firecracker: Refactoring code

Split image used for network setup with the image used as the
source for the rootfs. In the future, some of the qubesome specific
logic in the latter should also be transitioned over to the
firecracker image, so that the requirements from the workload
image are decreased.

Signed-off-by: Paulo Gomes <[email protected]>

Author: pjbgf

internal/runners/firecracker/deps.go

@@ -11,53 +11,51 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 
 	"github.com/qubesome/cli/internal/files"
+	"github.com/qubesome/cli/internal/util/dbus"
 	"golang.org/x/sys/execabs"
+
+	_ "embed"
 )
 
-const (
-	command             = "/usr/bin/firecracker"
-	runUserDir          = "/run/user/%d"
-	qubesomeDir         = "qubesome"
-	qubesomeFilemode    = 0o700
-	qubesomeCfgFilemode = 0o600
+//go:embed firecracker.config
+var configTmpl string
 
+const (
+	// kernelUrl from https://s3.amazonaws.com/spec.ccfc.min/
 	kernelURL  = "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.11/x86_64/vmlinux-6.1.102"
 	kernelFile = "vmlinux"
 
+	// light-weight image that contains the necessary tools for setting up
+	// firecracker's network taps.
+	firecrackerImg = "ghcr.io/qubesome/firecracker:latest"
+
 	MB              = 1024 * 1024
 	maxDownloadSize = 100 * MB
 
 	networkDevName = "tap1"
 )
 
-func ensureDependencies(img string) error {
-	if _, err := exec.LookPath(command); err != nil {
+func ensureDependencies() error {
+	if _, err := exec.LookPath(files.FireCrackerBinary); err != nil {
 		return err
 	}
 
-	uid := os.Getuid()
-	baseDir := fmt.Sprintf(runUserDir, uid)
-
-	_, err := os.Stat(baseDir)
-	if err != nil {
-		return err
-	}
-
-	d := filepath.Join(baseDir, qubesomeDir)
-	if err = os.MkdirAll(d, qubesomeFilemode); err != nil {
+	d := files.QubesomeDir()
+	if err := os.MkdirAll(d, files.DirMode); err != nil {
 		return err
 	}
 
 	kfile := filepath.Join(d, kernelFile)
-	_, err = os.Stat(kfile)
+	_, err := os.Stat(kfile)
 	if err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return err
 		}
 
-		slog.Info("cached kernel image not found")
+		dbus.NotifyOrLog("firecracker", "downloading fresh kernel image")
 		err = download(kernelURL, kfile)
 		if err != nil {
 			return fmt.Errorf("failed to download kernel image: %w", err)
@@ -66,19 +64,44 @@ func ensureDependencies(img string) error {
 
 	_, err = net.InterfaceByName(networkDevName)
 	if err != nil {
-		return setupTaps(img)
+		return setupTaps()
 	}
 
 	return nil
 }
 
-func setupTaps(img string) error {
+func createRootFs(dir, img string) (string, error) {
+	slog.Info("creating root fs")
+	rootfs := filepath.Join(dir, "roofs.ext4")
+	bin := files.ContainerRunnerBinary("docker")
+	cmd := execabs.Command(bin,
+		"run", "--rm", "--privileged",
+		"-v", dir+":"+dir,
+		img,
+		"create_rootfs", rootfs, strconv.Itoa(os.Getuid()),
+	)
+
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+
+	if err := cmd.Run(); err != nil {
+		return "", err
+	}
+
+	return rootfs, nil
+}
+
+func setupTaps() error {
 	slog.Info("setting up taps")
 	bin := files.ContainerRunnerBinary("docker")
+
+	slog.Debug("setting up taps", "device name", networkDevName)
 	cmd := execabs.Command(bin,
 		"run", "--rm", "--privileged",
 		"--network", "host",
-		img,
+		"-e", fmt.Sprintf("TAP_DEV=%s", networkDevName),
+		firecrackerImg,
 		"setup_taps",
 	)
 

internal/runners/firecracker/firecracker.config

@@ -0,0 +1,39 @@
+{
+    "boot-source": {
+        "kernel_image_path": "{{.KernelImagePath}}",
+        "boot_args": "keep_bootcon console=ttyS0 reboot=k panic=1 pci=off",
+        "initrd_path": null
+    },
+    "drives": [
+        {
+            "drive_id": "rootfs",
+            "path_on_host": "{{.RootFsPath}}",
+            "is_root_device": true,
+            "is_read_only": false,
+            "partuuid": null,
+            "cache_type": "Unsafe",
+            "io_engine": "Sync",
+            "rate_limiter": null
+        }
+    ],
+    "machine-config": {
+        "vcpu_count": 2,
+        "mem_size_mib": 256,
+        "smt": false,
+        "track_dirty_pages": false
+    },
+    "cpu-config": null,
+    "balloon": null,
+    "network-interfaces": [
+        {
+            "iface_id": "eth0",
+            "guest_mac": "06:00:AC:10:00:02",
+            "host_dev_name": "{{.HostDeviceName}}"
+        }
+    ],
+    "vsock": null,
+    "logger": null,
+    "metrics": null,
+    "mmds-config": null,
+    "entropy": null
+}

internal/runners/firecracker/run.go

@@ -6,7 +6,6 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
-	"strconv"
 	"text/template"
 
 	"github.com/qubesome/cli/internal/files"
@@ -20,28 +19,6 @@ type configParams struct {
 	HostDeviceName  string
 }
 
-func createRootFs(dir, img string) (string, error) {
-	slog.Info("creating root fs")
-	rootfs := filepath.Join(dir, "roofs.ext4")
-	bin := files.ContainerRunnerBinary("docker")
-	cmd := execabs.Command(bin,
-		"run", "--rm", "--privileged",
-		"-v", "/tmp/:/tmp/",
-		img,
-		"create_rootfs", rootfs, strconv.Itoa(os.Getuid()),
-	)
-
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-
-	if err := cmd.Run(); err != nil {
-		return "", err
-	}
-
-	return rootfs, nil
-}
-
 func Run(ew types.EffectiveWorkload) error {
 	slog.Warn("use of firecracker is experimental")
 
@@ -53,7 +30,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return fmt.Errorf("firecracker does not support single instance")
 	}
 
-	if err := ensureDependencies(ew.Workload.Image); err != nil {
+	if err := ensureDependencies(); err != nil {
 		return err
 	}
 
@@ -67,10 +44,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return err
 	}
 
-	uid := os.Getuid()
-	baseDir := fmt.Sprintf(runUserDir, uid)
-	kfile := filepath.Join(baseDir, qubesomeDir, kernelFile)
-
+	kfile := filepath.Join(files.QubesomeDir(), kernelFile)
 	params := configParams{
 		KernelImagePath: kfile,
 		RootFsPath:      rootfs,
@@ -85,7 +59,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return err
 	}
 
-	f, err := os.OpenFile(cfgPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, qubesomeCfgFilemode)
+	f, err := os.OpenFile(cfgPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, files.FileMode)
 	if err != nil {
 		return fmt.Errorf("failed to open firecracker config file: %w", err)
 	}
@@ -105,10 +79,10 @@ func Run(ew types.EffectiveWorkload) error {
 }
 
 func run(args []string) error {
-	slog.Debug(command, "args", args)
+	slog.Debug(files.FireCrackerBinary, "args", args)
 
 	ctx := context.Background()
-	cmd := execabs.CommandContext(ctx, command, args...)
+	cmd := execabs.CommandContext(ctx, files.FireCrackerBinary, args...)
 
 	cmd.Stdin = os.Stdin
 	cmd.Stderr = os.Stderr