WIP

ibetitsmike · ibetitsmike · commit 4996ebe077ad · 2025-08-20T12:38:36.000Z
diff --git a/agent/agent.go b/agent/agent.go
@@ -70,44 +70,13 @@ const (
 	EnvProcOOMScore = "CODER_PROC_OOM_SCORE"
 )
 
-// agentImmortalDialer is a custom dialer for immortal streams that can
-// connect to the agent's own services via tailnet addresses.
+// agentImmortalDialer wraps the standard dialer for immortal streams.
+// Agent services are available on both tailnet and localhost interfaces.
 type agentImmortalDialer struct {
-	agent          *agent
 	standardDialer *net.Dialer
 }
 
 func (d *agentImmortalDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	host, portStr, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, xerrors.Errorf("split host port %q: %w", address, err)
-	}
-
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		return nil, xerrors.Errorf("parse port %q: %w", portStr, err)
-	}
-
-	// Check if this is a connection to one of the agent's own services
-	isLocalhost := host == "localhost" || host == "127.0.0.1" || host == "::1"
-	isAgentPort := port == int(workspacesdk.AgentSSHPort) || port == int(workspacesdk.AgentHTTPAPIServerPort) ||
-		port == int(workspacesdk.AgentReconnectingPTYPort) || port == int(workspacesdk.AgentSpeedtestPort)
-
-	if isLocalhost && isAgentPort {
-		// Get the agent ID from the current manifest
-		manifest := d.agent.manifest.Load()
-		if manifest == nil || manifest.AgentID == uuid.Nil {
-			// Fallback to standard dialing if no manifest available yet
-			return d.standardDialer.DialContext(ctx, network, address)
-		}
-
-		// Connect to the agent's own tailnet address instead of localhost
-		agentAddr := tailnet.TailscaleServicePrefix.AddrFromUUID(manifest.AgentID)
-		agentAddress := net.JoinHostPort(agentAddr.String(), portStr)
-		return d.standardDialer.DialContext(ctx, network, agentAddress)
-	}
-
-	// For other addresses, use standard dialing
 	return d.standardDialer.DialContext(ctx, network, address)
 }
 
@@ -392,10 +361,8 @@ func (a *agent) init() {
 
 	a.containerAPI = agentcontainers.NewAPI(a.logger.Named("containers"), containerAPIOpts...)
 
-	// Initialize immortal streams manager with a custom dialer
-	// that can connect to the agent's own services
+	// Initialize immortal streams manager
 	immortalDialer := &agentImmortalDialer{
-		agent:          a,
 		standardDialer: &net.Dialer{},
 	}
 	a.immortalStreamsManager = immortalstreams.New(a.logger.Named("immortal-streams"), immortalDialer)
@@ -1531,6 +1498,7 @@ func (a *agent) createTailnet(
 	}
 
 	for _, port := range []int{workspacesdk.AgentSSHPort, workspacesdk.AgentStandardSSHPort} {
+		// Listen on tailnet interface for external connections
 		sshListener, err := network.Listen("tcp", ":"+strconv.Itoa(port))
 		if err != nil {
 			return nil, xerrors.Errorf("listen on the ssh port (%v): %w", port, err)
@@ -1546,6 +1514,25 @@ func (a *agent) createTailnet(
 		}); err != nil {
 			return nil, err
 		}
+
+		// Also listen on localhost for immortal streams (only for SSH port 1)
+		if port == workspacesdk.AgentSSHPort {
+			localhostListener, err := net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(port))
+			if err != nil {
+				return nil, xerrors.Errorf("listen on localhost ssh port (%v): %w", port, err)
+			}
+			// nolint:revive // We do want to run the deferred functions when createTailnet returns.
+			defer func() {
+				if err != nil {
+					_ = localhostListener.Close()
+				}
+			}()
+			if err = a.trackGoroutine(func() {
+				_ = a.sshServer.Serve(localhostListener)
+			}); err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	reconnectingPTYListener, err := network.Listen("tcp", ":"+strconv.Itoa(workspacesdk.AgentReconnectingPTYPort))
@@ -1616,6 +1603,7 @@ func (a *agent) createTailnet(
 		return nil, err
 	}
 
+	// Listen on tailnet interface for external connections
 	apiListener, err := network.Listen("tcp", ":"+strconv.Itoa(workspacesdk.AgentHTTPAPIServerPort))
 	if err != nil {
 		return nil, xerrors.Errorf("api listener: %w", err)
@@ -1652,6 +1640,43 @@ func (a *agent) createTailnet(
 		return nil, err
 	}
 
+	// Also listen on localhost for immortal streams WebSocket connections
+	localhostAPIListener, err := net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(workspacesdk.AgentHTTPAPIServerPort))
+	if err != nil {
+		return nil, xerrors.Errorf("localhost api listener: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			_ = localhostAPIListener.Close()
+		}
+	}()
+	if err = a.trackGoroutine(func() {
+		defer localhostAPIListener.Close()
+		apiHandler := a.apiHandler()
+		server := &http.Server{
+			BaseContext:       func(net.Listener) context.Context { return ctx },
+			Handler:           apiHandler,
+			ReadTimeout:       20 * time.Second,
+			ReadHeaderTimeout: 20 * time.Second,
+			WriteTimeout:      20 * time.Second,
+			ErrorLog:          slog.Stdlib(ctx, a.logger.Named("http_api_server_localhost"), slog.LevelInfo),
+		}
+		go func() {
+			select {
+			case <-ctx.Done():
+			case <-a.hardCtx.Done():
+			}
+			_ = server.Close()
+		}()
+
+		apiServErr := server.Serve(localhostAPIListener)
+		if apiServErr != nil && !xerrors.Is(apiServErr, http.ErrServerClosed) && !strings.Contains(apiServErr.Error(), "use of closed network connection") {
+			a.logger.Critical(ctx, "serve localhost HTTP API server", slog.Error(apiServErr))
+		}
+	}); err != nil {
+		return nil, err
+	}
+
 	return network, nil
 }
 
diff --git a/cli/ssh.go b/cli/ssh.go
@@ -440,8 +440,10 @@ func (r *RootCmd) ssh() *serpent.Command {
 						// Connect to the immortal stream via WebSocket
 						rawSSH, err = connectToImmortalStreamWebSocket(ctx, conn, stream.ID, logger)
 						if err != nil {
-							// Clean up the stream if connection fails
-							_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+							// Only clean up the stream if it's a permanent failure
+							if !isNetworkError(err) {
+								_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+							}
 							return xerrors.Errorf("connect to immortal stream: %w", err)
 						}
 					}
@@ -481,25 +483,25 @@ func (r *RootCmd) ssh() *serpent.Command {
 					}
 				}
 
-				// Set up cleanup for immortal stream
+				// Set up signal-based cleanup for immortal stream
+				// Only delete on explicit user termination (SIGINT, SIGTERM), not network errors
 				if immortalStreamClient != nil && streamID != nil {
-					defer func() {
-						if err := immortalStreamClient.deleteStream(context.Background(), *streamID); err != nil {
-							logger.Error(context.Background(), "failed to cleanup immortal stream", slog.Error(err))
-						}
+					// Create a signal-only context for cleanup
+					signalCtx, signalStop := inv.SignalNotifyContext(context.Background(), StopSignals...)
+					defer signalStop()
+
+					go func() {
+						<-signalCtx.Done()
+						// User sent termination signal - clean up the stream
+						_ = immortalStreamClient.deleteStream(context.Background(), *streamID)
 					}()
 				}
 
 				wg.Add(1)
 				go func() {
 					defer wg.Done()
 					watchAndClose(ctx, func() error {
-						// Clean up immortal stream on termination
-						if immortalStreamClient != nil && streamID != nil {
-							if err := immortalStreamClient.deleteStream(context.Background(), *streamID); err != nil {
-								logger.Error(context.Background(), "failed to cleanup immortal stream on termination", slog.Error(err))
-							}
-						}
+						// Don't delete immortal stream here - let signal handler do it
 						stack.close(xerrors.New("watchAndClose"))
 						return nil
 					}, logger, client, workspace, errCh)
@@ -557,8 +559,10 @@ func (r *RootCmd) ssh() *serpent.Command {
 					// Connect to the immortal stream and create SSH client
 					rawConn, err := connectToImmortalStreamWebSocket(ctx, conn, stream.ID, logger)
 					if err != nil {
-						// Clean up the stream if connection fails
-						_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+						// Only clean up the stream if it's a permanent failure
+						if !isNetworkError(err) {
+							_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+						}
 						return xerrors.Errorf("connect to immortal stream: %w", err)
 					}
 
@@ -569,7 +573,10 @@ func (r *RootCmd) ssh() *serpent.Command {
 					})
 					if err != nil {
 						rawConn.Close()
-						_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+						// Only clean up the stream if it's a permanent failure
+						if !isNetworkError(err) {
+							_ = immortalStreamClient.deleteStream(ctx, stream.ID)
+						}
 						return xerrors.Errorf("ssh handshake over immortal stream: %w", err)
 					}
 
@@ -603,12 +610,17 @@ func (r *RootCmd) ssh() *serpent.Command {
 				}
 			}
 
-			// Set up cleanup for immortal stream in regular SSH mode
+			// Set up signal-based cleanup for immortal stream
+			// Only delete on explicit user termination (SIGINT, SIGTERM), not network errors
 			if immortalStreamClient != nil && streamID != nil {
-				defer func() {
-					if err := immortalStreamClient.deleteStream(context.Background(), *streamID); err != nil {
-						logger.Error(context.Background(), "failed to cleanup immortal stream", slog.Error(err))
-					}
+				// Create a signal-only context for cleanup
+				signalCtx, signalStop := inv.SignalNotifyContext(context.Background(), StopSignals...)
+				defer signalStop()
+
+				go func() {
+					<-signalCtx.Done()
+					// User sent termination signal - clean up the stream
+					_ = immortalStreamClient.deleteStream(context.Background(), *streamID)
 				}()
 			}
 
@@ -618,12 +630,7 @@ func (r *RootCmd) ssh() *serpent.Command {
 				watchAndClose(
 					ctx,
 					func() error {
-						// Clean up immortal stream on termination
-						if immortalStreamClient != nil && streamID != nil {
-							if err := immortalStreamClient.deleteStream(context.Background(), *streamID); err != nil {
-								logger.Error(context.Background(), "failed to cleanup immortal stream on termination", slog.Error(err))
-							}
-						}
+						// Don't delete immortal stream here - let signal handler do it
 						stack.close(xerrors.New("watchAndClose"))
 						return nil
 					},
@@ -923,66 +930,63 @@ func (r *RootCmd) ssh() *serpent.Command {
 	return cmd
 }
 
-// connectToImmortalStreamWebSocket connects to an immortal stream via WebSocket and returns a net.Conn
+// connectToImmortalStreamWebSocket connects to an immortal stream via WebSocket
+// The immortal stream infrastructure handles reconnection automatically
 func connectToImmortalStreamWebSocket(ctx context.Context, agentConn *workspacesdk.AgentConn, streamID uuid.UUID, logger slog.Logger) (net.Conn, error) {
 	// Build the target address for the agent's HTTP API server
-	// We'll let the WebSocket dialer handle the actual connection through the agent
 	apiServerAddr := fmt.Sprintf("127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort)
 	wsURL := fmt.Sprintf("ws://%s/api/v0/immortal-stream/%s", apiServerAddr, streamID)
 
 	// Create WebSocket connection using the agent's tailnet connection
-	// The key is to use a custom dialer that routes through the agent connection
 	dialOptions := &websocket.DialOptions{
 		HTTPClient: &http.Client{
 			Transport: &http.Transport{
 				DialContext: func(dialCtx context.Context, network, addr string) (net.Conn, error) {
-					// Route all connections through the agent connection
-					// The agent connection will handle routing to the correct internal address
-
-					conn, err := agentConn.DialContext(dialCtx, network, addr)
-					if err != nil {
-						return nil, err
-					}
-
-					return conn, nil
+					return agentConn.DialContext(dialCtx, network, addr)
 				},
 			},
 		},
-		// Disable compression for raw TCP data
 		CompressionMode: websocket.CompressionDisabled,
 	}
 
 	// Connect to the WebSocket endpoint
-	conn, res, err := websocket.Dial(ctx, wsURL, dialOptions)
+	conn, _, err := websocket.Dial(ctx, wsURL, dialOptions)
 	if err != nil {
-		if res != nil {
-			logger.Error(ctx, "WebSocket dial failed",
-				slog.F("stream_id", streamID),
-				slog.F("websocket_url", wsURL),
-				slog.F("status", res.StatusCode),
-				slog.F("status_text", res.Status),
-				slog.Error(err))
-		} else {
-			logger.Error(ctx, "WebSocket dial failed (no response)",
-				slog.F("stream_id", streamID),
-				slog.F("websocket_url", wsURL),
-				slog.Error(err))
-		}
 		return nil, xerrors.Errorf("dial immortal stream WebSocket: %w", err)
 	}
 
-	logger.Info(ctx, "successfully connected to immortal stream WebSocket",
-		slog.F("stream_id", streamID))
-
 	// Convert WebSocket to net.Conn for SSH usage
-	// Use MessageBinary for raw TCP data transport
+	// The immortal stream's BackedPipe handles reconnection automatically
 	netConn := websocket.NetConn(ctx, conn, websocket.MessageBinary)
 
-	logger.Debug(ctx, "converted WebSocket to net.Conn for SSH usage")
-
 	return netConn, nil
 }
 
+// isNetworkError checks if an error is a temporary network error
+func isNetworkError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	errStr := err.Error()
+	networkErrors := []string{
+		"connection refused",
+		"network is unreachable",
+		"connection reset",
+		"broken pipe",
+		"timeout",
+		"no route to host",
+	}
+
+	for _, netErr := range networkErrors {
+		if strings.Contains(errStr, netErr) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // findWorkspaceAndAgentByHostname parses the hostname from the commandline and finds the workspace and agent it
 // corresponds to, taking into account any name prefixes or suffixes configured (e.g. myworkspace.coder, or
 // vscode-coder--myusername--myworkspace).
