github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-16 16:32:03 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2783 from likebreath/1001/clh_enable_seccomp

Browse Source 
virtcontainers: clh: Enable the `seccomp` feature
This commit is contained in:
James O. D. Hunt 2021-10-21 09:21:33 +01:00 committed by GitHub
commit 09741272bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/runtime/config/configuration-clh.toml.in
View File

@ -114,6 +114,9 @@ block_device_driver = "virtio-blk"
# being allocated using huge pages. # being allocated using huge pages.
#enable_hugepages = true #enable_hugepages = true
# Disable the 'seccomp' feature from Cloud Hypervisor, default false
# disable_seccomp = true
# This option changes the default hypervisor and kernel parameters # This option changes the default hypervisor and kernel parameters
# to enable debug output where available. # to enable debug output where available.
# #

1
src/runtime/pkg/katautils/config-settings.go.in
View File

@ -87,6 +87,7 @@ const defaultTxRateLimiterMaxRate = uint64(0)
const defaultConfidentialGuest = false const defaultConfidentialGuest = false
const defaultGuestSwap = false const defaultGuestSwap = false
const defaultRootlessHypervisor = false const defaultRootlessHypervisor = false
const defaultDisableSeccomp = false
var defaultSGXEPCSize = int64(0) var defaultSGXEPCSize = int64(0)

3
src/runtime/pkg/katautils/config.go
View File

@ -135,6 +135,7 @@ type hypervisor struct {
ConfidentialGuest bool `toml:"confidential_guest"` ConfidentialGuest bool `toml:"confidential_guest"`
GuestSwap bool `toml:"enable_guest_swap"` GuestSwap bool `toml:"enable_guest_swap"`
Rootless bool `toml:"rootless"` Rootless bool `toml:"rootless"`
DisableSeccomp bool `toml:"disable_seccomp"`
} }
type runtime struct { type runtime struct {
@ -865,6 +866,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
VirtioFSExtraArgs: h.VirtioFSExtraArgs, VirtioFSExtraArgs: h.VirtioFSExtraArgs,
SGXEPCSize: defaultSGXEPCSize, SGXEPCSize: defaultSGXEPCSize,
EnableAnnotations: h.EnableAnnotations, EnableAnnotations: h.EnableAnnotations,
DisableSeccomp: h.DisableSeccomp,
}, nil }, nil
} }
@ -1056,6 +1058,7 @@ func GetDefaultHypervisorConfig() vc.HypervisorConfig {
ConfidentialGuest: defaultConfidentialGuest, ConfidentialGuest: defaultConfidentialGuest,
GuestSwap: defaultGuestSwap, GuestSwap: defaultGuestSwap,
Rootless: defaultRootlessHypervisor, Rootless: defaultRootlessHypervisor,
DisableSeccomp: defaultDisableSeccomp,
} }
} }

8
src/runtime/virtcontainers/clh.go
View File

@ -960,11 +960,11 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
args = append(args, "-v") args = append(args, "-v")
} }
// Disable the 'seccomp' option in clh for now. // Enable the `seccomp` feature from Cloud Hypervisor by default
// In this way, we can separate the periodic failures caused // Disable it only when requested by users for debugging purposes
// by incomplete `seccomp` filters from other failures. if clh.config.DisableSeccomp {
// We will bring it back after completing the `seccomp` filter.
args = append(args, "--seccomp", "false") args = append(args, "--seccomp", "false")
}
clh.Logger().WithField("path", clhPath).Info() clh.Logger().WithField("path", clhPath).Info()
clh.Logger().WithField("args", strings.Join(args, " ")).Info() clh.Logger().WithField("args", strings.Join(args, " ")).Info()

3
src/runtime/virtcontainers/hypervisor.go
View File

@ -508,6 +508,9 @@ type HypervisorConfig struct {
// Rootless is used to enable rootless VMM process // Rootless is used to enable rootless VMM process
Rootless bool Rootless bool
// Disable seccomp from the hypervisor process
DisableSeccomp bool
} }
// vcpu mapping from vcpu number to thread number // vcpu mapping from vcpu number to thread number