firecracker: Refactor logic and bump to kernel 6.1.102 (#83)

Author: pjbgf

internal/qubesome/run.go

@@ -176,7 +176,7 @@ func runner(in WorkloadInfo, runnerOverride string) error {
 	if !reflect.DeepEqual(ew.Workload.HostAccess, w.HostAccess) {
 		msg := diffMessage(w, ew)
 		if len(msg) > 0 {
-			err := fmt.Errorf("workload %s tries to access more than profile allows", in.Profile)
+			err := fmt.Errorf("workload %s tries to access more than profile allows", in.Name)
 			dbus.NotifyOrLog("qubesome: access denied", err.Error()+":<br/>"+msg)
 
 			return err

internal/runners/firecracker/deps.go

@@ -11,53 +11,51 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 
 	"github.com/qubesome/cli/internal/files"
+	"github.com/qubesome/cli/internal/util/dbus"
 	"golang.org/x/sys/execabs"
+
+	_ "embed"
 )
 
-const (
-	command             = "/usr/bin/firecracker"
-	runUserDir          = "/run/user/%d"
-	qubesomeDir         = "qubesome"
-	qubesomeFilemode    = 0o700
-	qubesomeCfgFilemode = 0o600
+//go:embed firecracker.config
+var configTmpl string
 
-	kernelURL  = "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.5/x86_64/vmlinux-5.10.186"
+const (
+	// kernelUrl from https://s3.amazonaws.com/spec.ccfc.min/
+	kernelURL  = "https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.11/x86_64/vmlinux-6.1.102"
 	kernelFile = "vmlinux"
 
+	// light-weight image that contains the necessary tools for setting up
+	// firecracker's network taps.
+	firecrackerImg = "ghcr.io/qubesome/firecracker:latest"
+
 	MB              = 1024 * 1024
 	maxDownloadSize = 100 * MB
 
 	networkDevName = "tap1"
 )
 
-func ensureDependencies(img string) error {
-	if _, err := exec.LookPath(command); err != nil {
+func ensureDependencies() error {
+	if _, err := exec.LookPath(files.FireCrackerBinary); err != nil {
 		return err
 	}
 
-	uid := os.Getuid()
-	baseDir := fmt.Sprintf(runUserDir, uid)
-
-	_, err := os.Stat(baseDir)
-	if err != nil {
-		return err
-	}
-
-	d := filepath.Join(baseDir, qubesomeDir)
-	if err = os.MkdirAll(d, qubesomeFilemode); err != nil {
+	d := files.QubesomeDir()
+	if err := os.MkdirAll(d, files.DirMode); err != nil {
 		return err
 	}
 
 	kfile := filepath.Join(d, kernelFile)
-	_, err = os.Stat(kfile)
+	_, err := os.Stat(kfile)
 	if err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return err
 		}
 
-		slog.Info("cached kernel image not found")
+		dbus.NotifyOrLog("firecracker", "downloading fresh kernel image")
 		err = download(kernelURL, kfile)
 		if err != nil {
 			return fmt.Errorf("failed to download kernel image: %w", err)
@@ -66,19 +64,44 @@ func ensureDependencies(img string) error {
 
 	_, err = net.InterfaceByName(networkDevName)
 	if err != nil {
-		return setupTaps(img)
+		return setupTaps()
 	}
 
 	return nil
 }
 
-func setupTaps(img string) error {
+func createRootFs(dir, img string) (string, error) {
+	slog.Info("creating root fs")
+	rootfs := filepath.Join(dir, "roofs.ext4")
+	bin := files.ContainerRunnerBinary("docker")
+	cmd := execabs.Command(bin,
+		"run", "--rm", "--privileged",
+		"-v", dir+":"+dir,
+		img,
+		"create_rootfs", rootfs, strconv.Itoa(os.Getuid()),
+	)
+
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+
+	if err := cmd.Run(); err != nil {
+		return "", err
+	}
+
+	return rootfs, nil
+}
+
+func setupTaps() error {
 	slog.Info("setting up taps")
-	bin := files.ContainerRunnerBinary("")
+	bin := files.ContainerRunnerBinary("docker")
+
+	slog.Debug("setting up taps", "device name", networkDevName)
 	cmd := execabs.Command(bin,
 		"run", "--rm", "--privileged",
 		"--network", "host",
-		img,
+		"-e", fmt.Sprintf("TAP_DEV=%s", networkDevName),
+		firecrackerImg,
 		"setup_taps",
 	)
 

internal/runners/firecracker/firecracker.config

@@ -0,0 +1,39 @@
+{
+    "boot-source": {
+        "kernel_image_path": "{{.KernelImagePath}}",
+        "boot_args": "keep_bootcon console=ttyS0 reboot=k panic=1 pci=off",
+        "initrd_path": null
+    },
+    "drives": [
+        {
+            "drive_id": "rootfs",
+            "path_on_host": "{{.RootFsPath}}",
+            "is_root_device": true,
+            "is_read_only": false,
+            "partuuid": null,
+            "cache_type": "Unsafe",
+            "io_engine": "Sync",
+            "rate_limiter": null
+        }
+    ],
+    "machine-config": {
+        "vcpu_count": 2,
+        "mem_size_mib": 256,
+        "smt": false,
+        "track_dirty_pages": false
+    },
+    "cpu-config": null,
+    "balloon": null,
+    "network-interfaces": [
+        {
+            "iface_id": "eth0",
+            "guest_mac": "06:00:AC:10:00:02",
+            "host_dev_name": "{{.HostDeviceName}}"
+        }
+    ],
+    "vsock": null,
+    "logger": null,
+    "metrics": null,
+    "mmds-config": null,
+    "entropy": null
+}

internal/runners/firecracker/run.go

@@ -6,7 +6,6 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
-	"strconv"
 	"text/template"
 
 	"github.com/qubesome/cli/internal/files"
@@ -20,28 +19,6 @@ type configParams struct {
 	HostDeviceName  string
 }
 
-func createRootFs(dir, img string) (string, error) {
-	slog.Info("creating root fs")
-	rootfs := filepath.Join(dir, "roofs.ext4")
-	bin := files.ContainerRunnerBinary("")
-	cmd := execabs.Command(bin,
-		"run", "--rm", "--privileged",
-		"-v", "/tmp/:/tmp/",
-		img,
-		"create_rootfs", rootfs, strconv.Itoa(os.Getuid()),
-	)
-
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-
-	if err := cmd.Run(); err != nil {
-		return "", err
-	}
-
-	return rootfs, nil
-}
-
 func Run(ew types.EffectiveWorkload) error {
 	slog.Warn("use of firecracker is experimental")
 
@@ -53,7 +30,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return fmt.Errorf("firecracker does not support single instance")
 	}
 
-	if err := ensureDependencies(ew.Workload.Image); err != nil {
+	if err := ensureDependencies(); err != nil {
 		return err
 	}
 
@@ -67,10 +44,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return err
 	}
 
-	uid := os.Getuid()
-	baseDir := fmt.Sprintf(runUserDir, uid)
-	kfile := filepath.Join(baseDir, qubesomeDir, kernelFile)
-
+	kfile := filepath.Join(files.QubesomeDir(), kernelFile)
 	params := configParams{
 		KernelImagePath: kfile,
 		RootFsPath:      rootfs,
@@ -85,7 +59,7 @@ func Run(ew types.EffectiveWorkload) error {
 		return err
 	}
 
-	f, err := os.OpenFile(cfgPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, qubesomeCfgFilemode)
+	f, err := os.OpenFile(cfgPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, files.FileMode)
 	if err != nil {
 		return fmt.Errorf("failed to open firecracker config file: %w", err)
 	}
@@ -105,10 +79,10 @@ func Run(ew types.EffectiveWorkload) error {
 }
 
 func run(args []string) error {
-	slog.Debug(command, "args", args)
+	slog.Debug(files.FireCrackerBinary, "args", args)
 
 	ctx := context.Background()
-	cmd := execabs.CommandContext(ctx, command, args...)
+	cmd := execabs.CommandContext(ctx, files.FireCrackerBinary, args...)
 
 	cmd.Stdin = os.Stdin
 	cmd.Stderr = os.Stderr