diff --git a/.github/workflows/add-pr-sizing-label.yaml b/.github/workflows/add-pr-sizing-label.yaml index 0a2d7fcbf7..ffd9b06a96 100644 --- a/.github/workflows/add-pr-sizing-label.yaml +++ b/.github/workflows/add-pr-sizing-label.yaml @@ -33,6 +33,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }} run: | pr=${{ github.event.number }} + # Removing man-db, workflow kept failing, fixes: #4480 + sudo apt -y remove --purge man-db sudo apt -y install diffstat patchutils pr-add-size-label.sh -p "$pr" diff --git a/.github/workflows/snap-release.yaml b/.github/workflows/snap-release.yaml index 2fde90afc4..ecd34978f7 100644 --- a/.github/workflows/snap-release.yaml +++ b/.github/workflows/snap-release.yaml @@ -19,6 +19,8 @@ jobs: - name: Build snap run: | + # Removing man-db, workflow kept failing, fixes: #4480 + sudo apt -y remove --purge man-db sudo apt-get install -y git git-extras kata_url="https://github.com/kata-containers/kata-containers" latest_version=$(git ls-remote --tags ${kata_url} | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 60185e8f61..77f27b15f9 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -74,7 +74,7 @@ parts: rustup toolchain install ${version} rustup default ${version} if [ "${arch}" == "ppc64le" ] || [ "${arch}" == "s390x" ] ; then - [ ${arch} == "ppc64le"] && arch="powerpc64le" + [ "${arch}" == "ppc64le" ] && arch="powerpc64le" rustup target add ${arch}-unknown-linux-gnu else rustup target add ${arch}-unknown-linux-musl diff --git a/src/runtime/Makefile b/src/runtime/Makefile index be47012f05..757d0a48a9 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -167,6 +167,11 @@ DEFDISABLEGUESTEMPTYDIR := false DEFAULTEXPFEATURES := [] DEFDISABLESELINUX := false +#Default SeccomSandbox param +#The same default policy is used by libvirt +#More explanation on https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html +# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox +DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny #Default entropy source DEFENTROPYSOURCE := /dev/urandom @@ -459,6 +464,7 @@ USER_VARS += DEFVIRTIOFSCACHE USER_VARS += DEFVIRTIOFSEXTRAARGS USER_VARS += DEFENABLEANNOTATIONS USER_VARS += DEFENABLEIOTHREADS +USER_VARS += DEFSECCOMPSANDBOXPARAM USER_VARS += DEFENABLEVHOSTUSERSTORE USER_VARS += DEFVHOSTUSERSTOREPATH USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 09c219545d..702b71aadd 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -76,6 +76,14 @@ firmware_volume = "@FIRMWAREVOLUMEPATH@" # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="@MACHINEACCELERATORS@" +# Qemu seccomp sandbox feature +# comma-separated list of seccomp sandbox features to control the syscall access. +# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"` +# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox +# Another note: enabling this feature may reduce performance, you may enable +# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html +#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@" + # CPU features # comma-separated list of cpu features to pass to the cpu # For example, `cpu_features = "pmu=off,vmx=off" diff --git a/src/runtime/pkg/containerd-shim-v2/create.go b/src/runtime/pkg/containerd-shim-v2/create.go index 1edf005916..c80d85efd5 100644 --- a/src/runtime/pkg/containerd-shim-v2/create.go +++ b/src/runtime/pkg/containerd-shim-v2/create.go @@ -97,7 +97,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con } // create root span - rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "root span", shimTracingTags) + rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "rootSpan", shimTracingTags) s.rootCtx = newCtx defer rootSpan.End() diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index ea3f1311a8..100316dd9e 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -15,6 +15,7 @@ package qemu import ( "bytes" + "context" "fmt" "log" "os" @@ -23,8 +24,6 @@ import ( "strconv" "strings" "syscall" - - "context" ) // Machine describes the machine type qemu will emulate. diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 15fc533102..c883d9a8de 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -95,6 +95,7 @@ type hypervisor struct { FileBackedMemRootDir string `toml:"file_mem_backend"` GuestHookPath string `toml:"guest_hook_path"` GuestMemoryDumpPath string `toml:"guest_memory_dump_path"` + SeccompSandbox string `toml:"seccompsandbox"` HypervisorPathList []string `toml:"valid_hypervisor_paths"` JailerPathList []string `toml:"valid_jailer_paths"` CtlPathList []string `toml:"valid_ctlpaths"` @@ -767,6 +768,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { EnableVhostUserStore: h.EnableVhostUserStore, VhostUserStorePath: h.vhostUserStorePath(), VhostUserStorePathList: h.VhostUserStorePathList, + SeccompSandbox: h.SeccompSandbox, GuestHookPath: h.guestHookPath(), RxRateLimiterMaxRate: rxRateLimiterMaxRate, TxRateLimiterMaxRate: txRateLimiterMaxRate, diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go index 9de4dc0d0a..20d7d61038 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go @@ -370,6 +370,9 @@ type HypervisorConfig struct { // VhostUserStorePathList is the list of valid values for vhost-user paths VhostUserStorePathList []string + // SeccompSandbox is the qemu function which enables the seccomp feature + SeccompSandbox string + // KernelParams are additional guest kernel parameters. KernelParams []Param diff --git a/src/runtime/virtcontainers/persist.go b/src/runtime/virtcontainers/persist.go index bc20af21fa..199c647ae2 100644 --- a/src/runtime/virtcontainers/persist.go +++ b/src/runtime/virtcontainers/persist.go @@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) { BootFromTemplate: sconfig.HypervisorConfig.BootFromTemplate, DisableVhostNet: sconfig.HypervisorConfig.DisableVhostNet, EnableVhostUserStore: sconfig.HypervisorConfig.EnableVhostUserStore, + SeccompSandbox: sconfig.HypervisorConfig.SeccompSandbox, VhostUserStorePath: sconfig.HypervisorConfig.VhostUserStorePath, VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList, GuestHookPath: sconfig.HypervisorConfig.GuestHookPath, diff --git a/src/runtime/virtcontainers/persist/api/config.go b/src/runtime/virtcontainers/persist/api/config.go index 0af8a09227..1c16b7bd91 100644 --- a/src/runtime/virtcontainers/persist/api/config.go +++ b/src/runtime/virtcontainers/persist/api/config.go @@ -80,6 +80,9 @@ type HypervisorConfig struct { // related folders, sockets and device nodes should be. VhostUserStorePath string + // SeccompSandbox is the qemu function which enables the seccomp feature + SeccompSandbox string + // GuestHookPath is the path within the VM that will be used for 'drop-in' hooks GuestHookPath string diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index 656548e88c..b56ffda051 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go @@ -629,30 +629,32 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi // some devices configuration may also change kernel params, make sure this is called afterwards Params: q.kernelParameters(), } + q.checkBpfEnabled() qemuConfig := govmmQemu.Config{ - Name: fmt.Sprintf("sandbox-%s", q.id), - UUID: q.state.UUID, - Path: qemuPath, - Ctx: q.qmpMonitorCh.ctx, - Uid: q.config.Uid, - Gid: q.config.Gid, - Groups: q.config.Groups, - Machine: machine, - SMP: smp, - Memory: memory, - Devices: devices, - CPUModel: cpuModel, - Kernel: kernel, - RTC: rtc, - QMPSockets: qmpSockets, - Knobs: knobs, - Incoming: incoming, - VGA: "none", - GlobalParam: "kvm-pit.lost_tick_policy=discard", - Bios: firmwarePath, - PFlash: pflash, - PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"), + Name: fmt.Sprintf("sandbox-%s", q.id), + UUID: q.state.UUID, + Path: qemuPath, + Ctx: q.qmpMonitorCh.ctx, + Uid: q.config.Uid, + Gid: q.config.Gid, + Groups: q.config.Groups, + Machine: machine, + SMP: smp, + Memory: memory, + Devices: devices, + CPUModel: cpuModel, + SeccompSandbox: q.config.SeccompSandbox, + Kernel: kernel, + RTC: rtc, + QMPSockets: qmpSockets, + Knobs: knobs, + Incoming: incoming, + VGA: "none", + GlobalParam: "kvm-pit.lost_tick_policy=discard", + Bios: firmwarePath, + PFlash: pflash, + PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"), } qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath) @@ -689,6 +691,25 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi return err } +func (q *qemu) checkBpfEnabled() { + if q.config.SeccompSandbox != "" { + out, err := os.ReadFile("/proc/sys/net/core/bpf_jit_enable") + if err != nil { + q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status") + return + } + enabled, err := strconv.Atoi(string(out)) + if err != nil { + q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer") + return + } + if enabled == 0 { + q.Logger().Warningf("bpf_jit_enable is disabled. " + + "It's recommended to turn on bpf_jit_enable to reduce the performance impact of QEMU seccomp sandbox.") + } + } +} + func (q *qemu) vhostFSSocketPath(id string) (string, error) { return utils.BuildSocketPath(q.config.VMStorePath, id, vhostFSSocket) } diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 1e504c76f5..d82f2e7d6d 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -563,8 +563,13 @@ EOF if [ -f "$chrony_systemd_service" ]; then # Remove user option, user could not exist in the rootfs + # Set the /var/lib/chrony for ReadWritePaths to be ignored if + # its nonexistent, this broke the service on boot previously + # due to the directory not being present "(code=exited, status=226/NAMESPACE)" sed -i -e 's/^\(ExecStart=.*\)-u [[:alnum:]]*/\1/g' \ - -e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' ${chrony_systemd_service} + -e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' \ + -e 's/^ReadWritePaths=\(.\+\) \/var\/lib\/chrony \(.\+\)$/ReadWritePaths=\1 -\/var\/lib\/chrony \2/m' \ + ${chrony_systemd_service} fi AGENT_DIR="${ROOTFS_DIR}/usr/bin" diff --git a/tools/packaging/release/publish-kata-image.sh b/tools/packaging/release/publish-kata-image.sh deleted file mode 100755 index 1240e4f5dd..0000000000 --- a/tools/packaging/release/publish-kata-image.sh +++ /dev/null @@ -1,76 +0,0 @@ -#!/usr/bin/env bash -#Copyright (c) 2018 Intel Corporation -# -#SPDX-License-Identifier: Apache-2.0 -# - -[ -z "${DEBUG}" ] || set -x - -set -o errexit -set -o nounset -set -o pipefail - -workdir="${PWD}" - -readonly script_name="$(basename "${BASH_SOURCE[0]}")" -readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -readonly project="kata-containers" -GOPATH=${GOPATH:-${HOME}/go} - -source "${script_dir}/../scripts/lib.sh" -source "${script_dir}/../obs-packaging/scripts/pkglib.sh" - -die() { - msg="$*" - echo "ERROR: ${FUNCNAME[1]} ${msg}" >&2 - exit 1 -} - -usage() { - return_code=${1:-0} - cat < - -version: Kata version to create the image. - -Create image for a kata version. - -options: - --h : show this help --p : push image to github -EOF - - exit "${return_code}" -} - -main() { - push="false" - while getopts "d:hp" opt; do - case $opt in - h) usage 0 ;; - p) push="true" ;; - esac - done - - shift $((OPTIND - 1)) - kata_version=${1:-} - [ -n "${kata_version}" ] || usage "1" - - ref="refs/tags/${kata_version}^{}" - agent_sha=$(get_kata_hash "agent" "${ref}") - agent_sha=${agent_sha:0:${short_commit_length}} - image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}") || - "${script_dir}/../obs-packaging/kata-containers-image/build_image.sh" -v "${kata_version}" - image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}" ) || die "file not found ${image_tarball}" - - if [ ${push} == "true" ]; then - hub -C "${GOPATH}/src/github.com/${project}/agent" release edit -a "${image_tarball}" "${kata_version}" - else - echo "Wont push image to github use -p option to do it." - fi -} - -main $@