feat: streamline Azure login and fix Windows sync #77
Merged
Add a new `crabbox azure login` subcommand that detects the active Azure subscription from the `az` CLI (`az account show`), validates credentials through `DefaultAzureCredential`, and persists subscription ID, tenant ID, and location to the user config file. This eliminates the need to manually export AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables for direct-mode local development.

Changes:

CLI:
- internal/cli/azure_cli.go: new azAccountShow() helper that runs `az account show --output json` and parses subscription/tenant/name.
- internal/cli/azure_login.go: new `crabbox azure login` command with --subscription, --location, and --json flags. Validates token acquisition before writing config.
- internal/cli/azure.go: NewAzureClient now auto-resolves subscription from `az account show` when AzureSubscription is empty, before erroring. Includes the underlying error in the message for diagnostics.
- internal/cli/cli_kong.go: registered `azure` command group with `login` subcommand; added `azure` to isKongCommandGroup.
- internal/cli/app.go: added `crabbox azure login` to CLI help text.

Tests:
- internal/cli/azure_cli_test.go: JSON parsing and missing `az` CLI tests.
- internal/cli/azure_login_test.go: config write round-trip and existing config preservation tests.
- internal/cli/azure_test.go: TestNewAzureClientAutoResolvesSubscription verifies the fallback error mentions `az login`.

Docs:
- docs/commands/azure.md: new command reference for `crabbox azure login`.
- docs/providers/azure.md: added Quick Start with `az login` section.
- docs/features/azure.md: added quick-start section.

The service-principal environment variable path is unchanged. This is a purely additive change.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When connecting through a VPN to the Azure virtual network, outbound SSH to public IPs may be blocked by corporate firewalls. This adds an azure.network config option (public|private) that selects whether Crabbox uses the VM public IP or NIC private IP for SSH.

- Add PrivateNet.IPv4.IP field to Server struct
- Read NIC private IP in Azure provider (WaitForServerIP, GetServer, List)
- Add AzureServerHost helper to select IP based on config
- Support config (azure.network), env (CRABBOX_AZURE_NETWORK)
- Update Azure backend Acquire/Resolve to use configured network
- Add tests for IP selection and private IP population
- Document in provider and feature docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Windows OpenSSH does not support Unix domain sockets used by ControlMaster=auto for connection multiplexing. This causes 'getsockname failed: Not a socket' errors on every SSH probe, preventing warmup, run, and all SSH-based operations from working. Disable ControlMaster on Windows (runtime.GOOS == windows) the same way it is already disabled for AuthSecret targets. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MSYS2/Cygwin rsync interprets the colon in Windows drive paths like C:/foo as a remote host separator, causing 'source and destination cannot both be remote' errors. Convert drive paths to POSIX style (/c/foo) before passing to rsync on Windows. Also disable SSH ControlMaster on Windows since Windows OpenSSH does not support Unix domain sockets for connection multiplexing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MSYS2/Cygwin rsync has broken signal handling with Windows SSH child processes (sigpacket::process: Suppressing signal 30), causing every remote rsync transfer to fail with code 12. When WSL is available, delegate rsync to WSL which has native Linux rsync without these interop issues. SSH keys are copied to WSL /tmp with chmod 600, and source paths are converted from /c/... to /mnt/c/... format. Falls back to native rsync with MSYS2_ARG_CONV_EXCL when WSL is not available. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The -e 'ssh -i C:\path\key ...' argument embeds Windows paths that WSL ssh cannot read. Replace drive-letter paths (C:/...) with WSL mount paths (/mnt/c/...) anywhere in the string, not just when the whole arg starts with a drive letter. Copy SSH keys to WSL /tmp with chmod 600 since /mnt/c filesystem has 0777 permissions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove t.Parallel from Azure tests that call t.Setenv so Go's test runner no longer panics on process-wide environment mutation. Document that Azure shared vnet, subnet, and NSG resources are regional. Reusing the default shared resource names requires azure.location to match the existing resources, or distinct names must be used for a new region.
d0b6918 to 032a97e
This was referenced May 11, 2026
Summary
This PR improves Azure direct-mode setup and fixes several Windows SSH/rsync sync issues.
The main Azure change is that users can now authenticate with the Azure CLI instead of configuring service-principal environment variables. After `az login`, users can run `crabbox azure login` to persist the active subscription, tenant, and location into Crabbox config, or Crabbox can auto-resolve the active subscription from `az account show` at runtime.

This also adds Azure private-network selection for VPN/private VNet use, and documents the regional constraints around shared Azure network infrastructure.
Significant Changes
Azure CLI login flow
- `crabbox azure login`.
- `az account show` to detect the active Azure subscription, tenant, and subscription name.
- `DefaultAzureCredential`.
- `provider: azure` when no provider is already configured.
- `--subscription <id|name>`, `--location <region>`, and `--json`.
- `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, or `AZURE_CLIENT_SECRET` for the common `az login` workflow.
Azure private network support
- `azure.network` config and `CRABBOX_AZURE_NETWORK`.
- `azure.network: private` is configured, Crabbox uses the VM NIC private IP when available.
- `private_net.ipv4.ip`.
Azure docs
- `crabbox azure login`.
- `az login` setup path.
- `CRABBOX_AZURE_NETWORK` and `azure.network`.
- `azure.location` to match the existing resource region, or distinct vnet/subnet/NSG names must be used for a new region.
Windows SSH and rsync fixes
- `ControlMaster` on Windows.
- `getsockname failed: Not a socket`.
- `C:\OpenClaw\crabbox` / `C:/OpenClaw/crabbox` into rsync-safe `/c/OpenClaw/crabbox` form.
- `wsl.exe` is available to avoid MSYS2/Cygwin rsync signal-handling issues with Windows SSH child processes.
- `/mnt/c/...`.
- `-e "ssh ..."` argument, including SSH key and known_hosts paths.
- `/tmp` and applies `chmod 600` so WSL OpenSSH can use it safely.
Test fixes
- `t.Parallel()` from Azure tests that call `t.Setenv`.
Verification
Also manually validated Azure config behavior locally with:
using Azure provider config and `azure.network: private`.
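The drive-path rewriting described under "Windows SSH and rsync fixes", as an added Go example that is not the PR's own code: it converts drive paths anywhere in an argument (including inside the `-e "ssh ..."` string) to `/c/...` for MSYS2/Cygwin rsync or `/mnt/c/...` for WSL, while leaving rsync remotes of the form `host:/path` alone. The name `rewriteDrivePaths`, the regular expression, and the sample user paths and address are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// drivePath matches a Windows drive path (C:/foo or C:\foo) anywhere in a string.
// The first group demands start-of-string or a non-alphanumeric character before
// the drive letter, so the "t:" in "build-host:/work" is not taken for a drive.
// Limitation (assumed acceptable here): a path containing spaces is cut at the
// first space, and a one-letter host name is indistinguishable from a drive.
var drivePath = regexp.MustCompile(`(^|[^A-Za-z0-9])([A-Za-z]):([\\/][^\s"']*)`)

// rewriteDrivePaths replaces every drive path in s with
// prefix + lower-case drive letter + the path using forward slashes.
// Use prefix "/" for MSYS2/Cygwin rsync and "/mnt/" for WSL.
func rewriteDrivePaths(s, prefix string) string {
	return drivePath.ReplaceAllStringFunc(s, func(m string) string {
		g := drivePath.FindStringSubmatch(m)
		rest := strings.ReplaceAll(g[3], `\`, "/")
		return g[1] + prefix + strings.ToLower(g[2]) + rest
	})
}

func main() {
	// Constructed sample arguments; only C:/OpenClaw/crabbox comes from the PR text.
	src := `C:\OpenClaw\crabbox`
	sshArg := `ssh -i C:\Users\dev\.ssh\id_ed25519 -o UserKnownHostsFile=C:/Users/dev/.ssh/known_hosts`
	remote := "crabbox@203.0.113.10:/work/crabbox"

	fmt.Println(rewriteDrivePaths(src, "/"))        // MSYS2/Cygwin form
	fmt.Println(rewriteDrivePaths(src, "/mnt/"))    // WSL form
	fmt.Println(rewriteDrivePaths(sshArg, "/mnt/")) // paths embedded in -e "ssh ..."
	fmt.Println(rewriteDrivePaths(remote, "/mnt/")) // remote spec is unchanged
}
```

The rewritten key path still points at `/mnt/c`, which is why the PR copies the key into WSL `/tmp` with `chmod 600` before handing it to WSL OpenSSH.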