Extend the test suite to use nmap to see what ports are accessible on the host. Done — test_host_exposed_ports is now enforced via host-side iptables (Linux) and pf (macOS).
Now that vm.py start prompts for sudo anyway, let's go ahead and run/launch the socket_vmnet for the user anyway so they don't need a separate terminal. Done — setup_network() auto-launches socket_vmnet with a justification message before the sudo prompt. The daemon is stopped on exit via teardown_network().
Let's improve the developer experience so vm.py start drops you right into an SSH session, ready to go, instead of having to have a separate terminal shell just running QEMU. Done — when stdout is a TTY, vm.py start backgrounds QEMU, waits for SSH, and drops into an interactive session. Exiting the session stops everything. Non-interactive mode (test suite) preserves the old foreground-QEMU behavior.
Evaluate alternatives to using the com.apple/agent-vm pf anchor on macOS. Evaluated — keeping com.apple/agent-vm. Alternatives (custom anchor in /etc/pf.conf, pfctl -f, LaunchDaemon) are all more invasive or dangerous. Added rationale comment and runtime verification that warns if rules aren't active.
Simple is harder than complex. Review all code and propose 3 ways it can be simplified based on what you know now. Done — (a) replaced MIME multipart user-data merge with cloud-init's native #cloud-config-archive format, (b) unified EFI preparation into a shared _prepare_efi() helper, (c) replaced 3-way ISO tool cascade with platform-explicit _build_iso().
Explore going sudoless by using QEMU's -netdev user (slirp) with guestfwd to connect the guest to the proxy. Done — replaced socket_vmnet (macOS) and TAP/bridge (Linux) with slirp restrict=on + guestfwd=tcp:10.0.2.100:PORT-cmd:nc 127.0.0.1 PORT. Removed all pf/iptables firewall code. Zero sudo prompts. The cmd:nc guestfwd mode (revisited with QEMU 10.x) works correctly — each guest TCP connection spawns a fresh nc that connects to the host-side proxy. restrict=on blocks all other outbound traffic (TCP, UDP, ICMP) at the slirp layer, providing stronger isolation than the previous firewall-based approach.
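A way to check that a generated QEMU command line actually has the isolation described in the last item. This is an added example, not code from vm.py. The function names, port 3128, the `net0` id and the sample argv lists are constructed for illustration, and the parser assumes the `cmd:` string contains no commas.

```python
import re
import shlex

# Form quoted above: guestfwd=tcp:<guest-visible ip>:<port>-cmd:<command>
GUESTFWD_RE = re.compile(r"^tcp:([\d.]+):(\d+)-cmd:(.+)$")


def build_netdev(proxy_port, netdev_id="net0"):
    """-netdev value for a restricted slirp NIC with a single proxy forward."""
    return (f"user,id={netdev_id},restrict=on,"
            f"guestfwd=tcp:10.0.2.100:{proxy_port}-cmd:nc 127.0.0.1 {proxy_port}")


def audit_netdevs(argv):
    """Return findings for each -netdev in a QEMU argv; an empty list means clean."""
    findings = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-netdev":
            continue
        backend, *opts = value.split(",")  # assumes no ',' inside the cmd string
        if backend != "user":
            findings.append(f"backend '{backend}' is not slirp")
            continue
        pairs = [opt.partition("=")[::2] for opt in opts]
        restrict = [v for k, v in pairs if k == "restrict"]
        if not restrict or restrict[-1] != "on":
            findings.append("restrict=on missing: guest has open outbound access")
        for key, fwd in pairs:
            if key != "guestfwd":
                continue
            m = GUESTFWD_RE.match(fwd)
            cmd = shlex.split(m.group(3)) if m else []
            # The only forward allowed is nc to the loopback proxy on the host.
            if len(cmd) != 3 or cmd[:2] != ["nc", "127.0.0.1"] or not cmd[2].isdigit():
                findings.append(f"guestfwd not 'nc 127.0.0.1 PORT': {fwd}")
    return findings


# Constructed sample command lines (port 3128 is a placeholder)
GOOD = ["qemu-system-aarch64", "-netdev", build_netdev(3128),
        "-device", "virtio-net-pci,netdev=net0"]
OPEN = ["qemu-system-aarch64", "-netdev", "user,id=net0"]
WIDE = ["qemu-system-aarch64", "-netdev",
        "user,id=net0,restrict=on,guestfwd=tcp:10.0.2.100:3128-cmd:nc 192.0.2.10 3128"]

if __name__ == "__main__":
    for name, argv in (("GOOD", GOOD), ("OPEN", OPEN), ("WIDE", WIDE)):
        print(name, audit_netdevs(argv) or "ok")
```

Running the audit in the test suite before launching QEMU catches a dropped `restrict=on` or a forward that points somewhere other than the loopback proxy.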