fix: build firecracker-debug with the gdb feature actually enabled #27

Merged
kalyazin merged 1 commit into main from kalyazin/fix-gdb-feature-build
Jun 26, 2026

@kalyazin kalyazin commented Jun 26, 2026

Contributor

Problem

The published firecracker-debug (added in #26) is not actually gdb-enabled. It was built with:

    tools/devtool -y build --release -- --bin firecracker --features gdb

but firecracker's tools/devtool `cmd_build` discards everything after `--` (it does `"--") shift; break` then runs a fixed `tools/release.sh --libc --profile`), and release.sh runs `cargo build --workspace --bins` with no --features. So --features gdb silently never reaches cargo — the "debug" binary has no gdb stub and is byte-for-byte a plain build.

Consequence: Firecracker never binds the gdb socket on resume, so resume-build -gdb cannot attach.

Evidence (same source, three builds)

| build | FIRECRACKER_GDB_SOCKET literal | size |
| --- | --- | --- |
| cargo build --features gdb (direct) | present | larger (+gdbstub) |
| devtool build -- --features gdb (= old build.sh) | absent | 3,566,832 B |
| published firecracker-debug | absent | 3,566,832 B |

The published binary is byte-size identical to a plain (non-gdb) build.

Fix

Enable the feature in a way the unmodified firecracker tooling honors: add gdb to the firecracker crate's default features before the build (devtool/release.sh/cmd_shell all build default features and can't take --features). One line, editing only the throwaway clone — no backup/restore needed since the prod binary is already built and copied above.

Also adds a build-time sanity check that the produced firecracker-debug actually contains the gdb feature (the FIRECRACKER_GDB_SOCKET literal), so a featureless build fails the release loudly instead of shipping silently — the guard that would have caught the original bug.

Verification (no real release)

End-to-end build.sh run for v1.14.1_084e75f / amd64:

| artifact | size | gdb |
| --- | --- | --- |
| firecracker (prod) | 3,566,832 B | no (unchanged) |
| firecracker-debug | 3,713,176 B | yes |
| firecracker-debug.debug | 2,258,360 B | n/a |

The resulting firecracker-debug was then used to drive resume-build -gdb against a real snapshot on a dev node: Firecracker bound the gdb socket, gdb attached, and DWARF source-level symbols resolved.

Follow-up

The currently published firecracker-debug artifacts are still the broken non-gdb binaries — a re-release is needed after this merges. The underlying footgun (devtool/release.sh dropping --features) lives in the firecracker repo and could be fixed there separately.

🤖 Generated with Claude Code

The debug variant was built with

    tools/devtool build --release -- --bin firecracker --features gdb

but devtool's cmd_build discards everything after `--` (it does
`"--") shift; break` then runs a fixed `release.sh --libc --profile`),
and release.sh runs `cargo build --workspace --bins` with no --features.
So --features gdb never reached cargo: the published firecracker-debug had
no gdb stub, was byte-for-byte a plain build, and Firecracker never bound
the gdb socket on resume (resume-build -gdb could not attach).

Enable the feature in a way the plain build honors: temporarily add gdb to
the firecracker crate's default features, build, then restore the manifest.
Add a sanity check that the produced binary actually contains the gdb
feature (the FIRECRACKER_GDB_SOCKET literal), so a non-gdb build fails the
release instead of shipping silently.

Signed-off-by: Nikita Kalyazin <nikita.kalyazin@e2b.dev>
@cla-bot cla-bot Bot added the cla-signed label Jun 26, 2026

cursor Bot commented Jun 26, 2026


PR Summary

Low Risk
Changes only the dev-only debug build path in build.sh; the production firecracker artifact is built and copied before the Cargo.toml edit.

Overview
Fixes firecracker-debug so it is actually compiled with the gdb feature. build.sh no longer passes --features gdb through devtool (those args are dropped); it temporarily sets default = ["gdb"] in the throwaway clone’s src/firecracker/Cargo.toml before the second release build, after the prod firecracker binary is already copied.

Adds a build-time guard that fails if strings on firecracker-debug does not contain FIRECRACKER_GDB_SOCKET, so a gdb-less “debug” binary cannot ship silently.

Reviewed by Cursor Bugbot for commit 10e28a4. Bugbot is set up for automated code reviews on this repo. Configure here.

@kalyazin kalyazin merged commit e574716 into main Jun 26, 2026
7 checks passed
@kalyazin kalyazin deleted the kalyazin/fix-gdb-feature-build branch June 26, 2026 11:38
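
Added example, not code from this PR or from the firecracker repository: a shell sketch of the two mechanisms discussed above, an option loop that drops everything after `--` and a post-build guard that rejects an artifact lacking the `FIRECRACKER_GDB_SOCKET` literal. The function names and sample files are constructed for illustration, and `grep -F` on the raw file stands in for the `strings` check the PR describes.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not taken from build.sh or devtool.

# Miniature of the option loop the PR describes: "--" triggers shift; break,
# and whatever is left in "$@" is never forwarded to the fixed build command.
effective_build_cmd() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
        esac
        shift
    done
    # "$@" may still hold "--features gdb" here; nothing below reads it.
    echo "cargo build --workspace --bins"
}

# Post-build guard: succeed only if the artifact contains the marker literal.
# Uses grep -F on the raw file (assumption) where the PR's guard uses strings.
require_marker() {
    bin=$1
    marker=$2
    if [ ! -s "$bin" ]; then
        echo "guard: $bin is missing or empty" >&2
        return 2
    fi
    if ! LC_ALL=C grep -q -F -- "$marker" "$bin"; then
        echo "guard: $bin does not contain $marker" >&2
        return 1
    fi
    return 0
}

# Constructed sample artifacts: binary-looking files with and without the literal.
make_samples() {
    dir=$1
    printf 'ELF\000\001plain\000build\000' > "$dir/plain"
    printf 'ELF\000\001FIRECRACKER_GDB_SOCKET\000gdbstub\000' > "$dir/debug"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    echo "requested: --release -- --bin firecracker --features gdb"
    echo "effective: $(effective_build_cmd --release -- --bin firecracker --features gdb)"
    for f in plain debug; do
        if require_marker "$tmp/$f" FIRECRACKER_GDB_SOCKET; then echo "$f: ok"; else echo "$f: rejected"; fi
    done
    rm -rf "$tmp"
}
demo
```

The guard returns 1 for a featureless artifact and 2 for a missing or empty one, so a release script can tell a bad build from a broken pipeline.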