Merge branch 'main' into rollup

tests/framework/microvm.py

@@ -420,16 +420,25 @@ def guest_kernel_version(self):
             return None
         return tuple(int(x) for x in splits[1].split("."))
 
+    def get_metrics(self):
+        """Return iterator to metric data points written by FC"""
+        with self.metrics_file.open() as fd:
+            for line in fd:
+                if not line.endswith("}\n"):
+                    LOG.warning("Line is not a proper JSON object. Partial write?")
+                    continue
+                yield json.loads(line)
+
+    def get_all_metrics(self):
+        """Return all metric data points written by FC."""
+        return list(self.get_metrics())
+
     def flush_metrics(self):
         """Flush the microvm metrics and get the latest datapoint"""
         self.api.actions.put(action_type="FlushMetrics")
         # get the latest metrics
         return self.get_all_metrics()[-1]
 
-    def get_all_metrics(self):
-        """Return all metric data points written by FC."""
-        return [json.loads(line) for line in self.metrics_file.read_text().splitlines()]
-
     def create_jailed_resource(self, path):
         """Create a hard link to some resource inside this microvm."""
         return self.jailer.jailed_path(path, create=True)

tests/framework/microvm_helpers.py

@@ -54,7 +54,9 @@ class MicrovmHelpers:
 
     # keep track of assigned subnets
     shared_subnet_ctr = 0
-    _supernet = ipaddress.IPv4Network("10.0.0.0/16")
+    # Try not to collide with anything by using the last /16 of the 10.x.x.x
+    # private block
+    _supernet = ipaddress.IPv4Network("10.255.0.0/16")
     _subnets_gen = _supernet.subnets(new_prefix=30)
 
     def __init__(self, vm):
@@ -110,9 +112,11 @@ def how_to_ssh(self):
         ip = self.vm.iface["eth0"]["iface"].guest_ip
         return f"{self.vm.netns.cmd_prefix()} ssh -o StrictHostKeyChecking=no -i {self.vm.ssh_key} root@{ip}"
 
-    def tmux_ssh(self):
+    def tmux_ssh(self, cmd=""):
         """Open a tmux window with an SSH session to the VM"""
-        return self.tmux_neww(self.how_to_ssh())
+        if len(cmd) > 0:
+            cmd = f" {cmd}"
+        return self.tmux_neww(self.how_to_ssh() + cmd)
 
     def enable_console(self):
         """Helper method to attach a console, before the machine boots"""
@@ -138,9 +142,6 @@ def how_to_docker(self):
 
     def enable_ip_forwarding(self, iface="eth0"):
         """Enables IP forwarding in the guest"""
-        if DOCKER.in_docker:
-            docker_apt_install("iptables")
-
         i = MicrovmHelpers.shared_subnet_ctr
         MicrovmHelpers.shared_subnet_ctr += 1
         netns = self.vm.netns.id

tests/integration_tests/functional/test_rng.py

@@ -16,15 +16,18 @@
 
 
 @pytest.fixture(params=[None])
-def uvm_with_rng(uvm_nano, request):
+def uvm_with_rng(uvm_plain, request):
     """Fixture of a microvm with virtio-rng configured"""
     rate_limiter = request.param
-    uvm_nano.add_net_iface()
-    uvm_nano.api.entropy.put(rate_limiter=rate_limiter)
-    uvm_nano.start()
+    uvm = uvm_plain
+    uvm.spawn(log_level="INFO")
+    uvm.basic_config(vcpu_count=2, mem_size_mib=256)
+    uvm.add_net_iface()
+    uvm.api.entropy.put(rate_limiter=rate_limiter)
+    uvm.start()
     # Just stuff it in the microvm so we can look at it later
-    uvm_nano.rng_rate_limiter = rate_limiter
-    return uvm_nano
+    uvm.rng_rate_limiter = rate_limiter
+    return uvm
 
 
 def test_rng_not_present(uvm_nano):

tests/integration_tests/security/test_custom_seccomp.py

@@ -197,13 +197,15 @@ def test_failing_filter(uvm_plain):
     )
 
     # Check the metrics
-    datapoints = test_microvm.get_all_metrics()
-
+    datapoints = test_microvm.get_metrics()
     num_faults = 0
     for datapoint in datapoints:
         num_faults += datapoint["seccomp"]["num_faults"]
+        # exit early to avoid potentially broken JSON entries in the logs
+        if num_faults > 0:
+            break
 
-    assert num_faults >= 1
+    assert num_faults == 1
 
     # assert that the process was killed
     assert not psutil.pid_exists(test_microvm.firecracker_pid)

tests/integration_tests/security/test_vulnerabilities.py

@@ -353,13 +353,10 @@ def test_spectre_meltdown_checker_on_restored_guest_with_custom_template(
     spectre_meltdown_checker,
     build_microvm_with_custom_template,
     microvm_factory,
-    custom_cpu_template,
 ):
     """
     Test with the spectre / meltdown checker on a restored guest with a custom CPU template.
     """
-    if custom_cpu_template["name"] == "aarch64_with_sve_and_pac":
-        pytest.skip("does not work yet")
     git_ab_test_guest_command_if_pr(
         with_checker(
             with_restore(build_microvm_with_custom_template, microvm_factory),
@@ -518,13 +515,11 @@ def test_vulnerabilities_files_on_restored_guest_with_template(
 
 
 def test_vulnerabilities_files_on_restored_guest_with_custom_template(
-    build_microvm_with_custom_template, microvm_factory, custom_cpu_template
+    build_microvm_with_custom_template, microvm_factory
 ):
     """
     Test vulnerabilities files on a restored guest with a custom CPU template.
     """
-    if custom_cpu_template["name"] == "aarch64_with_sve_and_pac":
-        pytest.skip("does not work yet")
     check_vulnerabilities_files_ab(
         with_restore(build_microvm_with_custom_template, microvm_factory)
     )

tools/devtool

@@ -413,8 +413,11 @@ cmd_help() {
     test_debug [-- [<pytest args>]]
         Run tests in a debugging environment
 
-    test_sandbox
-        Run Firecracker in an IPython REPL
+    sandbox
+        Run Firecracker in an IPython REPL (in devctr)
+
+    sandbox_native
+        Run Firecracker in an IPython REPL (AL2023/Ubuntu)
 
     mkdocs
         Use 'cargo doc' to generate rustdoc documentation
@@ -851,6 +854,26 @@ cmd_sandbox() {
     cmd_sh "tmux new env PYTEST_ADDOPTS=--pdbcls=IPython.terminal.debugger:TerminalPdb PYTHONPATH=tests IPYTHONDIR=\$PWD/.ipython ipython -i ./tools/sandbox.py $@"
 }
 
+cmd_sandbox_native() {
+    cmd_build --release
+
+    source /etc/os-release
+    case $ID-$VERSION_ID in
+        ubuntu-22.04)
+            sudo apt install python3-pip python3.11-dev gcc tmux
+            ;;
+        al2023)
+            sudo yum -y install python3.11-pip python3.11-devel gcc tmux
+            ;;
+    esac
+    python3.11 -m venv sandbox
+    source sandbox/bin/activate
+    pip3.11 install ipython requests requests_unixsocket "urllib3<2" psutil tenacity filelock
+    pip3.11 install packaging pytest
+    ensure_ci_artifacts
+    tmux neww sudo --preserve-env=HOME,PATH,TMUX env PYTHONPATH=tests IPYTHONDIR=\$PWD/.ipython ipython -i ./tools/sandbox.py $@
+}
+
 cmd_test_debug() {
     cmd_sh "tmux new ./tools/test.sh --pdb $@"
 }

tools/sandbox.py

@@ -9,6 +9,7 @@
 """
 
 import argparse
+import json
 import re
 from pathlib import Path
 
@@ -36,12 +37,14 @@ def parse_byte_size(param):
 parser = argparse.ArgumentParser()
 parser.add_argument(
     "--kernel",
+    type=Path,
     choices=kernels,
     default=kernels[-1],
     help=f"Kernel to use. [{kernels[-1]}]",
 )
 parser.add_argument(
     "--rootfs",
+    type=Path,
     choices=rootfs,
     default=rootfs[-1],
     help=f"Rootfs to use. [{rootfs[-1]}]",
@@ -54,6 +57,7 @@ def parse_byte_size(param):
 )
 parser.add_argument("--rootfs-size", type=parse_byte_size, default=1 * 2**30)  # 1GB
 parser.add_argument("--binary-dir", help="Path to the firecracker binaries")
+parser.add_argument("--cpu-template-path", help="CPU template to use", type=Path)
 args = parser.parse_args()
 print(args)
 
@@ -65,13 +69,19 @@ def parse_byte_size(param):
     bins = get_firecracker_binaries()
 
 print("This step may take a while to compile Firecracker ...")
+cpu_template = None
+if args.cpu_template_path is not None:
+    cpu_template = json.loads(args.cpu_template_path.read_text())
 vmfcty = MicroVMFactory(*bins)
 uvm = vmfcty.build(args.kernel, args.rootfs)
 uvm.help.enable_console()
 uvm.help.resize_disk(uvm.rootfs_file, args.rootfs_size)
-uvm.spawn()
+uvm.spawn(log_show_level=True)
 uvm.help.print_log()
 uvm.add_net_iface()
 uvm.basic_config(vcpu_count=args.vcpus, mem_size_mib=args.guest_mem_size // 2**20)
+if cpu_template is not None:
+    uvm.api.cpu_config.put(**cpu_template)
+    print(cpu_template)
 uvm.start()
 uvm.get_all_metrics()