github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-17 15:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #5257 from gkurz/backport-3_0_rc1

Browse Source 
Last backport for 3.0-rc1
This commit is contained in:
Peng Tao 2022-09-28 11:01:09 +08:00 committed by GitHub
commit 5b3bbc62ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 45 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libs/kata-types/src/config/hypervisor/mod.rs
View File

@ -320,7 +320,7 @@ impl CpuInfo {
} }
} }
/// Configuration information for shared filesystem, such virtio-9p and virtio-fs. /// Configuration information for debug
#[derive(Clone, Debug, Default, Deserialize, Serialize)] #[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct DebugInfo { pub struct DebugInfo {
/// This option changes the default hypervisor and kernel parameters to enable debug output /// This option changes the default hypervisor and kernel parameters to enable debug output
@ -596,7 +596,7 @@ impl MemoryInfo {
} }
} }
/// Configuration information for virtual machine. /// Configuration information for network.
#[derive(Clone, Debug, Default, Deserialize, Serialize)] #[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct NetworkInfo { pub struct NetworkInfo {
/// If vhost-net backend for virtio-net is not desired, set to true. /// If vhost-net backend for virtio-net is not desired, set to true.
@ -638,7 +638,7 @@ impl NetworkInfo {
} }
} }
/// Configuration information for virtual machine. /// Configuration information for security.
#[derive(Clone, Debug, Default, Deserialize, Serialize)] #[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct SecurityInfo { pub struct SecurityInfo {
/// Enable running QEMU VMM as a non-root user. /// Enable running QEMU VMM as a non-root user.

6
src/runtime-rs/crates/agent/src/kata/agent.rs
View File

@ -96,9 +96,9 @@ impl_agent!(
stats_container | crate::ContainerID | crate::StatsContainerResponse | None, stats_container | crate::ContainerID | crate::StatsContainerResponse | None,
pause_container | crate::ContainerID | crate::Empty | None, pause_container | crate::ContainerID | crate::Empty | None,
resume_container | crate::ContainerID | crate::Empty | None, resume_container | crate::ContainerID | crate::Empty | None,
write_stdin | crate::WriteStreamRequest | crate::WriteStreamResponse | None, write_stdin | crate::WriteStreamRequest | crate::WriteStreamResponse | Some(0),
read_stdout | crate::ReadStreamRequest | crate::ReadStreamResponse | None, read_stdout | crate::ReadStreamRequest | crate::ReadStreamResponse | Some(0),
read_stderr | crate::ReadStreamRequest | crate::ReadStreamResponse | None, read_stderr | crate::ReadStreamRequest | crate::ReadStreamResponse | Some(0),
close_stdin | crate::CloseStdinRequest | crate::Empty | None, close_stdin | crate::CloseStdinRequest | crate::Empty | None,
tty_win_resize | crate::TtyWinResizeRequest | crate::Empty | None, tty_win_resize | crate::TtyWinResizeRequest | crate::Empty | None,
update_interface | crate::UpdateInterfaceRequest | crate::Interface | None, update_interface | crate::UpdateInterfaceRequest | crate::Interface | None,

16
src/runtime/pkg/containerd-shim-v2/create.go
View File

@ -26,6 +26,7 @@ import (
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/rootless" "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/rootless"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus"
// only register the proto type // only register the proto type
crioption "github.com/containerd/containerd/pkg/runtimeoptions/v1" crioption "github.com/containerd/containerd/pkg/runtimeoptions/v1"
@ -136,7 +137,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
katautils.HandleFactory(ctx, vci, s.config) katautils.HandleFactory(ctx, vci, s.config)
rootless.SetRootless(s.config.HypervisorConfig.Rootless) rootless.SetRootless(s.config.HypervisorConfig.Rootless)
if rootless.IsRootless() { if rootless.IsRootless() {
if err := configureNonRootHypervisor(s.config); err != nil { if err := configureNonRootHypervisor(s.config, r.ID); err != nil {
return nil, err return nil, err
} }
} }
@ -303,13 +304,17 @@ func doMount(mounts []*containerd_types.Mount, rootfs string) error {
return nil return nil
} }
func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig) error { func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId string) error {
userName, err := utils.CreateVmmUser() userName, err := utils.CreateVmmUser()
if err != nil { if err != nil {
return err return err
} }
defer func() { defer func() {
if err != nil { if err != nil {
shimLog.WithFields(logrus.Fields{
"user_name": userName,
"sandbox_id": sandboxId,
}).WithError(err).Warn("configure non root hypervisor failed, delete the user")
if err2 := utils.RemoveVmmUser(userName); err2 != nil { if err2 := utils.RemoveVmmUser(userName); err2 != nil {
shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user") shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user")
} }
@ -330,7 +335,14 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig) error {
return err return err
} }
runtimeConfig.HypervisorConfig.Uid = uint32(uid) runtimeConfig.HypervisorConfig.Uid = uint32(uid)
runtimeConfig.HypervisorConfig.User = userName
runtimeConfig.HypervisorConfig.Gid = uint32(gid) runtimeConfig.HypervisorConfig.Gid = uint32(gid)
shimLog.WithFields(logrus.Fields{
"user_name": userName,
"uid": uid,
"gid": gid,
"sandbox_id": sandboxId,
}).Debug("successfully created a non root user for the hypervisor")
userTmpDir := path.Join("/run/user/", fmt.Sprint(uid)) userTmpDir := path.Join("/run/user/", fmt.Sprint(uid))
_, err = os.Stat(userTmpDir) _, err = os.Stat(userTmpDir)

3
src/runtime/virtcontainers/hypervisor.go
View File

@ -380,6 +380,9 @@ type HypervisorConfig struct {
// BlockiDeviceAIO specifies the I/O API to be used. // BlockiDeviceAIO specifies the I/O API to be used.
BlockDeviceAIO string BlockDeviceAIO string
// The user maps to the uid.
User string
// KernelParams are additional guest kernel parameters. // KernelParams are additional guest kernel parameters.
KernelParams []Param KernelParams []Param

28
src/runtime/virtcontainers/qemu.go
View File

@ -110,6 +110,8 @@ type qemu struct {
nvdimmCount int nvdimmCount int
stopped bool stopped bool
mu sync.Mutex
} }
const ( const (
@ -678,7 +680,7 @@ func (q *qemu) checkBpfEnabled() {
q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status") q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status")
return return
} }
enabled, err := strconv.Atoi(string(out)) enabled, err := strconv.Atoi(strings.TrimSpace(string(out)))
if err != nil { if err != nil {
q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer") q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer")
return return
@ -968,6 +970,8 @@ func (q *qemu) waitVM(ctx context.Context, timeout int) error {
// StopVM will stop the Sandbox's VM. // StopVM will stop the Sandbox's VM.
func (q *qemu) StopVM(ctx context.Context, waitOnly bool) error { func (q *qemu) StopVM(ctx context.Context, waitOnly bool) error {
q.mu.Lock()
defer q.mu.Unlock()
span, _ := katatrace.Trace(ctx, q.Logger(), "StopVM", qemuTracingTags, map[string]string{"sandbox_id": q.id}) span, _ := katatrace.Trace(ctx, q.Logger(), "StopVM", qemuTracingTags, map[string]string{"sandbox_id": q.id})
defer span.End() defer span.End()
@ -1059,15 +1063,27 @@ func (q *qemu) cleanupVM() error {
} }
if rootless.IsRootless() { if rootless.IsRootless() {
u, err := user.LookupId(strconv.Itoa(int(q.config.Uid))) if _, err := user.Lookup(q.config.User); err != nil {
if err != nil { q.Logger().WithError(err).WithFields(
q.Logger().WithError(err).WithField("uid", q.config.Uid).Warn("failed to find the user") logrus.Fields{
"user": q.config.User,
"uid": q.config.Uid,
}).Warn("failed to find the user, it might have been removed")
return nil return nil
} }
if err := pkgUtils.RemoveVmmUser(u.Username); err != nil { if err := pkgUtils.RemoveVmmUser(q.config.User); err != nil {
q.Logger().WithError(err).WithField("user", u.Username).Warn("failed to delete the user") q.Logger().WithError(err).WithFields(
logrus.Fields{
"user": q.config.User,
"uid": q.config.Uid,
}).Warn("failed to delete the user")
} }
q.Logger().WithFields(
logrus.Fields{
"user": q.config.User,
"uid": q.config.Uid,
}).Debug("successfully removed the non root user")
} }
return nil return nil