From 072bcfdbc81a433681390a70be1d55fc4bdae1d1 Mon Sep 17 00:00:00 2001 From: juvdiaz Date: Thu, 28 May 2026 09:35:29 -0600 Subject: [PATCH] Add stopped OpenWrt VM command --- README.md | 14 ++++++++------ bootstrap/provisioning/README.md | 18 ++++++++++------- lab.sh | 33 +++++++++++++++++++++++++++----- 3 files changed, 47 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index f9b2236..6a34c53 100644 --- a/README.md +++ b/README.md @@ -116,12 +116,14 @@ pipeline keeps the template current and leaves VMID `9010` alone. Set slot, or set `LAB_PIMOX_WORKER_COUNT=2` to manage the second slot while still skipping the first. -OpenWrt firewall VM automation is opt-in because it attaches to both WAN and -LAN bridges. Set `LAB_OPENWRT_VM=true` after `vmbr1` already exists on the -Orange Pi. The pipeline downloads the OpenWrt ARM SystemReady EFI image, writes -basic WAN/LAN/firewall config into the image, imports it as VM `9050`, attaches -`vmbr0` as WAN and `vmbr1` as LAN, and stores the VM disk on `nvme_thin_pool`. -It does not use the Debian Kubernetes golden-node template for OpenWrt. +OpenWrt firewall VM automation is available as a standalone command because it +attaches to both WAN and LAN bridges. Run `./lab.sh openwrt` after `vmbr1` +already exists on the Orange Pi. The pipeline downloads the OpenWrt ARM +SystemReady EFI image, writes basic WAN/LAN/firewall config into the image, +imports it as VM `9100`, attaches `vmbr0` as WAN and `vmbr1` as LAN, and stores +the VM disk on `nvme_thin_pool`. It leaves the VM stopped and not enabled for +host boot by default. It does not use the Debian Kubernetes golden-node template +for OpenWrt. The website and demos images default to `linux/arm64` because both deployments are pinned to the Raspberry Pi worker. Override with `WEBSITE_IMAGE_PLATFORMS` diff --git a/bootstrap/provisioning/README.md b/bootstrap/provisioning/README.md index e959cc9..a90f327 100644 --- a/bootstrap/provisioning/README.md 
+++ b/bootstrap/provisioning/README.md @@ -135,35 +135,39 @@ OpenWrt is not built from the Debian golden-node template. The Kubernetes template remains Debian-only; OpenWrt uses the upstream ARM SystemReady `armsr/armv8` combined EFI image instead. -The OpenWrt path is disabled by default. Enable it only after `vmbr1` exists on -the Pimox host and the second NIC/LAN side is safe to use: +The OpenWrt path is separate from the Kubernetes worker template. Run it only +after `vmbr1` exists on the Pimox host and the second NIC/LAN side is safe to +use: ```bash -LAB_OPENWRT_VM=true ./lab.sh up +./lab.sh openwrt ``` Defaults: -- VMID `9050` +- VMID `9100` - VM name `openwrt-firewall` - disk storage `nvme_thin_pool` - WAN bridge `vmbr0` - LAN bridge `vmbr1` - LAN address `192.168.50.1/24` - LAN DHCP disabled by default +- VM start disabled by default +- VM onboot disabled by default - OpenWrt version `24.10.6` Useful overrides: ```bash -LAB_OPENWRT_VMID=9050 +LAB_OPENWRT_VMID=9100 LAB_OPENWRT_STORAGE=nvme_thin_pool LAB_OPENWRT_WAN_BRIDGE=vmbr0 LAB_OPENWRT_LAN_BRIDGE=vmbr1 LAB_OPENWRT_LAN_IP=192.168.50.1 LAB_OPENWRT_LAN_NETMASK=255.255.255.0 -LAB_OPENWRT_LAN_DHCP_ENABLED=true -LAB_OPENWRT_START=true +LAB_OPENWRT_LAN_DHCP_ENABLED=false +LAB_OPENWRT_START=false +LAB_OPENWRT_ONBOOT=false LAB_OPENWRT_VERSION=24.10.6 LAB_OPENWRT_IMAGE_URL=https://downloads.openwrt.org/releases/24.10.6/targets/armsr/armv8/openwrt-24.10.6-armsr-armv8-generic-ext4-combined-efi.img.gz ``` diff --git a/lab.sh b/lab.sh index 7361d16..7a01964 100755 --- a/lab.sh +++ b/lab.sh 
@@ -844,7 +844,7 @@ run_openwrt_pipeline() { local pimox_user="${LAB_PIMOX_USER:-${TF_VAR_pimox_user:-jv}}" local pimox_key="${LAB_PIMOX_SSH_KEY_PATH:-${TF_VAR_pimox_ssh_key_path:-/home/jv/.ssh/id_ed25519}}" local qm_bin="${LAB_PIMOX_QM_BIN:-${TF_VAR_pimox_qm_bin:-/usr/sbin/qm}}" - local vmid="${LAB_OPENWRT_VMID:-9050}" + local vmid="${LAB_OPENWRT_VMID:-9100}" local vm_name="${LAB_OPENWRT_NAME:-openwrt-firewall}" local storage="${LAB_OPENWRT_STORAGE:-nvme_thin_pool}" local wan_bridge="${LAB_OPENWRT_WAN_BRIDGE:-vmbr0}" @@ -856,11 +856,13 @@ run_openwrt_pipeline() { local lan_ip="${LAB_OPENWRT_LAN_IP:-192.168.50.1}" local lan_netmask="${LAB_OPENWRT_LAN_NETMASK:-255.255.255.0}" local lan_dhcp_enabled="${LAB_OPENWRT_LAN_DHCP_ENABLED:-false}" - local start_vm="${LAB_OPENWRT_START:-true}" + local start_vm="${LAB_OPENWRT_START:-false}" + local onboot="${LAB_OPENWRT_ONBOOT:-false}" local root_key_path="${LAB_OPENWRT_ROOT_SSH_PUBLIC_KEY_PATH:-${pimox_key}.pub}" local root_key_b64="" local lan_dhcp_ignore="1" local start_vm_flag="false" + local onboot_flag="0" if disabled_value "${mode}"; then return 0 @@ -896,9 +898,20 @@ run_openwrt_pipeline() { if truthy "${lan_dhcp_enabled}"; then lan_dhcp_ignore="0" fi + if ! truthy "${start_vm}" && ! disabled_value "${start_vm}"; then + echo "LAB_OPENWRT_START must be true or false." >&2 + exit 1 + fi if truthy "${start_vm}"; then start_vm_flag="true" fi + if ! truthy "${onboot}" && ! disabled_value "${onboot}"; then + echo "LAB_OPENWRT_ONBOOT must be true or false." >&2 + exit 1 + fi + if truthy "${onboot}"; then + onboot_flag="1" + fi if [[ -r "${root_key_path}" ]]; then root_key_b64="$(base64 <"${root_key_path}" | tr -d '\n')" fi @@ -919,6 +932,7 @@ lan_ip="${lan_ip}" lan_netmask="${lan_netmask}" lan_dhcp_ignore="${lan_dhcp_ignore}" start_vm="${start_vm_flag}" +onboot="${onboot_flag}" root_key_b64="${root_key_b64}" qm_cmd="${qm_bin}" 
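Review bot: Moving the `vmid` default from `9050` to `9100` in `run_openwrt_pipeline` is not reconciled with the existing-VM check later in the remote script, which keys on `\$vmid` alone (`if sudo "\$qm_cmd" status "\$vmid"` in the `@@ -966` hunk), so a host provisioned under the old default will presumably get a second `openwrt-firewall` VM created at 9100 next to the one at 9050, both attached to `vmbr0`/`vmbr1` and, per the README defaults, both configured with `192.168.50.1/24` on the LAN bridge. Unless `LAB_OPENWRT_VMID=9050` is exported that leaves two firewall instances with a duplicate LAN address on the same bridges, which is a conflict rather than a clean migration. A comment beside the default such as `# default VMID moved from 9050 to 9100; set LAB_OPENWRT_VMID=9050 on hosts provisioned before this change` plus a matching line in the README "Useful overrides" block would make the migration explicit; a name-based existence check in the remote script would be the stronger fix but lies outside this hunk. The function body starts and ends outside the hunk.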
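Review bot: The new strict validation of `start_vm` and `onboot` in the `@@ -896` hunk (reject anything that is neither `truthy` nor `disabled_value`, then `exit 1`) is not applied to `lan_dhcp_enabled` three lines above it, which still silently treats any non-truthy value, including a typo such as `ture`, as disabled, so the three booleans now behave differently on bad input. A file-level helper, `require_bool() { truthy "$2" || disabled_value "$2" || { echo "$1 must be true or false." >&2; exit 1; }; }`, called for `LAB_OPENWRT_LAN_DHCP_ENABLED`, `LAB_OPENWRT_START` and `LAB_OPENWRT_ONBOOT` would remove the duplicated block and make the behaviour uniform. On the positive side, only the validated `onboot_flag` (`0`/`1`) reaches the unquoted heredoc in the `@@ -919` hunk, so the raw environment value cannot be interpolated into the remote `qm` command line. `run_openwrt_pipeline` starts and ends outside this hunk.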
@@ -966,7 +980,7 @@ if sudo "\$qm_cmd" status "\$vmid" >/dev/null 2>&1; then --net1 "virtio,bridge=\$lan_bridge" \\ --cores "\$cores" \\ --memory "\$memory" \\ - --onboot 1 + --onboot "\$onboot" if [ "\$start_vm" = "true" ] && sudo "\$qm_cmd" status "\$vmid" | grep -q 'status: stopped'; then sudo "\$qm_cmd" start "\$vmid" fi @@ -1142,7 +1156,7 @@ sudo "\$qm_cmd" create "\$vmid" \\ --scsihw virtio-scsi-pci \\ --sockets 1 \\ --vga virtio \\ - --onboot 1 + --onboot "\$onboot" sudo "\$qm_cmd" set "\$vmid" --efidisk0 "\$storage:1,efitype=4m,pre-enrolled-keys=0" sudo "\$qm_cmd" importdisk "\$vmid" "\$tmp_dir/openwrt.img" "\$storage" --format raw >/dev/null @@ -1160,6 +1174,12 @@ fi EOF } +openwrt() { + require_debian_server "openwrt" + + LAB_OPENWRT_VM=true run_openwrt_pipeline +} + cleanup_calico_links() { ip link show | awk -F: '/^[0-9]+: cali/ {print $2}' | cut -d@ -f1 | xargs -r -n1 sudo ip link delete 2>/dev/null || true sudo ip link delete vxlan.calico 2>/dev/null || true @@ -2741,11 +2761,14 @@ case "${1:-}" in install-gitea-runner) install_gitea_runner "${2:-}" ;; + openwrt) + openwrt + ;; nuke) nuke ;; *) - echo "Usage: $0 {up|rebuild-cluster|apps|deploy-gitea|bootstrap-gitea-repo|backup-gitea|drill-gitea-restore|install-gitea-runner|nuke}" + echo "Usage: $0 {up|rebuild-cluster|apps|deploy-gitea|bootstrap-gitea-repo|backup-gitea|drill-gitea-restore|install-gitea-runner|openwrt|nuke}" exit 1 ;; esac
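Review bot: In the existing-VM branch (`if sudo "\$qm_cmd" status "\$vmid"`, the `qm set` path) `--onboot "\$onboot"` now rewrites the VM's autostart flag on every run with the new default of `0`, so re-running the pipeline with defaults against a firewall VM that an earlier run created with `--onboot 1` silently clears its autostart, and after the next Pimox reboot the WAN/LAN firewall presumably stays down until someone starts it by hand. The create path in the `@@ -1142` hunk is fine, because a new VM is documented as stopped and onboot-disabled; it is the re-run on an existing VM that changes state without being asked. Either pass `--onboot` in the `qm set` branch only when `LAB_OPENWRT_ONBOOT` was set explicitly, or document the re-run behaviour in the README next to `LAB_OPENWRT_ONBOOT=false`; at minimum a comment such as `# onboot is re-applied on every run: the default 0 clears autostart set by earlier runs` above the `qm set` call would make it visible. The enclosing heredoc and function extend beyond this hunk.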
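Review bot: The new `openwrt()` function in the `@@ -1160` hunk has no header comment explaining why it forces `LAB_OPENWRT_VM=true` into the call to `run_openwrt_pipeline`, which presumably is what the `mode` checked by `disabled_value "${mode}"` in the `@@ -856` hunk is derived from; a reader who sees `./lab.sh openwrt` leave the VM stopped will not learn from this function that `LAB_OPENWRT_START` and `LAB_OPENWRT_ONBOOT` govern that. A short comment above the function would close the gap, for example `# Provision the OpenWrt firewall VM as a standalone step (bypasses the LAB_OPENWRT_VM opt-in); the VM is left stopped with onboot=0 unless LAB_OPENWRT_START / LAB_OPENWRT_ONBOOT are true.` The `VAR=value function` prefix relies on bash scoping the assignment to that call, which is fine for a script executed directly as here, but it is worth a word in the same comment so nobody later "simplifies" it into a plain `export`.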