cellos-supervisor 0.5.1

CellOS execution-cell runner — boots cells in Firecracker microVMs or gVisor, enforces narrow typed authority, emits signed CloudEvents.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300

//! Helpers that translate `spec.run.limits` into cgroup v2 controller-file payloads.
//!
//! **Doctrine — D1 (no ambient defaults):**
//! - `spec.run.limits.cpuMax` is the **primary** source for the cgroup `cpu.max`
//!   controller value applied to the host-subprocess backend.
//! - `CELLOS_CGROUP_CPU_MAX` is an **explicit** operator override. It only
//!   applies when the spec did **not** set `cpuMax`. Setting the env var alone
//!   is *not* a default — operators opt in by exporting it.
//!
//! These helpers are pure (no I/O, no `std::env::var` reads at the call sites
//! that exercise them in unit tests) so the resolution + normalization rules
//! can be tested directly without a real cgroup v2 hierarchy. The actual file
//! write is performed by `supervisor::linux_cgroup_write_optional_controller_files`.
//!
//! These helpers are platform-agnostic at the type level — they operate on
//! strings — but only the Linux subprocess path consumes their output.

use cellos_core::types::RunLimits;

/// Default cgroup v2 CPU period when the spec omits `periodMicros`. Matches the
/// schema description (`Defaults to 100000 when omitted by the runtime.`) and
/// the kernel default for `cpu.max`.
pub const DEFAULT_CPU_PERIOD_MICROS: u64 = 100_000;

/// Resolve the `cpu.max` payload for the host-subprocess cgroup leaf.
///
/// Resolution order (highest priority first):
/// 1. `spec.run.limits.cpuMax` — typed source of truth from the contract.
/// 2. `env_cpu_max` — operator-supplied `CELLOS_CGROUP_CPU_MAX` override; used
///    only when the spec is silent. The caller passes the env value verbatim
///    (or `None` when unset / empty); validation/normalization happens here.
///
/// Returns `Some(payload)` when a value should be written to the leaf's
/// `cpu.max` file (without a trailing newline; the writer adds one). Returns
/// `None` when neither source produced an applicable value, or when the env
/// override was syntactically invalid (caller should warn — see
/// `cpu_max_env_validation_error` for the diagnostic string).
///
/// Accepted env-override syntaxes (per cgroup v2 `cpu.max`):
/// - `max`                              → `"max 100000"`
/// - `max <period>`                     → `"max <period>"`
/// - `<quota>`                          → `"<quota> 100000"`
/// - `<quota> <period>`                 → `"<quota> <period>"`
///
/// Whitespace is collapsed; `quota` and `period` must parse as `u64` and be
/// `>= 1` (cgroup v2 rejects 0). Anything else returns `None` here and the
/// caller is expected to log a warning.
pub fn cpu_max_to_write(
    spec_limits: Option<&RunLimits>,
    env_cpu_max: Option<&str>,
) -> Option<String> {
    // Spec wins.
    if let Some(cpu) = spec_limits.and_then(|l| l.cpu_max.as_ref()) {
        if cpu.quota_micros == 0 {
            // Spec validation should have rejected this; defend in depth.
            return None;
        }
        let period = cpu
            .period_micros
            .unwrap_or(DEFAULT_CPU_PERIOD_MICROS)
            .max(1);
        let quota = cpu.quota_micros;
        return Some(format!("{quota} {period}"));
    }
    // Fall back to explicit env override.
    let raw = env_cpu_max?.trim();
    if raw.is_empty() {
        return None;
    }
    normalize_env_cpu_max(raw)
}

/// Validate + normalize `CELLOS_CGROUP_CPU_MAX` into the cgroup v2 wire format.
///
/// Returns `None` for syntactically invalid input — the caller should warn.
fn normalize_env_cpu_max(raw: &str) -> Option<String> {
    let mut parts = raw.split_ascii_whitespace();
    let first = parts.next()?;
    let second = parts.next();
    if parts.next().is_some() {
        return None; // too many tokens
    }
    let quota = match first {
        "max" => "max".to_string(),
        n => {
            let v: u64 = n.parse().ok()?;
            if v == 0 {
                return None;
            }
            v.to_string()
        }
    };
    let period: u64 = match second {
        Some(p) => {
            let v: u64 = p.parse().ok()?;
            if v == 0 {
                return None;
            }
            v
        }
        None => DEFAULT_CPU_PERIOD_MICROS,
    };
    Some(format!("{quota} {period}"))
}

/// Whether the env override produced an unusable value. Useful for the
/// supervisor's warn log when the spec is silent and the env value is
/// malformed.
pub fn cpu_max_env_validation_error(env_cpu_max: Option<&str>) -> Option<&'static str> {
    let raw = env_cpu_max?.trim();
    if raw.is_empty() {
        return None;
    }
    if normalize_env_cpu_max(raw).is_none() {
        Some("expected `max`, `<quota_micros>`, `max <period_micros>`, or `<quota_micros> <period_micros>` (each integer >= 1)")
    } else {
        None
    }
}

/// Outcome of [`apply_cpu_max_to_leaf`] — useful for tests and structured logs.
#[derive(Debug, PartialEq, Eq)]
pub enum CpuMaxApplyOutcome {
    /// `cpu.max` was written. Carries the source label and the exact payload
    /// (without trailing newline) that hit the file.
    Wrote {
        /// Which input produced the payload (spec vs. env override).
        source: CpuMaxSource,
        /// The exact `cpu.max` payload written (no trailing newline).
        payload: String,
    },
    /// No applicable input — spec silent and env unset/empty.
    Skipped,
    /// Spec silent and env override was malformed; caller should warn.
    InvalidEnvOverride,
    /// Write failed (permissions, controller not delegated, etc.). Carries a
    /// human-readable diagnostic.
    WriteError(String),
}

/// Which source produced the `cpu.max` payload.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum CpuMaxSource {
    /// Value came from `spec.run.limits.cpuMax`.
    Spec,
    /// Value came from `CELLOS_CGROUP_CPU_MAX`.
    EnvOverride,
}

/// Apply the resolved `cpu.max` payload to `<leaf>/cpu.max`, if any.
///
/// This is the side-effecting wrapper used by the host-subprocess backend; it
/// is intentionally separated from [`cpu_max_to_write`] so the resolution
/// rules stay testable on every platform while the file write is exercised by
/// Linux-only integration tests.
///
/// The function never panics. Callers translate the returned outcome into
/// `tracing::warn!` events with their own structured fields.
pub fn apply_cpu_max_to_leaf(
    leaf: &std::path::Path,
    spec_limits: Option<&RunLimits>,
    env_cpu_max: Option<&str>,
) -> CpuMaxApplyOutcome {
    if let Some(payload) = cpu_max_to_write(spec_limits, env_cpu_max) {
        let source = if spec_limits.and_then(|l| l.cpu_max.as_ref()).is_some() {
            CpuMaxSource::Spec
        } else {
            CpuMaxSource::EnvOverride
        };
        let target = leaf.join("cpu.max");
        match std::fs::write(&target, format!("{payload}\n")) {
            Ok(()) => CpuMaxApplyOutcome::Wrote { source, payload },
            Err(e) => CpuMaxApplyOutcome::WriteError(format!("{}: {e}", target.display())),
        }
    } else if spec_limits.and_then(|l| l.cpu_max.as_ref()).is_none()
        && cpu_max_env_validation_error(env_cpu_max).is_some()
    {
        CpuMaxApplyOutcome::InvalidEnvOverride
    } else {
        CpuMaxApplyOutcome::Skipped
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use cellos_core::types::{RunCpuMax, RunLimits};

    fn limits_with_cpu(quota: u64, period: Option<u64>) -> RunLimits {
        RunLimits {
            memory_max_bytes: None,
            cpu_max: Some(RunCpuMax {
                quota_micros: quota,
                period_micros: period,
            }),
            graceful_shutdown_seconds: None,
        }
    }

    #[test]
    fn spec_with_quota_and_period_wins() {
        let l = limits_with_cpu(50_000, Some(100_000));
        assert_eq!(
            cpu_max_to_write(Some(&l), Some("max 200000")),
            Some("50000 100000".to_string())
        );
    }

    #[test]
    fn spec_quota_only_uses_default_period() {
        let l = limits_with_cpu(75_000, None);
        assert_eq!(
            cpu_max_to_write(Some(&l), None),
            Some("75000 100000".to_string())
        );
    }

    #[test]
    fn spec_quota_zero_returns_none_defense_in_depth() {
        let l = limits_with_cpu(0, None);
        assert_eq!(cpu_max_to_write(Some(&l), Some("50000 100000")), None);
    }

    #[test]
    fn env_override_used_when_spec_absent() {
        assert_eq!(
            cpu_max_to_write(None, Some("50000 100000")),
            Some("50000 100000".to_string())
        );
    }

    #[test]
    fn env_max_alone_normalizes_with_default_period() {
        assert_eq!(
            cpu_max_to_write(None, Some("max")),
            Some("max 100000".to_string())
        );
    }

    #[test]
    fn env_max_with_period() {
        assert_eq!(
            cpu_max_to_write(None, Some("max 200000")),
            Some("max 200000".to_string())
        );
    }

    #[test]
    fn env_quota_alone_uses_default_period() {
        assert_eq!(
            cpu_max_to_write(None, Some("25000")),
            Some("25000 100000".to_string())
        );
    }

    #[test]
    fn env_whitespace_collapsed() {
        assert_eq!(
            cpu_max_to_write(None, Some("  50000\t  100000  ")),
            Some("50000 100000".to_string())
        );
    }

    #[test]
    fn env_invalid_returns_none() {
        assert_eq!(cpu_max_to_write(None, Some("not-a-number")), None);
        assert_eq!(cpu_max_to_write(None, Some("0 100000")), None);
        assert_eq!(cpu_max_to_write(None, Some("50000 0")), None);
        assert_eq!(cpu_max_to_write(None, Some("50000 100000 200000")), None);
        assert_eq!(cpu_max_to_write(None, Some("-50000")), None);
    }

    #[test]
    fn env_empty_treated_as_unset() {
        assert_eq!(cpu_max_to_write(None, Some("")), None);
        assert_eq!(cpu_max_to_write(None, Some("   ")), None);
        assert_eq!(cpu_max_to_write(None, None), None);
    }

    #[test]
    fn env_validation_error_diagnostic() {
        assert!(cpu_max_env_validation_error(Some("not-a-number")).is_some());
        assert!(cpu_max_env_validation_error(Some("0")).is_some());
        assert!(cpu_max_env_validation_error(Some("50000 100000")).is_none());
        assert!(cpu_max_env_validation_error(Some("max")).is_none());
        assert!(cpu_max_env_validation_error(None).is_none());
        assert!(cpu_max_env_validation_error(Some("")).is_none());
    }

    /// Doctrine D1 — env var alone cannot create a default; spec wins when both
    /// are present.
    #[test]
    fn spec_overrides_env_when_both_present() {
        let l = limits_with_cpu(10_000, Some(50_000));
        assert_eq!(
            cpu_max_to_write(Some(&l), Some("max 200000")),
            Some("10000 50000".to_string())
        );
    }
}