Skip to content

Releases: vicondoa/d2b

v1.4.1

Choose a tag to compare

@github-actions github-actions released this 13 Jul 04:28
9bfbf38

Added

  • Added ADR 0045, defining parent-owned workload-hosted realm
    controllers; explicit runtime, infrastructure, transport, substrate,
    credential, and display provider responsibilities; type-first sortable
    provider crates; generic Unix/vsock/direct/Azure-Relay byte transports;
    Noise-authenticated component sessions with ttrpc/protobuf control services;
    Entra and YubiKey credential placement; and policy-authorized peer shortcuts
    over inherited shared transport fabrics.

Fixed

  • Fixed unsafe-local persistent shells inheriting TERM=dumb from the systemd
    user manager by supplying a fixed true-color terminal baseline while
    preserving the rest of the manager environment and login-shell startup.

  • Made the mkfs diagnostic bound test exercise the formatter directly instead
    of depending on unrelated existing-image repair stages.

  • Made output-ring wake coverage observe data and EOF as separate valid
    notifications instead of racing both producer events into one read.

  • Made disk-init test directories use exclusive process-local IDs so parallel
    tests cannot silently share and remove each other's scratch state.

  • Made failed-fd-send coverage track the original pipe identity so concurrent
    numeric fd reuse cannot produce a false leak report.

  • Stabilized shell-supervisor teardown coverage by allowing its asynchronous
    socket cleanup the same bounded reconciliation horizon used by the runtime,
    waking the supervisor accept loop so its owned listener unlinks before forced
    scope teardown, and ensuring a missing/replaced control socket cannot block
    verified scope collection or ledger cleanup.

  • Fixed the provider-neutral launch command missing from the public
    authorization matrix and generated privileges schema. Configured launches
    remain scoped per workload/realm to launcher or admin callers, audited, and
    broker-free.

v1.4.0

Choose a tag to compare

@github-actions github-actions released this 12 Jul 09:53
bc29f63

Added

  • Added the realm-native control plane under d2b.realms.<realm>, including
    canonical <workload>.<realm-path>.d2b targets, provider-neutral workload
    identity, realm network and UI metadata, generated realm artifacts, bounded
    realm/operation inspection commands, and metadata-only topology, access, and
    resource-allocation layers.
  • Added the explicit, default-denied unsafe-local provider for host-user
    workloads. Generic typed exec and shell launcher items now work across
    local VMs, qemu-media, and unsafe-local targets through d2b launch, with
    persistent host shells, same-UID helper supervision, Wayland identity rails,
    and visible no-isolation posture.
  • Added daemon-owned serial-console and audio operations, including
    provider-capability dispatch and host/guest mute and volume controls.
  • Added an opt-in FIDO2/WebAuthn security-key proxy that presents a host device
    to opted-in guests as virtual HID over vsock without transferring USB
    ownership, plus status, session, cancellation, test, and notification
    commands.
  • Added explicit USB attachment for any physically present device to an
    eligible VM, with preflight validation, audited ownership, and rollback.
  • Added the opt-in d2b-clipd clipboard authority, picker-driven cross-realm
    paste, virtualized guest clipboard transport, and Niri focused-window
    attribution.
  • Added a compositor-agnostic UI color contract rendered as
    /etc/d2b/ui-colors.json and /etc/d2b/ui-colors.css, with a Niri VM-border
    backend and per-realm accent metadata.
  • Added macvtap-backed external network attachment for env net VMs, including
    independent egress NAT, port forwards, and mDNS/.local reflection.
  • Added generated storage and synchronization contracts, read-only startup
    validation, d2b host doctor --read-only, and
    d2b host migrate-storage --dry-run.
  • Added provider-aware graceful VM shutdown with configurable global and per-VM
    timeouts, plus explicit --force lifecycle overrides.
  • Added experimental remote full-host and provider-managed Azure Container Apps
    adapters with capability matrices, bounded backoff/circuit behavior, and
    redacted diagnostics. Production remote transport remains out of scope.
  • Added release automation that creates a version tag and GitHub release with
    host binaries, checksums, and a Nix hash manifest when a dated changelog
    section reaches main.

Changed

  • Breaking: Renamed the project to d2b: Double Dutch Bus. Commands,
    packages, services, sockets, Nix options, paths, schemas, and telemetry now
    use only d2b naming; no legacy aliases are provided.
  • Breaking: Removed the legacy d2b.gateways and nested gateway/ACA sandbox
    configuration surfaces. Configurations must migrate to d2b.realms.
  • Breaking: Explicit d2b:// targets must include the reserved .d2b
    suffix; omitted suffixes no longer fall back to local VM routing.
  • Breaking: Unsupported constellation streams and operations now return
    typed unsupported errors instead of falling back to generic byte streams.
  • Breaking: VMs using usbip.yubikey = true must enable guest control;
    USBIP attach and detach no longer have an SSH fallback.
  • Advanced the public manifest schema to version 7 and the private bundle
    contract to version 11. The release adds runtime/provider capabilities,
    graceful-shutdown metadata, realm artifacts, configured launcher items,
    unsafe-local helper policy, and storage/synchronization contracts.
  • Renamed the Wayland proxy package and binary to d2b-wayland-proxy and the
    configuration surface to graphics.waylandProxy.*. The former option path is
    retained as a compatibility alias for this release.
  • Moved audio process identity entirely into the daemon-managed audio runner and
    retired the former audio service path.
  • Changed live VM activation to a broker-prepare, guest-control activation, and
    broker-commit flow. Offline activation now fails closed except for explicit
    boot staging.
  • Changed daemon list/status handling to use request-scoped artifact snapshots
    and parallel per-VM status probes, improving consistency and desktop-client
    latency.
  • Changed runtime/state creation to rely on tmpfiles-owned parents and
    narrowly-scoped ACLs instead of activation-time permission repair.
  • Changed d2b-priv-broker.service default logging from debug to info.

Fixed

  • Fixed unsafe-local graphical launches by supervising the proxy and configured
    app in one verified user scope with private runtime paths, typed readiness,
    first-client gating, bounded socket names, exact child reaping, canonical
    realm colors, and no direct-compositor fallback.
  • Fixed picker/clipboard protocol compatibility, focus restoration, proxied
    virtual-keyboard replay, endpoint payload handling, cancellation, and
    backpressure while preserving picker-only transfer authority.
  • Fixed USBIP claim, bind/unbind, firewall, ACL rollback, restart reconciliation,
    and revocation races; hardened security-key UHID framing, socket lifetime, and
    udev behavior.
  • Fixed console and audio session ownership, QMP chardev handling, PipeWire
    targeting, and provider dispatch.
  • Fixed daemon restart and host-switch continuity: d2bd.service reports ready
    only after socket bind and runner adoption, while running VMs remain alive.
  • Fixed guest exec and GUI launch establishment timeouts under heavy virtiofs
    load.
  • Fixed runtime, state, guest-control, observability, and per-role ACL ordering
    so daemon and runner access survives reboot and host switches without local
    overrides.
  • Fixed net-VM cold-boot host preparation, qemu-media synchronization contract
    rendering, broker child reaping, and existing disk-image validation.
  • Fixed realm controller and workload identity JSON field names and nesting to
    match their Rust DTOs.
  • Fixed realm workload CLI routing, bare-VM migration hints, persistent-shell
    owner framing, and guest journal sizing.

Removed

  • Removed d2b usb enroll; qemu-media USB boot selection now uses
    qemuMedia.source.usbSelector.byIdName and d2b usb probe.

Security

  • Kept realm relay/provider credentials, remote registries, and realm audit out
    of the host daemon, broker, and bundle; relay identity is never mapped to
    local lifecycle authorization.
  • Enforced same-UID unsafe-local helper registration, private proxy/readiness
    sockets, immutable proxy binaries, operation fingerprint parity, fail-closed
    group eligibility, and explicit logout/login after new group assignment.
  • Enforced picker/clipd-only cross-realm clipboard transfer, strict bounded and
    redacted protocol metadata, destination-focus verification, and proxy-safe
    synthetic paste ordering.
  • Tightened broker, runtime, qemu-media, observability, and per-role path
    ownership so diagnostics remain redacted and mutable host state stays within
    its declared authority.

v1.3.1

Choose a tag to compare

@github-actions github-actions released this 19 Jun 06:39
6e269c7

Fixed

  • USBIP lock acquire is now idempotent for the same VM: when a VM is
    restarted (nixling down + nixling up), the broker no longer
    refuses to re-bind a busid that the same VM already owns. Previously,
    every VM restart required a manual nixling usb detach + nixling usb attach cycle because the lock file persisted across the stop/start.