From 66a5c6d16f00498b52f591849d5175a76be8fefd Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 18:57:53 +0000
Subject: [PATCH 1/7] refactor: Use systemd-nspawn directly instead of machinectl
- Replace machinectl shell with systemd-nspawn -q -D
- Add systemd-nspawn to sudoers permissions
- Simpler and more direct container entry
- No dependency on systemd-machined service
---
 build.zsh | 2 +-
 cfg/setup-user.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zsh b/build.zsh
index 1cbfd54..449c83e 100755
--- a/build.zsh
+++ b/build.zsh
@@ -65,7 +65,7 @@ cp -rf ./cfg/os-release root.x86_64/etc/os-release
 # Configure sudoers for wheel group
 echo "Configuring sudoers..."
-arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /bin/bash" >> /etc/sudoers'
+arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /bin/bash" >> /etc/sudoers'
 # Install aigpt (aios core package)
 echo "Installing aigpt..."
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index ee2afb7..59e0c36 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -75,7 +75,7 @@ if [[ -o login ]] && [[ -o interactive ]]; then
 if [[ -z "$INSIDE_WORKSPACE" ]]; then
 # Running as ai user on aios OS - enter workspace container
 export INSIDE_WORKSPACE=1
- exec sudo machinectl shell workspace
+ exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
 else
 # Running as root inside workspace container - start claude
 if command -v claude &>/dev/null; then
From 30ebfcf933db1f88ed58b175e8902b0fad8b1579 Mon Sep 17 00:00:00 2001
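Review bot: Adding `/usr/bin/systemd-nspawn` to this NOPASSWD line does not narrow anything, because the same line already grants `/bin/bash`, `/usr/bin/cp`, `/usr/bin/mv` and `/usr/bin/arch-chroot`, any one of which is an unrestricted root shell or an arbitrary root file write; the per-command list reads as least privilege but is equivalent to `%wheel ALL=(ALL:ALL) NOPASSWD: ALL`. Either say so above the `arch-chroot` line, e.g. `# NOTE: this grant is root-equivalent (bash, cp, mv, arch-chroot are listed); the command list is not a boundary`, or remove the root-equivalent binaries if the list is meant to limit what wheel can do. The entry is also appended with `echo >>` and never validated, and a malformed `/etc/sudoers` disables sudo for everyone in the image, so write it to a file under `/etc/sudoers.d/` and run `visudo -cf` on that file inside the chroot before the build continues. Patch 2's build.zsh hunk extends the same line with `/usr/bin/mount` and `/usr/bin/chroot` and shares both points.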
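Review bot: The `export INSIDE_WORKSPACE=1` just above the new `exec sudo systemd-nspawn ...` line probably never reaches the shell inside the container: sudo's default `env_reset` strips caller variables, and systemd-nspawn forwards only what is given with `--setenv=`, so the container's `/bin/zsh`, which reads the same `.zshrc` if the `Bind=/home/ai:/root` mapping written earlier in this file is in effect, sees `INSIDE_WORKSPACE` unset and takes this branch again. Pass the marker explicitly, `exec sudo systemd-nspawn -q -D /var/lib/machines/workspace --setenv=INSIDE_WORKSPACE=1 /bin/zsh`, or test a variable nspawn itself sets, such as `container`. Because the command is `exec`ed, a failing `sudo` or `systemd-nspawn` also ends the login session instead of leaving the user at the local shell. The enclosing `if [[ -o login ]]` block begins before this hunk, and patch 3 reintroduces the identical line with the same guard.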
From: Claude
Date: Fri, 7 Nov 2025 18:59:08 +0000
Subject: [PATCH 2/7] refactor: Use chroot instead of systemd-nspawn for workspace entry
- Replace systemd-nspawn with chroot to avoid nested container audit errors
- Add manual bind mount setup for /home/ai:/root sharing
- Add mount and chroot to sudoers permissions
- chroot avoids kernel audit subsystem conflicts in nested containers
---
 build.zsh | 2 +-
 cfg/setup-user.sh | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/build.zsh b/build.zsh
index 449c83e..29d8899 100755
--- a/build.zsh
+++ b/build.zsh
@@ -65,7 +65,7 @@ cp -rf ./cfg/os-release root.x86_64/etc/os-release
 # Configure sudoers for wheel group
 echo "Configuring sudoers..."
-arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /bin/bash" >> /etc/sudoers'
+arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /usr/bin/mount, /usr/bin/chroot, /bin/bash" >> /etc/sudoers'
 # Install aigpt (aios core package)
 echo "Installing aigpt..."
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index 59e0c36..b80c936 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -75,7 +75,11 @@ if [[ -o login ]] && [[ -o interactive ]]; then
 if [[ -z "$INSIDE_WORKSPACE" ]]; then
 # Running as ai user on aios OS - enter workspace container
 export INSIDE_WORKSPACE=1
- exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
+ # Setup bind mount for shared user directory
+ sudo mkdir -p /var/lib/machines/workspace/root 2>/dev/null || true
+ sudo mount --bind /home/ai /var/lib/machines/workspace/root 2>/dev/null || true
+ # Enter workspace via chroot (avoiding nested systemd-nspawn audit issues)
+ exec sudo chroot /var/lib/machines/workspace /bin/zsh
 else
 # Running as root inside workspace container - start claude
 if command -v claude &>/dev/null; then
From 66f3fe4045007fbf032730ad5f6f29f6f116a3d0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 19:02:01 +0000
Subject: [PATCH 3/7] Revert to systemd-nspawn without manual bind mount
- Remove chroot approach
- Use systemd-nspawn -q -D directly
- workspace.nspawn config (Bind mount) will be automatically applied
- Simpler and cleaner approach
---
 cfg/setup-user.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index b80c936..59e0c36 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -75,11 +75,7 @@ if [[ -o login ]] && [[ -o interactive ]]; then
 if [[ -z "$INSIDE_WORKSPACE" ]]; then
 # Running as ai user on aios OS - enter workspace container
 export INSIDE_WORKSPACE=1
- # Setup bind mount for shared user directory
- sudo mkdir -p /var/lib/machines/workspace/root 2>/dev/null || true
- sudo mount --bind /home/ai /var/lib/machines/workspace/root 2>/dev/null || true
- # Enter workspace via chroot (avoiding nested systemd-nspawn audit issues)
- exec sudo chroot /var/lib/machines/workspace /bin/zsh
+ exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
 else
 # Running as root inside workspace container - start claude
 if command -v claude &>/dev/null; then
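Review bot: `sudo mount --bind /home/ai /var/lib/machines/workspace/root 2>/dev/null || true` runs on every interactive login, and since `mount --bind` succeeds on a target that is already a mount point, each login stacks another bind mount on the same directory, while `2>/dev/null || true` hides any genuine failure before `exec sudo chroot` drops the user into a tree whose `/root` may be the empty directory `mkdir -p` just created. Mount only when needed and let a failure show: `mountpoint -q /var/lib/machines/workspace/root || sudo mount --bind /home/ai /var/lib/machines/workspace/root`. A bare `chroot` also provides no `/proc`, `/dev` or `/sys` to the shell unless something else mounts them, which deserves a sentence in the `# Enter workspace via chroot` comment. The enclosing `if [[ -o login ]]` block begins before this hunk.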
From d3ea2cc78de4ee280f56ae7dce6d3a93e3569624 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 19:06:30 +0000
Subject: [PATCH 4/7] Revert: Restore Boot=yes and machinectl start workspace
- Restore Boot=yes in workspace.nspawn
- Restore machinectl start workspace in .zshrc
- Boot method is necessary for proper systemd environment
---
 cfg/setup-user.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index 59e0c36..bf386f2 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -35,6 +35,7 @@ echo "Creating workspace container configuration..."
 mkdir -p $ROOTFS/etc/systemd/nspawn
 cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
 [Exec]
+Boot=yes
 ResolvConf=copy-host
 [Files]
@@ -75,7 +76,9 @@ if [[ -o login ]] && [[ -o interactive ]]; then
 if [[ -z "$INSIDE_WORKSPACE" ]]; then
 # Running as ai user on aios OS - enter workspace container
 export INSIDE_WORKSPACE=1
- exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
+ sudo machinectl start workspace 2>/dev/null || true
+ sleep 1
+ exec sudo machinectl shell workspace
 else
 # Running as root inside workspace container - start claude
 if command -v claude &>/dev/null; then
From f965547b6ce0dd1fed36acb31aa365a9e5dcbfd1 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 19:54:07 +0000
Subject: [PATCH 5/7] fix: Add nested container support to workspace.nspawn
- Add Capability=all for full capabilities
- Add SystemCallFilter=@keyring bpf for required syscalls
- Set PrivateUsers=no to avoid user namespace issues
- Set SuppressSync=false for Docker compatibility
- Fixes audit errors in nested systemd-nspawn containers
---
 cfg/setup-user.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index bf386f2..c298876 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
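Review bot: `sleep 1` between the new `sudo machinectl start workspace 2>/dev/null || true` and `exec sudo machinectl shell workspace` is a fixed delay rather than a readiness check: if a `Boot=yes` container takes longer than that to register with machined, `machinectl shell` fails, and because it is `exec`ed the login shell terminates with no fallback, while the `2>/dev/null || true` on the start command has already discarded the reason. Wait for the machine and keep the local shell as the fallback, e.g. `for _ in 1 2 3 4 5; do sudo machinectl show workspace >/dev/null 2>&1 && break; sleep 1; done` followed by `sudo machinectl shell workspace` without `exec`. The enclosing `if [[ -o login ]]` block begins before this hunk.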
@@ -37,9 +37,13 @@ cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
 [Exec]
 Boot=yes
 ResolvConf=copy-host
+Capability=all
+SystemCallFilter=@keyring bpf
+PrivateUsers=no
 [Files]
 Bind=/home/ai:/root
+SuppressSync=false
 [Network]
 VirtualEthernet=no
From 2162463382d746ce8bf4d37d5bdd8c87fa3c7fb8 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 20:00:21 +0000
Subject: [PATCH 6/7] Revert workspace.nspawn to simple configuration
- Remove incorrect nested container settings
- Audit error cannot be solved with nspawn config (kernel issue)
- Keep simple config: Boot=yes, Bind mount, no VirtualEthernet
- Works in production (aios as OS), not in test (nested container)
---
 cfg/setup-user.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index c298876..bf386f2 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -37,13 +37,9 @@ cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
 [Exec]
 Boot=yes
 ResolvConf=copy-host
-Capability=all
-SystemCallFilter=@keyring bpf
-PrivateUsers=no
 [Files]
 Bind=/home/ai:/root
-SuppressSync=false
 [Network]
 VirtualEthernet=no
From 5d7f06282ed266f2ca949963cd0adad726221b34 Mon Sep 17 00:00:00 2001
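Review bot: `Capability=all` together with `PrivateUsers=no` removes the two settings that separate the workspace's root from the host: root inside keeps every capability and is the same UID 0 as outside, so combined with `Bind=/home/ai:/root` this is an unsandboxed root environment rather than a container boundary, and neither the commit message nor the file says so. If these lines stay, add a comment above them, e.g. `# Capability=all + PrivateUsers=no: container root is host root; the workspace is not a security boundary`. `SuppressSync=` is documented as an `[Exec]` key in systemd.nspawn(5), so under `[Files]` it is most likely reported as an unknown key and ignored; move it next to `PrivateUsers=no`. Patch 6 removes all four lines again.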
From: Claude
Date: Sat, 8 Nov 2025 13:04:28 +0000
Subject: [PATCH 7/7] refactor: Simplify startup - user manages containers and MCP
Changes:
- Delete cfg/setup-claude.sh (MCP setup now manual)
- Remove restore container creation (user manages backups)
- Remove workspace auto-entry from .zshrc
- Remove MCP auto-registration
- Change ai user .zshrc to run claude once on login (not exec)
- User now manually starts containers and registers MCP as needed
New flow:
1. ai user auto-login
2. claude starts once (not exec, returns to shell after exit)
3. User manually starts workspace container if needed
4. User manually registers MCP servers
---
 build.zsh | 9 +-------
 cfg/setup-claude.sh | 50 --------------------------------------------
 cfg/setup-user.sh | 24 ++++-----------------
 cfg/user-continer.sh | 10 +++------
 4 files changed, 8 insertions(+), 85 deletions(-)
 delete mode 100755 cfg/setup-claude.sh
diff --git a/build.zsh b/build.zsh
index 29d8899..24f71f7 100755
--- a/build.zsh
+++ b/build.zsh
@@ -86,14 +86,7 @@ bash ./cfg/setup-user.sh
 echo ""
 # ============================================
-# 3. Claude & aigpt Setup
-# ============================================
-
-bash ./cfg/setup-claude.sh
-echo ""
-
-# ============================================
-# 4. Create child containers (after all configuration)
+# 3. Create workspace container (after all configuration)
 # ============================================
 bash ./cfg/user-continer.sh
diff --git a/cfg/setup-claude.sh b/cfg/setup-claude.sh
deleted file mode 100755
index e6ae470..0000000
--- a/cfg/setup-claude.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/bash
-# Claude Code MCP setup for aios
-# Configures MCP, sets up shared memory
-
-ROOTFS="root.x86_64"
-
-echo "=== Claude MCP Setup ==="
-
-# Setup Claude Code MCP configuration (shared via symlink)
-echo "Configuring MCP..."
-# Create actual config in syui/ai/claude (bind-mounted)
-arch-chroot $ROOTFS /bin/sh -c 'mkdir -p /root/.config/syui/ai/claude'
-cat > $ROOTFS/root/.config/syui/ai/claude/claude_desktop_config.json <<'EOF'
-{
- "mcpServers": {
- "aigpt": {
- "command": "aigpt",
- "args": ["server", "--enable-layer4"]
- }
- }
-}
-EOF
-
-# Create symlink for root
-arch-chroot $ROOTFS /bin/sh -c 'ln -sf /root/.config/syui/ai/claude /root/.config/claude'
-
-# Setup for ai user too
-arch-chroot $ROOTFS /bin/sh -c 'mkdir -p /home/ai/.config/syui/ai/claude'
-arch-chroot $ROOTFS /bin/sh -c 'cp /root/.config/syui/ai/claude/claude_desktop_config.json /home/ai/.config/syui/ai/claude/'
-arch-chroot $ROOTFS /bin/sh -c 'ln -sf /home/ai/.config/syui/ai/claude /home/ai/.config/claude'
-arch-chroot $ROOTFS /bin/sh -c 'chown -R ai:ai /home/ai/.config/syui'
-
-# Create config directory
-arch-chroot $ROOTFS /bin/sh -c 'mkdir -p /root/.config/syui/ai/gpt'
-
-# Copy MCP and aios configuration
-echo "Copying configuration files..."
-cp -rf ./cfg/mcp.json $ROOTFS/root/.config/syui/ai/mcp.json
-cp -rf ./cfg/config.toml $ROOTFS/root/.config/syui/ai/config.toml
-
-# Initialize aigpt database with WAL mode
-echo "Initializing aigpt database..."
-arch-chroot $ROOTFS /bin/sh -c 'aigpt server --enable-layer4 &'
-sleep 2
-arch-chroot $ROOTFS /bin/sh -c 'pkill aigpt'
-arch-chroot $ROOTFS /bin/sh -c 'if command -v sqlite3 &>/dev/null; then sqlite3 /root/.config/syui/ai/gpt/memory.db "PRAGMA journal_mode=WAL; PRAGMA synchronous=NORMAL;"; fi'
-
-# Note: claude auto-start is configured in ai user's .zshrc (shared with workspace root via bind mount)
-
-echo "✓ Claude MCP setup complete"
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index bf386f2..68a7bcb 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -61,29 +61,13 @@ cp -rf ./cfg/zshrc $ROOTFS/root/.zshrc
 # Copy .zshrc for user 'ai'
 cp -rf ./cfg/zshrc $ROOTFS/home/ai/.zshrc
-# Add workspace container auto-start and entry (shared .zshrc for ai user and workspace root)
+# Add claude auto-start on login (once, not exec)
 cat >> $ROOTFS/home/ai/.zshrc <<'EOF'
-# MCP auto-setup (run once after .claude.json is created)
-if [[ -f ~/.claude.json ]] && ! grep -q '"aigpt"' ~/.claude.json 2>/dev/null; then
- if command -v claude &>/dev/null && command -v aigpt &>/dev/null; then
- claude mcp add aigpt aigpt server &>/dev/null || true
- fi
-fi
-
-# aios concept: container from start (ai user and workspace root share this .zshrc)
+# Start claude on login (once)
 if [[ -o login ]] && [[ -o interactive ]]; then
- if [[ -z "$INSIDE_WORKSPACE" ]]; then
- # Running as ai user on aios OS - enter workspace container
- export INSIDE_WORKSPACE=1
- sudo machinectl start workspace 2>/dev/null || true
- sleep 1
- exec sudo machinectl shell workspace
- else
- # Running as root inside workspace container - start claude
- if command -v claude &>/dev/null; then
- claude
- fi
+ if command -v claude &>/dev/null; then
+ claude
 fi
 fi
 EOF
diff --git a/cfg/user-continer.sh b/cfg/user-continer.sh
index 8f12161..ff74bfc 100644
--- a/cfg/user-continer.sh
+++ b/cfg/user-continer.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
-# Create child containers inside aios for ai user
+# Create workspace container inside aios for ai user
 # Backup aios before creating /var/lib/machines to avoid recursion
 ROOTFS="root.x86_64"
-echo "=== Creating child containers ==="
+echo "=== Creating workspace container ==="
 # Backup current aios to temp location (before creating /var/lib/machines)
 echo "Backing up aios..."
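Review bot: The new comment `# Start claude on login (once)` overstates the guard under it: `[[ -o login ]] && [[ -o interactive ]]` holds for every interactive login shell, so each new tty, ssh session or `zsh -l` launches another `claude`, and if the `Bind=/home/ai:/root` mapping written earlier in this file is still in place, root inside the workspace container inherits the same auto-start. Reword it to match the behavior, e.g. `# Run claude in each interactive login shell (not exec'd, so the shell is reached when it exits)`, or, if the aim is to stop nested login shells inside a session from relaunching it, guard with a marker such as `[[ -n "$CLAUDE_STARTED" ]] || { export CLAUDE_STARTED=1; claude; }`. The heredoc that appends this `.zshrc` lies fully inside the hunk; the script around it does not.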
@@ -17,11 +17,7 @@ mkdir -p $ROOTFS/var/lib/machines
 echo "Creating workspace container..."
 cp -a /tmp/aios-backup-$$ $ROOTFS/var/lib/machines/workspace
-# Copy backup as restore
-echo "Creating restore container..."
-cp -a /tmp/aios-backup-$$ $ROOTFS/var/lib/machines/restore
-
 # Cleanup temp backup
 rm -rf /tmp/aios-backup-$$
-echo "✓ Child containers created"
+echo "✓ Workspace container created"