github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-20 00:48:04 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #4508 from GeorginaKin/ccv0-main-merge

Browse Source 
CCv0: Merge main into CCv0 branch
This commit is contained in:
Georgina Kinge 2022-06-22 19:28:53 +01:00 committed by GitHub
commit 676b1d6048
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 79 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/add-pr-sizing-label.yaml vendored
View File

@ -33,6 +33,8 @@ jobs:
GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }}
run: |
pr=${{ github.event.number }}
# Removing man-db, workflow kept failing, fixes: #4480
sudo apt -y remove --purge man-db
sudo apt -y install diffstat patchutils
pr-add-size-label.sh -p "$pr"

2
.github/workflows/snap-release.yaml vendored
View File

@ -19,6 +19,8 @@ jobs:
- name: Build snap
run: |
# Removing man-db, workflow kept failing, fixes: #4480
sudo apt -y remove --purge man-db
sudo apt-get install -y git git-extras
kata_url="https://github.com/kata-containers/kata-containers"
latest_version=$(git ls-remote --tags ${kata_url} | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1)

2
snap/snapcraft.yaml
View File

@ -74,7 +74,7 @@ parts:
rustup toolchain install ${version}
rustup default ${version}
if [ "${arch}" == "ppc64le" ] || [ "${arch}" == "s390x" ] ; then
[ ${arch} == "ppc64le"] && arch="powerpc64le"
[ "${arch}" == "ppc64le" ] && arch="powerpc64le"
rustup target add ${arch}-unknown-linux-gnu
else
rustup target add ${arch}-unknown-linux-musl

6
src/runtime/Makefile
View File

@ -167,6 +167,11 @@ DEFDISABLEGUESTEMPTYDIR := false
DEFAULTEXPFEATURES := []
DEFDISABLESELINUX := false
#Default SeccomSandbox param
#The same default policy is used by libvirt
#More explanation on https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny
#Default entropy source
DEFENTROPYSOURCE := /dev/urandom
@ -459,6 +464,7 @@ USER_VARS += DEFVIRTIOFSCACHE
USER_VARS += DEFVIRTIOFSEXTRAARGS
USER_VARS += DEFENABLEANNOTATIONS
USER_VARS += DEFENABLEIOTHREADS
USER_VARS += DEFSECCOMPSANDBOXPARAM
USER_VARS += DEFENABLEVHOSTUSERSTORE
USER_VARS += DEFVHOSTUSERSTOREPATH
USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS

8
src/runtime/config/configuration-qemu.toml.in
View File

@ -76,6 +76,14 @@ firmware_volume = "@FIRMWAREVOLUMEPATH@"
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators="@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off"

2
src/runtime/pkg/containerd-shim-v2/create.go
View File

@ -97,7 +97,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
}
// create root span
rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "root span", shimTracingTags)
rootSpan, newCtx := katatrace.Trace(s.ctx, shimLog, "rootSpan", shimTracingTags)
s.rootCtx = newCtx
defer rootSpan.End()

3
src/runtime/pkg/govmm/qemu/qemu.go
View File

@ -15,6 +15,7 @@ package qemu
import (
"bytes"
"context"
"fmt"
"log"
"os"
@ -23,8 +24,6 @@ import (
"strconv"
"strings"
"syscall"
"context"
)
// Machine describes the machine type qemu will emulate.

2
src/runtime/pkg/katautils/config.go
View File

@ -95,6 +95,7 @@ type hypervisor struct {
FileBackedMemRootDir string `toml:"file_mem_backend"`
GuestHookPath string `toml:"guest_hook_path"`
GuestMemoryDumpPath string `toml:"guest_memory_dump_path"`
SeccompSandbox string `toml:"seccompsandbox"`
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
JailerPathList []string `toml:"valid_jailer_paths"`
CtlPathList []string `toml:"valid_ctlpaths"`
@ -767,6 +768,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
EnableVhostUserStore: h.EnableVhostUserStore,
VhostUserStorePath: h.vhostUserStorePath(),
VhostUserStorePathList: h.VhostUserStorePathList,
SeccompSandbox: h.SeccompSandbox,
GuestHookPath: h.guestHookPath(),
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
TxRateLimiterMaxRate: txRateLimiterMaxRate,

3
src/runtime/virtcontainers/hypervisor.go
View File

@ -370,6 +370,9 @@ type HypervisorConfig struct {
// VhostUserStorePathList is the list of valid values for vhost-user paths
VhostUserStorePathList []string
// SeccompSandbox is the qemu function which enables the seccomp feature
SeccompSandbox string
// KernelParams are additional guest kernel parameters.
KernelParams []Param

1
src/runtime/virtcontainers/persist.go
View File

@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
BootFromTemplate: sconfig.HypervisorConfig.BootFromTemplate,
DisableVhostNet: sconfig.HypervisorConfig.DisableVhostNet,
EnableVhostUserStore: sconfig.HypervisorConfig.EnableVhostUserStore,
SeccompSandbox: sconfig.HypervisorConfig.SeccompSandbox,
VhostUserStorePath: sconfig.HypervisorConfig.VhostUserStorePath,
VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList,
GuestHookPath: sconfig.HypervisorConfig.GuestHookPath,

3
src/runtime/virtcontainers/persist/api/config.go
View File

@ -80,6 +80,9 @@ type HypervisorConfig struct {
// related folders, sockets and device nodes should be.
VhostUserStorePath string
// SeccompSandbox is the qemu function which enables the seccomp feature
SeccompSandbox string
// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
GuestHookPath string

21
src/runtime/virtcontainers/qemu.go
View File

@ -629,6 +629,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
// some devices configuration may also change kernel params, make sure this is called afterwards
Params: q.kernelParameters(),
}
q.checkBpfEnabled()
qemuConfig := govmmQemu.Config{
Name: fmt.Sprintf("sandbox-%s", q.id),
@ -643,6 +644,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
Memory: memory,
Devices: devices,
CPUModel: cpuModel,
SeccompSandbox: q.config.SeccompSandbox,
Kernel: kernel,
RTC: rtc,
QMPSockets: qmpSockets,
@ -689,6 +691,25 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
return err
}
func (q *qemu) checkBpfEnabled() {
if q.config.SeccompSandbox != "" {
out, err := os.ReadFile("/proc/sys/net/core/bpf_jit_enable")
if err != nil {
q.Logger().WithError(err).Warningf("failed to get bpf_jit_enable status")
return
}
enabled, err := strconv.Atoi(string(out))
if err != nil {
q.Logger().WithError(err).Warningf("failed to convert bpf_jit_enable status to integer")
return
}
if enabled == 0 {
q.Logger().Warningf("bpf_jit_enable is disabled. " +
"It's recommended to turn on bpf_jit_enable to reduce the performance impact of QEMU seccomp sandbox.")
}
}
}
func (q *qemu) vhostFSSocketPath(id string) (string, error) {
return utils.BuildSocketPath(q.config.VMStorePath, id, vhostFSSocket)
}

7
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@ -563,8 +563,13 @@ EOF
if [ -f "$chrony_systemd_service" ]; then
# Remove user option, user could not exist in the rootfs
# Set the /var/lib/chrony for ReadWritePaths to be ignored if
# its nonexistent, this broke the service on boot previously
# due to the directory not being present "(code=exited, status=226/NAMESPACE)"
sed -i -e 's/^\(ExecStart=.*\)-u [[:alnum:]]*/\1/g' \
-e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' ${chrony_systemd_service}
-e '/^\[Unit\]/a ConditionPathExists=\/dev\/ptp0' \
-e 's/^ReadWritePaths=\(.\+\) \/var\/lib\/chrony \(.\+\)$/ReadWritePaths=\1 -\/var\/lib\/chrony \2/m' \
${chrony_systemd_service}
fi
AGENT_DIR="${ROOTFS_DIR}/usr/bin"

76
tools/packaging/release/publish-kata-image.sh
View File

@ -1,76 +0,0 @@
#!/usr/bin/env bash
#Copyright (c) 2018 Intel Corporation
#
#SPDX-License-Identifier: Apache-2.0
#
[ -z "${DEBUG}" ] || set -x
set -o errexit
set -o nounset
set -o pipefail
workdir="${PWD}"
readonly script_name="$(basename "${BASH_SOURCE[0]}")"
readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly project="kata-containers"
GOPATH=${GOPATH:-${HOME}/go}
source "${script_dir}/../scripts/lib.sh"
source "${script_dir}/../obs-packaging/scripts/pkglib.sh"
die() {
msg="$*"
echo "ERROR: ${FUNCNAME[1]} ${msg}" >&2
exit 1
}
usage() {
return_code=${1:-0}
cat <<EOF
Usage:
${script_name} [options] <version>
version: Kata version to create the image.
Create image for a kata version.
options:
-h : show this help
-p : push image to github
EOF
exit "${return_code}"
}
main() {
push="false"
while getopts "d:hp" opt; do
case $opt in
h) usage 0 ;;
p) push="true" ;;
esac
done
shift $((OPTIND - 1))
kata_version=${1:-}
[ -n "${kata_version}" ] || usage "1"
ref="refs/tags/${kata_version}^{}"
agent_sha=$(get_kata_hash "agent" "${ref}")
agent_sha=${agent_sha:0:${short_commit_length}}
image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}") ||
"${script_dir}/../obs-packaging/kata-containers-image/build_image.sh" -v "${kata_version}"
image_tarball=$(find -name 'kata-containers-*.tar.gz' | grep "${kata_version}" | grep "${agent_sha}" ) || die "file not found ${image_tarball}"
if [ ${push} == "true" ]; then
hub -C "${GOPATH}/src/github.com/${project}/agent" release edit -a "${image_tarball}" "${kata_version}"
else
echo "Wont push image to github use -p option to do it."
fi
}
main $@