pub struct FirecrackerConfig {
    pub binary_path: PathBuf,
    pub kernel_image_path: PathBuf,
    pub rootfs_image_path: PathBuf,
    pub jailer_binary_path: Option<PathBuf>,
    pub chroot_base_dir: PathBuf,
    pub socket_dir: PathBuf,
    pub jailer_uid: u32,
    pub jailer_gid: u32,
    pub scratch_dir: Option<PathBuf>,
    pub manifest_path: Option<PathBuf>,
    pub require_jailer: bool,
    pub allow_no_manifest: bool,
    pub enable_network: bool,
    pub allow_no_vsock: bool,
    pub no_vsock_timeout: Duration,
    pub no_seccomp: bool,
}

Fields
binary_path: PathBuf

kernel_image_path: PathBuf

rootfs_image_path: PathBuf

jailer_binary_path: Option<PathBuf>

chroot_base_dir: PathBuf

socket_dir: PathBuf
Directory for Firecracker API socket files; defaults to /tmp.
Ignored when the jailer is active — the jailer places the API socket
inside the chroot at <chroot_base>/<fc_filename>/<cell_id>/root/run/firecracker.socket.

jailer_uid: u32
Numeric uid the jailer drops to before exec’ing firecracker. Defaults to 10002. This user must exist on the host and must own no sensitive files.

jailer_gid: u32
Numeric gid the jailer drops to before exec’ing firecracker. Defaults to 10002.

scratch_dir: Option<PathBuf>
Directory where per-cell writable scratch ext4 images are created. When set, rootfs is mounted read-only and a writable scratch drive is attached as a second virtio-blk device. When None (default), rootfs is mounted read-write (v0.2 behaviour — not safe for concurrent cells sharing the same rootfs image).

manifest_path: Option<PathBuf>
Path to the artifact manifest file produced by the build pipeline.
When set, create() verifies the SHA256 digest of each declared
artifact (kernel, rootfs, optionally firecracker) before booting the
VM. When None AND allow_no_manifest is true, verification is
skipped with a loud warning — supported for development only.
Otherwise, from_env() rejects the configuration outright.

require_jailer: bool
When true (the default), create() refuses to proceed unless the
jailer binary is configured. Operators may opt out for development
by setting CELLOS_FIRECRACKER_ALLOW_NO_JAILER=1, which logs a loud
warning and downgrades this flag to false.

allow_no_manifest: bool
When true, create() will permit booting a VM without a manifest
(skipping pre-boot artifact digest verification). Defaults to false
— a missing CELLOS_FIRECRACKER_MANIFEST is a hard error. Operators
may opt out for development by setting BOTH
CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST=1 AND the second escape-hatch
flag CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST_REALLY=1; only the
combination flips this flag to true and emits a loud WARN log
containing the literal string MANIFEST VERIFICATION DISABLED.
The two-flag handshake is deliberate. A single env var can be set in a
shared base image, a Helm chart copied between environments, or an
.env file leaking from dev to prod by mistake. Requiring a paired
_REALLY flag forces the operator to make the trade-off explicit on
the same line, in the same operation, so the dev opt-out cannot drift
into a production deployment unnoticed.
It is an error to set both CELLOS_FIRECRACKER_MANIFEST and the
two-flag opt-out — that combination is inconsistent and from_env()
rejects it. Setting CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST=1 without
the paired _REALLY flag (or vice-versa) is also rejected with a
hard error so misconfigured deployments fail closed.
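The fail-closed resolution described above, written out as an added example. This is not the crate's own from_env(); it is illustrative code that reads the environment through a lookup closure so every combination can be tested without touching the process environment. The variable names and the literal MANIFEST VERIFICATION DISABLED string come from the documentation; the ManifestPolicy enum, the lookup_from helper, and the rule that a flag counts as set only when its value is exactly "1" are assumptions made for this example.

```rust
use std::path::PathBuf;

/// How the manifest requirement was resolved. (Type constructed for this example.)
#[derive(Debug, PartialEq)]
pub enum ManifestPolicy {
    /// A manifest path was given; create() must verify artifact digests before boot.
    Verify(PathBuf),
    /// Both escape-hatch flags were set; verification is skipped, with a WARN log.
    Skip,
}

/// Resolve CELLOS_FIRECRACKER_MANIFEST against the two-flag development opt-out.
///
/// Every inconsistent combination is an `Err`, so a deployment that inherits a
/// stray flag from a base image or a copied .env file refuses to start instead
/// of silently skipping verification.
pub fn resolve_manifest_policy<F>(env: F) -> Result<ManifestPolicy, String>
where
    F: Fn(&str) -> Option<String>,
{
    // Assumption: a flag is "set" only when its value is exactly "1".
    let flag = |name: &str| env(name).as_deref() == Some("1");

    let manifest = env("CELLOS_FIRECRACKER_MANIFEST").filter(|v| !v.is_empty());
    let allow = flag("CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST");
    let really = flag("CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST_REALLY");

    match (manifest, allow, really) {
        // Normal production path: a manifest and no opt-out.
        (Some(path), false, false) => Ok(ManifestPolicy::Verify(PathBuf::from(path))),
        // A manifest together with the full opt-out is contradictory: refuse.
        (Some(_), true, true) => Err(
            "CELLOS_FIRECRACKER_MANIFEST is set together with the no-manifest opt-out".into(),
        ),
        // Half of the handshake, with or without a manifest: refuse.
        (_, true, false) => Err(
            "CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST=1 requires CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST_REALLY=1".into(),
        ),
        (_, false, true) => Err(
            "CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST_REALLY=1 requires CELLOS_FIRECRACKER_ALLOW_NO_MANIFEST=1".into(),
        ),
        // Both flags and no manifest: the deliberate development opt-out.
        (None, true, true) => {
            eprintln!("WARN: MANIFEST VERIFICATION DISABLED (development opt-out, both flags set)");
            Ok(ManifestPolicy::Skip)
        }
        // Nothing at all: a missing manifest is a hard error.
        (None, false, false) => Err(
            "CELLOS_FIRECRACKER_MANIFEST is required (or set both no-manifest opt-out flags)".into(),
        ),
    }
}

/// Resolve require_jailer: true unless CELLOS_FIRECRACKER_ALLOW_NO_JAILER=1,
/// which downgrades the requirement and logs a loud warning.
pub fn resolve_require_jailer<F>(env: F) -> bool
where
    F: Fn(&str) -> Option<String>,
{
    if env("CELLOS_FIRECRACKER_ALLOW_NO_JAILER").as_deref() == Some("1") {
        eprintln!("WARN: jailer requirement disabled via CELLOS_FIRECRACKER_ALLOW_NO_JAILER=1 (development only)");
        false
    } else {
        true
    }
}

/// Build a lookup closure from constructed key/value pairs (demo and test input).
pub fn lookup_from<'a>(pairs: &'a [(&'a str, &'a str)]) -> impl Fn(&str) -> Option<String> + 'a {
    move |name| pairs.iter().find(|(k, _)| *k == name).map(|(_, v)| v.to_string())
}

fn main() {
    // Stand-alone run: resolve against the real process environment.
    let env = |name: &str| std::env::var(name).ok();
    println!("require_jailer = {}", resolve_require_jailer(&env));
    match resolve_manifest_policy(&env) {
        Ok(policy) => println!("manifest policy: {:?}", policy),
        Err(e) => {
            eprintln!("configuration rejected: {e}");
            std::process::exit(2);
        }
    }
}
```

The match on the full (manifest, allow, really) triple is the point: the compiler forces every one of the eight combinations to be named, so a new escape hatch cannot be added later without deciding what it means for each existing state.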

enable_network: bool
When true, create() provisions a per-cell TAP interface, attaches it
to the VM as virtio-net, and installs an nftables ruleset that drops
all egress except destinations declared in spec.authority.egressRules.
Linux-only: defaults to true on Linux and false on every other OS
(the ip and nft commands and TAP devices do not exist there).
Override with CELLOS_FIRECRACKER_ENABLE_NETWORK=0|1.

allow_no_vsock: bool
When true, [wait_for_command_exit] uses a short bounded timeout
instead of waiting indefinitely for the in-VM vsock exit code.
Motivation: a kernel built with the wrong vsock symbol
(CONFIG_VIRTIO_VSOCK is a typo for CONFIG_VIRTIO_VSOCKETS) silently
has no vsock device. The supervisor then waits forever for a 4-byte
exit code that no one will ever send, and the only signal the operator
gets is a hung process. Set
CELLOS_FIRECRACKER_ALLOW_NO_VSOCK=1 (and optionally
CELLOS_FIRECRACKER_NO_VSOCK_TIMEOUT_SECS=<n> — default 5) to fail
fast and surface the misconfiguration in seconds.
The terminal state for the cell will be forced (no authenticated
in-VM exit was received), which is the correct audit signal.

no_vsock_timeout: Duration
Wait budget when allow_no_vsock is true. Ignored otherwise.
Default: 5 seconds. Override via
CELLOS_FIRECRACKER_NO_VSOCK_TIMEOUT_SECS.
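The bounded-versus-unbounded wait behind allow_no_vsock and no_vsock_timeout, as an added example rather than the crate's own wait_for_command_exit. An std::sync::mpsc channel stands in for the vsock connection so the code runs offline; the CellTerminalState enum, the little-endian encoding of the 4-byte exit code, and the reason strings are assumptions made for this example. The kernel-without-vsock failure mode is the case where nothing is ever sent: with the flag set the wait expires and the cell is forced to a terminal state, without it the supervisor blocks until the connection closes.

```rust
use std::sync::mpsc::{Receiver, RecvTimeoutError};
use std::time::Duration;

/// Terminal state recorded for a cell. (Type constructed for this example.)
#[derive(Debug, PartialEq)]
pub enum CellTerminalState {
    /// The in-VM side delivered its exit code over vsock.
    Exited(i32),
    /// No authenticated in-VM exit was received; the state was forced.
    Forced { reason: &'static str },
}

/// Wait for the 4-byte exit code the in-VM side sends over vsock.
///
/// `exit_code_rx` stands in for the vsock connection and carries the raw
/// 4-byte payload. With `allow_no_vsock == false` the wait is unbounded (the
/// production path); with it set, the wait is capped at `no_vsock_timeout`
/// and expiry becomes a Forced terminal state instead of a hung supervisor.
pub fn wait_for_command_exit(
    exit_code_rx: &Receiver<[u8; 4]>,
    allow_no_vsock: bool,
    no_vsock_timeout: Duration,
) -> CellTerminalState {
    let received = if allow_no_vsock {
        match exit_code_rx.recv_timeout(no_vsock_timeout) {
            Ok(bytes) => Some(bytes),
            // A kernel with no vsock device never sends anything: fail fast.
            Err(RecvTimeoutError::Timeout) => {
                return CellTerminalState::Forced { reason: "no vsock exit code within timeout" };
            }
            Err(RecvTimeoutError::Disconnected) => None,
        }
    } else {
        // Unbounded wait; only a closed connection ends it without a code.
        exit_code_rx.recv().ok()
    };

    match received {
        // Assumption: the in-VM side encodes the exit code as a little-endian i32.
        Some(bytes) => CellTerminalState::Exited(i32::from_le_bytes(bytes)),
        None => CellTerminalState::Forced { reason: "vsock connection closed before exit code" },
    }
}

fn main() {
    // Stand-alone demo: simulate a kernel with no vsock device and a 1 s budget.
    let (_tx, rx) = std::sync::mpsc::channel::<[u8; 4]>();
    let state = wait_for_command_exit(&rx, true, Duration::from_secs(1));
    println!("terminal state: {state:?}");
}
```

A Forced state is deliberately distinct from Exited(0): the audit trail records that no in-VM exit was authenticated, rather than letting a timeout masquerade as a clean exit.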

no_seccomp: bool
When true, passes --no-seccomp to the Firecracker process.
Firecracker’s seccomp BPF filters are compiled with x86-64 syscall
numbers. Under arm64 emulation (Rosetta/QEMU in Colima) the BPF
program is rejected by the kernel with EINVAL because the syscall
table doesn’t match. Set CELLOS_FIRECRACKER_NO_SECCOMP=1 to bypass
seccomp for emulated development environments.
Never set this in production. Seccomp is a critical attack-surface reduction — bypassing it removes a significant isolation layer.
Implementations

impl FirecrackerConfig
    pub fn from_env() -> Result<Self, CellosError>

Trait Implementations

impl Clone for FirecrackerConfig
    fn clone(&self) -> FirecrackerConfig
    fn clone_from(&mut self, source: &Self)

impl Debug for FirecrackerConfig

impl PartialEq for FirecrackerConfig
    fn eq(&self, other: &FirecrackerConfig) -> bool