embed init binary in the build for easy self extraction

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Author: JAORMX

.gitignore

@@ -4,6 +4,7 @@ bin/
 coverage.out
 coverage.html
 .task/
+pkg/infra/vm/initbin/waggle-init
 
 # IDE
 .idea/

Taskfile.yaml

@@ -22,10 +22,11 @@ vars:
     -X main.buildDate={{.BUILD_DATE}}
 
 # Quick reference:
-#   task build   → Build waggle binary
-#   task test    → Run tests with race detector
-#   task lint    → Run linter
-#   task verify  → fmt + lint + test
+#   task build     → Build waggle binary
+#   task build-dev → Build waggle + propolis-runner
+#   task test      → Run tests with race detector
+#   task lint      → Run linter
+#   task verify    → fmt + lint + test
 
 tasks:
   default:
@@ -35,6 +36,7 @@ tasks:
 
   build:
     desc: Build the waggle binary
+    deps: [build-init]
     cmds:
       - mkdir -p {{.BUILD_DIR}}
       - CGO_ENABLED=0 go build -ldflags "{{.LDFLAGS}}" -o {{.BUILD_DIR}}/{{.BINARY_NAME}} {{.MAIN_PACKAGE}}
@@ -45,24 +47,34 @@ tasks:
     generates:
       - '{{.BUILD_DIR}}/{{.BINARY_NAME}}'
 
+  build-dev:
+    desc: Build waggle + propolis-runner (requires libkrun-devel)
+    platforms: [linux]
+    cmds:
+      - task: build
+      - mkdir -p {{.BUILD_DIR}}
+      - cd ../propolis && CGO_ENABLED=1 go build -o "$OLDPWD/{{.BUILD_DIR}}/propolis-runner" ./runner/cmd/propolis-runner
+
   build-init:
     desc: Build the waggle-init binary (guest VM init)
     cmds:
-      - mkdir -p {{.BUILD_DIR}}
-      - CGO_ENABLED=0 GOOS=linux go build -ldflags "{{.LDFLAGS}}" -o {{.BUILD_DIR}}/waggle-init ./cmd/waggle-init
+      - mkdir -p pkg/infra/vm/initbin
+      - CGO_ENABLED=0 GOOS=linux go build -ldflags "{{.LDFLAGS}}" -o pkg/infra/vm/initbin/waggle-init ./cmd/waggle-init
     sources:
       - cmd/waggle-init/**/*.go
+      - pkg/infra/vm/initbin/embed.go
       - go.mod
       - go.sum
     generates:
-      - '{{.BUILD_DIR}}/waggle-init'
+      - pkg/infra/vm/initbin/waggle-init
 
   build-all:
     desc: Build all binaries
     deps: [build, build-init]
 
   test:
     desc: Run unit tests with race detector
+    deps: [build-init]
     cmds:
       - go test -v -race ./...
 
@@ -75,6 +87,7 @@ tasks:
 
   lint:
     desc: Run linter
+    deps: [build-init]
     cmds:
       - golangci-lint run ./...
 
@@ -118,6 +131,7 @@ tasks:
     cmds:
       - rm -rf {{.BUILD_DIR}}/
       - rm -f coverage.out coverage.html
+      - rm -f pkg/infra/vm/initbin/waggle-init
 
   build-image-python:
     desc: Build Python runtime image

pkg/infra/vm/hooks.go

@@ -0,0 +1,26 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package vm
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/stacklok/propolis/image"
+
+	"github.com/stacklok/waggle/pkg/infra/vm/initbin"
+)
+
+// InjectInitBinary returns a RootFS hook that writes the embedded waggle-init
+// binary to /waggle-init in the guest rootfs.
+func InjectInitBinary() func(string, *image.OCIConfig) error {
+	return func(rootfsPath string, _ *image.OCIConfig) error {
+		initPath := filepath.Join(rootfsPath, "waggle-init")
+		if err := os.WriteFile(initPath, initbin.Binary, 0o755); err != nil { //nolint:gosec // needs to be executable in the guest
+			return fmt.Errorf("writing init binary: %w", err)
+		}
+		return nil
+	}
+}

pkg/infra/vm/initbin/embed.go

@@ -0,0 +1,14 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package initbin embeds the pre-compiled waggle-init binary.
+// The binary is built by `task build-init` and placed at
+// pkg/infra/vm/initbin/waggle-init before compiling waggle.
+package initbin
+
+import _ "embed"
+
+// Binary contains the embedded waggle-init binary.
+//
+//go:embed waggle-init
+var Binary []byte

pkg/infra/vm/propolis.go

@@ -66,6 +66,19 @@ func (p *PropolisProvider) CreateVM(ctx context.Context, env *environment.Enviro
 		"ssh_port", env.SSHPort,
 	)
 
+	rootfsHooks := []propolis.RootFSHook{
+		hooks.InjectAuthorizedKeys(pubKeyContent, hooks.WithKeyUser("/home/sandbox", 1000, 1000)),
+	}
+	if opts.InitPath != "" {
+		hook, err := initInjector(opts.InitPath)
+		if err != nil {
+			return nil, err
+		}
+		rootfsHooks = append(rootfsHooks, hook)
+	} else {
+		rootfsHooks = append(rootfsHooks, InjectInitBinary())
+	}
+
 	// Build propolis options.
 	propolisOpts := []propolis.Option{
 		propolis.WithName("waggle-" + env.ID),
@@ -77,24 +90,14 @@ func (p *PropolisProvider) CreateVM(ctx context.Context, env *environment.Enviro
 		}),
 		propolis.WithDataDir(envDataDir),
 
-		// Inject SSH authorized_keys into the rootfs before boot.
-		propolis.WithRootFSHook(hooks.InjectAuthorizedKeys(pubKeyContent, hooks.WithKeyUser("/home/sandbox", 1000, 1000))),
+		// Inject SSH authorized_keys and waggle-init into the rootfs before boot.
+		propolis.WithRootFSHook(rootfsHooks...),
+		propolis.WithInitOverride("/waggle-init"),
 
 		// Wait for SSH to become ready after boot.
 		propolis.WithPostBoot(sshReadyWaiter(env.SSHPort, privateKeyPath)),
 	}
 
-	if opts.InitPath != "" {
-		hook, err := initInjector(opts.InitPath)
-		if err != nil {
-			return nil, err
-		}
-		propolisOpts = append(propolisOpts,
-			propolis.WithRootFSHook(hook),
-			propolis.WithInitOverride("/waggle-init"),
-		)
-	}
-
 	var backendOpts []libkrun.Option
 	if opts.RunnerPath != "" {
 		backendOpts = append(backendOpts, libkrun.WithRunnerPath(opts.RunnerPath))