feat(vlab): add vlab development scripts

Add scripts for running a local virtual lab (vlab) development environment.
The vlab provides an isolated environment for testing dataplane images
against a simulated Hedgehog fabric without requiring physical hardware.

Components:
- Dockerfile: development container based on Ubuntu with QEMU, docker, and
  OCI tooling (zot registry, oras, skopeo)
- run.sh: orchestrates vlab lifecycle -- builds the container, generates TLS
  certificates for the local zot registry, and starts the environment
- control.sh: provides SSH access into the running vlab VM for interactive
  debugging (defaults to launching k9s)
- zot config: local OCI registry configuration with TLS for serving
  container images to the vlab VMs

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

scripts/vlab/Dockerfile

@@ -0,0 +1,49 @@
+ARG BASE_IMAGE=ubuntu:25.10
+FROM $BASE_IMAGE
+
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
+RUN \
+    apt update; \
+    apt upgrade --yes; \
+:;
+
+RUN \
+    apt update; \
+    apt upgrade --yes; \
+    apt install --yes --no-install-recommends \
+      ca-certificates \
+      curl \
+      docker.io \
+      git \
+      iproute2 \
+      jq \
+      less \
+      neovim \
+      openssh-client \
+      openssl \
+      qemu-kvm \
+      qemu-utils `#for qemu-img` \
+      socat \
+      sudo \
+      wget \
+      yq \
+    ; \
+:;
+
+RUN \
+    mkdir /vlab; \
+:;
+
+WORKDIR /vlab
+VOLUME ["/vlab"]
+
+RUN \
+    wget -O /usr/bin/zot 'https://github.com/project-zot/zot/releases/download/v2.1.15/zot-linux-amd64'; \
+    chmod +x /usr/bin/zot; \
+    chown root:root /usr/bin/zot; \
+:;
+
+RUN \
+    curl -fsSL 'https://i.hhdev.io/oras' | bash; \
+:;

scripts/vlab/control.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright Open Network Fabric Authors
+
+if [ -z "$*" ]; then
+    declare -r cmd="k9s --namespace fab --command pod"
+else
+    declare -r cmd="$*"
+fi
+
+docker exec -it vlab \
+    ssh \
+        -o StrictHostKeyChecking=no \
+        -o UserKnownHostsFile=/dev/null \
+        -t \
+        -p 22000 \
+        -i /vlab/vlab/sshkey \
+        core@localhost "export PATH=\"/usr/bin:/bin:/opt/bin\"; $cmd"

scripts/vlab/root/etc/zot/cert.ini

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+C = US
+ST = CO
+L = Longmont
+O = Hedgehog
+OU = Dev
+CN = zot.loc
+
+[req_ext]
+subjectAltName = IP:192.168.19.1

scripts/vlab/root/etc/zot/config.json

@@ -0,0 +1,37 @@
+{
+    "log": {
+        "level": "debug"
+    },
+    "storage": {
+        "rootDirectory": "/zot"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "30000",
+        "realm": "zot",
+        "tls": {
+            "cert": "/etc/zot/zot.crt",
+            "key": "/etc/zot/zot.key"
+        }
+    },
+    "extensions": {
+        "sync": {
+            "enable": true,
+            "credentialsFile": "/etc/zot/creds.json",
+            "registries": [
+                {
+                    "urls": ["https://ghcr.io"],
+                    "onDemand": true,
+                    "tlsVerify": true,
+                    "content": [
+                        {
+                            "prefix": "/githedgehog/**",
+                            "destination": "/githedgehog",
+                            "stripPrefix": true
+                        }
+                    ]
+                }
+            ]
+        }
+    }
+}

scripts/vlab/run.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright Open Network Fabric Authors
+
+set -euxo pipefail
+
+# Config params
+
+declare -ri RSA_BIT_LENGTH="${RSA_BIT_LENGTH:-4096}"
+declare -ri CERT_DAYS="${CERT_DAYS:-30}"
+
+# end config
+
+declare SOURCE_DIR
+SOURCE_DIR="$(dirname "${BASH_SOURCE}")"
+declare -r SOURCE_DIR
+
+declare -r CERTS_DIR="${SOURCE_DIR}/root/etc/zot"
+
+mkdir -p "${CERTS_DIR}"
+
+pushd "${SOURCE_DIR}"
+
+chmod go=rw "${SOURCE_DIR}/root//etc/zot/"{*.key,*.crt,*.csr}
+
+openssl genrsa \
+  -out "${CERTS_DIR}/ca.key" \
+  "${RSA_BIT_LENGTH}"
+
+chmod u=rw,go= "${CERTS_DIR}/ca.key"
+
+openssl req \
+  -x509 \
+  -new \
+  -nodes \
+  -sha256 \
+  -days "${CERT_DAYS}" \
+  -key "${CERTS_DIR}/ca.key" \
+  -subj "/CN=loc" \
+  -out "${CERTS_DIR}/ca.crt"
+
+openssl req \
+   -new \
+   -nodes \
+   -sha256 \
+   -newkey "rsa:${RSA_BIT_LENGTH}" \
+   -keyout "${CERTS_DIR}/zot.key" \
+   -out "${CERTS_DIR}/zot.csr" \
+   -config "${CERTS_DIR}/cert.ini"
+
+openssl x509 \
+  -req \
+  -in "${CERTS_DIR}/zot.csr" \
+  -CA "${CERTS_DIR}/ca.crt" \
+  -CAkey "${CERTS_DIR}/ca.key" \
+  -CAcreateserial \
+  -subj "/C=CN/ST=GD/L=SZ/O=githedgehog/CN=zot.loc" \
+  -extfile <(printf "subjectAltName=DNS:zot,DNS:zot.loc,IP:192.168.19.1") \
+  -out "${CERTS_DIR}/zot.crt" \
+  -days "${CERT_DAYS}" \
+  -sha256
+
+
+docker stop vlab || true
+docker network rm zot || true
+docker rm vlab || true
+
+docker network create --attachable --driver bridge --ipv4 --ip-range 192.168.19.0/31 --subnet 192.168.19.0/31 zot
+
+declare -r base="${1:-"ubuntu:25.10"}"
+
+docker pull "${base}"
+
+docker build \
+    --build-arg BASE_IMAGE="${base}" \
+    --tag vlab \
+    "${SOURCE_DIR}"
+
+docker run \
+  --network zot \
+  --privileged \
+  --mount type=bind,source="${CERTS_DIR}",target=/etc/zot/,readonly \
+  --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
+  --mount type=volume,source=vlab,target=/vlab \
+  --mount type=volume,source=zot,target=/zot \
+  --env DOCKER_HOST="unix:///var/run/docker.sock" \
+  --volume ~/.docker:/root/.docker:ro \
+  --name vlab \
+  --add-host zot:192.168.19.1 \
+  --add-host zot.loc:192.168.19.1 \
+  --rm \
+  --interactive \
+  --tty \
+  --detach \
+  vlab \
+  zot serve /etc/zot/config.json
+
+### part 2 (in container)
+
+docker exec vlab cp /etc/zot/ca.crt /usr/local/share/ca-certificates/
+docker exec vlab update-ca-certificates
+docker exec vlab /bin/bash -c "curl -fsSL 'https://i.hhdev.io/hhfab' | USE_SUDO=false INSTALL_DIR=. VERSION=master bash;"
+docker exec vlab /vlab/hhfab init --dev --registry-repo 192.168.19.1:30000 --gateway --import-host-upstream --force
+docker exec vlab mv fab.yaml fab.orig.yaml
+docker exec vlab bash -euxo pipefail -c "
+  yq . fab.orig.yaml \
+    | jq --slurp '
+      . as \$input |
+      \$input |
+      ([\$input[0] | setpath([\"spec\", \"config\", \"registry\", \"upstream\", \"noTLSVerify\"]; true)] +  \$input[1:])
+    ' \
+    | yq -y '.[]' \
+    | tee fab.yaml
+"
+docker exec vlab /vlab/hhfab vlab gen
+docker exec vlab /vlab/hhfab vlab up -v --controls-restricted=false -m=manual --recreate