Measure jailer startup performance #5282

ShadowCurse · 2025-06-26T16:01:56Z

Changes

Update jailer requirements on the executable name and permissions. Now it does not need to contain firecracker in it's name, but must be marked as executable.
Add jailer startup performance test. The test is parametrized on the number of jailers started and the number of bind mounts present in the system.

Reason

We want to know what is the overhead of a jailer in isolation. Since usually there are multiple jailed VMs on the system, the test is parametrized by the number of jailers started.
The reason for adding measurements with bind mounts is because it slows down the jailer startup time. The more bind mounts are present, the more contention there is in the kernel. At the same time, bind mounts are frequently created per VM in the production environment.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

I have read and understand CONTRIBUTING.md.
I have run tools/devtool checkstyle to verify that the PR passes the
automated style checks.
I have described what is done in these changes, why they are needed, and
how they are solving the problem in a clear and encompassing way.
I have updated any relevant documentation (both in code and in the docs)
in the PR.
I have mentioned all user-facing changes in CHANGELOG.md.
If a specific issue led to this PR, this PR closes the issue.
When making API changes, I have followed the
Runbook for Firecracker API changes.
I have tested all new and changed functionalities in unit tests and/or
integration tests.
I have linked an issue to every new TODO.

This functionality cannot be added in rust-vmm.

Now jailer will not complain if the executable does not contain `firecracker` in it's name. This restriction was unnecessary and it's removal is not a breaking change. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>

codecov · 2025-06-27T11:49:47Z

Codecov Report

Attention: Patch coverage is 87.50000% with 1 line in your changes missing coverage. Please review.

Project coverage is 82.92%. Comparing base (504b94d) to head (9e5b112).

Files with missing lines	Patch %	Lines
src/jailer/src/main.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5282      +/-   ##
==========================================
+ Coverage   82.86%   82.92%   +0.05%     
==========================================
  Files         250      250              
  Lines       26902    26903       +1     
==========================================
+ Hits        22292    22308      +16     
+ Misses       4610     4595      -15

Flag	Coverage Δ
5.10-c5n.metal	`83.36% <87.50%> (+<0.01%)`	⬆️
5.10-m5n.metal	`?`
5.10-m6a.metal	`82.57% <87.50%> (+<0.01%)`	⬆️
5.10-m6g.metal	`79.18% <87.50%> (+<0.01%)`	⬆️
5.10-m6i.metal	`83.34% <87.50%> (+<0.01%)`	⬆️
5.10-m7a.metal-48xl	`82.55% <87.50%> (?)`
5.10-m7g.metal	`?`
5.10-m7i.metal-24xl	`83.31% <87.50%> (?)`
5.10-m7i.metal-48xl	`83.31% <87.50%> (?)`
5.10-m8g.metal-24xl	`79.18% <87.50%> (?)`
5.10-m8g.metal-48xl	`79.17% <87.50%> (?)`
6.1-c5n.metal	`83.40% <87.50%> (+0.01%)`	⬆️
6.1-m5n.metal	`83.39% <87.50%> (+<0.01%)`	⬆️
6.1-m6a.metal	`82.62% <87.50%> (+<0.01%)`	⬆️
6.1-m6g.metal	`79.18% <87.50%> (+<0.01%)`	⬆️
6.1-m6i.metal	`83.39% <87.50%> (+<0.01%)`	⬆️
6.1-m7a.metal-48xl	`82.60% <87.50%> (?)`
6.1-m7g.metal	`79.18% <87.50%> (+<0.01%)`	⬆️
6.1-m7i.metal-24xl	`83.41% <87.50%> (?)`
6.1-m8g.metal-24xl	`79.17% <87.50%> (?)`
6.1-m8g.metal-48xl	`79.17% <87.50%> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

The executable passed to the jailer must have exec permissions set. Update the jailer executable check unit tests with `match!`. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>

Add note about new jailer executable requirements. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>

Remove explicit panic on error. Let the error be returned from the main. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>

This binary just outputs the start and end time of the jailer startup. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>

Manciukic · 2025-06-27T13:19:46Z

src/jailer/src/env.rs

+        let metadata = std::fs::metadata(&exec_file_path).unwrap();
+
+        // Check that it is executable
+        if metadata.permissions().mode() & 0o111 == 0 {


isn't this requiring that's executable by all users, while in reality it just needs to be executable by the jailer? Is there any issues with just having the execve fail with permission error?

This checks that there is at least some executable bit set.
Personally, I added this as I though it was already a requirement, just not explicitly checked and failing with a bit nicer message is better. I can drop it if people find it not necessary.

Manciukic · 2025-06-27T13:23:44Z