github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-13 12:59:36 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11743 from BbolroC/enable-ci-qemu-se-runtime-rs

Browse Source 
runtime-rs: Enable s390x nightly test for IBM SEL
This commit is contained in:
Hyounggyu Choi
2025-09-10 15:00:16 +02:00
committed by GitHub
parent 1d26d07110 1060a94b08
commit 1737777d28
10 changed files with 33 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/ci-nightly-s390x.yaml vendored
View File

@@ -15,7 +15,8 @@ jobs:
test_title: test_title:
- kata-vfio-ap-e2e-tests - kata-vfio-ap-e2e-tests
- cc-vfio-ap-e2e-tests - cc-vfio-ap-e2e-tests
- cc-se-e2e-tests - cc-se-e2e-tests-go
- cc-se-e2e-tests-rs
steps: steps:
- name: Fetch a test result for {{ matrix.test_title }} - name: Fetch a test result for {{ matrix.test_title }}
run: | run: |

22
tests/integration/kubernetes/confidential_common.sh
View File

@@ -10,7 +10,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/confidential_kbs.sh" load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se") SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs")
SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev") SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev")
function setup_unencrypted_confidential_pod() { function setup_unencrypted_confidential_pod() {
@@ -31,12 +31,20 @@ function setup_unencrypted_confidential_pod() {
# and returns the remote command to be executed to that specific hypervisor # and returns the remote command to be executed to that specific hypervisor
# in order to identify whether the workload is running on a TEE environment # in order to identify whether the workload is running on a TEE environment
function get_remote_command_per_hypervisor() { function get_remote_command_per_hypervisor() {
declare -A REMOTE_COMMAND_PER_HYPERVISOR case "${KATA_HYPERVISOR}" in
REMOTE_COMMAND_PER_HYPERVISOR[qemu-snp]="dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\"" qemu-se*)
REMOTE_COMMAND_PER_HYPERVISOR[qemu-tdx]="cpuid | grep TDX_GUEST" echo "cd /sys/firmware/uv; cat prot_virt_guest | grep 1"
REMOTE_COMMAND_PER_HYPERVISOR[qemu-se]="cd /sys/firmware/uv; cat prot_virt_guest | grep 1" ;;
qemu-snp)
echo "${REMOTE_COMMAND_PER_HYPERVISOR[${KATA_HYPERVISOR}]}" echo "dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
;;
qemu-tdx)
echo "cpuid | grep TDX_GUEST"
;;
*)
echo ""
;;
esac
} }
# This function verifies whether the input hypervisor supports confidential tests and # This function verifies whether the input hypervisor supports confidential tests and

6
tests/integration/kubernetes/confidential_kbs.sh
View File

@@ -234,7 +234,7 @@ function kbs_k8s_delete() {
pushd "${COCO_KBS_DIR}" pushd "${COCO_KBS_DIR}"
if [[ "${KATA_HYPERVISOR}" = "qemu-tdx" ]]; then if [[ "${KATA_HYPERVISOR}" = "qemu-tdx" ]]; then
kubectl delete -k config/kubernetes/ita kubectl delete -k config/kubernetes/ita
elif [[ "${KATA_HYPERVISOR}" = "qemu-se" ]]; then elif [[ "${KATA_HYPERVISOR}" = qemu-se* ]]; then
kubectl delete -k config/kubernetes/overlays/ibm-se kubectl delete -k config/kubernetes/overlays/ibm-se
else else
kubectl delete -k config/kubernetes/overlays/ kubectl delete -k config/kubernetes/overlays/
@@ -304,8 +304,8 @@ function kbs_k8s_deploy() {
# expects at least one secret served at install time. # expects at least one secret served at install time.
echo "somesecret" > overlays/key.bin echo "somesecret" > overlays/key.bin
# For qemu-se runtime, prepare the necessary resources # For qemu-se* runtime, prepare the necessary resources
if [[ "${KATA_HYPERVISOR}" == "qemu-se" ]]; then if [[ "${KATA_HYPERVISOR}" == qemu-se* ]]; then
mv overlays/key.bin overlays/ibm-se/key.bin mv overlays/key.bin overlays/ibm-se/key.bin
prepare_credentials_for_qemu_se prepare_credentials_for_qemu_se
# SE_SKIP_CERTS_VERIFICATION should be set to true # SE_SKIP_CERTS_VERIFICATION should be set to true

4
tests/integration/kubernetes/k8s-block-volume.bats
View File

@@ -11,7 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
case "${KATA_HYPERVISOR}" in case "${KATA_HYPERVISOR}" in
qemu-runtime-rs) qemu-runtime-rs|qemu-se-runtime-rs)
skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;; skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;;
fc|stratovirt) fc|stratovirt)
skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;; skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;;
@@ -73,7 +73,7 @@ setup() {
teardown() { teardown() {
case "${KATA_HYPERVISOR}" in case "${KATA_HYPERVISOR}" in
qemu-runtime-rs) qemu-runtime-rs|qemu-se-runtime-rs)
skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;; skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;;
fc|stratovirt) fc|stratovirt)
skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;; skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;;

2
tests/integration/kubernetes/k8s-cpu-ns.bats
View File

@@ -14,6 +14,7 @@ setup() {
[ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}" [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
[ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039" [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
[ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet" [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
[ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
[ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \ [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
&& skip "TEEs do not support memory / CPU hotplug" && skip "TEEs do not support memory / CPU hotplug"
@@ -120,6 +121,7 @@ teardown() {
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
[ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}" [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
[ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet" [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
[ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
[ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039" [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
[ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \ [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \

6
tests/integration/kubernetes/k8s-empty-dirs.bats
View File

@@ -18,8 +18,6 @@ assert_equal() {
} }
setup() { setup() {
[ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
pod_name="sharevol-kata" pod_name="sharevol-kata"
get_pod_config_dir get_pod_config_dir
pod_logs_file="" pod_logs_file=""
@@ -45,6 +43,8 @@ setup() {
} }
@test "Empty dir volume when FSGroup is specified with non-root container" { @test "Empty dir volume when FSGroup is specified with non-root container" {
[[ "${KATA_HYPERVISOR}" = qemu-se* ]] && \
skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
# This is a reproducer of k8s e2e "[sig-storage] EmptyDir volumes when FSGroup is specified [LinuxOnly] [NodeFeature:FSGroup] new files should be created with FSGroup ownership when container is non-root" test # This is a reproducer of k8s e2e "[sig-storage] EmptyDir volumes when FSGroup is specified [LinuxOnly] [NodeFeature:FSGroup] new files should be created with FSGroup ownership when container is non-root" test
pod_file="${pod_config_dir}/pod-empty-dir-fsgroup.yaml" pod_file="${pod_config_dir}/pod-empty-dir-fsgroup.yaml"
agnhost_name="${container_images_agnhost_name}" agnhost_name="${container_images_agnhost_name}"
@@ -70,8 +70,6 @@ setup() {
} }
teardown() { teardown() {
[ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"

4
tests/integration/kubernetes/k8s-inotify.bats
View File

@@ -12,7 +12,7 @@ setup() {
[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
issue_url="https://github.com/kata-containers/kata-containers/issues/8906" issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
[ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && skip "test not working for IBM Z LPAR (see ${issue_url})"
get_pod_config_dir get_pod_config_dir
pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml
@@ -50,7 +50,7 @@ teardown() {
[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
issue_url="https://github.com/kata-containers/kata-containers/issues/8906" issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
[ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && skip "test not working for IBM Z LPAR (see ${issue_url})"
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"

2
tests/integration/kubernetes/k8s-number-cpus.bats
View File

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
[ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039" [ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039"
[ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet" [ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
[ "${KATA_HYPERVISOR}" = "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
pod_name="cpu-test" pod_name="cpu-test"
container_name="c1" container_name="c1"
get_pod_config_dir get_pod_config_dir
@@ -53,6 +54,7 @@ setup() {
teardown() { teardown() {
[ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039" [ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039"
[ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet" [ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
[ "${KATA_HYPERVISOR}" = "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"

4
tests/integration/kubernetes/k8s-shared-volume.bats
View File

@@ -9,7 +9,7 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/tests_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
[ "${KATA_HYPERVISOR}" = "qemu-se" ] && \ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && \
skip "See: https://github.com/kata-containers/kata-containers/issues/10002" skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
get_pod_config_dir get_pod_config_dir
} }
@@ -67,7 +67,7 @@ setup() {
} }
teardown() { teardown() {
[ "${KATA_HYPERVISOR}" = "qemu-se" ] && \ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && \
skip "See: https://github.com/kata-containers/kata-containers/issues/10002" skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" || true kubectl describe "pod/$pod_name" || true

2
tests/integration/kubernetes/lib.sh
View File

@@ -302,7 +302,7 @@ set_metadata_annotation() {
# dots. # dots.
yq -i ".${annotation_key} = \"${value}\"" "${yaml}" yq -i ".${annotation_key} = \"${value}\"" "${yaml}"
if [[ "${key}" =~ kernel_params ]] && [[ "${KATA_HYPERVISOR}" == "qemu-se" ]]; then if [[ "${key}" =~ kernel_params ]] && [[ "${KATA_HYPERVISOR}" == qemu-se* ]]; then
# A secure boot image for IBM SE should be rebuilt according to the KBS configuration. # A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty" >&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"