Split wrapper into identity-free and identity-bound phases

Boot now layers as:
  Phase A: xorg/xvfb, dbus, chromedriver + envoy cert install
           (cert generation/CA trust/NSS DB - no per-instance envs read)
  Phase B: mutter, chromium, neko (X/dbus consumers, identity-free)
  Phase C: envoy template render + envoy and kernel-images-api restart
           (gated on INST_NAME/METRO_NAME/XDS_SERVER/KERNEL_INSTANCE_JWT)

init-envoy.sh now takes a phase argument (certs|config|all). The wrapper
calls certs early so chromium can boot with the proxy cert in trust, and
defers config (template render + supervisorctl start) until Phase C.

A FORK HOOK comment marks the Phase B/C boundary: post-snapshot restore,
fresh identity envs need to be received from the host before Phase C
runs, and `supervisorctl restart` makes the same Phase C code path safe
on both boot (start cold service) and fork (stop+start to drop stale
identity).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: sjmiller609

server/cmd/wrapper/main.go

@@ -128,24 +128,24 @@ func main() {
 	}
 	waitForSocket(supervisorSock, 10*time.Second)
 
-	// Envoy bootstrap: cert generation, NSS DB, template render, and
-	// `supervisorctl start envoy`. Run concurrently with Phase A so the
-	// shell-out work (openssl, certutil, update-ca-certificates) overlaps
-	// xorg/dbus/chromedriver bring-up. Phase B (chromium) gates on this
-	// because chromium reads the system CA trust store at process start
-	// and needs the envoy self-signed cert in place. The envoy listener
-	// itself (port 3128) is probed in waitAllReady, not here.
-	envoyDone := make(chan struct{})
+	// Envoy cert work (openssl, update-ca-certificates, certutil) is the
+	// only piece of Envoy bring-up that's identity-free, and it has to land
+	// before chromium starts because chromium reads the system CA trust
+	// store at process start. Run it concurrently with Phase A so the
+	// shell-out cost overlaps xorg/dbus/chromedriver bring-up. Template
+	// render and `supervisorctl start envoy` happen later in Phase C —
+	// those depend on INST_NAME/METRO_NAME/XDS_SERVER/KERNEL_INSTANCE_JWT.
+	envoyCertsDone := make(chan struct{})
 	if isExecutable("/usr/local/bin/init-envoy.sh") {
 		go func() {
-			defer close(envoyDone)
-			runStream("envoy-init", "/usr/local/bin/init-envoy.sh")
+			defer close(envoyCertsDone)
+			runStream("envoy-init", "/usr/local/bin/init-envoy.sh", "certs")
 		}()
 	} else {
-		close(envoyDone)
+		close(envoyCertsDone)
 	}
 
-	// Phase A: services with no X/dbus/chromium dependency. chromedriver
+	// Phase A: identity-free services with no X/dbus dependency. chromedriver
 	// listens on 9225 immediately and only attaches to chromium on session
 	// creation, so it can come up alongside the display stack.
 	xServer := "xorg"
@@ -161,25 +161,52 @@ func main() {
 	// parallel with chromium.
 	_ = os.WriteFile(filepath.Join(supervisordLogD, "chromium"), nil, 0o644)
 
-	// Gate chromium on envoy cert/template work being done.
-	<-envoyDone
+	// Gate chromium on the envoy cert being installed in the trust store.
+	<-envoyCertsDone
 
-	// Phase B: everything that needs X+dbus, started in a single supervisorctl
-	// invocation. On headful, mutter is the compositor and neko/api come up
-	// alongside chromium so their bring-up overlaps with chromium boot rather
-	// than trailing CDP. Headless has no compositor and no neko.
+	// Phase B: identity-free X/dbus consumers. Chromium itself doesn't read
+	// any per-instance identity envs — it just needs the envoy cert (Phase A)
+	// in trust. mutter is the compositor on headful; neko is the WebRTC
+	// streamer when ENABLE_WEBRTC=true.
 	webrtc := prof == profileHeadful && os.Getenv("ENABLE_WEBRTC") == "true"
 	var phaseB []string
 	if prof == profileHeadful {
-		phaseB = []string{"mutter", "chromium", "kernel-images-api"}
+		phaseB = []string{"mutter", "chromium"}
 		if webrtc {
 			phaseB = append(phaseB, "neko")
 		}
 	} else {
-		phaseB = []string{"chromium", "kernel-images-api"}
+		phaseB = []string{"chromium"}
 	}
 	startAll(phaseB...)
 
+	// FORK HOOK:
+	//   When this binary runs as a forked snapshot restore, the per-fork
+	//   identity envs (INST_NAME, METRO_NAME, XDS_SERVER, KERNEL_INSTANCE_JWT,
+	//   plus any future per-tenant secrets) won't be set yet at this point —
+	//   the snapshot was taken from a different instance. Insert the
+	//   following sequence here once the env-delivery channel exists:
+	//     1. Block on the host-pushed env bundle (vsock socket, virtio-fs
+	//        drop file, or whatever transport the control plane settles on).
+	//     2. Apply the bundle to this process's environ via os.Setenv so
+	//        Phase C below picks them up via the existing $VAR expansion in
+	//        init-envoy.sh and the supervisorctl-spawned services inherit
+	//        them.
+	//     3. Phase C uses `supervisorctl restart envoy` (idempotent — start
+	//        on first boot, stop+start on a re-render after fork) so a
+	//        restored snapshot drops its stale identity cleanly.
+	//   Boot path keeps running through unchanged: the wait simply no-ops
+	//   when there's no fork bundle to receive.
+
+	// Phase C: identity-bound. Render envoy bootstrap with INST_NAME/JWT/etc
+	// and (re)start envoy + kernel-images-api. Both services use `restart`
+	// so the same code path works for boot (start a stopped service) and
+	// post-fork (stop+start to force a re-read of refreshed envs).
+	if isExecutable("/usr/local/bin/init-envoy.sh") {
+		runStream("envoy-init", "/usr/local/bin/init-envoy.sh", "config")
+	}
+	restartAll("kernel-images-api")
+
 	// Wait for the union of caller-visible ready signals. Each probe runs
 	// concurrently and logs as soon as its target is reachable.
 	waitAllReady(t0, webrtc)
@@ -219,10 +246,22 @@ func main() {
 // supervisorctl once (it accepts multiple args) so we don't pay python
 // cold-start costs per service.
 func startAll(progs ...string) {
+	supervisorctl("start", progs...)
+}
+
+// restartAll is the start-or-stop+start variant. It's used for services
+// that may already be running from a snapshot restore (post-fork, see the
+// FORK HOOK in main) so they pick up refreshed envs cleanly. supervisorctl
+// `restart` is a no-op stop on cold programs followed by a normal start.
+func restartAll(progs ...string) {
+	supervisorctl("restart", progs...)
+}
+
+func supervisorctl(verb string, progs ...string) {
 	if len(progs) == 0 {
 		return
 	}
-	args := append([]string{"-c", supervisorConf, "start"}, progs...)
+	args := append([]string{"-c", supervisorConf, verb}, progs...)
 	cmd := exec.Command("supervisorctl", args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr

shared/envoy/init-envoy.sh

@@ -2,30 +2,37 @@
 
 set -o pipefail -o errexit -o nounset
 
-# The browser instance JWT is the sole token contract for xDS and host-local
-# services in the image runtime.
-INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}"
-
-# Check for required environment variables, to see if envoy is enabled
-if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then
-  echo "[envoy-init] Required environment variables not set. Skipping Envoy initialization."
-  exit 0
-fi
-
-# Also check for template file
-if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then
-  echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping Envoy initialization."
-  exit 0
-fi
-
-echo "[envoy-init] Preparing Envoy bootstrap configuration"
-mkdir -p /etc/envoy
-
-# Generate self-signed certificates for TLS forward proxy
-echo "[envoy-init] Generating self-signed certificates for TLS forward proxy"
-mkdir -p /etc/envoy/certs
-
-if [[ ! -f /etc/envoy/certs/proxy.crt || ! -f /etc/envoy/certs/proxy.key ]]; then
+# Phase argument lets the Go wrapper split the script into an identity-free
+# stage (certs/CA trust/NSS DB — runs early so chromium boots with the cert
+# already trusted) and an identity-bound stage (template render with
+# INST_NAME/METRO_NAME/XDS_SERVER/KERNEL_INSTANCE_JWT, then envoy start).
+#   certs   — generate self-signed cert and install it in trust stores
+#   config  — render bootstrap template and start envoy via supervisord
+#   all     — both phases (default; preserves legacy single-call behavior)
+PHASE="${1:-all}"
+
+case "$PHASE" in
+  certs|config|all) ;;
+  *)
+    echo "[envoy-init] Unknown phase: $PHASE (expected certs|config|all)" >&2
+    exit 2
+    ;;
+esac
+
+run_certs() {
+  if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then
+    echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping cert generation."
+    return 0
+  fi
+
+  echo "[envoy-init] Generating self-signed certificates for TLS forward proxy"
+  mkdir -p /etc/envoy/certs
+
+  if [[ -f /etc/envoy/certs/proxy.crt && -f /etc/envoy/certs/proxy.key ]]; then
+    echo "[envoy-init] Certificates already exist, skipping generation"
+    return 0
+  fi
+
   echo "[envoy-init] Creating new self-signed certificate"
   openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
     -keyout /etc/envoy/certs/proxy.key \
@@ -34,46 +41,75 @@ if [[ ! -f /etc/envoy/certs/proxy.crt || ! -f /etc/envoy/certs/proxy.key ]]; the
     -addext "subjectAltName = DNS:localhost,IP:127.0.0.1" \
     2>&1 | sed 's/^/[envoy-init] /'
   echo "[envoy-init] Certificate generated successfully"
-  
-  # Add certificate to system trust store for Chrome/Chromium
- echo "[envoy-init] Adding certificate to system trust store"
- cp /etc/envoy/certs/proxy.crt /usr/local/share/ca-certificates/kernel-envoy-proxy.crt
- cp /etc/envoy/certs/proxy.crt /kernel-envoy-proxy.crt
- update-ca-certificates 2>&1 | sed 's/^/[envoy-init] /'
- echo "[envoy-init] Certificate added to system trust store"
-if [[ "${RUN_AS_ROOT:-}" == "true" ]]; then
+
+  echo "[envoy-init] Adding certificate to system trust store"
+  cp /etc/envoy/certs/proxy.crt /usr/local/share/ca-certificates/kernel-envoy-proxy.crt
+  cp /etc/envoy/certs/proxy.crt /kernel-envoy-proxy.crt
+  update-ca-certificates 2>&1 | sed 's/^/[envoy-init] /'
+  echo "[envoy-init] Certificate added to system trust store"
+
+  if [[ "${RUN_AS_ROOT:-}" == "true" ]]; then
     mkdir -p /root/.pki/nssdb
     certutil -d /root/.pki/nssdb -N --empty-password 2>/dev/null || true
     certutil -d /root/.pki/nssdb -A -t "C,," -n "Kernel Envoy Proxy" -i /etc/envoy/certs/proxy.crt
     echo "[envoy-init] Certificate added to nssdb as root"
- else
-  mkdir -p /home/kernel/.pki/nssdb
-  certutil -d /home/kernel/.pki/nssdb -N --empty-password 2>/dev/null || true
-  certutil -d /home/kernel/.pki/nssdb -A -t "C,," -n "Kernel Envoy Proxy" -i /etc/envoy/certs/proxy.crt
-  chown -R kernel:kernel /home/kernel/.pki
-  echo "[envoy-init] Certificate added to nssdb as kernel"
- fi
- echo "[envoy-init] Certificate added to nssdb"
-else
-  echo "[envoy-init] Certificates already exist, skipping generation"
-fi
-
-# Render template with provided environment variables
-echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***"
-inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
-metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
-xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g')
-jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g')
-sed -e "s|{INST_NAME}|$inst_esc|g" \
-    -e "s|{METRO_NAME}|$metro_esc|g" \
-    -e "s|{XDS_SERVER}|$xds_esc|g" \
-    -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \
-    /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
-
-echo "[envoy-init] Starting Envoy via supervisord"
-supervisorctl -c /etc/supervisor/supervisord.conf start envoy
-
-# Readiness (port 3128 reachable) is now probed by the Go wrapper's
-# waitAllReady alongside CDP/chromedriver, so this script returns as soon
-# as the start request has been issued. Removing the in-script poll lets
-# init-envoy.sh run concurrently with Phase A bring-up.
+  else
+    mkdir -p /home/kernel/.pki/nssdb
+    certutil -d /home/kernel/.pki/nssdb -N --empty-password 2>/dev/null || true
+    certutil -d /home/kernel/.pki/nssdb -A -t "C,," -n "Kernel Envoy Proxy" -i /etc/envoy/certs/proxy.crt
+    chown -R kernel:kernel /home/kernel/.pki
+    echo "[envoy-init] Certificate added to nssdb as kernel"
+  fi
+}
+
+run_config() {
+  # Identity envs gate the config phase: without them xDS can't bind, so
+  # render+start is a no-op on images that don't run with a JWT.
+  INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}"
+  if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then
+    echo "[envoy-init] Required environment variables not set. Skipping Envoy config/start."
+    return 0
+  fi
+
+  if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then
+    echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping Envoy config/start."
+    return 0
+  fi
+
+  echo "[envoy-init] Preparing Envoy bootstrap configuration"
+  mkdir -p /etc/envoy
+
+  echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***"
+  inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
+  metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
+  xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g')
+  jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g')
+  sed -e "s|{INST_NAME}|$inst_esc|g" \
+      -e "s|{METRO_NAME}|$metro_esc|g" \
+      -e "s|{XDS_SERVER}|$xds_esc|g" \
+      -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \
+      /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
+
+  echo "[envoy-init] Starting Envoy via supervisord"
+  # `restart` is start-or-stop+start: on first boot this just starts envoy,
+  # on a re-render (e.g. post-fork env refresh) it forces a clean re-read
+  # of the rendered bootstrap. Either way no callers see stale identity.
+  supervisorctl -c /etc/supervisor/supervisord.conf restart envoy
+
+  # Readiness (port 3128 reachable) is probed by the Go wrapper's
+  # waitAllReady alongside CDP/chromedriver, so this script returns as soon
+  # as the start request has been issued.
+}
+
+case "$PHASE" in
+  certs)
+    run_certs
+    ;;
+  config)
+    run_config
+    ;;
+  all)
+    run_certs
+    run_config
+    ;;
+esac