Skip to content

Update feature/secret-hiding with more recent iterations of patch series #5293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 14, 2025
Merged

Update feature/secret-hiding with more recent iterations of patch series #5293

merged 6 commits into from
Jul 14, 2025

Conversation

@roypat
Copy link
Contributor

@roypat roypat commented Jul 7, 2025

Upgrade the base "mmap support for guest_memfd" series from Fuad's v4 to v12, and do all the Firecracker changes that come with it.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@roypat roypat changed the base branch from main to feature/secret-hiding July 7, 2025 13:39
@codecov
Copy link

codecov bot commented Jul 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 40.90909% with 13 lines in your changes missing coverage. Please review.

Project coverage is 81.81%. Comparing base (26b2922) to head (d006372).
Report is 6 commits behind head on feature/secret-hiding.

Files with missing lines Patch % Lines
src/vmm/src/builder.rs 27.77% 13 Missing ⚠️
Additional details and impacted files 
@@                    Coverage Diff                    @@
##           feature/secret-hiding    #5293      +/-   ##
=========================================================
- Coverage                  81.81%   81.81%   -0.01%     
=========================================================
  Files                        250      250              
  Lines                      27666    27635      -31     
=========================================================
- Hits                       22635    22609      -26     
+ Misses                      5031     5026       -5
Flag Coverage Δ
5.10-c5n.metal 81.99% <40.90%> (+0.05%) ⬆️
5.10-m5n.metal 81.99% <40.90%> (+0.05%) ⬆️
5.10-m6a.metal 81.15% <40.90%> (+0.05%) ⬆️
5.10-m6g.metal 77.96% <40.90%> (+0.06%) ⬆️
5.10-m6i.metal 81.98% <40.90%> (+0.04%) ⬆️
5.10-m7a.metal-48xl 81.14% <40.90%> (+0.05%) ⬆️
5.10-m7g.metal 77.96% <40.90%> (+0.06%) ⬆️
5.10-m7i.metal-24xl 81.94% <40.90%> (+0.05%) ⬆️
5.10-m7i.metal-48xl 81.94% <40.90%> (+0.04%) ⬆️
5.10-m8g.metal-24xl 77.96% <40.90%> (+0.06%) ⬆️
5.10-m8g.metal-48xl 77.96% <40.90%> (+0.06%) ⬆️
6.1-c5n.metal 82.03% <40.90%> (+0.05%) ⬆️
6.1-m5n.metal 82.03% <40.90%> (+0.04%) ⬆️
6.1-m6a.metal 81.19% <40.90%> (+0.04%) ⬆️
6.1-m6g.metal 77.96% <40.90%> (+0.06%) ⬆️
6.1-m6i.metal 82.02% <40.90%> (+0.04%) ⬆️
6.1-m7a.metal-48xl 81.19% <40.90%> (+0.06%) ⬆️
6.1-m7g.metal 77.96% <40.90%> (+0.06%) ⬆️
6.1-m7i.metal-24xl 82.04% <40.90%> (+0.05%) ⬆️
6.1-m7i.metal-48xl 82.04% <40.90%> (+0.05%) ⬆️
6.1-m8g.metal-24xl 77.96% <40.90%> (+0.06%) ⬆️
6.1-m8g.metal-48xl 77.96% <40.90%> (+0.06%) ⬆️
6.14-c5n.metal ?
6.14-m5n.metal ?
6.14-m6a.metal ?
6.14-m6i.metal ?
6.14-m7a.metal-48xl ?
6.14-m7i.metal-24xl ?
6.14-m7i.metal-48xl ?
6.16-c5n.metal 82.06% <40.90%> (?)
6.16-m5n.metal 82.06% <40.90%> (?)
6.16-m6a.metal 81.22% <40.90%> (?)
6.16-m6g.metal 77.98% <40.90%> (+0.04%) ⬆️
6.16-m6i.metal 82.05% <40.90%> (?)
6.16-m7a.metal-48xl 81.21% <40.90%> (?)
6.16-m7g.metal 77.99% <40.90%> (+0.05%) ⬆️
6.16-m7i.metal-24xl 82.07% <40.90%> (?)
6.16-m7i.metal-48xl 82.07% <40.90%> (?)
6.16-m8g.metal-24xl 77.99% <40.90%> (+0.06%) ⬆️
6.16-m8g.metal-48xl 77.99% <40.90%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@roypat roypat force-pushed the updated-patch-series branch 3 times, most recently from 6441b62 to a33921e Compare July 7, 2025 15:14
kalyazin
kalyazin reviewed Jul 8, 2025
View reviewed changes
@roypat roypat force-pushed the updated-patch-series branch 3 times, most recently from b6a218f to 1e6c8eb Compare July 9, 2025 14:00
@roypat roypat changed the title Update feature/secret-hiding with more recent iterations of patch seires Update feature/secret-hiding with more recent iterations of patch series Jul 9, 2025
@roypat roypat mentioned this pull request Jul 9, 2025
Closed
10 tasks
@roypat roypat force-pushed the updated-patch-series branch 2 times, most recently from ff1c5d5 to 22ceb08 Compare July 10, 2025 06:27
roypat added 2 commits July 10, 2025 15:03
@roypat
firecracker adjustments for v12
77be912 
- Drop setting memory attributes to private (workaround was needed to
  get KVM to fault non-coco VMs through guest_memfd always)
- Drop no-kvmclock (we have a workaround patch now)
- Drop VM types (guest_memfd is now supported on all vm types).
- Update kvm capability numbers

Signed-off-by: Patrick Roy <[email protected]>
@roypat
chore: drop now-nonexistant kernel configs
3c52a87 
CONFIG_KVM_PRIVATE_MEM is dead, and CONFIG_KVM_GMEM which replaces it is
automatically selected.

Signed-off-by: Patrick Roy <[email protected]>
@roypat roypat force-pushed the updated-patch-series branch 6 times, most recently from 170ce9d to 11970a6 Compare July 11, 2025 11:46
roypat added 2 commits July 11, 2025 13:24
@roypat
fix(test): renable huge pages tests on arm64
9ed1c1d 
With the updated host kernel, the bug that made them fail seems to have
been fixed.

Signed-off-by: Patrick Roy <[email protected]>
@roypat
tmp: Stop tweaking turbo/pstates in perf tests
8dd1215 
Writing to the noturbo sysfs immediately locks up the entire instance,
so stop doing this for now.

Signed-off-by: Patrick Roy <[email protected]>
@roypat roypat force-pushed the updated-patch-series branch from 11970a6 to 8dd1215 Compare July 11, 2025 12:25
@roypat
tmp: disable test_kvm_ptp.py on ARM
c5b40a1 
It's currently broken on the host kernel we're using.

Signed-off-by: Patrick Roy <[email protected]>
@roypat roypat force-pushed the updated-patch-series branch 5 times, most recently from 79d3271 to 0b268ce Compare July 14, 2025 08:56
@roypat roypat force-pushed the updated-patch-series branch from 0b268ce to cd04eff Compare July 14, 2025 09:03
@roypat
fix: update base commit to -rc6
d006372 
Linus fixed an issue introduced between -rc4 and -rc5 that shows up as
random userspace processes hanging without and kernel logs to show what
might be going from [1]. This pretty much exactly matches what we are
seeing with docekr just random hanging sometimes. Let's try updating to
-rc6 to see if that makes the issue go away.

On aarch64, this kernel needs some additional dependencies to build
(hexdump), which we do not have in the docker container, so add a
"instlal build dependencies" step to the kernel building script.

[1]: https://lore.kernel.org/all/CAHk-=wiMJWwgJ4HYsLzJ4_OkhzJ75ah0HrfBBk+W-RGjk4-h2g@mail.gmail.com/

Signed-off-by: Patrick Roy <[email protected]>
@roypat roypat force-pushed the updated-patch-series branch from cd04eff to d006372 Compare July 14, 2025 09:05
@roypat roypat marked this pull request as ready for review July 14, 2025 10:50
@roypat roypat enabled auto-merge (rebase) July 14, 2025 12:15
@roypat roypat merged commit 48890ef into firecracker-microvm:feature/secret-hiding Jul 14, 2025
5 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kalyazin kalyazin kalyazin left review comments

@JackThomson2 JackThomson2 JackThomson2 approved these changes

@zulinx86 zulinx86 zulinx86 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@roypat @kalyazin @JackThomson2 @zulinx86