Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Save Firecracker PID in Jailer's root directory #4442

Merged
merged 7 commits into from Feb 13, 2024
Merged

Save Firecracker PID in Jailer's root directory #4442

merged 7 commits into from Feb 13, 2024

Conversation

sudanl0
Copy link
Contributor

@sudanl0 sudanl0 commented Feb 11, 2024
edited

Changes

  • Always save Firecracker PID in Jailer root directory regardless of whether new_pid-ns flag was set.
  • Modify the CI to kill Firecracker using the PID saved in the file in Jailer's root directory.
  • Add new tests to try all verify the Microvm.kill behaviour is same for all combinations of daemonize/new_pid_ns flags.

Reason

  • There was a change in behaviour introduced in Jailer because of which Firecracker pid will always be different from the Jailer PID. So we need to suggested a reliable workaround to fetch Firecracker PID.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • If a specific issue led to this PR, this PR closes the issue.
  • The description of changes is clear and encompassing.
  • Any required documentation changes (code and docs) are included in this
    PR.
  • API changes follow the Runbook for Firecracker API changes.
  • User-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.
  • New TODOs link to an issue.
  • Commits meet
    contribution quality standards.
  • This functionality cannot be added in rust-vmm.

@codecov Codecov
Copy link

codecov bot commented Feb 11, 2024
edited

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (aa6d25d) 81.39% compared to head (3872d22) 81.39%.

Files Patch % Lines
src/jailer/src/env.rs 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4442      +/-   ##
==========================================
- Coverage   81.39%   81.39%   -0.01%     
==========================================
  Files         243      243              
  Lines       29430    29431       +1     
==========================================
  Hits        23955    23955              
- Misses       5475     5476       +1
Flag Coverage Δ
4.14-c5n.metal 78.67% <0.00%> (-0.01%) ⬇️
4.14-c7g.metal ?
4.14-m5d.metal ?
4.14-m5n.metal 78.66% <0.00%> (-0.01%) ⬇️
4.14-m6a.metal 77.78% <0.00%> (-0.01%) ⬇️
4.14-m6g.metal 76.74% <0.00%> (-0.01%) ⬇️
4.14-m6i.metal 78.65% <0.00%> (-0.01%) ⬇️
4.14-m7g.metal 76.74% <0.00%> (-0.01%) ⬇️
5.10-c5n.metal 81.34% <0.00%> (-0.01%) ⬇️
5.10-c7g.metal ?
5.10-m5d.metal ?
5.10-m5n.metal 81.33% <0.00%> (-0.01%) ⬇️
5.10-m6a.metal 80.55% <0.00%> (-0.01%) ⬇️
5.10-m6g.metal 79.65% <0.00%> (-0.01%) ⬇️
5.10-m6i.metal 81.33% <0.00%> (-0.01%) ⬇️
5.10-m7g.metal 79.65% <0.00%> (-0.01%) ⬇️
6.1-c5n.metal 81.34% <0.00%> (-0.01%) ⬇️
6.1-c7g.metal ?
6.1-m5d.metal ?
6.1-m5n.metal 81.33% <0.00%> (-0.01%) ⬇️
6.1-m6a.metal 80.55% <0.00%> (-0.01%) ⬇️
6.1-m6g.metal 79.65% <0.00%> (-0.01%) ⬇️
6.1-m6i.metal 81.33% <0.00%> (-0.01%) ⬇️
6.1-m7g.metal 79.65% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@sudanl0 sudanl0 force-pushed the jailer_pid branch 6 times, most recently from 9cb5eea to 8b704c0 Compare February 12, 2024 12:13
@sudanl0 sudanl0 changed the title Jailer pid Save Firecracker PID in Jailer's root directory Feb 12, 2024
@sudanl0 sudanl0 marked this pull request as ready for review February 12, 2024 12:19
@sudanl0 sudanl0 force-pushed the jailer_pid branch 3 times, most recently from fd48fc2 to 8bc03e4 Compare February 12, 2024 13:06
@sudanl0 sudanl0 self-assigned this Feb 12, 2024
@sudanl0 sudanl0 added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Feb 12, 2024
@sudanl0 sudanl0 force-pushed the jailer_pid branch 2 times, most recently from d5caba8 to 428cc61 Compare February 12, 2024 14:10
pb8o
pb8o reviewed Feb 12, 2024
View reviewed changes
tests/framework/utils.py Outdated Show resolved Hide resolved
tests/framework/microvm.py Outdated Show resolved Hide resolved
tests/integration_tests/security/test_jail.py Show resolved Hide resolved
CHANGELOG.md Outdated Show resolved Hide resolved
@sudanl0 sudanl0 force-pushed the jailer_pid branch 2 times, most recently from 6464dbb to 178b4b6 Compare February 12, 2024 15:59
@sudanl0 sudanl0 requested a review from pb8o February 12, 2024 16:01
@zulinx86 zulinx86 self-requested a review February 12, 2024 17:03
zulinx86
zulinx86 reviewed Feb 12, 2024
View reviewed changes
docs/jailer.md Outdated Show resolved Hide resolved
CHANGELOG.md Outdated Show resolved Hide resolved
docs/jailer.md Outdated Show resolved Hide resolved
docs/jailer.md Outdated Show resolved Hide resolved
pb8o
pb8o reviewed Feb 12, 2024
View reviewed changes
tests/framework/utils.py Outdated Show resolved Hide resolved
tests/framework/microvm.py Outdated Show resolved Hide resolved
tests/integration_tests/security/test_jail.py Outdated Show resolved Hide resolved
tests/integration_tests/security/test_jail.py Show resolved Hide resolved
@sudanl0 sudanl0 force-pushed the jailer_pid branch 2 times, most recently from 383ae83 to ea58249 Compare February 13, 2024 11:28
@sudanl0
fix: save Firecracker PID in Jailer root directory
d63eb7a 
da92bf6 commit changed behaviour of
the PID returned by the Jailer such that when passing the --daemonize
option to Firecracker without the --new-ns-pid option,
the Firecracker process will have a different PID than the Jailer.
This makes it difficult to find the PID of Firecracker process from
the system so, save the Firecracker PID in Jailer root directory as a
reliable workaround to fetch Firecracker PID.

With this change, Firecracker process's PID will always be available
in Jailer's root directory regardless of whether new_pid_ns was set.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0
tests: always collect Firecracker PID from file
a3bcd1d 
Jailer now saves Firecracker PID in a file in
Jailer's root directory so refactor the code to
read the FC pid always from this file regardless
of whether the new_pid_ns flag was set.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0
refactor: remove usage of _screen_firecracker_pid
6bf4432 
For the case where Jailer is no daemonized but new_pid_ns
flag is set, we won't be able to fetch Firecracker pid from
the screen process and the right way to get Firecracker PID
is by calling Microvm's self.firecracker_pid so,
remove usage _screen_firecracker_pid.

The change to kill screen process if screen_pid is valid is done to
make the next commit more readable.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0
refactor: use common method to kill and detect Firecracker
22b1019 
Since Microvm's self.firecracker_pid is valid in all cases,
use it to kill Firecracker in all cases.
Use screen_pid to identify and kill if screen process was used.
Make the logic, which detect if Firecracker PID was killed,
common for all (daemonize or not) cases.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0 sudanl0 force-pushed the jailer_pid branch 3 times, most recently from 2475af8 to e20053a Compare February 13, 2024 13:05
pb8o
pb8o reviewed Feb 13, 2024
View reviewed changes
docs/jailer.md Show resolved Hide resolved
tests/integration_tests/security/test_jail.py Show resolved Hide resolved
@sudanl0
refactor: explicitly set new_pid_ns wherever required
c30632f 
The code assumed that if daemonize is set to False for the Jailer
then, new_pid_ns should also be set to False.
This assumption makes it difficult to add tests which require
"daemonize=False and new_pid_ns=True".
So remove the assumption and call enable_console() to explicitly
which explicitly explains what functionality is needed.
Note: apart from setting daemonize and new_pid_ns to False,
`help.enable_console()` also appends default boot args to the
vm object but the testing calling enable_console() replace the
boot args while calling basic_config().

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0
tests: test all combinations of daemonize and new_pid_ns
49ab17b 
Microvm kill() has the logic to detect if Firecracker was actually
killed using the PID stored in the Jailers root directory but,
not all combinations of Jailers daemonize/new_pid_ns flags are
tested so add new a test to try all 4 use cases.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
@sudanl0 sudanl0 requested a review from pb8o February 13, 2024 14:40
@sudanl0 sudanl0 force-pushed the jailer_pid branch 2 times, most recently from 080b5de to c2e1ee7 Compare February 13, 2024 14:56
pb8o
pb8o previously approved these changes Feb 13, 2024
View reviewed changes
zulinx86
zulinx86 reviewed Feb 13, 2024
View reviewed changes
docs/jailer.md Outdated Show resolved Hide resolved
@sudanl0
changelog: update Jailer limitations and suggestions
3872d22 
There was a change in behaviour introduced in Jailer because of which
killing the Jailer does not kill the Firecracker process.
Highlight the change in behaviour and suggested workaround in the
CHANGELOG and Jailer doc.

Signed-off-by: Sudan Landge <sudanl@amazon.com>
zulinx86
zulinx86 approved these changes Feb 13, 2024
View reviewed changes
Copy link
Contributor

@zulinx86 zulinx86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for addressing the series of fixes!!

@sudanl0 sudanl0 merged commit 55a7f8b into firecracker-microvm:main Feb 13, 2024
5 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zulinx86 zulinx86 zulinx86 approved these changes

@pb8o pb8o pb8o approved these changes

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx is a code owner

@kalyazin kalyazin Awaiting requested review from kalyazin kalyazin is a code owner

Assignees

@sudanl0 sudanl0

Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sudanl0 @zulinx86 @pb8o