microsandbox 0.4.6

`microsandbox` is the core library for the microsandbox project.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

//! Integration tests for `Sandbox::builder(...).replace().create()`.
//!
//! Mirrors the bug pattern from PR #587 review: a second create with
//! the same name and `.replace()` while the first `Sandbox` handle is
//! still alive previously hung for ~30s because libkrun's SIGTERM
//! handler did a slow graceful shutdown of the VM and the loop polled
//! `kill(pid, 0)` against a process that was genuinely still alive.
//! The replace path now SIGTERMs with a configurable grace, then
//! escalates to SIGKILL — bounded by kernel time, not by handler
//! latency — so a second `.replace().create()` returns in the time it
//! takes to boot a VM rather than the 30s timeout.

use std::time::{Duration, Instant};

use microsandbox::{MicrosandboxError, Sandbox};
use test_utils::msb_test;

const IMAGE: &str = "mirror.gcr.io/library/alpine";

async fn cleanup(name: &str) {
    if let Ok(mut h) = Sandbox::get(name).await {
        let _ = h.kill().await;
        let _ = h.remove().await;
    }
}

/// First create succeeds; second create with `.replace()` while sb1 is
/// still alive completes promptly. The session timeout is generous
/// enough to also cover slow boots, but well under the legacy 30s
/// SIGTERM-poll deadline that was the bug's hallmark.
#[msb_test]
async fn replace_with_live_handle_does_not_hang() {
    let name = "replace-live-handle";
    cleanup(name).await;

    let sb1 = Sandbox::builder(name)
        .image(IMAGE)
        .cpus(1)
        .memory(256)
        .replace()
        .create()
        .await
        .expect("first create");

    let started = Instant::now();
    let result = tokio::time::timeout(
        Duration::from_secs(120),
        Sandbox::builder(name)
            .image(IMAGE)
            .cpus(1)
            .memory(256)
            .replace()
            .create(),
    )
    .await;
    let elapsed = started.elapsed();

    let sb2 = match result {
        Err(_) => {
            // Best-effort cleanup before failing the assertion.
            drop(sb1);
            cleanup(name).await;
            panic!(
                "second .replace().create() did not return within 120s — bug regressed (was the 30s SIGTERM-poll path)"
            );
        }
        Ok(Err(err)) => {
            drop(sb1);
            cleanup(name).await;
            panic!("second .replace().create() failed: {err}");
        }
        Ok(Ok(sb2)) => sb2,
    };

    assert!(
        elapsed < Duration::from_secs(60),
        "second create took {elapsed:?}; expected sub-30s with SIGKILL escalation"
    );

    drop(sb2);
    drop(sb1);
    cleanup(name).await;
}

/// Without `.replace()`, a second create with the same name while sb1
/// is alive errors immediately with `SandboxAlreadyExists` instead of
/// blocking or surfacing a generic `Custom` error.
#[msb_test]
async fn create_without_replace_returns_typed_already_exists() {
    let name = "replace-typed-error";
    cleanup(name).await;

    let sb1 = Sandbox::builder(name)
        .image(IMAGE)
        .cpus(1)
        .memory(256)
        .replace()
        .create()
        .await
        .expect("first create");

    let result = Sandbox::builder(name)
        .image(IMAGE)
        .cpus(1)
        .memory(256)
        .create()
        .await;
    let err = match result {
        Ok(_) => {
            drop(sb1);
            cleanup(name).await;
            panic!("second create without .replace() should error, got Ok");
        }
        Err(e) => e,
    };

    assert!(
        matches!(err, MicrosandboxError::SandboxAlreadyExists(_)),
        "expected SandboxAlreadyExists, got {err:?}"
    );

    drop(sb1);
    cleanup(name).await;
}

/// `.replace_with_grace(0)` skips SIGTERM and goes straight to SIGKILL.
/// Should be at least as fast as the default 10-second grace.
#[msb_test]
async fn replace_with_grace_zero_succeeds() {
    let name = "replace-with-grace-zero";
    cleanup(name).await;

    let sb1 = Sandbox::builder(name)
        .image(IMAGE)
        .cpus(1)
        .memory(256)
        .replace()
        .create()
        .await
        .expect("first create");

    let result = tokio::time::timeout(
        Duration::from_secs(120),
        Sandbox::builder(name)
            .image(IMAGE)
            .cpus(1)
            .memory(256)
            .replace_with_grace(Duration::from_secs(0))
            .create(),
    )
    .await
    .expect("did not hang")
    .expect("create");

    drop(result);
    drop(sb1);
    cleanup(name).await;
}