uffd: add support for UFFD_EVENT_REMOVE events

.github/actions/build-sandbox-template/action.yml

@@ -8,7 +8,7 @@ runs:
       env:
         TEMPLATE_ID: "2j6ly824owf4awgai1xo"
         KERNEL_VERSION: "vmlinux-6.1.158"
-        FIRECRACKER_VERSION: "v1.12.1_a41d3fb"
+        FIRECRACKER_VERSION: "v1.14.1_aa14c57"
       run: |
         # Generate an unique build ID for the template for this run
         export BUILD_ID=$(uuidgen)

packages/api/internal/sandbox/sandbox_features.go

@@ -39,7 +39,15 @@ func (v *VersionInfo) Version() semver.Version {
 }
 
 func (v *VersionInfo) HasHugePages() bool {
-	if v.lastReleaseVersion.Major() >= 1 && v.lastReleaseVersion.Minor() >= 7 {
+	if v.lastReleaseVersion.Major() == 1 && v.lastReleaseVersion.Minor() >= 7 {
+		return true
+	}
+
+	return false
+}
+
+func (v *VersionInfo) HasFreePageReporting() bool {
+	if v.lastReleaseVersion.Major() == 1 && v.lastReleaseVersion.Minor() >= 14 {
 		return true
 	}
 

packages/api/internal/template-manager/create_template.go

@@ -16,6 +16,7 @@ import (
 	"github.com/e2b-dev/infra/packages/api/internal/utils"
 	"github.com/e2b-dev/infra/packages/db/pkg/types"
 	"github.com/e2b-dev/infra/packages/db/queries"
+	featureflags "github.com/e2b-dev/infra/packages/shared/pkg/feature-flags"
 	templatemanagergrpc "github.com/e2b-dev/infra/packages/shared/pkg/grpc/template-manager"
 	"github.com/e2b-dev/infra/packages/shared/pkg/id"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
@@ -109,6 +110,8 @@ func (tm *TemplateManager) CreateTemplate(
 		return fmt.Errorf("failed to convert image registry: %w", err)
 	}
 
+	freePageReporting := features.HasFreePageReporting() && tm.featureFlags.BoolFlag(ctx, featureflags.FreePageReportingFlag, featureflags.TeamContext(teamID.String()))
+
 	template := &templatemanagergrpc.TemplateConfig{
 		TeamID:             teamID.String(),
 		TemplateID:         templateID,
@@ -119,6 +122,7 @@ func (tm *TemplateManager) CreateTemplate(
 		KernelVersion:      kernelVersion,
 		FirecrackerVersion: firecrackerVersion,
 		HugePages:          features.HasHugePages(),
+		FreePageReporting:  &freePageReporting,
 		StartCommand:       startCmd,
 		ReadyCommand:       readyCmd,
 		Force:              force,

packages/orchestrator/README.md

@@ -36,7 +36,7 @@ Flags:
 - `-template <id>` - Template ID (default: `local-template`)
 - `-storage <path>` - Local path or `gs://bucket` (enables local mode with auto-download of kernel/FC)
 - `-kernel <version>` - Kernel version (default: `vmlinux-6.1.102`)
-- `-firecracker <version>` - Firecracker version (default: `v1.12.1_a41d3fb`)
+- `-firecracker <version>` - Firecracker version (default: `v1.14.1_aa14c57`)
 - `-vcpu <n>` - vCPUs (default: `1`)
 - `-memory <mb>` - Memory in MB (default: `512`)
 - `-disk <mb>` - Disk in MB (default: `1000`)

packages/orchestrator/cmd/create-build/main.go

@@ -59,6 +59,7 @@ func main() {
 	memory := flag.Int("memory", 1024, "memory MB")
 	disk := flag.Int("disk", 1024, "disk MB")
 	hugePages := flag.Bool("hugepages", true, "use 2MB huge pages for memory (false = 4KB pages)")
+	freePageReporting := flag.Bool("free-page-reporting", false, "enable free page reporting via balloon device (requires Firecracker v1.14+)")
 	startCmd := flag.String("start-cmd", "", "start command")
 	setupCmd := flag.String("setup-cmd", "", "setup command to run during build (e.g., install deps)")
 	readyCmd := flag.String("ready-cmd", "", "ready check command")
@@ -96,7 +97,16 @@ func main() {
 		log.Fatalf("network config: %v", err)
 	}
 
-	err = doBuild(ctx, *templateID, *toBuild, *fromBuild, *kernel, *fc, *vcpu, *memory, *disk, *hugePages, *startCmd, *setupCmd, *readyCmd, localMode, *verbose, *timeout, builderConfig, networkConfig)
+	// Detect if --free-page-reporting was explicitly set; if not, pass nil so
+	// doBuild can default based on the Firecracker version.
+	var fprOverride *bool
+	flag.Visit(func(f *flag.Flag) {
+		if f.Name == "free-page-reporting" {
+			fprOverride = freePageReporting
+		}
+	})
+
+	err = doBuild(ctx, *templateID, *toBuild, *fromBuild, *kernel, *fc, *vcpu, *memory, *disk, *hugePages, fprOverride, *startCmd, *setupCmd, *readyCmd, localMode, *verbose, *timeout, builderConfig, networkConfig)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -174,9 +184,10 @@ func setupEnv(ctx context.Context, storagePath, kernel, fc string, localMode boo
 
 func doBuild(
 	parentCtx context.Context,
-	templateID, buildID, fromBuild, kernel, fc string,
+	templateID, buildID, fromBuild, kernel, fcVersion string,
 	vcpu, memory, disk int,
 	hugePages bool,
+	freePageReporting *bool,
 	startCmd, setupCmd, readyCmd string,
 	localMode, verbose bool,
 	timeout int,
@@ -316,6 +327,18 @@ func doBuild(
 		})
 	}
 
+	// Default FPR to enabled when the FC version supports it (v1.14+); explicit flag overrides.
+	var fprEnabled bool
+	if freePageReporting != nil {
+		fprEnabled = *freePageReporting
+	} else {
+		versionOnly, _, _ := strings.Cut(fcVersion, "_")
+		supported, err := utils.IsGTEVersion(versionOnly, "v1.14.0")
+		if err == nil {
+			fprEnabled = supported
+		}
+	}
+
 	tmpl := config.TemplateConfig{
 		Version:            templates.TemplateV2LatestVersion,
 		TemplateID:         templateID,
@@ -324,10 +347,11 @@ func doBuild(
 		MemoryMB:           int64(memory),
 		DiskSizeMB:         int64(disk),
 		HugePages:          hugePages,
+		FreePageReporting:  fprEnabled,
 		StartCmd:           startCmd,
 		ReadyCmd:           readyCmd,
 		KernelVersion:      kernel,
-		FirecrackerVersion: fc,
+		FirecrackerVersion: fcVersion,
 		Steps:              steps,
 	}
 

packages/orchestrator/internal/portmap/recover.go

@@ -58,7 +58,7 @@ func (h *recovery) PMAPPROC_CALLIT(args rfc1057.Call_args) rfc1057.Call_result {
 }
 
 func (h *recovery) tryRecovery(name string) {
-	if r := recover(); r != nil { //nolint:revive // recover is called from a deferred named function, which is valid Go
+	if r := recover(); r != nil { //nolint:revive // recover works fine — always called via defer
 		logger.L().Error(h.ctx, fmt.Sprintf("panic in %q portmap handler", name), zap.Any("panic", r))
 	}
 }