From 6b31b06832a35cd976d79118585412da0b62ad62 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Tue, 8 Mar 2022 09:42:05 -0600
Subject: [PATCH 1/6] kernel: fix cve-2022-0847
bump guest kernel version to fix cve-2022-0847 "Dirty Pipe" fixes #3852
Signed-off-by: Julio Montes
---
 tools/packaging/kernel/kata_config_version | 2 +-
 versions.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 8643cf6deb..d61f00d8ca 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-89
+90
diff --git a/versions.yaml b/versions.yaml
index ec5118f7af..d1ad5c690b 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -153,7 +153,7 @@ assets:
 kernel:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
- version: "v5.15.23"
+ version: "v5.15.26"
 tdx:
 description: "Linux kernel that supports TDX"
 url: "https://github.com/intel/tdx/archive/refs/tags"
From 2918be180f5237cd70ec70d8c35a6e29aeb05035 Mon Sep 17 00:00:00 2001
From: "James O. D. Hunt"
Date: Tue, 8 Mar 2022 16:29:36 +0000
Subject: [PATCH 2/6] manager: Create containerd link
Make the `kata-manager` create a `containerd` link to ensure the downloaded containerd systemd service file can find the daemon when using the GitHub packaged version of containerd.
Signed-off-by: James O. D. Hunt
---
 utils/kata-manager.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/utils/kata-manager.sh b/utils/kata-manager.sh
index 38260c865b..9c298c9eb3 100755
--- a/utils/kata-manager.sh
+++ b/utils/kata-manager.sh
@@ -402,7 +402,12 @@ install_containerd()
 sudo tar -C /usr/local -xvf "${file}"
- sudo ln -sf /usr/local/bin/ctr "${link_dir}"
+ for file in \
+ /usr/local/bin/containerd \
+ /usr/local/bin/ctr
+ do
+ sudo ln -sf "$file" "${link_dir}"
+ done
 info "$project installed\n"
 }
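Review bot: The new loop reuses `file` as its iteration variable, so once it has run `file` no longer names the downloaded archive that `sudo tar -C /usr/local -xvf "${file}"` extracted two lines earlier; any later reference to `$file` in install_containerd (the function starts before this hunk) or in a cleanup path would now see `/usr/local/bin/ctr`. A distinct name avoids the clobber: `for bin in \` … `sudo ln -sf "$bin" "${link_dir}"`. A one-line comment on the loop would also help, since the reason for the extra `containerd` link (the downloaded containerd systemd service file must be able to find the daemon) is only given in the commit message.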
From 4111e1a3de0b1b13345532baaa20b756adfd1bd8 Mon Sep 17 00:00:00 2001
From: "James O. D. Hunt"
Date: Tue, 8 Mar 2022 16:37:39 +0000
Subject: [PATCH 3/6] manager: Add option to enable component debug
Added a `-d` option to `kata-manager` to enable Kata Containers and containerd debug.
Signed-off-by: James O. D. Hunt
---
 utils/kata-manager.sh | 116 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 97 insertions(+), 19 deletions(-)
diff --git a/utils/kata-manager.sh b/utils/kata-manager.sh
index 9c298c9eb3..afc1bb2025 100755
--- a/utils/kata-manager.sh
+++ b/utils/kata-manager.sh
@@ -208,6 +208,7 @@ Description: Install $kata_project [1] (and optionally $containerd_project [2])
 Options:
 -c : Specify containerd version.
+ -d : Enable debug for all components.
 -f : Force installation (use with care).
 -h : Show this help statement.
 -k : Specify Kata Containers version.
@@ -414,6 +415,9 @@ install_containerd()
 configure_containerd()
 {
+ local enable_debug="${1:-}"
+ [ -z "$enable_debug" ] && die "no enable debug value"
+
 local project="$containerd_project"
 info "Configuring $project"
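Review bot: The guard `[ -z "$enable_debug" ] && die "no enable debug value"` only rejects an empty argument; any other string is accepted and later compared with `= "true"`, so a value such as `True` or `yes` silently means debug off. The same non-empty-only check is repeated for `enable_debug` in configure_kata, handle_kata, handle_containerd and handle_installation in the later hunks of this patch. Checking the boolean domain once at the boundary, `case "$enable_debug" in true|false) ;; *) die "invalid enable debug value: $enable_debug" ;; esac`, or a small helper shared by all five call sites, would catch bad values instead of ignoring them. configure_containerd continues past the end of this hunk.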
@@ -465,26 +469,55 @@ configure_containerd()
 info "Backed up $cfg to $original"
 }
+ local modified="false"
+ # Add the Kata Containers configuration details:
+ local comment_text
+ comment_text=$(printf "%s: Added by %s\n" \
+ "$(date -Iseconds)" \
+ "$script_name")
+
 sudo grep -q "$kata_runtime_type" "$cfg" || {
 cat <<-EOT | sudo tee -a "$cfg"
-[plugins]
- [plugins."io.containerd.grpc.v1.cri"]
- [plugins."io.containerd.grpc.v1.cri".containerd]
- default_runtime_name = "${kata_runtime_name}"
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${kata_runtime_name}]
- runtime_type = "${kata_runtime_type}"
-EOT
+ # $comment_text
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ default_runtime_name = "${kata_runtime_name}"
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${kata_runtime_name}]
+ runtime_type = "${kata_runtime_type}"
+ EOT
- info "Modified $cfg"
+ modified="true"
 }
+ if [ "$enable_debug" = "true" ]
+ then
+ local debug_enabled
+ debug_enabled=$(awk -v RS='' '/\[debug\]/' "$cfg" |\
+ grep -E "^\s*\\s*=\s*.*\" || true)
+ [ -n "$debug_enabled" ] || {
+ cat <<-EOT | sudo tee -a "$cfg"
+ # $comment_text
+ [debug]
+ level = "debug"
+ EOT
+ }
+ modified="true"
+ fi
+ [ "$modified" = "true" ] && info "Modified $cfg"
 sudo systemctl enable containerd
 sudo systemctl start containerd
- info "Configured $project\n"
+ local msg="disabled"
+ [ "$enable_debug" = "true" ] && msg="enabled"
+ info "Configured $project (debug $msg)\n"
 }
 install_kata()
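Review bot: The `debug_enabled` check only looks for an existing debug-level setting inside a `[debug]` paragraph, so a config that already carries a `[debug]` table with some other level gets a second `[debug]` table appended by the heredoc; TOML parsers reject a table defined twice, which would stop containerd loading its config. Test for the table itself before appending, e.g. `grep -qE '^\s*\[debug\]' "$cfg" && die "$cfg already has a [debug] table; set its level there"`, or edit the existing level in place instead of appending. The hunk also keeps `sudo systemctl start containerd` as the only restart step after the file is modified; start is a no-op for a daemon that is already running, so a re-run (the force path in handle_containerd) never picks up the appended settings, whereas `[ "$modified" = "true" ] && sudo systemctl restart containerd` would. configure_containerd begins before this hunk.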
@@ -545,11 +578,48 @@ install_kata()
 info "$project installed\n"
 }
+configure_kata()
+{
+ local enable_debug="${1:-}"
+ [ -z "$enable_debug" ] && die "no enable debug value"
+
+ [ "$enable_debug" = "false" ] && \
+ info "Using default $kata_project configuration" && \
+ return 0
+
+ local config_file='configuration.toml'
+ local kata_dir='/etc/kata-containers'
+
+ sudo mkdir -p "$kata_dir"
+
+ local cfg_from
+ local cfg_to
+
+ cfg_from="${kata_install_dir}/share/defaults/kata-containers/${config_file}"
+ cfg_to="${kata_dir}/${config_file}"
+
+ [ -e "$cfg_from" ] || die "cannot find $kata_project configuration file"
+
+ sudo install -o root -g root -m 0644 "$cfg_from" "$cfg_to"
+
+ sudo sed -i \
+ -e 's/^# *\(enable_debug\).*=.*$/\1 = true/g' \
+ -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' \
+ "$cfg_to"
+
+ info "Configured $kata_project for full debug (delete $cfg_to to use pristine $kata_project configuration)"
+}
+
 handle_kata()
 {
 local version="${1:-}"
- install_kata "$version"
+ local enable_debug="${2:-}"
+ [ -z "$enable_debug" ] && die "no enable debug value"
+
+ install_kata "$version" "$enable_debug"
+
+ configure_kata "$enable_debug"
+
 kata-runtime --version
 }
@@ -561,6 +631,9 @@ handle_containerd()
 local force="${2:-}"
 [ -z "$force" ] && die "need force value"
+ local enable_debug="${3:-}"
+ [ -z "$enable_debug" ] && die "no enable debug value"
+
 local ret
 if [ "$force" = "true" ]
@@ -577,7 +650,7 @@ handle_containerd()
 fi
 fi
- configure_containerd
+ configure_containerd "$enable_debug"
 containerd --version
 }
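Review bot: `sudo install -o root -g root -m 0644 "$cfg_from" "$cfg_to"` in the new configure_kata overwrites any existing `/etc/kata-containers/configuration.toml` without a backup, so an administrator's local runtime settings are lost the first time the script is run with `-d`; configure_containerd in this same file backs its config up before editing it (`info "Backed up $cfg to $original"` is visible in the previous hunk), and the same treatment fits here, e.g. `[ -e "$cfg_to" ] && sudo cp -a "$cfg_to" "${cfg_to}-pre-${script_name}"` before the install. The two `sed` expressions deserve a comment as well: they uncomment every `enable_debug` key in the file and append `agent.log=debug initcall_debug` to `kernel_params`, which is debugging configuration rather than something to leave on a production host. handle_kata also starts passing `"$enable_debug"` to install_kata, but no hunk in this patch changes install_kata to read a second argument, so the extra parameter appears to be unused. configure_kata is wholly inside the hunk; install_kata's body begins before it.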
@@ -622,20 +695,22 @@ handle_installation()
 local only_kata="${3:-}"
 [ -z "$only_kata" ] && die "no only Kata value"
+ local enable_debug="${4:-}"
+ [ -z "$enable_debug" ] && die "no enable debug value"
+
 # These params can be blank
- local kata_version="${4:-}"
- local containerd_version="${5:-}"
+ local kata_version="${5:-}"
+ local containerd_version="${6:-}"
 setup "$cleanup" "$force"
- handle_kata "$kata_version"
+ handle_kata "$kata_version" "$enable_debug"
 [ "$only_kata" = "false" ] && \
 handle_containerd \
 "$containerd_version" \
- "$force"
-
- test_installation
+ "$force" \
+ "$enable_debug"
 if [ "$only_kata" = "true" ]
 then
@@ -652,16 +727,18 @@ handle_args()
 local cleanup="true"
 local force="false"
 local only_kata="false"
+ local enable_debug="false"
 local opt
 local kata_version=""
 local containerd_version=""
- while getopts "c:fhk:or" opt "$@"
+ while getopts "c:dfhk:or" opt "$@"
 do
 case "$opt" in
 c) containerd_version="$OPTARG" ;;
+ d) enable_debug="true" ;;
 f) force="true" ;;
 h) usage; exit 0 ;;
 k) kata_version="$OPTARG" ;;
@@ -679,6 +756,7 @@ handle_args()
 "$cleanup" \
 "$force" \
 "$only_kata" \
+ "$enable_debug" \
 "$kata_version" \
 "$containerd_version"
 }
From d815393c3e73ac1f19f82477ff4203011c682263 Mon Sep 17 00:00:00 2001
From: "James O. D. Hunt"
Date: Tue, 8 Mar 2022 16:41:54 +0000
Subject: [PATCH 4/6] manager: Add options to change self test behaviour
Added new `kata-manager` options to control the self-test behaviour. By default, after installation the manager will run a test to ensure a Kata Containers container can be created. New options allow: - The self test to be disabled. - Only the self test to be run (no installation). These features allow changes to be made to the installed system before the self test is run.
Fixes: #3851.
Signed-off-by: James O. D. Hunt
---
 utils/kata-manager.sh | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
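Review bot: The handle_installation hunk removes the unconditional `test_installation` call (the `- test_installation` line after the handle_containerd invocation) and adds nothing in its place, so after this patch the post-install self test never runs, and the commit message does not mention dropping it. If the removal is intentional it should be stated in the description; otherwise keep `test_installation` after the handle_containerd call. Patch 4/6 in this series reintroduces the call behind new options, which suggests the removal belongs in that change rather than in a debug-option change. handle_installation begins before this hunk and continues after it.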
diff --git a/utils/kata-manager.sh b/utils/kata-manager.sh
index afc1bb2025..3f8b7657e9 100755
--- a/utils/kata-manager.sh
+++ b/utils/kata-manager.sh
@@ -214,6 +214,8 @@ Options:
 -k : Specify Kata Containers version.
 -o : Only install Kata Containers.
 -r : Don't cleanup on failure (retain files).
+ -t : Disable self test (don't try to create a container after install).
+ -T : Only run self test (do not install anything).
 Notes:
@@ -698,9 +700,17 @@ handle_installation()
 local enable_debug="${4:-}"
 [ -z "$enable_debug" ] && die "no enable debug value"
+ local disable_test="${5:-}"
+ [ -z "$disable_test" ] && die "no disable test value"
+
+ local only_run_test="${6:-}"
+ [ -z "$only_run_test" ] && die "no only run test value"
+
 # These params can be blank
- local kata_version="${5:-}"
- local containerd_version="${6:-}"
+ local kata_version="${7:-}"
+ local containerd_version="${8:-}"
+
+ [ "$only_run_test" = "true" ] && test_installation && return 0
 setup "$cleanup" "$force"
@@ -712,6 +722,8 @@ handle_installation()
 "$force" \
 "$enable_debug"
+ [ "$disable_test" = "false" ] && test_installation
+
 if [ "$only_kata" = "true" ]
 then
 info "$kata_project is now installed"
@@ -727,6 +739,8 @@ handle_args()
 local cleanup="true"
 local force="false"
 local only_kata="false"
+ local disable_test="false"
+ local only_run_test="false"
 local enable_debug="false"
 local opt
@@ -734,7 +748,7 @@ handle_args()
 local kata_version=""
 local containerd_version=""
- while getopts "c:dfhk:or" opt "$@"
+ while getopts "c:dfhk:ortT" opt "$@"
 do
 case "$opt" in
 c) containerd_version="$OPTARG" ;;
@@ -744,6 +758,8 @@ handle_args()
 k) kata_version="$OPTARG" ;;
 o) only_kata="true" ;;
 r) cleanup="false" ;;
+ t) disable_test="true" ;;
+ T) only_run_test="true" ;;
 esac
 done
@@ -757,6 +773,8 @@ handle_args()
 "$force" \
 "$only_kata" \
 "$enable_debug" \
+ "$disable_test" \
+ "$only_run_test" \
 "$kata_version" \
 "$containerd_version"
 }
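Review bot: `[ "$only_run_test" = "true" ] && test_installation && return 0` only returns when test_installation succeeds; if it returns non-zero without exiting the script, control falls through to `setup` and a full installation, which is the opposite of what the new `-T` usage text promises ("do not install anything"). Unless test_installation is known to die on failure (its body is outside this diff), make the early return unconditional and keep the test's status: `[ "$only_run_test" = "true" ] && { test_installation; return $?; }`. A short comment that `-T` takes precedence over `-t` when both are given would also help, since that is currently decided only by evaluation order. handle_installation begins before this hunk.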
From 4e54aa5a7b17d3cd9742463068fd2a6807ae8a1c Mon Sep 17 00:00:00 2001
From: Garrett Mahin
Date: Sun, 13 Mar 2022 17:39:08 -0500
Subject: [PATCH 5/6] doc: fix filename typo
Corrects a filename typo in cleanup cluster part of kata-deploy README.md
Fixes: #3869
Signed-off-by: Garrett Mahin
---
 tools/packaging/kata-deploy/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/packaging/kata-deploy/README.md b/tools/packaging/kata-deploy/README.md
index b6d455adc8..c298c61454 100644
--- a/tools/packaging/kata-deploy/README.md
+++ b/tools/packaging/kata-deploy/README.md
@@ -143,7 +143,7 @@ $ kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
 After ensuring kata-deploy has been deleted, cleanup the cluster:
 ```sh
-$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup-stabe.yaml
+$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup-stable.yaml
 ```
 The cleanup daemon-set will run a single time, cleaning up the node-label, which makes it difficult to check in an automated fashion.
From 24028969c22b4bda843b20beb0210cc665a39923 Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Tue, 22 Mar 2022 17:08:15 +1100
Subject: [PATCH 6/6] virtcontainers: Run mock hook from build tree rather than system bin dir
Running unit tests should generally have minimal dependencies on things outside the build tree. It *definitely* shouldn't modify system wide things outside the build tree. Currently the runtime "make test" target does so, though. Several of the tests in src/runtime/pkg/katautils/hook_test.go require a sample hook binary. They expect this hook in /usr/bin/virtcontainers/bin/test/hook, so the makefile, as root, installs the test binary to that location. Go tests automatically run within the package's directory though, so there's no need to use a system wide path. We can use a relative path to the binary build within the tree just as easily. fixes #3941
Signed-off-by: David Gibson
---
 src/runtime/Makefile | 6 ++----
 src/runtime/pkg/katautils/hook_test.go | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 9f34c3da76..f87e72e583 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -589,12 +589,10 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 generate-config: $(CONFIGS)
-test: install-hook go-test
+test: hook go-test
-install-hook:
+hook:
 make -C virtcontainers hook
- echo "installing mock hook"
- sudo -E make -C virtcontainers install
 go-test: $(GENERATED_FILES)
 go clean -testcache
diff --git a/src/runtime/pkg/katautils/hook_test.go b/src/runtime/pkg/katautils/hook_test.go
index 6109b55499..50452974b6 100644
--- a/src/runtime/pkg/katautils/hook_test.go
+++ b/src/runtime/pkg/katautils/hook_test.go
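Review bot: `test: hook go-test` lists the two targets as sibling prerequisites, but `go-test: $(GENERATED_FILES)` does not depend on `hook`, so under `make -j` go-test can start before the mock hook binary exists and the hook tests fail non-deterministically; `go-test: $(GENERATED_FILES) hook` makes the ordering explicit. `hook`, like the `install-hook` it replaces, presumably produces no file of that name in src/runtime, so it belongs in the Makefile's `.PHONY` list if it is not already there (that list is outside this hunk). Dropping `sudo -E make -C virtcontainers install` is a good change in itself: the test target no longer needs privileges or writes anything outside the tree.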
@@ -20,7 +20,7 @@ import (
 var testKeyHook = "test-key"
 var testContainerIDHook = "test-container-id"
 var testControllerIDHook = "test-controller-id"
-var testBinHookPath = "/usr/bin/virtcontainers/bin/test/hook"
+var testBinHookPath = "../../virtcontainers/hook/mock/hook"
 var testBundlePath = "/test/bundle"
 func getMockHookBinPath() string {
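Review bot: `testBinHookPath` now points at a build artefact, `../../virtcontainers/hook/mock/hook`, that only exists after `make hook` has been run in src/runtime, so a plain `go test ./...` fails the hook tests with an exec error rather than a clear message. In the tests that consume getMockHookBinPath's result (its body runs past the hunk), a guard such as `if _, err := os.Stat(testBinHookPath); err != nil { t.Skipf("mock hook not built (%v); run 'make hook' in src/runtime", err) }` would make the dependency explicit. The variable also deserves a comment: `// Built by "make hook"; relative to this package's directory, which is the cwd under "go test".`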