Skip to content

feat(firecracker): add direct microVM provider#358

Merged
vincentkoc merged 17 commits into
openclaw:mainfrom
coygeek:firecracker-provider
Jun 24, 2026
Merged

feat(firecracker): add direct microVM provider#358
vincentkoc merged 17 commits into
openclaw:mainfrom
coygeek:firecracker-provider

Conversation

@coygeek

@coygeek coygeek commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Closes #359

Summary

Adds a first-class firecracker provider that provisions direct local/self-hosted Firecracker microVMs as normal Crabbox SSH leases.

The provider includes:

  • provider registration, metadata, flags, env/config handling, and trust-gating for host execution paths
  • Linux-only Firecracker lifecycle using the Go SDK, per-lease state, SSH keys, rootfs copies, cloud-init metadata, CNI networking, resolve/list/release/cleanup, and rollback cleanup
  • structured doctor --provider firecracker --json readiness checks
  • provider docs, provider matrix updates, command docs, and a host-gated live smoke helper

Review Fixes

Structured review found and the branch fixes the following lifecycle and config issues:

  • acquire rollback now cleans network artifacts and terminates recorded Firecracker processes
  • KVM/CNI/jailer readiness checks are stricter and actionable
  • VM launch startup is bounded without canceling successful leases
  • Firecracker host execution paths are trust-gated for untrusted repo-local config
  • persisted state records use the effective SSH user
  • default kernel args boot from a writable /dev/vda rootfs
  • rootfs is attached before the cloud-init drive
  • ~ paths expand for Firecracker binary and jailer flags
  • retained-release cleanup is idempotent

Verification

  • gofmt -w $(git ls-files '*.go')
  • git diff --check
  • go vet ./...
  • go test ./internal/providers/firecracker
  • go test ./internal/cli -run 'Test.*Firecracker|TestProvidersJSONIncludesBuiltIns|TestLoadConfigFirecracker'
  • go test -race ./...
  • go build -trimpath -o bin/crabbox ./cmd/crabbox
  • node scripts/check-provider-matrix.mjs
  • node scripts/check-docs-links.mjs
  • node scripts/check-command-docs.mjs
  • node --test scripts/live-firecracker-smoke.test.js
  • CRABBOX_BIN=./bin/crabbox scripts/live-firecracker-smoke.sh --dry-run
  • CRABBOX_BIN=./bin/crabbox scripts/live-firecracker-smoke.sh
  • ~/.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

The live Firecracker smoke script was executed on a non-Linux/non-KVM host and correctly classified the result as environment_blocked with blocked host, binary, kernel, rootfs, and network checks. The dry-run and readiness-contract smoke tests passed.

Autoreview result: clean, no accepted/actionable findings reported.

@clawsweeper

clawsweeper Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge. Reviewed June 23, 2026, 11:04 PM ET / 03:04 UTC.

Summary
The branch adds a built-in Firecracker SSH-lease provider with config and flags, Linux SDK/CNI lifecycle state, cleanup, docs, tests, new Go dependencies, and a readiness smoke helper.

Reproducibility: not applicable. as a feature PR. The useful validation path is a successful real Linux/KVM Firecracker warmup, run or SSH, stop, and cleanup smoke, and the current evidence only reports an environment-blocked host check.

Review metrics: 2 noteworthy metrics.

  • Diff size: 38 files, +5408/-10. This is a broad provider addition spanning CLI config, provider lifecycle, docs, tests, scripts, and dependencies.
  • Direct Go dependencies: 3 added. The Firecracker SDK, CNI, and logrus dependencies expand the CLI runtime and supply-chain surface.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #359
Summary: This PR is the open implementation candidate for the canonical Firecracker provider issue; the AGX microVM PR is adjacent provider work, not a replacement.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted successful Linux/KVM Firecracker warmup, run or SSH, stop, and cleanup proof.
  • [P1] Resolve, replace, or explicitly accept the Socket archived-transitive-dependency warnings before merge.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The PR body reports tests and a non-KVM environment_blocked smoke, but not a successful real Linux/KVM Firecracker lease; add redacted terminal output, logs, or a recording and update the PR body for re-review.

Risk before merge

  • [P1] No successful real Linux/KVM Firecracker proof is posted yet, so warmup, SSH readiness, run or ssh, stop, and cleanup remain unproven in the target environment.
  • [P1] The PR introduces local Firecracker binary execution, KVM access, kernel/rootfs handling, CNI plugin execution, network namespace cleanup, and process signaling behind a built-in provider.
  • [P1] Socket flagged archived transitive packages pulled by the new dependency path, so maintainers need to accept, replace, or reduce that supply-chain risk before merge.
  • [P1] This is a first-class provider and config/docs surface, so product scope approval is separate from code correctness.

Maintainer options:

  1. Require real-host proof and dependency review (recommended)
    Ask for redacted terminal output, logs, or a recording from a Linux/KVM Firecracker host and decide whether to accept or replace the archived transitive dependency path before merge.
  2. Accept experimental provider risk
    Maintainers may intentionally merge with environment-blocked proof and Socket warnings if they are prepared to own first real-host validation and dependency follow-up after merge.
  3. Pause or narrow the provider
    If no suitable KVM host or dependency-risk decision is available, pause this broad built-in provider or replace it with a smaller maintainer-approved slice.

Next step before merge

  • [P1] The next action is contributor proof plus maintainer approval for built-in provider scope and dependency risk, not a narrow automated repair.

Security
Needs attention: Socket flagged archived transitive packages introduced by the new Firecracker dependency path, so maintainers need to accept or reduce that supply-chain risk.

Review details

Best possible solution:

Land only after maintainers accept the built-in Firecracker scope, review the dependency risk, and receive redacted successful Linux/KVM warmup, run or SSH, stop, and cleanup proof.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a feature PR. The useful validation path is a successful real Linux/KVM Firecracker warmup, run or SSH, stop, and cleanup smoke, and the current evidence only reports an environment-blocked host check.

Is this the best way to solve the issue?

Unclear until proof and maintainer signoff land. The adapter direction fits Crabbox's provider model, but a built-in local microVM provider with new dependencies and host execution paths needs explicit acceptance before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against a569f971a9f9.

Label changes

Label justifications:

  • P2: This is a normal-priority user-visible provider feature with broad but bounded blast radius until merged.
  • merge-risk: 🚨 security-boundary: The PR adds local KVM, Firecracker binary, kernel/rootfs, CNI plugin, and process-control behavior behind a built-in provider.
  • merge-risk: 🚨 availability: Incorrect lifecycle behavior could leave microVM processes, network namespaces, CNI state, or local artifacts behind on operator hosts.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body reports tests and a non-KVM environment_blocked smoke, but not a successful real Linux/KVM Firecracker lease; add redacted terminal output, logs, or a recording and update the PR body for re-review.
Evidence reviewed

Security concerns:

  • [medium] Review archived transitive dependency warnings — go.mod:26
    Socket reports archived transitive packages through the newly added Firecracker SDK/CNI dependency path, including mapstructure, opentracing-go, and urlesc; maintainers should accept that risk or choose a dependency path that avoids it.
    Confidence: 0.78

What I checked:

  • Repository policy read: AGENTS.md was read fully; its provider-neutral boundary and security/configuration guidance applies because the PR adds a built-in provider and local host execution paths. (AGENTS.md:13, a569f971a9f9)
  • Current main lacks raw Firecracker provisioning: Current main documents Tensorlake as Firecracker-backed delegated execution and explicitly says Crabbox does not provision raw Firecracker instances directly. (docs/providers/README.md:152, a569f971a9f9)
  • PR registers the requested provider: The PR head registers provider=firecracker as a Linux SSH-lease provider with ssh, crabbox-sync, cleanup, and coordinator=never. (internal/providers/firecracker/provider.go:18, 2f42e604fb21)
  • PR adds the lifecycle surface: The PR head implements acquire, resolve, list, release, cleanup, touch, and doctor behavior around Firecracker state, SSH, process, and network lifecycle. (internal/providers/firecracker/backend.go:163, 2f42e604fb21)
  • Host path trust gate exists: The PR applies repository-local Firecracker binary, jailer, kernel, rootfs, network, and CNI path config only from trusted config sources. (internal/cli/config.go:4663, 2f42e604fb21)
  • Real behavior proof is still insufficient: The PR body reports tests plus a non-Linux/non-KVM environment_blocked smoke, but no successful warmup, run or SSH, stop, and cleanup proof from a Linux/KVM Firecracker host. (2f42e604fb21)

Likely related people:

  • coygeek: Current main includes recent provider-foundation work by Coy Geek touching the same registry, config, and provider-docs surfaces, and this PR is the linked Firecracker implementation candidate. (role: recent provider contributor and linked implementation owner; confidence: high; commits: 6e7939dbdc63, a90b7807a9a0, 2f42e604fb21; files: internal/providers/all/all.go, internal/cli/config.go, docs/providers/README.md)
  • Vincent Koc: Current-main blame for provider registry/config surfaces points to Vincent Koc, and the latest PR-head commit handles Firecracker cross-platform process-signal compilation. (role: recent area contributor; confidence: medium; commits: 14d774f3eb00, 2f42e604fb21; files: internal/providers/all/all.go, internal/cli/config.go, docs/providers/README.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added the rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. label Jun 14, 2026

Copy link
Copy Markdown
Contributor

@clawsweeper re-review

The prior review timed out before producing findings. Please review the current head.

@clawsweeper

clawsweeper Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 15, 2026
coygeek and others added 16 commits June 24, 2026 10:30
Expose the first Firecracker provider contract so Crabbox can advertise the direct microVM surface, configure it consistently, and report actionable host readiness before lifecycle support lands.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Document the current Firecracker provider surface around config, doctor, and host prerequisites while lifecycle work is still pending. Add a read-only readiness smoke helper with tests so Linux and KVM blockers are classified honestly.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Replace the placeholder Firecracker lifecycle with state-backed acquire,
resolve, list, release, and cleanup flows behind the existing provider
contract. Add rootfs and cloud-init artifact management, Linux-specific VM
launchers, and lifecycle regression tests for rollback and retained-artifact
behavior.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Build the SDK Firecracker command with the same launch context used for VM startup so timeout cancellation can terminate the child process before PID capture is available.

Extend the launch-timeout regression test to verify both machine construction and startup receive the bounded context.
Set the default Firecracker kernel command line to mount the first drive as a writable /dev/vda root filesystem so standard guests can boot and Crabbox can bootstrap them.

Document the guest-image expectation and assert the launch config carries the writable root device contract.
Attach the writable rootfs before the cloud-init drive so the default root=/dev/vda kernel args mount the intended filesystem.

Also expand user-home paths for Firecracker binary and jailer flags to match the rest of the provider path handling.
Separate Firecracker's long-lived process context from the launch timeout so successful leases are not canceled as acquire returns.

Cancel the process context only on startup failure, launch timeout, or rollback, with regression coverage for both successful acquire and timeout cleanup.
Always signal a recorded Firecracker PID during acquire rollback before removing network and state artifacts, even when SDK StopVMM reports success.

Extend the SSH-readiness rollback regression to assert the recorded process receives SIGTERM and is no longer considered alive.
Skip network teardown for retained Firecracker records that have already been released and no longer track a live PID, while preserving active-release and rollback cleanup.

Extend retained-artifact coverage to prove later cleanup removes state without repeating network cleanup.
@vincentkoc vincentkoc force-pushed the firecracker-provider branch from 47db201 to 6d80d85 Compare June 24, 2026 02:38
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgolang/​github.com/​firecracker-microvm/​firecracker-go-sdk@​v1.0.075100100100100
Addedgolang/​github.com/​containernetworking/​cni@​v1.0.190100100100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Deprecated by its maintainer: golang github.com/mitchellh/mapstructure

Reason: Repository has been archived by the owner.

From: ?golang/github.com/lxc/incus/v7@v7.1.0golang/github.com/firecracker-microvm/firecracker-go-sdk@v1.0.0golang/github.com/mitchellh/mapstructure@v1.5.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/mitchellh/mapstructure@v1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: golang github.com/opentracing/opentracing-go

Reason: Repository has been archived by the owner.

From: ?golang/github.com/firecracker-microvm/firecracker-go-sdk@v1.0.0golang/github.com/opentracing/opentracing-go@v1.2.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/opentracing/opentracing-go@v1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: golang github.com/PuerkitoBio/urlesc

Reason: Repository has been archived by the owner.

From: ?golang/github.com/PuerkitoBio/urlesc@v0.0.0-20170810143723-de5bf2ad4578

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/PuerkitoBio/urlesc@v0.0.0-20170810143723-de5bf2ad4578. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@vincentkoc vincentkoc merged commit 0535a62 into openclaw:main Jun 24, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add first-class Firecracker microVM provider support

3 participants