Support fuzzing on GCE

[pimyn-girgis]

---

Before sending a pull request, please review Contribution Guidelines:
https://github.com/google/syzkaller/blob/master/docs/contributing.md

---

[a-nogikh]

(Reviewed not all commits yet)

Please send the first commit as a separate PR, we'll merge it right away.

---

Regarding syz-cluster integration: there's one that we need to double-check - bootable disk images. For qemu, we only need a generic disk image (the buildroot one) + the kernel image (the bzImage file). And we do definitely pass on the kernel image file form the build step to the boot/fuzz/retest actions + the syz-manager configs correctly reference it.

For gce, a kernel image must be incorporated into the disk image (/pkg/build takes care of that). But it means that we should take the image out of pkg/build.Image and make sure that it's also passed on to other action and that all gce manager configs reference it and not the generic buildroot image.

---

Another action item here is to make sure that boot/fuzz/test pods (to be more precise, the service accounts they use) have the permissions to use the GCS and GCE APIs.

Even better (but not critical, we can skip it), if they only have these permissions if VM type is gce.

One more thing is that it makes no sense to request a lot of CPUs and RAM for the pods with gce VM type (afaik we set it in the argo workflow templates). Also such pods do not have to stay on the pool of machines with nested virtualization support:

syzkaller/syz-cluster/overlays/gke/common/kustomization.yaml

Lines 13 to 32 in 86914af

	patches:
	- target:
	kind: WorkflowTemplate
	name: (boot|fuzz)-action-template
	patch: |-
	- op: replace
	path: /spec/templates/0/tolerations
	value:
	- key: "workload"
	operator: "Equal"
	value: "nested-vm"
	effect: "NoSchedule"
	- target:
	kind: WorkflowTemplate
	name: (boot|fuzz)-action-template
	patch: |-
	- op: replace
	path: /spec/templates/0/nodeSelector
	value:
	amd64-nested-virtualization: "true"

---

Yet another point to take care of is that now syz-manager names does begin to be important as they will be used for the GCE images that would be created and as a prefix for the transient fuzzing VMs. It must be unique.

[a-nogikh]

** Thinking out loud **

The structure has become a bit too broad - it has both the fields that we need for the syz-manager config (Focus, VMType, later maybe Arch as well) and the fields we only need for focused fuzzing (CorpusURLs, etc).

Maybe we need a separate structure like SyzkallerConfig or EnvConfig to only include the information truly relevant for running a syz-manager --mode=smoke or pkg/manager/diff. And then nest it into both FuzzConfig (which can become FuzzTask) and RetestTask.

Wdyt?

[a-nogikh]

Would be nice to have at least some gce tests (see testdata).

[a-nogikh]

Please split off pkg/gce, vm/gce: auto delete instances if VMRunningTime is set in config to a separate commit. It would be very nice to test it locally before we merge it, e.g. by setting up a syzkaller instance on GCP and letting it run for some time.

(And note that we typically use shorter commit titles)

[pimyn-girgis]

@a-nogikh PTAL

I still need to:

1. check that SAs have permission to use required GCS and GCE APIs.
2. check that bootable disk images are referenced correctly
3. add gce tests for fuzzconfig/generate.go
4. address the comment about separating structs

[a-nogikh]

One random idea (idk if it's better or not).

Instead of random names, we could maintain a poll of reusable images and GCS files. E.g. if a manager is named ci-upstream, it would look up ci-upstream-image-0, ci-upstream-image-1 and check their last_active tags.

If GCE API allows to determine concurrent label updates (so that if two managers change labels concurrently, only one wins), we can let them contest for the images.

In that case, we wouldn't really need to delete any other images, only the one we've managed to grab (?)

[a-nogikh]

Nit: it's not really about efficiency :)
Let's maybe it just be gce / qemu?

In this case we also should not demand that the pod is scheduled specifically on the node pool with nested vm support.

Same for the retest and boot steps.

[pimyn-girgis]

I wanted to decouple the vm type from the machine capabilities, only using it in the first stage and propagating it further. What do you think of profile names like "low" and "high"?
I'm also not very fixated on decoupling, so if you prefer, I'll go with qemu/gce.

[a-nogikh]

This path should be configurable somewhere, as it depends on the used GCP project.

[a-nogikh]

Shall we then also switch fuzz and retest to use it? fuzz still has readFuzzConfig.

Nit: I think it could be called ReadFromFile as it's evident from the package name that it's about fuzz config.

[a-nogikh]

For gce, we may want to change the machine type from e2 to some that supports nested virtualization. AFAIK it's either n2 or n2d (needs double-checking).

[a-nogikh]

Maybe move it to https://github.com/google/syzkaller/blob/master/syz-cluster/pkg/app/config.go's validation checks?
The arch ultimately comes from Trees/FuzzTargets anyway.

[a-nogikh]

Would be very nice to see some gce tests in testdata/.

[a-nogikh]

I'm hesitating whether we want to renew the image label on VM creation.

In syz-manager, you could pause and resume its execution:

syzkaller/pkg/manager/http.go

Line 137 in d9b7f62

case "pause":

If the manager is paused for longer than VMRunningTime, session will break.

[a-nogikh]

What error would we get in that case? If one manager would get success and the other something like "operation in progress" or "not found", maybe it's okay to just tolerate those errors?

[a-nogikh]

One potential problem to double-check: AFAIK we are first uploading the image to the GCS bucket on gcs_path. Do we use manager's name for the file?

In that case, we could accumulate there a lot of garbage.