mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-30 21:01:54 +08:00
37ee5ec320
## Summary
`stack emulator start` now resumes a fully-warm VM snapshot instead of
cold-booting, bringing startup from 30–120s down to ~5–8s with
per-install secret rotation, or ~2.5s with rotation opt-out. The
snapshot is captured **locally on first `stack emulator pull`**, not
shipped from CI — QEMU migration state isn't portable across
accelerators (KVM/HVF/TCG) or `-cpu max` feature sets, so a CI-captured
snapshot couldn't resume reliably on arbitrary user hardware.
Also bundles a pile of CLI QoL fixes (progress bars, PR/run artifact
pulls, PR-build download, native-TS ISO writer replacing
`hdiutil`/`mkisofs`/`genisoimage` host dep, unit tests).
| Scenario | Before | After |
|---|---|---|
| Cold boot (no snapshot) | 30–120s | same, works as fallback |
| `stack emulator pull` (one-time, includes local snapshot capture) |
~30s download | ~30s download + ~1–3 min cold-boot capture |
| Snapshot resume, normal start | — | **~5–8s** |
| Snapshot resume, `EMULATOR_NO_ROTATION=1` | — | **~2.5s** |
Backend (`/health?db=1`) and dashboard (`/handler/sign-in`) return 200
on all paths. Two successive snapshot resumes produce different rotated
PCK/SSK/SAK/CRON_SECRET values per install.
## How it works
**Build (CI)** — `docker/local-emulator/qemu/build-image.sh`:
1. Cloud-init provisioning runs to completion (migrations, seed,
slim-image) producing `stack-emulator-<arch>.qcow2`.
2. Image is built with a topology compatible with later snapshot capture
(pinned SMP=4, phantom seed/bundle ISOs, STACKCFG runtime ISO mounted at
build time, qemu-guest-agent running, placeholder hex secrets baked in
under `STACK_EMULATOR_BUILD_SNAPSHOT=1`).
3. CI publishes **only the qcow2** — no `.savevm.zst` ships.
**Pull (user's machine)** —
`packages/stack-cli/src/commands/emulator.ts` + `run-emulator.sh
capture`:
1. `stack emulator pull` downloads the qcow2 with a progress bar (or
from a PR / workflow run via `--pr` / `--run`).
2. CLI invokes `run-emulator.sh capture`: cold-boots the qcow2 with a
matching device layout (phantom ISOs, fsdev, pcie-root-port, virtfs
detached — migration-incompatible), waits for backend+dashboard health,
then drives QMP: `stop` → set `mapped-ram` + `multifd` caps → `migrate
file:state.raw` → poll `query-migrate` → `quit`. Raw mapped-ram file is
zstd-compressed to `stack-emulator-<arch>.savevm.zst` in the images dir.
3. `--skip-snapshot` opts out (first `start` will then cold-boot).
**Runtime** — `run-emulator.sh start`:
1. Launch QEMU with `-incoming defer` when a `.savevm.zst` is present;
decompress on first use, keep the `.raw` cached for subsequent starts.
2. QMP: same `mapped-ram` + `multifd` caps → `migrate-incoming
file:<.raw>` → poll for `paused` → `cont`.
3. Generate fresh per-install secrets on the host; pipe them
base64-encoded through QGA `guest-exec input-data` →
`trigger-fast-rotate` in the guest → `docker exec -e … rotate-secrets`.
4. `rotate-secrets` in the container: validate keys (hex-only), targeted
`sed` on the placeholder PCK across built JS, `UPDATE ApiKeySet`,
`supervisorctl restart stack-app cron-jobs` (with
`stopasgroup`/`killasgroup` so the Node children actually die and
release their ports).
5. Poll backend+dashboard health; if anything fails, clean up and fall
back to cold boot transparently.
**Security model**: placeholder hex values are baked into the snapshot
(`00…ff` PCK, `00…ee` SSK, `00…dd` SAK, `00…cc` CRON_SECRET). They are
non-secret by construction. Real per-install secrets are generated at
each `emulator start` and never leave the host.
## CLI changes (`packages/stack-cli`)
- **`src/lib/iso.ts`** (new): native TypeScript ISO 9660 + Joliet
writer, replacing the host-side `hdiutil`/`mkisofs`/`genisoimage`
dependency for generating the STACKCFG runtime config disk. Unit tests
in `src/lib/iso.test.ts`.
- **`src/commands/emulator.ts`**:
- `pull`: streamed downloads with progress bar + ETA; `--pr <number>`
and `--run <id>` to pull from a PR build's CI artifacts (uses
`extract-zip` for the nested zip); `--skip-snapshot` to opt out of the
one-time local capture.
- `start` (existing, extended): auto-pulls AND auto-captures when no
image exists, so first-ever `start` is self-bootstrapping; emits
`STACK_EMULATOR_CLI_WROTE_ISO=1` so the shell helper skips its own ISO
regen (avoids the genisoimage host dep).
- `capture` (new, invoked by `pull` and the auto-pull path of `start`):
drives the local snapshot capture via `run-emulator.sh`.
- `status`, `stop`, `reset`, `list-releases`: preflight +
path-resolution tightening (`STACK_EMULATOR_HOME` → images/run dirs).
- Unit tests in `src/commands/emulator.test.ts`.
- **`EMULATOR_NO_ROTATION=1`** env var skips the post-resume rotation
(intended for tests/CI where the placeholder secrets are fine — comes
with a loud warning).
## CI (`.github/workflows/qemu-emulator-build.yaml`)
- Builds **QEMU 10.2.2 from source** (cached), because
`mapped-ram`/`multifd` migration capabilities aren't available in the
distro's QEMU. Enables KVM on ubicloud runners so amd64 boots at
hardware speed.
- amd64 + arm64 both build on the same amd64 matrix
(`ubicloud-standard-8`); arm64 runs under cross-arch TCG (provisioning
only — boot/verify smoke test is amd64-only).
- Verification now runs through the CLI: `emulator start` → `emulator
status` → `emulator stop` against the freshly-built qcow2 (via
`STACK_EMULATOR_HOME` pointing at the workspace, so the CLI doesn't
silently auto-pull a prior release).
- Packages **only** the qcow2. No `.savevm.zst` upload / publish.
- Release notes updated.
## Key files
**Shell / guest:**
- `docker/local-emulator/qemu/build-image.sh` — snapshot-compatible
device topology + STACKCFG runtime ISO at build time
- `docker/local-emulator/qemu/run-emulator.sh` — `start`, `capture`,
`stop`, `reset`, `status`; `-incoming defer`, `.raw` cache, QGA-driven
rotation, cold-boot fallback
- `docker/local-emulator/qemu/common.sh` (new) — shared `qmp_session` +
`capture_vm_state` (factored out so build-image.sh and run-emulator.sh
share the capture path)
- `docker/local-emulator/qemu/cloud-init/emulator/user-data` —
placeholder secrets in snapshot mode, `wait-for-stack-ready`,
`trigger-fast-rotate`, qemu-guest-agent enabled
- `docker/local-emulator/rotate-secrets.sh` (new) — in-container
rotation (sed + UPDATE + supervisorctl)
- `docker/local-emulator/supervisord.conf` — `stopasgroup`/`killasgroup`
on `stack-app` and `cron-jobs`
- `docker/local-emulator/entrypoint.sh` — only mint CRON_SECRET if unset
(placeholder supplied in snapshot mode via --env-file)
- `docker/local-emulator/Dockerfile` — ships `rotate-secrets` to
`/usr/local/bin`
- `docker/server/entrypoint.sh` — source
`/run/stack-auth/rotated-secrets.env`; skip full-tree sentinel scan on
warm restarts via marker
**CLI:**
- `packages/stack-cli/src/lib/iso.ts` (new) + `iso.test.ts` (new)
- `packages/stack-cli/src/commands/emulator.ts` + `emulator.test.ts`
(new)
- `packages/stack-cli/vitest.config.ts` (new)
**CI:**
- `.github/workflows/qemu-emulator-build.yaml`
## Test plan
- [x] `docker/local-emulator/qemu/build-image.sh {amd64,arm64}` produces
`stack-emulator-<arch>.qcow2` with snapshot-compatible topology
- [x] `stack emulator pull` downloads qcow2 with progress, then captures
locally (~1–3 min) and writes `stack-emulator-<arch>.savevm.zst` in the
images dir
- [x] `stack emulator pull --skip-snapshot` stops after download
- [x] `stack emulator pull --pr <n>` / `--run <id>` pull from PR /
workflow run artifacts
- [x] `stack emulator start` on a fresh dir auto-pulls **and**
auto-captures, then starts; subsequent starts fast-resume in ~5–8s;
backend + dashboard return 200
- [x] `EMULATOR_NO_ROTATION=1 stack emulator start` completes in ~2.5s;
backend + dashboard return 200 with warning printed
- [x] Two consecutive `emulator start` invocations produce different PCK
values in the internal `ApiKeySet` row
- [x] `stack emulator status` / `stop` / `reset` resolve paths from
`STACK_EMULATOR_HOME`
- [x] Verified end-to-end on arm64 macOS under HVF (capture ~50s,
fast-resume ~6.5s)
- [x] `pnpm lint` and `pnpm typecheck` pass; stack-cli unit tests (iso +
emulator) pass
- [ ] CI green on this PR (qemu-emulator-build matrix, smoke test)
- [ ] `gh release download emulator-<branch>-latest` contains only
`stack-emulator-<arch>.qcow2` once this PR merges and publish runs
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Snapshot fast-start/resume with optional warm-snapshot assets, runtime
ISO generation, and a cached QEMU build to speed emulator setup.
* CLI: streamed artifact downloads with progress, improved release/asset
handling, stronger preflight checks, and start/status/stop emulator
commands.
* Automated secret rotation and ability to apply rotated secrets at
container startup; supervisor control socket enabled.
* **Bug Fixes**
* More robust start/stop/resume flows with automatic fallback to cold
boot and improved process-group shutdown behavior.
* **Tests**
* New tests for CLI utilities and ISO image generation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
210 lines
6.9 KiB
Bash
Executable File
210 lines
6.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Shared helpers for QEMU emulator scripts.
|
|
# Source this file; do not execute it directly.
|
|
|
|
AARCH64_FIRMWARE_PATHS=(
|
|
/opt/homebrew/share/qemu/edk2-aarch64-code.fd
|
|
/usr/share/qemu/edk2-aarch64-code.fd
|
|
/usr/share/AAVMF/AAVMF_CODE.fd
|
|
/usr/share/qemu-efi-aarch64/QEMU_EFI.fd
|
|
)
|
|
|
|
detect_host() {
|
|
case "$(uname -m)" in
|
|
arm64|aarch64) HOST_ARCH="arm64" ;;
|
|
x86_64|amd64) HOST_ARCH="amd64" ;;
|
|
*) echo "Unsupported host architecture: $(uname -m)" >&2; exit 1 ;;
|
|
esac
|
|
|
|
case "$(uname -s)" in
|
|
Darwin) HOST_OS="darwin" ;;
|
|
Linux) HOST_OS="linux" ;;
|
|
MINGW*|MSYS*|CYGWIN*) HOST_OS="windows" ;;
|
|
*) HOST_OS="unknown" ;;
|
|
esac
|
|
}
|
|
|
|
qemu_binary_for_arch() {
|
|
case "$1" in
|
|
arm64) echo "qemu-system-aarch64" ;;
|
|
amd64) echo "qemu-system-x86_64" ;;
|
|
*) return 1 ;;
|
|
esac
|
|
}
|
|
|
|
find_aarch64_firmware() {
|
|
local p
|
|
for p in "${AARCH64_FIRMWARE_PATHS[@]}"; do
|
|
if [ -f "$p" ]; then
|
|
echo "$p"
|
|
return 0
|
|
fi
|
|
done
|
|
echo "No aarch64 UEFI firmware found." >&2
|
|
return 1
|
|
}
|
|
|
|
make_iso_from_dir() {
|
|
local iso_path="$1"
|
|
local volume_name="$2"
|
|
local source_dir="$3"
|
|
|
|
rm -f "$iso_path" "${iso_path}.iso"
|
|
if command -v hdiutil >/dev/null 2>&1; then
|
|
local tmp_dir
|
|
tmp_dir="$(mktemp -d /tmp/stack-emulator-iso-XXXXXX)"
|
|
cp -R "$source_dir/." "$tmp_dir/"
|
|
hdiutil makehybrid -o "$iso_path" "$tmp_dir" -joliet -iso -default-volume-name "$volume_name" 2>/dev/null
|
|
if [ -f "${iso_path}.iso" ]; then
|
|
mv "${iso_path}.iso" "$iso_path"
|
|
fi
|
|
rm -rf "$tmp_dir"
|
|
elif command -v mkisofs >/dev/null 2>&1; then
|
|
mkisofs -output "$iso_path" -volid "$volume_name" -joliet -rock "$source_dir" >/dev/null 2>&1
|
|
elif command -v genisoimage >/dev/null 2>&1; then
|
|
genisoimage -output "$iso_path" -volid "$volume_name" -joliet -rock "$source_dir" >/dev/null 2>&1
|
|
else
|
|
echo "Missing ISO creation tool (need hdiutil, mkisofs, or genisoimage)" >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Send one or more QMP commands over the monitor socket. Stdin is a stream of
|
|
# JSON objects; qmp_capabilities is always sent first to exit negotiation mode.
|
|
# Keep stdin open briefly after writing so socat doesn't close before QEMU
|
|
# responds — QMP replies in milliseconds so 0.5s is plenty.
|
|
#
|
|
# Callers: build-image.sh capture flow, run-emulator.sh cmd_capture.
|
|
qmp_session() {
|
|
local sock="$1"
|
|
local payload
|
|
payload="$(cat)"
|
|
( printf '%s\n' "$payload"; sleep 0.5 ) | socat -t30 - "UNIX-CONNECT:${sock}"
|
|
}
|
|
|
|
# Drive the snapshot capture over QMP:
|
|
# 1. qmp_capabilities — exit negotiation mode.
|
|
# 2. stop — pause the VM so no more disk writes happen.
|
|
# 3. migrate-set-capabilities — enable mapped-ram + multifd for fast resume.
|
|
# 4. migrate to file:<path> — streams RAM/device state out.
|
|
# 5. Poll query-migrate until status=completed (or failed).
|
|
# 6. quit — terminate QEMU cleanly.
|
|
#
|
|
# Depends on log/err/warn being defined by the sourcing script.
|
|
capture_vm_state() {
|
|
local sock="$1"
|
|
local guest_path="$2"
|
|
|
|
if [ ! -S "$sock" ]; then
|
|
err "QMP monitor socket missing: $sock"
|
|
return 1
|
|
fi
|
|
|
|
log " QMP: stopping VM..."
|
|
{
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' '{"execute":"stop"}'
|
|
} | qmp_session "$sock" >/dev/null || {
|
|
err "QMP stop failed"
|
|
return 1
|
|
}
|
|
|
|
log " QMP: enabling mapped-ram + multifd for fast resume..."
|
|
# mapped-ram: writes each RAM page to a fixed offset in the output file
|
|
# (vs the legacy streamed format). This lets the target QEMU mmap the file
|
|
# and fault pages lazily — and combined with multifd, load RAM in parallel.
|
|
# multifd-channels=4 matches our pinned SMP so the channels don't starve
|
|
# each other on the target's 4 vCPUs.
|
|
local caps_cmd params_cmd
|
|
caps_cmd='{"execute":"migrate-set-capabilities","arguments":{"capabilities":[{"capability":"mapped-ram","state":true},{"capability":"multifd","state":true}]}}'
|
|
params_cmd='{"execute":"migrate-set-parameters","arguments":{"multifd-channels":4}}'
|
|
local setup_resp
|
|
setup_resp=$({
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' "$caps_cmd"
|
|
printf '%s\n' "$params_cmd"
|
|
} | qmp_session "$sock") || {
|
|
err "QMP capabilities setup failed"
|
|
return 1
|
|
}
|
|
if printf '%s' "$setup_resp" | grep -q '"error"[[:space:]]*:'; then
|
|
err "QMP capabilities returned error: $setup_resp"
|
|
return 1
|
|
fi
|
|
|
|
log " QMP: migrating RAM state to ${guest_path}..."
|
|
# Use file: migration (native QEMU) instead of exec: to avoid relying on a
|
|
# spawned shell finding zstd in PATH. Compressed as a separate host step
|
|
# after migrate completes.
|
|
local migrate_cmd
|
|
migrate_cmd=$(printf '{"execute":"migrate","arguments":{"uri":"file:%s"}}' "$guest_path")
|
|
local migrate_resp
|
|
migrate_resp=$({
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' "$migrate_cmd"
|
|
} | qmp_session "$sock") || {
|
|
err "QMP migrate failed"
|
|
return 1
|
|
}
|
|
if printf '%s' "$migrate_resp" | grep -q '"error"[[:space:]]*:'; then
|
|
err "QMP migrate returned error: $migrate_resp"
|
|
return 1
|
|
fi
|
|
|
|
# Poll migration status. Migration runs in the background after the
|
|
# migrate command returns; we watch for "completed" or "failed".
|
|
local migrate_timeout=600
|
|
local waited=0
|
|
local last_heartbeat=0
|
|
while [ "$waited" -lt "$migrate_timeout" ]; do
|
|
local status_line status
|
|
status_line=$({
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' '{"execute":"query-migrate"}'
|
|
} | qmp_session "$sock" 2>/dev/null || true)
|
|
status="$(printf '%s\n' "$status_line" | grep -o '"status"[[:space:]]*:[[:space:]]*"[a-z-]*"' | head -1 | sed -E 's/.*"([a-z-]+)".*/\1/')"
|
|
case "$status" in
|
|
completed)
|
|
log " QMP: migrate completed (${waited}s)"
|
|
break
|
|
;;
|
|
failed|cancelled)
|
|
err " QMP: migrate ended with status=$status"
|
|
err " QMP response: $status_line"
|
|
return 1
|
|
;;
|
|
active|setup|device|"")
|
|
# still running
|
|
if [ "$((waited - last_heartbeat))" -ge 30 ]; then
|
|
local transferred
|
|
transferred=$(printf '%s' "$status_line" | grep -o '"transferred"[[:space:]]*:[[:space:]]*[0-9]*' | head -1 | sed -E 's/.*:[[:space:]]*([0-9]+).*/\1/')
|
|
log " QMP: migrate in progress (${waited}s, status=${status:-init}, transferred=${transferred:-0})"
|
|
last_heartbeat=$waited
|
|
fi
|
|
;;
|
|
*)
|
|
log " QMP: migrate status=$status (${waited}s)"
|
|
;;
|
|
esac
|
|
sleep 2
|
|
waited=$((waited + 2))
|
|
done
|
|
|
|
if [ "$waited" -ge "$migrate_timeout" ]; then
|
|
err "QMP migrate timed out after ${migrate_timeout}s"
|
|
err "Last query-migrate response: $({
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' '{"execute":"query-migrate"}'
|
|
} | qmp_session "$sock" 2>/dev/null || true)"
|
|
return 1
|
|
fi
|
|
|
|
log " QMP: quitting VM..."
|
|
{
|
|
printf '%s\n' '{"execute":"qmp_capabilities"}'
|
|
printf '%s\n' '{"execute":"quit"}'
|
|
} | qmp_session "$sock" >/dev/null || true
|
|
|
|
return 0
|
|
}
|