Merge pull request #21 from stacklok/feat/userns-support

Enable user namespace for runner to fix virtiofs EPERM

Author: JAORMX

.github/workflows/build.yml

@@ -9,6 +9,9 @@ on:
 permissions:
   contents: read
 
+env:
+  GOPRIVATE: github.com/stacklok/*
+
 jobs:
   build:
     name: Build and Test
@@ -23,6 +26,10 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
+      - name: Configure Git for private modules
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GO_MODULE_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install Task
         uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
         with:

.github/workflows/lint.yml

@@ -9,6 +9,9 @@ on:
 permissions:
   contents: read
 
+env:
+  GOPRIVATE: github.com/stacklok/*
+
 jobs:
   lint:
     name: Lint
@@ -22,6 +25,10 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
+      - name: Configure Git for private modules
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GO_MODULE_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install Task
         uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
         with:

.github/workflows/release.yml

@@ -10,6 +10,9 @@ on:
 
 permissions: {}
 
+env:
+  GOPRIVATE: github.com/stacklok/*
+
 jobs:
   release:
     name: Release Container
@@ -24,19 +27,16 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Checkout propolis (sibling dependency)
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-        with:
-          repository: stacklok/propolis
-          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
-          path: ../propolis
-
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: 'go.mod'
           cache: true
 
+      - name: Configure Git for private modules
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GO_MODULE_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install Task
         uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
         with:

.github/workflows/run-on-main.yml

@@ -15,9 +15,12 @@ jobs:
   linting:
     name: Linting
     uses: ./.github/workflows/lint.yml
+    secrets: inherit
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
+    secrets: inherit
   build:
     name: Build
     uses: ./.github/workflows/build.yml
+    secrets: inherit

.github/workflows/run-on-pr.yml

@@ -14,6 +14,8 @@ jobs:
   linting:
     name: Linting
     uses: ./.github/workflows/lint.yml
+    secrets: inherit
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
+    secrets: inherit

.github/workflows/test.yml

@@ -9,6 +9,9 @@ on:
 permissions:
   contents: read
 
+env:
+  GOPRIVATE: github.com/stacklok/*
+
 jobs:
   test:
     name: Test
@@ -22,6 +25,10 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
+      - name: Configure Git for private modules
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GO_MODULE_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
       - name: Install Task
         uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
         with:

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/adrg/xdg v0.5.3
 	github.com/google/uuid v1.6.0
 	github.com/mark3labs/mcp-go v0.44.0
-	github.com/stacklok/propolis v0.0.16
+	github.com/stacklok/propolis v0.0.18
 )
 
 require (
@@ -63,9 +63,9 @@ require (
 	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/time v0.5.0 // indirect

go.sum

@@ -130,8 +130,8 @@ github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/stacklok/propolis v0.0.16 h1:dC/knkrY7e6XpsWxmxtxBnAgRw+Lvbw4TJyM9lMYjOM=
-github.com/stacklok/propolis v0.0.16/go.mod h1:f0k7aMlo4EC6BhFMWasYs/RJTHc2Qb37bZu5GJvuJU0=
+github.com/stacklok/propolis v0.0.18 h1:WzAqNAg2sSd7q6bJZUfEMilkzy8q/R7Ii7VtlM29dAE=
+github.com/stacklok/propolis v0.0.18/go.mod h1:C727m7ggN78TJ0vok+68e+YKnZMlm1L4GlY63P4IReA=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
@@ -170,16 +170,16 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
@@ -189,11 +189,11 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=

pkg/infra/vm/propolis.go

@@ -256,6 +256,10 @@ func (p *PropolisProvider) buildBackendOpts(opts CreateVMOpts) []libkrun.Option
 	if runtimeSrc != nil || firmwareSrc != nil {
 		out = append(out, libkrun.WithCacheDir(cacheDir))
 	}
+	// Spawn the runner in a user namespace so libkrun's virtiofs passthrough
+	// gains CAP_SETGID within the namespace. Without this, set_creds() fails
+	// with EPERM when host GID != guest GID.
+	out = append(out, libkrun.WithUserNamespaceUID(1000, 1000))
 	return out
 }
 

pkg/infra/vm/propolis_test.go

@@ -63,129 +63,6 @@ func TestNewPropolisProvider(t *testing.T) {
 	})
 }
 
-// TestBuildBackendOpts verifies the merging logic in buildBackendOpts.
-// Since libkrun.Option is an opaque func type, we assert on option count
-// to verify which branches were taken. Each configuration produces a
-// unique count.
-func TestBuildBackendOpts(t *testing.T) {
-	t.Parallel()
-
-	rtSrc := extract.Dir(t.TempDir())
-	fwSrc := extract.Dir(t.TempDir())
-	altSrc := extract.Dir(t.TempDir())
-
-	tests := []struct {
-		name      string
-		provider  *PropolisProvider
-		opts      CreateVMOpts
-		wantCount int
-	}{
-		{
-			name:      "no sources no paths",
-			provider:  NewPropolisProvider(),
-			opts:      CreateVMOpts{DataDir: "/tmp"},
-			wantCount: 0,
-		},
-		{
-			name:     "runner path only",
-			provider: NewPropolisProvider(),
-			opts: CreateVMOpts{
-				RunnerPath: "/usr/bin/propolis-runner",
-				DataDir:    "/tmp",
-			},
-			wantCount: 1,
-		},
-		{
-			name:     "runner path and lib dir",
-			provider: NewPropolisProvider(),
-			opts: CreateVMOpts{
-				RunnerPath: "/usr/bin/propolis-runner",
-				LibDir:     "/usr/lib",
-				DataDir:    "/tmp",
-			},
-			wantCount: 2,
-		},
-		{
-			name:     "provider runtime source only",
-			provider: NewPropolisProvider(WithRuntimeSource(rtSrc)),
-			opts:     CreateVMOpts{DataDir: "/tmp"},
-			// WithRuntime + WithCacheDir = 2
-			wantCount: 2,
-		},
-		{
-			name:     "provider firmware source only",
-			provider: NewPropolisProvider(WithFirmwareSource(fwSrc)),
-			opts:     CreateVMOpts{DataDir: "/tmp"},
-			// WithFirmware + WithCacheDir = 2
-			wantCount: 2,
-		},
-		{
-			name: "provider both sources",
-			provider: NewPropolisProvider(
-				WithRuntimeSource(rtSrc),
-				WithFirmwareSource(fwSrc),
-			),
-			opts: CreateVMOpts{DataDir: "/tmp"},
-			// WithRuntime + WithFirmware + WithCacheDir = 3
-			wantCount: 3,
-		},
-		{
-			name:     "runtime source suppresses runner path and lib dir",
-			provider: NewPropolisProvider(WithRuntimeSource(rtSrc)),
-			opts: CreateVMOpts{
-				RunnerPath: "/usr/bin/propolis-runner",
-				LibDir:     "/usr/lib",
-				DataDir:    "/tmp",
-			},
-			// WithRuntime + WithCacheDir = 2 (RunnerPath/LibDir ignored)
-			wantCount: 2,
-		},
-		{
-			name:     "per-call runtime source overrides provider",
-			provider: NewPropolisProvider(WithRuntimeSource(rtSrc)),
-			opts: CreateVMOpts{
-				RuntimeSource: altSrc,
-				DataDir:       "/tmp",
-			},
-			// WithRuntime(altSrc) + WithCacheDir = 2
-			wantCount: 2,
-		},
-		{
-			name:     "per-call firmware source overrides provider",
-			provider: NewPropolisProvider(WithFirmwareSource(fwSrc)),
-			opts: CreateVMOpts{
-				FirmwareSource: altSrc,
-				DataDir:        "/tmp",
-			},
-			// WithFirmware(altSrc) + WithCacheDir = 2
-			wantCount: 2,
-		},
-		{
-			name: "explicit cache dir used over data dir",
-			provider: NewPropolisProvider(
-				WithRuntimeSource(rtSrc),
-				WithFirmwareSource(fwSrc),
-			),
-			opts: CreateVMOpts{
-				DataDir:  "/tmp/data",
-				CacheDir: "/tmp/cache",
-			},
-			// WithRuntime + WithFirmware + WithCacheDir = 3
-			wantCount: 3,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			got := tt.provider.buildBackendOpts(tt.opts)
-			if len(got) != tt.wantCount {
-				t.Errorf("buildBackendOpts returned %d options, want %d", len(got), tt.wantCount)
-			}
-		})
-	}
-}
-
 func TestInitInjector(t *testing.T) {
 	t.Parallel()