Deep Review: 20260408-163819-pr-280

Date	2026-04-08 16:38
Repo	rancher-sandbox/rancher-desktop-daemon
Round	2 (of PR 280)
Mode	Standard
Author	@jandubois
PR	#280 — Add host-switch virtual network for WSL2 instances
Branch	`host-switch`
Commits	`6eee65c` Add host-switch virtual network for WSL2 instances
Reviewers	Claude Opus 4.6, Codex GPT 5.4, Gemini 3.1 Pro
Verdict	Merge with fixes — concurrency bugs in the vsock handshake and a missing cleanup call need attention
Wall-clock time	`24 min 15 s`

Executive Summary ¶

This PR ports the host-switch virtual network from rancher-desktop's networking module into the LimaVM controller as an in-process goroutine, enabling WSL2 instances to get network connectivity via gvisor-tap-vsock over AF_VSOCK. The implementation is well-structured with clean lifecycle integration and thorough documentation. The main risks are concurrency bugs in the vsock handshake protocol — nested goroutines that can panic on a closed channel, missing read deadlines that leak goroutines, and a signalListenerReady call that ignores context — plus one missing stopHostSwitch call in a lifecycle branch.

Critical Issues ¶

None.

Important Issues ¶

I1. Missing stopHostSwitch in handleWatchedState default case Claude ¶

When the hostagent exits while shouldRun is false, the watcher is stopped at line 267 but the host-switch goroutine is not. The host-switch holds a vsock listener, a gvisor-tap-vsock virtual network, and an HTTP server — all permanently leaked. If the VM restarts later, startHostSwitch at line 116 overwrites the hostSwitchStates entry, making the old goroutine unreachable.

Every other teardown path calls stopHostSwitch: handleDeletion (line 40), crash recovery in phaseStopped && shouldRun (line 213), handleRestartNeeded (line 333), stopInstance (line 505), and shutdownAllHostagents (line 543). This branch is the sole gap.

pkg/controllers/lima/limavm/controllers/limavm_lifecycle.go

		if inst == nil {
			return ctrl.Result{}, errors.New("instance not found")
		}
		return r.stopInstance(ctx, limaVM, inst)

	default:
		// phase == phaseStopped && !shouldRun
		r.stopWatcher(limaVM.Name)
		if !base.HasConditionWithReason(limaVM.Status.Conditions, ConditionRunning, metav1.ConditionFalse, ReasonStopped) {
			if err := r.updateCondition(ctx, limaVM, ConditionRunning, metav1.ConditionFalse, ReasonStopped, "Lima instance is stopped"); err != nil {
				logger.Error(err, "Failed to update stopped condition")
				return ctrl.Result{}, err
			}
		}
		return ctrl.Result{}, nil
	}
}

Fix:

 	default:
 		// phase == phaseStopped && !shouldRun
 		r.stopWatcher(limaVM.Name)
+		r.stopHostSwitch(limaVM.Name)
 		if !base.HasConditionWithReason(limaVM.Status.Conditions, ConditionRunning, metav1.ConditionFalse, ReasonStopped) {

I2. Nested handshake goroutines can panic on closed found channel Codex ¶

getVMGUID closes found at line 333 after the per-VM attemptHandshake goroutines finish (wg.Wait()), but attemptHandshake spawns a nested goroutine every second that is not tracked by the WaitGroup. When context cancellation causes attemptHandshake to return, wg.Wait() completes and close(found) fires while nested goroutines are still in-flight. Any goroutine that passed the ctx.Err() check at line 363 before cancellation, then completes readSignature after close(found), will send on a closed channel and panic.

In Go, sending on a closed channel panics even inside a select with a default case. The one-second ticker guarantees multiple in-flight goroutines during normal operation, making this race plausible during startup.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

	found := make(chan hvsock.GUID, len(names))
	var wg sync.WaitGroup

	for _, name := range names {
		vmGUID, err := hvsock.GUIDFromString(name)
		if err != nil {
			logger.V(1).Info("Skipping invalid VM GUID", "name", name, "error", err)
			continue
		}
		wg.Add(1)
		go func() {
			defer wg.Done()
			attemptHandshake(ctx, logger, vmGUID, found)
		}()
	}

	// Close found channel when all handshake goroutines finish, so the
	// select below can detect "no match" without blocking forever.
	go func() {
		wg.Wait()
		close(found)
	}()

	select {
	case vmGUID, ok := <-found:
		if !ok {
			return hvsock.GUIDZero, errors.New("no VM matched the signature phrase")
		}
		return vmGUID, nil
	case <-ctx.Done():
		return hvsock.GUIDZero, fmt.Errorf("VM GUID discovery timed out: %w", ctx.Err())
	}
}

// attemptHandshake polls a single VM GUID once per second, trying to match
// the signature phrase.
func attemptHandshake(ctx context.Context, logger logr.Logger, vmGUID hvsock.GUID, found chan<- hvsock.GUID) {
	ticker := time.NewTicker(time.Second)
	defer ticker.Stop()

	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			// Dial in a goroutine to avoid blocking on hvsock.Dial timeout.
			go func() {
				conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
				if ctx.Err() != nil {
					if conn != nil {
						conn.Close()
					}
					return
				}
				if err != nil {
					logger.V(1).Info("Handshake dial failed", "vmGUID", vmGUID.String(), "error", err)
					return
				}

				sig, err := readSignature(conn)
				conn.Close()
				if err != nil {
					logger.V(1).Info("Handshake read failed", "vmGUID", vmGUID.String(), "error", err)
					return
				}
				if sig == signaturePhrase {
					logger.V(1).Info("Signature matched", "vmGUID", vmGUID.String())
					select {
					case found <- vmGUID:
					default:
					}
				}
			}()
		}
	}
}

Fix: Remove the nested goroutine and perform the dial synchronously within the ticker loop. This limits concurrency to one outstanding probe per VM, which also addresses the goroutine accumulation issue (see I3).

         case <-ticker.C:
-            go func() {
-                conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
-                if ctx.Err() != nil {
-                    if conn != nil {
-                        conn.Close()
-                    }
-                    return
-                }
+                conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
+                if ctx.Err() != nil {
+                    if conn != nil {
+                        conn.Close()
+                    }
+                    continue
+                }

I3. Missing read deadline on readSignature causes goroutine leak Claude Gemini ¶

io.ReadFull at line 395 has no read deadline. If a VM accepts the connection but sends no data (or sends partial data), the goroutine blocks forever. Combined with the nested goroutine spawning in attemptHandshake, multiple goroutines can accumulate over the 5-minute handshake timeout — up to 300 per VM GUID.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

// readSignature reads the signature phrase from the peer.
func readSignature(conn net.Conn) (string, error) {
	buf := make([]byte, len(signaturePhrase))
	if _, err := io.ReadFull(conn, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

Fix: Set a read deadline before the read:

 func readSignature(conn net.Conn) (string, error) {
+    if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
+        return "", err
+    }
     buf := make([]byte, len(signaturePhrase))

I4. Host-switch failure has no recovery path Codex Gemini ¶

If runHostSwitch fails after startup (handshake timeout, virtual network failure, listener error), it logs the error and exits silently. Unlike the hostagent watcher, which enqueues reconciles on state changes, the host-switch has no mechanism to notify the controller. The guest's network-setup.service blocks on the handshake during boot, so the VM hangs permanently without triggering a restart.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

	})

	logger.Info("Host-switch running", "subnet", subnet.SubnetCIDR, "gateway", subnet.GatewayIP)

	if err := g.Wait(); err != nil {
		logger.Error(err, "Host-switch exited with error")
	} else {
		logger.Info("Host-switch stopped")
	}
}

Fix: When runHostSwitch exits unexpectedly (context not cancelled), enqueue a reconcile so the controller can restart the host-switch or the entire instance.

I5. signalListenerReady does not respect context or timeout Gemini ¶

signalListenerReady calls hvsock.Dial (via getVsockConnection at line 403) without any timeout or context. The handshakeTimeout applied to getVMGUID at line 268 does not cover this call. If the VM becomes unresponsive between discovery and signaling, hvsock.Dial can hang indefinitely. This blocks runHostSwitch from exiting, which blocks stopHostSwitch on <-state.done, which stalls the controller's reconcile loop.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

// signalListenerReady tells the guest that the data listener is ready.
func signalListenerReady(vmGUID hvsock.GUID) error {
	conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte(readySignal))
	return err
}

Fix: Pass a context and enforce a timeout:

-func signalListenerReady(vmGUID hvsock.GUID) error {
-    conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
+func signalListenerReady(ctx context.Context, vmGUID hvsock.GUID) error {
+    type result struct {
+        err error
+    }
+    ch := make(chan result, 1)
+    go func() {
+        conn, err := getVsockConnection(vmGUID, vsockHandshakePort)
+        if err != nil {
+            ch <- result{err}
+            return
+        }
+        defer conn.Close()
+        _, err = conn.Write([]byte(readySignal))
+        ch <- result{err}
+    }()
+    select {
+    case r := <-ch:
+        return r.err
+    case <-ctx.Done():
+        return ctx.Err()
+    }
+}

Suggestions ¶

S1. Defensive double-start guard in startHostSwitch Claude Gemini ¶

If startHostSwitch is called while a host-switch already exists for the same instance, the old entry is silently overwritten, leaking the old goroutine. Current call sites prevent this by calling stopHostSwitch first, but a defensive check would catch future regressions.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

	}

	hsCtx, hsCancel := context.WithCancel(ctx)
	done := make(chan struct{})

	r.hostSwitchMu.Lock()
	r.hostSwitchStates[name] = &hostSwitchState{
		cancel: hsCancel,
		done:   done,
	}
	r.hostSwitchMu.Unlock()

	logger := logr.FromContextOrDiscard(ctx).WithValues("instance", name, "component", "host-switch")
	go r.runHostSwitch(hsCtx, logger, done)
}

Fix:

 r.hostSwitchMu.Lock()
+if old, exists := r.hostSwitchStates[name]; exists {
+    r.hostSwitchMu.Unlock()
+    old.cancel()
+    <-old.done
+    r.hostSwitchMu.Lock()
+}
 r.hostSwitchStates[name] = &hostSwitchState{

S2. Design doc references non-existent hostswitch.go Claude ¶

The file table describes a platform-independent hostswitch.go, but only hostswitch_windows.go and hostswitch_other.go exist. Either update the table to match reality, or extract validateSubnet, hostSwitchSubnet, and newVirtualNetworkConfig into a platform-independent file (which would also allow the unit tests to run on all platforms).

S3. Timeout increase from 60s to 150s lacks comment Claude ¶

The Created condition timeout was increased 2.5x, presumably because downloading the opensuse distro image is slower than the Finch rootfs. A brief comment would prevent someone from reverting it without understanding the reason.

S4. Exclude non-matching VMs from further handshake attempts Gemini ¶

When readSignature reads a valid but non-matching signature, attemptHandshake loops and dials the same VM again one second later. It bombards that VM for the full 5-minute timeout. If the signature does not match, exit the loop — the VM cannot be the target distro.

S5. Synchronous AcceptStdio blocks concurrent connections Gemini ¶

AcceptStdio blocks until the connection closes, so the accept loop can serve only one connection at a time. In the normal case there is exactly one data connection from vm-switch, so this works. If vm-switch crashes and reconnects before the host detects the disconnect (half-open connection), the new connection waits behind the old one. Processing connections concurrently would handle this edge case.

pkg/controllers/lima/limavm/controllers/hostswitch_windows.go

	// Accept vsock connections and feed them into the virtual network.
	g.Go(func() error {
		for {
			conn, err := ln.Accept()
			if err != nil {
				// Listener closed (context cancelled).
				return nil //nolint:nilerr // Expected on shutdown.
			}
			if err := vn.AcceptStdio(ctx, conn); err != nil {
				logger.Error(err, "Failed to accept connection into virtual network")
			} else {
				logger.Info("Accepted vsock connection")
			}
		}
	})

Design Observations ¶

Concerns ¶

Host-switch lifecycle is coupled by convention, not structure (future) Claude — The host-switch goroutine's context derives from the reconciler context, not from the hostagent's lifecycle. Cleanup depends on every teardown path remembering to call both stopWatcher and stopHostSwitch. A single missed call leaks the goroutine (I1). Tying the host-switch context to the watcher's context would provide structural safety instead of relying on convention.

Host-switch introduces a second unmonitored long-lived component (in-scope) Codex — The hostagent has a watcher that enqueues reconciles on state changes. The host-switch has no equivalent. Extending the existing per-instance state machine to include host-switch health (I4) would remove the need for bespoke recovery logic.

Strengths ¶

Clean platform abstraction via embedded hostSwitchPlatform struct with no-op stubs for non-Windows. The build-tag split is minimal and idiomatic. Claude Codex
Correct lifecycle ordering: the host-switch starts before the hostagent (matching the guest's boot dependency) and stops after it. Claude Codex
The design doc (networking.md) is thorough — clear sequence diagrams, address table, and lifecycle documentation that will pay dividends for future maintainers. Claude Gemini

Testing Assessment ¶

No test for the closed-channel panic (I2) — Multiple in-flight probes to the same VM, followed by cancellation, can trigger a panic. No test exercises this race.
No integration test for host-switch lifecycle — The unit tests cover validateSubnet and newVirtualNetworkConfig, but the goroutine lifecycle (startHostSwitch/stopHostSwitch with the mutex and map) has no coverage.
Unit tests are Windows-only — validateSubnet and newVirtualNetworkConfig contain no Windows-specific logic, but because they live in hostswitch_windows.go, the tests only run on Windows. Extracting them to a platform-independent file (S2) would enable cross-platform testing.
No end-to-end network verification — The BATS timeout increase confirms the VM needs more time to boot, but no test verifies that the network actually works (DHCP assignment, DNS resolution).

Documentation Assessment ¶

docs/design/networking.md is well-written and comprehensive. The file table at line 174 references a non-existent hostswitch.go (S2). The dependency section states the packages are transitive via Lima, but go.mod now lists them as direct requirements.
docs/design/api_lima.md correctly links to the new networking doc under the LimaNetwork section.

Acknowledged Limitations ¶

Sequential hostagent shutdown — limavm_controller.go:508 describes a TODO to wait on hostagents in parallel. The new stopHostSwitch call at line 543 adds to per-instance shutdown time, slightly worsening this existing limitation.
Windows signal support — The project memory notes that os.Signal sending is not implemented on Windows. The host-switch uses context cancellation instead of signals, so this does not affect the new code.

Unresolved Feedback ¶

Both inline comments from Nino-K have been addressed in the current revision:

return after vn.Listen failure skips g.Wait() (comment) — The code was restructured so that the API listener setup now occurs before the errgroup is created (lines 170-182). The errgroup starts at line 183, after the early return. The concern no longer applies.
Missing ln.Close() before return after virtualnetwork.New failure (comment) — The current code at line 163 calls ln.Close() before returning. Addressed.

Agent Performance Retro ¶

[Claude]

Claude produced the most thorough lifecycle analysis, tracing every stopHostSwitch call site with git blame (8 blame calls) to identify the sole missing cleanup in I1. It also identified the read-deadline gap in readSignature (I3) and several documentation issues (S2, S3). Claude's findings were accurate with no false positives.

Tool call highlights: Claude ran 8 git blame commands covering all lifecycle paths — the most blame-intensive of the three agents. It read the lifecycle file 7 times at different offsets, demonstrating systematic tracing. 35 total tool calls with a good mix of Read (20), Bash (9), Grep (5), and Glob (1).

[Codex]

Codex identified the most subtle bug — the closed-channel panic in I2. This required tracing the interaction between getVMGUID's WaitGroup/close pattern and attemptHandshake's nested goroutines, a cross-function concurrency analysis that neither Claude nor Gemini performed. Codex also identified the host-switch recovery gap (I4) and traced into the hostagent watcher to contrast its reconcile-on-exit pattern.

Codex rated I2 as CRITICAL. The severity was downgraded to IMPORTANT because the panic requires specific timing — a nested goroutine must pass the ctx.Err() check before cancellation, then complete after close(found). However, this is the most important finding in the review: a real panic that would crash the controller.

Tool call highlights: Codex used 47 tool calls, the most of the three. It traced into dependency source code (gvisor-tap-vsock's stdio.go, gvproxy/main.go, and virtsock's hvsock_windows.go) to verify AcceptStdio blocking behavior and hvsock.Dial timeout semantics. Also ran go test to verify unit tests pass. 6 git blame calls.

[Gemini]

Gemini identified four findings in the host-switch protocol code: the signalListenerReady timeout gap (I5), the unbounded dial concurrency (contributing to I3), the synchronous AcceptStdio concern (S5), and the readSignature deadline gap (I3, shared with Claude). It also traced into gvisor-tap-vsock's source (11 shell commands exploring dependency code).

Gemini rated I5 as CRITICAL. The severity was downgraded to IMPORTANT because the scenario (VM unresponsive between successful discovery and ready signal) is low probability.

Gemini did not run git blame, consistent with the known behavior that its daily Pro quota is too low for blame calls. This means it could not distinguish regressions from pre-existing issues — all findings were classified as "gap" rather than "regression."

Tool call highlights: 21 total tool calls — the fewest, but focused on dependency analysis. 5 read_file calls, 5 grep_search calls, 11 shell commands. Gemini explored AcceptStdio source code in depth (5 shell commands on gvisor-tap-vsock internals), leading to the S5 finding that other agents missed.

Summary ¶

	Claude Opus 4.6	Codex GPT 5.4	Gemini 3.1 Pro
Duration	331s	289s	261s
Findings	0C 2I 4S	0C 2I 0S	0C 4I 2S
Tool calls	35 (Read 20, Bash 9)	47 (exec_command 45)	21 (shell 11, read 5)
Design observations	1	1	1
False positives	0	0	0
Unique insights	I1, S2, S3	I2	I5, S4, S5
Files reviewed	10/10	10/10	10/10
Coverage misses	0	0	0

Reconciliation:

Codex P1 closed-channel panic: CRITICAL → IMPORTANT I2 (timing-dependent race, controller restarts on panic)
Gemini P1 signalListenerReady timeout: CRITICAL → IMPORTANT I5 (low-probability scenario — VM was responsive moments before)
Gemini P1 synchronous AcceptStdio: IMPORTANT → SUGGESTION S5 (single-connection is the normal case; reconnect works once broken connection detected)

All three agents achieved full coverage with no false positives. Codex provided the deepest concurrency analysis (I2). Claude provided the most thorough lifecycle tracing (I1). Gemini provided the broadest protocol analysis (I5, S4, S5) by reading dependency source code.

Review Process Notes ¶

No process improvements identified.