feat: add mkosi based AL2023 images (#1716)

* Changes

- disable sshOverVsock for VZ driver
- update finch-core to latest main
consume al2023 images & lima 2.1.0-beta
- add a test for rosetta emulation

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* fix rosetta config

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* update golangci-lint to v2.11.3

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* fix lint issues

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* bump finch-core submodule again to consume new lima builds with symlink patch applied

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* skip rosetta emulation on macos < 26

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

* add warning for rosetta on macos < 26

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

---------

Signed-off-by: Swapnanil-Gupta <swpnlg@amazon.com>

Author: Swapnanil-Gupta

.github/workflows/ci-docs.yaml

@@ -113,7 +113,7 @@ jobs:
           # Pin the version in case all the builds start to fail at the same time.
           # There may not be an automatic way (e.g., dependabot) to update a specific parameter of a GitHub Action,
           # so we will just update it manually whenever it makes sense (e.g., a feature that we want is added).
-          version: v2.7.0
+          version: v2.11.3
           args: --fix=false --timeout=5m
       - name: set GOOS env to darwin
         run: |
@@ -124,7 +124,7 @@ jobs:
           # Pin the version in case all the builds start to fail at the same time.
           # There may not be an automatic way (e.g., dependabot) to update a specific parameter of a GitHub Action,
           # so we will just update it manually whenever it makes sense (e.g., a feature that we want is added).
-          version: v2.7.0
+          version: v2.11.3
           args: --fix=false --timeout=5m --skip-dirs="(^|/)deps($|/)"
   go-mod-tidy-check:
     runs-on: ubuntu-latest

.github/workflows/ci.yaml

@@ -138,7 +138,7 @@ jobs:
           # Pin the version in case all the builds start to fail at the same time.
           # There may not be an automatic way (e.g., dependabot) to update a specific parameter of a GitHub Action,
           # so we will just update it manually whenever it makes sense (e.g., a feature that we want is added).
-          version: v2.7.0
+          version: v2.11.3
           args: --fix=false --timeout=5m
       - name: set GOOS env to darwin
         run: |
@@ -149,7 +149,7 @@ jobs:
           # Pin the version in case all the builds start to fail at the same time.
           # There may not be an automatic way (e.g., dependabot) to update a specific parameter of a GitHub Action,
           # so we will just update it manually whenever it makes sense (e.g., a feature that we want is added).
-          version: v2.7.0
+          version: v2.11.3
           args: --fix=false --timeout=5m --skip-dirs="(^|/)deps($|/)"
   shellcheck:
     name: ShellCheck

cmd/credserver/main.go

@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strings"
 	"syscall"
 	"time"
@@ -31,9 +32,9 @@ func main() {
 	if len(os.Args) < 4 {
 		logrus.Fatal("Usage: credserver <socket-path> <pid-file> <log-file>")
 	}
-	socketPath := os.Args[1]
-	pidFile := os.Args[2]
-	logPath := os.Args[3]
+	socketPath := filepath.Clean(os.Args[1])
+	pidFile := filepath.Clean(os.Args[2])
+	logPath := filepath.Clean(os.Args[3])
 
 	// Setup file logging with rotation
 	// #nosec G302 -- Log file needs to be readable for debugging
@@ -162,7 +163,7 @@ func handleCredentials(w http.ResponseWriter, r *http.Request) {
 
 	// Encode credentials to JSON
 	var buf bytes.Buffer
-	if err := json.NewEncoder(&buf).Encode(creds); err != nil {
+	if err := json.NewEncoder(&buf).Encode(creds); err != nil { //nolint:gosec // G117: intentional
 		logrus.Errorf("Failed to encode credentials to JSON: %v", err)
 		http.Error(w, "Failed to encode credentials", http.StatusInternalServerError)
 		return

cmd/credserver/main_test.go

@@ -7,6 +7,7 @@ package main
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -106,7 +107,7 @@ func TestHandleCredentials(t *testing.T) {
 		t.Parallel()
 		req := httptest.NewRequest(http.MethodGet, "/credentials?server=registry.example.com", nil)
 		for i := 0; i < 100; i++ {
-			req.Header.Set("X-Finch-Env-"+string(rune('A'+i)), "value")
+			req.Header.Set(fmt.Sprintf("X-Finch-Env-%c", 'A'+i), "value")
 		}
 		w := httptest.NewRecorder()
 
@@ -163,7 +164,7 @@ func TestHandleCredentials(t *testing.T) {
 		for i := 0; i < numRequests; i++ {
 			go func(id int) {
 				req := httptest.NewRequest(http.MethodGet, "/credentials?server=registry.example.com", nil)
-				req.Header.Set("X-Finch-Env-ID", string(rune('0'+id)))
+				req.Header.Set("X-Finch-Env-ID", fmt.Sprintf("%d", id))
 				w := httptest.NewRecorder()
 
 				handleCredentials(w, req)

cmd/finch/virtual_machine.go

@@ -127,5 +127,6 @@ func virtualMachineCommands(
 		fp,
 		fs,
 		disk.NewUserDataDiskManager(ncc, ecc, &afero.OsFs{}, fp, finchRootPath, fc, logger),
+		fc,
 	)
 }

cmd/finch/virtual_machine_darwin.go

@@ -42,6 +42,7 @@ func newVirtualMachineCommand(
 	fp path.Finch,
 	fs afero.Fs,
 	diskManager disk.UserDataDiskManager,
+	finchConfig *config.Finch,
 ) *cobra.Command {
 	virtualMachineCommand := &cobra.Command{
 		Use:   virtualMachineRootCmd,
@@ -54,7 +55,7 @@ func newVirtualMachineCommand(
 		newRemoveVMCommand(limaCmdCreator, diskManager, logger),
 		newStatusVMCommand(limaCmdCreator, logger, os.Stdout),
 		newInitVMCommand(limaCmdCreator, logger, optionalDepGroups, lca, nca, fp.BaseYamlFilePath(), fs,
-			fp.LimaSSHPrivateKeyPath(), diskManager),
+			fp.LimaSSHPrivateKeyPath(), diskManager, finchConfig),
 		newSettingsVMCommand(logger, lca, fs, os.Stdout),
 		newDiskVMCommand(limaCmdCreator, logger),
 	)

cmd/finch/virtual_machine_init.go

@@ -31,11 +31,12 @@ func newInitVMCommand(
 	fs afero.Fs,
 	privateKeyPath string,
 	diskManager disk.UserDataDiskManager,
+	finchConfig *config.Finch,
 ) *cobra.Command {
 	initVMCommand := &cobra.Command{
 		Use:      "init",
 		Short:    "Initialize the virtual machine",
-		RunE:     newInitVMAction(ncc, logger, optionalDepGroups, lca, baseYamlFilePath, diskManager).runAdapter,
+		RunE:     newInitVMAction(ncc, logger, optionalDepGroups, lca, baseYamlFilePath, diskManager, finchConfig).runAdapter,
 		PostRunE: newPostVMStartInitAction(logger, ncc, fs, privateKeyPath, nca).runAdapter,
 	}
 
@@ -49,6 +50,7 @@ type initVMAction struct {
 	optionalDepGroups []*dependency.Group
 	limaConfigApplier config.LimaConfigApplier
 	diskManager       disk.UserDataDiskManager
+	finchConfig       *config.Finch
 }
 
 func newInitVMAction(
@@ -58,6 +60,7 @@ func newInitVMAction(
 	lca config.LimaConfigApplier,
 	baseYamlFilePath string,
 	diskManager disk.UserDataDiskManager,
+	finchConfig *config.Finch,
 ) *initVMAction {
 	return &initVMAction{
 		creator:           creator,
@@ -66,6 +69,7 @@ func newInitVMAction(
 		limaConfigApplier: lca,
 		baseYamlFilePath:  baseYamlFilePath,
 		diskManager:       diskManager,
+		finchConfig:       finchConfig,
 	}
 }
 
@@ -79,7 +83,7 @@ func (iva *initVMAction) run() error {
 		return err
 	}
 
-	err = iva.limaConfigApplier.ConfigureDefaultLimaYaml()
+	err = iva.limaConfigApplier.ConfigureDefaultLimaYaml(iva.logger)
 	if err != nil {
 		return err
 	}
@@ -103,7 +107,15 @@ func (iva *initVMAction) run() error {
 	}
 
 	instanceName := fmt.Sprintf("--name=%v", limaInstanceName)
-	limaCmd := iva.creator.CreateWithoutStdio("start", instanceName, iva.baseYamlFilePath, "--tty=false")
+	startOpts := []string{"start", instanceName, iva.baseYamlFilePath, "--tty=false"}
+	if iva.finchConfig == nil || *iva.finchConfig.VMType == "vz" {
+		// Starting with 2.0, Lima uses ssh over vsock by default on systemd >= 256 (https://github.com/lima-vm/lima/pull/3979)
+		// which is causing a ssh "permission denied" issue with VZ driver.
+		// So, disabling this feature for VZ driver for now.
+		// This still works with QEMU driver.
+		startOpts = append(startOpts, "--set", ".ssh.overVsock=false")
+	}
+	limaCmd := iva.creator.CreateWithoutStdio(startOpts...)
 
 	iva.logger.Info("Initializing and starting Finch virtual machine...")
 	logs, err := limaCmd.CombinedOutput()

cmd/finch/virtual_machine_init_test.go

@@ -25,7 +25,7 @@ const mockBaseYamlFilePath = "/os/os.yaml"
 func TestNewInitVMCommand(t *testing.T) {
 	t.Parallel()
 
-	cmd := newInitVMCommand(nil, nil, nil, nil, nil, "", nil, "", nil)
+	cmd := newInitVMCommand(nil, nil, nil, nil, nil, "", nil, "", nil, nil)
 	assert.Equal(t, cmd.Name(), "init")
 }
 
@@ -75,12 +75,12 @@ func TestInitVMAction_runAdapter(t *testing.T) {
 				logger.EXPECT().Debugf("Status of virtual machine: %s", "")
 
 				command := mocks.NewCommand(ctrl)
-				lca.EXPECT().ConfigureDefaultLimaYaml().Return(nil)
+				lca.EXPECT().ConfigureDefaultLimaYaml(logger).Return(nil)
 				lca.EXPECT().ConfigureOverrideLimaYaml().Return(nil)
 				dm.EXPECT().DetachUserDataDisk().Return(nil)
 				dm.EXPECT().EnsureUserDataDisk().Return(nil)
 				ncc.EXPECT().CreateWithoutStdio("start", fmt.Sprintf("--name=%s", limaInstanceName),
-					mockBaseYamlFilePath, "--tty=false").Return(command)
+					mockBaseYamlFilePath, "--tty=false", "--set", ".ssh.overVsock=false").Return(command)
 				command.EXPECT().CombinedOutput()
 
 				logger.EXPECT().Info("Initializing and starting Finch virtual machine...")
@@ -107,7 +107,7 @@ func TestInitVMAction_runAdapter(t *testing.T) {
 			groups := tc.groups(ctrl)
 			tc.mockSvc(ncc, logger, lca, dm, ctrl)
 
-			assert.NoError(t, newInitVMAction(ncc, logger, groups, lca, mockBaseYamlFilePath, dm).runAdapter(tc.command, tc.args))
+			assert.NoError(t, newInitVMAction(ncc, logger, groups, lca, mockBaseYamlFilePath, dm, nil).runAdapter(tc.command, tc.args))
 		})
 	}
 }
@@ -145,14 +145,14 @@ func TestInitVMAction_run(t *testing.T) {
 				getVMStatusC.EXPECT().Output().Return([]byte(""), nil)
 				logger.EXPECT().Debugf("Status of virtual machine: %s", "")
 
-				lca.EXPECT().ConfigureDefaultLimaYaml().Return(nil)
+				lca.EXPECT().ConfigureDefaultLimaYaml(logger).Return(nil)
 				lca.EXPECT().ConfigureOverrideLimaYaml().Return(nil)
 				dm.EXPECT().DetachUserDataDisk().Return(nil)
 				dm.EXPECT().EnsureUserDataDisk().Return(nil)
 
 				command := mocks.NewCommand(ctrl)
 				ncc.EXPECT().CreateWithoutStdio("start", fmt.Sprintf("--name=%s", limaInstanceName),
-					mockBaseYamlFilePath, "--tty=false").Return(command)
+					mockBaseYamlFilePath, "--tty=false", "--set", ".ssh.overVsock=false").Return(command)
 				command.EXPECT().CombinedOutput()
 
 				logger.EXPECT().Info("Initializing and starting Finch virtual machine...")
@@ -269,7 +269,7 @@ func TestInitVMAction_run(t *testing.T) {
 				getVMStatusC.EXPECT().Output().Return([]byte(""), nil)
 				logger.EXPECT().Debugf("Status of virtual machine: %s", "")
 
-				lca.EXPECT().ConfigureDefaultLimaYaml().Return(nil)
+				lca.EXPECT().ConfigureDefaultLimaYaml(logger).Return(nil)
 				lca.EXPECT().ConfigureOverrideLimaYaml().Return(nil)
 
 				logger.EXPECT().Errorf("Dependency error: %v",
@@ -282,7 +282,7 @@ func TestInitVMAction_run(t *testing.T) {
 
 				command := mocks.NewCommand(ctrl)
 				ncc.EXPECT().CreateWithoutStdio("start", fmt.Sprintf("--name=%s", limaInstanceName),
-					mockBaseYamlFilePath, "--tty=false").Return(command)
+					mockBaseYamlFilePath, "--tty=false", "--set", ".ssh.overVsock=false").Return(command)
 				command.EXPECT().CombinedOutput()
 
 				logger.EXPECT().Info("Initializing and starting Finch virtual machine...")
@@ -314,7 +314,7 @@ func TestInitVMAction_run(t *testing.T) {
 				getVMStatusC.EXPECT().Output().Return([]byte(""), nil)
 				logger.EXPECT().Debugf("Status of virtual machine: %s", "")
 
-				lca.EXPECT().ConfigureDefaultLimaYaml().Return(errors.New("load config fails"))
+				lca.EXPECT().ConfigureDefaultLimaYaml(logger).Return(errors.New("load config fails"))
 			},
 		},
 
@@ -336,7 +336,7 @@ func TestInitVMAction_run(t *testing.T) {
 				getVMStatusC.EXPECT().Output().Return([]byte(""), nil)
 				logger.EXPECT().Debugf("Status of virtual machine: %s", "")
 
-				lca.EXPECT().ConfigureDefaultLimaYaml().Return(nil)
+				lca.EXPECT().ConfigureDefaultLimaYaml(logger).Return(nil)
 				lca.EXPECT().ConfigureOverrideLimaYaml().Return(nil)
 				dm.EXPECT().DetachUserDataDisk().Return(nil)
 				dm.EXPECT().EnsureUserDataDisk().Return(nil)
@@ -345,7 +345,7 @@ func TestInitVMAction_run(t *testing.T) {
 				command := mocks.NewCommand(ctrl)
 				command.EXPECT().CombinedOutput().Return(logs, errors.New("failed to init instance"))
 				ncc.EXPECT().CreateWithoutStdio("start", fmt.Sprintf("--name=%s", limaInstanceName),
-					mockBaseYamlFilePath, "--tty=false").Return(command)
+					mockBaseYamlFilePath, "--tty=false", "--set", ".ssh.overVsock=false").Return(command)
 
 				logger.EXPECT().Info("Initializing and starting Finch virtual machine...")
 				logger.EXPECT().SetFormatter(flog.TextWithoutTruncation)
@@ -369,7 +369,7 @@ func TestInitVMAction_run(t *testing.T) {
 			groups := tc.groups(ctrl)
 			tc.mockSvc(ncc, logger, lca, dm, ctrl)
 
-			err := newInitVMAction(ncc, logger, groups, lca, mockBaseYamlFilePath, dm).run()
+			err := newInitVMAction(ncc, logger, groups, lca, mockBaseYamlFilePath, dm, nil).run()
 			assert.Equal(t, err, tc.wantErr)
 		})
 	}

cmd/finch/virtual_machine_test.go

@@ -20,7 +20,7 @@ import (
 func TestVirtualMachineCommand(t *testing.T) {
 	t.Parallel()
 
-	cmd := newVirtualMachineCommand(nil, nil, nil, nil, nil, "", nil, nil)
+	cmd := newVirtualMachineCommand(nil, nil, nil, nil, nil, "", nil, nil, nil)
 	assert.Equal(t, cmd.Use, virtualMachineRootCmd)
 
 	// check the number of subcommand for vm

cmd/finch/virtual_machine_windows.go

@@ -28,6 +28,7 @@ func newVirtualMachineCommand(
 	fp path.Finch,
 	fs afero.Fs,
 	diskManager disk.UserDataDiskManager,
+	finchConfig *config.Finch,
 ) *cobra.Command {
 	virtualMachineCommand := &cobra.Command{
 		Use:   virtualMachineRootCmd,
@@ -40,7 +41,7 @@ func newVirtualMachineCommand(
 		newRemoveVMCommand(limaCmdCreator, diskManager, logger),
 		newStatusVMCommand(limaCmdCreator, logger, os.Stdout),
 		newInitVMCommand(limaCmdCreator, logger, optionalDepGroups, lca, nca, fp.BaseYamlFilePath(), fs,
-			fp.LimaSSHPrivateKeyPath(), diskManager),
+			fp.LimaSSHPrivateKeyPath(), diskManager, finchConfig),
 		newSettingsVMCommand(logger, lca, fs, os.Stdout),
 	)