rcloud: Add experimental private cloud infrastructure for bare metal

This introduces rcloud - an experimental Rust-based REST API server and
Terraform provider for managing virtual machines on bare metal servers
using libvirt and kdevops guestfs base images. NixOS support can be
added later.

Problem Statement:

For a long time one of the most difficult things to support on kdevops
is users with different distributions and the different libvirt setting
requirements. While one possibility is to build distribution packages
(rpms/debs) for a pre-defined kdevops setup, another alternative is to
abstract away guest management entirely and let users interact with a
private local cloud solution via REST API and Terraform.

Existing options evaluated:
 * OpenStack - heavy, complex, dated architecture
 * Ubicloud - Ruby-based

rcloud provides a lightweight, Rust-based alternative designed
specifically for kernel development and testing workflows.

Administrator Setup:

System administrators install rcloud once per bare metal server:

```bash
make defconfig-rcloud
make
make rcloud
```

This deploys:
- rcloud REST API server (systemd service on port 8765)
- Terraform provider for Infrastructure as Code
- Integration with kdevops guestfs base images
- Prometheus metrics endpoint for monitoring

The admin is responsible for creating base images that users will
consume:

```bash
make rcloud-base-images
```

User Testing Workflow:

Once rcloud is installed by an admin, users can provision VMs without
requiring root access or libvirt configuration knowledge:

```bash
make defconfig-rcloud-guest-test
make
make bringup
```

This enables:
- REST API access for VM lifecycle management (create, start, stop, destroy)
- Terraform-based VM provisioning
- Base image discovery and selection
- Health monitoring and status reporting

Implementation Details:

The rcloud implementation leverages:
- REST API for VM lifecycle management
- kdevops guestfs base images (no rebuilding required)
- libvirt for underlying VM management
- Rust for performance, safety, and reliability
- Prometheus metrics endpoint for observability
- Systemd integration for service management

All Rust code is formatted using Linux kernel rustfmt standards from
.rustfmt.toml (added in install-rust-deps commit) and verified with
cargo clippy for code quality.

Documentation:
- Architecture and design: workflows/rcloud/design.md
- Testing guide: workflows/rcloud/docs/testing.md
- Authentication (future): workflows/rcloud/docs/authentication.md

Generated-by: Claude AI
Acked-by: Chuck Lever <[email protected]>
Signed-off-by: Luis Chamberlain <[email protected]>

Author: mcgrof

Makefile

@@ -179,6 +179,7 @@ endif # WORKFLOW_KOTD_ENABLE
 DEFAULT_DEPS += $(DEFAULT_DEPS_REQS_EXTRA_VARS)
 
 include scripts/install-menuconfig-deps.Makefile
+include scripts/install-rcloud-deps.Makefile
 
 include Makefile.btrfs_progs
 
@@ -197,6 +198,10 @@ endif # CONFIG_HYPERVISOR_TUNING
 include Makefile.linux-mirror
 include Makefile.docker-mirror
 
+ifeq (y,$(CONFIG_RCLOUD))
+include workflows/rcloud/Makefile
+endif
+
 ifeq (y,$(CONFIG_KDEVOPS_DISTRO_REG_METHOD_TWOLINE))
 DEFAULT_DEPS += playbooks/secret.yml
 endif

README.md

@@ -377,6 +377,7 @@ want to just use the kernel that comes with your Linux distribution.
   * [kdevops CXL docs](docs/cxl.md)
   * [kdevops NFS docs](docs/nfs.md)
   * [kdevops selftests docs](docs/selftests.md)
+  * [kdevops rcloud docs](workflows/rcloud/docs/TESTING.md)
   * [kdevops reboot-limit docs](docs/reboot-limit.md)
   * [kdevops AI workflow docs](docs/ai/README.md)
   * [kdevops vLLM workflow docs](workflows/vllm/)

defconfigs/rcloud

@@ -0,0 +1,53 @@
+# rcloud server-only configuration
+#
+# PURPOSE: Production deployment of rcloud REST API server
+#
+# Use this when:
+#   - Deploying rcloud to a dedicated server
+#   - Base images already exist (created elsewhere or separately)
+#   - You only need the rcloud server component
+#
+# For testing/development, use 'defconfig-rcloud-guest-test' instead,
+# which includes both base image creation AND rcloud server setup.
+#
+# This defconfig:
+#   - Installs the rcloud REST API server
+#   - Enables the Terraform provider
+#   - Configures the systemd service
+#   - Does NOT create base images (assumes they exist)
+#   - Does NOT create test VMs (rcloud creates them on demand via API)
+#
+# After 'make rcloud', the API will be available at:
+#   http://localhost:8765/api/v1/health
+#
+# Test with:
+#   make rcloud-status                    # Check health
+#   curl http://localhost:8765/api/v1/vms # List VMs
+#   terraform apply                       # Use Terraform provider
+
+# Skip interactive bringup (rcloud server doesn't need test VMs)
+CONFIG_SKIP_BRINGUP=y
+
+# Disable test workflows (this is a cloud infrastructure server)
+CONFIG_WORKFLOWS=n
+
+# Enable guestfs for base image management
+CONFIG_GUESTFS=y
+
+# Use Debian nocloud variant for local VM testing
+# The nocloud variant doesn't have cloud-init and is designed for bare metal/local use
+# The generic variant requires cloud-init which virt-builder removes, breaking networking
+CONFIG_GUESTFS_DEBIAN_TRIXIE_NOCLOUD_AMD64=y
+
+# Don't copy host APT sources to guest base images
+# Base images should use standard Debian repositories for reliability
+# Custom repositories can be added during per-user VM customization
+# Note: Must disable GUESTFS_DEBIAN_COPY_HOST_SOURCES (not COPY_SOURCES directly)
+# because Kconfig 'select' cannot be overridden
+CONFIG_GUESTFS_DEBIAN_COPY_HOST_SOURCES=n
+
+# Enable rcloud REST API server
+CONFIG_RCLOUD=y
+CONFIG_RCLOUD_SERVER_BIND="127.0.0.1:8765"
+CONFIG_RCLOUD_WORKERS=4
+CONFIG_RCLOUD_ENABLE_TERRAFORM_PROVIDER=y

defconfigs/rcloud-guest-test

@@ -0,0 +1,58 @@
+# rcloud user/client configuration
+#
+# PURPOSE: Provision VMs through rcloud REST API using Terraform
+#
+# This defconfig is for USERS who want to provision VMs through an existing
+# rcloud server. The admin must have already set up the rcloud server using
+# defconfig-rcloud.
+#
+# Typical workflow:
+#   # Admin setup (one time):
+#   make defconfig-rcloud
+#   make
+#   make rcloud            # Sets up rcloud server and base images
+#
+#   # User workflow (on same system or remotely):
+#   make defconfig-rcloud-guest-test
+#   make
+#   make bringup           # Provisions VMs through rcloud API using Terraform
+#
+# This treats rcloud as a local cloud provider, just like AWS or Azure.
+# Users provision VMs through the standard Terraform workflow.
+
+# Basic system configuration
+CONFIG_KDEVOPS_HOSTS_PREFIX="rcloud-test"
+
+# Number of VMs to create
+CONFIG_KDEVOPS_NODES=1
+
+# VM resources (requested from rcloud)
+CONFIG_LIBVIRT_MACHINE_TYPE_Q35=y
+CONFIG_LIBVIRT_HOST_PASSTHROUGH=y
+CONFIG_LIBVIRT_MEMORY_MB=4096
+CONFIG_LIBVIRT_VCPUS=2
+
+# Disk configuration
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_NVME=y
+CONFIG_LIBVIRT_NVME_DISK_SIZE_GIB=50
+
+# Disable test workflows (rcloud provides the infrastructure)
+CONFIG_WORKFLOWS=n
+
+# Use Terraform to provision VMs through rcloud API
+# This treats rcloud as a local cloud provider, similar to AWS/Azure
+CONFIG_TERRAFORM=y
+CONFIG_TERRAFORM_RCLOUD=y
+CONFIG_TERRAFORM_RCLOUD_API_URL="http://localhost:8765"
+# Use nocloud variant to match the base image created by defconfig-rcloud
+# The nocloud variant doesn't have cloud-init and works better for local testing
+CONFIG_TERRAFORM_RCLOUD_BASE_IMAGE="debian-13-nocloud-amd64-daily.raw"
+
+# IMPORTANT: SSH key configuration for rcloud service
+# The rcloud service cannot access files in ~/.ssh/ due to directory permissions.
+# You MUST configure the SSH key path to a location accessible by the rcloud service.
+# Recommended: Store keys in your kdevops directory, for example:
+#   CONFIG_TERRAFORM_SSH_CONFIG_PUBKEY_FILE="/path/to/kdevops/kdevops_terraform.pub"
+# The private key path will automatically derive from the public key path (removes .pub suffix).
+# After loading this defconfig, run 'make menuconfig' and update the SSH paths under:
+#   "Bring up methods" -> "Terraform ssh configuration" -> "SSH public key file"

kconfigs/workflows/Kconfig

@@ -614,3 +614,5 @@ config KDEVOPS_WORKFLOW_NAME
 endif
 
 endif # WORKFLOWS
+
+source "workflows/rcloud/Kconfig"

playbooks/install-rcloud-deps.yml

@@ -0,0 +1,5 @@
+---
+- name: Install rcloud build dependencies
+  hosts: localhost
+  roles:
+    - role: install-rcloud-deps

playbooks/rcloud.yml

@@ -0,0 +1,107 @@
+---
+- name: Install and configure rcloud REST API server
+  hosts: localhost
+  become: yes
+  become_method: sudo
+  tasks:
+    - name: Ensure rcloud binary was built
+      stat:
+        path: "{{ playbook_dir }}/../workflows/rcloud/target/release/rcloud"
+      register: rcloud_binary
+      failed_when: not rcloud_binary.stat.exists
+
+    - name: Install rcloud binary
+      copy:
+        src: "{{ playbook_dir }}/../workflows/rcloud/target/release/rcloud"
+        dest: /usr/local/bin/rcloud
+        mode: '0755'
+        owner: root
+        group: root
+
+    - name: Create rcloud system user
+      user:
+        name: rcloud
+        system: yes
+        shell: /usr/sbin/nologin
+        home: /var/lib/rcloud
+        create_home: yes
+
+    - name: Create rcloud configuration directory
+      file:
+        path: /etc/rcloud
+        state: directory
+        mode: '0755'
+        owner: root
+        group: root
+
+    - name: Create systemd service file
+      copy:
+        dest: /etc/systemd/system/rcloud.service
+        mode: '0644'
+        owner: root
+        group: root
+        content: |
+          [Unit]
+          Description=rcloud REST API server for VM management
+          Documentation=https://github.com/linux-kdevops/kdevops
+          After=network.target libvirtd.service
+          Requires=libvirtd.service
+
+          [Service]
+          Type=simple
+          User=rcloud
+          Group=rcloud
+          WorkingDirectory={{ topdir_path }}
+          Environment="KDEVOPS_ROOT={{ topdir_path }}"
+          Environment="RUST_LOG=info"
+          Environment="RCLOUD_STORAGE_POOL_PATH={{ kdevops_storage_pool_path | default(libvirt_storage_pool_path) }}"
+          Environment="RCLOUD_BASE_IMAGES_DIR={{ guestfs_base_image_dir }}"
+          Environment="RCLOUD_LIBVIRT_URI={{ libvirt_uri | default('qemu:///system') }}"
+          Environment="RCLOUD_NETWORK_BRIDGE={{ libvirt_bridge_name | default('default') }}"
+          ExecStart=/usr/local/bin/rcloud
+          Restart=on-failure
+          RestartSec=5s
+
+          # Security hardening
+          NoNewPrivileges=true
+          PrivateTmp=true
+          ProtectSystem=strict
+          ProtectHome=true
+          ReadWritePaths=/var/lib/rcloud {{ kdevops_storage_pool_path | default(libvirt_storage_pool_path) }}
+          ReadOnlyPaths={{ topdir_path }} {{ kdevops_storage_pool_path | default(libvirt_storage_pool_path) }}/guestfs
+
+          [Install]
+          WantedBy=multi-user.target
+
+    - name: Add rcloud user to libvirt-qemu group
+      user:
+        name: rcloud
+        groups: "{{ libvirt_qemu_group | default('libvirt-qemu') }}"
+        append: yes
+
+    - name: Reload systemd daemon
+      systemd:
+        daemon_reload: yes
+
+    - name: Enable rcloud service
+      systemd:
+        name: rcloud
+        enabled: yes
+
+    - name: Extract port from bind address
+      set_fact:
+        rcloud_port: "{{ (rcloud_server_bind | default('127.0.0.1:8765')).split(':')[1] }}"
+
+    - name: Display service status instructions
+      debug:
+        msg:
+          - "rcloud service installed successfully"
+          - "Start the service with: sudo systemctl start rcloud"
+          - "Check status with: sudo systemctl status rcloud"
+          - "View logs with: sudo journalctl -u rcloud -f"
+          - ""
+          - "API will be available at: http://{{ rcloud_server_bind | default('127.0.0.1:8765') }}"
+          - ""
+          - "Test with:"
+          - "  curl http://localhost:{{ rcloud_port }}/api/v1/health"
+          - "  curl http://localhost:{{ rcloud_port }}/api/v1/status"

playbooks/roles/base_image/templates/virt-builder.j2

@@ -34,12 +34,16 @@ sm-unregister
 {% if guestfs_debian is defined and guestfs_debian %}
 {# Ugh, debian has to be told to bring up the network and regenerate ssh keys #}
 {# Hope we get that interface name right! #}
-install isc-dhcp-client,ifupdown
+install isc-dhcp-client,ifupdown,openssh-server
 mkdir /etc/network/interfaces.d/
 append-line /etc/network/interfaces.d/enp1s0:auto enp1s0
 append-line /etc/network/interfaces.d/enp1s0:allow-hotplug enp1s0
 append-line /etc/network/interfaces.d/enp1s0:iface enp1s0 inet dhcp
-firstboot-command systemctl disable systemd-networkd-wait-online.service
+run-command systemctl disable systemd-networkd.service
+run-command systemctl disable systemd-networkd-wait-online.service
+run-command systemctl mask systemd-networkd.service
+run-command systemctl enable networking.service
+run-command systemctl enable [email protected]
 firstboot-command systemctl stop ssh
 firstboot-command DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -p low --force openssh-server
 firstboot-command systemctl start ssh

playbooks/roles/gen_tfvars/templates/rcloud/terraform.tfvars.j2

@@ -0,0 +1,16 @@
+# rcloud Terraform provider configuration
+rcloud_api_url = "{{ terraform_rcloud_api_url }}"
+rcloud_base_image = "{{ terraform_rcloud_base_image }}"
+
+# SSH configuration
+ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
+ssh_config_privkey_file = "{{ kdevops_terraform_ssh_config_privkey_file }}"
+ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
+ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
+# Use unique SSH config file per directory to avoid conflicts
+ssh_config_name = "{{ kdevops_ssh_config_prefix }}{{ topdir_path_sha256sum[:8] }}"
+
+ssh_config_update = {{ kdevops_terraform_ssh_config_update | lower }}
+ssh_config_use_strict_settings = {{ kdevops_terraform_ssh_config_update_strict | lower }}
+ssh_config_backup = {{ kdevops_terraform_ssh_config_update_backup | lower }}

playbooks/roles/install-rcloud-deps/tasks/install-deps/debian/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Install rcloud-specific build dependencies
+  become: true
+  become_method: sudo
+  ansible.builtin.apt:
+    name:
+      - libvirt-dev
+    state: present
+    update_cache: false
+  tags: ["rcloud", "deps"]