chore: update Lima VM config and CI pipeline for v1.5.0

Lima wfe-test VM: Alpine with system containerd + BuildKit from apk,
TCP socat proxy for reliable gRPC transport, probes with sudo for
socket permission fixes. 2 core / 4GB / 20GB.

CI pipeline: add wfe-rustlang to feature-tests, package, and publish
steps. Container tests use TCP proxy (http://127.0.0.1:2500) instead
of Unix socket forwarding. Containerd tests set WFE_IO_DIR for shared
filesystem support.

test/lima/wfe-test.yaml

@@ -1,18 +1,22 @@
-# WFE Test VM — BuildKit + containerd with host-accessible sockets
+# WFE Test VM — Alpine + containerd + BuildKit
 #
-# Provides both buildkitd and containerd daemons with Unix sockets
+# Lightweight VM for running wfe-buildkit and wfe-containerd integration tests.
-# forwarded to the host for integration testing.
+# Provides system-level containerd and BuildKit daemons with Unix sockets
+# forwarded to the host.
 #
 # Usage:
-#   limactl start ./test/lima/wfe-test.yaml
+#   limactl create --name wfe-test ./test/lima/wfe-test.yaml
+#   limactl start wfe-test
 #
 # Sockets (on host after start):
-#   BuildKit:   unix://$HOME/.lima/wfe-test/sock/buildkitd.sock
+#   BuildKit:   unix://$HOME/.lima/wfe-test/buildkitd.sock
-#   containerd: unix://$HOME/.lima/wfe-test/sock/containerd.sock
+#   containerd: unix://$HOME/.lima/wfe-test/containerd.sock
 #
-# Verify:
+# Run tests:
-#   BUILDKIT_HOST="unix://$HOME/.lima/wfe-test/sock/buildkitd.sock" buildctl debug workers
+#   WFE_BUILDKIT_ADDR="unix://$HOME/.lima/wfe-test/buildkitd.sock" \
-#   # containerd accessible via gRPC at unix://$HOME/.lima/wfe-test/sock/containerd.sock
+#   WFE_CONTAINERD_ADDR="unix://$HOME/.lima/wfe-test/containerd.sock" \
+#   cargo test -p wfe-buildkit -p wfe-containerd --test integration
+#   cargo test -p wfe-yaml --features rustlang,containerd --test rustlang_containerd -- --ignored
 #
 # Teardown:
 #   limactl stop wfe-test
@@ -21,30 +25,117 @@
 message: |
   WFE integration test VM is ready.
 
-  BuildKit socket:   unix://{{.Dir}}/sock/buildkitd.sock
+  containerd: http://127.0.0.1:2500  (TCP proxy, use for gRPC)
-  containerd socket: unix://{{.Dir}}/sock/containerd.sock
+  BuildKit:   http://127.0.0.1:2501  (TCP proxy, use for gRPC)
-
-  Verify BuildKit:
-    BUILDKIT_HOST="unix://{{.Dir}}/sock/buildkitd.sock" buildctl debug workers
 
   Run tests:
-    WFE_BUILDKIT_ADDR="unix://{{.Dir}}/sock/buildkitd.sock" \
+    WFE_CONTAINERD_ADDR="http://127.0.0.1:2500" \
-    WFE_CONTAINERD_ADDR="unix://{{.Dir}}/sock/containerd.sock" \
+    WFE_BUILDKIT_ADDR="http://127.0.0.1:2501" \
-    cargo nextest run -p wfe-buildkit -p wfe-containerd
+    cargo test -p wfe-yaml --features rustlang,containerd --test rustlang_containerd -- --ignored
 
-minimumLimaVersion: 2.0.0
+minimumLimaVersion: "2.0.0"
 
-base: template:_images/ubuntu-lts
+vmType: vz
+mountType: virtiofs
+cpus: 2
+memory: 4GiB
+disk: 20GiB
+
+images:
+  - location: "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/cloud/nocloud_alpine-3.21.6-aarch64-uefi-cloudinit-r0.qcow2"
+    arch: "aarch64"
+  - location: "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/cloud/nocloud_alpine-3.21.6-x86_64-uefi-cloudinit-r0.qcow2"
+    arch: "x86_64"
+
+mounts:
+  # Share /tmp so the containerd shim can access FIFOs created by the host-side executor
+  - location: /tmp/wfe-io
+    mountPoint: /tmp/wfe-io
+    writable: true
 
 containerd:
   system: false
-  user: true
+  user: false
+
+provision:
+  # 1. Base packages + containerd + buildkit from Alpine repos (musl-compatible)
+  - mode: system
+    script: |
+      #!/bin/sh
+      set -eux
+      apk update
+      apk add --no-cache \
+        curl bash coreutils findutils grep tar gzip pigz \
+        containerd containerd-openrc \
+        runc \
+        buildkit buildkit-openrc \
+        nerdctl
+
+  # 2. Start containerd
+  - mode: system
+    script: |
+      #!/bin/sh
+      set -eux
+      rc-update add containerd default 2>/dev/null || true
+      rc-service containerd start 2>/dev/null || true
+      # Wait for socket
+      for i in $(seq 1 15); do
+        [ -S /run/containerd/containerd.sock ] && break
+        sleep 1
+      done
+      chmod 666 /run/containerd/containerd.sock 2>/dev/null || true
+
+  # 3. Start BuildKit (Alpine package names the service "buildkitd")
+  - mode: system
+    script: |
+      #!/bin/sh
+      set -eux
+      rc-update add buildkitd default 2>/dev/null || true
+      rc-service buildkitd start 2>/dev/null || true
+
+  # 4. Fix socket permissions + TCP proxy for gRPC access (persists across reboots)
+  - mode: system
+    script: |
+      #!/bin/sh
+      set -eux
+      apk add --no-cache socat
+      mkdir -p /etc/local.d
+      cat > /etc/local.d/fix-sockets.start << 'EOF'
+      #!/bin/sh
+      # Wait for daemons
+      for i in $(seq 1 30); do
+        [ -S /run/buildkit/buildkitd.sock ] && break
+        sleep 1
+      done
+      # Fix permissions for Lima socket forwarding
+      chmod 755 /run/buildkit /run/containerd 2>/dev/null
+      chmod 666 /run/buildkit/buildkitd.sock /run/containerd/containerd.sock 2>/dev/null
+      # TCP proxy for gRPC (Lima socket forwarding breaks HTTP/2)
+      socat TCP4-LISTEN:2500,fork,reuseaddr UNIX-CONNECT:/run/containerd/containerd.sock &
+      socat TCP4-LISTEN:2501,fork,reuseaddr UNIX-CONNECT:/run/buildkit/buildkitd.sock &
+      EOF
+      chmod +x /etc/local.d/fix-sockets.start
+      rc-update add local default 2>/dev/null || true
+      /etc/local.d/fix-sockets.start
+
+probes:
+  - script: |
+      #!/bin/sh
+      set -eux
+      sudo test -S /run/containerd/containerd.sock
+      sudo chmod 755 /run/containerd 2>/dev/null
+      sudo chmod 666 /run/containerd/containerd.sock 2>/dev/null
+    hint: "Waiting for containerd socket"
+  - script: |
+      #!/bin/sh
+      set -eux
+      sudo test -S /run/buildkit/buildkitd.sock
+      sudo chmod 755 /run/buildkit 2>/dev/null
+      sudo chmod 666 /run/buildkit/buildkitd.sock 2>/dev/null
+    hint: "Waiting for BuildKit socket"
 
 portForwards:
-  # BuildKit daemon socket
+  - guestSocket: "/run/buildkit/buildkitd.sock"
-  - guestSocket: "/run/user/{{.UID}}/buildkit-default/buildkitd.sock"
+    hostSocket: "{{.Dir}}/buildkitd.sock"
-    hostSocket: "{{.Dir}}/sock/buildkitd.sock"
+  - guestSocket: "/run/containerd/containerd.sock"
-
+    hostSocket: "{{.Dir}}/containerd.sock"
-  # containerd daemon socket (rootless)
-  - guestSocket: "/run/user/{{.UID}}/containerd/containerd.sock"
-    hostSocket: "{{.Dir}}/sock/containerd.sock"

workflows.yaml

@@ -158,7 +158,8 @@ workflows:
         config:
           run: |
             cd "$WORKSPACE_DIR"
-            cargo nextest run -p wfe-yaml --features buildkit,containerd -P ci
+            cargo nextest run -p wfe-yaml --features buildkit,containerd,rustlang -P ci
+            cargo nextest run -p wfe-rustlang -P ci
 
   # ─── Workflow: test-integration ──────────────────────────────────
 
@@ -299,12 +300,12 @@ workflows:
               }
             fi
 
-            # Wait for sockets to be available
+            # Wait for TCP proxy ports (socat bridges to containerd/buildkit sockets)
             for i in $(seq 1 30); do
-              if [ -S "$HOME/.lima/wfe-test/sock/buildkitd.sock" ]; then
+              if curl -sf http://127.0.0.1:2500 >/dev/null 2>&1 || [ $? -eq 56 ]; then
                 break
               fi
-              echo "Waiting for buildkitd socket... ($i/30)"
+              echo "Waiting for containerd TCP proxy... ($i/30)"
               sleep 2
             done
 
@@ -320,7 +321,7 @@ workflows:
         config:
           run: |
             cd "$WORKSPACE_DIR"
-            export WFE_BUILDKIT_ADDR="unix://$HOME/.lima/wfe-test/sock/buildkitd.sock"
+            export WFE_BUILDKIT_ADDR="http://127.0.0.1:2501"
             cargo nextest run -p wfe-buildkit -P ci
             echo "##wfe[output buildkit_ok=true]"
 
@@ -334,8 +335,11 @@ workflows:
         config:
           run: |
             cd "$WORKSPACE_DIR"
-            export WFE_CONTAINERD_ADDR="unix://$HOME/.lima/wfe-test/sock/containerd.sock"
+            export WFE_CONTAINERD_ADDR="http://127.0.0.1:2500"
+            export WFE_IO_DIR="/tmp/wfe-io"
+            mkdir -p "$WFE_IO_DIR"
             cargo nextest run -p wfe-containerd -P ci
+            cargo nextest run -p wfe-yaml --features rustlang,containerd --test rustlang_containerd -P ci -- --ignored
             echo "##wfe[output containerd_ok=true]"
 
     ensure:
@@ -475,7 +479,7 @@ workflows:
             cd "$WORKSPACE_DIR"
             for crate in wfe-core wfe-sqlite wfe-postgres wfe-opensearch wfe-valkey \
                          wfe-buildkit-protos wfe-containerd-protos wfe-buildkit wfe-containerd \
-                         wfe wfe-yaml; do
+                         wfe-rustlang wfe wfe-yaml; do
               echo "Packaging $crate..."
               cargo package -p "$crate" --no-verify --allow-dirty 2>&1 || exit 1
             done
@@ -619,7 +623,7 @@ workflows:
             exit 0
             cd "$WORKSPACE_DIR"
             REGISTRY="${REGISTRY:-sunbeam}"
-            for crate in wfe-buildkit wfe-containerd; do
+            for crate in wfe-buildkit wfe-containerd wfe-rustlang; do
               echo "Publishing $crate..."
               cargo publish -p "$crate" --registry "$REGISTRY" 2>&1 || echo "Already published: $crate"
             done