superradcompany · Leay15 · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026 · Jan 18, 2026
@@ -161,7 +161,7 @@ uninstall:
 	fi
 
 build_libkrun:
-	./scripts/build_libkrun.sh --no-clean --build-dir "$(BUILD_DIR)"
+	bash ./scripts/build_libkrun.sh --no-clean --build-dir "$(BUILD_DIR)"
 
 # Catch-all target to allow example names and arguments
 %:

@@ -646,6 +646,15 @@ msb pull [--image] [--image-group] <name> [options]
 **Examples:**
 
 ```bash
+# Pull a private image using env credentials (token)
+export MSB_REGISTRY_TOKEN=token123
+msb pull registry.example.com/org/app:1.0
+
+# Pull a private image using env credentials (username/password)
+export MSB_REGISTRY_USERNAME=user
+export MSB_REGISTRY_PASSWORD=pass
+msb pull registry.example.com/org/app:1.0
+
 # Pull an image
 msb pull --image python:3.11
 
@@ -686,6 +695,66 @@ msb push myapp:latest
 
 ===
 
+==- `msb login`
+Set registry credentials (persisted in microsandbox home).
+
+```bash
+msb login [registry] [--username <user>] [--password-stdin] [--token <token>]
+```
+
+| Option            | Description                        |
+| ----------------- | ---------------------------------- |
+| `--username`      | Registry username                  |
+| `--password-stdin`| Read password from stdin           |
+| `--token`         | Registry access token (bearer)     |
+
+**Examples:**
+
+```bash
+# Provide a token
+msb login ghcr.io --token token123
+
+# Provide username and password via stdin
+echo "pass" | msb login docker.io --username user --password-stdin
+
+# Use env fallback if CLI is invalid
+export MSB_REGISTRY_TOKEN=token123
+msb login ghcr.io --username user --password-stdin
+```
+
+!!!note
+`msb login` stores credentials locally but does not validate them against the registry.
+!!!
+
+!!!warning Security
+Credentials are stored in `~/.microsandbox/registry_auth.json`. Restrict file permissions and avoid sharing it.
+!!!
+
+===
+
+==- `msb logout`
+Remove stored registry credentials.
+
+```bash
+msb logout [registry] [--all]
+```
+
+| Option    | Description                              |
+| --------- | ---------------------------------------- |
+| `--all`   | Remove all stored registry credentials   |
+
+**Examples:**
+
+```bash
+# Remove credentials for a registry
+msb logout ghcr.io
+
+# Remove all stored credentials
+msb logout --all
+```
+
+===
+
 ---
 
 ### Maintenance

@@ -11,8 +11,12 @@ use microsandbox_core::{
     oci::Reference,
 };
 use microsandbox_server::MicrosandboxServerResult;
-use microsandbox_utils::{NAMESPACES_SUBDIR, env};
+use microsandbox_utils::{
+    NAMESPACES_SUBDIR, StoredRegistryCredentials, clear_registry_credentials, env,
+    remove_registry_credentials, store_registry_credentials,
+};
 use std::{collections::HashMap, path::PathBuf};
+use tokio::io::{self, AsyncReadExt};
 use typed_path::Utf8UnixPathBuf;
 
 //--------------------------------------------------------------------------------------------------
@@ -54,7 +58,7 @@ pub async fn add_subcommand(
     names: Vec<String>,
     image: String,
     memory: Option<u32>,
-    cpus: Option<u32>,
+    cpus: Option<f32>,
     volumes: Vec<String>,
     ports: Vec<String>,
     envs: Vec<String>,
@@ -219,7 +223,7 @@ pub async fn script_run_subcommand(
 #[allow(clippy::too_many_arguments)]
 pub async fn exe_subcommand(
     name: String,
-    cpus: Option<u8>,
+    cpus: Option<f32>,
     memory: Option<u32>,
     volumes: Vec<String>,
     ports: Vec<String>,
@@ -472,7 +476,7 @@ pub async fn self_subcommand(action: SelfAction) -> MicrosandboxCliResult<()> {
 pub async fn install_subcommand(
     name: String,
     alias: Option<String>,
-    cpus: Option<u8>,
+    cpus: Option<f32>,
     memory: Option<u32>,
     volumes: Vec<String>,
     ports: Vec<String>,
@@ -671,11 +675,60 @@ pub async fn server_status_subcommand(
     Ok(())
 }
 
-pub async fn login_subcommand() -> MicrosandboxCliResult<()> {
-    println!(
-        "{} login functionality is not yet implemented",
-        "error:".error()
-    );
+pub async fn login_subcommand(
+    registry: Option<String>,
+    username: Option<String>,
+    password_stdin: bool,
+    token: Option<String>,
+) -> MicrosandboxCliResult<()> {
+    let registry = resolve_registry_host(registry);
+    let creds = resolve_login_credentials(username, password_stdin, token).await?;
+
+    match creds {
+        LoginCredentials::Basic { username, password } => {
+            store_registry_credentials(
+                &registry,
+                StoredRegistryCredentials::Basic { username, password },
+            )
+            .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+            println!(
+                "info: credentials saved for registry {} (not validated)",
+                registry
+            );
+        }
+        LoginCredentials::Token { token } => {
+            store_registry_credentials(&registry, StoredRegistryCredentials::Token { token })
+                .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+            println!(
+                "info: token saved for registry {} (not validated)",
+                registry
+            );
+        }
+    }
+
+    Ok(())
+}
+
+pub async fn logout_subcommand(registry: Option<String>, all: bool) -> MicrosandboxCliResult<()> {
+    if all {
+        clear_registry_credentials()
+            .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+        println!("info: cleared all stored registry credentials");
+        return Ok(());
+    }
+
+    let registry = resolve_registry_host(registry);
+    let removed = remove_registry_credentials(&registry)
+        .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+    if removed {
+        println!("info: removed stored credentials for registry {}", registry);
+    } else {
+        println!(
+            "info: no stored credentials found for registry {}",
+            registry
+        );
+    }
+
     Ok(())
 }
 
@@ -741,6 +794,100 @@ fn parse_name_and_script(name_and_script: &str) -> (&str, Option<&str>) {
     (name, script)
 }
 
+//--------------------------------------------------------------------------------------------------
+// Functions: Login Helpers
+//--------------------------------------------------------------------------------------------------
+
+enum LoginCredentials {
+    Basic { username: String, password: String },
+    Token { token: String },
+}
+
+fn resolve_registry_host(registry: Option<String>) -> String {
+    registry
+        .or_else(env::get_registry_host)
+        .unwrap_or_else(env::get_oci_registry)
+}
+
+async fn resolve_login_credentials(
+    username: Option<String>,
+    password_stdin: bool,
+    token: Option<String>,
+) -> MicrosandboxCliResult<LoginCredentials> {
+    let cli_password = if password_stdin {
+        Some(read_password_from_stdin().await?)
+    } else {
+        None
+    };
+
+    let cli_provided = token.is_some() || username.is_some() || password_stdin;
+    if cli_provided {
+        let cli_result = if token.is_some() && (username.is_some() || cli_password.is_some()) {
+            Err(MicrosandboxCliError::InvalidArgument(
+                "token cannot be combined with username/password".to_string(),
+            ))
+        } else if let Some(token) = token {
+            Ok(LoginCredentials::Token { token })
+        } else {
+            match (username, cli_password) {
+                (Some(username), Some(password)) => {
+                    Ok(LoginCredentials::Basic { username, password })
+                }
+                (None, None) => Err(MicrosandboxCliError::InvalidArgument(
+                    "no credentials provided; use flags or environment variables".to_string(),
+                )),
+                _ => Err(MicrosandboxCliError::InvalidArgument(
+                    "both username and password are required".to_string(),
+                )),
+            }
+        };
+
+        if let Ok(creds) = cli_result {
+            return Ok(creds);
+        }
+
+        // CLI was provided but invalid; attempt env fallback.
+        tracing::debug!("login: CLI credentials invalid, falling back to environment variables");
+    }
+
+    let env_token = env::get_registry_token();
+    let env_username = env::get_registry_username();
+    let env_password = env::get_registry_password();
+
+    if env_token.is_some() && (env_username.is_some() || env_password.is_some()) {
+        return Err(MicrosandboxCliError::InvalidArgument(
+            "token cannot be combined with username/password".to_string(),
+        ));
+    }
+
+    if let Some(token) = env_token {
+        return Ok(LoginCredentials::Token { token });
+    }
+
+    match (env_username, env_password) {
+        (Some(username), Some(password)) => Ok(LoginCredentials::Basic { username, password }),
+        (None, None) => Err(MicrosandboxCliError::InvalidArgument(
+            "no credentials provided; use flags or environment variables".to_string(),
+        )),
+        _ => Err(MicrosandboxCliError::InvalidArgument(
+            "both username and password are required".to_string(),
+        )),
+    }
+}
+
+async fn read_password_from_stdin() -> MicrosandboxCliResult<String> {
+    let mut input = String::new();
+    let mut stdin = io::stdin();
+    stdin.read_to_string(&mut input).await?;
+    let password = input.trim_end_matches(&['\n', '\r'][..]).to_string();
+    if password.is_empty() {
+        return Err(MicrosandboxCliError::InvalidArgument(
+            "password provided via stdin is empty".to_string(),
+        ));
+    }
+    Ok(password)
+}
+
 /// Parse a file path into project path and config file name.
 ///
 /// If the file path is a directory, it is treated as the project path.

@@ -259,8 +259,16 @@ async fn main() -> MicrosandboxCliResult<()> {
                 handlers::server_ssh_subcommand(namespace, sandbox, name).await?;
             }
         },
-        Some(MicrosandboxSubcommand::Login) => {
-            handlers::login_subcommand().await?;
+        Some(MicrosandboxSubcommand::Login {
+            registry,
+            username,
+            password_stdin,
+            token,
+        }) => {
+            handlers::login_subcommand(registry, username, password_stdin, token).await?;
+        }
+        Some(MicrosandboxSubcommand::Logout { registry, all }) => {
+            handlers::logout_subcommand(registry, all).await?;
         }
         Some(MicrosandboxSubcommand::Push { image, name }) => {
             handlers::push_subcommand(image, name).await?;

@@ -17,7 +17,7 @@
 //!     --log-level=3 \
 //!     --native-rootfs=/path/to/rootfs \
 //!     --overlayfs-rootfs=/path/to/rootfs \
-//!     --num-vcpus=2 \
+//!     --num-vcpus=0.5 \
 //!     --memory-mib=1024 \
 //!     --workdir-path=/app \
 //!     --exec-path=/usr/bin/python3 \
@@ -41,7 +41,7 @@
 //!     --log-level=3 \
 //!     --native-rootfs=/path/to/rootfs \
 //!     --overlayfs-rootfs=/path/to/rootfs \
-//!     --num-vcpus=2 \
+//!     --num-vcpus=0.5 \
 //!     --memory-mib=1024 \
 //!     --workdir-path=/app \
 //!     --exec-path=/usr/bin/python3 \
@@ -256,6 +256,7 @@ async fn main() -> Result<()> {
                 log_dir.clone(),
                 rootfs.clone(),
                 forward_output,
+                num_vcpus,
             )
             .await?;
 

@@ -41,11 +41,20 @@ pub async fn main() -> MicrosandboxCliResult<()> {
         args.dev_mode,
     )?);
 
-    // Get namespace directory from config
+    // Get namespace directory and port range from config
     let namespace_dir = config.get_namespace_dir().clone();
+    let port_range = (
+        config.get_port_range_min().as_ref().copied(),
+        config.get_port_range_max().as_ref().copied(),
+    );
 
-    // Initialize the port manager
-    let port_manager = PortManager::new(namespace_dir).await.map_err(|e| {
+    // Initialize the port manager with the configured port range
+    let port_manager = if let (Some(min), Some(max)) = port_range {
+        PortManager::new_with_range(namespace_dir, Some((min, max))).await
+    } else {
+        PortManager::new(namespace_dir).await
+    }
+    .map_err(|e| {
         eprintln!("Error initializing port manager: {}", e);
         e
     })?;