Merge pull request #3948 from Megan-Wright/CCv0

CCv0: Merge main into CCv0 branch
2025-08-22 01:43:04 +00:00 · 2022-03-24 09:45:11 +01:00 · 2022-03-24 09:45:11 +01:00 · 480c4d9716
commit 480c4d9716
parent fa3aced1ac ef8ba4bbec
23 changed files with 216 additions and 99 deletions
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@ -10,7 +10,7 @@ env:
  error_msg: |+
    See the document below for help on formatting commits for the project.
-    https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#patch-format
+    https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
 jobs:
  commit-message-check:
--- a/docs/how-to/run-kata-with-k8s.md
+++ b/docs/how-to/run-kata-with-k8s.md
@ -104,26 +104,69 @@ $ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /run/containerd/c
 $ export KUBECONFIG=/etc/kubernetes/admin.conf
 ```
-You can force Kubelet to use Kata Containers by adding some `untrusted`
+### Allow pods to run in the master node
 annotation to your pod configuration. In our case, this ensures Kata
 Containers is the selected runtime to run the described workload.
-`nginx-untrusted.yaml`
+By default, the cluster will not schedule pods in the master node. To enable master node scheduling:
-```yaml
+```bash
-apiVersion: v1
+$ sudo -E kubectl taint nodes --all node-role.kubernetes.io/master-
-kind: Pod
+```
 ### Create runtime class for Kata Containers
 Users can use [`RuntimeClass`](https://kubernetes.io/docs/concepts/containers/runtime-class/#runtime-class) to specify a different runtime for Pods.
 ```bash
 $ cat > runtime.yaml <<EOF
 apiVersion: node.k8s.io/v1
 kind: RuntimeClass
 metadata:
-  name: nginx-untrusted
+  name: kata
-  annotations:
+handler: kata
-    io.kubernetes.cri.untrusted-workload: "true"
+EOF
-spec:
+
-  containers:
+$ sudo -E kubectl apply -f runtime.yaml
 ```
 ### Run pod in Kata Containers
 If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod with the
 [Kata Containers runtime](../../src/runtime/README.md).
 - Create an pod configuration that using Kata Containers runtime
  ```bash
  $ cat << EOF | tee nginx-kata.yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx-kata
  spec:
    runtimeClassName: kata
    containers:
    - name: nginx
      image: nginx
 ```
-Next, you run your pod:
+  EOF
-```
+  ```
 $ sudo -E kubectl apply -f nginx-untrusted.yaml
 ```
 - Create the pod
  ```bash
  $ sudo -E kubectl apply -f nginx-kata.yaml
  ```
 - Check pod is running
  ```bash
  $ sudo -E kubectl get pods
  ```
 - Check hypervisor is running
  ```bash
  $ ps aux | grep qemu
  ```
 ### Delete created pod
 ```bash
 $ sudo -E kubectl delete -f nginx-kata.yaml
 ```
--- a/docs/use-cases/using-Intel-SGX-and-kata.md
+++ b/docs/use-cases/using-Intel-SGX-and-kata.md
@ -21,20 +21,7 @@ CONFIG_X86_SGX_KVM=y
   * [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images)
 > Note: Kata Containers supports creating VM sandboxes with Intel® SGX enabled
-> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) VMM only. QEMU support is waiting to get the
+> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) and [QEMU](https://www.qemu.org/) VMMs only.
 > Intel SGX enabled QEMU upstream release.
 ## Installation
 ### Kata Containers Guest Kernel
 Follow the instructions to [setup](../../tools/packaging/kernel/README.md#setup-kernel-source-code) and [build](../../tools/packaging/kernel/README.md#build-the-kernel) the experimental guest kernel. Then, install as:
 ```sh
 $ sudo cp kata-linux-experimental-*/vmlinux /opt/kata/share/kata-containers/vmlinux.sgx
 $ sudo sed -i 's|vmlinux.container|vmlinux.sgx|g' \
  /opt/kata/share/defaults/kata-containers/configuration-clh.toml
 ```
 ### Kata Containers Configuration
@ -48,6 +35,8 @@ to the `sandbox` are: `["io.katacontainers.*", "sgx.intel.com/epc"]`.
 With the following sample job deployed using `kubectl apply -f`:
 > Note: Change the `runtimeClassName` option accordingly, only `kata-clh` and `kata-qemu` support Intel® SGX.
 ```yaml
 apiVersion: batch/v1
 kind: Job
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
@ -12,6 +12,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
@ -1060,7 +1061,18 @@ func (c *Container) signalProcess(ctx context.Context, processID string, signal
 		return fmt.Errorf("Container not ready, running or paused, impossible to signal the container")
 	}
-	return c.sandbox.agent.signalProcess(ctx, c, processID, signal, all)
+	// kill(2) method can return ESRCH in certain cases, which is not handled by containerd cri server in container_stop.go.
 	// CRIO server also doesn't handle ESRCH. So kata runtime will swallow it here.
 	var err error
 	if err = c.sandbox.agent.signalProcess(ctx, c, processID, signal, all); err != nil &&
 		strings.Contains(err.Error(), "ESRCH: No such process") {
 		c.Logger().WithFields(logrus.Fields{
 			"container":  c.id,
 			"process-id": processID,
 		}).Warn("signal encounters ESRCH, process already finished")
 		return nil
 	}
 	return err
 }
 func (c *Container) winsizeProcess(ctx context.Context, processID string, height, width uint32) error {
--- a/src/runtime/virtcontainers/container_test.go
+++ b/src/runtime/virtcontainers/container_test.go
@ -86,7 +86,7 @@ func TestContainerRemoveDrive(t *testing.T) {
 	sandbox := &Sandbox{
 		ctx:        context.Background(),
 		id:         "sandbox",
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		config:     &SandboxConfig{},
 	}
@ -320,7 +320,7 @@ func TestContainerAddDriveDir(t *testing.T) {
 	sandbox := &Sandbox{
 		ctx:        context.Background(),
 		id:         testSandboxID,
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		hypervisor: &mockHypervisor{},
 		agent:      &mockAgent{},
 		config: &SandboxConfig{
--- a/src/runtime/virtcontainers/device/config/config.go
+++ b/src/runtime/virtcontainers/device/config/config.go
@ -51,7 +51,7 @@ const (
 	// VirtioBlock means use virtio-blk for hotplugging drives
 	VirtioBlock = "virtio-blk"
-	// VirtioBlockCCW means use virtio-blk for hotplugging drives
+	// VirtioBlockCCW means use virtio-blk-ccw for hotplugging drives
 	VirtioBlockCCW = "virtio-blk-ccw"
 	// VirtioSCSI means use virtio-scsi for hotplugging drives
@ -72,6 +72,12 @@ const (
 	VirtioFSNydus = "virtio-fs-nydus"
 )
 const (
 	// Define the string key for DriverOptions in DeviceInfo struct
 	FsTypeOpt      = "fstype"
 	BlockDriverOpt = "block-driver"
 )
 const (
 	// The OCI spec requires the major-minor number to be provided for a
 	// device. We have chosen the below major numbers to represent
@ -97,7 +103,7 @@ var getSysDevPath = getSysDevPathImpl
 // DeviceInfo is an embedded type that contains device data common to all types of devices.
 type DeviceInfo struct {
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 	// Hostpath is device path on host
--- a/src/runtime/virtcontainers/device/config/pmem.go
+++ b/src/runtime/virtcontainers/device/config/pmem.go
@ -81,8 +81,8 @@ func PmemDeviceInfo(source, destination string) (*DeviceInfo, error) {
 		fstype = "ext4"
 	}
-	pmemLog.WithField("fstype", fstype).Debug("filesystem for mount point")
+	pmemLog.WithField(FsTypeOpt, fstype).Debug("filesystem for mount point")
-	device.DriverOptions["fstype"] = fstype
+	device.DriverOptions[FsTypeOpt] = fstype
 	return device, nil
 }
--- a/src/runtime/virtcontainers/device/drivers/block.go
+++ b/src/runtime/virtcontainers/device/drivers/block.go
@ -70,13 +70,13 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		ReadOnly: device.DeviceInfo.ReadOnly,
 	}
-	if fs, ok := device.DeviceInfo.DriverOptions["fstype"]; ok {
+	if fs, ok := device.DeviceInfo.DriverOptions[config.FsTypeOpt]; ok {
 		drive.Format = fs
 	}
 	customOptions := device.DeviceInfo.DriverOptions
 	if customOptions == nil ||
-		customOptions["block-driver"] == "virtio-scsi" {
+		customOptions[config.BlockDriverOpt] == config.VirtioSCSI {
 		// User has not chosen a specific block device type
 		// Default to SCSI
 		scsiAddr, err := utils.GetSCSIAddress(index)
@ -85,15 +85,15 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		}
 		drive.SCSIAddr = scsiAddr
-	} else if customOptions["block-driver"] != "nvdimm" {
+	} else if customOptions[config.BlockDriverOpt] != config.Nvdimm {
 		var globalIdx int
-		switch customOptions["block-driver"] {
+		switch customOptions[config.BlockDriverOpt] {
-		case "virtio-blk":
+		case config.VirtioBlock:
 			globalIdx = index
-		case "virtio-blk-ccw":
+		case config.VirtioBlockCCW:
 			globalIdx = index
-		case "virtio-mmio":
+		case config.VirtioMmio:
 			//With firecracker the rootfs for the VM itself
 			//sits at /dev/vda and consumes the first index.
 			//Longer term block based VM rootfs should be added
@ -111,7 +111,7 @@ func (device *BlockDevice) Attach(ctx context.Context, devReceiver api.DeviceRec
 		drive.VirtPath = filepath.Join("/dev", driveName)
 	}
-	deviceLogger().WithField("device", device.DeviceInfo.HostPath).WithField("VirtPath", drive.VirtPath).Infof("Attaching %s device", customOptions["block-driver"])
+	deviceLogger().WithField("device", device.DeviceInfo.HostPath).WithField("VirtPath", drive.VirtPath).Infof("Attaching %s device", customOptions[config.BlockDriverOpt])
 	device.BlockDrive = drive
 	if err = devReceiver.HotplugAddDevice(ctx, device, config.DeviceBlock); err != nil {
 		return err
--- a/src/runtime/virtcontainers/device/drivers/vhost_user_blk.go
+++ b/src/runtime/virtcontainers/device/drivers/vhost_user_blk.go
@ -100,14 +100,14 @@ func isVirtioBlkBlockDriver(customOptions map[string]string) bool {
 	if customOptions == nil {
 		// User has not chosen a specific block device type
 		// Default to SCSI
-		blockDriverOption = "virtio-scsi"
+		blockDriverOption = config.VirtioSCSI
 	} else {
-		blockDriverOption = customOptions["block-driver"]
+		blockDriverOption = customOptions[config.BlockDriverOpt]
 	}
-	if blockDriverOption == "virtio-blk" ||
+	if blockDriverOption == config.VirtioBlock ||
-		blockDriverOption == "virtio-blk-ccw" ||
+		blockDriverOption == config.VirtioBlockCCW ||
-		blockDriverOption == "virtio-mmio" {
+		blockDriverOption == config.VirtioMmio {
 		return true
 	}
--- a/src/runtime/virtcontainers/device/manager/manager.go
+++ b/src/runtime/virtcontainers/device/manager/manager.go
@ -21,19 +21,6 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/utils"
 )
 const (
 	// VirtioMmio indicates block driver is virtio-mmio based
 	VirtioMmio string = "virtio-mmio"
 	// VirtioBlock indicates block driver is virtio-blk based
 	VirtioBlock string = "virtio-blk"
 	// VirtioBlockCCW indicates block driver is virtio-blk-ccw based
 	VirtioBlockCCW string = "virtio-blk-ccw"
 	// VirtioSCSI indicates block driver is virtio-scsi based
 	VirtioSCSI string = "virtio-scsi"
 	// Nvdimm indicates block driver is nvdimm based
 	Nvdimm string = "nvdimm"
 )
 var (
 	// ErrIDExhausted represents that devices are too many
 	// and no more IDs can be generated
@ -69,16 +56,16 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserStorePath:    vhostUserStorePath,
 		devices:               make(map[string]api.Device),
 	}
-	if blockDriver == VirtioMmio {
+	if blockDriver == config.VirtioMmio {
-		dm.blockDriver = VirtioMmio
+		dm.blockDriver = config.VirtioMmio
-	} else if blockDriver == VirtioBlock {
+	} else if blockDriver == config.VirtioBlock {
-		dm.blockDriver = VirtioBlock
+		dm.blockDriver = config.VirtioBlock
-	} else if blockDriver == Nvdimm {
+	} else if blockDriver == config.Nvdimm {
-		dm.blockDriver = Nvdimm
+		dm.blockDriver = config.Nvdimm
-	} else if blockDriver == VirtioBlockCCW {
+	} else if blockDriver == config.VirtioBlockCCW {
-		dm.blockDriver = VirtioBlockCCW
+		dm.blockDriver = config.VirtioBlockCCW
 	} else {
-		dm.blockDriver = VirtioSCSI
+		dm.blockDriver = config.VirtioSCSI
 	}
 	drivers.AllPCIeDevs = make(map[string]bool)
@ -132,13 +119,13 @@ func (dm *deviceManager) createDevice(devInfo config.DeviceInfo) (dev api.Device
 		if devInfo.DriverOptions == nil {
 			devInfo.DriverOptions = make(map[string]string)
 		}
-		devInfo.DriverOptions["block-driver"] = dm.blockDriver
+		devInfo.DriverOptions[config.BlockDriverOpt] = dm.blockDriver
 		return drivers.NewVhostUserBlkDevice(&devInfo), nil
 	} else if isBlock(devInfo) {
 		if devInfo.DriverOptions == nil {
 			devInfo.DriverOptions = make(map[string]string)
 		}
-		devInfo.DriverOptions["block-driver"] = dm.blockDriver
+		devInfo.DriverOptions[config.BlockDriverOpt] = dm.blockDriver
 		return drivers.NewBlockDevice(&devInfo), nil
 	} else {
 		deviceLogger().WithField("device", devInfo.HostPath).Info("Device has not been passed to the container")
--- a/src/runtime/virtcontainers/device/manager/manager_linux_test.go
+++ b/src/runtime/virtcontainers/device/manager/manager_linux_test.go
@ -31,7 +31,7 @@ func TestAttachVhostUserBlkDevice(t *testing.T) {
 	tmpDir, err := os.MkdirTemp("", "")
 	dm := &deviceManager{
-		blockDriver:           VirtioBlock,
+		blockDriver:           config.VirtioBlock,
 		devices:               make(map[string]api.Device),
 		vhostUserStoreEnabled: true,
 		vhostUserStorePath:    tmpDir,
--- a/src/runtime/virtcontainers/device/manager/manager_test.go
+++ b/src/runtime/virtcontainers/device/manager/manager_test.go
@ -26,7 +26,7 @@ const dirMode = os.FileMode(0750) | os.ModeDir
 func TestNewDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	savedSysDevPrefix := config.SysDevPrefix
@ -96,7 +96,7 @@ func TestNewDevice(t *testing.T) {
 func TestAttachVFIODevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	tmpDir, err := os.MkdirTemp("", "")
@ -155,7 +155,7 @@ func TestAttachVFIODevice(t *testing.T) {
 func TestAttachGenericDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	path := "/dev/tty2"
@ -180,7 +180,7 @@ func TestAttachGenericDevice(t *testing.T) {
 func TestAttachBlockDevice(t *testing.T) {
 	dm := &deviceManager{
-		blockDriver: VirtioBlock,
+		blockDriver: config.VirtioBlock,
 		devices:     make(map[string]api.Device),
 	}
 	path := "/dev/hda"
@ -203,7 +203,7 @@ func TestAttachBlockDevice(t *testing.T) {
 	assert.Nil(t, err)
 	// test virtio SCSI driver
-	dm.blockDriver = VirtioSCSI
+	dm.blockDriver = config.VirtioSCSI
 	device, err = dm.NewDevice(deviceInfo)
 	assert.Nil(t, err)
 	err = device.Attach(context.Background(), devReceiver)
@ -214,7 +214,7 @@ func TestAttachBlockDevice(t *testing.T) {
 }
 func TestAttachDetachDevice(t *testing.T) {
-	dm := NewDeviceManager(VirtioSCSI, false, "", nil)
+	dm := NewDeviceManager(config.VirtioSCSI, false, "", nil)
 	path := "/dev/hda"
 	deviceInfo := config.DeviceInfo{
--- a/src/runtime/virtcontainers/documentation/api/1.0/api.md
+++ b/src/runtime/virtcontainers/documentation/api/1.0/api.md
@ -547,7 +547,7 @@ type DeviceInfo struct {
 	ID string
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 }
 ```
@ -835,7 +835,7 @@ type DeviceInfo struct {
 	ID string
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 }
 ```
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
@ -390,10 +390,10 @@ func TestHandleBlockVolume(t *testing.T) {
 	mounts = append(mounts, vMount, bMount, dMount)
 	tmpDir := "/vhost/user/dir"
-	dm := manager.NewDeviceManager(manager.VirtioBlock, true, tmpDir, devices)
+	dm := manager.NewDeviceManager(config.VirtioBlock, true, tmpDir, devices)
 	sConfig := SandboxConfig{}
-	sConfig.HypervisorConfig.BlockDeviceDriver = manager.VirtioBlock
+	sConfig.HypervisorConfig.BlockDeviceDriver = config.VirtioBlock
 	sandbox := Sandbox{
 		id:         "100",
 		containers: containers,
--- a/src/runtime/virtcontainers/persist/api/device.go
+++ b/src/runtime/virtcontainers/persist/api/device.go
@ -86,7 +86,7 @@ type VhostUserDeviceAttrs struct {
 // Refs: virtcontainers/device/drivers/generic.go:GenericDevice
 type DeviceState struct {
 	// DriverOptions is specific options for each device driver
-	// for example, for BlockDevice, we can set DriverOptions["blockDriver"]="virtio-blk"
+	// for example, for BlockDevice, we can set DriverOptions["block-driver"]="virtio-blk"
 	DriverOptions map[string]string
 	// VhostUserDeviceAttrs is specific for vhost-user device driver
--- a/src/runtime/virtcontainers/persist_test.go
+++ b/src/runtime/virtcontainers/persist_test.go
@ -10,11 +10,11 @@ import (
 	"os"
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/manager"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
 	"github.com/stretchr/testify/assert"
 )
 func TestSandboxRestore(t *testing.T) {
@ -32,7 +32,7 @@ func TestSandboxRestore(t *testing.T) {
 	sandbox := Sandbox{
 		id:         "test-exp",
 		containers: container,
-		devManager: manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil),
+		devManager: manager.NewDeviceManager(config.VirtioSCSI, false, "", nil),
 		hypervisor: &mockHypervisor{},
 		network:    network,
 		ctx:        context.Background(),
--- a/src/runtime/virtcontainers/sandbox_test.go
+++ b/src/runtime/virtcontainers/sandbox_test.go
@ -548,7 +548,7 @@ func TestSandboxAttachDevicesVFIO(t *testing.T) {
 		config.SysIOMMUPath = savedIOMMUPath
 	}()
-	dm := manager.NewDeviceManager(manager.VirtioSCSI, false, "", nil)
+	dm := manager.NewDeviceManager(config.VirtioSCSI, false, "", nil)
 	path := filepath.Join(vfioPath, testFDIOGroup)
 	deviceInfo := config.DeviceInfo{
 		HostPath:      path,
@ -599,7 +599,7 @@ func TestSandboxAttachDevicesVhostUserBlk(t *testing.T) {
 	tmpDir, err := os.MkdirTemp("", "")
 	assert.Nil(t, err)
 	os.RemoveAll(tmpDir)
-	dm := manager.NewDeviceManager(manager.VirtioSCSI, true, tmpDir, nil)
+	dm := manager.NewDeviceManager(config.VirtioSCSI, true, tmpDir, nil)
 	vhostUserDevNodePath := filepath.Join(tmpDir, "/block/devices/")
 	vhostUserSockPath := filepath.Join(tmpDir, "/block/sockets/")
--- a/src/runtime/virtcontainers/utils/utils.go
+++ b/src/runtime/virtcontainers/utils/utils.go
@ -321,6 +321,7 @@ func WaitLocalProcess(pid int, timeoutSecs uint, initialSignal syscall.Signal, l
 	if initialSignal != syscall.Signal(0) {
 		if err = syscall.Kill(pid, initialSignal); err != nil {
 			if err == syscall.ESRCH {
 				logger.WithField("pid", pid).Warnf("kill encounters ESRCH, process already finished")
 				return nil
 			}
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -651,12 +651,12 @@ EOF
 		container_registries_dir="${ROOTFS_DIR}/etc/containers/registries.d"
 		mkdir -p ${container_registries_dir}
-	cat << EOT | tee ${container_registries_dir}/quay.io.yaml
+	cat << EOF | tee ${container_registries_dir}/quay.io.yaml
 docker:
    quay.io/kata-containers/confidential-containers:
        sigstore: file://${rootfs_quay_verification_directory}/signatures
        sigstore-staging: file://${rootfs_quay_verification_directory}/signatures
-EOT
+EOF
 	fi
    if [ -n "${AA_KBC}" ]; then
--- a/tools/packaging/qemu/patches/6.2.x/Revert-target-ppc-Move-SPR_DSISR-setting-to-powerpc_excp.patch
+++ b/tools/packaging/qemu/patches/6.2.x/Revert-target-ppc-Move-SPR_DSISR-setting-to-powerpc_excp.patch
@ -0,0 +1,81 @@
 From 29c4a3363bf287bb9a7b0342b1bc2dba3661c96c Mon Sep 17 00:00:00 2001
 From: Fabiano Rosas <farosas@linux.ibm.com>
 Date: Fri, 17 Dec 2021 17:57:18 +0100
 Subject: [PATCH] Revert "target/ppc: Move SPR_DSISR setting to powerpc_excp"
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This reverts commit 336e91f85332dda0ede4c1d15b87a19a0fb898a2.
 It breaks the --disable-tcg build:
 ../target/ppc/excp_helper.c:463:29: error: implicit declaration of
 function ‘cpu_ldl_code’ [-Werror=implicit-function-declaration]
 We should not have TCG code in powerpc_excp because some kvm-only
 routines use it indirectly to dispatch interrupts. See
 kvm_handle_debug, spapr_mce_req_event and
 spapr_do_system_reset_on_cpu.
 We can re-introduce the change once we have split the interrupt
 injection code between KVM and TCG.
 Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
 Message-Id: <20211209173323.2166642-1-farosas@linux.ibm.com>
 Signed-off-by: Cédric Le Goater <clg@kaod.org>
 ---
 target/ppc/excp_helper.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
 diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
 index feb3fd42e2..6ba0840e99 100644
 --- a/target/ppc/excp_helper.c
 +++ b/target/ppc/excp_helper.c
@@ -464,15 +464,13 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
         break;
     }
     case POWERPC_EXCP_ALIGN:     /* Alignment exception                      */
 +        /* Get rS/rD and rA from faulting opcode */
         /*
 -         * Get rS/rD and rA from faulting opcode.
 -         * Note: We will only invoke ALIGN for atomic operations,
 -         * so all instructions are X-form.
 +         * Note: the opcode fields will not be set properly for a
 +         * direct store load/store, but nobody cares as nobody
 +         * actually uses direct store segments.
          */
 -        {
 -            uint32_t insn = cpu_ldl_code(env, env->nip);
 -            env->spr[SPR_DSISR] |= (insn & 0x03FF0000) >> 16;
 -        }
 +        env->spr[SPR_DSISR] |= (env->error_code & 0x03FF0000) >> 16;
         break;
     case POWERPC_EXCP_PROGRAM:   /* Program exception                        */
         switch (env->error_code & ~0xF) {
@@ -1441,6 +1439,11 @@ void ppc_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
                                  int mmu_idx, uintptr_t retaddr)
 {
     CPUPPCState *env = cs->env_ptr;
 +    uint32_t insn;
 +
 +    /* Restore state and reload the insn we executed, for filling in DSISR.  */
 +    cpu_restore_state(cs, retaddr, true);
 +    insn = cpu_ldl_code(env, env->nip);
     switch (env->mmu_model) {
     case POWERPC_MMU_SOFT_4xx:
@@ -1456,8 +1459,8 @@ void ppc_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
     }
     cs->exception_index = POWERPC_EXCP_ALIGN;
 -    env->error_code = 0;
 -    cpu_loop_exit_restore(cs, retaddr);
 +    env->error_code = insn & 0x03FF0000;
 +    cpu_loop_exit(cs);
 }
 #endif /* CONFIG_TCG */
 #endif /* !CONFIG_USER_ONLY */
 -- 
 GitLab
--- a/tools/packaging/qemu/patches/tag_patches/v6.2.0/no_patches.txt
+++ b/tools/packaging/qemu/patches/tag_patches/v6.2.0/no_patches.txt
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@ -250,7 +250,6 @@ generate_qemu_options() {
 	qemu_options+=(size:--disable-auth-pam)
 	# Disable unused filesystem support
 	[ "$arch" == x86_64 ] && qemu_options+=(size:--disable-fdt)
 	qemu_options+=(size:--disable-glusterfs)
 	qemu_options+=(size:--disable-libiscsi)
 	qemu_options+=(size:--disable-libnfs)
@ -303,7 +302,6 @@ generate_qemu_options() {
 		;;
 	esac
 	qemu_options+=(size:--disable-qom-cast-debug)
 	qemu_options+=(size:--disable-tcmalloc)
 	# Disable libudev since it is only needed for qemu-pr-helper and USB,
 	# none of which are used with Kata
--- a/versions.yaml
+++ b/versions.yaml
@ -88,8 +88,8 @@ assets:
    qemu:
      description: "VMM that uses KVM"
      url: "https://github.com/qemu/qemu"
-      version: "v6.1.0"
+      version: "v6.2.0"
-      tag: "v6.1.0"
+      tag: "v6.2.0"
      # Do not include any non-full release versions
      # Break the line *without CR or space being appended*, to appease
      # yamllint, and note the deliberate ' ' at the end of the expression.