Add stopped OpenWrt VM command

2026-05-28 09:35:29 -06:00 · 2026-05-28 09:35:29 -06:00 · 072bcfdbc8
parent 912ccc14f6
commit 072bcfdbc8
3 changed files with 47 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -116,12 +116,14 @@ pipeline keeps the template current and leaves VMID `9010` alone. Set
 slot, or set `LAB_PIMOX_WORKER_COUNT=2` to manage the second slot while still
 skipping the first.

-OpenWrt firewall VM automation is opt-in because it attaches to both WAN and
-LAN bridges. Set `LAB_OPENWRT_VM=true` after `vmbr1` already exists on the
-Orange Pi. The pipeline downloads the OpenWrt ARM SystemReady EFI image, writes
-basic WAN/LAN/firewall config into the image, imports it as VM `9050`, attaches
-`vmbr0` as WAN and `vmbr1` as LAN, and stores the VM disk on `nvme_thin_pool`.
-It does not use the Debian Kubernetes golden-node template for OpenWrt.
+OpenWrt firewall VM automation is available as a standalone command because it
+attaches to both WAN and LAN bridges. Run `./lab.sh openwrt` after `vmbr1`
+already exists on the Orange Pi. The pipeline downloads the OpenWrt ARM
+SystemReady EFI image, writes basic WAN/LAN/firewall config into the image,
+imports it as VM `9100`, attaches `vmbr0` as WAN and `vmbr1` as LAN, and stores
+the VM disk on `nvme_thin_pool`. It leaves the VM stopped and not enabled for
+host boot by default. It does not use the Debian Kubernetes golden-node template
+for OpenWrt.

 The website and demos images default to `linux/arm64` because both deployments
 are pinned to the Raspberry Pi worker. Override with `WEBSITE_IMAGE_PLATFORMS`
--- a/bootstrap/provisioning/README.md
+++ b/bootstrap/provisioning/README.md
@ -135,35 +135,39 @@ OpenWrt is not built from the Debian golden-node template. The Kubernetes
 template remains Debian-only; OpenWrt uses the upstream ARM SystemReady
 `armsr/armv8` combined EFI image instead.

-The OpenWrt path is disabled by default. Enable it only after `vmbr1` exists on
-the Pimox host and the second NIC/LAN side is safe to use:
+The OpenWrt path is separate from the Kubernetes worker template. Run it only
+after `vmbr1` exists on the Pimox host and the second NIC/LAN side is safe to
+use:

 ```bash
-LAB_OPENWRT_VM=true ./lab.sh up
+./lab.sh openwrt
 ```

 Defaults:

- VMID `9050`
+- VMID `9100`
 - VM name `openwrt-firewall`
 - disk storage `nvme_thin_pool`
 - WAN bridge `vmbr0`
 - LAN bridge `vmbr1`
 - LAN address `192.168.50.1/24`
 - LAN DHCP disabled by default
+- VM start disabled by default
+- VM onboot disabled by default
 - OpenWrt version `24.10.6`

 Useful overrides:

 ```bash
-LAB_OPENWRT_VMID=9050
+LAB_OPENWRT_VMID=9100
 LAB_OPENWRT_STORAGE=nvme_thin_pool
 LAB_OPENWRT_WAN_BRIDGE=vmbr0
 LAB_OPENWRT_LAN_BRIDGE=vmbr1
 LAB_OPENWRT_LAN_IP=192.168.50.1
 LAB_OPENWRT_LAN_NETMASK=255.255.255.0
-LAB_OPENWRT_LAN_DHCP_ENABLED=true
-LAB_OPENWRT_START=true
+LAB_OPENWRT_LAN_DHCP_ENABLED=false
+LAB_OPENWRT_START=false
+LAB_OPENWRT_ONBOOT=false
 LAB_OPENWRT_VERSION=24.10.6
 LAB_OPENWRT_IMAGE_URL=https://downloads.openwrt.org/releases/24.10.6/targets/armsr/armv8/openwrt-24.10.6-armsr-armv8-generic-ext4-combined-efi.img.gz
 ```
--- a/lab.sh
+++ b/lab.sh
@ -844,7 +844,7 @@ run_openwrt_pipeline() {
    local pimox_user="${LAB_PIMOX_USER:-${TF_VAR_pimox_user:-jv}}"
    local pimox_key="${LAB_PIMOX_SSH_KEY_PATH:-${TF_VAR_pimox_ssh_key_path:-/home/jv/.ssh/id_ed25519}}"
    local qm_bin="${LAB_PIMOX_QM_BIN:-${TF_VAR_pimox_qm_bin:-/usr/sbin/qm}}"
-    local vmid="${LAB_OPENWRT_VMID:-9050}"
+    local vmid="${LAB_OPENWRT_VMID:-9100}"
    local vm_name="${LAB_OPENWRT_NAME:-openwrt-firewall}"
    local storage="${LAB_OPENWRT_STORAGE:-nvme_thin_pool}"
    local wan_bridge="${LAB_OPENWRT_WAN_BRIDGE:-vmbr0}"
@ -856,11 +856,13 @@ run_openwrt_pipeline() {
    local lan_ip="${LAB_OPENWRT_LAN_IP:-192.168.50.1}"
    local lan_netmask="${LAB_OPENWRT_LAN_NETMASK:-255.255.255.0}"
    local lan_dhcp_enabled="${LAB_OPENWRT_LAN_DHCP_ENABLED:-false}"
-    local start_vm="${LAB_OPENWRT_START:-true}"
+    local start_vm="${LAB_OPENWRT_START:-false}"
+    local onboot="${LAB_OPENWRT_ONBOOT:-false}"
    local root_key_path="${LAB_OPENWRT_ROOT_SSH_PUBLIC_KEY_PATH:-${pimox_key}.pub}"
    local root_key_b64=""
    local lan_dhcp_ignore="1"
    local start_vm_flag="false"
+    local onboot_flag="0"

    if disabled_value "${mode}"; then
        return 0
@ -896,9 +898,20 @@ run_openwrt_pipeline() {
    if truthy "${lan_dhcp_enabled}"; then
        lan_dhcp_ignore="0"
    fi
+    if ! truthy "${start_vm}" && ! disabled_value "${start_vm}"; then
+        echo "LAB_OPENWRT_START must be true or false." >&2
+        exit 1
+    fi
    if truthy "${start_vm}"; then
        start_vm_flag="true"
    fi
+    if ! truthy "${onboot}" && ! disabled_value "${onboot}"; then
+        echo "LAB_OPENWRT_ONBOOT must be true or false." >&2
+        exit 1
+    fi
+    if truthy "${onboot}"; then
+        onboot_flag="1"
+    fi
    if [[ -r "${root_key_path}" ]]; then
        root_key_b64="$(base64 <"${root_key_path}" | tr -d '\n')"
    fi
@ -919,6 +932,7 @@ lan_ip="${lan_ip}"
 lan_netmask="${lan_netmask}"
 lan_dhcp_ignore="${lan_dhcp_ignore}"
 start_vm="${start_vm_flag}"
+onboot="${onboot_flag}"
 root_key_b64="${root_key_b64}"
 qm_cmd="${qm_bin}"

@ -966,7 +980,7 @@ if sudo "\$qm_cmd" status "\$vmid" >/dev/null 2>&1; then
    --net1 "virtio,bridge=\$lan_bridge" \\
    --cores "\$cores" \\
    --memory "\$memory" \\
-    --onboot 1
+    --onboot "\$onboot"
  if [ "\$start_vm" = "true" ] && sudo "\$qm_cmd" status "\$vmid" | grep -q 'status: stopped'; then
    sudo "\$qm_cmd" start "\$vmid"
  fi
@ -1142,7 +1156,7 @@ sudo "\$qm_cmd" create "\$vmid" \\
  --scsihw virtio-scsi-pci \\
  --sockets 1 \\
  --vga virtio \\
-  --onboot 1
+  --onboot "\$onboot"

 sudo "\$qm_cmd" set "\$vmid" --efidisk0 "\$storage:1,efitype=4m,pre-enrolled-keys=0"
 sudo "\$qm_cmd" importdisk "\$vmid" "\$tmp_dir/openwrt.img" "\$storage" --format raw >/dev/null
@ -1160,6 +1174,12 @@ fi
 EOF
 }

+openwrt() {
+    require_debian_server "openwrt"
+
+    LAB_OPENWRT_VM=true run_openwrt_pipeline
+}
+
 cleanup_calico_links() {
    ip link show | awk -F: '/^[0-9]+: cali/ {print $2}' | cut -d@ -f1 | xargs -r -n1 sudo ip link delete 2>/dev/null || true
    sudo ip link delete vxlan.calico 2>/dev/null || true
@ -2741,11 +2761,14 @@ case "${1:-}" in
    install-gitea-runner)
        install_gitea_runner "${2:-}"
        ;;
+    openwrt)
+        openwrt
+        ;;
    nuke)
        nuke
        ;;
    *)
-        echo "Usage: $0 {up|rebuild-cluster|apps|deploy-gitea|bootstrap-gitea-repo|backup-gitea|drill-gitea-restore|install-gitea-runner|nuke}"
+        echo "Usage: $0 {up|rebuild-cluster|apps|deploy-gitea|bootstrap-gitea-repo|backup-gitea|drill-gitea-restore|install-gitea-runner|openwrt|nuke}"
        exit 1
        ;;
 esac