diff --git a/Makefile b/Makefile
index 6caced7c3a..43b45150c3 100644
--- a/Makefile
+++ b/Makefile
@@ -116,6 +116,7 @@ CONFIG_FILE = configuration.toml
 HYPERVISOR_ACRN = acrn
 HYPERVISOR_FC = firecracker
+JAILER_FC = jailer
 HYPERVISOR_NEMU = nemu
 HYPERVISOR_QEMU = qemu
@@ -130,6 +131,7 @@ QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
 NEMUPATH := $(NEMUBINDIR)/$(NEMUCMD)
 FCPATH = $(FCBINDIR)/$(FCCMD)
+FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)
 ACRNPATH := $(ACRNBINDIR)/$(ACRNCMD)
 ACRNCTLPATH := $(ACRNBINDIR)/$(ACRNCTLCMD)
@@ -355,6 +357,7 @@ USER_VARS += ACRNPATH
 USER_VARS += ACRNCTLPATH
 USER_VARS += FCCMD
 USER_VARS += FCPATH
+USER_VARS += FCJAILERPATH
 USER_VARS += NEMUCMD
 USER_VARS += NEMUPATH
 USER_VARS += SYSCONFIG
@@ -516,6 +519,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 -e "s|@CONFIG_FC_IN@|$(CONFIG_FC_IN)|g" \
 -e "s|@CONFIG_PATH@|$(CONFIG_PATH)|g" \
 -e "s|@FCPATH@|$(FCPATH)|g" \
+ -e "s|@FCJAILERPATH@|$(FCJAILERPATH)|g" \
 -e "s|@NEMUPATH@|$(NEMUPATH)|g" \
 -e "s|@ACRNPATH@|$(ACRNPATH)|g" \
 -e "s|@ACRNCTLPATH@|$(ACRNCTLPATH)|g" \
diff --git a/arch/amd64-options.mk b/arch/amd64-options.mk
index a038b71e4f..fd49e379f8 100644
--- a/arch/amd64-options.mk
+++ b/arch/amd64-options.mk
@@ -13,6 +13,8 @@ QEMUCMD := qemu-system-x86_64
 # Firecracker binary name
 FCCMD := firecracker
+# Firecracker's jailer binary name
+FCJAILERCMD := jailer
 # NEMU binary name
 NEMUCMD := nemu-system-x86_64
diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
index 3f9ca1fbf9..5b3353cd7a 100644
--- a/cli/config/configuration-fc.toml.in
+++ b/cli/config/configuration-fc.toml.in
@@ -12,6 +12,11 @@
 [hypervisor.firecracker]
 path = "@FCPATH@"
+# Path for the jailer specific to firecracker
+# If the jailer path is not set kata will launch firecracker
+# without a jail. If the jailer is set firecracker will be
+# launched in a jailed enviornment created by the jailer
+jailer_path = "@FCJAILERPATH@"
 kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
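Review bot: `FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)` in the second Makefile hunk is only well-defined on amd64, because `FCJAILERCMD` is introduced solely in arch/amd64-options.mk in this diff; on any arch options file that does not define it (none of the others are shown here), the expansion is the bare directory `$(FCBINDIR)/`, and the new sed rule in the fourth hunk substitutes that non-empty value into `jailer_path`, which the template comment says turns the jailer on. Either define `FCJAILERCMD` in every arch options file that builds the Firecracker configuration, or make an unset command yield an empty `jailer_path`, e.g. `FCJAILERPATH = $(if $(FCJAILERCMD),$(FCBINDIR)/$(FCJAILERCMD),)`. `JAILER_FC = jailer` in the first hunk is not referenced anywhere in this diff; if no other rule uses it, it duplicates `FCJAILERCMD` and should be dropped.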
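Review bot: The new comment says an unset `jailer_path` launches Firecracker without a jail, but the template line right below it always emits `jailer_path = "@FCJAILERPATH@"`, and the Makefile substitution in this same diff never produces an empty value, so the generated configuration always selects the jailed launch and the comment does not describe the file it sits in. Whether the VMM runs under the jailer is a security property operators will read off this file, so state the default and the opt-out in the comment itself, e.g. `# The jailer is enabled by default; set jailer_path = "" to launch firecracker without a jail.` The comment also spells environment as `enviornment`, and could add that a non-empty path must point to an existing jailer binary, which the test in this diff appears to assume by creating a file at jailerPath.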
diff --git a/pkg/katautils/config_test.go b/pkg/katautils/config_test.go
index 883818d809..3ad78a6bc0 100644
--- a/pkg/katautils/config_test.go
+++ b/pkg/katautils/config_test.go
@@ -514,6 +514,8 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 proxyPath := path.Join(dir, "proxy")
 hypervisorPath := path.Join(dir, "hypervisor")
 defaultHypervisorPath = hypervisorPath
+ jailerPath := path.Join(dir, "jailer")
+ defaultJailerPath = jailerPath
 netmonPath := path.Join(dir, "netmon")
 imagePath := path.Join(dir, "image.img")
@@ -524,12 +526,14 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 savedDefaultImagePath := defaultImagePath
 savedDefaultInitrdPath := defaultInitrdPath
 savedDefaultHypervisorPath := defaultHypervisorPath
+ savedDefaultJailerPath := defaultJailerPath
 savedDefaultKernelPath := defaultKernelPath
 defer func() {
 defaultImagePath = savedDefaultImagePath
 defaultInitrdPath = savedDefaultInitrdPath
 defaultHypervisorPath = savedDefaultHypervisorPath
+ defaultJailerPath = savedDefaultJailerPath
 defaultKernelPath = savedDefaultKernelPath
 }()
@@ -538,9 +542,10 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 defaultImagePath = imagePath
 defaultInitrdPath = initrdPath
 defaultHypervisorPath = hypervisorPath
+ defaultJailerPath = jailerPath
 defaultKernelPath = kernelPath
- for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultKernelPath} {
+ for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultJailerPath, defaultKernelPath} {
 err = WriteFile(file, "foo", testFileMode)
 if err != nil {
 t.Fatal(err)
@@ -588,6 +593,11 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 t.Error(err)
 }
+ err = createEmptyFile(jailerPath)
+ if err != nil {
+ t.Error(err)
+ }
+
 err = createEmptyFile(netmonPath)
 if err != nil {
 t.Error(err)
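Review bot: `defaultJailerPath = jailerPath` in the first hunk overwrites the package-level default before the second hunk snapshots it with `savedDefaultJailerPath := defaultJailerPath`, so the deferred restore puts back the temporary-directory path instead of the original value and `defaultJailerPath` stays pointed at a deleted directory for every test that runs after this one (unless code between the two hunks, which is not shown, depends on the early assignment). The assignment is redundant anyway, because the third hunk assigns `defaultJailerPath = jailerPath` again after the snapshot; drop the line from the first hunk and keep only `jailerPath := path.Join(dir, "jailer")` there. The existing `defaultHypervisorPath = hypervisorPath` two lines above has the same ordering problem, so the new code copies a pre-existing flaw; restoring the real defaults for both would be worth a follow-up. TestMinimalRuntimeConfig begins before the first hunk and continues past the last one.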
@@ -600,6 +610,7 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 expectedHypervisorConfig := vc.HypervisorConfig{
 HypervisorPath: defaultHypervisorPath,
+ JailerPath: defaultJailerPath,
 KernelPath: defaultKernelPath,
 ImagePath: defaultImagePath,
 InitrdPath: defaultInitrdPath,
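Review bot: The expectation `JailerPath: defaultJailerPath` only pins the case where a jailer is configured; nothing in this commit's test changes exercises the no-jail path that the new template comment documents (`jailer_path` absent or empty), nor a `jailer_path` naming a file that does not exist. Because this setting decides whether the VMM runs inside the jailer's sandbox, a second expectation asserting that an empty `jailer_path` yields an empty `JailerPath` (and that a missing binary is rejected, if the loader resolves the path as the `createEmptyFile(jailerPath)` call in the earlier hunk suggests) would make the contract explicit. If the minimal configuration used by this test does not set `jailer_path` at all, this expectation also implies the loader falls back to the compiled-in default when the key is absent, which contradicts the comment that an unset path disables the jail; the intended behavior should be confirmed and the comment aligned with it. TestMinimalRuntimeConfig and the struct literal both continue past this hunk.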