On Sat, Mar 4, 2023 at 12:41 PM David Michael <fedora.dm0(a)gmail.com> wrote:
Hi,
Firecracker[0] is a minimal virtual machine manager (a la QEMU)
written in Rust that uses KVM to start Linux VMs extremely quickly and
securely. It is used by AWS Lambda and Fargate among other things to
make VM startup time comparable to containers. I've built it for
Fedora x86_64 and shared it in a Copr repository[1] which includes
some example commands for starting VMs.
Making it build for Fedora required changes across a few components,
so I'm writing to ask if this is acceptable for inclusion in Fedora.
The Copr specs are all dumped in a Git repository[2] for readability.
Changes include:
- The musl package adds /usr paths for compatibility with the
compiler --sysroot option.
As the musl package maintainer, I don't particularly want Fedora
packages depending on it unless they absolutely have to. I originally
maintained it in Copr, but brought it into Fedora for the Enarx folks.
I still maintain that generally you don't want to use this unless you
*really* know what you're doing and can deal with the consequences of
using an alternative libc.
That said, the changes you make are not currently compatible with the
packaging guidelines. Can't you just use --prefix /usr/<target>
instead?
- The rust compiler adds musl target subpackages.
This will require discussion with the Fedora Rust SIG.
- The kernel must set CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y to be
usable as a guest.
This will require talking to the kernel maintainers to add the flag.
- About two dozen Rust crates must be added to Fedora (but a
handful
are just new versions of existing packages).
- Unrelated, but in the Copr repo anyway: The musl package is fixed
to allow multilib installs, and Rust includes both 32- and 64-bit
targets.
I used upstream-preferred settings when adding things, but they may be
in conflict with Fedora guidelines. Here are some concerns:
- Firecracker can be built with Fedora's libc (glibc), but it is
officially unsupported upstream[3]. Functionality would be harmed by
not using musl, e.g. seccomp filters are not used.
Why not drive this to be fixed upstream? Also, openSUSE builds
Firecracker against glibc and I see the seccomp stuff is also produced
and shipped[1]. I am not sure whether this means openSUSE's package is
broken or something else.
[1]:
https://code.opensuse.org/package/firecracker/blob/master/f/firecracker.spec
- Upstream Rust wants musl targets to be statically linked by
default[4]. It can be changed by patching (Gentoo does this) if
dynamic linking is still a priority with Rust binaries, but I haven't
tested that.
As in musl is statically linked into the binaries? Or the Rust code is
statically linked. The former is not okay, the latter is what we do
already.
- Firecracker uses two crates forked from crates.io, but they are
not vendored/bundled nor published to a registry. I'm currently
manually bundling them as if they were vendored to avoid package name
conflicts since nothing else uses them, but I don't know the preferred
way to deal with those.
That's probably the right way to deal with it.
So does any of that sound like a showstopper for being included in
Fedora? Is there any other interest in the project from the
community?
It'd be interesting to have in Fedora, for sure, but this should be
done as an opportunity to bring our integration concerns upstream.
--
真実はいつも一つ!/ Always, there's only one truth!