166 lines
4.2 KiB
Bash
Executable file
166 lines
4.2 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
log() {
|
|
printf '[spawn] %s\n' "$*"
|
|
}
|
|
|
|
log "starting"
|
|
|
|
DIR="$(pwd)"
|
|
STATE="$DIR/state"
|
|
mkdir -p "$STATE"
|
|
|
|
FC_BIN="$DIR/firecracker"
|
|
KERNEL="$DIR/vmlinux"
|
|
ROOTFS="$DIR/rootfs.ext4"
|
|
SSH_KEY="$DIR/id_ed25519"
|
|
|
|
BR_DEV="br-fc"
|
|
BR_IP="172.16.0.1"
|
|
CIDR="24"
|
|
|
|
VM_ID="$(date +%s)-$$"
|
|
VM_TAG="${VM_ID##*-}"
|
|
VM_DIR="$STATE/vm-$VM_ID"
|
|
mkdir -p "$VM_DIR"
|
|
|
|
API_SOCK="$VM_DIR/firecracker.sock"
|
|
LOG_FILE="$VM_DIR/firecracker.log"
|
|
TAP_DEV="tap-fc-$VM_TAG"
|
|
|
|
# Allocate guest IP
|
|
NEXT_IP_FILE="$STATE/next_ip"
|
|
NEXT_IP="$(cat "$NEXT_IP_FILE" 2>/dev/null || echo 2)"
|
|
GUEST_IP="172.16.0.$NEXT_IP"
|
|
echo "$((NEXT_IP + 1))" > "$NEXT_IP_FILE"
|
|
|
|
log "vm id: $VM_ID"
|
|
log "allocated guest ip: $GUEST_IP"
|
|
|
|
sudo -v
|
|
|
|
FC_USE_SUDO="${FC_USE_SUDO:-1}"
|
|
FC_RUN=("$FC_BIN")
|
|
CURL_CMD=(curl)
|
|
if [[ "$FC_USE_SUDO" == "1" ]]; then
|
|
log "running firecracker with sudo (FC_USE_SUDO=1)"
|
|
FC_RUN=(sudo -E "$FC_BIN")
|
|
CURL_CMD=(sudo -E curl)
|
|
fi
|
|
|
|
if command -v setcap >/dev/null 2>&1; then
|
|
if ! getcap "$FC_BIN" 2>/dev/null | rg -q "cap_net_admin"; then
|
|
log "granting cap_net_admin to firecracker binary"
|
|
sudo setcap cap_net_admin+ep "$FC_BIN"
|
|
fi
|
|
else
|
|
log "setcap not available; firecracker may need root to open TAP"
|
|
fi
|
|
|
|
# Host bridge
|
|
if ! ip link show "$BR_DEV" >/dev/null 2>&1; then
|
|
log "creating host bridge $BR_DEV ($BR_IP/$CIDR)"
|
|
sudo ip link add name "$BR_DEV" type bridge
|
|
sudo ip addr add "${BR_IP}/${CIDR}" dev "$BR_DEV"
|
|
sudo ip link set "$BR_DEV" up
|
|
else
|
|
log "host bridge $BR_DEV already exists"
|
|
# Ensure existing bridge is up in case it was left down.
|
|
sudo ip link set "$BR_DEV" up
|
|
fi
|
|
|
|
# Per-VM TAP
|
|
log "creating tap device $TAP_DEV"
|
|
TAP_USER="${SUDO_UID:-$(id -u)}"
|
|
TAP_GROUP="${SUDO_GID:-$(id -g)}"
|
|
sudo ip tuntap add dev "$TAP_DEV" mode tap user "$TAP_USER" group "$TAP_GROUP"
|
|
sudo ip link set "$TAP_DEV" master "$BR_DEV"
|
|
sudo ip link set "$TAP_DEV" up
|
|
sudo ip link set "$BR_DEV" up
|
|
|
|
# Start Firecracker
|
|
log "starting firecracker process"
|
|
rm -f "$API_SOCK"
|
|
nohup "${FC_RUN[@]}" --api-sock "$API_SOCK" >"$LOG_FILE" 2>&1 &
|
|
FC_PID="$!"
|
|
log "firecracker pid: $FC_PID"
|
|
|
|
# Wait for API socket
|
|
log "waiting for firecracker api socket"
|
|
for _ in $(seq 1 200); do
|
|
[[ -S "$API_SOCK" ]] && break
|
|
sleep 0.02
|
|
done
|
|
[[ -S "$API_SOCK" ]] || { log "firecracker api socket not ready"; exit 1; }
|
|
log "api socket ready"
|
|
|
|
if [[ "$FC_USE_SUDO" == "1" ]]; then
|
|
SUDO_CHILD_PID="$(pgrep -n -f "$API_SOCK" || true)"
|
|
if [[ -n "$SUDO_CHILD_PID" ]]; then
|
|
FC_PID="$SUDO_CHILD_PID"
|
|
log "firecracker child pid: $FC_PID"
|
|
fi
|
|
fi
|
|
echo "$FC_PID" > "$VM_DIR/pid"
|
|
|
|
# Machine config
|
|
log "configuring machine"
|
|
"${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/machine-config \
|
|
-H "Content-Type: application/json" \
|
|
-d '{
|
|
"vcpu_count": 2,
|
|
"mem_size_mib": 1024,
|
|
"smt": false
|
|
}' >/dev/null
|
|
|
|
# Boot source
|
|
log "configuring boot source"
|
|
KCMD="console=ttyS0 reboot=k panic=1 pci=off root=/dev/vda rw ip=${GUEST_IP}::${BR_IP}:255.255.255.0::eth0:off"
|
|
|
|
"${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/boot-source \
|
|
-H "Content-Type: application/json" \
|
|
-d "{
|
|
\"kernel_image_path\": \"$KERNEL\",
|
|
\"boot_args\": \"$KCMD\"
|
|
}" >/dev/null
|
|
|
|
# Root filesystem
|
|
log "attaching root filesystem"
|
|
"${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/drives/rootfs \
|
|
-H "Content-Type: application/json" \
|
|
-d "{
|
|
\"drive_id\": \"rootfs\",
|
|
\"path_on_host\": \"$ROOTFS\",
|
|
\"is_root_device\": true,
|
|
\"is_read_only\": false
|
|
}" >/dev/null
|
|
|
|
# Network interface
|
|
log "configuring network interface"
|
|
"${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/network-interfaces/eth0 \
|
|
-H "Content-Type: application/json" \
|
|
-d "{
|
|
\"iface_id\": \"eth0\",
|
|
\"host_dev_name\": \"$TAP_DEV\"
|
|
}" >/dev/null
|
|
|
|
# Start VM
|
|
log "starting virtual machine"
|
|
"${CURL_CMD[@]}" --unix-socket "$API_SOCK" -X PUT http://localhost/actions \
|
|
-H "Content-Type: application/json" \
|
|
-d '{ "action_type": "InstanceStart" }' >/dev/null
|
|
|
|
cat > "$VM_DIR/info" <<EOF
|
|
vm_id=$VM_ID
|
|
pid=$FC_PID
|
|
guest_ip=$GUEST_IP
|
|
tap=$TAP_DEV
|
|
api_sock=$API_SOCK
|
|
log=$LOG_FILE
|
|
EOF
|
|
|
|
log "vm started successfully"
|
|
log "guest ip: $GUEST_IP"
|
|
log "ssh: ssh -i \"$SSH_KEY\" root@$GUEST_IP"
|
|
log "logs: $LOG_FILE"
|