Merge branch 'main' into codex/guestmemory-reclaim

Author: sjmiller609

.github/workflows/test.yml

@@ -38,7 +38,19 @@ jobs:
             sudo apt-get install -y erofs-utils e2fsprogs iptables
           fi
           go mod download
-      
+
+      - name: Verify Linux test toolchain
+        run: |
+          set -euo pipefail
+          TEST_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
+          for bin in mkfs.erofs mkfs.ext4 iptables; do
+            if ! sudo env "PATH=$TEST_PATH" bash -lc "command -v '$bin' >/dev/null"; then
+              echo "missing required binary under sudo PATH: $bin"
+              exit 1
+            fi
+            sudo env "PATH=$TEST_PATH" bash -lc "command -v '$bin'"
+          done
+
       # Avoids rate limits when running the tests
       # Tests includes pulling, then converting to disk images
       - name: Login to Docker Hub

cmd/api/api/builds.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kernel/hypeman/lib/images"
 	"github.com/kernel/hypeman/lib/logger"
 	"github.com/kernel/hypeman/lib/oapi"
+	"github.com/kernel/hypeman/lib/tags"
 )
 
 // ListBuilds returns all builds
@@ -28,9 +29,12 @@ func (s *ApiService) ListBuilds(ctx context.Context, request oapi.ListBuildsRequ
 		}, nil
 	}
 
-	oapiBuilds := make([]oapi.Build, len(domainBuilds))
-	for i, b := range domainBuilds {
-		oapiBuilds[i] = buildToOAPI(b)
+	oapiBuilds := make([]oapi.Build, 0, len(domainBuilds))
+	for _, b := range domainBuilds {
+		if b == nil || !matchesMetadataFilter(b.Metadata, request.Params.Metadata) {
+			continue
+		}
+		oapiBuilds = append(oapiBuilds, buildToOAPI(b))
 	}
 
 	return oapi.ListBuilds200JSONResponse(oapiBuilds), nil
@@ -46,6 +50,7 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 	var timeoutSeconds, memoryMB, cpus int
 	var isAdminBuild bool
 	var secrets []builds.SecretRef
+	var metadata map[string]string
 
 	for {
 		part, err := request.Body.NextPart()
@@ -169,6 +174,22 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 				}, nil
 			}
 			imageName = string(data)
+		case "metadata":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read metadata field",
+				}, nil
+			}
+			parsed, err := parseMetadataJSON(string(data))
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "metadata must be a JSON object with string key-value pairs",
+				}, nil
+			}
+			metadata = parsed
 		}
 		part.Close()
 	}
@@ -203,6 +224,7 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 		IsAdminBuild:    isAdminBuild,
 		GlobalCacheKey:  globalCacheKey,
 		ImageName:       imageName,
+		Metadata:        metadata,
 	}
 
 	// Apply build policy if any field was provided
@@ -223,6 +245,11 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 	build, err := s.BuildManager.CreateBuild(ctx, domainReq, sourceData)
 	if err != nil {
 		switch {
+		case errors.Is(err, tags.ErrInvalidMetadata):
+			return oapi.CreateBuild400JSONResponse{
+				Code:    "invalid_request",
+				Message: err.Error(),
+			}, nil
 		case errors.Is(err, builds.ErrDockerfileRequired):
 			return oapi.CreateBuild400JSONResponse{
 				Code:    "dockerfile_required",
@@ -359,6 +386,7 @@ func buildToOAPI(b *builds.Build) oapi.Build {
 	oapiBuild := oapi.Build{
 		Id:                b.ID,
 		Status:            oapi.BuildStatus(b.Status),
+		Metadata:          toOAPIMetadata(b.Metadata),
 		QueuePosition:     b.QueuePosition,
 		ImageDigest:       b.ImageDigest,
 		ImageRef:          b.ImageRef,

cmd/api/api/devices.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/kernel/hypeman/lib/devices"
 	"github.com/kernel/hypeman/lib/oapi"
+	"github.com/kernel/hypeman/lib/tags"
 )
 
 // ListDevices returns all registered devices
@@ -18,9 +19,12 @@ func (s *ApiService) ListDevices(ctx context.Context, request oapi.ListDevicesRe
 		}, nil
 	}
 
-	result := make([]oapi.Device, len(deviceList))
-	for i, d := range deviceList {
-		result[i] = deviceToOAPI(d)
+	result := make([]oapi.Device, 0, len(deviceList))
+	for _, d := range deviceList {
+		if !matchesMetadataFilter(d.Metadata, request.Params.Metadata) {
+			continue
+		}
+		result = append(result, deviceToOAPI(d))
 	}
 
 	return oapi.ListDevices200JSONResponse(result), nil
@@ -53,11 +57,17 @@ func (s *ApiService) CreateDevice(ctx context.Context, request oapi.CreateDevice
 	req := devices.CreateDeviceRequest{
 		Name:       name,
 		PCIAddress: request.Body.PciAddress,
+		Metadata:   toMapMetadata(request.Body.Metadata),
 	}
 
 	device, err := s.DeviceManager.CreateDevice(ctx, req)
 	if err != nil {
 		switch {
+		case errors.Is(err, tags.ErrInvalidMetadata):
+			return oapi.CreateDevice400JSONResponse{
+				Code:    "invalid_request",
+				Message: err.Error(),
+			}, nil
 		case errors.Is(err, devices.ErrInvalidName):
 			return oapi.CreateDevice400JSONResponse{
 				Code:    "invalid_name",
@@ -142,6 +152,7 @@ func deviceToOAPI(d devices.Device) oapi.Device {
 		Id:          d.Id,
 		Name:        &d.Name,
 		Type:        deviceType,
+		Metadata:    toOAPIMetadata(d.Metadata),
 		PciAddress:  d.PCIAddress,
 		VendorId:    d.VendorID,
 		DeviceId:    d.DeviceID,

cmd/api/api/images.go

@@ -8,6 +8,7 @@ import (
 	"github.com/kernel/hypeman/lib/logger"
 	mw "github.com/kernel/hypeman/lib/middleware"
 	"github.com/kernel/hypeman/lib/oapi"
+	"github.com/kernel/hypeman/lib/tags"
 )
 
 func (s *ApiService) ListImages(ctx context.Context, request oapi.ListImagesRequestObject) (oapi.ListImagesResponseObject, error) {
@@ -22,24 +23,32 @@ func (s *ApiService) ListImages(ctx context.Context, request oapi.ListImagesRequ
 		}, nil
 	}
 
-	oapiImages := make([]oapi.Image, len(domainImages))
-	for i, img := range domainImages {
-		oapiImages[i] = imageToOAPI(img)
+	oapiImages := make([]oapi.Image, 0, len(domainImages))
+	for _, img := range domainImages {
+		if !matchesMetadataFilter(img.Metadata, request.Params.Metadata) {
+			continue
+		}
+		oapiImages = append(oapiImages, imageToOAPI(img))
 	}
-
 	return oapi.ListImages200JSONResponse(oapiImages), nil
 }
 
 func (s *ApiService) CreateImage(ctx context.Context, request oapi.CreateImageRequestObject) (oapi.CreateImageResponseObject, error) {
 	log := logger.FromContext(ctx)
 
 	domainReq := images.CreateImageRequest{
-		Name: request.Body.Name,
+		Name:     request.Body.Name,
+		Metadata: toMapMetadata(request.Body.Metadata),
 	}
 
 	img, err := s.ImageManager.CreateImage(ctx, domainReq)
 	if err != nil {
 		switch {
+		case errors.Is(err, tags.ErrInvalidMetadata):
+			return oapi.CreateImage400JSONResponse{
+				Code:    "invalid_request",
+				Message: err.Error(),
+			}, nil
 		case errors.Is(err, images.ErrInvalidName):
 			return oapi.CreateImage400JSONResponse{
 				Code:    "invalid_name",
@@ -117,6 +126,9 @@ func imageToOAPI(img images.Image) oapi.Image {
 	if len(img.Env) > 0 {
 		oapiImg.Env = &img.Env
 	}
+	if len(img.Metadata) > 0 {
+		oapiImg.Metadata = toOAPIMetadata(img.Metadata)
+	}
 	if img.WorkingDir != "" {
 		oapiImg.WorkingDir = &img.WorkingDir
 	}

cmd/api/api/ingress.go

@@ -23,9 +23,12 @@ func (s *ApiService) ListIngresses(ctx context.Context, request oapi.ListIngress
 		}, nil
 	}
 
-	oapiIngresses := make([]oapi.Ingress, len(ingresses))
-	for i, ing := range ingresses {
-		oapiIngresses[i] = ingressToOAPI(ing)
+	oapiIngresses := make([]oapi.Ingress, 0, len(ingresses))
+	for _, ing := range ingresses {
+		if !matchesMetadataFilter(ing.Metadata, request.Params.Metadata) {
+			continue
+		}
+		oapiIngresses = append(oapiIngresses, ingressToOAPI(ing))
 	}
 
 	return oapi.ListIngresses200JSONResponse(oapiIngresses), nil
@@ -37,8 +40,9 @@ func (s *ApiService) CreateIngress(ctx context.Context, request oapi.CreateIngre
 
 	// Convert OAPI request to domain request
 	domainReq := ingress.CreateIngressRequest{
-		Name:  request.Body.Name,
-		Rules: make([]ingress.IngressRule, len(request.Body.Rules)),
+		Name:     request.Body.Name,
+		Metadata: toMapMetadata(request.Body.Metadata),
+		Rules:    make([]ingress.IngressRule, len(request.Body.Rules)),
 	}
 
 	for i, rule := range request.Body.Rules {
@@ -180,6 +184,7 @@ func ingressToOAPI(ing ingress.Ingress) oapi.Ingress {
 	return oapi.Ingress{
 		Id:        ing.ID,
 		Name:      ing.Name,
+		Metadata:  toOAPIMetadata(ing.Metadata),
 		Rules:     rules,
 		CreatedAt: ing.CreatedAt,
 	}

cmd/api/api/instances.go

@@ -34,7 +34,7 @@ func (s *ApiService) ListInstances(ctx context.Context, request oapi.ListInstanc
 			filter.State = &state
 		}
 		if request.Params.Metadata != nil {
-			filter.Metadata = *request.Params.Metadata
+			filter.Metadata = toMapMetadata(request.Params.Metadata)
 		}
 	}
 
@@ -127,7 +127,7 @@ func (s *ApiService) CreateInstance(ctx context.Context, request oapi.CreateInst
 
 	metadata := make(map[string]string)
 	if request.Body.Metadata != nil {
-		metadata = *request.Body.Metadata
+		metadata = toMapMetadata(request.Body.Metadata)
 	}
 
 	// Parse network enabled (default: true)
@@ -288,6 +288,11 @@ func (s *ApiService) CreateInstance(ctx context.Context, request oapi.CreateInst
 				Code:    "insufficient_resources",
 				Message: err.Error(),
 			}, nil
+		case errors.Is(err, instances.ErrInvalidRequest):
+			return oapi.CreateInstance400JSONResponse{
+				Code:    "invalid_request",
+				Message: err.Error(),
+			}, nil
 		default:
 			log.ErrorContext(ctx, "failed to create instance", "error", err, "image", request.Body.Image)
 			return oapi.CreateInstance500JSONResponse{
@@ -791,23 +796,21 @@ func instanceToOAPI(inst instances.Instance) oapi.Instance {
 		uploadBwStr = &s
 	}
 
-	// Build network object with ip/mac and bandwidth nested inside
-	netObj := &struct {
-		BandwidthDownload *string `json:"bandwidth_download,omitempty"`
-		BandwidthUpload   *string `json:"bandwidth_upload,omitempty"`
-		Enabled           *bool   `json:"enabled,omitempty"`
-		Ip                *string `json:"ip"`
-		Mac               *string `json:"mac"`
-		Name              *string `json:"name,omitempty"`
-	}{
-		Enabled:           lo.ToPtr(inst.NetworkEnabled),
-		BandwidthDownload: downloadBwStr,
-		BandwidthUpload:   uploadBwStr,
+	// Build network payload as JSON to avoid compile-time coupling to
+	// generated anonymous struct tags in oapi.Instance.Network.
+	networkPayload := map[string]any{
+		"enabled": inst.NetworkEnabled,
+	}
+	if downloadBwStr != nil {
+		networkPayload["bandwidth_download"] = *downloadBwStr
+	}
+	if uploadBwStr != nil {
+		networkPayload["bandwidth_upload"] = *uploadBwStr
 	}
 	if inst.NetworkEnabled {
-		netObj.Name = lo.ToPtr("default")
-		netObj.Ip = lo.ToPtr(inst.IP)
-		netObj.Mac = lo.ToPtr(inst.MAC)
+		networkPayload["name"] = "default"
+		networkPayload["ip"] = inst.IP
+		networkPayload["mac"] = inst.MAC
 	}
 
 	// Convert hypervisor type
@@ -831,7 +834,7 @@ func instanceToOAPI(inst instances.Instance) oapi.Instance {
 		OverlaySize: lo.ToPtr(overlaySizeStr),
 		Vcpus:       lo.ToPtr(inst.Vcpus),
 		DiskIoBps:   diskIoBpsStr,
-		Network:     netObj,
+		Network:     nil,
 		CreatedAt:   inst.CreatedAt,
 		StartedAt:   inst.StartedAt,
 		StoppedAt:   inst.StoppedAt,
@@ -840,6 +843,10 @@ func instanceToOAPI(inst instances.Instance) oapi.Instance {
 		Hypervisor:  &hvType,
 	}
 
+	if b, err := json.Marshal(networkPayload); err == nil {
+		_ = json.Unmarshal(b, &oapiInst.Network)
+	}
+
 	if inst.ExitMessage != "" {
 		oapiInst.ExitMessage = lo.ToPtr(inst.ExitMessage)
 	}
@@ -849,7 +856,7 @@ func instanceToOAPI(inst instances.Instance) oapi.Instance {
 	}
 
 	if len(inst.Metadata) > 0 {
-		oapiInst.Metadata = &inst.Metadata
+		oapiInst.Metadata = toOAPIMetadata(inst.Metadata)
 	}
 
 	// Convert volume attachments

cmd/api/api/metadata.go

@@ -0,0 +1,42 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/kernel/hypeman/lib/oapi"
+	"github.com/kernel/hypeman/lib/tags"
+)
+
+func toMapMetadata(metadata *oapi.MetadataTags) map[string]string {
+	if metadata == nil {
+		return nil
+	}
+	return tags.Clone(map[string]string(*metadata))
+}
+
+func toOAPIMetadata(metadata map[string]string) *oapi.MetadataTags {
+	if len(metadata) == 0 {
+		return nil
+	}
+	cloned := oapi.MetadataTags(tags.Clone(metadata))
+	return &cloned
+}
+
+func matchesMetadataFilter(metadata map[string]string, filter *oapi.MetadataTags) bool {
+	if filter == nil {
+		return true
+	}
+	return tags.Matches(metadata, map[string]string(*filter))
+}
+
+func parseMetadataJSON(raw string) (map[string]string, error) {
+	if raw == "" {
+		return nil, nil
+	}
+	var metadata map[string]string
+	if err := json.Unmarshal([]byte(raw), &metadata); err != nil {
+		return nil, fmt.Errorf("parse metadata JSON: %w", err)
+	}
+	return metadata, nil
+}