From 157f3326dd0ac91accf568b001e665508c6f6169 Mon Sep 17 00:00:00 2001
From: randomizedcoder
Date: Wed, 13 May 2026 09:36:44 -0700
Subject: [PATCH 1/3] nix: skip tap microvm tests with actionable hint when host network is missing

pcp-test-all-microvms previously reported VM_START_FAILED for the base-tap, eval-tap and grafana-tap variants when the host TAP bridge and device had not been created. The failure mode gave no hint that sudo nix run .#pcp-network-setup was the fix.

Detect the bridge and TAP device up front and, when they are not present, print a banner pointing at pcp-check-host / pcp-network-setup and mark the three tap variants as "SKIPPED (tap network not set up)" in the summary, mirroring the existing --skip-tap path (which is now labelled "SKIPPED (--skip-tap)" so the two skip reasons are distinguishable).

Non-tap variants are unaffected and the run still exits 0 when only tap variants are skipped, matching --skip-tap semantics.

Co-Authored-By: Claude Opus 4.7
---
 build/nix/tests/test-all-microvms.nix | 51 +++++++++++++++++++++++----
 1 file changed, 45 insertions(+), 6 deletions(-)

diff --git a/build/nix/tests/test-all-microvms.nix b/build/nix/tests/test-all-microvms.nix
index 4d74fecd33..0ad1a9446b 100644
--- a/build/nix/tests/test-all-microvms.nix
+++ b/build/nix/tests/test-all-microvms.nix
@@ -81,6 +81,7 @@ pkgs.writeShellApplication {
 gnugrep
 procps
 nix
+ iproute2
 ];
 text = ''
 set +e # Don't exit on error - we want to continue and report all results
@@ -91,6 +92,8 @@ pkgs.writeShellApplication {
 SSH_RETRY_DELAY=${toString constants.test.sshRetryDelaySeconds}
 BASE_SSH_PORT=${toString constants.ports.sshForward}
 TAP_VM_IP="${constants.network.vmIp}"
+ TAP_BRIDGE="${constants.network.bridge}"
+ TAP_DEVICE="${constants.network.tap}"

 # Service warmup: wait for services to fully start after SSH connects
 # pmlogger takes ~9s, Grafana HTTP takes ~17s after service activation
@@ -259,6 +262,16 @@ pkgs.writeShellApplication {
 run_ssh_check "$host" "$port" "pminfo kernel.all.load" "pminfo -f kernel.all.load"
 }

+ # Check whether host TAP networking has been set up.
+ # Returns 0 if both the bridge and TAP device exist on the host.
+ # Note: operational state may be DOWN when no VM is attached — that is
+ # the normal pre-test condition, so we only check for existence.
+ check_tap_network() {
+ ip link show "$TAP_BRIDGE" >/dev/null 2>&1 || return 1
+ ip link show "$TAP_DEVICE" >/dev/null 2>&1 || return 1
+ return 0
+ }
+
 # Check Grafana HTTP endpoint (with retry - Grafana needs extra startup time)
 check_grafana_http() {
 local host="$1"
@@ -546,6 +559,24 @@ pkgs.writeShellApplication {
 # Ensure clean state
 stop_all_vms

+ # Preflight: detect whether host TAP networking is set up.
+ # When it is not, tap variants are skipped with an actionable hint
+ # instead of failing with an opaque VM_START_FAILED.
+ TAP_NETWORK_READY=true
+ if check_tap_network; then
+ log "TAP networking detected ($TAP_BRIDGE, $TAP_DEVICE)"
+ else
+ TAP_NETWORK_READY=false
+ log_section "TAP networking not set up — tap variants will be skipped"
+ echo "Bridge '$TAP_BRIDGE' or TAP device '$TAP_DEVICE' is not present/up."
+ echo ""
+ echo "To enable tap variants (base-tap, eval-tap, grafana-tap), run:"
+ echo " nix run .#pcp-check-host"
+ echo " sudo nix run .#pcp-network-setup"
+ echo ""
+ echo "Then re-run this test. To suppress this message, pass --skip-tap."
+ fi
+
 # Define test order (NOTE: BCC is deprecated - use BPF PMDA instead)
 VARIANT_ORDER=(base base-tap eval eval-tap grafana grafana-tap bpf)
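Review bot: In the preflight block (the hunk at -546), the banner is printed whenever `check_tap_network` fails and no test of `$SKIP_TAP` appears in the lines shown, so the closing hint "To suppress this message, pass --skip-tap" does not hold unless a guard exists outside the hunk. Gating the check, for example `if [[ "$SKIP_TAP" == "true" ]]; then log "TAP preflight skipped (--skip-tap)"` followed by `elif check_tap_network; then`, would make the hint true, assuming SKIP_TAP has already been parsed at this point. The banner also reports the bridge or device as "not present/up", while `check_tap_network` deliberately tests existence only; ending that message with `is not present.` would match what is actually checked.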
@@ -555,12 +586,20 @@ pkgs.writeShellApplication {
 continue
 fi

- # Skip TAP variants if requested
- if [[ "$SKIP_TAP" == "true" ]] && [[ "$key" == *"-tap" ]]; then
- RESULTS[$key]="SKIPPED"
- DURATIONS[$key]=0
- TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
- continue
+ # Skip TAP variants when requested or when host networking is not set up.
+ if [[ "$key" == *"-tap" ]]; then
+ if [[ "$SKIP_TAP" == "true" ]]; then
+ RESULTS[$key]="SKIPPED (--skip-tap)"
+ DURATIONS[$key]=0
+ TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
+ continue
+ fi
+ if [[ "$TAP_NETWORK_READY" == "false" ]]; then
+ RESULTS[$key]="SKIPPED (tap network not set up)"
+ DURATIONS[$key]=0
+ TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
+ continue
+ fi
 fi

 # Get variant properties
From f8637e636b94ae7728559f95052148ed6eca3cdc Mon Sep 17 00:00:00 2001
From: randomizedcoder
Date: Wed, 13 May 2026 10:07:12 -0700
Subject: [PATCH 2/3] nix: bump nixpkgs to 2026-05-10 and microvm.nix to 2026-05-13

Updates the nixpkgs input from 2026-01-05 to 2026-05-10. Bumping nixpkgs alone broke MicroVM evaluation because the newer ZFS module forces resolution of fileSystems."/nix/store".fsType during initrd configuration, which is set by microvm.nix's 9p share but not in time under the new option-evaluation order. Updating microvm.nix from 2026-02-22 to 2026-05-13 (its corresponding tracking version) restores eval and the MicroVM lifecycle tests pass with the new nixpkgs.

Co-Authored-By: Claude Opus 4.7
---
 flake.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/flake.lock b/flake.lock
index 18301f739f..8be4ded7ff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -26,11 +26,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1771802632, - "narHash": "sha256-UAH8YfrHRvXAMeFxUzJ4h4B1loz1K1wiNUNI8KiPqOg=", + "lastModified": 1778669912, + "narHash": "sha256-WT2iimtOBZM/6AcZeBoJU2EgUSaywtlItsEgNkZBda0=", "owner": "astro", "repo": "microvm.nix", - "rev": "b67e3d80df3ec35bdfd3a00ad64ee437ef4fcded", + "rev": "a7a7009064cec75d9da652c6723412ce27b9bc44", "type": "github" }, "original": { @@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767640445, - "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=", + "lastModified": 1778443072, + "narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5", + "rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32", "type": "github" }, "original": { @@ -65,11 +65,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", + "lastModified": 1772189877, + "narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=", "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, + "rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358", + "revCount": 1255, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, From d1a1cbcfdca6da283c14a2de057471b08b4616d1 Mon Sep 17 00:00:00 2001 
From: randomizedcoder
Date: Wed, 13 May 2026 12:07:16 -0700
Subject: [PATCH 3/3] nix: set explicit grafana secret_key for newer nixpkgs

The Grafana NixOS module no longer provides a default for services.grafana.settings.security.secret_key and asserts that operators set their own. Without this, eval of the grafana MicroVM variant fails with:

Failed assertions: - Grafana's secret key (services.grafana.settings.security.secret_key) doesn't have a default value anymore. Please generate your own and use a file-provider on this option!

The dev MicroVM is already documented as local-development-only (the admin password is the literal string "pcp" and a warning is emitted on activation), so a hardcoded non-default value satisfies the assertion without changing the security posture. A file-provider would only meaningfully help if there were real persistent secrets to protect, which there aren't in this test image.

Co-Authored-By: Claude Opus 4.7
---
 build/nix/grafana.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/build/nix/grafana.nix b/build/nix/grafana.nix
index 05e47e804c..c8cd5c1132 100644
--- a/build/nix/grafana.nix
+++ b/build/nix/grafana.nix
@@ -142,6 +142,10 @@ in
 security = {
 admin_user = "admin";
 admin_password = cfg.adminPassword;
+ # Newer NixOS grafana modules assert this is set explicitly (no default).
+ # The dev microvm has no real secrets to protect — the file already
+ # warns this is for local development only.
+ secret_key = "pcp-microvm-dev-only-not-a-real-secret";
 };

 # Disable analytics/phone-home
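Review bot: The `secret_key` literal is set unconditionally inside `security = { … }`, and nothing in this hunk restricts it to the dev MicroVM, so any configuration that imports grafana.nix would protect the data-source credentials and other secrets Grafana stores in its database with a key that is published in the repository and readable in the Nix store. Since `admin_password` already comes from `cfg.adminPassword`, the key could follow the same pattern: a module option whose default is the dev value, or `secret_key = lib.mkDefault "pcp-microvm-dev-only-not-a-real-secret";` if `lib` is in scope in this file, so a consumer can supply a file-provider value such as `$__file{<path-to-secret>}` without patching the module. The added comment would also be more useful if it stated what the key protects in Grafana, so a later reader can judge when the dev value stops being acceptable. The enclosing attribute set begins and ends outside the hunk.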