
Commit 2e0afea

authored
feat(vm): derive guest rootfs from sandbox images (#957)
1 parent 08001ca commit 2e0afea

35 files changed

Lines changed: 3569 additions & 565 deletions


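--- a/.github/workflows/driver-vm-linux.yml
+++ b/.github/workflows/driver-vm-linux.yml
@@ -75,80 +75,22 @@ jobs:
 path: runtime-artifacts/vm-runtime-*.tar.zst
 retention-days: 1
 
-build-rootfs:
-name: Build Rootfs (${{ matrix.arch }})
-strategy:
-matrix:
-include:
-- arch: arm64
-runner: build-arm64
-guest_arch: aarch64
-- arch: amd64
-runner: build-amd64
-guest_arch: x86_64
-runs-on: ${{ matrix.runner }}
-timeout-minutes: 30
-container:
-image: ghcr.io/nvidia/openshell/ci:latest
-credentials:
-username: ${{ github.actor }}
-password: ${{ secrets.GITHUB_TOKEN }}
-options: --privileged
-volumes:
-- /var/run/docker.sock:/var/run/docker.sock
-env:
-MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
-steps:
-- uses: actions/checkout@v4
-with:
-ref: ${{ inputs['checkout-ref'] }}
-
-- name: Mark workspace safe for git
-run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-- name: Log in to GHCR
-run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
-
-- name: Install tools
-run: mise install --locked
-
-- name: Install zstd
-run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
-
-- name: Build base rootfs tarball
-run: |
-set -euo pipefail
-crates/openshell-vm/scripts/build-rootfs.sh \
---base \
---arch ${{ matrix.guest_arch }} \
-target/rootfs-build
-
-mkdir -p target/vm-runtime-compressed
-tar -C target/rootfs-build -cf - . \
-| zstd -19 -T0 -o target/vm-runtime-compressed/rootfs.tar.zst
-
-- name: Upload rootfs artifact
-uses: actions/upload-artifact@v4
-with:
-name: driver-vm-rootfs-${{ matrix.arch }}
-path: target/vm-runtime-compressed/rootfs.tar.zst
-retention-days: 1
-
 build-driver-vm-linux:
 name: Build Driver VM (Linux ${{ matrix.arch }})
-needs: [download-kernel-runtime, build-rootfs]
+needs: [download-kernel-runtime]
 strategy:
 matrix:
 include:
 - arch: arm64
 runner: build-arm64
 target: aarch64-unknown-linux-gnu
 platform: linux-aarch64
+guest_arch: aarch64
 - arch: amd64
 runner: build-amd64
 target: x86_64-unknown-linux-gnu
 platform: linux-x86_64
+guest_arch: x86_64
 runs-on: ${{ matrix.runner }}
 timeout-minutes: 30
 container:
@@ -192,12 +134,6 @@ jobs:
 name: driver-vm-kernel-runtime-tarballs
 path: runtime-download/
 
-- name: Download rootfs tarball
-uses: actions/download-artifact@v4
-with:
-name: driver-vm-rootfs-${{ matrix.arch }}
-path: rootfs-download/
-
 - name: Stage compressed runtime for embedding
 run: |
 set -euo pipefail
@@ -208,16 +144,32 @@ jobs:
 zstd -d "runtime-download/vm-runtime-${{ matrix.platform }}.tar.zst" --stdout \
 | tar -xf - -C "$EXTRACT_DIR"
 
+echo "Extracted runtime files:"
+ls -lah "$EXTRACT_DIR"
+
 for file in "$EXTRACT_DIR"/*; do
 [ -f "$file" ] || continue
 name=$(basename "$file")
 [ "$name" = "provenance.json" ] && continue
 zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
 done
 
-cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
+echo "Staged compressed runtime artifacts:"
 ls -lah "$COMPRESSED_DIR"
 
+- name: Build bundled supervisor
+run: |
+set -euo pipefail
+OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+tasks/scripts/vm/build-supervisor-bundle.sh --arch "${{ matrix.guest_arch }}"
+
+- name: Verify embedded driver inputs
+run: |
+set -euo pipefail
+for file in libkrun.so.zst libkrunfw.so.5.zst gvproxy.zst openshell-sandbox.zst; do
+test -s "target/vm-runtime-compressed/${file}"
+done
+
 - name: Scope workspace to driver-vm crates
 run: |
 set -euo pipefail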
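Review bot: The new `Verify embedded driver inputs` step only asserts that each staged file is non-empty via `test -s`, so a truncated or partially written archive from a failed compression run would still pass and be embedded into the driver binary; adding `zstd -t "target/vm-runtime-compressed/${file}"` inside the same loop would validate each frame before it is baked in. The removed `build-rootfs` job exported `OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}`, whereas the replacement `Build bundled supervisor` step sets only `OPENSHELL_VM_RUNTIME_COMPRESSED_DIR`; if `build-supervisor-bundle.sh` selects the sandbox image by tag, that workflow input appears to be no longer wired into this job — worth confirming. The same unverified staging applies to both `Build bundled supervisor` steps added in release-vm-dev.yml, which gain no verify step at all.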

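--- a/.github/workflows/release-vm-dev.yml
+++ b/.github/workflows/release-vm-dev.yml
@@ -421,7 +421,7 @@ jobs:
 # ---------------------------------------------------------------------------
 build-driver-vm-linux:
 name: Build Driver VM (Linux ${{ matrix.arch }})
-needs: [compute-versions, download-kernel-runtime, build-rootfs]
+needs: [compute-versions, download-kernel-runtime]
 strategy:
 matrix:
 include:
@@ -477,12 +477,6 @@ jobs:
 name: kernel-runtime-tarballs
 path: runtime-download/
 
-- name: Download rootfs tarball
-uses: actions/download-artifact@v4
-with:
-name: rootfs-${{ matrix.arch }}
-path: rootfs-download/
-
 - name: Stage compressed runtime for embedding
 run: |
 set -euo pipefail
@@ -504,12 +498,15 @@ jobs:
 zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
 done
 
-# Copy rootfs tarball (already zstd-compressed)
-cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
-
 echo "Staged compressed artifacts:"
 ls -lah "$COMPRESSED_DIR"
 
+- name: Build bundled supervisor
+run: |
+set -euo pipefail
+OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+tasks/scripts/vm/build-supervisor-bundle.sh --arch "${{ matrix.guest_arch }}"
+
 - name: Scope workspace to driver-vm crates
 run: |
 set -euo pipefail
@@ -551,7 +548,7 @@ jobs:
 # ---------------------------------------------------------------------------
 build-driver-vm-macos:
 name: Build Driver VM (macOS)
-needs: [compute-versions, download-kernel-runtime, build-rootfs]
+needs: [compute-versions, download-kernel-runtime]
 runs-on: build-amd64
 timeout-minutes: 60
 container:
@@ -591,12 +588,6 @@ jobs:
 name: kernel-runtime-tarballs
 path: runtime-download/
 
-- name: Download rootfs tarball (arm64)
-uses: actions/download-artifact@v4
-with:
-name: rootfs-arm64
-path: rootfs-download/
-
 - name: Prepare compressed runtime directory
 run: |
 set -euo pipefail
@@ -619,12 +610,24 @@ jobs:
 zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
 done
 
-# The macOS VM guest is always Linux ARM64, so use the arm64 rootfs
-cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
-
 echo "Staged macOS compressed artifacts:"
 ls -lah "$COMPRESSED_DIR"
 
+- name: Build bundled supervisor
+run: |
+set -euo pipefail
+docker buildx build \
+--file deploy/docker/Dockerfile.images \
+--platform linux/arm64 \
+--build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
+--build-arg OPENSHELL_IMAGE_TAG=dev \
+--target supervisor-output \
+--output type=local,dest=supervisor-out/ \
+.
+
+zstd -19 -T0 -f supervisor-out/openshell-sandbox \
+-o "${PWD}/target/vm-runtime-compressed-macos/openshell-sandbox.zst"
+
 - name: Build macOS binary via Docker (osxcross)
 run: |
 set -euo pipefail
@@ -776,7 +779,7 @@ jobs:
 
 ### VM Compute Driver Binaries
 
-`openshell-driver-vm` binaries with embedded kernel runtime and sandbox rootfs.
+`openshell-driver-vm` binaries with embedded kernel runtime and bundled sandbox supervisor.
 Launched by the gateway when `--drivers=vm` is configured. Rebuilt on every
 push to main alongside the openshell-vm binaries.
 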