PHD: add tests for migration of running processes (#623)

In real life, it's likely that VM migration may occur while one or more
user processes are running on the guest. We don't have a lot of testing
for what happens to userspace processes during migration. Therefore,
I've added some tests that create a process on the guest, write a bunch
of data into variables in memory, suspend the process, migrate the
guest, and attempt to read the data back out of memory on the new host
and check that it's still correct.

In addition to a simple test that performs one migration, I've also
added tests for correctness in the face of a _failed_ migration attempt.
These tests force a migration attempt to fail while a process is
running, and then check that the process hasn't been messed up after a
successful second migration attempt.

In order facilitate testing migration after a failed migration,  this PR
introduces a test-only virtual device which can be configured to fail
during migration, either while exporting the device or while importing
it. The device can be configured to fail a set number of times, to allow
tests that force a migration failure and then perform a subsequent
migration that does not fail.

Since a virtual device whose only purpose is to break Propolis seems
like something that we don't want to create in production,
`propolis-server` will only permit the migration-failure test device to
be configured in the TOML config file, and it is *not* added to the
`InstanceSpec` public API. `propolis-server` also ignores any
migration-failure devices configured in the TOML if it was built with
the "omicron-build" feature, so we won't accidentally inject failures
into release builds.

The primary intention behind these tests is to ensure that all dirty
pages of the guest's memory are migrated correctly (see #387). With the
current approach to RAM transfer, we don't run into issues with this,
even in the case of a failed migration, because the `RamPushPrePause`
phase always offers *all* guest RAM, regardless of whether it's dirty.
However, if we change the RAM transfer behavior to only offer dirty
pages both in the `RamPushPrePause` and `RamPushPostPause` migration
phases, the migration-failure tests will now fail, because the failed
migration will have cleared dirty bits on any dirty guest pages, and we
now don't transfer the guest's memory correctly on the second migration.
These tests will allow us to verify that a fix for #387, where we no
longer offer all RAM in the `RamPushPrePause` phase, is working
correctly.

Author: hawkw

bin/propolis-server/src/lib/initializer.rs

@@ -10,7 +10,10 @@ use std::os::unix::fs::FileTypeExt;
 use std::sync::Arc;
 use std::time::{SystemTime, UNIX_EPOCH};
 
+use crate::serial::Serial;
+use crate::server::CrucibleBackendMap;
 use crucible_client_types::VolumeConstructionRequest;
+pub use nexus_client::Client as NexusClient;
 use oximeter::types::ProducerRegistry;
 use propolis::block;
 use propolis::chardev::{self, BlockingSource, Source};
@@ -31,10 +34,6 @@ use propolis::vmm::{self, Builder, Machine};
 use propolis_api_types::instance_spec::{self, v0::InstanceSpecV0};
 use slog::info;
 
-use crate::serial::Serial;
-use crate::server::CrucibleBackendMap;
-pub use nexus_client::Client as NexusClient;
-
 use anyhow::{Context, Result};
 
 // Arbitrary ROM limit for now
@@ -575,6 +574,55 @@ impl<'a> MachineInitializer<'a> {
         Ok(())
     }
 
+    #[cfg(not(feature = "omicron-build"))]
+    pub fn initialize_test_devices(
+        &self,
+        toml_cfg: &std::collections::BTreeMap<
+            String,
+            propolis_server_config::Device,
+        >,
+    ) -> Result<(), Error> {
+        use propolis::hw::testdev::{
+            MigrationFailureDevice, MigrationFailures,
+        };
+
+        if let Some(dev) = toml_cfg.get(MigrationFailureDevice::NAME) {
+            const FAIL_EXPORTS: &str = "fail_exports";
+            const FAIL_IMPORTS: &str = "fail_imports";
+            let fail_exports = dev
+                .options
+                .get(FAIL_EXPORTS)
+                .and_then(|val| val.as_integer())
+                .unwrap_or(0);
+            let fail_imports = dev
+                .options
+                .get(FAIL_IMPORTS)
+                .and_then(|val| val.as_integer())
+                .unwrap_or(0);
+
+            if fail_exports <= 0 && fail_imports <= 0 {
+                info!(
+                    self.log,
+                    "migration failure device will not fail, as both
+                    `{FAIL_EXPORTS}` and `{FAIL_IMPORTS}` are 0";
+                    FAIL_EXPORTS => ?fail_exports,
+                    FAIL_IMPORTS => ?fail_imports,
+                );
+            }
+
+            let dev = MigrationFailureDevice::create(
+                &self.log,
+                MigrationFailures {
+                    exports: fail_exports as usize,
+                    imports: fail_imports as usize,
+                },
+            );
+            self.inv.register(&dev)?;
+        }
+
+        Ok(())
+    }
+
     #[cfg(feature = "falcon")]
     pub fn initialize_softnpu_ports(
         &self,

bin/propolis-server/src/lib/server.rs

@@ -497,18 +497,15 @@ async fn instance_ensure_common(
     // admittedly a big kludge until this can be better refactored.
     let vm = {
         let properties = properties.clone();
-        let use_reservoir = server_context.static_config.use_reservoir;
-        let bootrom = server_context.static_config.vm.bootrom.clone();
+        let server_context = server_context.clone();
         let log = server_context.log.clone();
         let hdl = tokio::runtime::Handle::current();
         let ctrl_hdl = hdl.clone();
-
         let vm_hdl = hdl.spawn_blocking(move || {
             VmController::new(
                 instance_spec,
                 properties,
-                use_reservoir,
-                bootrom,
+                &server_context.static_config,
                 producer_registry,
                 nexus_client,
                 log,

bin/propolis-server/src/lib/vm/mod.rs

@@ -35,7 +35,6 @@ use std::{
     collections::{BTreeMap, VecDeque},
     fmt::Debug,
     net::SocketAddr,
-    path::PathBuf,
     pin::Pin,
     sync::{Arc, Condvar, Mutex, Weak},
     task::{Context, Poll},
@@ -66,6 +65,7 @@ use crate::{
     initializer::{build_instance, MachineInitializer},
     migrate::MigrateError,
     serial::Serial,
+    server::StaticConfig,
     vm::request_queue::ExternalRequest,
 };
 
@@ -398,14 +398,14 @@ impl VmController {
     pub fn new(
         instance_spec: VersionedInstanceSpec,
         properties: InstanceProperties,
-        use_reservoir: bool,
-        bootrom: PathBuf,
+        &StaticConfig { vm: ref toml_config, use_reservoir, .. }: &StaticConfig,
         oximeter_registry: Option<ProducerRegistry>,
         nexus_client: Option<NexusClient>,
         log: Logger,
         runtime_hdl: tokio::runtime::Handle,
         stop_ch: oneshot::Sender<()>,
     ) -> anyhow::Result<Arc<Self>> {
+        let bootrom = &toml_config.bootrom;
         info!(log, "initializing new VM";
               "spec" => #?instance_spec,
               "properties" => #?properties,
@@ -460,6 +460,15 @@ impl VmController {
         init.initialize_qemu_debug_port()?;
         init.initialize_qemu_pvpanic(properties.id)?;
         init.initialize_network_devices(&chipset)?;
+
+        #[cfg(not(feature = "omicron-build"))]
+        init.initialize_test_devices(&toml_config.devices)?;
+        #[cfg(feature = "omicron-build")]
+        info!(
+            log,
+            "`omicron-build` feature enabled, ignoring any test devices"
+        );
+
         #[cfg(feature = "falcon")]
         init.initialize_softnpu_ports(&chipset)?;
         #[cfg(feature = "falcon")]

crates/propolis-server-config/src/lib.rs

@@ -82,7 +82,7 @@ pub struct PciBridge {
 
 /// A hard-coded device, either enabled by default or accessible locally
 /// on a machine.
-#[derive(Serialize, Deserialize, Debug, PartialEq)]
+#[derive(Clone, Serialize, Deserialize, Debug, PartialEq)]
 pub struct Device {
     pub driver: String,
 

lib/propolis/src/hw/mod.rs

@@ -10,5 +10,6 @@ pub mod nvme;
 pub mod pci;
 pub mod ps2;
 pub mod qemu;
+pub mod testdev;
 pub mod uart;
 pub mod virtio;

lib/propolis/src/hw/testdev.rs

@@ -0,0 +1,121 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Devices intended for testing purposes.
+//!
+//! These devices do things which are generally unwanted in real life, such as
+//! "intentionally breaking Propolis", "intentionally breaking the guest OS", or
+//! some combination of the two.
+use std::sync::{
+    atomic::{AtomicUsize, Ordering},
+    Arc,
+};
+
+use crate::inventory::Entity;
+use crate::migrate::*;
+
+use serde::{Deserialize, Serialize};
+use slog::info;
+
+/// A test device for simulating migration failures.
+pub struct MigrationFailureDevice {
+    log: slog::Logger,
+    exports: AtomicUsize,
+    imports: AtomicUsize,
+    fail: MigrationFailures,
+}
+
+pub struct MigrationFailures {
+    pub exports: usize,
+    pub imports: usize,
+}
+
+#[derive(Clone, Default, Deserialize, Serialize)]
+struct MigrationFailurePayloadV1 {}
+
+impl MigrationFailureDevice {
+    pub const NAME: &'static str = "test-migration-failure";
+
+    pub fn create(log: &slog::Logger, fail: MigrationFailures) -> Arc<Self> {
+        let log =
+            log.new(slog::o!("component" => "testdev", "dev" => Self::NAME));
+        info!(log,
+            "Injecting simulated migration failures";
+            "fail_exports" => %fail.exports,
+            "fail_imports" => %fail.imports,
+        );
+        Arc::new(Self {
+            log,
+            exports: AtomicUsize::new(0),
+            imports: AtomicUsize::new(0),
+            fail,
+        })
+    }
+}
+
+impl Entity for MigrationFailureDevice {
+    fn type_name(&self) -> &'static str {
+        MigrationFailureDevice::NAME
+    }
+    fn migrate(&self) -> Migrator {
+        Migrator::Single(self)
+    }
+}
+
+impl MigrateSingle for MigrationFailureDevice {
+    fn export(
+        &self,
+        _ctx: &MigrateCtx,
+    ) -> Result<PayloadOutput, MigrateStateError> {
+        let export_num = self.exports.fetch_add(1, Ordering::Relaxed);
+        if export_num < self.fail.exports {
+            info!(
+                self.log,
+                "failing export";
+                "export_num" => %export_num,
+                "fail_exports" => %self.fail.exports
+            );
+            return Err(MigrateStateError::Io(std::io::Error::new(
+                std::io::ErrorKind::Other,
+                "somebody set up us the bomb",
+            )));
+        }
+
+        info!(
+            self.log,
+            "exporting device";
+            "export_num" => %export_num,
+        );
+        Ok(MigrationFailurePayloadV1 {}.into())
+    }
+
+    fn import(
+        &self,
+        mut offer: PayloadOffer,
+        _ctx: &MigrateCtx,
+    ) -> Result<(), MigrateStateError> {
+        let import_num = self.imports.fetch_add(1, Ordering::Relaxed);
+        let fail = import_num < self.fail.imports;
+        info!(
+            self.log,
+            "importing device";
+            "import_num" => %import_num,
+            "will_fail" => %fail,
+        );
+        let MigrationFailurePayloadV1 {} = offer.parse()?;
+        if fail {
+            info!(self.log, "failing import");
+            return Err(MigrateStateError::ImportFailed(
+                "you have no chance to survive, make your time".to_string(),
+            ));
+        }
+        Ok(())
+    }
+}
+
+impl Schema<'_> for MigrationFailurePayloadV1 {
+    fn id() -> SchemaId {
+        ("testdev-migration-failure", 1)
+    }
+}

phd-tests/framework/src/test_vm/config.rs

@@ -2,6 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
+use std::collections::BTreeMap;
 use std::sync::Arc;
 
 use anyhow::Context;
@@ -44,8 +45,11 @@ pub struct VmConfig {
     bootrom_artifact: String,
     boot_disk: DiskRequest,
     data_disks: Vec<DiskRequest>,
+    devices: BTreeMap<String, propolis_server_config::Device>,
 }
 
+const MIGRATION_FAILURE_DEVICE: &str = "test-migration-failure";
+
 impl VmConfig {
     pub(crate) fn new(
         vm_name: &str,
@@ -68,6 +72,7 @@ impl VmConfig {
             bootrom_artifact: bootrom.to_owned(),
             boot_disk,
             data_disks: Vec::new(),
+            devices: BTreeMap::new(),
         }
     }
 
@@ -86,6 +91,29 @@ impl VmConfig {
         self
     }
 
+    pub fn named(&mut self, name: impl ToString) -> &mut Self {
+        self.vm_name = name.to_string();
+        self
+    }
+
+    pub fn fail_migration_exports(&mut self, exports: u32) -> &mut Self {
+        self.devices
+            .entry(MIGRATION_FAILURE_DEVICE.to_owned())
+            .or_insert_with(default_migration_failure_device)
+            .options
+            .insert("fail_exports".to_string(), exports.into());
+        self
+    }
+
+    pub fn fail_migration_imports(&mut self, imports: u32) -> &mut Self {
+        self.devices
+            .entry(MIGRATION_FAILURE_DEVICE.to_owned())
+            .or_insert_with(default_migration_failure_device)
+            .options
+            .insert("fail_imports".to_string(), imports.into());
+        self
+    }
+
     pub fn boot_disk(
         &mut self,
         artifact: &str,
@@ -132,6 +160,7 @@ impl VmConfig {
         let config_toml_contents =
             toml::ser::to_string(&propolis_server_config::Config {
                 bootrom: bootrom.clone().into(),
+                devices: self.devices.clone(),
                 ..Default::default()
             })
             .context("serializing Propolis server config")?;
@@ -241,3 +270,10 @@ impl VmConfig {
         })
     }
 }
+
+fn default_migration_failure_device() -> propolis_server_config::Device {
+    propolis_server_config::Device {
+        driver: MIGRATION_FAILURE_DEVICE.to_owned(),
+        options: Default::default(),
+    }
+}

phd-tests/framework/src/test_vm/mod.rs

@@ -231,7 +231,7 @@ impl TestVm {
         self.spec.clone()
     }
 
-    pub(crate) fn environment_spec(&self) -> EnvironmentSpec {
+    pub fn environment_spec(&self) -> EnvironmentSpec {
         self.environment_spec.clone()
     }