refactor: SKILL audit + os-image cocoon-agent/sshd unification #32
Merged
- version: drop unused NAME constant (no callers, no Makefile ldflag)
- storage/json: load() now uses utils.ReadJSONFile (~6 lines saved)
- network/bridge: New on non-Linux returns errUnsupported instead of re-formatting
- progress/{oci,cloudimg}: declare Phase type before its iota const block
- hypervisor/utils, hypervisor/cloudhypervisor/helper: same type-before-const fix
- cmd/images/handler: same type-before-const fix
- images/oci/commit: flatten else-after-return to match the loop above
- utils/stream: godoc on NewPipeStreamReader to match siblings
CH had the literal in two places (helper.go runtimeFiles slice and config.go PIDFileName method). FC already centralizes via pidFileName.
- Ubuntu 22.04 / 24.04 / chrome / xface / picoclaw: install openssh-server, pull cocoon-agent v0.1.0 from upstream releases (multi-arch), drop the systemd unit, enable both ssh + cocoon-agent.service. The download + unit + enable boilerplate is centralized in os-image/ubuntu/install-agent.sh (auto-discovered as build secret cocoon_install_agent), so any future agent-version bump is a one-line change.
- Android 14.0 / 15.0: stage cocoon-agent binary into /system/bin/ and install /system/etc/init/cocoon-agent.rc (auto-start on Android init `on boot`). Android stays adb-only for human shell access; no sshd.
- Drop LABEL cocoon.ssh.username/password from picoclaw — credentials are now uniformly root:cocoon across all images and documented in os-image/README.md and KNOWN_ISSUES.md.
- Add vsock + vmw_vsock_virtio_transport to initramfs modules list across every image so the kernel has the transport ready when cocoon-agent binds AF_VSOCK at boot, regardless of the host's hot-load behavior.

KNOWN_ISSUES.md gains two entries: default credentials are dev-only and the Android cocoon-agent service may hit SELinux on stricter redroid builds.

README.md / os-image/README.md updated to reflect the unified agent + sshd story.

Note: removing the LABEL is a breaking change for any external tooling that scraped `cocoon.ssh.username` / `cocoon.ssh.password` (e.g. glance). Such tooling needs to switch to fixed `root:cocoon` (image default) or read whatever credential store you wire up in your fork.
Summary
Three logically separate but related commits on one branch:

735362e SKILL audit — 10 file-level cleanups surfaced by a top-to-bottom personal walk-through (no agent delegation):
- `version.NAME` (no Makefile/ldflag callers)
- `storage/json/Store.load()` → `utils.ReadJSONFile` (saves ~6 lines)
- `network/bridge/bridge_other.go::New` returns the existing `errUnsupported` instead of re-formatting
- `progress/oci`, `progress/cloudimg`, `hypervisor/utils`, `hypervisor/cloudhypervisor/helper`, `cmd/images/handler`
- `images/oci/commit.go` flattens else-after-return to match the loop above it
- `utils/stream.go::NewPipeStreamReader` gains a godoc to match its siblings

90bdf84 ch.pid dedup — cloudhypervisor had `"ch.pid"` literal in two places; FC already centralizes via `pidFileName`. CH now mirrors the FC pattern.

1139984 os-image unification — every Ubuntu and Android Dockerfile now bakes:
- `/system/etc/init/cocoon-agent.rc` on Android). Pull URL is multi-arch on Ubuntu, x86_64-only on Android (Android image is amd64-only per `os-image/android/platforms`).
- `PermitRootLogin yes`, default `root:cocoon` for dev convenience.
- `LABEL cocoon.ssh.username/password` from `24.04-picoclaw` (the only image that had it).
- `vsock` and `vmw_vsock_virtio_transport` to every image's `initramfs-tools/modules` so the kernel has the transport ready when cocoon-agent binds AF_VSOCK.

The Ubuntu side factors the install + sshd-config + systemd-unit boilerplate into one shared `os-image/ubuntu/install-agent.sh`, auto-discovered as build secret `cocoon_install_agent` by the existing workflow rules. Android keeps a small inline curl + `agent.rc` because its init system is different.

Compatibility
- `go test ./...` and `make lint` (linux+darwin) clean.
- `cocoon.ssh.username` / `cocoon.ssh.password` (e.g. glance-style integrations). Such callers should switch to the documented default `root:cocoon` or read whatever credential store you wire into your fork.
- `PermitRootLogin yes` is dev-only; `KNOWN_ISSUES.md` flags this and the Android SELinux concern.

Test plan
- `build-os-images` matrix builds all 7 Dockerfiles (amd64+arm64 where applicable)
- `ubuntu:24.04` image: `cocoon vm run` → `cocoon vm exec <vm> -- uname -n` returns hostname
- `ssh root@<vm-ip>` with `cocoon`
- `android:14.0` image: confirm cocoon-agent shows up in logcat (and check `avc:` lines if it doesn't bind)
- `cocoon vm clone` / `cocoon snapshot save` / restore on a built ubuntu image
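The PR flags two image-level facts that are easy to lose track of once several Dockerfiles share one install script: `PermitRootLogin yes` with the `root:cocoon` default is dev-only, and every image's `initramfs-tools/modules` must carry `vsock` and `vmw_vsock_virtio_transport` or cocoon-agent's AF_VSOCK bind can fail at boot. The following Go program is an added example, not code from this PR or the cocoon project, showing how a release gate could audit a built image's sshd_config and modules file for both points. The sample config and modules text are constructed; `EffectiveOption`, `MissingModules` and `AuditImage` are hypothetical names; the `PasswordAuthentication` check is an assumption inferred from the test plan logging in with the password over ssh. The config parser applies sshd's first-match rule for duplicate keywords but does not follow `Include` lines.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of an sshd_config as a dev image build might leave it.
// sshd uses the FIRST value it sees for a keyword, so the later
// "prohibit-password" line below is ignored by the daemon.
const sampleSSHDConfig = `# constructed sample, not the project's real config
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate is ignored by sshd
PermitRootLogin prohibit-password
`

// Constructed sample initramfs-tools/modules file that is missing the
// virtio vsock transport.
const sampleModules = `# constructed sample
virtio_blk
vsock
`

// requiredVsockModules lists the modules the PR adds to every image.
var requiredVsockModules = []string{"vsock", "vmw_vsock_virtio_transport"}

// EffectiveOption returns the value sshd would use for keyword: first
// occurrence wins, keywords are case-insensitive, comments and blank lines
// are skipped. It returns "" when the keyword is not set explicitly.
// Assumption: Include directives are not resolved here.
func EffectiveOption(config, keyword string) string {
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		if strings.EqualFold(fields[0], keyword) {
			return fields[1]
		}
	}
	return ""
}

// MissingModules returns the required modules that an initramfs-tools/modules
// file does not list (one module per line, optional args after the name).
func MissingModules(modules string, required []string) []string {
	present := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(modules))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		present[fields[0]] = true
	}
	var missing []string
	for _, m := range required {
		if !present[m] {
			missing = append(missing, m)
		}
	}
	return missing
}

// AuditImage runs both checks and returns human-readable findings; an empty
// slice means the image is clean for these two concerns.
func AuditImage(sshdConfig, modules string) []string {
	var findings []string
	if v := EffectiveOption(sshdConfig, "PermitRootLogin"); strings.EqualFold(v, "yes") {
		findings = append(findings, "sshd: PermitRootLogin yes is a dev-only setting")
	}
	if v := EffectiveOption(sshdConfig, "PasswordAuthentication"); strings.EqualFold(v, "yes") {
		findings = append(findings, "sshd: PasswordAuthentication yes exposes the default root:cocoon credential")
	}
	for _, m := range MissingModules(modules, requiredVsockModules) {
		findings = append(findings, "initramfs: missing module "+m+" (AF_VSOCK bind may fail at boot)")
	}
	return findings
}

func main() {
	for _, f := range AuditImage(sampleSSHDConfig, sampleModules) {
		fmt.Println(f)
	}
}
```

On the constructed input the audit reports three findings: the root login and password settings, and the missing `vmw_vsock_virtio_transport` entry. Wiring the same functions to files extracted from a built image (for example via `cocoon vm exec` or by mounting the rootfs) would let the `build-os-images` matrix fail a build that forgot the transport module or shipped the dev sshd settings into an image meant for a shared network.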