portacode 1.4.15__py3-none-any.whl → 1.4.15.dev1__py3-none-any.whl

portacode/connection/handlers/proxmox_infra.py

@@ -5,7 +5,6 @@ from __future__ import annotations
 import asyncio
 import json
 import logging
-import math
 import os
 import secrets
 import shlex
@@ -16,7 +15,8 @@ import sys
 import tempfile
 import time
 import threading
-from datetime import datetime, timezone
+import urllib.request
+from datetime import datetime
 from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional, Sequence, Tuple
 
@@ -41,13 +41,15 @@ BRIDGE_IP = SUBNET_CIDR.split("/", 1)[0]
 DHCP_START = "10.10.0.100"
 DHCP_END = "10.10.0.200"
 DNS_SERVER = "1.1.1.1"
+CLOUDFLARE_DEB_URL = "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb"
 IFACES_PATH = Path("/etc/network/interfaces")
 SYSCTL_PATH = Path("/etc/sysctl.d/99-portacode-forward.conf")
 UNIT_DIR = Path("/etc/systemd/system")
 _MANAGED_CONTAINERS_CACHE_TTL_S = 30.0
 _MANAGED_CONTAINERS_CACHE: Dict[str, Any] = {"timestamp": 0.0, "summary": None}
 _MANAGED_CONTAINERS_CACHE_LOCK = threading.Lock()
-TEMPLATES_REFRESH_INTERVAL_S = 300
+_CLOUDFLARE_TUNNEL_PROCESSES: Dict[str, subprocess.Popen] = {}
+_CLOUDFLARE_TUNNELS_LOCK = threading.Lock()
 
 ProgressCallback = Callable[[int, int, Dict[str, Any], str, Optional[Dict[str, Any]]], None]
 
@@ -64,7 +66,6 @@ def _emit_progress_event(
     phase: str,
     request_id: Optional[str],
     details: Optional[Dict[str, Any]] = None,
-    on_behalf_of_device: Optional[str] = None,
 ) -> None:
     loop = handler.context.get("event_loop")
     if not loop or loop.is_closed():
@@ -89,8 +90,6 @@ def _emit_progress_event(
         payload["request_id"] = request_id
     if details:
         payload["details"] = details
-    if on_behalf_of_device:
-        payload["on_behalf_of_device"] = str(on_behalf_of_device)
 
     future = asyncio.run_coroutine_threadsafe(handler.send_response(payload), loop)
     future.add_done_callback(
@@ -180,64 +179,6 @@ def _list_templates(client: Any, node: str, storages: Iterable[Dict[str, Any]])
     return templates
 
 
-def _build_proxmox_client_from_config(config: Dict[str, Any]):
-    user = config.get("user")
-    token_name = config.get("token_name")
-    token_value = config.get("token_value")
-    if not user or not token_name or not token_value:
-        raise RuntimeError("Proxmox API credentials are missing")
-    ProxmoxAPI = _ensure_proxmoxer()
-    return ProxmoxAPI(
-        config.get("host", DEFAULT_HOST),
-        user=user,
-        token_name=token_name,
-        token_value=token_value,
-        verify_ssl=config.get("verify_ssl", False),
-        timeout=30,
-    )
-
-
-def _current_time_iso() -> str:
-    return datetime.now(timezone.utc).isoformat()
-
-
-def _parse_iso_timestamp(value: str) -> Optional[datetime]:
-    if not value:
-        return None
-    text = value
-    if text.endswith("Z"):
-        text = text[:-1] + "+00:00"
-    try:
-        return datetime.fromisoformat(text)
-    except ValueError:
-        return None
-
-
-def _templates_need_refresh(config: Dict[str, Any]) -> bool:
-    if not config or not config.get("token_value"):
-        return False
-    last = _parse_iso_timestamp(config.get("templates_last_refreshed") or "")
-    if not last:
-        return True
-    return (datetime.now(timezone.utc) - last).total_seconds() >= TEMPLATES_REFRESH_INTERVAL_S
-
-
-def _ensure_templates_refreshed_on_startup(config: Dict[str, Any]) -> None:
-    if not _templates_need_refresh(config):
-        return
-    try:
-        client = _build_proxmox_client_from_config(config)
-        node = config.get("node") or _pick_node(client)
-        storages = client.nodes(node).storage.get()
-        templates = _list_templates(client, node, storages)
-        if templates:
-            config["templates"] = templates
-            config["templates_last_refreshed"] = _current_time_iso()
-            _save_config(config)
-    except Exception as exc:
-        logger.warning("Unable to refresh Proxmox templates on startup: %s", exc)
-
-
 def _pick_storage(storages: Iterable[Dict[str, Any]]) -> str:
     candidates = [s for s in storages if "rootdir" in s.get("content", "") and s.get("avail", 0) > 0]
     if not candidates:
@@ -342,6 +283,25 @@ def _ensure_bridge(bridge: str = DEFAULT_BRIDGE) -> Dict[str, Any]:
     return {"applied": True, "bridge": bridge, "message": f"Bridge {bridge} configured"}
 
 
+def _ensure_cloudflared_installed() -> None:
+    if shutil.which("cloudflared"):
+        return
+    apt = shutil.which("apt-get")
+    if not apt:
+        raise RuntimeError("cloudflared is missing and apt-get is unavailable to install it")
+    download_dir = Path(tempfile.mkdtemp())
+    deb_path = download_dir / "cloudflared.deb"
+    try:
+        urllib.request.urlretrieve(CLOUDFLARE_DEB_URL, deb_path)
+        try:
+            _call_subprocess(["dpkg", "-i", str(deb_path)], check=True)
+        except subprocess.CalledProcessError:
+            _call_subprocess([apt, "install", "-f", "-y"], check=True)
+            _call_subprocess(["dpkg", "-i", str(deb_path)], check=True)
+    finally:
+        shutil.rmtree(download_dir, ignore_errors=True)
+
+
 def _verify_connectivity(timeout: float = 5.0) -> bool:
     try:
         _call_subprocess(["/bin/ping", "-c", "2", "1.1.1.1"], check=True, timeout=timeout)
@@ -418,6 +378,7 @@ def _build_managed_containers_summary(records: List[Dict[str, Any]]) -> Dict[str
                 "cpu_share": cpu_share,
                 "created_at": record.get("created_at"),
                 "status": status,
+                "tunnel": record.get("tunnel"),
             }
         )
 
@@ -496,171 +457,48 @@ def _friendly_step_label(step_name: str) -> str:
     return normalized.capitalize()
 
 
-_NETWORK_WAIT_CMD = (
-    "count=0; "
-    "while [ \"$count\" -lt 20 ]; do "
-    "  if command -v ip >/dev/null 2>&1 && ip route get 1.1.1.1 >/dev/null 2>&1; then break; fi; "
-    "  if [ -f /proc/net/route ] && grep -q '^00000000' /proc/net/route >/dev/null 2>&1; then break; fi; "
-    "  sleep 1; "
-    "  count=$((count+1)); "
-    "done"
-)
-
-_PACKAGE_MANAGER_PROFILES: Dict[str, Dict[str, Any]] = {
-    "apt": {
-        "update_cmd": "apt-get update -y",
-        "update_step_name": "apt_update",
-        "install_cmd": "apt-get install -y python3 python3-pip sudo --fix-missing",
-        "install_step_name": "install_deps",
-        "update_retries": 4,
-        "install_retries": 5,
-    },
-    "dnf": {
-        "update_cmd": "dnf check-update || true",
-        "update_step_name": "dnf_update",
-        "install_cmd": "dnf install -y python3 python3-pip sudo",
-        "install_step_name": "install_deps",
-        "update_retries": 3,
-        "install_retries": 5,
-    },
-    "yum": {
-        "update_cmd": "yum makecache",
-        "update_step_name": "yum_update",
-        "install_cmd": "yum install -y python3 python3-pip sudo",
-        "install_step_name": "install_deps",
-        "update_retries": 3,
-        "install_retries": 5,
-    },
-    "apk": {
-        "update_cmd": "apk update",
-        "update_step_name": "apk_update",
-        "install_cmd": "apk add --no-cache python3 py3-pip sudo shadow",
-        "install_step_name": "install_deps",
-        "update_retries": 3,
-        "install_retries": 5,
-    },
-    "pacman": {
-        "update_cmd": "pacman -Sy --noconfirm",
-        "update_step_name": "pacman_update",
-        "install_cmd": "pacman -S --noconfirm python python-pip sudo",
-        "install_step_name": "install_deps",
-        "update_retries": 3,
-        "install_retries": 5,
-    },
-    "zypper": {
-        "update_cmd": "zypper refresh",
-        "update_step_name": "zypper_update",
-        "install_cmd": "zypper install -y python3 python3-pip sudo",
-        "install_step_name": "install_deps",
-        "update_retries": 3,
-        "install_retries": 5,
-    },
-}
-
-_UPDATE_RETRY_ON = [
-    "Temporary failure resolving",
-    "Could not resolve",
-    "Failed to fetch",
-]
-
-_INSTALL_RETRY_ON = [
-    "lock-frontend",
-    "Unable to acquire the dpkg frontend lock",
-    "Temporary failure resolving",
-    "Could not resolve",
-    "Failed to fetch",
-]
-
-
 def _build_bootstrap_steps(
     user: str,
     password: str,
     ssh_key: str,
     include_portacode_connect: bool = True,
-    package_manager: str = "apt",
 ) -> List[Dict[str, Any]]:
-    profile = _PACKAGE_MANAGER_PROFILES.get(package_manager, _PACKAGE_MANAGER_PROFILES["apt"])
-    steps: List[Dict[str, Any]] = [
-        {"name": "wait_for_network", "cmd": _NETWORK_WAIT_CMD, "retries": 0},
-    ]
-    update_cmd = profile.get("update_cmd")
-    if update_cmd:
-        steps.append(
-            {
-                "name": profile.get("update_step_name", "package_update"),
-                "cmd": update_cmd,
-                "retries": profile.get("update_retries", 3),
-                "retry_delay_s": 5,
-                "retry_on": _UPDATE_RETRY_ON,
-            }
-        )
-    install_cmd = profile.get("install_cmd")
-    if install_cmd:
-        steps.append(
-            {
-                "name": profile.get("install_step_name", "install_deps"),
-                "cmd": install_cmd,
-                "retries": profile.get("install_retries", 5),
-                "retry_delay_s": 5,
-                "retry_on": _INSTALL_RETRY_ON,
-            }
-        )
-    steps.extend(
-        [
-            {
-                "name": "user_exists",
-                "cmd": (
-                    f"id -u {user} >/dev/null 2>&1 || "
-                    f"(if command -v adduser >/dev/null 2>&1 && adduser --disabled-password --help >/dev/null 2>&1; then "
-                    f"    adduser --disabled-password --gecos '' {user}; "
-                    "else "
-                    f"    useradd -m -s /bin/sh {user}; "
-                    "fi)"
-                ),
-                "retries": 0,
-            },
-            {
-                "name": "add_sudo",
-                "cmd": (
-                    f"if command -v usermod >/dev/null 2>&1; then "
-                    "  if ! getent group sudo >/dev/null 2>&1; then "
-                    "    if command -v groupadd >/dev/null 2>&1; then "
-                    "      groupadd sudo >/dev/null 2>&1 || true; "
-                    "    fi; "
-                    "  fi; "
-                    f"  usermod -aG sudo {user}; "
-                    "else "
-                    "  for grp in wheel sudo; do "
-                    "    if ! getent group \"$grp\" >/dev/null 2>&1 && command -v groupadd >/dev/null 2>&1; then "
-                    "      groupadd \"$grp\" >/dev/null 2>&1 || true; "
-                    "    fi; "
-                    "    addgroup \"$grp\" >/dev/null 2>&1 || true; "
-                    f"    addgroup {user} \"$grp\" >/dev/null 2>&1 || true; "
-                    "  done; "
-                    "fi"
-                ),
-                "retries": 0,
-            },
+    steps = [
         {
-            "name": "add_sudoers",
-            "cmd": (
-                f"printf '%s ALL=(ALL) NOPASSWD:ALL\\n' {shlex.quote(user)} >/etc/sudoers.d/portacode && "
-                "chmod 0440 /etc/sudoers.d/portacode"
-            ),
-            "retries": 0,
+            "name": "apt_update",
+            "cmd": "apt-get update -y",
+            "retries": 4,
+            "retry_delay_s": 5,
+            "retry_on": [
+                "Temporary failure resolving",
+                "Could not resolve",
+                "Failed to fetch",
+            ],
         },
-        ]
-    )
+        {
+            "name": "install_deps",
+            "cmd": "apt-get install -y python3 python3-pip sudo --fix-missing",
+            "retries": 5,
+            "retry_delay_s": 5,
+            "retry_on": [
+                "lock-frontend",
+                "Unable to acquire the dpkg frontend lock",
+                "Temporary failure resolving",
+                "Could not resolve",
+                "Failed to fetch",
+            ],
+        },
+        {"name": "user_exists", "cmd": f"id -u {user} >/dev/null 2>&1 || adduser --disabled-password --gecos '' {user}", "retries": 0},
+        {"name": "add_sudo", "cmd": f"usermod -aG sudo {user}", "retries": 0},
+    ]
     if password:
         steps.append({"name": "set_password", "cmd": f"echo '{user}:{password}' | chpasswd", "retries": 0})
     if ssh_key:
-        steps.append(
-            {
-                "name": "add_ssh_key",
-                "cmd": f"install -d -m 700 /home/{user}/.ssh && echo '{ssh_key}' >> /home/{user}/.ssh/authorized_keys && chown -R {user}:{user} /home/{user}/.ssh",
-                "retries": 0,
-            }
-        )
+        steps.append({
+            "name": "add_ssh_key",
+            "cmd": f"install -d -m 700 /home/{user}/.ssh && echo '{ssh_key}' >> /home/{user}/.ssh/authorized_keys && chown -R {user}:{user} /home/{user}/.ssh",
+            "retries": 0,
+        })
     steps.extend(
         [
             {"name": "pip_upgrade", "cmd": "python3 -m pip install --upgrade pip", "retries": 0},
@@ -672,45 +510,6 @@ def _build_bootstrap_steps(
     return steps
 
 
-def _guess_package_manager_from_template(template: str) -> str:
-    normalized = (template or "").lower()
-    if "alpine" in normalized:
-        return "apk"
-    if "archlinux" in normalized:
-        return "pacman"
-    if "centos-7" in normalized:
-        return "yum"
-    if any(keyword in normalized for keyword in ("centos-8", "centos-9", "centos-9-stream", "centos-8-stream")):
-        return "dnf"
-    if any(keyword in normalized for keyword in ("rockylinux", "almalinux", "fedora")):
-        return "dnf"
-    if "opensuse" in normalized or "suse" in normalized:
-        return "zypper"
-    if any(keyword in normalized for keyword in ("debian", "ubuntu", "devuan", "turnkeylinux")):
-        return "apt"
-    if normalized.startswith("system/") and "linux" in normalized:
-        return "apt"
-    return "apt"
-
-
-def _detect_package_manager(vmid: int) -> str:
-    candidates = [
-        ("apt", "apt-get"),
-        ("dnf", "dnf"),
-        ("yum", "yum"),
-        ("apk", "apk"),
-        ("pacman", "pacman"),
-        ("zypper", "zypper"),
-    ]
-    for name, binary in candidates:
-        res = _run_pct(vmid, f"command -v {binary} >/dev/null 2>&1")
-        if res.get("returncode") == 0:
-            logger.debug("Detected package manager %s inside container %s", name, vmid)
-            return name
-    logger.warning("Unable to detect package manager inside container %s; defaulting to apt", vmid)
-    return "apt"
-
-
 def _get_storage_type(storages: Iterable[Dict[str, Any]], storage_name: str) -> str:
     for entry in storages:
         if entry.get("storage") == storage_name:
@@ -817,6 +616,88 @@ def _remove_container_record(vmid: int) -> None:
         _invalidate_managed_containers_cache()
 
 
+def _update_container_tunnel(vmid: int, tunnel: Optional[Dict[str, Any]]) -> None:
+    record = _read_container_record(vmid)
+    if tunnel:
+        record["tunnel"] = tunnel
+    else:
+        record.pop("tunnel", None)
+    _write_container_record(vmid, record)
+
+
+def _ensure_cloudflare_token(config: Dict[str, Any]) -> str:
+    cloudflare = config.get("cloudflare") or {}
+    token = cloudflare.get("api_token")
+    if not token:
+        raise RuntimeError("Cloudflare API token is not configured.")
+    return token
+
+
+def _launch_container_tunnel(proxmox: Any, node: str, vmid: int, tunnel: Dict[str, Any]) -> Dict[str, Any]:
+    port = int(tunnel.get("container_port") or 0)
+    if not port:
+        raise ValueError("container_port is required to create a tunnel.")
+    hostname = tunnel.get("url")
+    if not hostname:
+        raise ValueError("cloudflare_url is required to expose the tunnel.")
+    protocol = (tunnel.get("protocol") or "http").lower()
+    ip_address = _resolve_container_ip(proxmox, node, vmid)
+    target_url = f"{protocol}://{ip_address}:{port}"
+    name = tunnel.get("name") or _build_tunnel_name(vmid, port)
+    _stop_cloudflare_process(name)
+    proc = _start_cloudflare_process(name, hostname, target_url)
+    updated = {
+        "name": name,
+        "container_port": port,
+        "url": hostname,
+        "protocol": protocol,
+        "status": "running",
+        "pid": proc.pid,
+        "target_ip": ip_address,
+        "target_url": target_url,
+        "last_updated": datetime.utcnow().isoformat() + "Z",
+    }
+    _update_container_tunnel(vmid, updated)
+    return updated
+
+
+def _stop_container_tunnel(vmid: int) -> None:
+    try:
+        record = _read_container_record(vmid)
+    except FileNotFoundError:
+        return
+    tunnel = record.get("tunnel")
+    if not tunnel:
+        return
+    name = tunnel.get("name") or _build_tunnel_name(vmid, int(tunnel.get("container_port") or 0))
+    stopped = _stop_cloudflare_process(name)
+    if stopped or tunnel.get("status") != "stopped":
+        tunnel_update = {
+            **tunnel,
+            "status": "stopped",
+            "pid": None,
+            "last_updated": datetime.utcnow().isoformat() + "Z",
+        }
+    _update_container_tunnel(vmid, tunnel_update)
+
+
+def _remove_container_tunnel_state(vmid: int) -> None:
+    _stop_container_tunnel(vmid)
+    _update_container_tunnel(vmid, None)
+
+
+def _ensure_container_tunnel_running(proxmox: Any, node: str, vmid: int) -> None:
+    try:
+        record = _read_container_record(vmid)
+    except FileNotFoundError:
+        return
+    tunnel = record.get("tunnel")
+    if not tunnel:
+        return
+    _ensure_cloudflare_token(_load_config())
+    _launch_container_tunnel(proxmox, node, vmid, tunnel)
+
+
 def _build_container_payload(message: Dict[str, Any], config: Dict[str, Any]) -> Dict[str, Any]:
     templates = config.get("templates") or []
     default_template = templates[0] if templates else ""
@@ -898,8 +779,7 @@ def _connect_proxmox(config: Dict[str, Any]) -> Any:
 
 
 def _run_pct(vmid: int, cmd: str, input_text: Optional[str] = None) -> Dict[str, Any]:
-    shell = "/bin/sh"
-    full = ["pct", "exec", str(vmid), "--", shell, "-c", cmd]
+    full = ["pct", "exec", str(vmid), "--", "bash", "-lc", cmd]
     start = time.time()
     proc = subprocess.run(full, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, input=input_text)
     return {
@@ -911,10 +791,6 @@ def _run_pct(vmid: int, cmd: str, input_text: Optional[str] = None) -> Dict[str,
     }
 
 
-def _su_command(user: str, command: str) -> str:
-    return f"su - {user} -s /bin/sh -c {shlex.quote(command)}"
-
-
 def _run_pct_check(vmid: int, cmd: str) -> Dict[str, Any]:
     res = _run_pct(vmid, cmd)
     if res["returncode"] != 0:
@@ -937,6 +813,74 @@ def _run_pct_push(vmid: int, src: str, dest: str) -> subprocess.CompletedProcess
     return _call_subprocess(["pct", "push", str(vmid), src, dest])
 
 
+def _build_tunnel_name(vmid: int, port: int) -> str:
+    return f"portacode-ct{vmid}-{port}"
+
+
+def _get_cloudflared_binary() -> str:
+    binary = shutil.which("cloudflared")
+    if not binary:
+        raise RuntimeError(
+            "cloudflared is required for Cloudflare tunnels but was not found on PATH. "
+            "Install cloudflared and run 'cloudflared tunnel login' before creating tunnels."
+        )
+    return binary
+
+
+def _start_cloudflare_process(name: str, hostname: str, target_url: str) -> subprocess.Popen:
+    binary = _get_cloudflared_binary()
+    cmd = [
+        binary,
+        "tunnel",
+        "--hostname",
+        hostname,
+        "--url",
+        target_url,
+        "--no-autoupdate",
+    ]
+    proc = subprocess.Popen(
+        cmd,
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL,
+    )
+    with _CLOUDFLARE_TUNNELS_LOCK:
+        _CLOUDFLARE_TUNNEL_PROCESSES[name] = proc
+    return proc
+
+
+def _stop_cloudflare_process(name: str) -> bool:
+    with _CLOUDFLARE_TUNNELS_LOCK:
+        proc = _CLOUDFLARE_TUNNEL_PROCESSES.pop(name, None)
+    if not proc:
+        return False
+    try:
+        proc.terminate()
+        proc.wait(timeout=5)
+    except subprocess.TimeoutExpired:
+        proc.kill()
+        proc.wait()
+    return True
+
+
+def _resolve_container_ip(proxmox: Any, node: str, vmid: int) -> str:
+    status = proxmox.nodes(node).lxc(vmid).status.current.get()
+    if status:
+        ip_field = status.get("ip")
+        if isinstance(ip_field, list):
+            for entry in ip_field:
+                if isinstance(entry, str) and "." in entry:
+                    return entry.split("/")[0]
+        elif isinstance(ip_field, str) and "." in ip_field:
+            return ip_field.split("/")[0]
+    res = _run_pct_exec(vmid, ["ip", "-4", "-o", "addr", "show", "eth0"])
+    line = res.stdout.splitlines()[0] if res.stdout else ""
+    parts = line.split()
+    if len(parts) >= 4:
+        addr = parts[3]
+        return addr.split("/")[0]
+    raise RuntimeError("Unable to determine container IP address")
+
+
 def _push_bytes_to_container(
     vmid: int, user: str, path: str, data: bytes, mode: int = 0o600
 ) -> None:
@@ -974,7 +918,7 @@ def _push_bytes_to_container(
 
 
 def _resolve_portacode_key_dir(vmid: int, user: str) -> str:
-    data_dir_cmd = _su_command(user, "echo -n ${XDG_DATA_HOME:-$HOME/.local/share}")
+    data_dir_cmd = f"su - {user} -c 'echo -n ${{XDG_DATA_HOME:-$HOME/.local/share}}'"
     data_home = _run_pct_check(vmid, data_dir_cmd)["stdout"].strip()
     portacode_dir = f"{data_home}/portacode"
     _run_pct_exec_check(vmid, ["mkdir", "-p", portacode_dir])
@@ -991,19 +935,18 @@ def _deploy_device_keypair(vmid: int, user: str, private_key: str, public_key: s
 
 
 def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -> Dict[str, Any]:
-    su_connect_cmd = _su_command(user, "portacode connect")
-    cmd = ["pct", "exec", str(vmid), "--", "/bin/sh", "-c", su_connect_cmd]
+    cmd = ["pct", "exec", str(vmid), "--", "bash", "-lc", f"su - {user} -c 'portacode connect'"]
     proc = subprocess.Popen(cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     start = time.time()
 
-    data_dir_cmd = _su_command(user, "echo -n ${XDG_DATA_HOME:-$HOME/.local/share}")
+    data_dir_cmd = f"su - {user} -c 'echo -n ${{XDG_DATA_HOME:-$HOME/.local/share}}'"
     data_dir = _run_pct_check(vmid, data_dir_cmd)["stdout"].strip()
     key_dir = f"{data_dir}/portacode/keys"
     pub_path = f"{key_dir}/id_portacode.pub"
     priv_path = f"{key_dir}/id_portacode"
 
     def file_size(path: str) -> Optional[int]:
-        stat_cmd = _su_command(user, f"test -s {path} && stat -c %s {path}")
+        stat_cmd = f"su - {user} -c 'test -s {path} && stat -c %s {path}'"
         res = _run_pct(vmid, stat_cmd)
         if res["returncode"] != 0:
             return None
@@ -1061,7 +1004,7 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
     final_pub = file_size(pub_path)
     final_priv = file_size(priv_path)
     if final_pub and final_priv:
-        key_res = _run_pct(vmid, _su_command(user, f"cat {pub_path}"))
+        key_res = _run_pct(vmid, f"su - {user} -c 'cat {pub_path}'")
         if not process_exited:
             proc.terminate()
             try:
@@ -1101,7 +1044,7 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
     except subprocess.TimeoutExpired:
         proc.kill()
 
-    key_res = _run_pct(vmid, _su_command(user, f"cat {pub_path}"))
+    key_res = _run_pct(vmid, f"su - {user} -c 'cat {pub_path}'")
     return {
         "ok": True,
         "public_key": key_res["stdout"].strip(),
@@ -1194,16 +1137,7 @@ def _bootstrap_portacode(
     total_steps: Optional[int] = None,
     default_public_key: Optional[str] = None,
 ) -> Tuple[str, List[Dict[str, Any]]]:
-    if steps is not None:
-        actual_steps = steps
-    else:
-        detected_manager = _detect_package_manager(vmid)
-        actual_steps = _build_bootstrap_steps(
-            user,
-            password,
-            ssh_key,
-            package_manager=detected_manager,
-        )
+    actual_steps = steps if steps is not None else _build_bootstrap_steps(user, password, ssh_key)
     results, ok = _run_setup_steps(
         vmid,
         actual_steps,
@@ -1227,15 +1161,6 @@ def _bootstrap_portacode(
             else:
                 command_text = str(command)
         command_suffix = f" command={command_text}" if command_text else ""
-        stdout = details.get("stdout")
-        stderr = details.get("stderr")
-        if stdout or stderr:
-            logger.debug(
-                "Bootstrap command output%s%s%s",
-                f" stdout={stdout!r}" if stdout else "",
-                " " if stdout and stderr else "",
-                f"stderr={stderr!r}" if stderr else "",
-            )
         if summary:
             logger.warning(
                 "Portacode bootstrap failure summary=%s%s%s",
@@ -1243,15 +1168,10 @@ def _bootstrap_portacode(
                 f" history_len={len(history)}" if history else "",
                 f" command={command_text}" if command_text else "",
             )
-        logger.error(
-            "Portacode bootstrap command failed%s%s%s",
-            f" command={command_text}" if command_text else "",
-            f" stdout={stdout!r}" if stdout else "",
-            f" stderr={stderr!r}" if stderr else "",
-        )
-        raise RuntimeError(
-            f"Portacode bootstrap steps failed: {summary}{history_snippet}{command_suffix}"
-        )
+            raise RuntimeError(
+                f"Portacode bootstrap steps failed: {summary}{history_snippet}{command_suffix}"
+            )
+        raise RuntimeError("Portacode bootstrap steps failed.")
     key_step = next((entry for entry in results if entry.get("name") == "portacode_connect"), None)
     public_key = key_step.get("public_key") if key_step else default_public_key
     if not public_key:
@@ -1259,6 +1179,12 @@ def _bootstrap_portacode(
     return public_key, results
 
 
+def _build_cloudflare_snapshot(cloudflare_config: Dict[str, Any] | None) -> Dict[str, Any]:
+    if not cloudflare_config:
+        return {"configured": False}
+    return {"configured": bool(cloudflare_config.get("api_token"))}
+
+
 def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
     network = config.get("network", {})
     base_network = {
@@ -1266,9 +1192,13 @@ def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
         "message": network.get("message"),
         "bridge": network.get("bridge", DEFAULT_BRIDGE),
     }
+    cloudflare_snapshot = _build_cloudflare_snapshot(config.get("cloudflare"))
     if not config:
-        return {"configured": False, "network": base_network}
-    _ensure_templates_refreshed_on_startup(config)
+        return {
+            "configured": False,
+            "network": base_network,
+            "cloudflare": cloudflare_snapshot,
+        }
     return {
         "configured": True,
         "host": config.get("host"),
@@ -1279,18 +1209,54 @@ def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
         "templates": config.get("templates") or [],
         "last_verified": config.get("last_verified"),
         "network": base_network,
+        "cloudflare": cloudflare_snapshot,
     }
 
 
-def configure_infrastructure(token_identifier: str, token_value: str, verify_ssl: bool = False) -> Dict[str, Any]:
+def _resolve_proxmox_credentials(
+    token_identifier: Optional[str],
+    token_value: Optional[str],
+    existing: Dict[str, Any],
+) -> Tuple[str, str, str]:
+    if token_identifier:
+        if not token_value:
+            raise ValueError("token_value is required when providing a new token_identifier")
+        user, token_name = _parse_token(token_identifier)
+        return user, token_name, token_value
+    if existing and existing.get("user") and existing.get("token_name") and existing.get("token_value"):
+        return existing["user"], existing["token_name"], existing["token_value"]
+    raise ValueError("Proxmox token identifier and value are required when no existing configuration is available")
+
+
+def _build_cloudflare_config(existing: Dict[str, Any], api_token: Optional[str]) -> Dict[str, Any]:
+    cloudflare: Dict[str, Any] = dict(existing.get("cloudflare", {}) or {})
+    if api_token:
+        cloudflare["api_token"] = api_token
+    if cloudflare.get("api_token"):
+        cloudflare["configured"] = True
+    elif "configured" in cloudflare:
+        cloudflare.pop("configured", None)
+    return cloudflare
+
+
+def configure_infrastructure(
+    token_identifier: Optional[str] = None,
+    token_value: Optional[str] = None,
+    verify_ssl: Optional[bool] = None,
+    cloudflare_api_token: Optional[str] = None,
+) -> Dict[str, Any]:
     ProxmoxAPI = _ensure_proxmoxer()
-    user, token_name = _parse_token(token_identifier)
+    existing = _load_config()
+    user, token_name, resolved_token_value = _resolve_proxmox_credentials(
+        token_identifier, token_value, existing
+    )
+    actual_verify_ssl = verify_ssl if verify_ssl is not None else existing.get("verify_ssl", False)
     client = ProxmoxAPI(
         DEFAULT_HOST,
         user=user,
         token_name=token_name,
-        token_value=token_value,
-        verify_ssl=verify_ssl,
+        token_value=resolved_token_value,
+        verify_ssl=actual_verify_ssl,
         timeout=30,
     )
     node = _pick_node(client)
@@ -1298,32 +1264,36 @@ def configure_infrastructure(token_identifier: str, token_value: str, verify_ssl
     storages = client.nodes(node).storage.get()
     default_storage = _pick_storage(storages)
     templates = _list_templates(client, node, storages)
-    network: Dict[str, Any] = {}
-    try:
-        network = _ensure_bridge()
-        # Wait for network convergence before validating connectivity
-        time.sleep(2)
-        if not _verify_connectivity():
-            raise RuntimeError("Connectivity check failed; bridge reverted")
-        network["health"] = "healthy"
-    except Exception as exc:
-        logger.warning("Bridge setup failed; reverting previous changes: %s", exc)
-        _revert_bridge()
-        raise
+    network = dict(existing.get("network", {}) or {})
+    _ensure_cloudflared_installed()
+    if not network.get("applied"):
+        try:
+            network = _ensure_bridge()
+            # Wait for network convergence before validating connectivity
+            time.sleep(2)
+            if not _verify_connectivity():
+                raise RuntimeError("Connectivity check failed; bridge reverted")
+            network["health"] = "healthy"
+        except Exception as exc:
+            logger.warning("Bridge setup failed; reverting previous changes: %s", exc)
+            _revert_bridge()
+            raise
     config = {
         "host": DEFAULT_HOST,
         "node": node,
         "user": user,
         "token_name": token_name,
-        "token_value": token_value,
-        "verify_ssl": verify_ssl,
+        "token_value": resolved_token_value,
+        "verify_ssl": actual_verify_ssl,
         "default_storage": default_storage,
-        "last_verified": datetime.utcnow().isoformat() + "Z",
         "templates": templates,
-        "templates_last_refreshed": _current_time_iso(),
+        "last_verified": datetime.utcnow().isoformat() + "Z",
         "network": network,
         "node_status": status,
     }
+    cloudflare = _build_cloudflare_config(existing, cloudflare_api_token)
+    if cloudflare:
+        config["cloudflare"] = cloudflare
     _save_config(config)
     snapshot = build_snapshot(config)
     snapshot["node_status"] = status
@@ -1374,7 +1344,7 @@ def _instantiate_container(proxmox: Any, node: str, payload: Dict[str, Any]) ->
             memory=int(payload["ram_mib"]),
             swap=int(payload.get("swap_mb", 0)),
             cores=max(int(payload.get("cores", 1)), 1),
-            cpulimit=float(payload.get("cpulimit", payload.get("cpus", 1))),
+            cpuunits=int(payload.get("cpuunits", 256)),
             net0=payload["net0"],
             unprivileged=int(payload.get("unprivileged", 1)),
             description=payload.get("description", MANAGED_MARKER),
@@ -1382,13 +1352,6 @@ def _instantiate_container(proxmox: Any, node: str, payload: Dict[str, Any]) ->
             ssh_public_keys=payload.get("ssh_public_key") or None,
         )
         status, elapsed = _wait_for_task(proxmox, node, upid)
-        exitstatus = (status or {}).get("exitstatus")
-        if exitstatus and exitstatus.upper() != "OK":
-            msg = status.get("status") or "unknown error"
-            details = status.get("error") or status.get("errmsg") or status.get("description") or status
-            raise RuntimeError(
-                f"Container creation task failed ({exitstatus}): {msg} details={details}"
-            )
         return vmid, elapsed
     except ResourceException as exc:
         raise RuntimeError(f"Failed to create container: {exc}") from exc
@@ -1404,24 +1367,16 @@ class CreateProxmoxContainerHandler(SyncHandler):
     def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
         logger.info("create_proxmox_container command received")
         request_id = message.get("request_id")
-        raw_device_id = message.get("device_id")
-        device_id = str(raw_device_id or "").strip()
-        if not device_id:
-            raise ValueError("device_id is required to create a container")
+        device_id = message.get("device_id")
         device_public_key = (message.get("device_public_key") or "").strip()
         device_private_key = (message.get("device_private_key") or "").strip()
         has_device_keypair = bool(device_public_key and device_private_key)
-        config_guess = _load_config()
-        template_candidates = config_guess.get("templates") or []
-        template_hint = (message.get("template") or (template_candidates[0] if template_candidates else "")).strip()
-        package_manager = _guess_package_manager_from_template(template_hint)
         bootstrap_user, bootstrap_password, bootstrap_ssh_key = _get_provisioning_user_info(message)
         bootstrap_steps = _build_bootstrap_steps(
             bootstrap_user,
             bootstrap_password,
             bootstrap_ssh_key,
             include_portacode_connect=not has_device_keypair,
-            package_manager=package_manager,
         )
         total_steps = 3 + len(bootstrap_steps) + 2
         current_step_index = 1
@@ -1444,7 +1399,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message=start_message,
                 phase="lifecycle",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
             try:
                 result = action()
@@ -1460,7 +1414,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                     phase="lifecycle",
                     request_id=request_id,
                     details={"error": str(exc)},
-                    on_behalf_of_device=device_id,
                 )
                 raise
             _emit_progress_event(
@@ -1473,7 +1426,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message=success_message,
                 phase="lifecycle",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
             current_step_index += 1
             return result
@@ -1500,8 +1452,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
             proxmox = _connect_proxmox(config)
             node = config.get("node") or DEFAULT_NODE_NAME
             payload = _build_container_payload(message, config)
-            payload["cpulimit"] = float(payload["cpus"])
-            payload["cores"] = int(max(math.ceil(payload["cpus"]), 1))
+            payload["cpuunits"] = max(int(payload["cpus"] * 1024), 10)
             payload["memory"] = int(payload["ram_mib"])
             payload["node"] = node
             logger.debug(
@@ -1516,7 +1467,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
             payload["vmid"] = vmid
             payload["created_at"] = datetime.utcnow().isoformat() + "Z"
             payload["status"] = "creating"
-            payload["device_id"] = device_id
             _write_container_record(vmid, payload)
             return proxmox, node, vmid, payload
 
@@ -1577,7 +1527,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 phase="bootstrap",
                 request_id=request_id,
                 details=details or None,
-                on_behalf_of_device=device_id,
             )
 
         public_key, steps = _bootstrap_portacode(
@@ -1621,7 +1570,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message="Notifying the server of the new device…",
                 phase="service",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
             _emit_progress_event(
                 self,
@@ -1633,7 +1581,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message="Authentication metadata recorded.",
                 phase="service",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
 
             install_step = service_start_index + 1
@@ -1648,10 +1595,9 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message="Running sudo portacode service install…",
                 phase="service",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
 
-            cmd = _su_command(payload["username"], "sudo -S portacode service install")
+            cmd = f"su - {payload['username']} -c 'sudo -S portacode service install'"
             res = _run_pct(vmid, cmd, input_text=payload["password"] + "\n")
 
             if res["returncode"] != 0:
@@ -1669,7 +1615,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                         "stderr": res.get("stderr"),
                         "stdout": res.get("stdout"),
                     },
-                    on_behalf_of_device=device_id,
                 )
                 raise RuntimeError(res.get("stderr") or res.get("stdout") or "Service install failed")
 
@@ -1683,7 +1628,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message="Portacode service install finished.",
                 phase="service",
                 request_id=request_id,
-                on_behalf_of_device=device_id,
             )
 
             logger.info("create_proxmox_container: portacode service install completed inside ct %s", vmid)
@@ -1707,7 +1651,6 @@ class CreateProxmoxContainerHandler(SyncHandler):
             },
             "setup_steps": steps,
             "device_id": device_id,
-            "on_behalf_of_device": device_id,
             "service_installed": service_installed,
         }
 
@@ -1733,9 +1676,6 @@ class StartPortacodeServiceHandler(SyncHandler):
         password = record.get("password")
         if not user or not password:
             raise RuntimeError("Container credentials unavailable")
-        on_behalf_of_device = record.get("device_id")
-        if on_behalf_of_device:
-            on_behalf_of_device = str(on_behalf_of_device)
 
         start_index = int(message.get("step_index", 1))
         total_steps = int(message.get("total_steps", start_index + 2))
@@ -1753,7 +1693,6 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Notifying the server of the new device…",
             phase="service",
             request_id=request_id,
-            on_behalf_of_device=on_behalf_of_device,
         )
         _emit_progress_event(
             self,
@@ -1765,7 +1704,6 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Authentication metadata recorded.",
             phase="service",
             request_id=request_id,
-            on_behalf_of_device=on_behalf_of_device,
         )
 
         install_step = start_index + 1
@@ -1780,10 +1718,9 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Running sudo portacode service install…",
             phase="service",
             request_id=request_id,
-            on_behalf_of_device=on_behalf_of_device,
         )
 
-        cmd = _su_command(user, "sudo -S portacode service install")
+        cmd = f"su - {user} -c 'sudo -S portacode service install'"
         res = _run_pct(vmid, cmd, input_text=password + "\n")
 
         if res["returncode"] != 0:
@@ -1801,7 +1738,6 @@ class StartPortacodeServiceHandler(SyncHandler):
                     "stderr": res.get("stderr"),
                     "stdout": res.get("stdout"),
                 },
-                on_behalf_of_device=on_behalf_of_device,
             )
             raise RuntimeError(res.get("stderr") or res.get("stdout") or "Service install failed")
 
@@ -1815,7 +1751,6 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Portacode service install finished.",
             phase="service",
             request_id=request_id,
-            on_behalf_of_device=on_behalf_of_device,
         )
 
         return {
@@ -1842,6 +1777,10 @@ class StartProxmoxContainerHandler(SyncHandler):
 
         status, elapsed = _start_container(proxmox, node, vmid)
         _update_container_record(vmid, {"status": "running"})
+        try:
+            _ensure_container_tunnel_running(proxmox, node, vmid)
+        except Exception as exc:
+            raise RuntimeError(f"Failed to start Cloudflare tunnel for container {vmid}: {exc}") from exc
 
         infra = get_infra_snapshot()
         return {
@@ -1871,6 +1810,7 @@ class StopProxmoxContainerHandler(SyncHandler):
         _ensure_container_managed(proxmox, node, vmid)
 
         status, elapsed = _stop_container(proxmox, node, vmid)
+        _stop_container_tunnel(vmid)
         final_status = status.get("status") or "stopped"
         _update_container_record(vmid, {"status": final_status})
 
@@ -1906,8 +1846,13 @@ class RemoveProxmoxContainerHandler(SyncHandler):
         node = _get_node_from_config(config)
         _ensure_container_managed(proxmox, node, vmid)
 
+        _stop_container_tunnel(vmid)
         stop_status, stop_elapsed = _stop_container(proxmox, node, vmid)
         delete_status, delete_elapsed = _delete_container(proxmox, node, vmid)
+        try:
+            _update_container_tunnel(vmid, None)
+        except FileNotFoundError:
+            pass
         _remove_container_record(vmid)
 
         infra = get_infra_snapshot()
@@ -1926,6 +1871,107 @@ class RemoveProxmoxContainerHandler(SyncHandler):
         }
 
 
+class CreateCloudflareTunnelHandler(SyncHandler):
+    """Create a Cloudflare tunnel for a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "create_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        container_port = int(message.get("container_port") or 0)
+        if container_port <= 0:
+            raise ValueError("container_port is required and must be greater than zero.")
+        hostname = (message.get("cloudflare_url") or message.get("hostname") or "").strip()
+        if not hostname:
+            raise ValueError("cloudflare_url is required.")
+        protocol = (message.get("protocol") or "http").strip().lower()
+        if protocol not in {"http", "https", "tcp"}:
+            raise ValueError("protocol must be one of http, https, or tcp.")
+        config = _ensure_infra_configured()
+        _ensure_cloudflare_token(config)
+        proxmox = _connect_proxmox(config)
+        node = _get_node_from_config(config)
+        _ensure_container_managed(proxmox, node, vmid)
+        status = proxmox.nodes(node).lxc(vmid).status.current.get().get("status")
+        if status != "running":
+            raise RuntimeError("Container must be running to create a tunnel.")
+        tunnel = {
+            "container_port": container_port,
+            "url": hostname,
+            "protocol": protocol,
+        }
+        created = _launch_container_tunnel(proxmox, node, vmid, tunnel)
+        return {
+            "event": "cloudflare_tunnel_created",
+            "ctid": str(vmid),
+            "success": True,
+            "message": f"Created Cloudflare tunnel for container {vmid}.",
+            "tunnel": created,
+        }
+
+
+class UpdateCloudflareTunnelHandler(SyncHandler):
+    """Update an existing Cloudflare tunnel for a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "update_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        config = _ensure_infra_configured()
+        _ensure_cloudflare_token(config)
+        proxmox = _connect_proxmox(config)
+        node = _get_node_from_config(config)
+        _ensure_container_managed(proxmox, node, vmid)
+        record = _read_container_record(vmid)
+        tunnel = record.get("tunnel")
+        if not tunnel:
+            raise RuntimeError("No Cloudflare tunnel configured for this container.")
+        container_port = int(message.get("container_port") or tunnel.get("container_port") or 0)
+        if container_port <= 0:
+            raise ValueError("container_port must be greater than zero.")
+        hostname = (message.get("cloudflare_url") or tunnel.get("url") or "").strip()
+        if not hostname:
+            raise ValueError("cloudflare_url is required.")
+        protocol = (message.get("protocol") or tunnel.get("protocol") or "http").strip().lower()
+        if protocol not in {"http", "https", "tcp"}:
+            raise ValueError("protocol must be one of http, https, or tcp.")
+        updated_tunnel = {
+            "container_port": container_port,
+            "url": hostname,
+            "protocol": protocol,
+        }
+        result = _launch_container_tunnel(proxmox, node, vmid, updated_tunnel)
+        return {
+            "event": "cloudflare_tunnel_updated",
+            "ctid": str(vmid),
+            "success": True,
+            "message": f"Updated Cloudflare tunnel for container {vmid}.",
+            "tunnel": result,
+        }
+
+
+class RemoveCloudflareTunnelHandler(SyncHandler):
+    """Remove any Cloudflare tunnel associated with a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "remove_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        _remove_container_tunnel_state(vmid)
+        return {
+            "event": "cloudflare_tunnel_removed",
+            "ctid": str(vmid),
+            "success": True,
+            "message": f"Removed Cloudflare tunnel state for container {vmid}.",
+        }
+
+
 class ConfigureProxmoxInfraHandler(SyncHandler):
     @property
     def command_name(self) -> str:
@@ -1934,10 +1980,13 @@ class ConfigureProxmoxInfraHandler(SyncHandler):
     def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
         token_identifier = message.get("token_identifier")
         token_value = message.get("token_value")
-        verify_ssl = bool(message.get("verify_ssl"))
-        if not token_identifier or not token_value:
-            raise ValueError("token_identifier and token_value are required")
-        snapshot = configure_infrastructure(token_identifier, token_value, verify_ssl=verify_ssl)
+        verify_ssl = message.get("verify_ssl")
+        snapshot = configure_infrastructure(
+            token_identifier=token_identifier,
+            token_value=token_value,
+            verify_ssl=verify_ssl,
+            cloudflare_api_token=message.get("cloudflare_api_token"),
+        )
         return {
             "event": "proxmox_infra_configured",
             "success": True,