feat: rewrite envd guest agent in Rust (envd-rs)

Complete Rust rewrite of the Go envd guest daemon that runs as PID 1 inside Firecracker microVMs. Feature-complete across all 8 phases: - Health, metrics, and env var endpoints - Crypto (SHA-256/512, HMAC), auth (secure token, signing), init/snapshot - Connect RPC via connectrpc + buffa (process + filesystem services) - File transfer (GET/POST /files) with gzip, multipart, chown, ENOSPC - Port subsystem (/proc/net/tcp scanner, socat forwarder) - Cgroup2 manager with noop fallback - Snapshot/restore lifecycle (conntracker, port subsystem stop/restart) - SIGTERM graceful shutdown, --cmd initial process spawn - MMDS metadata polling for Firecracker mode 42 source files, ~4200 LOC, 4.1MB stripped release binary. Makefile updated: build-envd now targets Rust (musl static), build-envd-go preserved for Go builds.
2026-05-03 02:47:15 +06:00
parent 3deecbff89
commit 0b53d34417
54 changed files with 7089 additions and 17 deletions
--- a/envd-rs/src/rpc/entry.rs
+++ b/envd-rs/src/rpc/entry.rs
@ -0,0 +1,142 @@
+use std::os::unix::fs::MetadataExt;
+use std::path::Path;
+
+use connectrpc::{ConnectError, ErrorCode};
+
+use crate::permissions::user::{lookup_groupname_by_gid, lookup_username_by_uid};
+use crate::rpc::pb::filesystem::{EntryInfo, FileType};
+use nix::unistd::{Gid, Uid};
+
+const NFS_SUPER_MAGIC: i64 = 0x6969;
+const CIFS_MAGIC: i64 = 0xFF534D42;
+const SMB_SUPER_MAGIC: i64 = 0x517B;
+const SMB2_MAGIC_NUMBER: i64 = 0xFE534D42;
+const FUSE_SUPER_MAGIC: i64 = 0x65735546;
+
+pub fn is_network_mount(path: &str) -> Result<bool, String> {
+    let c_path = std::ffi::CString::new(path).map_err(|e| e.to_string())?;
+    let mut stat: libc::statfs = unsafe { std::mem::zeroed() };
+    let ret = unsafe { libc::statfs(c_path.as_ptr(), &mut stat) };
+    if ret != 0 {
+        return Err(format!(
+            "statfs {path}: {}",
+            std::io::Error::last_os_error()
+        ));
+    }
+    let fs_type = stat.f_type as i64;
+    Ok(matches!(
+        fs_type,
+        NFS_SUPER_MAGIC | CIFS_MAGIC | SMB_SUPER_MAGIC | SMB2_MAGIC_NUMBER | FUSE_SUPER_MAGIC
+    ))
+}
+
+pub fn build_entry_info(path: &str) -> Result<EntryInfo, ConnectError> {
+    let p = Path::new(path);
+
+    let lstat = std::fs::symlink_metadata(p).map_err(|e| {
+        if e.kind() == std::io::ErrorKind::NotFound {
+            ConnectError::new(ErrorCode::NotFound, format!("file not found: {e}"))
+        } else {
+            ConnectError::new(ErrorCode::Internal, format!("error getting file info: {e}"))
+        }
+    })?;
+
+    let is_symlink = lstat.file_type().is_symlink();
+
+    let (file_type, mode, symlink_target) = if is_symlink {
+        let target = std::fs::canonicalize(p)
+            .map(|t| t.to_string_lossy().to_string())
+            .unwrap_or_else(|_| path.to_string());
+
+        let target_type = match std::fs::metadata(p) {
+            Ok(meta) => meta_to_file_type(&meta),
+            Err(_) => FileType::FILE_TYPE_UNSPECIFIED,
+        };
+
+        let target_mode = std::fs::metadata(p)
+            .map(|m| m.mode() & 0o7777)
+            .unwrap_or(0);
+
+        (target_type, target_mode, Some(target))
+    } else {
+        let ft = meta_to_file_type(&lstat);
+        let mode = lstat.mode() & 0o7777;
+        (ft, mode, None)
+    };
+
+    let uid = lstat.uid();
+    let gid = lstat.gid();
+    let owner = lookup_username_by_uid(Uid::from_raw(uid));
+    let group = lookup_groupname_by_gid(Gid::from_raw(gid));
+
+    let modified_time = {
+        let mtime_sec = lstat.mtime();
+        let mtime_nsec = lstat.mtime_nsec() as i32;
+        if mtime_sec == 0 && mtime_nsec == 0 {
+            None
+        } else {
+            Some(buffa_types::google::protobuf::Timestamp {
+                seconds: mtime_sec,
+                nanos: mtime_nsec,
+                ..Default::default()
+            })
+        }
+    };
+
+    let name = p
+        .file_name()
+        .map(|n| n.to_string_lossy().to_string())
+        .unwrap_or_default();
+
+    let permissions = format_permissions(lstat.mode());
+
+    Ok(EntryInfo {
+        name,
+        r#type: buffa::EnumValue::Known(file_type),
+        path: path.to_string(),
+        size: lstat.len() as i64,
+        mode,
+        permissions,
+        owner,
+        group,
+        modified_time: modified_time.into(),
+        symlink_target: symlink_target,
+        ..Default::default()
+    })
+}
+
+fn meta_to_file_type(meta: &std::fs::Metadata) -> FileType {
+    if meta.is_file() {
+        FileType::FILE_TYPE_FILE
+    } else if meta.is_dir() {
+        FileType::FILE_TYPE_DIRECTORY
+    } else if meta.file_type().is_symlink() {
+        FileType::FILE_TYPE_SYMLINK
+    } else {
+        FileType::FILE_TYPE_UNSPECIFIED
+    }
+}
+
+fn format_permissions(mode: u32) -> String {
+    let file_type = match mode & libc::S_IFMT {
+        libc::S_IFDIR => 'd',
+        libc::S_IFLNK => 'L',
+        libc::S_IFREG => '-',
+        libc::S_IFBLK => 'b',
+        libc::S_IFCHR => 'c',
+        libc::S_IFIFO => 'p',
+        libc::S_IFSOCK => 'S',
+        _ => '?',
+    };
+
+    let perms = mode & 0o777;
+    let mut s = String::with_capacity(10);
+    s.push(file_type);
+    for shift in [6, 3, 0] {
+        let bits = (perms >> shift) & 7;
+        s.push(if bits & 4 != 0 { 'r' } else { '-' });
+        s.push(if bits & 2 != 0 { 'w' } else { '-' });
+        s.push(if bits & 1 != 0 { 'x' } else { '-' });
+    }
+    s
+}
--- a/envd-rs/src/rpc/filesystem_service.rs
+++ b/envd-rs/src/rpc/filesystem_service.rs
@ -0,0 +1,402 @@
+use std::path::{Path, PathBuf};
+use std::pin::Pin;
+use std::sync::{Arc, Mutex};
+
+use connectrpc::{ConnectError, Context, ErrorCode};
+use dashmap::DashMap;
+use futures::Stream;
+
+use crate::permissions::path::{ensure_dirs, expand_and_resolve};
+use crate::permissions::user::lookup_user;
+use crate::rpc::entry::build_entry_info;
+use crate::rpc::pb::filesystem::*;
+use crate::state::AppState;
+
+pub struct FilesystemServiceImpl {
+    state: Arc<AppState>,
+    watchers: DashMap<String, WatcherHandle>,
+}
+
+struct WatcherHandle {
+    events: Arc<Mutex<Vec<FilesystemEvent>>>,
+    _watcher: notify::RecommendedWatcher,
+}
+
+impl FilesystemServiceImpl {
+    pub fn new(state: Arc<AppState>) -> Self {
+        Self {
+            state,
+            watchers: DashMap::new(),
+        }
+    }
+
+    fn resolve_path(&self, path: &str, ctx: &Context) -> Result<String, ConnectError> {
+        let username = extract_username(ctx).unwrap_or_else(|| self.state.defaults.user.clone());
+        let user = lookup_user(&username).map_err(|e| {
+            ConnectError::new(ErrorCode::Unauthenticated, format!("invalid user: {e}"))
+        })?;
+
+        let home_dir = format!("/home/{}", user.name);
+        let default_workdir = self.state.defaults.workdir.as_deref();
+
+        expand_and_resolve(path, &home_dir, default_workdir)
+            .map_err(|e| ConnectError::new(ErrorCode::InvalidArgument, e))
+    }
+}
+
+fn extract_username(ctx: &Context) -> Option<String> {
+    ctx.extensions.get::<AuthUser>().map(|u| u.0.clone())
+}
+
+#[derive(Clone)]
+pub struct AuthUser(pub String);
+
+impl Filesystem for FilesystemServiceImpl {
+    async fn stat(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<StatRequestView<'static>>,
+    ) -> Result<(StatResponse, Context), ConnectError> {
+        let path = self.resolve_path(request.path, &ctx)?;
+        let entry = build_entry_info(&path)?;
+        Ok((
+            StatResponse {
+                entry: entry.into(),
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn make_dir(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<MakeDirRequestView<'static>>,
+    ) -> Result<(MakeDirResponse, Context), ConnectError> {
+        let path = self.resolve_path(request.path, &ctx)?;
+
+        match std::fs::metadata(&path) {
+            Ok(meta) => {
+                if meta.is_dir() {
+                    return Err(ConnectError::new(
+                        ErrorCode::AlreadyExists,
+                        format!("directory already exists: {path}"),
+                    ));
+                }
+                return Err(ConnectError::new(
+                    ErrorCode::InvalidArgument,
+                    format!("path exists but is not a directory: {path}"),
+                ));
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
+            Err(e) => {
+                return Err(ConnectError::new(
+                    ErrorCode::Internal,
+                    format!("error getting file info: {e}"),
+                ));
+            }
+        }
+
+        let username = extract_username(&ctx).unwrap_or_else(|| self.state.defaults.user.clone());
+        let user =
+            lookup_user(&username).map_err(|e| ConnectError::new(ErrorCode::Internal, e))?;
+
+        ensure_dirs(&path, user.uid, user.gid)
+            .map_err(|e| ConnectError::new(ErrorCode::Internal, e))?;
+
+        let entry = build_entry_info(&path)?;
+        Ok((
+            MakeDirResponse {
+                entry: entry.into(),
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn r#move(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<MoveRequestView<'static>>,
+    ) -> Result<(MoveResponse, Context), ConnectError> {
+        let source = self.resolve_path(request.source, &ctx)?;
+        let destination = self.resolve_path(request.destination, &ctx)?;
+
+        let username = extract_username(&ctx).unwrap_or_else(|| self.state.defaults.user.clone());
+        let user =
+            lookup_user(&username).map_err(|e| ConnectError::new(ErrorCode::Internal, e))?;
+
+        if let Some(parent) = Path::new(&destination).parent() {
+            ensure_dirs(&parent.to_string_lossy(), user.uid, user.gid)
+                .map_err(|e| ConnectError::new(ErrorCode::Internal, e))?;
+        }
+
+        std::fs::rename(&source, &destination).map_err(|e| {
+            if e.kind() == std::io::ErrorKind::NotFound {
+                ConnectError::new(ErrorCode::NotFound, format!("source not found: {e}"))
+            } else {
+                ConnectError::new(ErrorCode::Internal, format!("error renaming: {e}"))
+            }
+        })?;
+
+        let entry = build_entry_info(&destination)?;
+        Ok((
+            MoveResponse {
+                entry: entry.into(),
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn list_dir(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<ListDirRequestView<'static>>,
+    ) -> Result<(ListDirResponse, Context), ConnectError> {
+        let mut depth = request.depth as usize;
+        if depth == 0 {
+            depth = 1;
+        }
+
+        let path = self.resolve_path(request.path, &ctx)?;
+
+        let resolved = std::fs::canonicalize(&path).map_err(|e| {
+            if e.kind() == std::io::ErrorKind::NotFound {
+                ConnectError::new(ErrorCode::NotFound, format!("path not found: {e}"))
+            } else {
+                ConnectError::new(ErrorCode::Internal, format!("error resolving path: {e}"))
+            }
+        })?;
+        let resolved_str = resolved.to_string_lossy().to_string();
+
+        let meta = std::fs::metadata(&resolved).map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("error getting file info: {e}"))
+        })?;
+        if !meta.is_dir() {
+            return Err(ConnectError::new(
+                ErrorCode::InvalidArgument,
+                format!("path is not a directory: {path}"),
+            ));
+        }
+
+        let entries = walk_dir(&path, &resolved_str, depth)?;
+        Ok((
+            ListDirResponse {
+                entries,
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn remove(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<RemoveRequestView<'static>>,
+    ) -> Result<(RemoveResponse, Context), ConnectError> {
+        let path = self.resolve_path(request.path, &ctx)?;
+
+        if let Err(e1) = std::fs::remove_dir_all(&path) {
+            if let Err(e2) = std::fs::remove_file(&path) {
+                return Err(ConnectError::new(
+                    ErrorCode::Internal,
+                    format!("error removing: {e1}; also tried as file: {e2}"),
+                ));
+            }
+        }
+
+        Ok((RemoveResponse { ..Default::default() }, ctx))
+    }
+
+    async fn watch_dir(
+        &self,
+        _ctx: Context,
+        _request: buffa::view::OwnedView<WatchDirRequestView<'static>>,
+    ) -> Result<
+        (
+            Pin<Box<dyn Stream<Item = Result<WatchDirResponse, ConnectError>> + Send>>,
+            Context,
+        ),
+        ConnectError,
+    > {
+        Err(ConnectError::new(
+            ErrorCode::Unimplemented,
+            "watch_dir streaming not yet implemented",
+        ))
+    }
+
+    async fn create_watcher(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<CreateWatcherRequestView<'static>>,
+    ) -> Result<(CreateWatcherResponse, Context), ConnectError> {
+        use notify::{RecursiveMode, Watcher};
+
+        let path = self.resolve_path(request.path, &ctx)?;
+        let recursive = request.recursive;
+
+        if let Ok(true) = crate::rpc::entry::is_network_mount(&path) {
+            return Err(ConnectError::new(
+                ErrorCode::FailedPrecondition,
+                "watching network mounts is not supported",
+            ));
+        }
+
+        let watcher_id = simple_id();
+        let events: Arc<Mutex<Vec<FilesystemEvent>>> = Arc::new(Mutex::new(Vec::new()));
+        let events_cb = Arc::clone(&events);
+
+        let mut watcher = notify::recommended_watcher(
+            move |res: Result<notify::Event, notify::Error>| {
+                if let Ok(event) = res {
+                    let event_type = match event.kind {
+                        notify::EventKind::Create(_) => EventType::EVENT_TYPE_CREATE,
+                        notify::EventKind::Modify(notify::event::ModifyKind::Data(_)) => {
+                            EventType::EVENT_TYPE_WRITE
+                        }
+                        notify::EventKind::Modify(notify::event::ModifyKind::Metadata(_)) => {
+                            EventType::EVENT_TYPE_CHMOD
+                        }
+                        notify::EventKind::Remove(_) => EventType::EVENT_TYPE_REMOVE,
+                        notify::EventKind::Modify(notify::event::ModifyKind::Name(_)) => {
+                            EventType::EVENT_TYPE_RENAME
+                        }
+                        _ => return,
+                    };
+
+                    for p in &event.paths {
+                        if let Ok(mut guard) = events_cb.lock() {
+                            guard.push(FilesystemEvent {
+                                name: p.to_string_lossy().to_string(),
+                                r#type: buffa::EnumValue::Known(event_type),
+                                ..Default::default()
+                            });
+                        }
+                    }
+                }
+            },
+        )
+        .map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("failed to create watcher: {e}"))
+        })?;
+
+        let mode = if recursive {
+            RecursiveMode::Recursive
+        } else {
+            RecursiveMode::NonRecursive
+        };
+
+        watcher.watch(Path::new(&path), mode).map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("failed to watch path: {e}"))
+        })?;
+
+        self.watchers.insert(
+            watcher_id.clone(),
+            WatcherHandle {
+                events,
+                _watcher: watcher,
+            },
+        );
+
+        Ok((
+            CreateWatcherResponse {
+                watcher_id,
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn get_watcher_events(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<GetWatcherEventsRequestView<'static>>,
+    ) -> Result<(GetWatcherEventsResponse, Context), ConnectError> {
+        let watcher_id: &str = request.watcher_id;
+        let handle = self.watchers.get(watcher_id).ok_or_else(|| {
+            ConnectError::new(
+                ErrorCode::NotFound,
+                format!("watcher not found: {watcher_id}"),
+            )
+        })?;
+
+        let events = {
+            let mut guard = handle.events.lock().unwrap();
+            std::mem::take(&mut *guard)
+        };
+
+        Ok((
+            GetWatcherEventsResponse {
+                events,
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn remove_watcher(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<RemoveWatcherRequestView<'static>>,
+    ) -> Result<(RemoveWatcherResponse, Context), ConnectError> {
+        let watcher_id: &str = request.watcher_id;
+        self.watchers.remove(watcher_id);
+        Ok((RemoveWatcherResponse { ..Default::default() }, ctx))
+    }
+}
+
+fn walk_dir(
+    requested_path: &str,
+    resolved_path: &str,
+    depth: usize,
+) -> Result<Vec<EntryInfo>, ConnectError> {
+    let mut entries = Vec::new();
+    let base = Path::new(resolved_path);
+
+    for result in walkdir::WalkDir::new(resolved_path)
+        .min_depth(1)
+        .max_depth(depth)
+        .follow_links(false)
+    {
+        let dir_entry = match result {
+            Ok(e) => e,
+            Err(e) => {
+                if e.io_error()
+                    .is_some_and(|io| io.kind() == std::io::ErrorKind::NotFound)
+                {
+                    continue;
+                }
+                return Err(ConnectError::new(
+                    ErrorCode::Internal,
+                    format!("error reading directory: {e}"),
+                ));
+            }
+        };
+
+        let entry_path = dir_entry.path();
+        let mut entry = match build_entry_info(&entry_path.to_string_lossy()) {
+            Ok(e) => e,
+            Err(e) if e.code == ErrorCode::NotFound => continue,
+            Err(e) => return Err(e),
+        };
+
+        if let Ok(rel) = entry_path.strip_prefix(base) {
+            let remapped = PathBuf::from(requested_path).join(rel);
+            entry.path = remapped.to_string_lossy().to_string();
+        }
+
+        entries.push(entry);
+    }
+
+    Ok(entries)
+}
+
+fn simple_id() -> String {
+    use std::time::{SystemTime, UNIX_EPOCH};
+    let nanos = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_nanos();
+    format!("w-{nanos:x}")
+}
--- a/envd-rs/src/rpc/mod.rs
+++ b/envd-rs/src/rpc/mod.rs
@ -0,0 +1,26 @@
+pub mod pb;
+pub mod entry;
+pub mod process_handler;
+pub mod process_service;
+pub mod filesystem_service;
+
+use std::sync::Arc;
+
+use crate::rpc::process_service::ProcessServiceImpl;
+use crate::rpc::filesystem_service::FilesystemServiceImpl;
+use crate::state::AppState;
+
+use pb::process::ProcessExt;
+use pb::filesystem::FilesystemExt;
+
+/// Build the connect-rust Router with both RPC services registered.
+pub fn rpc_router(state: Arc<AppState>) -> connectrpc::Router {
+    let process_svc = Arc::new(ProcessServiceImpl::new(Arc::clone(&state)));
+    let filesystem_svc = Arc::new(FilesystemServiceImpl::new(Arc::clone(&state)));
+
+    let router = connectrpc::Router::new();
+    let router = process_svc.register(router);
+    let router = filesystem_svc.register(router);
+
+    router
+}
--- a/envd-rs/src/rpc/pb.rs
+++ b/envd-rs/src/rpc/pb.rs
@ -0,0 +1,10 @@
+#![allow(dead_code, non_camel_case_types, unused_imports, clippy::derivable_impls)]
+
+use ::buffa;
+use ::buffa_types;
+use ::connectrpc;
+use ::futures;
+use ::http_body;
+use ::serde;
+
+include!(concat!(env!("OUT_DIR"), "/_connectrpc.rs"));
--- a/envd-rs/src/rpc/process_handler.rs
+++ b/envd-rs/src/rpc/process_handler.rs
@ -0,0 +1,400 @@
+use std::io::Read;
+use std::os::unix::process::CommandExt;
+use std::process::Stdio;
+use std::sync::{Arc, Mutex};
+
+use connectrpc::{ConnectError, ErrorCode};
+use nix::pty::{openpty, Winsize};
+use nix::sys::signal::{self, Signal};
+use nix::unistd::Pid;
+use tokio::sync::broadcast;
+
+use crate::rpc::pb::process::*;
+
+const STD_CHUNK_SIZE: usize = 32768;
+const PTY_CHUNK_SIZE: usize = 16384;
+const BROADCAST_CAPACITY: usize = 4096;
+
+#[derive(Clone)]
+pub enum DataEvent {
+    Stdout(Vec<u8>),
+    Stderr(Vec<u8>),
+    Pty(Vec<u8>),
+}
+
+#[derive(Clone)]
+pub struct EndEvent {
+    pub exit_code: i32,
+    pub exited: bool,
+    pub status: String,
+    pub error: Option<String>,
+}
+
+pub struct ProcessHandle {
+    pub config: ProcessConfig,
+    pub tag: Option<String>,
+    pub pid: u32,
+
+    data_tx: broadcast::Sender<DataEvent>,
+    end_tx: broadcast::Sender<EndEvent>,
+
+    stdin: Mutex<Option<std::process::ChildStdin>>,
+    pty_master: Mutex<Option<std::fs::File>>,
+}
+
+impl ProcessHandle {
+    pub fn subscribe_data(&self) -> broadcast::Receiver<DataEvent> {
+        self.data_tx.subscribe()
+    }
+
+    pub fn subscribe_end(&self) -> broadcast::Receiver<EndEvent> {
+        self.end_tx.subscribe()
+    }
+
+    pub fn send_signal(&self, sig: Signal) -> Result<(), ConnectError> {
+        signal::kill(Pid::from_raw(self.pid as i32), sig).map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("error sending signal: {e}"))
+        })
+    }
+
+    pub fn write_stdin(&self, data: &[u8]) -> Result<(), ConnectError> {
+        use std::io::Write;
+        let mut guard = self.stdin.lock().unwrap();
+        match guard.as_mut() {
+            Some(stdin) => stdin.write_all(data).map_err(|e| {
+                ConnectError::new(ErrorCode::Internal, format!("error writing to stdin: {e}"))
+            }),
+            None => Err(ConnectError::new(
+                ErrorCode::FailedPrecondition,
+                "stdin not enabled or closed",
+            )),
+        }
+    }
+
+    pub fn write_pty(&self, data: &[u8]) -> Result<(), ConnectError> {
+        use std::io::Write;
+        let mut guard = self.pty_master.lock().unwrap();
+        match guard.as_mut() {
+            Some(master) => master.write_all(data).map_err(|e| {
+                ConnectError::new(ErrorCode::Internal, format!("error writing to pty: {e}"))
+            }),
+            None => Err(ConnectError::new(
+                ErrorCode::FailedPrecondition,
+                "pty not assigned to process",
+            )),
+        }
+    }
+
+    pub fn close_stdin(&self) -> Result<(), ConnectError> {
+        if self.pty_master.lock().unwrap().is_some() {
+            return Err(ConnectError::new(
+                ErrorCode::FailedPrecondition,
+                "cannot close stdin for PTY process — send Ctrl+D (0x04) instead",
+            ));
+        }
+        let mut guard = self.stdin.lock().unwrap();
+        *guard = None;
+        Ok(())
+    }
+
+    pub fn resize_pty(&self, cols: u16, rows: u16) -> Result<(), ConnectError> {
+        let guard = self.pty_master.lock().unwrap();
+        match guard.as_ref() {
+            Some(master) => {
+                use std::os::unix::io::AsRawFd;
+                let ws = libc::winsize {
+                    ws_row: rows,
+                    ws_col: cols,
+                    ws_xpixel: 0,
+                    ws_ypixel: 0,
+                };
+                let ret = unsafe { libc::ioctl(master.as_raw_fd(), libc::TIOCSWINSZ, &ws) };
+                if ret != 0 {
+                    return Err(ConnectError::new(
+                        ErrorCode::Internal,
+                        format!(
+                            "ioctl TIOCSWINSZ failed: {}",
+                            std::io::Error::last_os_error()
+                        ),
+                    ));
+                }
+                Ok(())
+            }
+            None => Err(ConnectError::new(
+                ErrorCode::FailedPrecondition,
+                "tty not assigned to process",
+            )),
+        }
+    }
+}
+
+pub fn spawn_process(
+    cmd_str: &str,
+    args: &[String],
+    envs: &std::collections::HashMap<String, String>,
+    cwd: &str,
+    pty_opts: Option<(u16, u16)>,
+    enable_stdin: bool,
+    tag: Option<String>,
+    user: &nix::unistd::User,
+    default_env_vars: &dashmap::DashMap<String, String>,
+) -> Result<Arc<ProcessHandle>, ConnectError> {
+    let mut env: Vec<(String, String)> = Vec::new();
+    env.push(("PATH".into(), std::env::var("PATH").unwrap_or_default()));
+    let home = format!("/home/{}", user.name);
+    env.push(("HOME".into(), home));
+    env.push(("USER".into(), user.name.clone()));
+    env.push(("LOGNAME".into(), user.name.clone()));
+
+    default_env_vars.iter().for_each(|entry| {
+        env.push((entry.key().clone(), entry.value().clone()));
+    });
+
+    for (k, v) in envs {
+        env.push((k.clone(), v.clone()));
+    }
+
+    let nice_delta = 0 - current_nice();
+    let oom_script = format!(
+        r#"echo 100 > /proc/$$/oom_score_adj && exec /usr/bin/nice -n {} "${{@}}""#,
+        nice_delta
+    );
+    let mut wrapper_args = vec![
+        "-c".to_string(),
+        oom_script,
+        "--".to_string(),
+        cmd_str.to_string(),
+    ];
+    wrapper_args.extend_from_slice(args);
+
+    let uid = user.uid.as_raw();
+    let gid = user.gid.as_raw();
+
+    let (data_tx, _) = broadcast::channel(BROADCAST_CAPACITY);
+    let (end_tx, _) = broadcast::channel(16);
+
+    let config = ProcessConfig {
+        cmd: cmd_str.to_string(),
+        args: args.to_vec(),
+        envs: envs.clone(),
+        cwd: Some(cwd.to_string()),
+        ..Default::default()
+    };
+
+    if let Some((cols, rows)) = pty_opts {
+        let pty_result = openpty(
+            Some(&Winsize {
+                ws_row: rows,
+                ws_col: cols,
+                ws_xpixel: 0,
+                ws_ypixel: 0,
+            }),
+            None,
+        )
+        .map_err(|e| ConnectError::new(ErrorCode::Internal, format!("openpty failed: {e}")))?;
+
+        let master_fd = pty_result.master;
+        let slave_fd = pty_result.slave;
+
+        let mut command = std::process::Command::new("/bin/sh");
+        command
+            .args(&wrapper_args)
+            .env_clear()
+            .envs(env.iter().map(|(k, v)| (k.as_str(), v.as_str())))
+            .current_dir(cwd);
+
+        unsafe {
+            use std::os::unix::io::AsRawFd;
+            let slave_raw = slave_fd.as_raw_fd();
+            command.pre_exec(move || {
+                nix::unistd::setsid()
+                    .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?;
+                libc::ioctl(slave_raw, libc::TIOCSCTTY, 0);
+                libc::dup2(slave_raw, 0);
+                libc::dup2(slave_raw, 1);
+                libc::dup2(slave_raw, 2);
+                if slave_raw > 2 {
+                    libc::close(slave_raw);
+                }
+                libc::setgid(gid);
+                libc::setuid(uid);
+                Ok(())
+            });
+        }
+
+        command.stdin(Stdio::null());
+        command.stdout(Stdio::null());
+        command.stderr(Stdio::null());
+
+        let child = command.spawn().map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("error starting pty process: {e}"))
+        })?;
+
+        drop(slave_fd);
+
+        let pid = child.id();
+        let master_file: std::fs::File = master_fd.into();
+        let master_clone = master_file.try_clone().unwrap();
+
+        let handle = Arc::new(ProcessHandle {
+            config,
+            tag,
+            pid,
+            data_tx: data_tx.clone(),
+            end_tx: end_tx.clone(),
+            stdin: Mutex::new(None),
+            pty_master: Mutex::new(Some(master_file)),
+        });
+
+        let data_tx_clone = data_tx.clone();
+        std::thread::spawn(move || {
+            let mut master = master_clone;
+            let mut buf = vec![0u8; PTY_CHUNK_SIZE];
+            loop {
+                match master.read(&mut buf) {
+                    Ok(0) => break,
+                    Ok(n) => {
+                        let _ = data_tx_clone.send(DataEvent::Pty(buf[..n].to_vec()));
+                    }
+                    Err(_) => break,
+                }
+            }
+        });
+
+        let end_tx_clone = end_tx.clone();
+        std::thread::spawn(move || {
+            let mut child = child;
+            match child.wait() {
+                Ok(s) => {
+                    let _ = end_tx_clone.send(EndEvent {
+                        exit_code: s.code().unwrap_or(-1),
+                        exited: s.code().is_some(),
+                        status: format!("{s}"),
+                        error: None,
+                    });
+                }
+                Err(e) => {
+                    let _ = end_tx_clone.send(EndEvent {
+                        exit_code: -1,
+                        exited: false,
+                        status: "error".into(),
+                        error: Some(e.to_string()),
+                    });
+                }
+            }
+        });
+
+        tracing::info!(pid, cmd = cmd_str, "process started (pty)");
+        Ok(handle)
+    } else {
+        let mut command = std::process::Command::new("/bin/sh");
+        command
+            .args(&wrapper_args)
+            .env_clear()
+            .envs(env.iter().map(|(k, v)| (k.as_str(), v.as_str())))
+            .current_dir(cwd)
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped());
+
+        if enable_stdin {
+            command.stdin(Stdio::piped());
+        } else {
+            command.stdin(Stdio::null());
+        }
+
+        unsafe {
+            command.pre_exec(move || {
+                libc::setgid(gid);
+                libc::setuid(uid);
+                Ok(())
+            });
+        }
+
+        let mut child = command.spawn().map_err(|e| {
+            ConnectError::new(ErrorCode::Internal, format!("error starting process: {e}"))
+        })?;
+
+        let pid = child.id();
+        let stdin = child.stdin.take();
+        let stdout = child.stdout.take();
+        let stderr = child.stderr.take();
+
+        let handle = Arc::new(ProcessHandle {
+            config,
+            tag,
+            pid,
+            data_tx: data_tx.clone(),
+            end_tx: end_tx.clone(),
+            stdin: Mutex::new(stdin),
+            pty_master: Mutex::new(None),
+        });
+
+        if let Some(mut out) = stdout {
+            let tx = data_tx.clone();
+            std::thread::spawn(move || {
+                let mut buf = vec![0u8; STD_CHUNK_SIZE];
+                loop {
+                    match out.read(&mut buf) {
+                        Ok(0) => break,
+                        Ok(n) => {
+                            let _ = tx.send(DataEvent::Stdout(buf[..n].to_vec()));
+                        }
+                        Err(_) => break,
+                    }
+                }
+            });
+        }
+
+        if let Some(mut err_pipe) = stderr {
+            let tx = data_tx.clone();
+            std::thread::spawn(move || {
+                let mut buf = vec![0u8; STD_CHUNK_SIZE];
+                loop {
+                    match err_pipe.read(&mut buf) {
+                        Ok(0) => break,
+                        Ok(n) => {
+                            let _ = tx.send(DataEvent::Stderr(buf[..n].to_vec()));
+                        }
+                        Err(_) => break,
+                    }
+                }
+            });
+        }
+
+        let end_tx_clone = end_tx.clone();
+        std::thread::spawn(move || {
+            match child.wait() {
+                Ok(s) => {
+                    let _ = end_tx_clone.send(EndEvent {
+                        exit_code: s.code().unwrap_or(-1),
+                        exited: s.code().is_some(),
+                        status: format!("{s}"),
+                        error: None,
+                    });
+                }
+                Err(e) => {
+                    let _ = end_tx_clone.send(EndEvent {
+                        exit_code: -1,
+                        exited: false,
+                        status: "error".into(),
+                        error: Some(e.to_string()),
+                    });
+                }
+            }
+        });
+
+        tracing::info!(pid, cmd = cmd_str, "process started (pipe)");
+        Ok(handle)
+    }
+}
+
+fn current_nice() -> i32 {
+    unsafe {
+        *libc::__errno_location() = 0;
+        let prio = libc::getpriority(libc::PRIO_PROCESS, 0);
+        if *libc::__errno_location() != 0 {
+            return 0;
+        }
+        20 - prio
+    }
+}
--- a/envd-rs/src/rpc/process_service.rs
+++ b/envd-rs/src/rpc/process_service.rs
@ -0,0 +1,438 @@
+use std::collections::HashMap;
+use std::pin::Pin;
+use std::sync::Arc;
+
+use connectrpc::{ConnectError, Context, ErrorCode};
+use dashmap::DashMap;
+use futures::Stream;
+
+use crate::permissions::path::expand_and_resolve;
+use crate::permissions::user::lookup_user;
+use crate::rpc::pb::process::*;
+use crate::rpc::process_handler::{self, DataEvent, ProcessHandle};
+use crate::state::AppState;
+
+pub struct ProcessServiceImpl {
+    state: Arc<AppState>,
+    processes: DashMap<u32, Arc<ProcessHandle>>,
+}
+
+impl ProcessServiceImpl {
+    pub fn new(state: Arc<AppState>) -> Self {
+        Self {
+            state,
+            processes: DashMap::new(),
+        }
+    }
+
+    fn get_process_by_selector(
+        &self,
+        selector: &ProcessSelectorView,
+    ) -> Result<Arc<ProcessHandle>, ConnectError> {
+        match &selector.selector {
+            Some(process_selector::SelectorView::Pid(pid)) => {
+                let pid_val = *pid;
+                self.processes
+                    .get(&pid_val)
+                    .map(|entry| Arc::clone(entry.value()))
+                    .ok_or_else(|| {
+                        ConnectError::new(
+                            ErrorCode::NotFound,
+                            format!("process with pid {pid_val} not found"),
+                        )
+                    })
+            }
+            Some(process_selector::SelectorView::Tag(tag)) => {
+                let tag_str: &str = tag;
+                for entry in self.processes.iter() {
+                    if let Some(ref t) = entry.value().tag {
+                        if t == tag_str {
+                            return Ok(Arc::clone(entry.value()));
+                        }
+                    }
+                }
+                Err(ConnectError::new(
+                    ErrorCode::NotFound,
+                    format!("process with tag {tag_str} not found"),
+                ))
+            }
+            None => Err(ConnectError::new(
+                ErrorCode::InvalidArgument,
+                "process selector required",
+            )),
+        }
+    }
+
+    fn spawn_from_request(
+        &self,
+        request: &StartRequestView<'_>,
+    ) -> Result<Arc<ProcessHandle>, ConnectError> {
+        let proc_config = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process config required")
+        })?;
+
+        let username = self.state.defaults.user.clone();
+        let user =
+            lookup_user(&username).map_err(|e| ConnectError::new(ErrorCode::Internal, e))?;
+
+        let cmd: &str = proc_config.cmd;
+        let args: Vec<String> = proc_config.args.iter().map(|s| s.to_string()).collect();
+        let envs: HashMap<String, String> = proc_config
+            .envs
+            .iter()
+            .map(|(k, v)| (k.to_string(), v.to_string()))
+            .collect();
+
+        let home_dir = format!("/home/{}", user.name);
+        let cwd_str: &str = proc_config.cwd.unwrap_or("");
+        let cwd = expand_and_resolve(cwd_str, &home_dir, self.state.defaults.workdir.as_deref())
+            .map_err(|e| ConnectError::new(ErrorCode::InvalidArgument, e))?;
+
+        let effective_cwd = if cwd.is_empty() { "/" } else { &cwd };
+        if let Err(_) = std::fs::metadata(effective_cwd) {
+            return Err(ConnectError::new(
+                ErrorCode::InvalidArgument,
+                format!("cwd '{effective_cwd}' does not exist"),
+            ));
+        }
+
+        let pty_opts = request.pty.as_option().and_then(|pty| {
+            pty.size
+                .as_option()
+                .map(|sz| (sz.cols as u16, sz.rows as u16))
+        });
+
+        let enable_stdin = request.stdin.unwrap_or(true);
+        let tag = request.tag.map(|s| s.to_string());
+
+        let handle = process_handler::spawn_process(
+            cmd,
+            &args,
+            &envs,
+            effective_cwd,
+            pty_opts,
+            enable_stdin,
+            tag,
+            &user,
+            &self.state.defaults.env_vars,
+        )?;
+
+        self.processes.insert(handle.pid, Arc::clone(&handle));
+
+        let processes = self.processes.clone();
+        let pid = handle.pid;
+        let mut end_rx = handle.subscribe_end();
+        tokio::spawn(async move {
+            let _ = end_rx.recv().await;
+            processes.remove(&pid);
+        });
+
+        Ok(handle)
+    }
+}
+
+impl Process for ProcessServiceImpl {
+    async fn list(
+        &self,
+        ctx: Context,
+        _request: buffa::view::OwnedView<ListRequestView<'static>>,
+    ) -> Result<(ListResponse, Context), ConnectError> {
+        let processes: Vec<ProcessInfo> = self
+            .processes
+            .iter()
+            .map(|entry| {
+                let h = entry.value();
+                ProcessInfo {
+                    config: buffa::MessageField::some(h.config.clone()),
+                    pid: h.pid,
+                    tag: h.tag.clone(),
+                    ..Default::default()
+                }
+            })
+            .collect();
+
+        Ok((
+            ListResponse {
+                processes,
+                ..Default::default()
+            },
+            ctx,
+        ))
+    }
+
+    async fn start(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<StartRequestView<'static>>,
+    ) -> Result<
+        (
+            Pin<Box<dyn Stream<Item = Result<StartResponse, ConnectError>> + Send>>,
+            Context,
+        ),
+        ConnectError,
+    > {
+        let handle = self.spawn_from_request(&request)?;
+        let pid = handle.pid;
+
+        let mut data_rx = handle.subscribe_data();
+        let mut end_rx = handle.subscribe_end();
+
+        let stream = async_stream::stream! {
+            yield Ok(make_start_response(pid));
+
+            loop {
+                match data_rx.recv().await {
+                    Ok(ev) => yield Ok(make_data_start_response(ev)),
+                    Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => continue,
+                    Err(tokio::sync::broadcast::error::RecvError::Closed) => break,
+                }
+            }
+
+            if let Ok(end) = end_rx.recv().await {
+                yield Ok(make_end_start_response(end));
+            }
+        };
+
+        Ok((Box::pin(stream), ctx))
+    }
+
+    async fn connect(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<ConnectRequestView<'static>>,
+    ) -> Result<
+        (
+            Pin<Box<dyn Stream<Item = Result<ConnectResponse, ConnectError>> + Send>>,
+            Context,
+        ),
+        ConnectError,
+    > {
+        let selector = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process selector required")
+        })?;
+        let handle = self.get_process_by_selector(selector)?;
+        let pid = handle.pid;
+
+        let mut data_rx = handle.subscribe_data();
+        let mut end_rx = handle.subscribe_end();
+
+        let stream = async_stream::stream! {
+            yield Ok(ConnectResponse {
+                event: buffa::MessageField::some(ProcessEvent {
+                    event: Some(process_event::Event::Start(Box::new(
+                        process_event::StartEvent { pid, ..Default::default() },
+                    ))),
+                    ..Default::default()
+                }),
+                ..Default::default()
+            });
+
+            loop {
+                match data_rx.recv().await {
+                    Ok(ev) => {
+                        yield Ok(ConnectResponse {
+                            event: buffa::MessageField::some(make_data_event(ev)),
+                            ..Default::default()
+                        });
+                    }
+                    Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => continue,
+                    Err(tokio::sync::broadcast::error::RecvError::Closed) => break,
+                }
+            }
+
+            if let Ok(end) = end_rx.recv().await {
+                yield Ok(ConnectResponse {
+                    event: buffa::MessageField::some(make_end_event(end)),
+                    ..Default::default()
+                });
+            }
+        };
+
+        Ok((Box::pin(stream), ctx))
+    }
+
+    async fn update(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<UpdateRequestView<'static>>,
+    ) -> Result<(UpdateResponse, Context), ConnectError> {
+        let selector = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process selector required")
+        })?;
+        let handle = self.get_process_by_selector(selector)?;
+
+        if let Some(pty) = request.pty.as_option() {
+            if let Some(size) = pty.size.as_option() {
+                handle.resize_pty(size.cols as u16, size.rows as u16)?;
+            }
+        }
+
+        Ok((UpdateResponse { ..Default::default() }, ctx))
+    }
+
+    async fn stream_input(
+        &self,
+        ctx: Context,
+        mut requests: Pin<
+            Box<
+                dyn Stream<
+                    Item = Result<
+                        buffa::view::OwnedView<StreamInputRequestView<'static>>,
+                        ConnectError,
+                    >,
+                > + Send,
+            >,
+        >,
+    ) -> Result<(StreamInputResponse, Context), ConnectError> {
+        use futures::StreamExt;
+
+        let mut handle: Option<Arc<ProcessHandle>> = None;
+
+        while let Some(result) = requests.next().await {
+            let req = result?;
+            match &req.event {
+                Some(stream_input_request::EventView::Start(start)) => {
+                    if let Some(selector) = start.process.as_option() {
+                        handle = Some(self.get_process_by_selector(selector)?);
+                    }
+                }
+                Some(stream_input_request::EventView::Data(data)) => {
+                    let h = handle.as_ref().ok_or_else(|| {
+                        ConnectError::new(ErrorCode::FailedPrecondition, "no start event received")
+                    })?;
+                    if let Some(input) = data.input.as_option() {
+                        write_input(h, input)?;
+                    }
+                }
+                Some(stream_input_request::EventView::Keepalive(_)) => {}
+                None => {}
+            }
+        }
+
+        Ok((StreamInputResponse { ..Default::default() }, ctx))
+    }
+
+    async fn send_input(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<SendInputRequestView<'static>>,
+    ) -> Result<(SendInputResponse, Context), ConnectError> {
+        let selector = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process selector required")
+        })?;
+        let handle = self.get_process_by_selector(selector)?;
+
+        if let Some(input) = request.input.as_option() {
+            write_input(&handle, input)?;
+        }
+
+        Ok((SendInputResponse { ..Default::default() }, ctx))
+    }
+
+    async fn send_signal(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<SendSignalRequestView<'static>>,
+    ) -> Result<(SendSignalResponse, Context), ConnectError> {
+        let selector = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process selector required")
+        })?;
+        let handle = self.get_process_by_selector(selector)?;
+
+        let sig = match request.signal.as_known() {
+            Some(Signal::SIGNAL_SIGKILL) => nix::sys::signal::Signal::SIGKILL,
+            Some(Signal::SIGNAL_SIGTERM) => nix::sys::signal::Signal::SIGTERM,
+            _ => {
+                return Err(ConnectError::new(
+                    ErrorCode::InvalidArgument,
+                    "invalid or unspecified signal",
+                ))
+            }
+        };
+
+        handle.send_signal(sig)?;
+        Ok((SendSignalResponse { ..Default::default() }, ctx))
+    }
+
+    async fn close_stdin(
+        &self,
+        ctx: Context,
+        request: buffa::view::OwnedView<CloseStdinRequestView<'static>>,
+    ) -> Result<(CloseStdinResponse, Context), ConnectError> {
+        let selector = request.process.as_option().ok_or_else(|| {
+            ConnectError::new(ErrorCode::InvalidArgument, "process selector required")
+        })?;
+        let handle = self.get_process_by_selector(selector)?;
+        handle.close_stdin()?;
+        Ok((CloseStdinResponse { ..Default::default() }, ctx))
+    }
+}
+
+fn write_input(handle: &ProcessHandle, input: &ProcessInputView) -> Result<(), ConnectError> {
+    match &input.input {
+        Some(process_input::InputView::Pty(d)) => handle.write_pty(d),
+        Some(process_input::InputView::Stdin(d)) => handle.write_stdin(d),
+        None => Ok(()),
+    }
+}
+
+fn make_start_response(pid: u32) -> StartResponse {
+    StartResponse {
+        event: buffa::MessageField::some(ProcessEvent {
+            event: Some(process_event::Event::Start(Box::new(
+                process_event::StartEvent {
+                    pid,
+                    ..Default::default()
+                },
+            ))),
+            ..Default::default()
+        }),
+        ..Default::default()
+    }
+}
+
+fn make_data_event(ev: DataEvent) -> ProcessEvent {
+    let output = match ev {
+        DataEvent::Stdout(d) => Some(process_event::data_event::Output::Stdout(d.into())),
+        DataEvent::Stderr(d) => Some(process_event::data_event::Output::Stderr(d.into())),
+        DataEvent::Pty(d) => Some(process_event::data_event::Output::Pty(d.into())),
+    };
+    ProcessEvent {
+        event: Some(process_event::Event::Data(Box::new(
+            process_event::DataEvent {
+                output,
+                ..Default::default()
+            },
+        ))),
+        ..Default::default()
+    }
+}
+
+fn make_data_start_response(ev: DataEvent) -> StartResponse {
+    StartResponse {
+        event: buffa::MessageField::some(make_data_event(ev)),
+        ..Default::default()
+    }
+}
+
+fn make_end_event(end: process_handler::EndEvent) -> ProcessEvent {
+    ProcessEvent {
+        event: Some(process_event::Event::End(Box::new(
+            process_event::EndEvent {
+                exit_code: end.exit_code,
+                exited: end.exited,
+                status: end.status,
+                error: end.error,
+                ..Default::default()
+            },
+        ))),
+        ..Default::default()
+    }
+}
+
+fn make_end_start_response(end: process_handler::EndEvent) -> StartResponse {
+    StartResponse {
+        event: buffa::MessageField::some(make_end_event(end)),
+        ..Default::default()
+    }
+}