Merge branch 'main' into allow-snapshot-tap-changes

CHANGELOG.md

@@ -16,6 +16,9 @@ and this project adheres to
   unnecessary fields (`max_connections` and `max_pending_resets`) from the
   snapshot format, bumping the snapshot version to 5.0.0. Users need to
   regenerate snapshots.
+- [#4926](https://github.com/firecracker-microvm/firecracker/pull/4926): Replace
+  underlying implementation for seccompiler from in house one in favor of
+  `libseccomp` which produces smaller and more optimized BPF code.
 
 ### Deprecated
 
@@ -28,6 +31,10 @@ and this project adheres to
 - [#4916](https://github.com/firecracker-microvm/firecracker/pull/4916): Fixed
   `IovDeque` implementation to work with any host page size. This fixes
   virtio-net device on non 4K host kernels.
+- [#4991](https://github.com/firecracker-microvm/firecracker/pull/4991): Fixed
+  `mem_size_mib` and `track_dirty_pages` being mandatory for all
+  `PATCH /machine-config` requests. Now, they can be omitted which leaves these
+  parts of the machine configuration unchanged.
 
 ## [1.10.1]
 

NOTICE

@@ -5,3 +5,8 @@ SPDX-License-Identifier: Apache-2.0
 Portions Copyright 2017 The Chromium OS Authors. All rights reserved.
 Use of this source code is governed by a BSD-style license that can be
 found in the THIRD-PARTY file.
+
+The Firecracker release bundle includes libseccomp which is available
+under the LGPLv2.1 license. This is used in the Firecracker build process
+to produce cBPF bytecode that is shipped alongside Firecracker for use by
+the Linux kernel.

src/cpu-template-helper/src/main.rs

@@ -161,7 +161,7 @@ fn run(cli: Cli) -> Result<(), HelperError> {
                 let (vmm, vm_resources) = utils::build_microvm_from_config(config, template)?;
 
                 let cpu_template = vm_resources
-                    .vm_config
+                    .machine_config
                     .cpu_template
                     .get_cpu_template()?
                     .into_owned();

src/cpu-template-helper/src/utils/mod.rs

@@ -12,7 +12,7 @@ use std::sync::{Arc, Mutex};
 use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
 use vmm::cpu_config::templates::{CustomCpuTemplate, Numeric};
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::get_empty_filters;
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
 use vmm_sys_util::tempfile::TempFile;

src/firecracker/Cargo.toml

@@ -22,7 +22,6 @@ libc = "0.2.169"
 log-instrument = { path = "../log-instrument", optional = true }
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.217", features = ["derive"] }
 serde_derive = "1.0.136"
 serde_json = "1.0.135"
@@ -42,13 +41,12 @@ serde = { version = "1.0.217", features = ["derive"] }
 userfaultfd = "0.8.1"
 
 [build-dependencies]
-bincode = "1.2.1"
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.217" }
 serde_json = "1.0.135"
 
 [features]
-tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
+tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
 gdb = ["vmm/gdb"]
 
 [lints]

src/firecracker/build.rs

@@ -1,13 +1,8 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::collections::BTreeMap;
-use std::fs::File;
 use std::path::Path;
 
-use seccompiler::common::BpfProgram;
-use seccompiler::compiler::{Compiler, JsonFile};
-
 const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
 
 const JSON_DIR: &str = "../../resources/seccomp";
@@ -44,19 +39,7 @@ fn main() {
     // Also retrigger the build script on any seccompiler source code change.
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
-    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
-    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
-
-    let arch = target_arch.as_str().try_into().expect("Target");
-    let compiler = Compiler::new(arch);
-
-    // transform the IR into a Map of BPFPrograms
-    let bpf_data: BTreeMap<String, BpfProgram> = compiler
-        .compile_blob(filters.0, false)
-        .expect("Successfull compilation");
-
-    // serialize the BPF programs & output them to a file
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    let output_file = File::create(out_path).expect("Create seccompiler output path");
-    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+        .expect("Cannot compile seccomp filters");
 }

src/firecracker/examples/seccomp/jailer.rs

@@ -5,7 +5,7 @@ use std::fs::File;
 use std::os::unix::process::CommandExt;
 use std::process::{Command, Stdio};
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/panic.rs

@@ -3,7 +3,7 @@
 use std::env::args;
 use std::fs::File;
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/uffd/fault_all_handler.rs

@@ -24,6 +24,7 @@ fn main() {
     let (stream, _) = listener.accept().expect("Cannot listen on UDS socket");
 
     let mut runtime = Runtime::new(stream, file);
+    runtime.install_panic_hook();
     runtime.run(|uffd_handler: &mut UffdHandler| {
         // Read an event from the userfaultfd.
         let event = uffd_handler

src/firecracker/examples/uffd/uffd_utils.rs

@@ -208,6 +208,43 @@ impl Runtime {
         }
     }
 
+    fn peer_process_credentials(&self) -> libc::ucred {
+        let mut creds: libc::ucred = libc::ucred {
+            pid: 0,
+            gid: 0,
+            uid: 0,
+        };
+        let mut creds_size = size_of::<libc::ucred>() as u32;
+        let ret = unsafe {
+            libc::getsockopt(
+                self.stream.as_raw_fd(),
+                libc::SOL_SOCKET,
+                libc::SO_PEERCRED,
+                &mut creds as *mut _ as *mut _,
+                &mut creds_size as *mut libc::socklen_t,
+            )
+        };
+        if ret != 0 {
+            panic!("Failed to get peer process credentials");
+        }
+        creds
+    }
+
+    pub fn install_panic_hook(&self) {
+        let peer_creds = self.peer_process_credentials();
+
+        let default_panic_hook = std::panic::take_hook();
+        std::panic::set_hook(Box::new(move |panic_info| {
+            let r = unsafe { libc::kill(peer_creds.pid, libc::SIGKILL) };
+
+            if r != 0 {
+                eprintln!("Failed to kill Firecracker process from panic hook");
+            }
+
+            default_panic_hook(panic_info);
+        }));
+    }
+
     /// Polls the `UnixStream` and UFFD fds in a loop.
     /// When stream is polled, new uffd is retrieved.
     /// When uffd is polled, page fault is handled by

src/firecracker/examples/uffd/valid_handler.rs

@@ -24,6 +24,7 @@ fn main() {
     let (stream, _) = listener.accept().expect("Cannot listen on UDS socket");
 
     let mut runtime = Runtime::new(stream, file);
+    runtime.install_panic_hook();
     runtime.run(|uffd_handler: &mut UffdHandler| {
         // Read an event from the userfaultfd.
         let event = uffd_handler

src/firecracker/src/api_server/mod.rs

@@ -14,13 +14,13 @@ use std::sync::mpsc;
 
 pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
 use parsed_request::{ParsedRequest, RequestAction};
-use seccompiler::BpfProgramRef;
 use serde_json::json;
 use utils::time::{get_time_us, ClockType};
 use vmm::logger::{
     debug, error, info, update_metric_with_elapsed_time, warn, ProcessTimeReporter, METRICS,
 };
 use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
+use vmm::seccomp::BpfProgramRef;
 use vmm::vmm_config::snapshot::SnapshotType;
 use vmm_sys_util::eventfd::EventFd;
 
@@ -78,7 +78,7 @@ impl ApiServer {
         // Load seccomp filters on the API thread.
         // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
         // altogether is the desired behaviour.
-        if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
+        if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
             panic!(
                 "Failed to set the requested seccomp filters on the API thread: {}",
                 err
@@ -208,7 +208,7 @@ mod tests {
     use vmm::builder::StartMicrovmError;
     use vmm::logger::StoreMetric;
     use vmm::rpc_interface::{VmmActionError, VmmData};
-    use vmm::seccomp_filters::get_empty_filters;
+    use vmm::seccomp::get_empty_filters;
     use vmm::vmm_config::instance_info::InstanceInfo;
     use vmm::vmm_config::snapshot::CreateSnapshotParams;
     use vmm_sys_util::tempfile::TempFile;

src/firecracker/src/api_server/parsed_request.rs

@@ -163,8 +163,8 @@ impl ParsedRequest {
                     info!("The request was executed successfully. Status code: 204 No Content.");
                     Response::new(Version::Http11, StatusCode::NoContent)
                 }
-                VmmData::MachineConfiguration(vm_config) => {
-                    Self::success_response_with_data(vm_config)
+                VmmData::MachineConfiguration(machine_config) => {
+                    Self::success_response_with_data(machine_config)
                 }
                 VmmData::MmdsValue(value) => Self::success_response_with_mmds_value(value),
                 VmmData::BalloonConfig(balloon_config) => {

src/firecracker/src/api_server/request/machine_configuration.rs

@@ -31,7 +31,8 @@ pub(crate) fn parse_put_machine_config(body: &Body) -> Result<ParsedRequest, Req
     let config_update = MachineConfigUpdate::from(config);
 
     // Construct the `ParsedRequest` object.
-    let mut parsed_req = ParsedRequest::new_sync(VmmAction::UpdateVmConfiguration(config_update));
+    let mut parsed_req =
+        ParsedRequest::new_sync(VmmAction::UpdateMachineConfiguration(config_update));
     // If `cpu_template` was present, set the deprecation message in `parsing_info`.
     if let Some(msg) = deprecation_message {
         parsed_req.parsing_info().append_deprecation_message(msg);
@@ -60,7 +61,8 @@ pub(crate) fn parse_patch_machine_config(body: &Body) -> Result<ParsedRequest, R
     }
 
     // Construct the `ParsedRequest` object.
-    let mut parsed_req = ParsedRequest::new_sync(VmmAction::UpdateVmConfiguration(config_update));
+    let mut parsed_req =
+        ParsedRequest::new_sync(VmmAction::UpdateMachineConfiguration(config_update));
     // If `cpu_template` was present, set the deprecation message in `parsing_info`.
     if let Some(msg) = deprecation_message {
         parsed_req.parsing_info().append_deprecation_message(msg);
@@ -124,7 +126,7 @@ mod tests {
             };
             assert_eq!(
                 vmm_action_from_request(parse_put_machine_config(&Body::new(body)).unwrap()),
-                VmmAction::UpdateVmConfiguration(expected_config)
+                VmmAction::UpdateMachineConfiguration(expected_config)
             );
         }
 
@@ -143,7 +145,7 @@ mod tests {
         };
         assert_eq!(
             vmm_action_from_request(parse_put_machine_config(&Body::new(body)).unwrap()),
-            VmmAction::UpdateVmConfiguration(expected_config)
+            VmmAction::UpdateMachineConfiguration(expected_config)
         );
 
         let body = r#"{
@@ -162,7 +164,7 @@ mod tests {
         };
         assert_eq!(
             vmm_action_from_request(parse_put_machine_config(&Body::new(body)).unwrap()),
-            VmmAction::UpdateVmConfiguration(expected_config)
+            VmmAction::UpdateMachineConfiguration(expected_config)
         );
 
         // 4. Test that applying a CPU template is successful on x86_64 while on aarch64, it is not.
@@ -185,7 +187,7 @@ mod tests {
             };
             assert_eq!(
                 vmm_action_from_request(parse_put_machine_config(&Body::new(body)).unwrap()),
-                VmmAction::UpdateVmConfiguration(expected_config)
+                VmmAction::UpdateMachineConfiguration(expected_config)
             );
         }
         #[cfg(target_arch = "aarch64")]
@@ -210,7 +212,7 @@ mod tests {
         };
         assert_eq!(
             vmm_action_from_request(parse_put_machine_config(&Body::new(body)).unwrap()),
-            VmmAction::UpdateVmConfiguration(expected_config)
+            VmmAction::UpdateMachineConfiguration(expected_config)
         );
 
         // 6. Test nonsense values for huge page size

src/firecracker/src/api_server_adapter.rs

@@ -8,13 +8,13 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use seccompiler::BpfThreadMap;
 use vmm::logger::{error, warn, ProcessTimeReporter};
 use vmm::resources::VmResources;
 use vmm::rpc_interface::{
     ApiRequest, ApiResponse, BuildMicrovmFromRequestsError, PrebootApiController,
     RuntimeApiController, VmmAction,
 };
+use vmm::seccomp::BpfThreadMap;
 use vmm::vmm_config::instance_info::InstanceInfo;
 use vmm::{EventManager, FcExitCode, Vmm};
 use vmm_sys_util::epoll::EventSet;

src/firecracker/src/main.rs

@@ -17,7 +17,6 @@ use std::{io, panic};
 use api_server_adapter::ApiServerError;
 use event_manager::SubscriberOps;
 use seccomp::FilterError;
-use seccompiler::BpfThreadMap;
 use utils::arg_parser::{ArgParser, Argument};
 use utils::validators::validate_instance_id;
 use vmm::arch::host_page_size;
@@ -27,6 +26,7 @@ use vmm::logger::{
 };
 use vmm::persist::SNAPSHOT_VERSION;
 use vmm::resources::VmResources;
+use vmm::seccomp::BpfThreadMap;
 use vmm::signal_handler::register_signal_handlers;
 use vmm::snapshot::{Snapshot, SnapshotError};
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};

src/firecracker/src/seccomp.rs

@@ -5,8 +5,7 @@ use std::fs::File;
 use std::io::{BufReader, Read};
 use std::path::Path;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::{deserialize_binary, get_empty_filters, BpfThreadMap, DeserializationError};
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -118,7 +117,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 mod tests {
     use std::sync::Arc;
 
-    use seccompiler::BpfThreadMap;
+    use vmm::seccomp::BpfThreadMap;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;