support shadow simulations on more runners
Currently we only have one runner (ci-runner-x86-03-shadow) that supports running Shadow simulations. While runners with less RAM like ci-runner-01 can't be used for large-scale tor simulations, it'd be useful if they could be used for smaller simulations. This would be useful for doing small test runs of the https://gitlab.torproject.org/jnewsome/sponsor-61-sims pipeline, and later for running small shadow sims for arti and/or tor integration testing (tpo/core/arti#174 (closed)).
Cross-referencing #40327 (closed), I think for other runners we'd need to:
- Set
shm_size
to something larger. Half of the VM's RAM is a reasonable starting point, I think. (Note this doesn't pre-reserve any RAM, just makes it available to potentially allocate in /dev/shm). - Add
cap_add = ["SYS_PTRACE"]
. Although shadow no longer uses ptrace itself by default, I think this capability is still required for related APIs it does use (e.g.process_vm_readv
) - Use a recent or customized seccomp policy that allows pidfd_open (see #40327 (comment 2743878))
It'd be nice to also disable the speculative store bypass mitigation for the sake of performance (#40327 (comment 2743641)), but not strictly necessary.
We'd also want to either add a /shadow
volume as per #40476 (closed), or add a tag to ci-runner-x86-03-shadow
to indicate it has such a volume. Or maybe we'd decide the shadow
tag is what denotes such a runner. (The sponsor-61-sims
pipeline runs fine on runners that don't have such a volume attached, but we only want to run "production" runs of the pipeline where /shadow
is persistent)