vmsan 0.1.0-alpha.25 → 0.1.0-alpha.27

package/README.md

@@ -180,7 +180,7 @@ docs/           Documentation site (vmsan.dev)
 ### How it works
 
 1. **vmsan** uses [Firecracker](https://github.com/firecracker-microvm/firecracker) to create lightweight microVMs with a jailer for security isolation
-2. Each VM gets a TAP network device with its own `/30` subnet (`172.16.{slot}.0/30`)
+2. Each VM gets a TAP network device with its own `/30` subnet (`198.19.{slot}.0/30`)
 3. A Go-based **agent** runs inside the VM, exposing an HTTP API for command execution, file operations, and shell access
 4. The CLI communicates with the agent over the host-guest network
 

package/dist/_chunks/context.mjs

@@ -1,6 +1,6 @@
 import { n as vmsanPaths } from "./paths.mjs";
 import { A as vmNotRunningError, B as invalidDomainPatternError, D as snapshotNotFoundError, F as invalidCidrOctetError, G as invalidNetworkPolicyError, H as invalidImageRefEmptyError, I as invalidCidrPrefixError, J as mutuallyExclusiveFlagsError, K as invalidPortError, L as invalidDiskSizeFormatError, P as invalidCidrFormatError, R as invalidDiskSizeRangeError, T as chrootNotFoundError, U as invalidImageRefTagError, W as invalidIntegerFlagError, X as portConflictError, Z as VmsanError, a as cloudflareNotConfiguredError, c as cloudflaredStartFailedError, d as missingBinaryError, f as noExt4RootfsError, h as noRootfsDirError, i as cloudflareNoZoneError, j as vmNotStoppedError, k as vmNotFoundError, m as noKernelError, n as cloudflareConfigNotFoundError, o as cloudflareTunnelNoIdError, p as noKernelDirError, q as invalidRuntimeError, r as cloudflareNoAccountsError, s as cloudflaredNotFoundError, u as SetupError, v as lockTimeoutError, x as defaultInterfaceNotFoundError, y as socketTimeoutError, z as invalidDomainError } from "./errors.mjs";
-import { c as mkdirSecure, d as sleepSync, g as writeSecure, h as toError, n as waitForAgent, o as generateVmId, r as FileVmStateStore, u as safeKill } from "./vm-context.mjs";
+import { S as vmLinkCidrFromIp, _ as SUPPORTED_VM_ADDRESS_BLOCKS, b as vmGuestIp, c as mkdirSecure, d as sleepSync, g as writeSecure, h as toError, n as waitForAgent, o as generateVmId, r as FileVmStateStore, u as safeKill, v as VM_SUBNET_MASK, x as vmHostIp, y as slotFromVmHostIp } from "./vm-context.mjs";
 import { t as FirecrackerClient } from "./firecracker.mjs";
 import { t as spawnTimeoutKiller } from "./timeout-killer.mjs";
 import { t as AgentClient } from "./agent.mjs";
@@ -101,9 +101,9 @@ var NetworkManager = class NetworkManager {
 		this.config = {
 			slot,
 			tapDevice: `fhvm${slot}`,
-			hostIp: `172.16.${slot}.1`,
-			guestIp: `172.16.${slot}.2`,
-			subnetMask: "255.255.255.252",
+			hostIp: vmHostIp(slot),
+			guestIp: vmGuestIp(slot),
+			subnetMask: VM_SUBNET_MASK,
 			macAddress: `AA:FC:00:00:00:${(slot + 1).toString(16).padStart(2, "0").toUpperCase()}`,
 			networkPolicy,
 			allowedDomains,
@@ -115,8 +115,8 @@ var NetworkManager = class NetworkManager {
 			skipDnat
 		};
 	}
-	static bootArgs(slot) {
-		return `console=ttyS0 reboot=k panic=1 pci=off ip=172.16.${slot}.2::${`172.16.${slot}.1`}:255.255.255.252::eth0:off:${DNS_RESOLVERS[0]}`;
+	static bootArgs(config) {
+		return `console=ttyS0 reboot=k panic=1 pci=off ip=${config.guestIp}::${config.hostIp}:${config.subnetMask}::eth0:off:${DNS_RESOLVERS[0]}`;
 	}
 	static fromConfig(config) {
 		const mgr = Object.create(NetworkManager.prototype);
@@ -124,8 +124,12 @@ var NetworkManager = class NetworkManager {
 		return mgr;
 	}
 	static fromVmNetwork(network) {
-		const slot = Number(network.hostIp.split(".")[2]);
-		if (!Number.isInteger(slot)) throw new Error(`invalid network slot derived from hostIp: ${network.hostIp}`);
+		let slot;
+		try {
+			slot = slotFromVmHostIp(network.hostIp);
+		} catch {
+			throw new Error(`invalid network slot derived from hostIp: ${network.hostIp}`);
+		}
 		return NetworkManager.fromConfig({
 			slot,
 			tapDevice: network.tapDevice,
@@ -149,8 +153,9 @@ var NetworkManager = class NetworkManager {
 		else sudo(args);
 	}
 	setupNamespace() {
-		const { slot, netnsName } = this.config;
+		const { guestIp, netnsName } = this.config;
 		if (!netnsName) return;
+		const slot = this.config.slot;
 		const vethHost = `veth-h-${slot}`;
 		const vethGuest = `veth-g-${slot}`;
 		const transitHostIp = `10.200.${slot}.1`;
@@ -244,7 +249,7 @@ var NetworkManager = class NetworkManager {
 			"ip",
 			"route",
 			"add",
-			`172.16.${slot}.0/30`,
+			vmLinkCidrFromIp(guestIp),
 			"via",
 			transitGuestIp
 		]);
@@ -255,7 +260,7 @@ var NetworkManager = class NetworkManager {
 		]);
 	}
 	teardownNamespace() {
-		const { slot, netnsName } = this.config;
+		const { guestIp, netnsName } = this.config;
 		if (!netnsName) return;
 		const tryRun = (args) => {
 			try {
@@ -268,7 +273,7 @@ var NetworkManager = class NetworkManager {
 			"ip",
 			"route",
 			"del",
-			`172.16.${slot}.0/30`
+			vmLinkCidrFromIp(guestIp)
 		]);
 		tryRun([
 			"ip",
@@ -347,10 +352,45 @@ var NetworkManager = class NetworkManager {
 		}
 	}
 	setupRules() {
-		const { tapDevice, hostIp, guestIp, publishedPorts } = this.config;
+		const { tapDevice, guestIp, publishedPorts } = this.config;
 		const policy = effectivePolicy(this.config);
+		const vethGuest = this.config.netnsName ? `veth-g-${this.config.slot}` : void 0;
 		const fwd = this.nsRun.bind(this);
+		sudo([
+			"iptables",
+			"-I",
+			"OUTPUT",
+			"1",
+			"-d",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
+		sudo([
+			"iptables",
+			"-I",
+			"INPUT",
+			"1",
+			"-s",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
 		if (policy === "deny-all") {
+			if (vethGuest) fwd([
+				"iptables",
+				"-I",
+				"FORWARD",
+				"1",
+				"-i",
+				vethGuest,
+				"-o",
+				tapDevice,
+				"-d",
+				guestIp,
+				"-j",
+				"ACCEPT"
+			]);
 			fwd([
 				"iptables",
 				"-I",
@@ -546,14 +586,14 @@ var NetworkManager = class NetworkManager {
 					"DROP"
 				]);
 			}
-			fwd([
+			for (const vmAddressBlock of SUPPORTED_VM_ADDRESS_BLOCKS) fwd([
 				"iptables",
 				"-A",
 				"FORWARD",
 				"-i",
 				tapDevice,
 				"-d",
-				"172.16.0.0/16",
+				vmAddressBlock,
 				"-j",
 				"DROP"
 			]);
@@ -694,14 +734,14 @@ var NetworkManager = class NetworkManager {
 					"DROP"
 				]);
 			}
-			fwd([
+			for (const vmAddressBlock of SUPPORTED_VM_ADDRESS_BLOCKS) fwd([
 				"iptables",
 				"-A",
 				"FORWARD",
 				"-i",
 				tapDevice,
 				"-d",
-				"172.16.0.0/16",
+				vmAddressBlock,
 				"-j",
 				"DROP"
 			]);
@@ -761,6 +801,20 @@ var NetworkManager = class NetworkManager {
 				"ACCEPT"
 			]);
 		}
+		if (vethGuest) fwd([
+			"iptables",
+			"-I",
+			"FORWARD",
+			"1",
+			"-i",
+			vethGuest,
+			"-o",
+			tapDevice,
+			"-d",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
 	}
 	setupThrottle() {
 		const { tapDevice, bandwidthMbit } = this.config;
@@ -799,7 +853,8 @@ var NetworkManager = class NetworkManager {
 		}
 	}
 	teardownRules() {
-		const { tapDevice, hostIp, guestIp, publishedPorts, netnsName } = this.config;
+		const { tapDevice, guestIp, publishedPorts, netnsName } = this.config;
+		const vethGuest = netnsName ? `veth-g-${this.config.slot}` : void 0;
 		let defaultIface;
 		try {
 			defaultIface = getDefaultInterface();
@@ -813,6 +868,24 @@ var NetworkManager = class NetworkManager {
 				consola.debug(`iptables host cleanup failed (${args.slice(0, 4).join(" ")}): ${toError(err).message}`);
 			}
 		};
+		tryRun([
+			"iptables",
+			"-D",
+			"OUTPUT",
+			"-d",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
+		tryRun([
+			"iptables",
+			"-D",
+			"INPUT",
+			"-s",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
 		const tryFwd = (args) => {
 			try {
 				this.nsRun(args);
@@ -992,14 +1065,14 @@ var NetworkManager = class NetworkManager {
 					"DROP"
 				]);
 			}
-			tryFwd([
+			for (const vmAddressBlock of SUPPORTED_VM_ADDRESS_BLOCKS) tryFwd([
 				"iptables",
 				"-D",
 				"FORWARD",
 				"-i",
 				tapDevice,
 				"-d",
-				"172.16.0.0/16",
+				vmAddressBlock,
 				"-j",
 				"DROP"
 			]);
@@ -1044,6 +1117,19 @@ var NetworkManager = class NetworkManager {
 				"DROP"
 			]);
 		}
+		if (vethGuest) tryFwd([
+			"iptables",
+			"-D",
+			"FORWARD",
+			"-i",
+			vethGuest,
+			"-o",
+			tapDevice,
+			"-d",
+			guestIp,
+			"-j",
+			"ACCEPT"
+		]);
 		if (netnsName && defaultIface) {
 			const vethHost = `veth-h-${this.config.slot}`;
 			tryRun([
@@ -1284,6 +1370,7 @@ var Jailer = class {
 		}
 		const tmpMount = join(paths.rootDir, "tmp-mount");
 		mkdirSync(tmpMount, { recursive: true });
+		let prepareError;
 		try {
 			execSync(`sudo mount -o loop "${paths.rootfsPath}" "${tmpMount}"`, { stdio: "pipe" });
 			execSync(`rm -f "${tmpMount}/etc/resolv.conf" && ln -s /proc/net/pnp "${tmpMount}/etc/resolv.conf"`, { stdio: "pipe" });
@@ -1321,7 +1408,8 @@ var Jailer = class {
 				}
 			}
 			execSync(`sudo umount "${tmpMount}"`, { stdio: "pipe" });
-		} catch {
+		} catch (error) {
+			prepareError = error;
 			try {
 				execSync(`sudo umount "${tmpMount}" 2>/dev/null`, { stdio: "pipe" });
 			} catch {}
@@ -1329,6 +1417,7 @@ var Jailer = class {
 		try {
 			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
 		} catch {}
+		if (prepareError) throw prepareError;
 		if (config.snapshot) {
 			mkdirSync(paths.snapshotDir, { recursive: true });
 			copyFileSync(config.snapshot.snapshotFile, join(paths.snapshotDir, "snapshot_file"));
@@ -1685,18 +1774,11 @@ function buildImageRootfs(imageRef, cacheDir, minimal = false) {
 		const tarSizeOutput = execSync(`stat -c %s "${tmpTar}"`, { encoding: "utf-8" }).trim();
 		const tarMb = Number(tarSizeOutput) / 1024 / 1024;
 		const imageSizeMb = Math.max(1024, Math.ceil(tarMb + 512));
-		execSync(`dd if=/dev/zero of="${ext4Path}" bs=1M count=${imageSizeMb} 2>/dev/null`, { stdio: "pipe" });
-		execSync(`mkfs.ext4 -q "${ext4Path}"`, { stdio: "pipe" });
+		const tmpExtract = join(cacheDir, "rootfs-extracted");
+		mkdirSync(tmpExtract, { recursive: true });
+		execSync(`tar -xf "${tmpTar}" -C "${tmpExtract}"`, { stdio: "pipe" });
+		execSync(`mkfs.ext4 -q -d "${tmpExtract}" "${ext4Path}" "${imageSizeMb}M"`, { stdio: "pipe" });
 		execSync(`tune2fs -m 0 "${ext4Path}"`, { stdio: "pipe" });
-		const tmpMount = join(cacheDir, "mnt");
-		mkdirSync(tmpMount, { recursive: true });
-		execSync(`mount -o loop "${ext4Path}" "${tmpMount}"`, { stdio: "pipe" });
-		try {
-			execSync(`tar -xf "${tmpTar}" -C "${tmpMount}"`, { stdio: "pipe" });
-		} finally {
-			execSync(`umount "${tmpMount}"`, { stdio: "pipe" });
-			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
-		}
 		writeFileSync(join(cacheDir, "metadata.json"), JSON.stringify({
 			image: imageRef.full,
 			builtAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -1706,10 +1788,19 @@ function buildImageRootfs(imageRef, cacheDir, minimal = false) {
 	} finally {
 		try {
 			execSync(`docker rm -f "${containerName}" 2>/dev/null`, { stdio: "pipe" });
-		} catch {}
+		} catch (err) {
+			consola.debug(`Failed to remove docker container ${containerName}: ${toError(err).message}`);
+		}
 		try {
 			execSync(`rm -f "${tmpTar}"`, { stdio: "pipe" });
-		} catch {}
+		} catch (err) {
+			consola.debug(`Failed to remove temp tar ${tmpTar}: ${toError(err).message}`);
+		}
+		try {
+			execSync(`rm -rf "${join(cacheDir, "rootfs-extracted")}"`, { stdio: "pipe" });
+		} catch (err) {
+			consola.debug(`Failed to remove extraction dir: ${toError(err).message}`);
+		}
 	}
 }
 function resolveImageRootfs(imageRef, registryDir, minimal = false) {
@@ -2419,7 +2510,7 @@ var VMService = class {
 	}
 	async bootVm(socketPath, netCfg, vcpus, memMib) {
 		const vm = new FirecrackerClient(socketPath);
-		const bootArgs = NetworkManager.bootArgs(netCfg.slot);
+		const bootArgs = NetworkManager.bootArgs(netCfg);
 		this.logger.debug(`Boot args: ${bootArgs}`);
 		await vm.boot("kernel/vmlinux", bootArgs);
 		await vm.addDrive("rootfs", "rootfs/rootfs.ext4", true, false);

package/dist/_chunks/exec.mjs

@@ -13,7 +13,7 @@ function shellEscape(s) {
 	if (/^[a-zA-Z0-9._\-/=:@]+$/.test(s)) return s;
 	return "'" + s.replace(/'/g, "'\\''") + "'";
 }
-function parseEnvFlags(targetCommand) {
+function parseEnvFlags(_targetCommand) {
 	const env = {};
 	const argv = process.argv;
 	let positionalCount = 0;

package/dist/_chunks/vm-context.mjs

@@ -4,6 +4,50 @@ import { execSync } from "node:child_process";
 import { chmodSync, chownSync, existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from "node:fs";
 import { randomBytes } from "node:crypto";
 import { stripAnsi } from "consola/utils";
+const VM_NETWORK_FIRST_OCTET = 198;
+const VM_NETWORK_SECOND_OCTET = 19;
+const VM_SUBNET_MASK = "255.255.255.252";
+const VM_NETWORK_PREFIX = `${VM_NETWORK_FIRST_OCTET}.${VM_NETWORK_SECOND_OCTET}`;
+const SUPPORTED_VM_ADDRESS_BLOCKS = ["198.19.0.0/16", "172.16.0.0/16"];
+function assertValidSlot(slot) {
+	if (!Number.isInteger(slot) || slot < 0 || slot > 254) throw new Error(`invalid VM network slot: ${slot}`);
+}
+function parseIpv4OrNull(ip) {
+	const octets = ip.split(".");
+	if (octets.length !== 4 || octets.some((part) => !/^\d+$/.test(part))) return null;
+	const parts = octets.map((part) => Number.parseInt(part, 10));
+	if (parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+	return parts;
+}
+function parseIpv4(ip) {
+	const parts = parseIpv4OrNull(ip);
+	if (!parts) throw new Error(`invalid IPv4 address: ${ip}`);
+	return parts;
+}
+function vmHostIp(slot) {
+	assertValidSlot(slot);
+	return `${VM_NETWORK_PREFIX}.${slot}.1`;
+}
+function vmGuestIp(slot) {
+	assertValidSlot(slot);
+	return `${VM_NETWORK_PREFIX}.${slot}.2`;
+}
+function slotFromVmHostIpOrNull(hostIp) {
+	const parts = parseIpv4OrNull(hostIp);
+	if (!parts) return null;
+	const slot = parts[2];
+	if (!Number.isInteger(slot) || slot < 0 || slot > 254) return null;
+	return slot;
+}
+function slotFromVmHostIp(hostIp) {
+	const slot = slotFromVmHostIpOrNull(hostIp);
+	if (slot === null) throw new Error(`invalid VM host IP: ${hostIp}`);
+	return slot;
+}
+function vmLinkCidrFromIp(ip) {
+	const [first, second, third] = parseIpv4(ip);
+	return `${first}.${second}.${third}.0/30`;
+}
 /**
 * Resolve the UID/GID of the real (non-root) user when running under sudo.
 * Returns null when not running under sudo or when env vars are missing.
@@ -183,10 +227,12 @@ function table(opts) {
 	return [`\x1b[1m${titles.map(padded).join(sep)}\x1b[0m`, ...data.map((row) => row.map(padded).join(sep))].join("\n");
 }
 function findFreeNetworkSlot(states) {
-	const usedSlots = new Set(states.filter((s) => s.status === "running" || s.status === "creating").map((s) => {
-		const parts = s.network.hostIp.split(".");
-		return Number(parts[2]);
-	}));
+	const usedSlots = /* @__PURE__ */ new Set();
+	for (const state of states) {
+		if (state.status === "error") continue;
+		const slot = slotFromVmHostIpOrNull(state.network.hostIp);
+		if (slot !== null) usedSlots.add(slot);
+	}
 	for (const slot of getActiveTapSlots()) usedSlots.add(slot);
 	for (let slot = 0; slot <= 254; slot++) if (!usedSlots.has(slot)) return slot;
 	throw networkSlotsExhaustedError();
@@ -270,4 +316,4 @@ async function waitForAgent(guestIp, port, timeoutMs = 6e4) {
 	}
 	throw agentTimeoutError(guestIp, timeoutMs);
 }
-export { getActiveTapSlots as a, mkdirSecure as c, sleepSync as d, table as f, writeSecure as g, toError as h, findFreeNetworkSlot as i, parseDuration as l, timeRemaining as m, waitForAgent as n, generateVmId as o, timeAgo as p, FileVmStateStore as r, isProcessAlive as s, resolveVmState as t, safeKill as u };
+export { vmLinkCidrFromIp as S, SUPPORTED_VM_ADDRESS_BLOCKS as _, getActiveTapSlots as a, vmGuestIp as b, mkdirSecure as c, sleepSync as d, table as f, writeSecure as g, toError as h, findFreeNetworkSlot as i, parseDuration as l, timeRemaining as m, waitForAgent as n, generateVmId as o, timeAgo as p, FileVmStateStore as r, isProcessAlive as s, resolveVmState as t, safeKill as u, VM_SUBNET_MASK as v, vmHostIp as x, slotFromVmHostIp as y };

package/dist/index.d.mts

@@ -102,7 +102,7 @@ interface NetworkConfig {
 declare class NetworkManager {
   config: NetworkConfig;
   constructor(slot: number, networkPolicy: string, allowedDomains: string[], allowedCidrs: string[], deniedCidrs: string[], publishedPorts: number[], bandwidthMbit?: number, netnsName?: string, skipDnat?: boolean);
-  static bootArgs(slot: number): string;
+  static bootArgs(config: Pick<NetworkConfig, "guestIp" | "hostIp" | "subnetMask">): string;
   static fromConfig(config: NetworkConfig): NetworkManager;
   static fromVmNetwork(network: VmNetwork): NetworkManager;
   private nsRun;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vmsan",
-  "version": "0.1.0-alpha.25",
+  "version": "0.1.0-alpha.27",
   "description": "Firecracker microVM sandbox toolkit",
   "homepage": "https://github.com/angelorc/vmsan",
   "bugs": "https://github.com/angelorc/vmsan/issues",
@@ -27,10 +27,10 @@
   "scripts": {
     "build": "obuild",
     "dev": "obuild --stub",
-    "lint": "oxlint . && oxfmt --check '!**/*.md' '!docs/**' .",
-    "lint:fix": "oxlint . --fix && oxfmt '!**/*.md' '!docs/**' .",
-    "fmt": "oxfmt '!**/*.md' '!docs/**' .",
-    "fmt:check": "oxfmt --check '!**/*.md' '!docs/**' .",
+    "lint": "bunx oxlint . && bunx oxfmt --check '!**/*.md' '!docs/**' '!.changeset/pre.json' .",
+    "lint:fix": "bunx oxlint . --fix && bunx oxfmt '!**/*.md' '!docs/**' '!.changeset/pre.json' .",
+    "fmt": "bunx oxfmt '!**/*.md' '!docs/**' '!.changeset/pre.json' .",
+    "fmt:check": "bunx oxfmt --check '!**/*.md' '!docs/**' '!.changeset/pre.json' .",
     "test": "vitest run --passWithNoTests",
     "typecheck": "tsc --noEmit",
     "prepack": "bun run build",