CCv0: Merge main into CCv0 branch

Merge remote-tracking branch 'upstream/main' into CCv0

Fixes: #5553
Signed-off-by: Megan Wright <megan.wright@ibm.com>
This commit is contained in:
Megan Wright 2022-11-01 10:55:33 +00:00
commit 61ec234b6a
34 changed files with 1261 additions and 531 deletions


@ -64,8 +64,8 @@ The kata-runtime is controlled by TOKIO_RUNTIME_WORKER_THREADS to run the OS thr
├─ TTRPC listener thread(M * tokio task)
├─ TTRPC client handler thread(7 * M * tokio task)
├─ container stdin io thread(M * tokio task)
├─ container stdin io thread(M * tokio task)
└─ container stdin io thread(M * tokio task)
├─ container stdout io thread(M * tokio task)
└─ container stderr io thread(M * tokio task)
```
### Extensible Framework
The Kata 3.x runtime is designed with the extension of service, runtime, and hypervisor, combined with configuration to meet the needs of different scenarios. At present, the service provides a register mechanism to support multiple services. Services could interact with runtime through messages. In addition, the runtime handler handles messages from services. To meet the needs of a binary that supports multiple runtimes and hypervisors, the startup must obtain the runtime handler type and hypervisor type through configuration.


@ -24,7 +24,7 @@ architectures:
| Installation method | Description | Automatic updates | Use case | Availability
|------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------------------------------------------------|----------- |
| [Using kata-deploy](#kata-deploy-installation) | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!** | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. | No |
| [Using kata-deploy](#kata-deploy-installation) | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!** | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. | Yes |
| [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories | yes | Recommended for most users. | No |
| [Using snap](#snap-installation) | Easy to install | yes | Good alternative to official distro packages. | No |
| [Automatic](#automatic-installation) | Run a single command to install a full system | **No!** | For those wanting the latest release quickly. | No |
@ -32,7 +32,8 @@ architectures:
| [Build from source](#build-from-source-installation) | Build the software components manually | **No!** | Power users and developers only. | Yes |
### Kata Deploy Installation
`ToDo`
Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/README.md).
### Official packages
`ToDo`
### Snap Installation


@ -61,6 +61,9 @@ spec:
name: eosgx-demo-job-1
image: oeciteam/oe-helloworld:latest
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /dev
name: dev-mount
securityContext:
readOnlyRootFilesystem: true
capabilities:
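Review bot: The added `volumeMounts` entry hands the demo container the entire host `/dev` tree, which is far broader than the SGX enclave device the job needs and works against the `readOnlyRootFilesystem` and `capabilities` hardening directly below it. If only enclave access is needed, narrow the mount to the device node, e.g. `- mountPath: /dev/sgx_enclave` with `readOnly: true`, or request the device through an SGX device-plugin resource instead of a hostPath. The `dev-mount` volume definition and the rest of the pod spec are outside this hunk, so I cannot tell whether the hostPath source is already narrower than `/dev`; if it is, a one-line comment on the mount saying so would stop readers from copying a wide-open `/dev` mount into production manifests.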

5
src/agent/Cargo.lock generated

@ -1889,10 +1889,11 @@ checksum = "292a948cd991e376cf75541fe5b97a1081d713c618b4f1b9500f8844e49eb565"
[[package]]
name = "libseccomp"
version = "0.2.3"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80"
checksum = "21c57fd8981a80019807b7b68118618d29a87177c63d704fc96e6ecd003ae5b3"
dependencies = [
"bitflags",
"libc",
"libseccomp-sys",
"pkg-config",


@ -32,7 +32,7 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
futures = "0.3.17"
async-trait = "0.1.31"
inotify = "0.9.2"
libseccomp = { version = "0.2.3", optional = true }
libseccomp = { version = "0.3.0", optional = true }
[dev-dependencies]
serial_test = "0.5.0"


@ -529,7 +529,9 @@ impl Handle {
.map_err(|e| anyhow!("Failed to parse IP {}: {:?}", ip_address, e))?;
// Import rtnetlink objects that make sense only for this function
use packet::constants::{NDA_UNSPEC, NLM_F_ACK, NLM_F_CREATE, NLM_F_EXCL, NLM_F_REQUEST};
use packet::constants::{
NDA_UNSPEC, NLM_F_ACK, NLM_F_CREATE, NLM_F_REPLACE, NLM_F_REQUEST,
};
use packet::neighbour::{NeighbourHeader, NeighbourMessage};
use packet::nlas::neighbour::Nla;
use packet::{NetlinkMessage, NetlinkPayload, RtnlMessage};
@ -572,7 +574,7 @@ impl Handle {
// Send request and ACK
let mut req = NetlinkMessage::from(RtnlMessage::NewNeighbour(message));
req.header.flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
req.header.flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_REPLACE;
let mut response = self.handle.request(req)?;
while let Some(message) = response.next().await {
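Review bot: Replacing `NLM_F_EXCL` with `NLM_F_REPLACE` on the request flags means an existing neighbour entry for the same address is now silently overwritten instead of failing with EEXIST, and nothing in the hunk records why that is the desired semantics. A reader will otherwise assume the conflict detection was lost by accident, so the flag line deserves a why-comment such as `// NLM_F_REPLACE: re-adding a neighbour (presumably on reconnect/hotplug retry) updates the entry rather than failing with EEXIST`. If the intent is specifically to tolerate retries, it may also be worth logging when an existing entry is replaced so an unexpected duplicate is still visible. The enclosing method starts before this hunk, so I cannot see how the caller handled the previous EEXIST error.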


@ -329,7 +329,7 @@ impl Sandbox {
// Reject non-file, symlinks and non-executable files
if !entry.file_type()?.is_file()
|| entry.file_type()?.is_symlink()
|| entry.metadata()?.permissions().mode() & 0o777 & 0o111 == 0
|| entry.metadata()?.permissions().mode() & 0o111 == 0
{
continue;
}


@ -176,7 +176,7 @@ ifneq (,$(DBCMD))
SYSCONFIG_DB = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_DB))
SYSCONFIG_PATHS += $(SYSCONFIG_DB)
CONFIGS += $(CONFIG_DB)
# dragonball-specific options (all should be suffixed by "_dragonball")
# dragonball-specific options (all should be suffixed by "_DB")
DEFMAXVCPUS_DB := 1
DEFBLOCKSTORAGEDRIVER_DB := virtio-blk
DEFNETWORKMODEL_DB := tcfilter
@ -357,15 +357,15 @@ endef
.DEFAULT_GOAL := default
GENERATED_FILES += $(CONFIGS)
runtime: $(TARGET)
$(TARGET): $(GENERATED_CODE) $(TARGET_PATH)
$(TARGET): $(GENERATED_FILES) $(TARGET_PATH)
$(TARGET_PATH): $(SOURCES) | show-summary
@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
GENERATED_FILES += $(CONFIGS)
$(GENERATED_FILES): %: %.in
@sed \
$(foreach r,$(GENERATED_REPLACEMENTS),-e 's|@$r@|$($r)|g') \
@ -490,7 +490,7 @@ install-runtime: runtime
install-configs: $(CONFIGS)
$(foreach f,$(CONFIGS),$(call INSTALL_FILE,$f,$(dir $(CONFIG_PATH)))) \
sudo ln -sf $(DEFAULT_HYPERVISOR_CONFIG) $(DESTDIR)/$(CONFIG_PATH)
ln -sf $(DEFAULT_HYPERVISOR_CONFIG) $(DESTDIR)/$(CONFIG_PATH)
.PHONY: \
help \


@ -130,7 +130,11 @@ impl KataAgent {
pub(crate) async fn agent_sock(&self) -> Result<String> {
let inner = self.inner.read().await;
Ok(inner.socket_address.clone())
Ok(format!(
"{}:{}",
inner.socket_address.clone(),
inner.config.server_port
))
}
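Review bot: The new `format!` still calls `inner.socket_address.clone()` even though the value is only borrowed for formatting, so the clone is a needless allocation; `format!("{}:{}", inner.socket_address, inner.config.server_port)` is equivalent. Separately, the function now unconditionally appends `server_port`, so if `socket_address` can already carry a port (I cannot tell from this hunk where it is populated) the result would be `addr:port:port`; a short doc comment stating the expected shape, e.g. `/// Returns "<socket_address>:<server_port>"; socket_address must not already include a port.`, would pin the contract for callers.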
pub(crate) async fn agent_config(&self) -> AgentConfig {


@ -15,7 +15,10 @@ use common::{
};
use containerd_shim_protos::events::task::TaskOOM;
use hypervisor::{dragonball::Dragonball, Hypervisor, HYPERVISOR_DRAGONBALL};
use kata_types::config::TomlConfig;
use kata_types::config::{
default::{DEFAULT_AGENT_LOG_PORT, DEFAULT_AGENT_VSOCK_PORT},
TomlConfig,
};
use resource::{
manager::ManagerArgs,
network::{NetworkConfig, NetworkWithNetNsConfig},
@ -299,8 +302,8 @@ impl Persist for VirtSandbox {
let agent = Arc::new(KataAgent::new(kata_types::config::Agent {
debug: true,
enable_tracing: false,
server_port: 1024,
log_port: 1025,
server_port: DEFAULT_AGENT_VSOCK_PORT,
log_port: DEFAULT_AGENT_LOG_PORT,
dial_timeout_ms: 10,
reconnect_timeout_ms: 3_000,
request_timeout_ms: 30_000,
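Review bot: Using `DEFAULT_AGENT_VSOCK_PORT` and `DEFAULT_AGENT_LOG_PORT` removes the magic numbers, but the restore path still rebuilds the agent config from compile-time defaults rather than from the sandbox's actual configuration, so a deployment that overrides the agent ports would presumably reconnect to the wrong ports after a shim restart. If the real config is not available at restore time, that limitation should be stated next to the literal block, e.g. `// TODO: restore from persisted agent config; these are the built-in defaults, not the user's settings`. The same applies to the hard-coded `debug: true` and timeouts above the changed lines, which are outside this hunk's changes but share the issue.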


@ -51,13 +51,14 @@ func statsToMetrics(stats *vc.ContainerStats) *cgroupsv1.Metrics {
func setHugetlbStats(vcHugetlb map[string]vc.HugetlbStats) []*cgroupsv1.HugetlbStat {
var hugetlbStats []*cgroupsv1.HugetlbStat
for _, v := range vcHugetlb {
for k, v := range vcHugetlb {
hugetlbStats = append(
hugetlbStats,
&cgroupsv1.HugetlbStat{
Usage: v.Usage,
Max: v.MaxUsage,
Failcnt: v.Failcnt,
Pagesize: k,
})
}


@ -11,7 +11,6 @@ import (
"fmt"
"os"
"path/filepath"
goruntime "runtime"
"strings"
"github.com/containernetworking/plugins/pkg/ns"
@ -27,30 +26,7 @@ const procMountInfoFile = "/proc/self/mountinfo"
// into runtime.LockOSThread(), meaning it won't be executed in a
// different thread than the one expected by the caller.
func EnterNetNS(networkID string, cb func() error) error {
if networkID == "" {
return cb()
}
goruntime.LockOSThread()
defer goruntime.UnlockOSThread()
currentNS, err := ns.GetCurrentNS()
if err != nil {
return err
}
defer currentNS.Close()
targetNS, err := ns.GetNS(networkID)
if err != nil {
return err
}
if err := targetNS.Set(); err != nil {
return err
}
defer currentNS.Set()
return cb()
return vc.EnterNetNS(networkID, cb)
}
// SetupNetworkNamespace create a network namespace


@ -100,7 +100,7 @@ type clhClient interface {
// Add/remove CPUs to/from the VM
VmResizePut(ctx context.Context, vmResize chclient.VmResize) (*http.Response, error)
// Add VFIO PCI device to the VM
VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error)
VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error)
// Add a new disk device to the VM
VmAddDiskPut(ctx context.Context, diskConfig chclient.DiskConfig) (chclient.PciDeviceInfo, *http.Response, error)
// Remove a device from the VM
@ -136,8 +136,8 @@ func (c *clhClientApi) VmResizePut(ctx context.Context, vmResize chclient.VmResi
return c.ApiInternal.VmResizePut(ctx).VmResize(vmResize).Execute()
}
func (c *clhClientApi) VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error) {
return c.ApiInternal.VmAddDevicePut(ctx).VmAddDevice(vmAddDevice).Execute()
func (c *clhClientApi) VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error) {
return c.ApiInternal.VmAddDevicePut(ctx).DeviceConfig(deviceConfig).Execute()
}
func (c *clhClientApi) VmAddDiskPut(ctx context.Context, diskConfig chclient.DiskConfig) (chclient.PciDeviceInfo, *http.Response, error) {
@ -808,8 +808,7 @@ func (clh *cloudHypervisor) hotPlugVFIODevice(device *config.VFIODev) error {
defer cancel()
// Create the clh device config via the constructor to ensure default values are properly assigned
clhDevice := *chclient.NewVmAddDevice()
clhDevice.Path = &device.SysfsDev
clhDevice := *chclient.NewDeviceConfig(device.SysfsDev)
pciInfo, _, err := cl.VmAddDevicePut(ctx, clhDevice)
if err != nil {
return fmt.Errorf("Failed to hotplug device %+v %s", device, openAPIClientError(err))


@ -104,7 +104,7 @@ func (c *clhClientMock) VmResizePut(ctx context.Context, vmResize chclient.VmRes
}
//nolint:golint
func (c *clhClientMock) VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error) {
func (c *clhClientMock) VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error) {
return chclient.PciDeviceInfo{}, nil, nil
}


@ -1045,6 +1045,15 @@ func doNetNS(netNSPath string, cb func(ns.NetNS) error) error {
return cb(targetNS)
}
// EnterNetNS is free from any call to a go routine, and it calls
// into runtime.LockOSThread(), meaning it won't be executed in a
// different thread than the one expected by the caller.
func EnterNetNS(networkID string, cb func() error) error {
return doNetNS(networkID, func(nn ns.NetNS) error {
return cb()
})
}
func deleteNetNS(netNSPath string) error {
n, err := ns.GetNS(netNSPath)
if err != nil {
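Review bot: The callback passed to `doNetNS` in the new `EnterNetNS` names its parameter `nn` but never uses it; `func(_ ns.NetNS) error` makes that intent explicit and keeps linters quiet. The doc comment also promises that the function "calls into runtime.LockOSThread()", which after this change is only true if `doNetNS` does so — `doNetNS` starts before this hunk, so I cannot confirm it; if it does not, the comment is now misleading, and if it does, rewording to `// EnterNetNS runs cb inside the network namespace at networkID via doNetNS, which pins the calling goroutine to its OS thread.` keeps the guarantee attached to the code that provides it.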


@ -34,7 +34,6 @@ docs/SendMigrationData.md
docs/SgxEpcConfig.md
docs/TokenBucket.md
docs/VdpaConfig.md
docs/VmAddDevice.md
docs/VmConfig.md
docs/VmCoredumpData.md
docs/VmInfo.md
@ -74,7 +73,6 @@ model_send_migration_data.go
model_sgx_epc_config.go
model_token_bucket.go
model_vdpa_config.go
model_vm_add_device.go
model_vm_config.go
model_vm_coredump_data.go
model_vm_info.go


@ -136,7 +136,6 @@ Class | Method | HTTP request | Description
- [SgxEpcConfig](docs/SgxEpcConfig.md)
- [TokenBucket](docs/TokenBucket.md)
- [VdpaConfig](docs/VdpaConfig.md)
- [VmAddDevice](docs/VmAddDevice.md)
- [VmConfig](docs/VmConfig.md)
- [VmCoredumpData](docs/VmCoredumpData.md)
- [VmInfo](docs/VmInfo.md)


@ -171,7 +171,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/VmAddDevice'
$ref: '#/components/schemas/DeviceConfig'
description: The path of the new device
required: true
responses:
@ -1808,20 +1808,6 @@ components:
format: int64
type: integer
type: object
VmAddDevice:
example:
path: path
iommu: false
id: id
properties:
path:
type: string
iommu:
default: false
type: boolean
id:
type: string
type: object
VmRemoveDevice:
example:
id: id


@ -833,12 +833,12 @@ func (a *DefaultApiService) ShutdownVMMExecute(r ApiShutdownVMMRequest) (*_netht
type ApiVmAddDevicePutRequest struct {
ctx _context.Context
ApiService *DefaultApiService
vmAddDevice *VmAddDevice
deviceConfig *DeviceConfig
}
// The path of the new device
func (r ApiVmAddDevicePutRequest) VmAddDevice(vmAddDevice VmAddDevice) ApiVmAddDevicePutRequest {
r.vmAddDevice = &vmAddDevice
func (r ApiVmAddDevicePutRequest) DeviceConfig(deviceConfig DeviceConfig) ApiVmAddDevicePutRequest {
r.deviceConfig = &deviceConfig
return r
}
@ -860,7 +860,6 @@ func (a *DefaultApiService) VmAddDevicePut(ctx _context.Context) ApiVmAddDeviceP
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -882,8 +881,8 @@ func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (P
localVarHeaderParams := make(map[string]string)
localVarQueryParams := _neturl.Values{}
localVarFormParams := _neturl.Values{}
if r.vmAddDevice == nil {
return localVarReturnValue, nil, reportError("vmAddDevice is required and must be specified")
if r.deviceConfig == nil {
return localVarReturnValue, nil, reportError("deviceConfig is required and must be specified")
}
// to determine the Content-Type header
@ -904,7 +903,7 @@ func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (P
localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept
}
// body params
localVarPostBody = r.vmAddDevice
localVarPostBody = r.deviceConfig
req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes)
if err != nil {
return localVarReturnValue, nil, err
@ -972,7 +971,6 @@ func (a *DefaultApiService) VmAddDiskPut(ctx _context.Context) ApiVmAddDiskPutRe
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddDiskPutExecute(r ApiVmAddDiskPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1084,7 +1082,6 @@ func (a *DefaultApiService) VmAddFsPut(ctx _context.Context) ApiVmAddFsPutReques
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddFsPutExecute(r ApiVmAddFsPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1196,7 +1193,6 @@ func (a *DefaultApiService) VmAddNetPut(ctx _context.Context) ApiVmAddNetPutRequ
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddNetPutExecute(r ApiVmAddNetPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1308,7 +1304,6 @@ func (a *DefaultApiService) VmAddPmemPut(ctx _context.Context) ApiVmAddPmemPutRe
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddPmemPutExecute(r ApiVmAddPmemPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1420,7 +1415,6 @@ func (a *DefaultApiService) VmAddVdpaPut(ctx _context.Context) ApiVmAddVdpaPutRe
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddVdpaPutExecute(r ApiVmAddVdpaPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1532,7 +1526,6 @@ func (a *DefaultApiService) VmAddVsockPut(ctx _context.Context) ApiVmAddVsockPut
}
// Execute executes the request
//
// @return PciDeviceInfo
func (a *DefaultApiService) VmAddVsockPutExecute(r ApiVmAddVsockPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
var (
@ -1737,7 +1730,6 @@ func (a *DefaultApiService) VmCountersGet(ctx _context.Context) ApiVmCountersGet
}
// Execute executes the request
//
// @return map[string]map[string]int64
func (a *DefaultApiService) VmCountersGetExecute(r ApiVmCountersGetRequest) (map[string]map[string]int64, *_nethttp.Response, error) {
var (
@ -1837,7 +1829,6 @@ func (a *DefaultApiService) VmInfoGet(ctx _context.Context) ApiVmInfoGetRequest
}
// Execute executes the request
//
// @return VmInfo
func (a *DefaultApiService) VmInfoGetExecute(r ApiVmInfoGetRequest) (VmInfo, *_nethttp.Response, error) {
var (
@ -2637,7 +2628,6 @@ func (a *DefaultApiService) VmmPingGet(ctx _context.Context) ApiVmmPingGetReques
}
// Execute executes the request
//
// @return VmmPingResponse
func (a *DefaultApiService) VmmPingGetExecute(r ApiVmmPingGetRequest) (VmmPingResponse, *_nethttp.Response, error) {
var (


@ -554,7 +554,7 @@ No authorization required
## VmAddDevicePut
> PciDeviceInfo VmAddDevicePut(ctx).VmAddDevice(vmAddDevice).Execute()
> PciDeviceInfo VmAddDevicePut(ctx).DeviceConfig(deviceConfig).Execute()
Add a new device to the VM
@ -571,11 +571,11 @@ import (
)
func main() {
vmAddDevice := *openapiclient.NewVmAddDevice() // VmAddDevice | The path of the new device
deviceConfig := *openapiclient.NewDeviceConfig("Path_example") // DeviceConfig | The path of the new device
configuration := openapiclient.NewConfiguration()
api_client := openapiclient.NewAPIClient(configuration)
resp, r, err := api_client.DefaultApi.VmAddDevicePut(context.Background()).VmAddDevice(vmAddDevice).Execute()
resp, r, err := api_client.DefaultApi.VmAddDevicePut(context.Background()).DeviceConfig(deviceConfig).Execute()
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `DefaultApi.VmAddDevicePut``: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
@ -596,7 +596,7 @@ Other parameters are passed through a pointer to a apiVmAddDevicePutRequest stru
Name | Type | Description | Notes
------------- | ------------- | ------------- | -------------
**vmAddDevice** | [**VmAddDevice**](VmAddDevice.md) | The path of the new device |
**deviceConfig** | [**DeviceConfig**](DeviceConfig.md) | The path of the new device |
### Return type


@ -1,108 +0,0 @@
# VmAddDevice
## Properties
Name | Type | Description | Notes
------------ | ------------- | ------------- | -------------
**Path** | Pointer to **string** | | [optional]
**Iommu** | Pointer to **bool** | | [optional] [default to false]
**Id** | Pointer to **string** | | [optional]
## Methods
### NewVmAddDevice
`func NewVmAddDevice() *VmAddDevice`
NewVmAddDevice instantiates a new VmAddDevice object
This constructor will assign default values to properties that have it defined,
and makes sure properties required by API are set, but the set of arguments
will change when the set of required properties is changed
### NewVmAddDeviceWithDefaults
`func NewVmAddDeviceWithDefaults() *VmAddDevice`
NewVmAddDeviceWithDefaults instantiates a new VmAddDevice object
This constructor will only assign default values to properties that have it defined,
but it doesn't guarantee that properties required by API are set
### GetPath
`func (o *VmAddDevice) GetPath() string`
GetPath returns the Path field if non-nil, zero value otherwise.
### GetPathOk
`func (o *VmAddDevice) GetPathOk() (*string, bool)`
GetPathOk returns a tuple with the Path field if it's non-nil, zero value otherwise
and a boolean to check if the value has been set.
### SetPath
`func (o *VmAddDevice) SetPath(v string)`
SetPath sets Path field to given value.
### HasPath
`func (o *VmAddDevice) HasPath() bool`
HasPath returns a boolean if a field has been set.
### GetIommu
`func (o *VmAddDevice) GetIommu() bool`
GetIommu returns the Iommu field if non-nil, zero value otherwise.
### GetIommuOk
`func (o *VmAddDevice) GetIommuOk() (*bool, bool)`
GetIommuOk returns a tuple with the Iommu field if it's non-nil, zero value otherwise
and a boolean to check if the value has been set.
### SetIommu
`func (o *VmAddDevice) SetIommu(v bool)`
SetIommu sets Iommu field to given value.
### HasIommu
`func (o *VmAddDevice) HasIommu() bool`
HasIommu returns a boolean if a field has been set.
### GetId
`func (o *VmAddDevice) GetId() string`
GetId returns the Id field if non-nil, zero value otherwise.
### GetIdOk
`func (o *VmAddDevice) GetIdOk() (*string, bool)`
GetIdOk returns a tuple with the Id field if it's non-nil, zero value otherwise
and a boolean to check if the value has been set.
### SetId
`func (o *VmAddDevice) SetId(v string)`
SetId sets Id field to given value.
### HasId
`func (o *VmAddDevice) HasId() bool`
HasId returns a boolean if a field has been set.
[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)


@ -1,189 +0,0 @@
/*
Cloud Hypervisor API
Local HTTP based API for managing and inspecting a cloud-hypervisor virtual machine.
API version: 0.3.0
*/
// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT.
package openapi
import (
"encoding/json"
)
// VmAddDevice struct for VmAddDevice
type VmAddDevice struct {
Path *string `json:"path,omitempty"`
Iommu *bool `json:"iommu,omitempty"`
Id *string `json:"id,omitempty"`
}
// NewVmAddDevice instantiates a new VmAddDevice object
// This constructor will assign default values to properties that have it defined,
// and makes sure properties required by API are set, but the set of arguments
// will change when the set of required properties is changed
func NewVmAddDevice() *VmAddDevice {
this := VmAddDevice{}
var iommu bool = false
this.Iommu = &iommu
return &this
}
// NewVmAddDeviceWithDefaults instantiates a new VmAddDevice object
// This constructor will only assign default values to properties that have it defined,
// but it doesn't guarantee that properties required by API are set
func NewVmAddDeviceWithDefaults() *VmAddDevice {
this := VmAddDevice{}
var iommu bool = false
this.Iommu = &iommu
return &this
}
// GetPath returns the Path field value if set, zero value otherwise.
func (o *VmAddDevice) GetPath() string {
if o == nil || o.Path == nil {
var ret string
return ret
}
return *o.Path
}
// GetPathOk returns a tuple with the Path field value if set, nil otherwise
// and a boolean to check if the value has been set.
func (o *VmAddDevice) GetPathOk() (*string, bool) {
if o == nil || o.Path == nil {
return nil, false
}
return o.Path, true
}
// HasPath returns a boolean if a field has been set.
func (o *VmAddDevice) HasPath() bool {
if o != nil && o.Path != nil {
return true
}
return false
}
// SetPath gets a reference to the given string and assigns it to the Path field.
func (o *VmAddDevice) SetPath(v string) {
o.Path = &v
}
// GetIommu returns the Iommu field value if set, zero value otherwise.
func (o *VmAddDevice) GetIommu() bool {
if o == nil || o.Iommu == nil {
var ret bool
return ret
}
return *o.Iommu
}
// GetIommuOk returns a tuple with the Iommu field value if set, nil otherwise
// and a boolean to check if the value has been set.
func (o *VmAddDevice) GetIommuOk() (*bool, bool) {
if o == nil || o.Iommu == nil {
return nil, false
}
return o.Iommu, true
}
// HasIommu returns a boolean if a field has been set.
func (o *VmAddDevice) HasIommu() bool {
if o != nil && o.Iommu != nil {
return true
}
return false
}
// SetIommu gets a reference to the given bool and assigns it to the Iommu field.
func (o *VmAddDevice) SetIommu(v bool) {
o.Iommu = &v
}
// GetId returns the Id field value if set, zero value otherwise.
func (o *VmAddDevice) GetId() string {
if o == nil || o.Id == nil {
var ret string
return ret
}
return *o.Id
}
// GetIdOk returns a tuple with the Id field value if set, nil otherwise
// and a boolean to check if the value has been set.
func (o *VmAddDevice) GetIdOk() (*string, bool) {
if o == nil || o.Id == nil {
return nil, false
}
return o.Id, true
}
// HasId returns a boolean if a field has been set.
func (o *VmAddDevice) HasId() bool {
if o != nil && o.Id != nil {
return true
}
return false
}
// SetId gets a reference to the given string and assigns it to the Id field.
func (o *VmAddDevice) SetId(v string) {
o.Id = &v
}
func (o VmAddDevice) MarshalJSON() ([]byte, error) {
toSerialize := map[string]interface{}{}
if o.Path != nil {
toSerialize["path"] = o.Path
}
if o.Iommu != nil {
toSerialize["iommu"] = o.Iommu
}
if o.Id != nil {
toSerialize["id"] = o.Id
}
return json.Marshal(toSerialize)
}
type NullableVmAddDevice struct {
value *VmAddDevice
isSet bool
}
func (v NullableVmAddDevice) Get() *VmAddDevice {
return v.value
}
func (v *NullableVmAddDevice) Set(val *VmAddDevice) {
v.value = val
v.isSet = true
}
func (v NullableVmAddDevice) IsSet() bool {
return v.isSet
}
func (v *NullableVmAddDevice) Unset() {
v.value = nil
v.isSet = false
}
func NewNullableVmAddDevice(val *VmAddDevice) *NullableVmAddDevice {
return &NullableVmAddDevice{value: val, isSet: true}
}
func (v NullableVmAddDevice) MarshalJSON() ([]byte, error) {
return json.Marshal(v.value)
}
func (v *NullableVmAddDevice) UnmarshalJSON(src []byte) error {
v.isSet = true
return json.Unmarshal(src, &v.value)
}


@ -185,7 +185,7 @@ paths:
content:
application/json:
schema:
$ref: "#/components/schemas/VmAddDevice"
$ref: "#/components/schemas/DeviceConfig"
required: true
responses:
200:
@ -1077,17 +1077,6 @@ components:
type: integer
format: int64
VmAddDevice:
type: object
properties:
path:
type: string
iommu:
type: boolean
default: false
id:
type: string
VmRemoveDevice:
type: object
properties:


@ -1 +1 @@
/vendor/
src/ops/version.rs

1035
src/tools/kata-ctl/Cargo.lock generated Normal file



@ -3,6 +3,9 @@
# SPDX-License-Identifier: Apache-2.0
#
[workspace]
resolver = "2"
[package]
name = "kata-ctl"
version = "0.0.1"
@ -14,8 +17,12 @@ anyhow = "1.0.31"
clap = { version = "3.2.20", features = ["derive", "cargo"] }
serde_json = "1.0.85"
thiserror = "1.0.35"
privdrop = "0.5.2"
nix = "0.25.0"
[target.'cfg(target_arch = "s390x")'.dependencies]
reqwest = { version = "0.11", default-features = false, features = ["json", "blocking", "native-tls"] }
# See: https://github.com/kata-containers/kata-containers/issues/5438
[target.'cfg(not(target_arch = "s390x"))'.dependencies]
reqwest = { version = "0.11", default-features = false, features = ["json", "blocking", "rustls-tls"] }
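Review bot: This hunk introduces two new third-party crates, `privdrop` and `nix`, into a tool that will run as root to drop privileges, and both are declared with caret ranges (`"0.5.2"`, `"0.25.0"`) so any compatible patch release is accepted at lock-update time. For a privilege-dropping dependency it is worth recording why the crate was chosen and that it was reviewed, e.g. `# privdrop: setuid/chroot helper used by utils::drop_privs; review before bumping`, and relying on the committed Cargo.lock plus `cargo vet`/`cargo audit` in CI so a silent update cannot change the drop-privileges path. The s390x/native-tls split also means certificate validation on s390x depends on the system OpenSSL trust store rather than rustls' bundled behaviour, which the referenced issue link should probably mention next to the `[target.'cfg(target_arch = "s390x")']` block.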


@ -1,4 +1,5 @@
// Copyright (c) 2022 Intel Corporation
// Copyright (c) 2022 IBM Corp.
//
// SPDX-License-Identifier: Apache-2.0
//
@ -7,9 +8,44 @@
pub use arch_specific::*;
mod arch_specific {
use anyhow::Result;
use crate::check;
use anyhow::{anyhow, Result};
const PROC_CPUINFO: &str = "/proc/cpuinfo";
const CPUINFO_DELIMITER: &str = "processor ";
const CPUINFO_FEATURES_TAG: &str = "features";
const CPU_FEATURES_REQ: &[&str] = &["sie"];
// check cpu
fn check_cpu() -> Result<()> {
println!("INFO: check CPU: s390x");
let cpu_info = check::get_single_cpu_info(PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_features = check::get_cpu_flags(&cpu_info, CPUINFO_FEATURES_TAG).map_err(|e| {
anyhow!(
"Error parsing CPU features, file {:?}, {:?}",
PROC_CPUINFO,
e
)
})?;
let missing_cpu_features = check::check_cpu_flags(&cpu_features, CPU_FEATURES_REQ)?;
if !missing_cpu_features.is_empty() {
eprintln!("WARNING: Missing CPU flags {:?}", missing_cpu_features);
}
Ok(())
}
pub fn check() -> Result<()> {
unimplemented!("Check not implemented in s390x");
println!("INFO: check: s390x");
let _cpu_result = check_cpu();
// TODO: add additional checks, e.g, kernel modules as in go runtime
// TODO: collect outcome of tests to determine if checks pass or not
Ok(())
}
}
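Review bot: `check()` discards the result of `check_cpu()` into `_cpu_result`, so a failure to read or parse `/proc/cpuinfo` is swallowed and the command still reports success; and even when parsing works, a missing `sie` flag (the hardware virtualization feature required for KVM on s390x, as far as I understand it) only prints a warning. Unless the TODO intends this to be temporary, both should be errors: `check_cpu()?;` in `check()` and `return Err(anyhow!("Missing CPU flags {:?}", missing_cpu_features));` in place of the `eprintln!`. If the soft behaviour is deliberate until the outcome-collection TODO lands, say so on the `let _cpu_result` line, e.g. `// TODO: currently advisory only; make fatal once all checks report a combined result`.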


@ -6,32 +6,22 @@
// Contains checks that are not architecture-specific
use anyhow::{anyhow, Result};
// See: https://github.com/kata-containers/kata-containers/issues/5438
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
use reqwest::header::{CONTENT_TYPE, USER_AGENT};
use serde_json::Value;
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
use std::collections::HashMap;
use std::fs;
const KATA_GITHUB_URL: &str =
"https://api.github.com/repos/kata-containers/kata-containers/releases/latest";
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
fn get_cpu_info(cpu_info_file: &str) -> Result<String> {
let contents = fs::read_to_string(cpu_info_file)?;
let contents = std::fs::read_to_string(cpu_info_file)?;
Ok(contents)
}
// get_single_cpu_info returns the contents of the first cpu from
// the specified cpuinfo file by parsing based on a specified delimiter
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
pub fn get_single_cpu_info(cpu_info_file: &str, substring: &str) -> Result<String> {
let contents = get_cpu_info(cpu_info_file)?;
@ -51,6 +41,7 @@ pub fn get_single_cpu_info(cpu_info_file: &str, substring: &str) -> Result<Strin
// get_cpu_flags returns a string of cpu flags from cpuinfo, passed in
// as a string
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
pub fn get_cpu_flags(cpu_info: &str, cpu_flags_tag: &str) -> Result<String> {
if cpu_info.is_empty() {
return Err(anyhow!("cpu_info string is empty"))?;
@ -74,6 +65,7 @@ pub fn get_cpu_flags(cpu_info: &str, cpu_flags_tag: &str) -> Result<String> {
// get_missing_strings searches for required (strings) in data and returns
// a vector containing the missing strings
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
fn get_missing_strings(data: &str, required: &'static [&'static str]) -> Result<Vec<String>> {
let mut missing: Vec<String> = Vec::new();
@ -86,6 +78,7 @@ fn get_missing_strings(data: &str, required: &'static [&'static str]) -> Result<
Ok(missing)
}
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
pub fn check_cpu_flags(
retrieved_flags: &str,
required_flags: &'static [&'static str],
@ -95,6 +88,7 @@ pub fn check_cpu_flags(
Ok(missing_flags)
}
#[cfg(any(target_arch = "x86_64"))]
pub fn check_cpu_attribs(
cpu_info: &str,
required_attribs: &'static [&'static str],
@ -110,11 +104,6 @@ pub fn run_network_checks() -> Result<()> {
Ok(())
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
fn get_kata_version_by_url(url: &str) -> std::result::Result<String, reqwest::Error> {
let content = reqwest::blocking::Client::new()
.get(url)
@ -127,11 +116,6 @@ fn get_kata_version_by_url(url: &str) -> std::result::Result<String, reqwest::Er
Ok(version.to_string())
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
fn handle_reqwest_error(e: reqwest::Error) -> anyhow::Error {
if e.is_connect() {
return anyhow!(e).context("http connection failure: connection refused");
@ -152,11 +136,6 @@ fn handle_reqwest_error(e: reqwest::Error) -> anyhow::Error {
anyhow!(e).context("unknown http connection failure: {:?}")
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
pub fn check_version() -> Result<()> {
let version = get_kata_version_by_url(KATA_GITHUB_URL).map_err(handle_reqwest_error)?;
@ -165,6 +144,7 @@ pub fn check_version() -> Result<()> {
Ok(())
}
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
#[cfg(test)]
mod tests {
use super::*;
@ -190,11 +170,6 @@ mod tests {
assert_eq!(expected, actual);
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
#[test]
fn check_version_by_empty_url() {
const TEST_URL: &str = "http:";
@ -203,11 +178,6 @@ mod tests {
assert_eq!(expected, actual);
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
#[test]
fn check_version_by_garbage_url() {
const TEST_URL: &str = "_localhost_";
@ -216,11 +186,6 @@ mod tests {
assert_eq!(expected, actual);
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
#[test]
fn check_version_by_invalid_url() {
const TEST_URL: &str = "http://localhost :80";
@ -229,11 +194,6 @@ mod tests {
assert_eq!(expected, actual);
}
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
#[test]
fn check_latest_version() {
let version = get_kata_version_by_url(KATA_GITHUB_URL).unwrap();
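Review bot: The new `#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]` placed on the whole `mod tests` disables every test in this file on aarch64 and powerpc64le, including the `check_version_by_*` tests whose own per-test arch guards this same hunk removes because `check_version` is now built on all architectures. The arch gate belongs only on the cpuinfo tests that depend on the gated helpers; drop it from the module and put `#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]` above each cpu-flag test instead. Also note, unchanged by this hunk, that `check_latest_version` performs a live request to api.github.com, so it will fail in offline CI; gating it behind `#[ignore]` or an environment flag would make the remaining tests reliable.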


@ -7,6 +7,7 @@ mod arch;
mod args;
mod check;
mod ops;
mod utils;
use anyhow::Result;
use clap::Parser;


@ -32,16 +32,7 @@ pub fn handle_check(checkcmd: CheckArgument) -> Result<()> {
CheckSubCommand::CheckVersionOnly => {
// retrieve latest release
#[cfg(any(
target_arch = "aarch64",
target_arch = "powerpc64le",
target_arch = "x86_64"
))]
check::check_version()?;
// See: https://github.com/kata-containers/kata-containers/issues/5438
#[cfg(target_arch = "s390x")]
unimplemented!("Network check not implemented on s390x")
}
}


@ -0,0 +1,33 @@
// Copyright (c) 2022 Intel Corporation
//
// SPDX-License-Identifier: Apache-2.0
//
#![allow(dead_code)]
use anyhow::{anyhow, Result};
const NON_PRIV_USER: &str = "nobody";
pub fn drop_privs() -> Result<()> {
if nix::unistd::Uid::effective().is_root() {
privdrop::PrivDrop::default()
.chroot("/")
.user(NON_PRIV_USER)
.apply()
.map_err(|e| anyhow!("Failed to drop privileges to user {}: {}", NON_PRIV_USER, e))?;
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_drop_privs() {
let res = drop_privs();
assert!(res.is_ok());
}
}
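Review bot: `test_drop_privs` calls `drop_privs()` directly, which when the test binary runs as root performs a real `chroot("/")` and switches the whole process to `nobody`, so every subsequent test in the same binary silently runs with different credentials and any test touching the filesystem may fail for non-obvious reasons. Either skip it under root with `if nix::unistd::Uid::effective().is_root() { return; }` at the top of the test, or run the call in a forked child so the parent is unaffected. The file-level `#![allow(dead_code)]` also hides that `drop_privs` is not yet called anywhere visible; a one-line justification such as `// allow(dead_code): drop_privs is wired into subcommands in a follow-up` keeps the suppression from outliving its reason. Finally, the function should document that it only drops when the effective uid is root and that the chroot is a no-op beyond clearing an inherited root, e.g. `/// Drop to NON_PRIV_USER (and chroot to /) when running with effective uid 0; no-op otherwise.`.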


@ -143,6 +143,7 @@ $ kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-contai
The following removes the test pods:
```bash
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/examples/test-deploy-kata-dragonball.yaml
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/examples/test-deploy-kata-clh.yaml
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/examples/test-deploy-kata-fc.yaml
$ kubectl delete -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/examples/test-deploy-kata-qemu.yaml


@ -47,6 +47,7 @@ pull_virtiofsd_released_binary() {
init_env() {
source "$HOME/.cargo/env"
extra_rust_flags=" -C link-self-contained=yes"
case ${ARCH} in
"aarch64")
LIBC="musl"
@ -60,6 +61,7 @@ init_env() {
"s390x")
LIBC="gnu"
ARCH_LIBC=${ARCH}-linux-${LIBC}
extra_rust_flags=""
;;
"x86_64")
LIBC="musl"
@ -76,7 +78,7 @@ build_virtiofsd_from_source() {
git clone --depth 1 --branch ${virtiofsd_version} ${virtiofsd_repo} virtiofsd
pushd virtiofsd
export RUSTFLAGS='-C target-feature=+crt-static -C link-self-contained=yes'
export RUSTFLAGS='-C target-feature=+crt-static'${extra_rust_flags}
export LIBSECCOMP_LINK_TYPE=static
export LIBSECCOMP_LIB_PATH=/usr/lib/${ARCH_LIBC}
export LIBCAPNG_LINK_TYPE=static


@ -75,7 +75,7 @@ assets:
url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
uscan-url: >-
https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
version: "2115a4156891804e5fc7bbd0d1831d2e92a0c50e"
version: "b4e39427080293c674b8db627ee6daf1f1b56806"
firecracker:
description: "Firecracker micro-VMM"
@ -353,7 +353,7 @@ languages:
golangci-lint:
description: "golangci-lint"
notes: "'version' is the default minimum version used by this project."
version: "1.41.1"
version: "1.46.2"
meta:
description: |
'newest-version' is the latest version known to work when