Skip to content

feat(vm): add openshell-vm crate with libkrun microVM gateway#611

Draft
drew wants to merge 11 commits intomainfrom
start-openshell-vm
Draft

feat(vm): add openshell-vm crate with libkrun microVM gateway#611
drew wants to merge 11 commits intomainfrom
start-openshell-vm

Conversation

@drew
Copy link
Copy Markdown
Collaborator

@drew drew commented Mar 25, 2026

Summary

Adds the openshell-vm crate — a new microVM runtime that uses libkrun to boot lightweight VMs with hardware isolation. On macOS ARM64 it leverages Apple's Hypervisor.framework; on Linux it uses KVM. This provides a single-binary alternative to the Docker/k3s-based gateway deployment.

Changes

  • New crates/openshell-vm/ crate with:
    • lib.rs: VmConfig builder, libkrun FFI wrapper, VM lifecycle (launch, exec, reset)
    • ffi.rs: Dynamic loading of libkrun.dylib/libkrun.so via libloading
    • exec.rs: openshell-vm exec support to run commands inside a running VM via vsock
    • main.rs: Standalone CLI binary with --exec, --port, --vcpus, --mem, --net, --reset flags
  • Runtime scripts: build-rootfs.sh, openshell-vm-init.sh, sync-vm-rootfs.sh, check-vm-capabilities.sh, helper Python scripts
  • Build/packaging tasks in tasks/vm.toml and associated scripts
  • Helm chart and deployment manifest updates for VM-based gateway support
  • Architecture documentation in architecture/custom-vm-runtime.md
  • Path helpers in openshell-core and openshell-bootstrap for VM rootfs/runtime directories
  • Integration test in tests/gateway_integration.rs

Testing

  • Integration test added (crates/openshell-vm/tests/gateway_integration.rs)
  • mise run pre-commit passes
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (architecture/custom-vm-runtime.md)

@drew drew requested a review from a team as a code owner March 25, 2026 15:13
@drew drew self-assigned this Mar 25, 2026
areporeporepo

This comment was marked as off-topic.

Sign in to view

@drew drew marked this pull request as draft March 25, 2026 18:50
@areporeporepo areporeporepo mentioned this pull request Mar 26, 2026
Open
drew added 7 commits March 30, 2026 21:26
@drew
feat(vm): add openshell-vm crate with libkrun microVM gateway
da57ba3
@drew
fix(vm): address review findings in openshell-vm crate
f881471 
Fix targeted gvproxy kill to use tracked PID from runtime state instead
of pkill, gate diagnostic dump behind OPENSHELL_VM_DIAG env var, stream
SHA-256 hashing to avoid buffering entire files, clarify operator
precedence in env var validation, replace hand-rolled JSON parser with
serde_json, deduplicate required_runtime_lib_name(), and add openshell-vm
to AGENTS.md architecture table.
@drew
wip
f721839
@drew
wip
e014513
@drew
wip
7ae955d
@drew
wip
d5fdd01
@drew
wip
d06b90b
@drew drew force-pushed the start-openshell-vm branch from 3cc1759 to d06b90b Compare March 31, 2026 04:34
drew added 4 commits March 31, 2026 20:37
@drew
feat(vm): add Linux networking support and recover stale kine DB on boot
ab2c884 
- Gate krun_add_net_unixgram FFI type, struct field, and VmContext method
  behind #[cfg(target_os = "macos")] to eliminate dead_code warnings on Linux
- Add krun_add_net_unixstream FFI binding and add_net_unixstream VmContext
  method for Linux SOCK_STREAM networking via gvproxy QEMU listener
- Switch gvproxy launch flags: -listen-qemu (Linux) vs -listen-vfkit (macOS)
- Add recover_stale_kine_db: removes corrupt or bootstrap-locked SQLite kine
  database before boot so k3s always starts with a clean schema
- Drop version segment from rootfs and runtime cache paths to avoid stale
  directories accumulating across upgrades
- Improve build-libkrun.sh: two-phase kernel config merge using merge_config.sh
  and auto-detect LIBCLANG_PATH for clang-sys on Debian/Ubuntu
- Ensure libkrunfw.so.5 soname file is present alongside versioned artifact
- Add bundle-vm-runtime.sh task and vm:bundle-runtime mise target
- Pin AGENT_SANDBOX_IMAGE to updated digest
- Add pyelftools dev dependency
@drew
refactor(vm): extract per-gateway rootfs instead of cloning from shar…
9c510a4 
…ed template

Each gateway instance now gets its own rootfs extracted directly from the
embedded tarball, eliminating the shared template rootfs that all instances
previously cloned from. The default (unnamed) gateway is now treated as a
named instance with name "default", removing all Option-based branching.

- Replace ensure_rootfs_extracted() with extract_rootfs_to(dest) in embedded.rs
- Rewrite ensure_named_rootfs() to extract instead of clone
- Remove clone_rootfs() and DEFAULT_GATEWAY_NAME
- Default --name CLI arg to "default", simplifying all call sites
- Remove dead default_rootfs_dir() from paths.rs
@drew
wip
c2c6e8c
@drew
style(vm): fix rustfmt line length in launch() conditional
795e861
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@areporeporepo areporeporepo areporeporepo left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@drew drew

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@drew @areporeporepo