Simplify CI to 3 make targets

.config/nextest.toml

@@ -42,23 +42,36 @@ retries = 0
 [test-groups.stress-tests]
 max-threads = 1
 
+# Snapshot tests limited to 3 concurrent (each snapshot is ~5.6GB on disk)
+[test-groups.snapshot-tests]
+max-threads = 3
+
 # VM tests run at full parallelism (num-cpus)
-# Previously limited to 16 threads due to namespace holder process deaths,
-# but root cause was rootless tests running under sudo. Now that privileged
-# tests filter out rootless tests (-E '!test(/rootless/)'), full parallelism works.
 [test-groups.vm-tests]
 max-threads = "num-cpus"
 
 [[profile.default.overrides]]
 filter = "package(fcvm) & test(/stress_100/)"
 test-group = "stress-tests"
-slow-timeout = { period = "300s", terminate-after = 1 }
+slow-timeout = { period = "600s", terminate-after = 1 }
+
+# Snapshot tests: limited to 3 concurrent (each creates ~5.6GB snapshot on disk)
+[[profile.default.overrides]]
+filter = "package(fcvm) & (test(/snapshot/) | test(/clone/))"
+test-group = "snapshot-tests"
+slow-timeout = { period = "600s", terminate-after = 1 }
+
+# VM tests get 10 minute timeout (non-snapshot tests)
+[[profile.default.overrides]]
+filter = "package(fcvm) & test(/test_/) & !test(/stress_100/) & !test(/pjdfstest_vm/) & !test(/snapshot/) & !test(/clone/)"
+test-group = "vm-tests"
+slow-timeout = { period = "600s", terminate-after = 1 }
 
-# VM tests run with limited parallelism to avoid resource exhaustion
+# In-VM pjdfstest needs 15 minutes (image import via FUSE over vsock is slow)
 [[profile.default.overrides]]
-filter = "package(fcvm) & test(/test_/) & !test(/stress_100/)"
+filter = "package(fcvm) & test(/pjdfstest_vm/)"
 test-group = "vm-tests"
-slow-timeout = { period = "300s", terminate-after = 1 }
+slow-timeout = { period = "900s", terminate-after = 1 }
 
 # fuse-pipe tests can run with full parallelism
 [[profile.default.overrides]]

.github/workflows/ci.yml

@@ -6,16 +6,23 @@ on:
   push:
     branches: [main]
 
+# Cancel in-progress runs when a new revision is pushed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CARGO_TERM_COLOR: always
   FUSE_BACKEND_RS: ${{ github.workspace }}/fuse-backend-rs
   FUSER: ${{ github.workspace }}/fuser
   CONTAINER_ARCH: x86_64
 
 jobs:
-  container-rootless:
-    name: Container (rootless)
-    runs-on: ubuntu-latest
+  # Runner 1: Host (bare metal with KVM)
+  # Runs: test-unit → test-fast → test-root (sequential)
+  host:
+    name: Host
+    runs-on: buildjet-32vcpu-ubuntu-2204
     steps:
       - uses: actions/checkout@v4
         with:
@@ -30,33 +37,80 @@ jobs:
           repository: ejc3/fuser
           ref: master
           path: fuser
-      - name: make ci-container-rootless
-        working-directory: fcvm
-        run: make ci-container-rootless
-
-  container-sudo:
-    name: Container (sudo)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          path: fcvm
-      - uses: actions/checkout@v4
-        with:
-          repository: ejc3/fuse-backend-rs
-          ref: master
-          path: fuse-backend-rs
-      - uses: actions/checkout@v4
+      - name: Install Rust
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+      - uses: Swatinem/rust-cache@v2
         with:
-          repository: ejc3/fuser
-          ref: master
-          path: fuser
-      - name: make ci-container-sudo
+          cache-provider: buildjet
+          workspaces: fcvm -> target
+          cache-on-failure: "true"
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y fuse3 libfuse3-dev libclang-dev clang musl-tools \
+            iproute2 iptables slirp4netns dnsmasq qemu-utils e2fsprogs parted \
+            podman skopeo busybox-static cpio zstd autoconf automake libtool
+      - name: Install Firecracker
+        run: |
+          curl -L -o /tmp/firecracker.tgz \
+            https://github.com/firecracker-microvm/firecracker/releases/download/v1.14.0/firecracker-v1.14.0-x86_64.tgz
+          sudo tar -xzf /tmp/firecracker.tgz -C /usr/local/bin --strip-components=1 \
+            release-v1.14.0-x86_64/firecracker-v1.14.0-x86_64 \
+            release-v1.14.0-x86_64/jailer-v1.14.0-x86_64
+          sudo mv /usr/local/bin/firecracker-v1.14.0-x86_64 /usr/local/bin/firecracker
+          sudo mv /usr/local/bin/jailer-v1.14.0-x86_64 /usr/local/bin/jailer
+      - name: Install cargo tools
+        # cargo-audit >= 0.22.0 required for CVSS 4.0 support
+        # Use --force to override any stale cached versions
+        run: cargo install cargo-nextest@0.9.115 cargo-audit@0.22.0 cargo-deny@0.18.9 --locked --force
+      - name: Setup KVM and networking
+        run: |
+          sudo chmod 666 /dev/kvm
+          sudo mkdir -p /var/run/netns
+          sudo iptables -P FORWARD ACCEPT
+          sudo iptables -t nat -A POSTROUTING -s 172.30.0.0/16 -o eth0 -j MASQUERADE || true
+          if [ ! -e /dev/userfaultfd ]; then
+            sudo mknod /dev/userfaultfd c 10 126
+          fi
+          sudo chmod 666 /dev/userfaultfd
+          sudo sysctl -w vm.unprivileged_userfaultfd=1
+          # Enable FUSE allow_other for tests
+          echo "user_allow_other" | sudo tee /etc/fuse.conf
+      - name: Create test log directory
+        run: mkdir -p /tmp/fcvm-test-logs
+      - name: test-unit
         working-directory: fcvm
-        run: make ci-container-sudo
+        run: make test-unit
+      - name: setup-fcvm
+        working-directory: fcvm
+        run: make setup-fcvm
+      - name: test-fast
+        working-directory: fcvm
+        run: make test-fast
+      - name: test-root
+        working-directory: fcvm
+        run: make test-root
+      - name: Capture kernel logs
+        if: always()
+        run: |
+          # Filter dmesg for UFFD/memory/VM related messages only
+          sudo dmesg | grep -iE 'userfault|uffd|kvm|firecracker|oom|killed|segfault|page.fault' > /tmp/fcvm-test-logs/dmesg-filtered.log || true
+      - name: Upload test logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-logs-host
+          path: /tmp/fcvm-test-logs/
+          if-no-files-found: ignore
+          retention-days: 7
 
-  vm:
-    name: Host (sudo+rootless)
+  # Runner 2: Container (podman)
+  # Runs same tests as Host but inside a container
+  # Needs KVM for VM tests (container mounts /dev/kvm)
+  container:
+    name: Container
     runs-on: buildjet-32vcpu-ubuntu-2204
     steps:
       - uses: actions/checkout@v4
@@ -72,17 +126,49 @@ jobs:
           repository: ejc3/fuser
           ref: master
           path: fuser
-      - name: Setup KVM and networking
+      - name: Setup KVM and rootless podman
         run: |
           sudo chmod 666 /dev/kvm
-          sudo mkdir -p /var/run/netns
-          sudo iptables -P FORWARD ACCEPT
-          sudo iptables -t nat -A POSTROUTING -s 172.30.0.0/16 -o eth0 -j MASQUERADE || true
-          if [ ! -e /dev/userfaultfd ]; then
-            sudo mknod /dev/userfaultfd c 10 126
-          fi
-          sudo chmod 666 /dev/userfaultfd
+          # Enable userfaultfd syscall for snapshot cloning
           sudo sysctl -w vm.unprivileged_userfaultfd=1
-      - name: make container-test-vm
+          # Configure rootless podman to use cgroupfs (no systemd session on CI)
+          mkdir -p ~/.config/containers
+          printf '[engine]\ncgroup_manager = "cgroupfs"\nevents_logger = "file"\n' > ~/.config/containers/containers.conf
+          # Create cargo cache directory for container
+          mkdir -p ${{ github.workspace }}/cargo-cache/registry ${{ github.workspace }}/cargo-cache/target
+      - name: Cache container cargo
+        uses: actions/cache@v4
+        with:
+          path: ${{ github.workspace }}/cargo-cache
+          key: container-cargo-${{ hashFiles('fcvm/Cargo.lock') }}
+          restore-keys: container-cargo-
+      - name: Create test log directory
+        run: mkdir -p /tmp/fcvm-test-logs
+      - name: container-test-unit
+        env:
+          CARGO_CACHE_DIR: ${{ github.workspace }}/cargo-cache
+        working-directory: fcvm
+        run: make container-test-unit
+      - name: container-setup-fcvm
+        env:
+          CARGO_CACHE_DIR: ${{ github.workspace }}/cargo-cache
         working-directory: fcvm
-        run: make container-test-vm
+        run: make container-setup-fcvm
+      - name: container-test
+        env:
+          CARGO_CACHE_DIR: ${{ github.workspace }}/cargo-cache
+        working-directory: fcvm
+        run: make container-test
+      - name: Capture kernel logs
+        if: always()
+        run: |
+          # Filter dmesg for UFFD/memory/VM related messages only
+          sudo dmesg | grep -iE 'userfault|uffd|kvm|firecracker|oom|killed|segfault|page.fault' > /tmp/fcvm-test-logs/dmesg-filtered.log || true
+      - name: Upload test logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-logs-container
+          path: /tmp/fcvm-test-logs/
+          if-no-files-found: ignore
+          retention-days: 7

.gitignore

@@ -8,3 +8,5 @@ sync-test/
 # Local settings (machine-specific)
 *.local.*
 *.local
+cargo-home/
+.local/

CONTRIBUTING.md

@@ -40,12 +40,16 @@ Have an idea? [Open an issue](https://github.com/ejc3/fcvm/issues/new) describin
 # Build everything
 make build
 
+# First-time setup (downloads kernel + creates rootfs, ~5-10 min)
+make setup-btrfs
+fcvm setup
+
 # Run lints (must pass before PR)
 make lint
 
 # Run tests
 make test              # fuse-pipe tests
-make test-vm           # VM integration tests (requires KVM)
+make test-root         # VM tests (requires sudo + KVM)
 
 # Format code
 make fmt

Cargo.toml

@@ -4,6 +4,8 @@ members = [".", "fuse-pipe", "fc-agent"]
 default-members = [".", "fuse-pipe", "fc-agent"]
 # Exclude sync-test (used only for Makefile sync verification)
 exclude = ["sync-test"]
+# Resolver v2 makes --no-default-features work across all workspace members
+resolver = "2"
 
 [package]
 name = "fcvm"
@@ -12,7 +14,6 @@ edition = "2021"
 
 [dependencies]
 anyhow = "1"
-atty = "0.2"
 clap = { version = "4", features = ["derive", "env"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
@@ -42,11 +43,18 @@ fuse-pipe = { path = "fuse-pipe", default-features = false }
 url = "2"
 tokio-util = "0.7"
 regex = "1.12.2"
+fs2 = "0.4.3"
 
 [features]
-# Test category - only gate tests that require sudo
-# Unprivileged tests run by default (no feature flag needed)
-privileged-tests = []  # Tests requiring sudo (iptables, root podman storage)
+# Default: all integration tests that work without sudo (rootless networking)
+default = ["integration-fast", "integration-slow"]
+
+# Test speed tiers (unit tests always run, no feature flag needed)
+integration-fast = []        # Quick VM tests, < 30s each (sanity, signal, exec, port forward)
+integration-slow = []        # Slow VM tests, > 30s each (clone, snapshot, fuse posix, egress)
+
+# Privileged tests require sudo (bridged networking, pjdfstest, iptables)
+privileged-tests = []
 
 [dev-dependencies]
 serial_test = "3"