fix firecracker compile + run-dir flow; use reachable default image ref

Author: lox

cleanroom.yaml

@@ -1,7 +1,7 @@
 version: 1
 sandbox:
   image:
-    ref: ghcr.io/buildkite/cleanroom-base/alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+    ref: docker.io/library/alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
   network:
     default: deny
     allow:

internal/backend/firecracker/backend.go

@@ -15,6 +15,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/buildkite/cleanroom/internal/backend"
@@ -238,38 +239,17 @@ func (a *Adapter) run(ctx context.Context, req backend.RunRequest, stream backen
 			return nil, err
 		}
 
-		if !req.HostPassthrough {
-			observation.PlanPath = planPath
-			observation.RunDir = runDir
-			return &backend.RunResult{
-				RunID:       req.RunID,
-				ExitCode:    0,
-				LaunchedVM:  false,
-				PlanPath:    planPath,
-				RunDir:      runDir,
-				ImageRef:    req.Policy.ImageRef,
-				ImageDigest: req.Policy.ImageDigest,
-				Message:     "firecracker execution plan generated; command not executed (set --dry-run or --host-passthrough for non-launch modes)",
-			}, nil
-		}
-
-		exitCode, stdout, stderr, err := runHostPassthrough(ctx, req.CWD, req.Command, req.TTY, stream)
-		if err != nil {
-			return nil, err
-		}
 		observation.PlanPath = planPath
 		observation.RunDir = runDir
 		return &backend.RunResult{
 			RunID:       req.RunID,
-			ExitCode:    exitCode,
+			ExitCode:    0,
 			LaunchedVM:  false,
 			PlanPath:    planPath,
 			RunDir:      runDir,
 			ImageRef:    req.Policy.ImageRef,
 			ImageDigest: req.Policy.ImageDigest,
-			Message:     "host passthrough execution complete (not sandboxed)",
-			Stdout:      stdout,
-			Stderr:      stderr,
+			Message:     "firecracker execution plan generated; command not executed",
 		}, nil
 	}
 
@@ -283,7 +263,7 @@ func (a *Adapter) run(ctx context.Context, req backend.RunRequest, stream backen
 	}
 
 	if req.KernelImagePath == "" {
-		return nil, errors.New("kernel_image must be configured for launched execution; use --dry-run or --host-passthrough for non-launch modes")
+		return nil, errors.New("kernel_image must be configured for launched execution")
 	}
 	observation.Phase = "launch"
 

internal/controlservice/service.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"path/filepath"
 	"sort"
 	"strings"
 	"sync"
@@ -12,6 +13,7 @@ import (
 	"github.com/buildkite/cleanroom/internal/backend"
 	"github.com/buildkite/cleanroom/internal/controlapi"
 	cleanroomv1 "github.com/buildkite/cleanroom/internal/gen/cleanroom/v1"
+	"github.com/buildkite/cleanroom/internal/paths"
 	"github.com/buildkite/cleanroom/internal/policy"
 	"github.com/buildkite/cleanroom/internal/runtimeconfig"
 	"github.com/charmbracelet/log"
@@ -853,6 +855,14 @@ func (s *Service) runExecution(sandboxID, executionID string) {
 	})
 
 	firecrackerCfg := sb.Firecracker
+	if strings.TrimSpace(firecrackerCfg.RunDir) == "" {
+		if runBaseDir, err := paths.RunBaseDir(); err == nil {
+			firecrackerCfg.RunDir = filepath.Join(runBaseDir, ex.RunID)
+		}
+	}
+	if ex.Options.ReadOnlyWorkspace {
+		firecrackerCfg.WorkspaceAccess = "ro"
+	}
 	if ex.Options.LaunchSeconds != 0 {
 		firecrackerCfg.LaunchSeconds = ex.Options.LaunchSeconds
 	}

internal/controlservice/service_test.go

@@ -3,13 +3,15 @@ package controlservice
 import (
 	"context"
 	"errors"
+	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/buildkite/cleanroom/internal/backend"
 	"github.com/buildkite/cleanroom/internal/controlapi"
 	cleanroomv1 "github.com/buildkite/cleanroom/internal/gen/cleanroom/v1"
+	"github.com/buildkite/cleanroom/internal/paths"
 	"github.com/buildkite/cleanroom/internal/policy"
 )
 
@@ -185,8 +187,12 @@ func TestLaunchRunTerminateLifecycle(t *testing.T) {
 	if runResp.ImageDigest == "" {
 		t.Fatal("expected run response to include image digest")
 	}
-	if !strings.HasPrefix(adapter.req.RunDir, "/tmp/cleanrooms/") {
-		t.Fatalf("expected run dir under run root, got %q", adapter.req.RunDir)
+	runBaseDir, err := paths.RunBaseDir()
+	if err != nil {
+		t.Fatalf("resolve run base dir: %v", err)
+	}
+	if got, want := filepath.Dir(adapter.req.RunDir), filepath.Clean(runBaseDir); got != want {
+		t.Fatalf("expected run dir under %q, got %q", want, adapter.req.RunDir)
 	}
 	if adapter.runCalls != 1 {
 		t.Fatalf("expected exactly one run call, got %d", adapter.runCalls)