From 1b7fd19acb1e46f803b39e823070966785788758 Mon Sep 17 00:00:00 2001 From: Champ-Goblem Date: Fri, 29 Apr 2022 17:15:29 +0100 Subject: [PATCH 1/6] rootfs: Fix chronyd.service failing on boot In at least kata versions 2.3.3 and 2.4.0 it was noticed that the guest operating system's clock would drift out of sync slowly over time whilst the pod was running. This had previously been raised and fixed in the old reposity via [1]. In essence kvm_ptp and chrony were paired together in order to keep the system clock up to date with the host. In the recent versions of kata metioned above, the chronyd.service fails upon boot with status `266/NAMESPACE` which seems to be due to the fact that the `/var/lib/chrony` directory no longer exists. This change sets the `/var/lib/chrony` directory for the `ReadWritePaths` to be ignored when the directory does not exist, as per [2]. [1] https://github.com/kata-containers/runtime/issues/1279 [2] https://www.freedesktop.org/software/systemd /man/systemd.exec.html#ReadWritePaths= Fixes: #4167 Signed-off-by: Champ-Goblem --- tools/osbuilder/rootfs-builder/rootfs.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index b6441ac1bf..8403a2dc56 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh 
@@ -540,8 +540,13 @@ EOF if [ -f "$chrony_systemd_service" ]; then # Remove user option, user could not exist in the rootfs + # Set the /var/lib/chrony for ReadWritePaths to be ignored if + # its nonexistent, this broke the service on boot previously + # due to the directory not being present "(code=exited, status=226/NAMESPACE)" sed -i -e 's/^\(ExecStart=.*\)-u [[:alnum:]]*/\1/g' \ - -e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' ${chrony_systemd_service} + -e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' \ + -e 's/^ReadWritePaths=\(.\+\) \/var\/lib\/chrony \(.\+\)$/ReadWritePaths=\1 -\/var\/lib\/chrony \2/m' \ + ${chrony_systemd_service} fi AGENT_DIR="${ROOTFS_DIR}/usr/bin" From 9941588c00a18034f132933fcf8f7140f421e030 Mon Sep 17 00:00:00 2001 From: Zvonko Kaiser Date: Fri, 17 Jun 2022 03:00:38 -0700 Subject: [PATCH 2/6] workflow: Removing man-db, workflow kept failing Fixes: #4480 Signed-off-by: Zvonko Kaiser --- .github/workflows/add-pr-sizing-label.yaml | 2 ++ .github/workflows/snap-release.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/add-pr-sizing-label.yaml b/.github/workflows/add-pr-sizing-label.yaml index 0a2d7fcbf7..ffd9b06a96 100644 --- a/.github/workflows/add-pr-sizing-label.yaml +++ b/.github/workflows/add-pr-sizing-label.yaml @@ -33,6 +33,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }} run: | pr=${{ github.event.number }} + # Removing man-db, workflow kept failing, fixes: #4480 + sudo apt -y remove --purge man-db sudo apt -y install diffstat patchutils pr-add-size-label.sh -p "$pr" diff --git a/.github/workflows/snap-release.yaml b/.github/workflows/snap-release.yaml index 2fde90afc4..ecd34978f7 100644 --- a/.github/workflows/snap-release.yaml +++ b/.github/workflows/snap-release.yaml 
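Review bot: The new `ReadWritePaths` substitution only matches when `/var/lib/chrony` has at least one other path on each side of it (`\(.\+\) \/var\/lib\/chrony \(.\+\)`), so a unit file that lists it first, last or alone is left untouched and chronyd keeps failing with the same `226/NAMESPACE` status, silently, because sed exits 0 whether or not the pattern matched. A substitution restricted to the `ReadWritePaths=` line and anchored on `=` or a space before and a space or end-of-line after covers all positions: `-e '/^ReadWritePaths=/s#\(=\| \)/var/lib/chrony\( \|$\)#\1-/var/lib/chrony\2#'`. It would also be worth making the build fail when the marker did not land, e.g. `grep -q -- '-/var/lib/chrony' "${chrony_systemd_service}" || die "chrony unit not patched"` (using whatever error helper this script already has; it is outside the hunk). Note that `-` only makes the missing directory non-fatal for the service's mount namespace; chronyd still has no writable drift-file location, which is fine for the kvm_ptp use case but deserves a word in the comment. The enclosing function starts and ends outside the hunk.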
@@ -19,6 +19,8 @@ jobs: - name: Build snap run: | + # Removing man-db, workflow kept failing, fixes: #4480 + sudo apt -y remove --purge man-db sudo apt-get install -y git git-extras kata_url="https://github.com/kata-containers/kata-containers" latest_version=$(git ls-remote --tags ${kata_url} | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1) From 28995301b3fa8bdf06c6c5f0506cdb4962da3c53 Mon Sep 17 00:00:00 2001 From: Chelsea Mafrica Date: Fri, 17 Jun 2022 12:07:37 -0700 Subject: [PATCH 3/6] tracing: Remove whitespace from root span Remove space from root span name to follow camel casing of other tracing span names in the runtime and to make parsing easier in testing. Fixes #4483 Signed-off-by: Chelsea Mafrica --- src/runtime/pkg/containerd-shim-v2/create.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/pkg/containerd-shim-v2/create.go b/src/runtime/pkg/containerd-shim-v2/create.go index 11609f2bcf..eba829e2dd 100644 --- a/src/runtime/pkg/containerd-shim-v2/create.go +++ b/src/runtime/pkg/containerd-shim-v2/create.go @@ -97,7 +97,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con } // create root span - rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "root span", shimTracingTags) + rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "rootSpan", shimTracingTags) s.rootCtx = newCtx defer rootSpan.End() From ef925d40ce7b120ad888a8487ec622a7688448c2 Mon Sep 17 00:00:00 2001 From: Liang Zhou Date: Mon, 26 Jul 2021 02:54:00 -0700 Subject: [PATCH 4/6] runtime: enable sandbox feature on qemu Enable "-sandbox on" in qemu can introduce another protect layer on the host, to make the secure container more secure. The default option is disable because this feature may introduce some performance cost, even though user can enable /proc/sys/net/core/bpf_jit_enable to reduce the impact. Fixes: #2266 
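Review bot: The added `sudo apt -y remove --purge man-db` sits directly above `sudo apt-get install -y git git-extras`; `apt` is the interactive front end and warns that it does not have a stable CLI interface when scripted, so use `sudo apt-get -y remove --purge man-db` for consistency with the next line (and with the add-pr-sizing-label change, ideally). The comment `# Removing man-db, workflow kept failing, fixes: #4480` should say what actually fails — I infer from the issue reference that it is the man-db trigger run during package installation — so a later maintainer knows when the workaround can be dropped. The run step is fully visible in the hunk.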
Signed-off-by: Feng Wang --- src/runtime/Makefile | 6 ++ src/runtime/config/configuration-qemu.toml.in | 8 +++ src/runtime/pkg/govmm/qemu/qemu.go | 3 +- src/runtime/pkg/katautils/config.go | 2 + src/runtime/virtcontainers/hypervisor.go | 3 + src/runtime/virtcontainers/persist.go | 1 + .../virtcontainers/persist/api/config.go | 3 + src/runtime/virtcontainers/qemu.go | 65 ++++++++++++------- 8 files changed, 67 insertions(+), 24 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 85f9bbd8ab..8d7f5652cc 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -167,6 +167,11 @@ DEFDISABLEGUESTEMPTYDIR := false DEFAULTEXPFEATURES := [] DEFDISABLESELINUX := false +#Default SeccomSandbox param +#The same default policy is used by libvirt +#More explanation on https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html +# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox +DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny #Default entropy source DEFENTROPYSOURCE := /dev/urandom @@ -459,6 +464,7 @@ USER_VARS += DEFVIRTIOFSCACHE USER_VARS += DEFVIRTIOFSEXTRAARGS USER_VARS += DEFENABLEANNOTATIONS USER_VARS += DEFENABLEIOTHREADS +USER_VARS += DEFSECCOMPSANDBOXPARAM USER_VARS += DEFENABLEVHOSTUSERSTORE USER_VARS += DEFVHOSTUSERSTOREPATH USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 09c219545d..702b71aadd 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in 
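Review bot: The comment `#The same default policy is used by libvirt` is contradicted two lines later by the note that `elevateprivileges=deny` was dropped; libvirt's default, as far as I recall, includes that key, so the policy shipped here is strictly weaker and the comment should say so: `# Based on libvirt's default seccomp policy, minus elevateprivileges=deny (see note below)`. Since `elevateprivileges=deny` is (if I read the QEMU documentation correctly) what blocks the set*uid/set*gid system calls, the note should also record why it conflicts with daemonize, or link to the discussion, so someone can re-add it once the constraint disappears. The first comment line also misspells the variable: `#Default SeccomSandbox param` should read `#Default SeccompSandbox param`.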
@@ -76,6 +76,14 @@ firmware_volume = "@FIRMWAREVOLUMEPATH@" # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="@MACHINEACCELERATORS@" +# Qemu seccomp sandbox feature +# comma-separated list of seccomp sandbox features to control the syscall access. +# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"` +# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox +# Another note: enabling this feature may reduce performance, you may enable +# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html +#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@" + # CPU features # comma-separated list of cpu features to pass to the cpu # For example, `cpu_features = "pmu=off,vmx=off" diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index ea3f1311a8..100316dd9e 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -15,6 +15,7 @@ package qemu import ( "bytes" + "context" "fmt" "log" "os" @@ -23,8 +24,6 @@ import ( "strconv" "strings" "syscall" - - "context" ) // Machine describes the machine type qemu will emulate. diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 2a62c3d6c3..368f6eedd8 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -95,6 +95,7 @@ type hypervisor struct { FileBackedMemRootDir string `toml:"file_mem_backend"` GuestHookPath string `toml:"guest_hook_path"` GuestMemoryDumpPath string `toml:"guest_memory_dump_path"` + SeccompSandbox string `toml:"seccompsandbox"` HypervisorPathList []string `toml:"valid_hypervisor_paths"` JailerPathList []string `toml:"valid_jailer_paths"` CtlPathList []string `toml:"valid_ctlpaths"` 
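Review bot: The `seccompsandbox` key is shipped commented out, so the hardening this series adds is off for every installed configuration unless an operator uncomments it; the comment block should state that explicitly, e.g. `# Default: disabled. Uncomment to pass -sandbox to QEMU.`, and should warn that a QEMU binary built without seccomp support will refuse to start once the option is set (I believe `-sandbox` is rejected in that case; please confirm against the QEMU version Kata ships). The reference to `bpfc(8)` is misleading: bpfc is the BPF assembler from netsniff-ng and does not document `bpf_jit_enable`; point at the kernel's sysctl documentation (`Documentation/admin-guide/sysctl/net.rst`) instead.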
@@ -767,6 +768,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { EnableVhostUserStore: h.EnableVhostUserStore, VhostUserStorePath: h.vhostUserStorePath(), VhostUserStorePathList: h.VhostUserStorePathList, + SeccompSandbox: h.SeccompSandbox, GuestHookPath: h.guestHookPath(), RxRateLimiterMaxRate: rxRateLimiterMaxRate, TxRateLimiterMaxRate: txRateLimiterMaxRate, diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go index 9de4dc0d0a..20d7d61038 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go @@ -370,6 +370,9 @@ type HypervisorConfig struct { // VhostUserStorePathList is the list of valid values for vhost-user paths VhostUserStorePathList []string + // SeccompSandbox is the qemu function which enables the seccomp feature + SeccompSandbox string + // KernelParams are additional guest kernel parameters. KernelParams []Param diff --git a/src/runtime/virtcontainers/persist.go b/src/runtime/virtcontainers/persist.go index bc20af21fa..199c647ae2 100644 --- a/src/runtime/virtcontainers/persist.go +++ b/src/runtime/virtcontainers/persist.go @@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) { BootFromTemplate: sconfig.HypervisorConfig.BootFromTemplate, DisableVhostNet: sconfig.HypervisorConfig.DisableVhostNet, EnableVhostUserStore: sconfig.HypervisorConfig.EnableVhostUserStore, + SeccompSandbox: sconfig.HypervisorConfig.SeccompSandbox, VhostUserStorePath: sconfig.HypervisorConfig.VhostUserStorePath, VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList, GuestHookPath: sconfig.HypervisorConfig.GuestHookPath, diff --git a/src/runtime/virtcontainers/persist/api/config.go b/src/runtime/virtcontainers/persist/api/config.go index 0af8a09227..1c16b7bd91 100644 --- a/src/runtime/virtcontainers/persist/api/config.go +++ b/src/runtime/virtcontainers/persist/api/config.go 
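Review bot: `SeccompSandbox: h.SeccompSandbox,` copies the configured string into the hypervisor config verbatim, so a typo such as `on,obsolte=deny` is only discovered when QEMU dies at launch with a parse error buried in its log. newQemuHypervisorConfig returns an error (per its signature), so a minimal sanity check belongs here, e.g. `if s := h.SeccompSandbox; s != "" && !(s == "on" || s == "off" || strings.HasPrefix(s, "on,")) { return vc.HypervisorConfig{}, fmt.Errorf("invalid seccompsandbox value %q", s) }` — adapt to the error-return style the rest of the function uses, which is outside the hunk, and confirm `strings` is imported in this file. The function starts and ends outside the hunk.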
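Review bot: The doc comment `// SeccompSandbox is the qemu function which enables the seccomp feature` describes the field as a function, but it is the raw value handed to QEMU's `-sandbox` option. Suggest: `// SeccompSandbox is the value passed to QEMU's -sandbox option (e.g. "on,obsolete=deny,spawn=deny,resourcecontrol=deny"). An empty string leaves the option unset.` — the empty-means-unset part matches the `!= ""` test in checkBpfEnabled later in this series but should be confirmed against the govmm side, which is not in the diff. The identical comment in persist/api/config.go should be updated the same way.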
@@ -80,6 +80,9 @@ type HypervisorConfig struct { // related folders, sockets and device nodes should be. VhostUserStorePath string + // SeccompSandbox is the qemu function which enables the seccomp feature + SeccompSandbox string + // GuestHookPath is the path within the VM that will be used for 'drop-in' hooks GuestHookPath string diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index 656548e88c..b56ffda051 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go 
@@ -629,30 +629,32 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi // some devices configuration may also change kernel params, make sure this is called afterwards Params: q.kernelParameters(), } + q.checkBpfEnabled() qemuConfig := govmmQemu.Config{ - Name: fmt.Sprintf("sandbox-%s", q.id), - UUID: q.state.UUID, - Path: qemuPath, - Ctx: q.qmpMonitorCh.ctx, - Uid: q.config.Uid, - Gid: q.config.Gid, - Groups: q.config.Groups, - Machine: machine, - SMP: smp, - Memory: memory, - Devices: devices, - CPUModel: cpuModel, - Kernel: kernel, - RTC: rtc, - QMPSockets: qmpSockets, - Knobs: knobs, - Incoming: incoming, - VGA: "none", - GlobalParam: "kvm-pit.lost_tick_policy=discard", - Bios: firmwarePath, - PFlash: pflash, - PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"), + Name: fmt.Sprintf("sandbox-%s", q.id), + UUID: q.state.UUID, + Path: qemuPath, + Ctx: q.qmpMonitorCh.ctx, + Uid: q.config.Uid, + Gid: q.config.Gid, + Groups: q.config.Groups, + Machine: machine, + SMP: smp, + Memory: memory, + Devices: devices, + CPUModel: cpuModel, + SeccompSandbox: q.config.SeccompSandbox, + Kernel: kernel, + RTC: rtc, + QMPSockets: qmpSockets, + Knobs: knobs, + Incoming: incoming, + VGA: "none", + GlobalParam: "kvm-pit.lost_tick_policy=discard", + Bios: firmwarePath, + PFlash: pflash, + PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"), } qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath) 
@@ -689,6 +691,25 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi return err } +func (q *qemu) checkBpfEnabled() { + if q.config.SeccompSandbox != "" { + out, err := os.ReadFile("/proc/sys/net/core/bpf_jit_enable") + if err != nil { + q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status") + return + } + enabled, err := strconv.Atoi(string(out)) + if err != nil { + q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer") + return + } + if enabled == 0 { + q.Logger().Warningf("bpf_jit_enable is disabled. " + + "It's recommended to turn on bpf_jit_enable to reduce the performance impact of QEMU seccomp sandbox.") + } + } +} + func (q *qemu) vhostFSSocketPath(id string) (string, error) { return utils.BuildSocketPath(q.config.VMStorePath, id, vhostFSSocket) } From 0bbbe706873e5ca00eaa94e7aea4afff65b9ba0e Mon Sep 17 00:00:00 2001 From: Amulyam24 Date: Mon, 20 Jun 2022 19:26:27 +0530 Subject: [PATCH 5/6] snap: fix snap build on ppc64le Fixes the syntax error while building rustdeps. Fixes: #4494 Signed-off-by: Amulyam24 --- snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 60185e8f61..77f27b15f9 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -74,7 +74,7 @@ parts: rustup toolchain install ${version} rustup default ${version} if [ "${arch}" == "ppc64le" ] || [ "${arch}" == "s390x" ] ; then - [ ${arch} == "ppc64le"] && arch="powerpc64le" + [ "${arch}" == "ppc64le" ] && arch="powerpc64le" rustup target add ${arch}-unknown-linux-gnu else rustup target add ${arch}-unknown-linux-musl From c7dd10e5edf715bd8fe1b81db95a3ef95de99763 Mon Sep 17 00:00:00 2001 
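Review bot: `strconv.Atoi(string(out))` fails on every real system, because procfs sysctls read back with a trailing newline (`"1\n"`), so this function always logs `failed to convert bpf_jit_enable status to integer` and never reaches the warning it was written to emit. Trim before parsing: `enabled, err := strconv.Atoi(strings.TrimSpace(string(out)))`, adding `strings` to this file's imports if it is not already there. The sysctl also accepts the value 2 (JIT with debug output), which the existing `enabled == 0` test already treats as enabled. Since the result is only a warning, running it once at runtime start rather than on every CreateVM would cut log noise, but that is a nit. The function is fully contained in the hunk.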
From: Gabriela Cervantes Date: Mon, 20 Jun 2022 14:43:39 +0000 Subject: [PATCH 6/6] packaging: Remove unused publish kata image script This PR removes unused the publish kata image script which was used on kata 1.x when we had OBS packages which are not longer used on kata 2.x Fixes #4496 Signed-off-by: Gabriela Cervantes --- tools/packaging/release/publish-kata-image.sh | 76 ------------------- 1 file changed, 76 deletions(-) delete mode 100755 tools/packaging/release/publish-kata-image.sh diff --git a/tools/packaging/release/publish-kata-image.sh b/tools/packaging/release/publish-kata-image.sh deleted file mode 100755 index 1240e4f5dd..0000000000 --- a/tools/packaging/release/publish-kata-image.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/usr/bin/env bash -#Copyright (c) 2018 Intel Corporation -# -#SPDX-License-Identifier: Apache-2.0 -# - -[ -z "${DEBUG}" ] || set -x - -set -o errexit -set -o nounset -set -o pipefail - -workdir="${PWD}" - -readonly script_name="$(basename "${BASH_SOURCE[0]}")" -readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -readonly project="kata-containers" -GOPATH=${GOPATH:-${HOME}/go} - -source "${script_dir}/../scripts/lib.sh" -source "${script_dir}/../obs-packaging/scripts/pkglib.sh" - -die() { - msg="$*" - echo "ERROR: ${FUNCNAME[1]} ${msg}" >&2 - exit 1 -} - -usage() { - return_code=${1:-0} - cat < - -version: Kata version to create the image. - -Create image for a kata version. - -options: - --h : show this help --p : push image to github -EOF - - exit "${return_code}" -} - -main() { - push="false" - while getopts "d:hp" opt; do - case $opt in - h) usage 0 ;; - p) push="true" ;; - esac - done - - shift $((OPTIND - 1)) - kata_version=${1:-} - [ -n "${kata_version}" ] || usage "1" - - ref="refs/tags/${kata_version}^{}" - agent_sha=$(get_kata_hash "agent" "${ref}") - agent_sha=${agent_sha:0:${short_commit_length}} - image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}") || - "${script_dir}/../obs-packaging/kata-containers-image/build_image.sh" -v "${kata_version}" - image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}" ) || die "file not found ${image_tarball}" - - if [ ${push} == "true" ]; then - hub -C "${GOPATH}/src/github.com/${project}/agent" release edit -a "${image_tarball}" "${kata_version}" - else - echo "Wont push image to github use -p option to do it." - fi -} - -main $@