Merge pull request #3948 from Megan-Wright/CCv0

CCv0: Merge main into CCv0 branch
2025-08-21 17:34:31 +00:00 · 2022-03-24 09:45:11 +01:00 · 2022-03-24 09:45:11 +01:00 · 480c4d9716
commit 480c4d9716
parent fa3aced1ac ef8ba4bbec
23 changed files with 216 additions and 99 deletions
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@ -10,7 +10,7 @@ env:
  error_msg: |+
    See the document below for help on formatting commits for the project.

-    https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#patch-format
+    https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format

 jobs:
  commit-message-check:
--- a/docs/how-to/run-kata-with-k8s.md
+++ b/docs/how-to/run-kata-with-k8s.md
@ -104,26 +104,69 @@ $ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /run/containerd/c
 $ export KUBECONFIG=/etc/kubernetes/admin.conf
 ```

-You can force Kubelet to use Kata Containers by adding some `untrusted`
-annotation to your pod configuration. In our case, this ensures Kata
-Containers is the selected runtime to run the described workload.
+### Allow pods to run in the master node

-`nginx-untrusted.yaml`
-```yaml
-apiVersion: v1
-kind: Pod
+By default, the cluster will not schedule pods in the master node. To enable master node scheduling:
+```bash
+$ sudo -E kubectl taint nodes --all node-role.kubernetes.io/master-
+```
+
+### Create runtime class for Kata Containers
+
+Users can use [`RuntimeClass`](https://kubernetes.io/docs/concepts/containers/runtime-class/#runtime-class) to specify a different runtime for Pods.
+
+```bash
+$ cat > runtime.yaml <<EOF
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
 metadata:
-  name: nginx-untrusted
-  annotations:
-    io.kubernetes.cri.untrusted-workload: "true"
-spec:
-  containers:
+  name: kata
+handler: kata
+EOF
+
+$ sudo -E kubectl apply -f runtime.yaml
+```
+
+### Run pod in Kata Containers
+
+If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod with the
+[Kata Containers runtime](../../src/runtime/README.md).
+
+- Create an pod configuration that using Kata Containers runtime
+
+  ```bash
+  $ cat << EOF | tee nginx-kata.yaml
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    name: nginx-kata
+  spec:
+    runtimeClassName: kata
+    containers:
    - name: nginx
      image: nginx
-```

-Next, you run your pod:
-```
-$ sudo -E kubectl apply -f nginx-untrusted.yaml
-```
+  EOF
+  ```

+- Create the pod
+  ```bash
+  $ sudo -E kubectl apply -f nginx-kata.yaml
+  ```
+
+- Check pod is running
+
+  ```bash
+  $ sudo -E kubectl get pods
+  ```
+
+- Check hypervisor is running
+  ```bash
+  $ ps aux | grep qemu
+  ```
+
+### Delete created pod
+
+```bash
+$ sudo -E kubectl delete -f nginx-kata.yaml
+```
--- a/docs/use-cases/using-Intel-SGX-and-kata.md
+++ b/docs/use-cases/using-Intel-SGX-and-kata.md
@ -21,20 +21,7 @@ CONFIG_X86_SGX_KVM=y
   * [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images)

 > Note: Kata Containers supports creating VM sandboxes with Intel® SGX enabled
-> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) VMM only. QEMU support is waiting to get the
-> Intel SGX enabled QEMU upstream release.
-
-## Installation
-
-### Kata Containers Guest Kernel
-
-Follow the instructions to [setup](../../tools/packaging/kernel/README.md#setup-kernel-source-code) and [build](../../tools/packaging/kernel/README.md#build-the-kernel) the experimental guest kernel. Then, install as:
-
-```sh
-$ sudo cp kata-linux-experimental-*/vmlinux /opt/kata/share/kata-containers/vmlinux.sgx
-$ sudo sed -i 's|vmlinux.container|vmlinux.sgx|g' \
-  /opt/kata/share/defaults/kata-containers/configuration-clh.toml
-```
+> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) and [QEMU](https://www.qemu.org/) VMMs only.

 ### Kata Containers Configuration

@ -48,6 +35,8 @@ to the `sandbox` are: `["io.katacontainers.*", "sgx.intel.com/epc"]`.

 With the following sample job deployed using `kubectl apply -f`:

+> Note: Change the `runtimeClassName` option accordingly, only `kata-clh` and `kata-qemu` support Intel® SGX.
+
 ```yaml
 apiVersion: batch/v1
 kind: Job
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
@ -12,6 +12,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"

@ -1060,7 +1061,18 @@ func (c *Container) signalProcess(ctx context.Context, processID string, signal
 		return fmt.Errorf("Container not ready, running or paused, impossible to signal the container")
 	}

-	return c.sandbox.agent.signalProcess(ctx, c, processID, signal, all)
+	// kill(2) method can return ESRCH in certain cases, which is not handled by containerd cri server in container_stop.go.
+	// CRIO server also doesn't handle ESRCH. So kata runtime will swallow it here.
+	var err error
+	if err = c.sandbox.agent.signalProcess(ctx, c, processID, signal, all); err != nil &&
+		strings.Contains(err.Error(), "ESRCH: No such process") {
+		c.Logger().WithFields(logrus.Fields{
+			"container":  c.id,
+			"process-id": processID,
+		}).Warn("signal encounters ESRCH, process already finished")
+		return nil
+	}
+	return err
 }

 func (c *Container) winsizeProcess(ctx context.Context, processID string, height, width uint32) error {
--- a/src/runtime/virtcontainers/container_test.go
+++ b/src/runtime/virtcontainers/container_test.go
@ -86,7 +86,7 @@ func TestContainerRemoveDrive(t *testing.T) {
 	sandbox := &Sandbox{
 		ctx:        context.Background(),
 		id:         "sandbox",
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		config:     &SandboxConfig{},
 	}

@ -320,7 +320,7 @@ func TestContainerAddDriveDir(t *testing.T) {
 	sandbox := &Sandbox{
 		ctx:        context.Background(),
 		id:         testSandboxID,
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		hypervisor: &mockHypervisor{},
 		agent:      &mockAgent{},
 		config: &SandboxConfig{
--- a/src/runtime/virtcontainers/device/config/config.go
+++ b/src/runtime/virtcontainers/device/config/config.go
@ -51,7 +51,7 @@ const (
 	// VirtioBlock means use virtio-blk for hotplugging drives
 	VirtioBlock = "virtio-blk"

-	// VirtioBlockCCW means use virtio-blk for hotplugging drives
+	// VirtioBlockCCW means use virtio-blk-ccw for hotplugging drives
 	VirtioBlockCCW = "virtio-blk-ccw"

 	// VirtioSCSI means use virtio-scsi for hotplugging drives
@ -72,6 +72,12 @@ const (
 	VirtioFSNydus = "virtio-fs-nydus"
 )

+const (
+	// Define the string key for DriverOptions in DeviceInfo struct
+	FsTypeOpt      = "fstype"
+	BlockDriverOpt = "block-driver"
+)
+
 const (
 	// The OCI spec requires the major-minor number to be provided for a
 	// device. We have chosen the below major numbers to represent
@ -97,7 +103,7 @@ var getSysDevPath = getSysDevPathImpl
 // DeviceInfo is an embedded type that contains device data common to all types of devices.
 type DeviceInfo struct {
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string

 	// Hostpath is device path on host
--- a/src/runtime/virtcontainers/device/config/pmem.go
+++ b/src/runtime/virtcontainers/device/config/pmem.go
@ -81,8 +81,8 @@ func PmemDeviceInfo(source, destination string) (*DeviceInfo, error) {
 		fstype = "ext4"
 	}

-	pmemLog.WithField("fstype", fstype).Debug("filesystem for mount point")
-	device.DriverOptions["fstype"] = fstype
+	pmemLog.WithField(FsTypeOpt, fstype).Debug("filesystem for mount point")
+	device.DriverOptions[FsTypeOpt] = fstype

 	return device, nil
 }
--- a/src/runtime/virtcontainers/device/drivers/block.go
+++ b/src/runtime/virtcontainers/device/drivers/block.go
@ -70,13 +70,13 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		ReadOnly: device.DeviceInfo.ReadOnly,
 	}

-	if fs, ok := device.DeviceInfo.DriverOptions["fstype"]; ok {
+	if fs, ok := device.DeviceInfo.DriverOptions[config.FsTypeOpt]; ok {
 		drive.Format = fs
 	}

 	customOptions := device.DeviceInfo.DriverOptions
 	if customOptions == nil ||
-		customOptions["block-driver"] == "virtio-scsi" {
+		customOptions[config.BlockDriverOpt] == config.VirtioSCSI {
 		// User has not chosen a specific block device type
 		// Default to SCSI
 		scsiAddr, err := utils.GetSCSIAddress(index)
@ -85,15 +85,15 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		}

 		drive.SCSIAddr = scsiAddr
-	} else if customOptions["block-driver"] != "nvdimm" {
+	} else if customOptions[config.BlockDriverOpt] != config.Nvdimm {
 		var globalIdx int

-		switch customOptions["block-driver"] {
-		case "virtio-blk":
+		switch customOptions[config.BlockDriverOpt] {
+		case config.VirtioBlock:
 			globalIdx = index
-		case "virtio-blk-ccw":
+		case config.VirtioBlockCCW:
 			globalIdx = index
-		case "virtio-mmio":
+		case config.VirtioMmio:
 			//With firecracker the rootfs for the VM itself
 			//sits at /dev/vda and consumes the first index.
 			//Longer term block based VM rootfs should be added
@ -111,7 +111,7 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		drive.VirtPath = filepath.Join("/dev", driveName)
 	}

-	deviceLogger().WithField("device", device.DeviceInfo.HostPath).WithField("VirtPath", drive.VirtPath).Infof("Attaching %s device", customOptions["block-driver"])
+	deviceLogger().WithField("device", device.DeviceInfo.HostPath).WithField("VirtPath", drive.VirtPath).Infof("Attaching %s device", customOptions[config.BlockDriverOpt])
 	device.BlockDrive = drive
 	if err = devReceiver.HotplugAddDevice(ctx, device, config.DeviceBlock); err != nil {
 		return err
--- a/src/runtime/virtcontainers/device/drivers/vhost_user_blk.go
+++ b/src/runtime/virtcontainers/device/drivers/vhost_user_blk.go
@ -100,14 +100,14 @@ func isVirtioBlkBlockDriver(customOptions map[string]string) bool {
 	if customOptions == nil {
 		// User has not chosen a specific block device type
 		// Default to SCSI
-		blockDriverOption = "virtio-scsi"
+		blockDriverOption = config.VirtioSCSI
 	} else {
-		blockDriverOption = customOptions["block-driver"]
+		blockDriverOption = customOptions[config.BlockDriverOpt]
 	}

-	if blockDriverOption == "virtio-blk" ||
-		blockDriverOption == "virtio-blk-ccw" ||
-		blockDriverOption == "virtio-mmio" {
+	if blockDriverOption == config.VirtioBlock ||
+		blockDriverOption == config.VirtioBlockCCW ||
+		blockDriverOption == config.VirtioMmio {
 		return true
 	}

--- a/src/runtime/virtcontainers/device/manager/manager.go
+++ b/src/runtime/virtcontainers/device/manager/manager.go
@ -21,19 +21,6 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/utils"
 )

-const (
-	// VirtioMmio indicates block driver is virtio-mmio based
-	VirtioMmio string = "virtio-mmio"
-	// VirtioBlock indicates block driver is virtio-blk based
-	VirtioBlock string = "virtio-blk"
-	// VirtioBlockCCW indicates block driver is virtio-blk-ccw based
-	VirtioBlockCCW string = "virtio-blk-ccw"
-	// VirtioSCSI indicates block driver is virtio-scsi based
-	VirtioSCSI string = "virtio-scsi"
-	// Nvdimm indicates block driver is nvdimm based
-	Nvdimm string = "nvdimm"
-)
-
 var (
 	// ErrIDExhausted represents that devices are too many
 	// and no more IDs can be generated
@ -69,16 +56,16 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserStorePath:    vhostUserStorePath,
 		devices:               make(map[string]api.Device),
 	}
-	if blockDriver == VirtioMmio {
-		dm.blockDriver = VirtioMmio
-	} else if blockDriver == VirtioBlock {
-		dm.blockDriver = VirtioBlock
-	} else if blockDriver == Nvdimm {
-		dm.blockDriver = Nvdimm
-	} else if blockDriver == VirtioBlockCCW {
-		dm.blockDriver = VirtioBlockCCW
+	if blockDriver == config.VirtioMmio {
+		dm.blockDriver = config.VirtioMmio
+	} else if blockDriver == config.VirtioBlock {
+		dm.blockDriver = config.VirtioBlock
+	} else if blockDriver == config.Nvdimm {
+		dm.blockDriver = config.Nvdimm
+	} else if blockDriver == config.VirtioBlockCCW {
+		dm.blockDriver = config.VirtioBlockCCW
 	} else {
-		dm.blockDriver = VirtioSCSI
+		dm.blockDriver = config.VirtioSCSI
 	}

 	drivers.AllPCIeDevs = make(map[string]bool)
@ -132,13 +119,13 @@ func (dm *deviceManager) createDevice(devInfo config.DeviceInfo) (dev api.Device
 		if devInfo.DriverOptions == nil {
 			devInfo.DriverOptions = make(map[string]string)
 		}
-		devInfo.DriverOptions["block-driver"] = dm.blockDriver
+		devInfo.DriverOptions[config.BlockDriverOpt] = dm.blockDriver
 		return drivers.NewVhostUserBlkDevice(&devInfo), nil
 	} else if isBlock(devInfo) {
 		if devInfo.DriverOptions == nil {
 			devInfo.DriverOptions = make(map[string]string)
 		}
-		devInfo.DriverOptions["block-driver"] = dm.blockDriver
+		devInfo.DriverOptions[config.BlockDriverOpt] = dm.blockDriver
 		return drivers.NewBlockDevice(&devInfo), nil
 	} else {
 		deviceLogger().WithField("device", devInfo.HostPath).Info("Device has not been passed to the container")
--- a/src/runtime/virtcontainers/device/manager/manager_linux_test.go
+++ b/src/runtime/virtcontainers/device/manager/manager_linux_test.go
@ -31,7 +31,7 @@ func TestAttachVhostUserBlkDevice(t *testing.T) {

 	tmpDir, err := os.MkdirTemp("", "")
 	dm := &deviceManager{
-		blockDriver:           VirtioBlock,
+		blockDriver:           config.VirtioBlock,
 		devices:               make(map[string]api.Device),
 		vhostUserStoreEnabled: true,
 		vhostUserStorePath:    tmpDir,
--- a/src/runtime/virtcontainers/device/manager/manager_test.go
+++ b/src/runtime/virtcontainers/device/manager/manager_test.go
@ -26,7 +26,7 @@ const dirMode = os.FileMode(0750) | os.ModeDir

 func TestNewDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	savedSysDevPrefix := config.SysDevPrefix
@ -96,7 +96,7 @@ func TestNewDevice(t *testing.T) {

 func TestAttachVFIODevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	tmpDir, err := os.MkdirTemp("", "")
@ -155,7 +155,7 @@ func TestAttachVFIODevice(t *testing.T) {

 func TestAttachGenericDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	path := "/dev/tty2"
@ -180,7 +180,7 @@ func TestAttachGenericDevice(t *testing.T) {

 func TestAttachBlockDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	path := "/dev/hda"
@ -203,7 +203,7 @@ func TestAttachBlockDevice(t *testing.T) {
 	assert.Nil(t, err)

 	// test virtio SCSI driver
-	dm.blockDriver = VirtioSCSI
+	dm.blockDriver = config.VirtioSCSI
 	device, err = dm.NewDevice(deviceInfo)
 	assert.Nil(t, err)
 	err = device.Attach(context.Background(), devReceiver)
@ -214,7 +214,7 @@ func TestAttachBlockDevice(t *testing.T) {
 }

 func TestAttachDetachDevice(t *testing.T) {
-	dm := NewDeviceManager(VirtioSCSI, false, "", nil)
+	dm := NewDeviceManager(config.VirtioSCSI, false, "", nil)

 	path := "/dev/hda"
 	deviceInfo := config.DeviceInfo{
--- a/src/runtime/virtcontainers/documentation/api/1.0/api.md
+++ b/src/runtime/virtcontainers/documentation/api/1.0/api.md
@ -547,7 +547,7 @@ type DeviceInfo struct {
 	ID string

 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 }
 ```
@ -835,7 +835,7 @@ type DeviceInfo struct {
 	ID string

 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 }
 ```
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
@ -390,10 +390,10 @@ func TestHandleBlockVolume(t *testing.T) {
 	mounts = append(mounts, vMount, bMount, dMount)

 	tmpDir := "/vhost/user/dir"
-	dm := manager.NewDeviceManager(manager.VirtioBlock, true, tmpDir, devices)
+	dm := manager.NewDeviceManager(config.VirtioBlock, true, tmpDir, devices)

 	sConfig := SandboxConfig{}
-	sConfig.HypervisorConfig.BlockDeviceDriver = manager.VirtioBlock
+	sConfig.HypervisorConfig.BlockDeviceDriver = config.VirtioBlock
 	sandbox := Sandbox{
 		id:         "100",
 		containers: containers,
--- a/src/runtime/virtcontainers/persist/api/device.go
+++ b/src/runtime/virtcontainers/persist/api/device.go
@ -86,7 +86,7 @@ type VhostUserDeviceAttrs struct {
 // Refs: virtcontainers/device/drivers/generic.go:GenericDevice
 type DeviceState struct {
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string

 	// VhostUserDeviceAttrs is specific for vhost-user device driver
--- a/src/runtime/virtcontainers/persist_test.go
+++ b/src/runtime/virtcontainers/persist_test.go
@ -10,11 +10,11 @@ import (
 	"os"
 	"testing"

-	"github.com/stretchr/testify/assert"
-
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/manager"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
+	"github.com/stretchr/testify/assert"
 )

 func TestSandboxRestore(t *testing.T) {
@ -32,7 +32,7 @@ func TestSandboxRestore(t *testing.T) {
 	sandbox := Sandbox{
 		id:         "test-exp",
 		containers: container,
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		hypervisor: &mockHypervisor{},
 		network:    network,
 		ctx:        context.Background(),
--- a/src/runtime/virtcontainers/sandbox_test.go
+++ b/src/runtime/virtcontainers/sandbox_test.go
@ -548,7 +548,7 @@ func TestSandboxAttachDevicesVFIO(t *testing.T) {
 		config.SysIOMMUPath = savedIOMMUPath
 	}()

-	dm := manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil)
+	dm := manager.NewDeviceManager(config.VirtioSCSI, false, "", nil)
 	path := filepath.Join(vfioPath, testFDIOGroup)
 	deviceInfo := config.DeviceInfo{
 		HostPath:      path,
@ -599,7 +599,7 @@ func TestSandboxAttachDevicesVhostUserBlk(t *testing.T) {
 	tmpDir, err := os.MkdirTemp("", "")
 	assert.Nil(t, err)
 	os.RemoveAll(tmpDir)
-	dm := manager.NewDeviceManager(manager.VirtioSCSI, true, tmpDir, nil)
+	dm := manager.NewDeviceManager(config.VirtioSCSI, true, tmpDir, nil)

 	vhostUserDevNodePath := filepath.Join(tmpDir, "/block/devices/")
 	vhostUserSockPath := filepath.Join(tmpDir, "/block/sockets/")
--- a/src/runtime/virtcontainers/utils/utils.go
+++ b/src/runtime/virtcontainers/utils/utils.go
@ -321,6 +321,7 @@ func WaitLocalProcess(pid int, timeoutSecs uint, initialSignal syscall.Signal, l
 	if initialSignal != syscall.Signal(0) {
 		if err = syscall.Kill(pid, initialSignal); err != nil {
 			if err == syscall.ESRCH {
+				logger.WithField("pid", pid).Warnf("kill encounters ESRCH, process already finished")
 				return nil
 			}

--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -651,12 +651,12 @@ EOF

 		container_registries_dir="${ROOTFS_DIR}/etc/containers/registries.d"
 		mkdir -p ${container_registries_dir}
-	cat << EOT | tee ${container_registries_dir}/quay.io.yaml
+	cat << EOF | tee ${container_registries_dir}/quay.io.yaml
 docker:
    quay.io/kata-containers/confidential-containers:
        sigstore: file://${rootfs_quay_verification_directory}/signatures
        sigstore-staging: file://${rootfs_quay_verification_directory}/signatures
-EOT
+EOF
 	fi

    if [ -n "${AA_KBC}" ]; then
--- a/tools/packaging/qemu/patches/6.2.x/Revert-target-ppc-Move-SPR_DSISR-setting-to-powerpc_excp.patch
+++ b/tools/packaging/qemu/patches/6.2.x/Revert-target-ppc-Move-SPR_DSISR-setting-to-powerpc_excp.patch
@ -0,0 +1,81 @@
+From 29c4a3363bf287bb9a7b0342b1bc2dba3661c96c Mon Sep 17 00:00:00 2001
+From: Fabiano Rosas <farosas@linux.ibm.com>
+Date: Fri, 17 Dec 2021 17:57:18 +0100
+Subject: [PATCH] Revert "target/ppc: Move SPR_DSISR setting to powerpc_excp"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 336e91f85332dda0ede4c1d15b87a19a0fb898a2.
+
+It breaks the --disable-tcg build:
+
+ ../target/ppc/excp_helper.c:463:29: error: implicit declaration of
+ function ‘cpu_ldl_code’ [-Werror=implicit-function-declaration]
+
+We should not have TCG code in powerpc_excp because some kvm-only
+routines use it indirectly to dispatch interrupts. See
+kvm_handle_debug, spapr_mce_req_event and
+spapr_do_system_reset_on_cpu.
+
+We can re-introduce the change once we have split the interrupt
+injection code between KVM and TCG.
+
+Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
+Message-Id: <20211209173323.2166642-1-farosas@linux.ibm.com>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+---
+ target/ppc/excp_helper.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
+index feb3fd42e2..6ba0840e99 100644
+--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
+@@ -464,15 +464,13 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
+         break;
+     }
+     case POWERPC_EXCP_ALIGN:     /* Alignment exception                      */
+        /* Get rS/rD and rA from faulting opcode */
+         /*
+-         * Get rS/rD and rA from faulting opcode.
+-         * Note: We will only invoke ALIGN for atomic operations,
+-         * so all instructions are X-form.
+         * Note: the opcode fields will not be set properly for a
+         * direct store load/store, but nobody cares as nobody
+         * actually uses direct store segments.
+          */
+-        {
+-            uint32_t insn = cpu_ldl_code(env, env->nip);
+-            env->spr[SPR_DSISR] |= (insn & 0x03FF0000) >> 16;
+-        }
+        env->spr[SPR_DSISR] |= (env->error_code & 0x03FF0000) >> 16;
+         break;
+     case POWERPC_EXCP_PROGRAM:   /* Program exception                        */
+         switch (env->error_code & ~0xF) {
+@@ -1441,6 +1439,11 @@ void ppc_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
+                                  int mmu_idx, uintptr_t retaddr)
+ {
+     CPUPPCState *env = cs->env_ptr;
+    uint32_t insn;
+
+    /* Restore state and reload the insn we executed, for filling in DSISR.  */
+    cpu_restore_state(cs, retaddr, true);
+    insn = cpu_ldl_code(env, env->nip);
+ 
+     switch (env->mmu_model) {
+     case POWERPC_MMU_SOFT_4xx:
+@@ -1456,8 +1459,8 @@ void ppc_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
+     }
+ 
+     cs->exception_index = POWERPC_EXCP_ALIGN;
+-    env->error_code = 0;
+-    cpu_loop_exit_restore(cs, retaddr);
+    env->error_code = insn & 0x03FF0000;
+    cpu_loop_exit(cs);
+ }
+ #endif /* CONFIG_TCG */
+ #endif /* !CONFIG_USER_ONLY */
+-- 
+GitLab
+
--- a/tools/packaging/qemu/patches/tag_patches/v6.2.0/no_patches.txt
+++ b/tools/packaging/qemu/patches/tag_patches/v6.2.0/no_patches.txt
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@ -250,7 +250,6 @@ generate_qemu_options() {
 	qemu_options+=(size:--disable-auth-pam)

 	# Disable unused filesystem support
-	[ "$arch" == x86_64 ] && qemu_options+=(size:--disable-fdt)
 	qemu_options+=(size:--disable-glusterfs)
 	qemu_options+=(size:--disable-libiscsi)
 	qemu_options+=(size:--disable-libnfs)
@ -303,7 +302,6 @@ generate_qemu_options() {
 		;;
 	esac
 	qemu_options+=(size:--disable-qom-cast-debug)
-	qemu_options+=(size:--disable-tcmalloc)

 	# Disable libudev since it is only needed for qemu-pr-helper and USB,
 	# none of which are used with Kata
--- a/versions.yaml
+++ b/versions.yaml
@ -88,8 +88,8 @@ assets:
    qemu:
      description: "VMM that uses KVM"
      url: "https://github.com/qemu/qemu"
-      version: "v6.1.0"
-      tag: "v6.1.0"
+      version: "v6.2.0"
+      tag: "v6.2.0"
      # Do not include any non-full release versions
      # Break the line *without CR or space being appended*, to appease
      # yamllint, and note the deliberate ' ' at the end of the expression.