diff --git a/crates/openshell-driver-vm/scripts/openshell-vm-sandbox-init.sh b/crates/openshell-driver-vm/scripts/openshell-vm-sandbox-init.sh
index a6aff191e..07f55ecc7 100644
--- a/crates/openshell-driver-vm/scripts/openshell-vm-sandbox-init.sh
+++ b/crates/openshell-driver-vm/scripts/openshell-vm-sandbox-init.sh
@@ -17,11 +17,11 @@ BOOT_START=$(date +%s%3N 2>/dev/null || date +%s)
 # gvproxy's TCP/UDP/ICMP forwarder. Use this address
 # (or any of the host.* hostnames below) to reach a
 # service the host is listening on.
-# The host.containers.internal / host.docker.internal DNS records served
-# by gvproxy's embedded resolver point at 192.168.127.254. We mirror that
-# in /etc/hosts so the supervisor can reach the gateway even when
-# gvproxy's DNS is not in resolv.conf (e.g. DHCP failed and we fell
-# back to 8.8.8.8).
+# The host.openshell.internal / host.containers.internal /
+# host.docker.internal DNS records served by gvproxy's embedded resolver
+# point at 192.168.127.254. We mirror that in /etc/hosts so the supervisor
+# can reach the gateway even when gvproxy's DNS is not in resolv.conf
+# (e.g. DHCP failed and we fell back to 8.8.8.8).
 GVPROXY_GATEWAY_IP="192.168.127.1"
 GVPROXY_HOST_LOOPBACK_IP="192.168.127.254"
 GATEWAY_IP="$GVPROXY_GATEWAY_IP"
@@ -419,7 +419,12 @@ rewrite_openshell_endpoint_if_needed() {
 if [ "${GATEWAY_IP}" != "${GVPROXY_GATEWAY_IP}" ]; then
 fallback_ip="$GATEWAY_IP"
 fi
- for candidate in host.openshell.internal host.containers.internal host.docker.internal "$fallback_ip"; do
+ local candidates="host.openshell.internal host.containers.internal host.docker.internal"
+ if [ "$scheme" != "https" ]; then
+ candidates="${candidates} ${fallback_ip}"
+ fi
+
+ for candidate in $candidates; do
 if [ "$candidate" = "$host" ]; then
 continue
 fi
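Review bot: The guard `[ "$scheme" != "https" ]` that keeps the bare `${fallback_ip}` out of the candidate list is a case-sensitive string compare, so if `scheme` is taken verbatim from the configured endpoint (its derivation is outside this hunk) a value such as `HTTPS` would be treated as non-TLS and the endpoint could still be rewritten to an IP that no certificate SAN can match; normalising once before the compare, e.g. `scheme=$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')`, closes that gap if the parser does not already do it. The exclusion also carries no comment saying why, and the reason only surfaces in a later warning string; I would put it on the `if`: `# https: a bare IP cannot satisfy the gateway certificate's SAN check, so only try hostnames`. The new `local candidates=` is the only `local` in the visible lines while `fallback_ip` two lines above is assigned without one — fine if the rest of the function declares it, but worth aligning since `local` is not strictly POSIX. rewrite_openshell_endpoint_if_needed begins before this hunk.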
@@ -435,6 +440,11 @@ rewrite_openshell_endpoint_if_needed() { fi done + if [ "$scheme" = "https" ]; then + ts "WARNING: could not preflight HTTPS OpenShell endpoint ${host}:${port}; preserving hostname for TLS verification" + return 0 + fi + ts "WARNING: could not reach OpenShell endpoint ${host}:${port}" } diff --git a/crates/openshell-driver-vm/src/driver.rs b/crates/openshell-driver-vm/src/driver.rs index ad5625e61..52a9729f8 100644 --- a/crates/openshell-driver-vm/src/driver.rs +++ b/crates/openshell-driver-vm/src/driver.rs @@ -91,11 +91,11 @@ const OPENSHELL_HOST_GATEWAY_ALIAS: &str = "host.openshell.internal"; /// resolves even when gvproxy's DNS is not in resolv.conf; /// * keeping a recognisable hostname makes log messages clearer than a bare /// 192.168.127.254 reference; -/// * `host.docker.internal` works the same way for Docker-flavoured tooling. +/// * package-managed gateway certificates include this SAN for guest mTLS. /// /// Both names ultimately route through the gvproxy NAT path on /// `GVPROXY_HOST_LOOPBACK_IP` — they do **not** go through the gateway IP. -const GVPROXY_HOST_LOOPBACK_ALIAS: &str = "host.containers.internal"; +const GVPROXY_HOST_LOOPBACK_ALIAS: &str = OPENSHELL_HOST_GATEWAY_ALIAS; const GUEST_SSH_SOCKET_PATH: &str = "/run/openshell/ssh.sock"; const GUEST_TLS_CA_PATH: &str = "/opt/openshell/tls/ca.crt"; const GUEST_TLS_CERT_PATH: &str = "/opt/openshell/tls/tls.crt"; 
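Review bot: The new https branch ends with an explicit `return 0`, whereas the pre-existing non-https failure path directly below it falls through, so the function's exit status there is whatever the final `ts` call returns; any caller that tests the status (not visible here) sees a deliberate success for one preflight failure and an incidental status for the other. If preflight failure is meant to be non-fatal in both cases, add `return 0` after the final `ts "WARNING: could not reach OpenShell endpoint ..."` line so the two paths agree. rewrite_openshell_endpoint_if_needed's body starts before this hunk.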
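Review bot: Now that `GVPROXY_HOST_LOOPBACK_ALIAS` is defined as `OPENSHELL_HOST_GATEWAY_ALIAS`, the retained sentence `Both names ultimately route through the gvproxy NAT path on ...` is stale — there is a single name — and the comment does not say that the value has become load-bearing for TLS: the new bullet states that the package-managed gateway certificate carries it as a SAN, so a later edit to either the alias or the certificate would silently break guest mTLS verification rather than produce an obvious error. I would replace the "Both names" sentence with `/// This alias must stay in sync with the SAN of the package-managed gateway certificate; renaming either side breaks guest mTLS.` and, unless something depends on the two constants being distinct, fold the duplicate into `OPENSHELL_HOST_GATEWAY_ALIAS` at its use sites so there is one place to keep in step with the certificate.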
@@ -3392,7 +3392,7 @@ fn merged_environment(sandbox: &Sandbox) -> HashMap {
 /// not the host's. Inside the guest we need a name that gvproxy will translate
 /// into the host's loopback address.
 ///
-/// We rewrite to `host.containers.internal`, which gvproxy's embedded DNS resolves
+/// We rewrite to `host.openshell.internal`, which gvproxy's embedded DNS resolves
 /// to the host-loopback IP `192.168.127.254`. gvproxy installs a default NAT entry
 /// rewriting that destination to the host's `127.0.0.1` and dialing out from the
 /// host process, so any port the host is listening on becomes reachable. The
diff --git a/crates/openshell-driver-vm/src/rootfs.rs b/crates/openshell-driver-vm/src/rootfs.rs
index d85a06c6d..904ed8cd3 100644
--- a/crates/openshell-driver-vm/src/rootfs.rs
+++ b/crates/openshell-driver-vm/src/rootfs.rs
@@ -379,6 +379,7 @@ fn prepare_sandbox_rootfs(rootfs: &Path) -> Result<(), String> {
 .map_err(|e| format!("write sandbox rootfs marker: {e}"))?;
 ensure_sandbox_guest_user(rootfs)?;
 create_sandbox_mountpoint(&rootfs.join("sandbox"))?;
+ create_sandbox_mountpoint(&rootfs.join("image-cache"))?;
 create_sandbox_mountpoint(&rootfs.join("lower"))?;
 create_sandbox_mountpoint(&rootfs.join("overlay"))?;
 create_sandbox_mountpoint(&rootfs.join("newroot"))?;
@@ -941,6 +942,7 @@ mod tests {
 assert!(rootfs.join("srv/openshell-vm-sandbox-init.sh").is_file());
 assert!(rootfs.join("opt/openshell/bin/umoci").is_file());
 assert!(rootfs.join("sandbox").is_dir());
+ assert!(rootfs.join("image-cache").is_dir());
 assert!(rootfs.join("lower").is_dir());
 assert!(rootfs.join("overlay").is_dir());
 assert!(rootfs.join("newroot").is_dir());
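Review bot: The new `image-cache` mountpoint is added with no comment on what gets mounted there, in which direction the data flows, or whether it is shared across sandboxes, while its neighbours `lower`/`overlay`/`newroot` at least name their role in the overlay layering. That matters for trust: if the cache is a host-provided directory reused between sandboxes, the guest should see it read-only so that one sandbox cannot alter what a later one unpacks, whereas a per-sandbox scratch cache has no such concern — I cannot tell from this hunk which design applies. A one-line comment on the new call would settle it, e.g. `// mountpoint for the image cache (TODO confirm: host-provided and read-only? shared between sandboxes?)`. prepare_sandbox_rootfs starts before this hunk, and the second hunk only extends the existing rootfs-layout test.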