p, cleanupCloudflareResources as r, definePlugin as s, createVmsan as t, ensureSeccompFilter as u, parsePublishedPorts as v, buildInitialVmState as w, validateCidr as x, parseRuntime as y, NetworkManager as z };
+export { findKernel as A, NetworkManager as B, resolveImageRootfs as C, killOrphanVmProcess as D, cleanupNetwork as E, validateEnvironment as F, createSilentLogger as H, waitForSocket as I, Jailer as L, findRuntimeRootfs as M, getVmJailerPid as N, markVmAsError as O, getVmPid as P, detectCgroupVersion as R, validatePublishedPortsAvailable as S, cleanupChroot as T, createDefaultLogger as V, parseNetworkPolicy as _, resolveTunnelHostnames as a, parseVcpuCount as b, VMService as c, parseBandwidth as d, parseCidrList as f, parseMemoryMib as g, parseImageReference as h, CloudflareService as i, findRootfs as j, assertSnapshotExists as k, compileSeccompFilter as l, parseDomains as m, cloudflarePlugin as n, PidFile as o, parseDiskSizeGb as p, cleanupCloudflareResources as r, definePlugin as s, createVmsan as t, ensureSeccompFilter as u, parsePublishedPorts as v, buildInitialVmState as w, validateCidr as x, parseRuntime as y, FileLock as z };