Fix UFFD panic in template build (#1088)

Author: dobrac

packages/orchestrator/internal/sandbox/block/empty.go

@@ -30,7 +30,7 @@ func NewEmpty(size int64, blockSize int64, buildID uuid.UUID) (*Empty, error) {
 func (e *Empty) ReadAt(p []byte, off int64) (int, error) {
 	slice, err := e.Slice(off, int64(len(p)))
 	if err != nil {
-		return 0, fmt.Errorf("failed to slice mmap: %w", err)
+		return 0, fmt.Errorf("failed to slice empty: %w", err)
 	}
 
 	return copy(p, slice), nil

packages/orchestrator/internal/sandbox/template/local_template.go

@@ -50,8 +50,3 @@ func (t *LocalTemplate) Snapfile() (File, error) {
 func (t *LocalTemplate) Metadata() (metadata.Template, error) {
 	return metadata.Template{}, errors.New("metadata not available in local template")
 }
-
-func (t *LocalTemplate) ReplaceMemfile(memfile block.ReadonlyDevice) error {
-	t.memfile = memfile
-	return nil
-}

packages/orchestrator/internal/sandbox/template/mask_template.go

@@ -0,0 +1,68 @@
+package template
+
+import (
+	"github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/block"
+	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/metadata"
+	"github.com/e2b-dev/infra/packages/shared/pkg/storage"
+)
+
+type MaskTemplate struct {
+	template Template
+
+	memfile *block.ReadonlyDevice
+}
+
+type MaskTemplateOption func(*MaskTemplate)
+
+func WithMemfile(memfile block.ReadonlyDevice) MaskTemplateOption {
+	return func(c *MaskTemplate) {
+		c.memfile = &memfile
+	}
+}
+
+func NewMaskTemplate(
+	template Template,
+	opts ...MaskTemplateOption,
+) *MaskTemplate {
+	t := &MaskTemplate{
+		template: template,
+		memfile:  nil,
+	}
+
+	for _, opt := range opts {
+		opt(t)
+	}
+
+	return t
+}
+
+func (c *MaskTemplate) Close() error {
+	if c.memfile != nil {
+		return (*c.memfile).Close()
+	}
+
+	return nil
+}
+
+func (c *MaskTemplate) Files() storage.TemplateCacheFiles {
+	return c.template.Files()
+}
+
+func (c *MaskTemplate) Memfile() (block.ReadonlyDevice, error) {
+	if c.memfile != nil {
+		return *c.memfile, nil
+	}
+	return c.template.Memfile()
+}
+
+func (c *MaskTemplate) Rootfs() (block.ReadonlyDevice, error) {
+	return c.template.Rootfs()
+}
+
+func (c *MaskTemplate) Snapfile() (File, error) {
+	return c.template.Snapfile()
+}
+
+func (c *MaskTemplate) Metadata() (metadata.Template, error) {
+	return c.template.Metadata()
+}

packages/orchestrator/internal/sandbox/template/storage_template.go

@@ -75,7 +75,11 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 
 	wg.Go(func() error {
 		if t.localSnapfile != nil {
-			return t.snapfile.SetValue(t.localSnapfile)
+			if err := t.snapfile.SetValue(t.localSnapfile); err != nil {
+				return fmt.Errorf("failed to set local snapfile: %w", err)
+			}
+
+			return nil
 		}
 
 		snapfile, snapfileErr := newStorageFile(
@@ -87,15 +91,27 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 		if snapfileErr != nil {
 			errMsg := fmt.Errorf("failed to fetch snapfile: %w", snapfileErr)
 
-			return t.snapfile.SetError(errMsg)
+			if err := t.snapfile.SetError(errMsg); err != nil {
+				return fmt.Errorf("failed to set snapfile error: %w", errors.Join(errMsg, err))
+			}
+
+			return nil
 		}
 
-		return t.snapfile.SetValue(snapfile)
+		if err := t.snapfile.SetValue(snapfile); err != nil {
+			return fmt.Errorf("failed to set snapfile: %w", err)
+		}
+
+		return nil
 	})
 
 	wg.Go(func() error {
 		if t.localMetafile != nil {
-			return t.metafile.SetValue(t.localMetafile)
+			if err := t.metafile.SetValue(t.localMetafile); err != nil {
+				return fmt.Errorf("failed to set local metafile: %w", err)
+			}
+
+			return nil
 		}
 
 		meta, err := newStorageFile(
@@ -105,7 +121,12 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 			t.files.CacheMetadataPath(),
 		)
 		if err != nil && !errors.Is(err, storage.ErrorObjectNotExist) {
-			return t.metafile.SetError(fmt.Errorf("failed to fetch metafile: %w", err))
+			sourceErr := fmt.Errorf("failed to fetch metafile: %w", err)
+			if err := t.metafile.SetError(sourceErr); err != nil {
+				return fmt.Errorf("failed to set metafile error: %w", errors.Join(sourceErr, err))
+			}
+
+			return nil
 		}
 
 		if err != nil {
@@ -118,15 +139,28 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 			oldTemplateMetadata := metadata.V1TemplateVersion()
 			err := oldTemplateMetadata.ToFile(t.files.CacheMetadataPath())
 			if err != nil {
-				return t.metafile.SetError(fmt.Errorf("failed to write v1 template metadata to a file: %w", err))
+				sourceErr := fmt.Errorf("failed to write v1 template metadata to a file: %w", err)
+				if err := t.metafile.SetError(sourceErr); err != nil {
+					return fmt.Errorf("failed to set metafile error: %w", errors.Join(sourceErr, err))
+				}
+
+				return nil
 			}
 
-			return t.metafile.SetValue(&storageFile{
+			if err := t.metafile.SetValue(&storageFile{
 				path: t.files.CacheMetadataPath(),
-			})
+			}); err != nil {
+				return fmt.Errorf("failed to set metafile v1: %w", err)
+			}
+
+			return nil
 		}
 
-		return t.metafile.SetValue(meta)
+		if err := t.metafile.SetValue(meta); err != nil {
+			return fmt.Errorf("failed to set metafile value: %w", err)
+		}
+
+		return nil
 	})
 
 	wg.Go(func() error {
@@ -143,10 +177,18 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 		if memfileErr != nil {
 			errMsg := fmt.Errorf("failed to create memfile storage: %w", memfileErr)
 
-			return t.memfile.SetError(errMsg)
+			if err := t.memfile.SetError(errMsg); err != nil {
+				return fmt.Errorf("failed to set memfile error: %w", errors.Join(errMsg, err))
+			}
+
+			return nil
+		}
+
+		if err := t.memfile.SetValue(memfileStorage); err != nil {
+			return fmt.Errorf("failed to set memfile value: %w", err)
 		}
 
-		return t.memfile.SetValue(memfileStorage)
+		return nil
 	})
 
 	wg.Go(func() error {
@@ -162,16 +204,24 @@ func (t *storageTemplate) Fetch(ctx context.Context, buildStore *build.DiffStore
 		if rootfsErr != nil {
 			errMsg := fmt.Errorf("failed to create rootfs storage: %w", rootfsErr)
 
-			return t.rootfs.SetError(errMsg)
+			if err := t.rootfs.SetError(errMsg); err != nil {
+				return fmt.Errorf("failed to set rootfs error: %w", errors.Join(errMsg, err))
+			}
+
+			return nil
+		}
+
+		if err := t.rootfs.SetValue(rootfsStorage); err != nil {
+			return fmt.Errorf("failed to set rootfs value: %w", err)
 		}
 
-		return t.rootfs.SetValue(rootfsStorage)
+		return nil
 	})
 
 	err := wg.Wait()
 	if err != nil {
 		zap.L().Error("failed to fetch template files",
-			zap.String("build_id", t.files.BuildID),
+			logger.WithBuildID(t.files.BuildID),
 			zap.Error(err),
 		)
 		return
@@ -206,10 +256,3 @@ func (t *storageTemplate) Metadata() (metadata.Template, error) {
 
 	return metadata.FromFile(metafile.Path())
 }
-
-func (t *storageTemplate) ReplaceMemfile(memfile block.ReadonlyDevice) error {
-	m := utils.NewSetOnce[block.ReadonlyDevice]()
-	m.SetValue(memfile)
-	t.memfile = m
-	return nil
-}

packages/orchestrator/internal/sandbox/template/template.go

@@ -13,7 +13,6 @@ import (
 type Template interface {
 	Files() storage.TemplateCacheFiles
 	Memfile() (block.ReadonlyDevice, error)
-	ReplaceMemfile(block.ReadonlyDevice) error
 	Rootfs() (block.ReadonlyDevice, error)
 	Snapfile() (File, error)
 	Metadata() (metadata.Template, error)

packages/orchestrator/internal/template/build/core/memory/memory.go

@@ -31,24 +31,20 @@ func NewCreateSandbox(config sandbox.Config, fcVersions fc.FirecrackerVersions)
 func (f *CreateSandbox) Sandbox(
 	ctx context.Context,
 	layerExecutor *LayerExecutor,
-	template sbxtemplate.Template,
+	sourceTemplate sbxtemplate.Template,
 ) (*sandbox.Sandbox, error) {
 	// Create new memfile with the size of the sandbox RAM, this updates the underlying memfile.
 	// This is ok as the sandbox is started from the beginning.
-	var memfile block.ReadonlyDevice
 	memfile, err := block.NewEmpty(
 		f.config.RamMB<<constants.ToMBShift,
 		config.MemfilePageSize(f.config.HugePages),
-		uuid.MustParse(template.Files().BuildID),
+		uuid.MustParse(sourceTemplate.Files().BuildID),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("create memfile: %w", err)
 	}
 
-	err = template.ReplaceMemfile(memfile)
-	if err != nil {
-		return nil, fmt.Errorf("replace memfile: %w", err)
-	}
+	template := sbxtemplate.NewMaskTemplate(sourceTemplate, sbxtemplate.WithMemfile(memfile))
 
 	// In case of a new sandbox, base template ID is now used as the potentially exported template base ID.
 	sbx, err := sandbox.CreateSandbox(

packages/orchestrator/internal/template/build/layer/create_sandbox.go

@@ -12,8 +12,8 @@ import (
 	"github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/block"
 	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/build/buildcontext"
 	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/build/config"
-	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/build/core/memory"
 	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/build/core/rootfs"
+	"github.com/e2b-dev/infra/packages/orchestrator/internal/template/constants"
 	artifactsregistry "github.com/e2b-dev/infra/packages/shared/pkg/artifacts-registry"
 )
 
@@ -26,7 +26,7 @@ func constructLayerFilesFromOCI(
 	artifactRegistry artifactsregistry.ArtifactsRegistry,
 	templateBuildDir string,
 	rootfsPath string,
-) (r *block.Local, m *block.Local, c containerregistry.Config, e error) {
+) (r *block.Local, m block.ReadonlyDevice, c containerregistry.Config, e error) {
 	childCtx, childSpan := tracer.Start(ctx, "template-build")
 	defer childSpan.End()
 
@@ -59,15 +59,14 @@ func constructLayerFilesFromOCI(
 	}
 
 	// Create empty memfile
-	memfilePath, err := memory.NewMemory(templateBuildDir, buildContext.Config.MemoryMB)
+	memfile, err := block.NewEmpty(
+		buildContext.Config.MemoryMB<<constants.ToMBShift,
+		config.MemfilePageSize(buildContext.Config.HugePages),
+		buildIDParsed,
+	)
 	if err != nil {
 		return nil, nil, containerregistry.Config{}, fmt.Errorf("error creating memfile: %w", err)
 	}
 
-	memfile, err := block.NewLocal(memfilePath, config.MemfilePageSize(buildContext.Config.HugePages), buildIDParsed)
-	if err != nil {
-		return nil, nil, containerregistry.Config{}, fmt.Errorf("error creating memfile blocks: %w", err)
-	}
-
 	return rootfs, memfile, imgConfig, nil
 }