
Add log rotation for swtpm#5838

Merged
eriknordmark merged 4 commits intolf-edge:masterfrom
shjala:vtpm.log.rotate
Apr 25, 2026

Conversation


@shjala shjala commented Apr 21, 2026

Description

This PR adds log rotation for swtpm instances and the necessary build and packaging changes to make sure vtpm unit tests are run in CI.

The swtpm process writes its logs to a FIFO, and a log forwarder reads from that FIFO and writes to a log file on disk. When the log file exceeds 10MB it is automatically rotated and the old copy is compressed with gzip. This prevents swtpm logs from growing without bound on long-running systems. A simpler approach using logrotate was considered first but swtpm never resets its file position after rotation, so it would seek to the last offset and leave the new log file with a large gap of zeros. This could still cause issues with the disk monitoring service.

The vtpm unit tests were never included in the make test target, so they were never picked up by CI either. Commit 688a02c fixes that.

PR dependencies

None

How to test and validate this PR

Manual test

  1. Deploy an Ubuntu VM with a virtual TPM enabled (this is the default).

  2. Inside the VM, generate continuous TPM traffic:

    while true; do tpm2_getcap properties-fixed >/dev/null 2>&1; done
  3. While that loop is running, SSH into the EVE host and inspect the swtpm log directory:

    ls -lh /persist/swtpm/tpm-state-<uuid>/swtpm.log*
  4. Verify:

    • swtpm.log exists and is actively being written to (size and timestamp change).
    • Rotated logs are present (e.g. swtpm.log.1, swtpm.log.2.gz, etc.).
    • The active log file is bounded in size and it never grows indefinitely.
    • Older rotated logs are overwritten on each rotation cycle, not accumulated forever.

Automated test

There is a self-contained test harness. It builds EVE from a PR branch and runs the test automatically:

# as a one-liner (downloads everything to a temp dir, runs the test, reports, cleans up after) or clone https://github.com/shjala/eve-with-a-bullet.git and execute run.sh without `--standalone` arg.
curl -sL https://raw.githubusercontent.com/shjala/eve-with-a-bullet/main/run.sh \
  | bash -s -- --standalone --pr 5838 --test vtpm-log-rotation

The vtpm-log-rotation test:

  1. Launches an swtpm instance through the vtpmd interface (same way we do it for VMs).
  2. Initializes the TPM (CMD_INIT) using the ctrl socket (like what qemu does).
  3. Repeatedly sends CMD_GET_CAPABILITY to generate log output.
  4. Waits until 3 rotated log files appear in the state directory.
  5. Continues spamming for several more rotation cycles, verifying on each iteration that:
    • The rotated log count never exceeds 3.
    • The active log file is truncated on rotation (never grows unbounded).
  6. Reports PASS only if rotation stays correctly bounded through the entire run.

Changelog notes

Add log rotation for swtpm to prevent unbounded log growth.

PR Backports

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

For backport PRs (remove it if it's not a backport):

  • I've added a reference link to the original PR
  • PR's title follows the template

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

Please, check the boxes above after submitting the PR in interactive mode.

@shjala shjala requested a review from eriknordmark as a code owner April 21, 2026 13:06
@shjala shjala added the stable Should be backported to stable release(s) label Apr 21, 2026
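The reason the description gives for not using plain logrotate, reproduced as an added Go example (not code from the PR): a process that keeps its log open without O_APPEND writes at its own file position, so when a rotation truncates the file underneath it, the next write lands at the old offset and the kernel backs the gap with zeros, which is the inflated file a disk-monitoring service would see. The same sequence with O_APPEND shows the behaviour a forwarder that owns the file position relies on. `writeAcrossTruncate` and its arguments are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
)

// writeAcrossTruncate opens path with the given extra flags (0 or os.O_APPEND),
// writes `before` bytes, truncates the file to zero length the way a
// copytruncate-style rotation would behind the writer's back, then writes
// `after` more bytes through the same descriptor. It returns the resulting
// file size and how many leading zero bytes the file now contains.
func writeAcrossTruncate(path string, extraFlags int, before, after int) (size int64, zeros int, err error) {
	w, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC|extraFlags, 0o600)
	if err != nil {
		return 0, 0, err
	}
	defer w.Close()
	if _, err = w.Write(bytes.Repeat([]byte{'x'}, before)); err != nil {
		return 0, 0, err
	}
	if err = os.Truncate(path, 0); err != nil { // the "rotation"
		return 0, 0, err
	}
	if _, err = w.Write(bytes.Repeat([]byte{'y'}, after)); err != nil {
		return 0, 0, err
	}
	data, err := os.ReadFile(path)
	for zeros < len(data) && data[zeros] == 0 {
		zeros++
	}
	return int64(len(data)), zeros, err
}

func main() {
	dir, _ := os.MkdirTemp("", "swtpm-gap")
	// Writer without O_APPEND (the file-position behaviour the description attributes
	// to swtpm): the file ends up before+after bytes long with `before` zeros in front.
	size, zeros, _ := writeAcrossTruncate(dir+"/plain.log", 0, 100, 10)
	fmt.Printf("no O_APPEND: size=%d leading zeros=%d\n", size, zeros)
	// Writer with O_APPEND: every write goes to the current end of file, no hole.
	size, zeros, _ = writeAcrossTruncate(dir+"/append.log", os.O_APPEND, 100, 10)
	fmt.Printf("O_APPEND:    size=%d leading zeros=%d\n", size, zeros)
}
```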

shjala commented Apr 21, 2026

@naiming-zededa could you please review 1e74fd2? I fixed a similar issue for vtpm in this PR, so I added edgeview to this PR too.


codecov Bot commented Apr 21, 2026

Codecov Report

❌ Patch coverage is 45.54455% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.07%. Comparing base (2281599) to head (52a6709).
⚠️ Report is 589 commits behind head on master.

Files with missing lines Patch % Lines
pkg/vtpm/swtpm-vtpm/src/fifolog.go 45.54% 48 Missing and 7 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5838      +/-   ##
==========================================
- Coverage   19.52%   17.07%   -2.46%     
==========================================
  Files          19      478     +459     
  Lines        3021    85863   +82842     
==========================================
+ Hits          590    14659   +14069     
- Misses       2310    69688   +67378     
- Partials      121     1516    +1395     


@eriknordmark eriknordmark added the bug Something isn't working label Apr 21, 2026

@eriknordmark eriknordmark left a comment


Run tests.

Please add text to the "How to test and validate this PR" section in the description


shjala commented Apr 22, 2026

Please add text to the "How to test and validate this PR" section in the description

It is a bit complicated; I'm working on an easy way to test it. I'll add the instructions today.


shjala commented Apr 22, 2026

Please add text to the "How to test and validate this PR" section in the description

@eriknordmark done.


Copilot AI left a comment


Pull request overview

This PR introduces a FIFO-based log forwarder with size-bounded rotation for swtpm logs, and updates build/test plumbing so the vTPM (pkg/vtpm) unit tests are executed by the repository’s main make test target.

Changes:

  • Add a per-instance SWTPM log forwarder that writes FIFO output to swtpm.log and rotates/compresses when it exceeds 10MB.
  • Refactor vTPM runtime state tracking from a PID map to an instances map holding PID + log forwarder, and adjust paths.
  • Add pkg/vtpm test target + Docker test stage; wire pkg/vtpm test into the root make test target.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.

File Description
pkg/vtpm/swtpm-vtpm/src/main.go Introduces per-instance log-forwarder lifecycle and refactors instance tracking/paths.
pkg/vtpm/swtpm-vtpm/src/fifolog.go Adds FIFO reader, log writer, rotation + gzip compression implementation.
pkg/vtpm/swtpm-vtpm/src/vtpm_test.go Updates tests for new paths/behavior and adds backup capability gating + VM-attach simulation.
pkg/vtpm/Makefile Adds a docker-based make test harness for vTPM unit tests with coverage output.
pkg/vtpm/Dockerfile Adds a test build stage used by the new vTPM test harness.
Makefile Runs pkg/vtpm tests under the top-level make test target (and also adds an edgeview test invocation).
Comments suppressed due to low confidence (1)

pkg/vtpm/swtpm-vtpm/src/vtpm_test.go:52

  • TestMain calls m.Run() but does not pass its result to os.Exit. With a custom TestMain, failing tests won’t reliably propagate a non-zero exit status unless os.Exit(m.Run()) is used.
func TestMain(m *testing.M) {
	log = base.NewSourceLogObject(logrus.StandardLogger(), "vtpm", os.Getpid())
	maxPidWaitTime = 15
	maxInstances = 3
	os.MkdirAll(baseDir, 0755)

	stateEncryptionKey = baseDir + "/%s.binkey"
	stateIsEncryptedPath = baseDir + "/%s.encrypted"
	workDir = baseDir + "/tpm-state-%s"
	instanceLogFifoPath = baseDir + "/%s.log.fifo"
	swtpmCtrlSockPath = baseDir + "/%s.ctrl.sock"
	swtpmPidPath = baseDir + "/%s.pid"
	vtpmdCtrlSockPath = baseDir + "/vtpmd.ctrl.sock"

	client = &http.Client{
		Transport: UnixSocketTransport(vtpmdCtrlSockPath),
		Timeout:   60 * time.Second,
	}

	go startServing()
	time.Sleep(1 * time.Second)
	m.Run()
}


@eriknordmark (Contributor)

@shjala makes sense to review the copilot comments. The one about reading from the fifo seems particularly pertinent.


shjala commented Apr 24, 2026

@shjala makes sense to review the copilot comments. The one about reading from the fifo seems particularly pertinent.

Every single copilot review comment, except the typo, was incorrect.

shjala added 2 commits April 24, 2026 09:30
Add logForwarder to handle swtpm log output through a FIFO interface with
automatic rotation and compression when logs exceed 10MB.

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
Update test setup to work with the new changes.

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>

shjala commented Apr 24, 2026

Rebased on master and fixed the merge conflict.

shjala added 2 commits April 24, 2026 11:28
Make sure vtpm unit tests run as part of make test.

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
The edgeview package has unit tests but they were never included
in the make test target, so CI was not running them.

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>

func newLogForwarder(fifoPath, logPath string) (*logForwarder, error) {
	// remove stale FIFO from a previous run, if any
	os.Remove(fifoPath)
Contributor

Wouldn't it be easier to just let swtpm write the log to stdout and capture it from there? Then no code is needed to remove, create, ... this file.

Member Author

well, too late I guess :D

@eriknordmark eriknordmark merged commit 75f17a3 into lf-edge:master Apr 25, 2026
42 of 48 checks passed
@shjala shjala mentioned this pull request Apr 29, 2026

Labels

bug Something isn't working stable Should be backported to stable release(s)
