[kernel][zcrx] vmtest: add extra_mounts support for sharing host directories into VM

mkutsevol · meta-codesync[bot] · commit f1dad3084c63 · 2026-03-05T20:22:55.000-08:00
Summary: Add first-class support for mounting arbitrary host directories into vmtest VMs. This enables Use Case #3 from the Zero Copy Receive testing plan (https://fburl.com/gdoc/msf9i6y0): local rapid iteration on a devserver. At the very least we'd need the kernel source mounted in, but having the ability to specify any directory makes it fit any use case. Before this change, only a single directory was shared - fbcode. Which is not enough for the kernel use case. Now, adding `extra_mounts = [("/path/to/dir", True)]` to a vm.host() target does everything automatically: - **Container level**: bind-mounts the path into the isolation container using the existing antlir2_isolate inputs/outputs mechanism (read-only or read-write based on the boolean flag). - **VM level**: feeds the path into the existing virtiofs share machinery, which starts virtiofsd, generates QEMU device args, and creates systemd .mount unit files so the directory appears at the same path inside the VM on boot. For the ZCRX test, local development is now: buck run -c zcrx.extra_share=/path/to/linux \ -c zcrx.prebuilt_vmlinux=/path/to/bzImage \ ':fbnic-zcrx-vm[container]' Design decisions: - Each mount carries a read_only flag (Buck attr is a tuple of (path, bool)), routed to inputs() for RO or outputs() for RW at the container level, and to ShareOpts.read_only at the VM level. - No canonicalize() on mount paths. Symlink resolution is left to the nspawn --bind-ro mechanism, avoiding path mismatches when /home is a symlink to /data/users (common on devservers). Test Plan: 1. Built machine_json sub-target with extra_share config, verified JSON serialization: ``` buck2 build fbcode//kernel/vmtest/iouring_zcrx:fbnic-zcrx-vm[machine_json] -c zcrx.extra_share=/tmp/test_extra_mount ``` Produces correct `{"path": ["/tmp/test_extra_mount"], "read_only": true}`. 2. Ran the VM with extra_share and verified RO enforcement: ``` buck2 run fbcode//kernel/vmtest/iouring_zcrx:fbnic-zcrx-vm \ -c zcrx.extra_share=/tmp/test_extra_mount \ -c zcrx.prebuilt_vmlinux=.../bzImage \ -- --timeout-secs 30 -- sh -c \ 'if touch /tmp/test_extra_mount/write_test 2>/dev/null; then echo FAIL; else echo PASS; fi' ``` Output: `PASS: write denied on RO mount` 3. Verified symlinked paths work correctly (no canonicalize mismatch). 4. Confirmed nspawn backend routes inputs->--bind-ro and outputs->--bind (isolate_nspawn/src/lib.rs).; 5. Confirmed working RW in `buck run -c zcrx.extra_share=/home/mkutsevol/linux ':iouring-zcrx-test[shell]'` Reviewed By: wujj123456 Differential Revision: D95386284 fbshipit-source-id: 6031019e294a8f4150fab2a3496250c8fd00c027
diff --git a/antlir/antlir2/antlir2_vm/bzl/defs.bzl b/antlir/antlir2/antlir2_vm/bzl/defs.bzl
@@ -51,6 +51,7 @@ def _machine_json(ctx: AnalysisContext) -> (Artifact, typing.Any):
             "cpus": ctx.attrs.cpus,
             "disks": [d[DiskInfo] for d in disks],
             "extra_qemu_args": ctx.attrs.extra_qemu_args,
+            "input_dirs": ctx.attrs.input_dirs,
             "machine_type": ctx.attrs.machine_type,
             "max_combined_channels": ctx.attrs.max_combined_channels,
             "mem_mib": ctx.attrs.mem_mib,
@@ -61,6 +62,7 @@ def _machine_json(ctx: AnalysisContext) -> (Artifact, typing.Any):
                 "kernel": ctx.attrs.kernel,
             } if ctx.attrs.initrd else None,
             "num_nics": ctx.attrs.num_nics,
+            "output_dirs": ctx.attrs.output_dirs,
             "qemu_binary": cmd_args(ctx.attrs.qemu_binary, delimiter = ""),
             "serial_index": ctx.attrs.serial_index,
             "sidecar_services": ctx.attrs.sidecar_services,
@@ -154,6 +156,12 @@ _vm_host = rule(
             default = None,
             doc = "initrd to boot from when not booting from disk",
         ),
+        "input_dirs": attrs.list(
+            attrs.arg(),
+            default = [],
+            doc = "additional read-only host directories to bind-mount into the VM container. " +
+                  "Useful when extra_qemu_args references paths outside the repo.",
+        ),
         "kernel": attrs.option(
             attrs.source(),
             default = None,
@@ -168,6 +176,12 @@ _vm_host = rule(
             default = True,
             doc = "Mount runtime platform (aka /usr/local/fbcode) from the host",
         ),
+        "output_dirs": attrs.list(
+            attrs.arg(),
+            default = [],
+            doc = "additional read-write host directories to bind-mount into the VM container. " +
+                  "Useful when extra_qemu_args references paths outside the repo.",
+        ),
         # Must be an arg() because it needs to accept locations.
         "qemu_binary": attrs.arg(
             default = arch_select(
diff --git a/antlir/antlir2/antlir2_vm/src/isolation.rs b/antlir/antlir2/antlir2_vm/src/isolation.rs
@@ -87,10 +87,12 @@ impl Platform {
 /// * `image` - container image that would be used to run the VM
 /// * `envs` - env vars to set inside container.
 /// * `outputs` - Additional writable directories
+/// * `inputs` - Additional read-only host directories to bind-mount
 pub(crate) fn isolated(
     image: &PathBuf,
     envs: Vec<KvPair>,
     outputs: HashSet<PathBuf>,
+    inputs: HashSet<PathBuf>,
 ) -> Result<IsolatedContext> {
     let repo = Platform::repo_root()?;
     let mut builder = IsolationContext::builder(image);
@@ -103,6 +105,7 @@ pub(crate) fn isolated(
         .outputs(outputs);
     #[cfg(facebook)]
     builder.inputs(Path::new("/var/facebook/x509_identities/server.pem"));
+    builder.inputs(inputs);
     builder.setenv(
         envs.into_iter()
             .map(|p| (p.key, p.value))
diff --git a/antlir/antlir2/antlir2_vm/src/main.rs b/antlir/antlir2/antlir2_vm/src/main.rs
@@ -96,9 +96,6 @@ struct IsolateCmdArgs {
     /// Pass through these environment variables into the container and VM, if they exist.
     #[arg(long)]
     passenv: Vec<String>,
-    /// Extra RW bind-mount into the VM for debugging purpose
-    #[arg(long)]
-    scratch_dir: Option<PathBuf>,
     /// Whether or not to dump the VM's eth0 traffic to a file. When running the test command, this will set eth0_output_file to a file that will be uploaded to tpx.
     #[arg(long, default_value_t = false)]
     dump_eth0_traffic: bool,
@@ -190,9 +187,6 @@ fn respawn(args: &IsolateCmdArgs) -> Result<()> {
     let mut vm_args = args.run_cmd_args.vm_args.clone();
     let envs = env_names_to_kvpairs(args.passenv.clone());
     vm_args.command_envs = envs.clone();
-    if let Some(scratch_dir) = args.scratch_dir.as_ref() {
-        vm_args.output_dirs.push(scratch_dir.clone());
-    }
 
     // Let's always capture console output unless it's console mode
     let _console_dir;
@@ -205,15 +199,22 @@ fn respawn(args: &IsolateCmdArgs) -> Result<()> {
     antlir2_rootless::unshare_new_userns()?;
     antlir2_isolate::unshare_and_privatize_mount_ns().context("while isolating mount ns")?;
 
-    let isolated = isolated(
-        &args.image,
-        envs,
-        vm_args
-            .get_container_output_dirs()
-            .into_iter()
-            .chain(writable_devices())
-            .collect(),
-    )?;
+    let machine_spec = &args.run_cmd_args.machine_spec;
+    let inputs: HashSet<PathBuf> = machine_spec
+        .input_dirs
+        .iter()
+        .map(|d| PathBuf::from(d.concat()))
+        .collect();
+    let mut outputs: HashSet<PathBuf> = vm_args
+        .get_container_output_dirs()
+        .into_iter()
+        .chain(writable_devices())
+        .collect();
+    for dir in &machine_spec.output_dirs {
+        outputs.insert(PathBuf::from(dir.concat()));
+    }
+
+    let isolated = isolated(&args.image, envs, outputs, inputs)?;
     let exe = env::current_exe().context("while getting argv[0]")?;
     let mut command = isolated.command(exe)?;
     command
@@ -357,11 +358,21 @@ fn writable_devices() -> HashSet<PathBuf> {
 /// to discover the tests to run. This command is not our intended test to
 /// execute, so it's unnecessarily wasteful to execute it inside the VM. We
 /// directly run it inside the container without booting VM.
-fn list_test_command(args: &IsolateCmdArgs, validated_args: &ValidatedVMArgs) -> Result<Command> {
+fn list_test_command(
+    args: &IsolateCmdArgs,
+    validated_args: &ValidatedVMArgs,
+    inputs: HashSet<PathBuf>,
+    outputs: &[Vec<String>],
+) -> Result<Command> {
+    let mut collected_outputs = writable_outputs(validated_args);
+    for dir in outputs {
+        collected_outputs.insert(PathBuf::from(dir.concat()));
+    }
     let isolated = isolated(
         &args.image,
         validated_args.inner.command_envs.clone(),
-        writable_outputs(validated_args),
+        collected_outputs,
+        inputs,
     )?;
     let mut inner_cmd = validated_args
         .inner
@@ -376,11 +387,21 @@ fn list_test_command(args: &IsolateCmdArgs, validated_args: &ValidatedVMArgs) ->
 }
 
 /// For actual test command, we spawn the VM and run it.
-fn vm_test_command(args: &IsolateCmdArgs, validated_args: &ValidatedVMArgs) -> Result<Command> {
+fn vm_test_command(
+    args: &IsolateCmdArgs,
+    validated_args: &ValidatedVMArgs,
+    inputs: HashSet<PathBuf>,
+    outputs: &[Vec<String>],
+) -> Result<Command> {
+    let mut collected_outputs = writable_outputs(validated_args);
+    for dir in outputs {
+        collected_outputs.insert(PathBuf::from(dir.concat()));
+    }
     let isolated = isolated(
         &args.image,
         validated_args.inner.command_envs.clone(),
-        writable_outputs(validated_args),
+        collected_outputs,
+        inputs,
     )?;
     let exe = env::current_exe().context("while getting argv[0]")?;
     let mut command = isolated.command(exe)?;
@@ -405,6 +426,13 @@ fn test(args: &IsolateCmdArgs) -> Result<()> {
     // The inner antlir2_vm process will need fbcode runtime to start.
     // It may then decide whether to use host's platform for the actual test.
     Platform::set(&MountPlatformDecision(true))?;
+    let machine_spec = &args.run_cmd_args.machine_spec;
+    let inputs: HashSet<PathBuf> = machine_spec
+        .input_dirs
+        .iter()
+        .map(|d| PathBuf::from(d.concat()))
+        .collect();
+    let outputs = &machine_spec.output_dirs;
 
     let validated_args = get_test_vm_args(
         &args.run_cmd_args.vm_args,
@@ -415,9 +443,9 @@ fn test(args: &IsolateCmdArgs) -> Result<()> {
     antlir2_isolate::unshare_and_privatize_mount_ns().context("while isolating mount ns")?;
 
     let mut command = if validated_args.is_list {
-        list_test_command(args, &validated_args)
+        list_test_command(args, &validated_args, inputs, outputs)
     } else {
-        vm_test_command(args, &validated_args)
+        vm_test_command(args, &validated_args, inputs, outputs)
     }?;
     let status = log_command(&mut command).status()?;
     if !status.success() {
diff --git a/antlir/antlir2/antlir2_vm/src/types.rs b/antlir/antlir2/antlir2_vm/src/types.rs
@@ -297,6 +297,16 @@ pub(crate) struct MachineOpts {
     /// Each arg is serialized as a single-element list by Buck2's attrs.arg().
     #[serde(default)]
     pub(crate) extra_qemu_args: Vec<Vec<String>>,
+    /// Additional read-only host directories to bind-mount into the VM
+    /// container. Each path is serialized as a single-element list by
+    /// Buck2's attrs.arg().
+    #[serde(default)]
+    pub(crate) input_dirs: Vec<Vec<String>>,
+    /// Additional read-write host directories to bind-mount into the VM
+    /// container. Each path is serialized as a single-element list by
+    /// Buck2's attrs.arg().
+    #[serde(default)]
+    pub(crate) output_dirs: Vec<Vec<String>>,
 }
 
 #[cfg(test)]
diff --git a/antlir/antlir2/antlir2_vm/src/vm.rs b/antlir/antlir2/antlir2_vm/src/vm.rs
@@ -130,8 +130,17 @@ impl<S: Share> VM<S> {
         let state_dir = Self::create_state_dir()?;
         let pci_bridges = PCIBridges::new(machine.disks.len())?;
         let disks = QCow2Disks::new(&machine.disks, &pci_bridges, &state_dir)?;
+        let mut all_output_dirs = args.get_vm_output_dirs();
+        for dir in &machine.output_dirs {
+            all_output_dirs.insert(PathBuf::from(dir.concat()));
+        }
+        let all_input_dirs: HashSet<PathBuf> = machine
+            .input_dirs
+            .iter()
+            .map(|d| PathBuf::from(d.concat()))
+            .collect();
         let shares = Self::create_shares(
-            Self::get_all_shares_opts(&args.get_vm_output_dirs()),
+            Self::get_all_shares_opts(&all_input_dirs, &all_output_dirs),
             &state_dir,
             machine.mem_mib,
         )?;
@@ -197,25 +206,28 @@ impl<S: Share> VM<S> {
 
     /// All platform paths needs to be mounted inside the VM as read-only shares.
     /// Collect them into ShareOpts along with others.
-    fn get_all_shares_opts(output_dirs: &HashSet<PathBuf>) -> Vec<ShareOpts> {
-        let mut shares: Vec<_> = Platform::get()
+    fn get_all_shares_opts(
+        inputs: &HashSet<PathBuf>,
+        outputs: &HashSet<PathBuf>,
+    ) -> Vec<ShareOpts> {
+        Platform::get()
             .iter()
             .map(|path| ShareOpts {
                 path: path.to_path_buf(),
                 read_only: true,
                 mount_tag: None,
             })
-            .collect();
-        let mut outputs: Vec<_> = output_dirs
-            .iter()
-            .map(|p| ShareOpts {
+            .chain(inputs.iter().map(|p| ShareOpts {
+                path: p.to_path_buf(),
+                read_only: true,
+                mount_tag: None,
+            }))
+            .chain(outputs.iter().map(|p| ShareOpts {
                 path: p.to_path_buf(),
                 read_only: false,
                 mount_tag: None,
-            })
-            .collect();
-        shares.append(&mut outputs);
-        shares
+            }))
+            .collect()
     }
 
     /// Create all shares, start virtiofsd daemon and generate necessary unit files
@@ -1151,8 +1163,23 @@ mod test {
             read_only: false,
             mount_tag: None,
         };
-        let all_opts = VM::<VirtiofsShare>::get_all_shares_opts(&outputs);
+        let all_opts = VM::<VirtiofsShare>::get_all_shares_opts(&HashSet::new(), &outputs);
         assert!(all_opts.contains(&opt));
+
+        let inputs = HashSet::from([PathBuf::from("/extra/input")]);
+        let mut extended_outputs = outputs.clone();
+        extended_outputs.insert(PathBuf::from("/extra/output"));
+        let all_opts = VM::<VirtiofsShare>::get_all_shares_opts(&inputs, &extended_outputs);
+        assert!(all_opts.contains(&ShareOpts {
+            path: PathBuf::from("/extra/input"),
+            read_only: true,
+            mount_tag: None,
+        }));
+        assert!(all_opts.contains(&ShareOpts {
+            path: PathBuf::from("/extra/output"),
+            read_only: false,
+            mount_tag: None,
+        }));
     }
 
     #[test]
