cellos-supervisor 0.5.0

CellOS execution-cell runner — boots cells in Firecracker microVMs or gVisor, enforces narrow typed authority, emits signed CloudEvents.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

//! Linux-only: optional `unshare(2)`, loopback ioctl for `net`, and cgroup v2 (`CELLOS_SUBPROCESS_UNSHARE`, `CELLOS_CGROUP_PARENT`, `CellHandle.cgroup_path`).

#![cfg(target_os = "linux")]

mod linux {
    use std::fs::File;
    use std::io::Write;
    use std::path::{Path, PathBuf};
    use std::process::Command;

    fn supervisor_exe() -> PathBuf {
        if let Some(p) = std::env::var_os("CARGO_BIN_EXE_cellos_supervisor") {
            return PathBuf::from(p);
        }
        let root = Path::new(env!("CARGO_MANIFEST_DIR"))
            .parent()
            .and_then(|p| p.parent())
            .expect("cellos-supervisor crate under workspace root");
        let profile = std::env::var("PROFILE").unwrap_or_else(|_| "debug".into());
        root.join("target").join(profile).join("cellos-supervisor")
    }

    /// Returns true when the running process can create the full default namespace set.
    ///
    /// `CELLOS_SUBPROCESS_UNSHARE=1` uses CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET.
    /// PID namespaces require CAP_SYS_ADMIN which github-hosted runners may not expose.
    /// Guard the test so it skips rather than fails.
    fn unshare_full_available() -> bool {
        Command::new("unshare")
            .args(["--pid", "--ipc", "--mount", "--net", "--fork", "/bin/true"])
            .status()
            .map(|s| s.success())
            .unwrap_or(false)
    }

    #[test]
    fn supervisor_runs_true_with_default_unshare_stub() {
        if !unshare_full_available() {
            return; // CAP_SYS_ADMIN / PID namespace unavailable (e.g. github-hosted runner)
        }
        let dir = tempfile::tempdir().expect("tempdir");
        let spec_path = dir.path().join("spec.json");
        let json = r#"{"apiVersion":"cellos.io/v1","kind":"ExecutionCell","spec":{"id":"t-unshare","authority":{"secretRefs":[]},"lifetime":{"ttlSeconds":60},"run":{
"secretDelivery": "env","argv":["/usr/bin/true"]}}}"#;
        let mut f = File::create(&spec_path).expect("create spec");
        f.write_all(json.as_bytes()).expect("write spec");
        drop(f);

        let exe = supervisor_exe();
        assert!(
            exe.is_file(),
            "supervisor binary missing at {}",
            exe.display()
        );

        let status = Command::new(exe)
            .env("CELLOS_DEPLOYMENT_PROFILE", "portable")
            .env("CELL_OS_USE_NOOP_SINK", "1")
            .env("CELLOS_CELL_BACKEND", "stub")
            .env("CELLOS_SUBPROCESS_UNSHARE", "1")
            .current_dir(env!("CARGO_MANIFEST_DIR"))
            .arg(&spec_path)
            .status()
            .expect("spawn cellos-supervisor");

        assert!(
            status.success(),
            "supervisor with unshare should run /usr/bin/true: {status:?}"
        );
    }

    /// Stub backend: supervisor creates a cgroup leaf under `CELLOS_CGROUP_PARENT` and writes `cgroup.procs` after spawn.
    /// Requires a **writable** cgroup v2 directory (delegated slice, root, or CI-only path).
    /// Example: `CELLOS_TEST_CGROUP_PARENT=/sys/fs/cgroup/cellos.test cargo test -p cellos-supervisor --test supervisor_linux_unshare -- --ignored`
    #[test]
    #[ignore = "set CELLOS_TEST_CGROUP_PARENT to a writable cgroup v2 directory"]
    fn supervisor_runs_true_with_cgroup_stub_backend() {
        let parent = std::env::var("CELLOS_TEST_CGROUP_PARENT")
            .expect("CELLOS_TEST_CGROUP_PARENT must be set for this test");
        let parent = Path::new(parent.trim());
        assert!(
            parent.is_dir(),
            "CELLOS_TEST_CGROUP_PARENT must exist: {}",
            parent.display()
        );

        let dir = tempfile::tempdir().expect("tempdir");
        let spec_path = dir.path().join("spec.json");
        let json = r#"{"apiVersion":"cellos.io/v1","kind":"ExecutionCell","spec":{"id":"t-cgroup","authority":{"secretRefs":[]},"lifetime":{"ttlSeconds":60},"run":{
"secretDelivery": "env","argv":["/usr/bin/true"]}}}"#;
        let mut f = File::create(&spec_path).expect("create spec");
        f.write_all(json.as_bytes()).expect("write spec");
        drop(f);

        let exe = supervisor_exe();
        let status = Command::new(exe)
            .env("CELLOS_DEPLOYMENT_PROFILE", "portable")
            .env("CELL_OS_USE_NOOP_SINK", "1")
            .env("CELLOS_CELL_BACKEND", "stub")
            .env("CELLOS_CGROUP_PARENT", parent.as_os_str())
            .current_dir(env!("CARGO_MANIFEST_DIR"))
            .arg(&spec_path)
            .status()
            .expect("spawn cellos-supervisor");

        assert!(
            status.success(),
            "supervisor with cgroup should run /usr/bin/true: {status:?}"
        );
    }

    /// Default `ProprietaryCellBackend`: cgroup leaf is created at `create` (`CellHandle.cgroup_path`); supervisor attaches the `spec.run` child after `spawn`.
    #[test]
    #[ignore = "set CELLOS_TEST_CGROUP_PARENT to a writable cgroup v2 directory"]
    fn supervisor_runs_true_with_cgroup_proprietary_backend() {
        let parent = std::env::var("CELLOS_TEST_CGROUP_PARENT")
            .expect("CELLOS_TEST_CGROUP_PARENT must be set for this test");
        let parent = Path::new(parent.trim());
        assert!(
            parent.is_dir(),
            "CELLOS_TEST_CGROUP_PARENT must exist: {}",
            parent.display()
        );

        let dir = tempfile::tempdir().expect("tempdir");
        let spec_path = dir.path().join("spec.json");
        let json = r#"{"apiVersion":"cellos.io/v1","kind":"ExecutionCell","spec":{"id":"t-cg-prop","authority":{"secretRefs":[]},"lifetime":{"ttlSeconds":60},"run":{
"secretDelivery": "env","argv":["/usr/bin/true"]}}}"#;
        let mut f = File::create(&spec_path).expect("create spec");
        f.write_all(json.as_bytes()).expect("write spec");
        drop(f);

        let exe = supervisor_exe();
        let status = Command::new(exe)
            .env("CELLOS_DEPLOYMENT_PROFILE", "portable")
            .env("CELL_OS_USE_NOOP_SINK", "1")
            .env("CELLOS_CGROUP_PARENT", parent.as_os_str())
            .current_dir(env!("CARGO_MANIFEST_DIR"))
            .arg(&spec_path)
            .status()
            .expect("spawn cellos-supervisor");

        assert!(
            status.success(),
            "proprietary backend with cgroup should run /usr/bin/true: {status:?}"
        );
    }
}