Distro CLI: Add proxy device infrastructure for testing

- Add Docker-based proxy device container simulating FBOSS services
- Add btrfs snapshot support for service root directories
- Add systemd service templates for FBOSS services
- Add device initialization and entrypoint scripts
- Update device_test.py with proxy device integration tests

This enables end-to-end testing of device update functionality.

Author: raghav-nexthop

fboss-image/distro_cli/tests/device_test.py

@@ -100,20 +100,14 @@ def tearDownClass(cls):
         shutil.rmtree(cls.container_temp_dir, ignore_errors=True)
 
     def setup_image_command_test(self):
-        """Set up PXE boot infrastructure for image command tests.
-
-        Waits for the container's run_distro_infra.sh script to create the cache
-        directory and copy iPXE boot files.
-        """
+        """Wait for container to create PXE boot infrastructure."""
         cache_dir = self.container_persistent_dir / "cache"
 
-        # Wait for cache directory to be created by container
         waitfor(
             cache_dir.exists,
             lambda: self.fail("Timed out waiting for cache directory to be created"),
         )
 
-        # Wait for all iPXE files to be created by container
         for filename in self.IPXE_FILES:
             cache_file = cache_dir / filename
             waitfor(

fboss-image/distro_cli/tests/proxy_device/Dockerfile

@@ -0,0 +1,71 @@
+FROM quay.io/centos/centos:stream9
+
+# Install systemd and clean up
+RUN dnf install -y systemd systemd-libs && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf && \
+    # Remove unnecessary systemd units
+    rm -f /etc/systemd/system/*.wants/* \
+          /lib/systemd/system/multi-user.target.wants/* \
+          /lib/systemd/system/local-fs.target.wants/* \
+          /lib/systemd/system/sockets.target.wants/*udev* \
+          /lib/systemd/system/sockets.target.wants/*initctl* \
+          /lib/systemd/system/basic.target.wants/* \
+          /lib/systemd/system/anaconda.target.wants/*
+
+# Install EPEL for btrfs-progs
+RUN dnf install -y epel-release && dnf clean all && rm -rf /var/cache/dnf
+
+# Install SSH server and btrfs tools
+RUN dnf install -y \
+    openssh-server openssh-clients \
+    btrfs-progs \
+    tar zstd \
+    procps-ng \
+    rsync \
+    && dnf clean all && rm -rf /var/cache/dnf
+
+# Configure SSH
+RUN ssh-keygen -A && \
+    mkdir -p /root/.ssh && \
+    chmod 700 /root/.ssh
+
+# Allow passwordless root login since it is only used in integration tests
+RUN sed -i 's/^root:[^:]*:/root::/' /etc/shadow && \
+    sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
+    sed -i 's/^UsePAM yes/UsePAM no/' /etc/ssh/sshd_config.d/50-redhat.conf
+
+# Create FBOSS directory structure
+RUN mkdir -p /opt/fboss/bin /opt/fboss/lib /updates
+
+# Copy service template and create all service scripts from it
+COPY parts/services/service_template.sh /tmp/service_template.sh
+RUN for svc in wedge_agent fsdb qsfp_service platform_manager sensor_service fan_service data_corral_service; do \
+        cp /tmp/service_template.sh /opt/fboss/bin/$svc; \
+    done && \
+    rm /tmp/service_template.sh
+
+# Copy setup scripts
+COPY parts/systemd/ /etc/systemd/system/
+COPY parts/setup_btrfs.sh /usr/local/bin/
+COPY parts/entrypoint.sh /usr/local/bin/
+
+RUN chmod +x /opt/fboss/bin/* /usr/local/bin/*.sh
+
+# Enable services, SSH, and device init
+RUN systemctl enable sshd && \
+    systemctl enable device-init && \
+    systemctl enable wedge_agent && \
+    systemctl enable fsdb && \
+    systemctl enable qsfp_service && \
+    systemctl enable platform_manager && \
+    systemctl enable sensor_service && \
+    systemctl enable fan_service && \
+    systemctl enable data_corral_service
+
+EXPOSE 22
+
+# Use systemd as init
+CMD ["/sbin/init"]

fboss-image/distro_cli/tests/proxy_device/README.md

@@ -0,0 +1,150 @@
+# Proxy Device
+
+A Docker container that simulates a FBOSS device for testing the `fboss-image` CLI commands, particularly the `device update` functionality.
+
+## Purpose
+
+The `device update` command creates btrfs subvolumes, installs artifacts, and restarts services. Testing this against real hardware is slow and impractical during development.
+
+This container provides a lightweight simulation that:
+- Runs systemd as init (like a real device)
+- Creates a btrfs filesystem on a loopback file
+- Runs proxy FBOSS services in per-service btrfs subvolumes
+- Accepts SSH connections for CLI commands
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  proxy_device                                               │
+│                                                             │
+│  ┌─────────────────────────────────────────────────────┐    │
+│  │  systemd (PID 1)                                    │    │
+│  │                                                     │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │    │
+│  │  │ wedge_agent │  │    fsdb     │  │ qsfp_service│  │    │
+│  │  │ (subvol)    │  │ (subvol)    │  │ (subvol)    │  │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘  │    │
+│  │                                                     │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │    │
+│  │  │platform_mgr │  │ sensor_svc  │  │ fan_service │  │    │
+│  │  │ (subvol)    │  │ (subvol)    │  │ (subvol)    │  │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘  │    │
+│  │                                                     │    │
+│  │  ┌─────────────┐                                    │    │
+│  │  │data_corral  │        sshd (port 22)              │    │
+│  │  │ (subvol)    │                                    │    │
+│  │  └─────────────┘                                    │    │
+│  └─────────────────────────────────────────────────────┘    │
+│                                                             │
+│  /mnt/btrfs/                                                │
+│  ├── distro-base/          (base subvolume)                 │
+│  └── updates/                                               │
+│      ├── wedge_agent-<ts>/  (service subvolume)             │
+│      ├── fsdb-<ts>/                                         │
+│      ├── qsfp_service-<ts>/                                 │
+│      └── ...                                                │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Directory Structure Within Subvolumes
+
+Each btrfs subvolume contains the FBOSS directory structure:
+
+```
+/opt/fboss/
+├── bin/
+│   └── <service>       # Service script (replaced by update)
+└── lib/                # Shared libraries
+```
+
+- **Service scripts** (`/opt/fboss/bin/`) are stub scripts that write their version to `/var/run/<service>.version` and loop forever.
+- Updates replace these scripts with new versions.
+- Tests verify updates by checking the version file contents.
+
+## Key Components
+
+### Dockerfile
+Builds a CentOS Stream 9 image with:
+- systemd as init
+- btrfs-progs for filesystem operations
+- SSH server with passwordless root access
+- FBOSS service scripts at `/opt/fboss/bin/`
+
+### parts/setup_btrfs.sh
+Runs at first boot via `device-init.service`:
+1. Creates a 512MB loopback file at `/var/btrfs.img`
+2. Formats it as btrfs and mounts at `/mnt/btrfs`
+3. Creates `distro-base` subvolume with FBOSS directory structure
+4. Snapshots base into per-service subvolumes under `/updates/`
+5. Creates systemd drop-ins setting `RootDirectory=` for each service
+
+### parts/services/<service>
+Each service script (wedge_agent, fsdb, etc.) is a simple stub that:
+1. Writes its VERSION to `/var/run/<service>.version`
+2. Logs startup to `/var/log/<service>.log`
+3. Loops forever with `sleep 60`
+
+The initial version is "1.0.0". Updates replace the script with a new version.
+
+### Version Verification
+
+Each service writes its version to `/var/run/<service>.version` **inside its btrfs subvolume**.
+
+To verify from outside the service:
+```bash
+# Find the service's subvolume and check version
+SUBVOL=$(ls -d /mnt/btrfs/updates/wedge_agent-* | head -1)
+cat $SUBVOL/var/run/wedge_agent.version
+# Output: 1.0.0 (before update) or 2.0.0 (after update)
+```
+
+Integration tests use this flow:
+1. Start container → services run with VERSION="1.0.0"
+2. Deploy update with VERSION="2.0.0" artifacts
+3. Restart service
+4. Verify version file changed to "2.0.0"
+
+## Usage
+
+```bash
+# Build the container image
+./build.sh
+
+# Run standalone (for debugging)
+docker run -d --privileged --cgroupns=host --name proxy-device \
+    fboss_proxy_device /sbin/init
+
+# SSH into it (passwordless root login)
+ssh root@<container-ip>
+
+# Check services
+docker exec proxy-device systemctl status wedge_agent
+
+# Check subvolumes
+docker exec proxy-device ls /mnt/btrfs/updates/
+
+# Check service version
+docker exec proxy-device bash -c 'cat /mnt/btrfs/updates/wedge_agent-*/var/run/wedge_agent.version'
+```
+
+## Testing Updates
+
+The `update` command replaces service scripts and restarts services.
+
+**How it works:**
+
+1. Service scripts start with VERSION="1.0.0" at `/opt/fboss/bin/<service>`
+2. Systemd runs these scripts: `ExecStart=/opt/fboss/bin/<service>`
+3. Updates replace scripts with new versions (e.g., VERSION="2.0.0")
+4. Service restarts and writes new version to `/var/run/<service>.version`
+
+Tests verify updates by checking:
+- Version file contains expected version
+- Service is running (via systemctl status)
+- Log file shows new startup entry
+
+## Requirements
+
+- Docker with `--privileged` support (for systemd and loopback mounts)
+- `--cgroupns=host` for proper cgroup management

fboss-image/distro_cli/tests/proxy_device/build.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+cd "$(dirname "$0")"
+
+DOCKER_BUILDKIT=1 docker build . -t fboss_proxy_device

fboss-image/distro_cli/tests/proxy_device/parts/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Entrypoint script for device container
+# This is called by systemd after boot
+
+set -e
+
+# Setup btrfs loopback filesystem if not already done
+if [ ! -f /var/btrfs.img ]; then
+  /usr/local/bin/setup_btrfs.sh
+fi
+
+echo "Device container ready"

fboss-image/distro_cli/tests/proxy_device/parts/services/service_template.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+VERSION="1.0.0"
+SERVICE_NAME=$(basename "$0")
+VERSION_FILE="/var/run/${SERVICE_NAME}.version"
+LOG_FILE="/var/log/${SERVICE_NAME}.log"
+
+mkdir -p /var/run /var/log
+echo "$VERSION" >"$VERSION_FILE"
+echo "$(date): $SERVICE_NAME v$VERSION started (pid $$)" >>"$LOG_FILE"
+
+while true; do sleep 60; done

fboss-image/distro_cli/tests/proxy_device/parts/setup_btrfs.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+# Setup btrfs loopback filesystem with base snapshot and per-stack volumes
+set -euo pipefail
+
+# Remove nologin file to allow SSH login (systemd creates this during boot)
+rm -f /run/nologin /var/run/nologin
+
+BTRFS_IMG=/var/btrfs.img
+BTRFS_MOUNT=/mnt/btrfs
+
+# Skip btrfs setup if already mounted (but nologin removal above always runs)
+if mountpoint -q "$BTRFS_MOUNT" 2>/dev/null; then
+  echo "btrfs already mounted, skipping"
+  exit 0
+fi
+DISTRO_BASE=/distro-base
+
+# Clean up any stale loop devices from previous container runs
+# (loop devices are shared with host and persist after container exit)
+for dev in $(losetup -j "$BTRFS_IMG" 2>/dev/null | cut -d: -f1); do
+  losetup -d "$dev" 2>/dev/null || true
+done
+
+# Clean up any existing file from previous failed runs
+rm -f $BTRFS_IMG
+
+# Create loopback file (1GB to accommodate full root filesystem copy)
+dd if=/dev/zero of=$BTRFS_IMG bs=1M count=1024
+
+# Set up loop device first, then format and mount
+mkdir -p $BTRFS_MOUNT
+LOOP_DEV=$(losetup -f --show $BTRFS_IMG)
+mkfs.btrfs $LOOP_DEV
+mount $LOOP_DEV $BTRFS_MOUNT
+
+# Copy the container's root filesystem to btrfs (mimics ONIE extracting rootfs)
+# Exclude special filesystems and the btrfs image itself to avoid recursion
+echo "Copying root filesystem to btrfs..."
+rsync -aAX \
+  --exclude=/dev/* \
+  --exclude=/proc/* \
+  --exclude=/sys/* \
+  --exclude=/run/* \
+  --exclude=/mnt/* \
+  --exclude=/tmp/* \
+  --exclude=/var/btrfs.img \
+  / $BTRFS_MOUNT/
+
+# Create base snapshot from the root copy (mimics real device installation)
+# This is what install.sh.tmpl does: btrfs subvolume snapshot ${demo_mnt} ${demo_mnt}/distro-base
+echo "Creating base snapshot..."
+btrfs subvolume snapshot $BTRFS_MOUNT $BTRFS_MOUNT/distro-base
+
+# Fix /var/run symlink: replace with real directory so services can write version files
+# when running with RootDirectory isolation
+if [ -L $BTRFS_MOUNT/distro-base/var/run ]; then
+  rm $BTRFS_MOUNT/distro-base/var/run
+  mkdir -p $BTRFS_MOUNT/distro-base/var/run
+fi
+
+# Create symlinks for easy access (remove existing dirs first)
+rm -rf $DISTRO_BASE /updates
+ln -sf $BTRFS_MOUNT/distro-base $DISTRO_BASE
+
+# Create updates directory on btrfs
+mkdir -p $BTRFS_MOUNT/updates
+ln -sf $BTRFS_MOUNT/updates /updates
+
+echo "Base snapshot created at $DISTRO_BASE (snapshot of root filesystem)"
+
+# Create initial per-service subvolumes (mimics first update)
+# This allows integration tests to verify services run in subvolumes
+echo "Creating initial service subvolumes..."
+SERVICES="wedge_agent fsdb qsfp_service platform_manager sensor_service fan_service data_corral_service"
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+
+for svc in $SERVICES; do
+  SUBVOL_PATH="$BTRFS_MOUNT/updates/${svc}-${TIMESTAMP}"
+  echo "  Creating subvolume for $svc at $SUBVOL_PATH"
+  btrfs subvolume snapshot $BTRFS_MOUNT/distro-base "$SUBVOL_PATH"
+
+  # Convert /var/run symlink to real directory so version files persist in subvolume
+  # (by default /var/run -> ../run which points to tmpfs outside the subvolume)
+  rm -f "$SUBVOL_PATH/var/run"
+  mkdir -p "$SUBVOL_PATH/var/run"
+
+  # Create systemd drop-in to run service in its subvolume
+  DROPIN_DIR="/etc/systemd/system/${svc}.service.d"
+  mkdir -p "$DROPIN_DIR"
+  cat >"$DROPIN_DIR/root-override.conf" <<EOF
+[Service]
+RootDirectory=$SUBVOL_PATH
+EOF
+done
+
+# Reload systemd to pick up the drop-ins
+systemctl daemon-reload
+
+echo "btrfs setup complete: Base=$DISTRO_BASE, Services in subvolumes"

fboss-image/distro_cli/tests/proxy_device/parts/systemd/data_corral_service.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Data Corral Service
+After=network.target device-init.service
+Requires=device-init.service
+
+[Service]
+Type=simple
+ExecStart=/opt/fboss/bin/data_corral_service
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target