94 lines
3.7 KiB
Python
94 lines
3.7 KiB
Python
"""Install the per-bottle MITM CA into the smolmachines guest's
|
|
trust store (PRD 0023 chunk 4d).
|
|
|
|
Mirrors `backend.docker.provision.ca`: select the right CA (egress
|
|
when the bottle has routes, else pipelock), `smolvm machine cp` it
|
|
to Debian's `/usr/local/share/ca-certificates/` path,
|
|
`update-ca-certificates` to rebuild the trust bundle, and log the
|
|
fingerprint once. The selected cert depends on the agent's
|
|
HTTP_PROXY target — same logic as the docker backend, since the
|
|
agent dials the same daemons through the same bundle.
|
|
|
|
`smolvm machine exec` runs commands as root in the VM (no `-u`
|
|
flag exists; the VM init is root), so we don't need the explicit
|
|
`-u 0` the docker backend uses on its `docker exec` calls."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import time
|
|
|
|
from ....log import die
|
|
from ...util import (
|
|
AGENT_CA_BUNDLE,
|
|
AGENT_CA_PATH,
|
|
log_ca_fingerprint,
|
|
select_ca_cert,
|
|
)
|
|
from .. import smolvm as _smolvm
|
|
from ..bottle_plan import SmolmachinesBottlePlan
|
|
|
|
|
|
_SIGKILL_EXIT = 128 + 9
|
|
|
|
|
|
def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
|
|
"""Copy the agent-facing CA cert into the guest, rebuild the
|
|
trust bundle, emit a one-line fingerprint log. Called from
|
|
`BottleBackend.provision` after the smolvm guest is up."""
|
|
cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
|
|
|
|
_smolvm.machine_cp(str(cert_host_path), f"{target}:{AGENT_CA_PATH}")
|
|
# Mode 0644 — readable to non-root tools in the guest.
|
|
# update-ca-certificates rebuilds the bundle at AGENT_CA_BUNDLE,
|
|
# which is what curl / Python ssl / OpenSSL-based tools read by
|
|
# default. The env trio (NODE_EXTRA_CA_CERTS / SSL_CERT_FILE /
|
|
# REQUESTS_CA_BUNDLE) on the guest_env covers Node + Python
|
|
# `requests` / libraries that don't load the system bundle.
|
|
#
|
|
r = _install_ca(target)
|
|
if r.returncode == _SIGKILL_EXIT:
|
|
# smolvm/libkrun can SIGKILL an otherwise-normal exec
|
|
# during early-VM provisioning. `update-ca-certificates`
|
|
# is idempotent, so retry the same install once after a
|
|
# short settle delay before treating it as fatal.
|
|
time.sleep(1.0)
|
|
r = _install_ca(target)
|
|
|
|
if r.returncode != 0:
|
|
# update-ca-certificates not adding our cert is fatal —
|
|
# claude-code's TLS handshake against the egress-MITM'd
|
|
# api.anthropic.com would fail downstream. Bail early
|
|
# with what we can see (output is captured by smolvm so
|
|
# we can surface it).
|
|
die(
|
|
f"update-ca-certificates didn't add the agent CA "
|
|
f"(exit {r.returncode}): "
|
|
f"stdout={(r.stdout or '').strip()!r} "
|
|
f"stderr={(r.stderr or '').strip()!r}"
|
|
)
|
|
|
|
log_ca_fingerprint(cert_host_path, label)
|
|
|
|
|
|
def _install_ca(target: str) -> _smolvm.SmolvmRunResult:
|
|
# chown + chmod + update-ca-certificates + bundle
|
|
# verification run in one `sh -c` so we only pay one
|
|
# machine_exec round trip; the `&&` chaining surfaces the
|
|
# first failure as the return code. The verify check is more
|
|
# stable than requiring "1 added" in stdout: a retry after a
|
|
# partially-completed first run may legitimately report "0
|
|
# added" while the cert is already installed.
|
|
return _smolvm.machine_exec(target, [
|
|
"sh", "-c",
|
|
f"chown root:root {AGENT_CA_PATH} && "
|
|
f"chmod 644 {AGENT_CA_PATH} && "
|
|
f"update-ca-certificates && "
|
|
f"openssl verify -CAfile {AGENT_CA_BUNDLE} {AGENT_CA_PATH}",
|
|
])
|
|
|
|
|
|
# Re-exported for the launch/provision_ca caller + tests. The path
|
|
# constants live in the shared `backend.util` (Debian's
|
|
# `update-ca-certificates` layout is the same in both backends).
|
|
__all__ = ["AGENT_CA_BUNDLE", "AGENT_CA_PATH", "provision_ca"]
|