Merge pull request #4508 from GeorginaKin/ccv0-main-merge

CCv0: Merge main into CCv0 branch
Georgina Kinge 2022-06-22 19:28:53 +01:00 committed by GitHub
commit 676b1d6048
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 79 additions and 103 deletions


@ -33,6 +33,8 @@ jobs:
GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }} GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }}
run: | run: |
pr=${{ github.event.number }} pr=${{ github.event.number }}
# Removing man-db, workflow kept failing, fixes: #4480
sudo apt -y remove --purge man-db
sudo apt -y install diffstat patchutils sudo apt -y install diffstat patchutils
pr-add-size-label.sh -p "$pr" pr-add-size-label.sh -p "$pr"
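Review bot: The new `sudo apt -y remove --purge man-db` line (and the identical line in the snap workflow hunk that follows) drives `apt`, whose command-line interface is documented as unstable for scripts and emits a warning to that effect when stdout is not a terminal; `sudo apt-get -y remove --purge man-db` is the scripted form and matches the `apt-get install` the snap hunk already uses on its next line. The comment states the motive and the issue number, which is good; it would help to also say whether a later package install is expected to pull man-db back in, since that would re-trigger the failure this works around. The surrounding `run:` block continues outside the hunk.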


@ -19,6 +19,8 @@ jobs:
- name: Build snap - name: Build snap
run: | run: |
# Removing man-db, workflow kept failing, fixes: #4480
sudo apt -y remove --purge man-db
sudo apt-get install -y git git-extras sudo apt-get install -y git git-extras
kata_url="https://github.com/kata-containers/kata-containers" kata_url="https://github.com/kata-containers/kata-containers"
latest_version=$(git ls-remote --tags ${kata_url} | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1) latest_version=$(git ls-remote --tags ${kata_url} | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1)


@ -74,7 +74,7 @@ parts:
rustup toolchain install ${version} rustup toolchain install ${version}
rustup default ${version} rustup default ${version}
if [ "${arch}" == "ppc64le" ] || [ "${arch}" == "s390x" ] ; then if [ "${arch}" == "ppc64le" ] || [ "${arch}" == "s390x" ] ; then
[ ${arch} == "ppc64le"] && arch="powerpc64le" [ "${arch}" == "ppc64le" ] && arch="powerpc64le"
rustup target add ${arch}-unknown-linux-gnu rustup target add ${arch}-unknown-linux-gnu
else else
rustup target add ${arch}-unknown-linux-musl rustup target add ${arch}-unknown-linux-musl
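Review bot: The corrected test `[ "${arch}" == "ppc64le" ] && arch="powerpc64le"` still relies on `==`, which `test`/`[` does not define in POSIX sh; the portable spelling is `[ "${arch}" = "ppc64le" ] && arch="powerpc64le"`, and the `if` on the line above uses the same non-portable operator twice. Which shell snapcraft runs this part under is not visible here, so this is a portability point rather than a reported failure. The enclosing part definition starts and ends outside the hunk.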


@ -167,6 +167,11 @@ DEFDISABLEGUESTEMPTYDIR := false
DEFAULTEXPFEATURES := [] DEFAULTEXPFEATURES := []
DEFDISABLESELINUX := false DEFDISABLESELINUX := false
#Default SeccomSandbox param
#The same default policy is used by libvirt
#More explanation on https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny
#Default entropy source #Default entropy source
DEFENTROPYSOURCE := /dev/urandom DEFENTROPYSOURCE := /dev/urandom
@ -459,6 +464,7 @@ USER_VARS += DEFVIRTIOFSCACHE
USER_VARS += DEFVIRTIOFSEXTRAARGS USER_VARS += DEFVIRTIOFSEXTRAARGS
USER_VARS += DEFENABLEANNOTATIONS USER_VARS += DEFENABLEANNOTATIONS
USER_VARS += DEFENABLEIOTHREADS USER_VARS += DEFENABLEIOTHREADS
USER_VARS += DEFSECCOMPSANDBOXPARAM
USER_VARS += DEFENABLEVHOSTUSERSTORE USER_VARS += DEFENABLEVHOSTUSERSTORE
USER_VARS += DEFVHOSTUSERSTOREPATH USER_VARS += DEFVHOSTUSERSTOREPATH
USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS
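Review bot: `#Default SeccomSandbox param` on the first added line misspells the feature name; suggest `#Default QEMU seccomp sandbox parameter (value of the -sandbox option)`. The second hunk exports the value through USER_VARS so it is substituted into the configuration templates, but the template hunk in this same PR ships the `seccompsandbox=` key commented out, so this default is documentation only until an operator uncomments it; a sentence in the comment block saying that would save the next reader a cross-file search.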


@ -76,6 +76,14 @@ firmware_volume = "@FIRMWAREVOLUMEPATH@"
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators="@MACHINEACCELERATORS@" machine_accelerators="@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@"
# CPU features # CPU features
# comma-separated list of cpu features to pass to the cpu # comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off" # For example, `cpu_features = "pmu=off,vmx=off"
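Review bot: `#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@"` is shipped commented out, so the Makefile default is never applied and the Go-side `SeccompSandbox` stays empty, which the new `checkBpfEnabled` in qemu.go treats as "sandbox not configured"; the QEMU seccomp sandbox is therefore off by default after this change. If that is the intended rollout, the comment block should say so explicitly, e.g. `# The sandbox is disabled unless this key is set; the value shown is the recommended default.`; if not, the key should be uncommented. The performance note pointing at `/proc/sys/net/core/bpf_jit_enable` is useful and matches the runtime warning added in qemu.go.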


@ -97,7 +97,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
} }
// create root span // create root span
rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "root span", shimTracingTags) rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "rootSpan", shimTracingTags)
s.rootCtx = newCtx s.rootCtx = newCtx
defer rootSpan.End() defer rootSpan.End()


@ -15,6 +15,7 @@ package qemu
import ( import (
"bytes" "bytes"
"context"
"fmt" "fmt"
"log" "log"
"os" "os"
@ -23,8 +24,6 @@ import (
"strconv" "strconv"
"strings" "strings"
"syscall" "syscall"
"context"
) )
// Machine describes the machine type qemu will emulate. // Machine describes the machine type qemu will emulate.


@ -95,6 +95,7 @@ type hypervisor struct {
FileBackedMemRootDir string `toml:"file_mem_backend"` FileBackedMemRootDir string `toml:"file_mem_backend"`
GuestHookPath string `toml:"guest_hook_path"` GuestHookPath string `toml:"guest_hook_path"`
GuestMemoryDumpPath string `toml:"guest_memory_dump_path"` GuestMemoryDumpPath string `toml:"guest_memory_dump_path"`
SeccompSandbox string `toml:"seccompsandbox"`
HypervisorPathList []string `toml:"valid_hypervisor_paths"` HypervisorPathList []string `toml:"valid_hypervisor_paths"`
JailerPathList []string `toml:"valid_jailer_paths"` JailerPathList []string `toml:"valid_jailer_paths"`
CtlPathList []string `toml:"valid_ctlpaths"` CtlPathList []string `toml:"valid_ctlpaths"`
@ -767,6 +768,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
EnableVhostUserStore: h.EnableVhostUserStore, EnableVhostUserStore: h.EnableVhostUserStore,
VhostUserStorePath: h.vhostUserStorePath(), VhostUserStorePath: h.vhostUserStorePath(),
VhostUserStorePathList: h.VhostUserStorePathList, VhostUserStorePathList: h.VhostUserStorePathList,
SeccompSandbox: h.SeccompSandbox,
GuestHookPath: h.guestHookPath(), GuestHookPath: h.guestHookPath(),
RxRateLimiterMaxRate: rxRateLimiterMaxRate, RxRateLimiterMaxRate: rxRateLimiterMaxRate,
TxRateLimiterMaxRate: txRateLimiterMaxRate, TxRateLimiterMaxRate: txRateLimiterMaxRate,
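Review bot: `SeccompSandbox string `toml:"seccompsandbox"`` is copied straight into `vc.HypervisorConfig` in the second hunk with no validation, so a mistyped value only surfaces when QEMU fails to launch, which is a late and hard-to-diagnose error for an option that is a security control. QEMU's `-sandbox` argument takes a small fixed vocabulary (`on`/`off` plus the `obsolete=`, `elevateprivileges=`, `spawn=` and `resourcecontrol=` keys), so a check in `newQemuHypervisorConfig` that rejects unknown keys with a descriptive error would fail fast; whether this file already has a shared validation helper for such values is not visible in the hunk. Both enclosing definitions start and end outside the hunk.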


@ -370,6 +370,9 @@ type HypervisorConfig struct {
// VhostUserStorePathList is the list of valid values for vhost-user paths // VhostUserStorePathList is the list of valid values for vhost-user paths
VhostUserStorePathList []string VhostUserStorePathList []string
// SeccompSandbox is the qemu function which enables the seccomp feature
SeccompSandbox string
// KernelParams are additional guest kernel parameters. // KernelParams are additional guest kernel parameters.
KernelParams []Param KernelParams []Param
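Review bot: The doc comment `// SeccompSandbox is the qemu function which enables the seccomp feature` describes the field as a function, but it holds the comma-separated value handed to QEMU's `-sandbox` option, and the new `checkBpfEnabled` in qemu.go treats the empty string as "not configured". Suggest `// SeccompSandbox is the value passed to QEMU's -sandbox option (comma-separated seccomp sandbox settings); empty leaves the sandbox unconfigured.` The identical comment appears in the persistapi `HypervisorConfig` hunk further down and should be corrected there as well.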


@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
BootFromTemplate: sconfig.HypervisorConfig.BootFromTemplate, BootFromTemplate: sconfig.HypervisorConfig.BootFromTemplate,
DisableVhostNet: sconfig.HypervisorConfig.DisableVhostNet, DisableVhostNet: sconfig.HypervisorConfig.DisableVhostNet,
EnableVhostUserStore: sconfig.HypervisorConfig.EnableVhostUserStore, EnableVhostUserStore: sconfig.HypervisorConfig.EnableVhostUserStore,
SeccompSandbox: sconfig.HypervisorConfig.SeccompSandbox,
VhostUserStorePath: sconfig.HypervisorConfig.VhostUserStorePath, VhostUserStorePath: sconfig.HypervisorConfig.VhostUserStorePath,
VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList, VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList,
GuestHookPath: sconfig.HypervisorConfig.GuestHookPath, GuestHookPath: sconfig.HypervisorConfig.GuestHookPath,
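Review bot: `SeccompSandbox: sconfig.HypervisorConfig.SeccompSandbox,` writes the setting into the persisted state, but the diff does not show the corresponding restore path copying it back, so please confirm the sandbox value survives a shim restart; if the load side copies fields one by one it needs the same one-line addition. `dumpConfig` starts and ends outside the hunk.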


@ -80,6 +80,9 @@ type HypervisorConfig struct {
// related folders, sockets and device nodes should be. // related folders, sockets and device nodes should be.
VhostUserStorePath string VhostUserStorePath string
// SeccompSandbox is the qemu function which enables the seccomp feature
SeccompSandbox string
// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks // GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
GuestHookPath string GuestHookPath string


@ -629,30 +629,32 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
// some devices configuration may also change kernel params, make sure this is called afterwards // some devices configuration may also change kernel params, make sure this is called afterwards
Params: q.kernelParameters(), Params: q.kernelParameters(),
} }
q.checkBpfEnabled()
qemuConfig := govmmQemu.Config{ qemuConfig := govmmQemu.Config{
Name: fmt.Sprintf("sandbox-%s", q.id), Name: fmt.Sprintf("sandbox-%s", q.id),
UUID: q.state.UUID, UUID: q.state.UUID,
Path: qemuPath, Path: qemuPath,
Ctx: q.qmpMonitorCh.ctx, Ctx: q.qmpMonitorCh.ctx,
Uid: q.config.Uid, Uid: q.config.Uid,
Gid: q.config.Gid, Gid: q.config.Gid,
Groups: q.config.Groups, Groups: q.config.Groups,
Machine: machine, Machine: machine,
SMP: smp, SMP: smp,
Memory: memory, Memory: memory,
Devices: devices, Devices: devices,
CPUModel: cpuModel, CPUModel: cpuModel,
Kernel: kernel, SeccompSandbox: q.config.SeccompSandbox,
RTC: rtc, Kernel: kernel,
QMPSockets: qmpSockets, RTC: rtc,
Knobs: knobs, QMPSockets: qmpSockets,
Incoming: incoming, Knobs: knobs,
VGA: "none", Incoming: incoming,
GlobalParam: "kvm-pit.lost_tick_policy=discard", VGA: "none",
Bios: firmwarePath, GlobalParam: "kvm-pit.lost_tick_policy=discard",
PFlash: pflash, Bios: firmwarePath,
PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"), PFlash: pflash,
PidFile: filepath.Join(q.config.VMStorePath, q.id, "pid"),
} }
qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath) qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath)
@ -689,6 +691,25 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
return err return err
} }
func (q *qemu) checkBpfEnabled() {
if q.config.SeccompSandbox != "" {
out, err := os.ReadFile("/proc/sys/net/core/bpf_jit_enable")
if err != nil {
q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status")
return
}
enabled, err := strconv.Atoi(string(out))
if err != nil {
q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer")
return
}
if enabled == 0 {
q.Logger().Warningf("bpf_jit_enable is disabled. " +
"It's recommended to turn on bpf_jit_enable to reduce the performance impact of QEMU seccomp sandbox.")
}
}
}
func (q *qemu) vhostFSSocketPath(id string) (string, error) { func (q *qemu) vhostFSSocketPath(id string) (string, error) {
return utils.BuildSocketPath(q.config.VMStorePath, id, vhostFSSocket) return utils.BuildSocketPath(q.config.VMStorePath, id, vhostFSSocket)
} }
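Review bot: `strconv.Atoi(string(out))` in the new `checkBpfEnabled` will fail on every real run, because `/proc/sys/net/core/bpf_jit_enable` is read back with a trailing newline (`"1\n"`), which `Atoi` rejects; the function then logs the conversion warning and never reaches the `enabled == 0` check it exists for. Trim before parsing: `enabled, err := strconv.Atoi(strings.TrimSpace(string(out)))` (assuming `strings` is already imported in this file, which the hunk does not show). The failure is benign since the value only feeds a warning, but the message `failed to convert bpf_jit_enable status to integer` will mislead operators into thinking the sysctl is unreadable. The two `Warningf` calls take no format arguments and could be plain `Warning`; `CreateVM`, which gains the `q.checkBpfEnabled()` call in the first hunk, starts and ends outside it.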


@ -563,8 +563,13 @@ EOF
if [ -f "$chrony_systemd_service" ]; then if [ -f "$chrony_systemd_service" ]; then
# Remove user option, user could not exist in the rootfs # Remove user option, user could not exist in the rootfs
# Set the /var/lib/chrony for ReadWritePaths to be ignored if
# its nonexistent, this broke the service on boot previously
# due to the directory not being present "(code=exited, status=226/NAMESPACE)"
sed -i -e 's/^\(ExecStart=.*\)-u [[:alnum:]]*/\1/g' \ sed -i -e 's/^\(ExecStart=.*\)-u [[:alnum:]]*/\1/g' \
-e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' ${chrony_systemd_service} -e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' \
-e 's/^ReadWritePaths=\(.\+\) \/var\/lib\/chrony \(.\+\)$/ReadWritePaths=\1 -\/var\/lib\/chrony \2/m' \
${chrony_systemd_service}
fi fi
AGENT_DIR="${ROOTFS_DIR}/usr/bin" AGENT_DIR="${ROOTFS_DIR}/usr/bin"
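Review bot: The new substitution `s/^ReadWritePaths=\(.\+\) \/var\/lib\/chrony \(.\+\)$/.../m` only matches when `/var/lib/chrony` has at least one other path on each side of it, because both `\(.\+\)` groups require a character plus a surrounding space; if the path is first or last on the `ReadWritePaths=` line the `-` prefix is silently not added and the unit keeps failing with status 226/NAMESPACE. Anchoring on the preceding `=` or space instead, e.g. `-e 's/^\(ReadWritePaths=.*[= ]\)\/var\/lib\/chrony\b/\1-\/var\/lib\/chrony/' \`, covers every position and is idempotent on an already-prefixed path; the `m` flag does nothing useful on a single-line pattern space and can be dropped. Which layout the packaged chrony unit actually uses is not visible here, so this is a robustness point. The enclosing function starts and ends outside the hunk.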


@ -1,76 +0,0 @@
#!/usr/bin/env bash
#Copyright (c) 2018 Intel Corporation
#
#SPDX-License-Identifier: Apache-2.0
#
[ -z "${DEBUG}" ] || set -x
set -o errexit
set -o nounset
set -o pipefail
workdir="${PWD}"
readonly script_name="$(basename "${BASH_SOURCE[0]}")"
readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly project="kata-containers"
GOPATH=${GOPATH:-${HOME}/go}
source "${script_dir}/../scripts/lib.sh"
source "${script_dir}/../obs-packaging/scripts/pkglib.sh"
die() {
msg="$*"
echo "ERROR: ${FUNCNAME[1]} ${msg}" >&2
exit 1
}
usage() {
return_code=${1:-0}
cat <<EOF
Usage:
${script_name} [options] <version>
version: Kata version to create the image.
Create image for a kata version.
options:
-h : show this help
-p : push image to github
EOF
exit "${return_code}"
}
main() {
push="false"
while getopts "d:hp" opt; do
case $opt in
h) usage 0 ;;
p) push="true" ;;
esac
done
shift $((OPTIND - 1))
kata_version=${1:-}
[ -n "${kata_version}" ] || usage "1"
ref="refs/tags/${kata_version}^{}"
agent_sha=$(get_kata_hash "agent" "${ref}")
agent_sha=${agent_sha:0:${short_commit_length}}
image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}") ||
"${script_dir}/../obs-packaging/kata-containers-image/build_image.sh" -v "${kata_version}"
image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}" ) || die "file not found ${image_tarball}"
if [ ${push} == "true" ]; then
hub -C "${GOPATH}/src/github.com/${project}/agent" release edit -a "${image_tarball}" "${kata_version}"
else
echo "Wont push image to github use -p option to do it."
fi
}
main $@