diff --git a/src/libs/Cargo.lock b/src/libs/Cargo.lock index 7a7ad017a4..341abf83b4 100644 --- a/src/libs/Cargo.lock +++ b/src/libs/Cargo.lock @@ -317,6 +317,7 @@ dependencies = [ "oci", "regex", "serde", + "serde_json", "slog", "slog-scope", "thiserror", @@ -663,18 +664,18 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.133" +version = "1.0.135" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97565067517b60e2d1ea8b268e59ce036de907ac523ad83a0475da04e818989a" +checksum = "2cf9235533494ea2ddcdb794665461814781c53f19d87b76e571a1c35acbad2b" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.133" +version = "1.0.135" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed201699328568d8d08208fdd080e3ff594e6c422e438b6705905da01005d537" +checksum = "8dcde03d87d4c973c04be249e7d8f0b35db1c848c487bd43032808e59dd8328d" dependencies = [ "proc-macro2", "quote", @@ -718,9 +719,9 @@ dependencies = [ [[package]] name = "slog-json" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52e9b96fb6b5e80e371423b4aca6656eb537661ce8f82c2697e619f8ca85d043" +checksum = "0f7f7a952ce80fca9da17bf0a53895d11f8aa1ba063668ca53fc72e7869329e9" dependencies = [ "chrono", "serde", diff --git a/src/libs/kata-types/Cargo.toml b/src/libs/kata-types/Cargo.toml index ecae6f0184..786615e553 100644 --- a/src/libs/kata-types/Cargo.toml +++ b/src/libs/kata-types/Cargo.toml @@ -18,6 +18,7 @@ regex = "1.5.4" serde = { version = "1.0.100", features = ["derive"] } slog = "2.5.2" slog-scope = "4.4.0" +serde_json = "1.0.73" thiserror = "1.0" toml = "0.5.8" diff --git a/src/libs/kata-types/src/annotations/dockershim.rs b/src/libs/kata-types/src/annotations/dockershim.rs index 1558983d9a..df1279dc5a 100644 --- a/src/libs/kata-types/src/annotations/dockershim.rs +++ b/src/libs/kata-types/src/annotations/dockershim.rs @@ -6,8 +6,18 @@ #![allow(missing_docs)] +//! Copied from k8s.io/pkg/kubelet/dockershim/docker_service.go, used to identify whether a docker +//! container is a sandbox or a regular container, will be removed after defining those as public +//! fields in dockershim. + +/// ContainerTypeLabelKey is the container type (podsandbox or container) of key. pub const CONTAINER_TYPE_LABEL_KEY: &str = "io.kubernetes.docker.type"; + +/// ContainerTypeLabelSandbox represents a sandbox sandbox container. pub const SANDBOX: &str = "podsandbox"; + +/// ContainerTypeLabelContainer represents a container running within a sandbox. pub const CONTAINER: &str = "container"; +/// SandboxIDLabelKey is the sandbox ID annotation. pub const SANDBOX_ID_LABEL_KEY: &str = "io.kubernetes.sandbox.id"; diff --git a/src/libs/kata-types/src/annotations/mod.rs b/src/libs/kata-types/src/annotations/mod.rs index f1cd143204..43f23e727a 100644 --- a/src/libs/kata-types/src/annotations/mod.rs +++ b/src/libs/kata-types/src/annotations/mod.rs @@ -1,9 +1,20 @@ -// Copyright (c) 2019 Alibaba Cloud +// Copyright (c) 2019-2021 Alibaba Cloud // Copyright (c) 2019 Ant Group // // SPDX-License-Identifier: Apache-2.0 // +use std::collections::HashMap; +use std::fs::File; +use std::io::{self, BufReader, Result}; +use std::u32; + +use serde::Deserialize; + +use crate::config::hypervisor::get_hypervisor_plugin; +use crate::config::TomlConfig; +use crate::sl; + /// CRI-containerd specific annotations. pub mod cri_containerd; @@ -12,3 +23,754 @@ pub mod crio; /// Dockershim specific annotations. pub mod dockershim; + +/// Third-party annotations. +pub mod thirdparty; + +// Common section +/// Prefix for Kata specific annotations +pub const KATA_ANNO_PREFIX: &str = "io.katacontainers."; +/// Prefix for Kata configuration annotations +pub const KATA_ANNO_CONF_PREFIX: &str = "io.katacontainers.config."; +/// Prefix for Kata container annotations +pub const KATA_ANNO_CONTAINER_PREFIX: &str = "io.katacontainers.container."; +/// The annotation key to fetch runtime configuration file. +pub const SANDBOX_CONFIG_PATH_KEY: &str = "io.katacontainers.config_path"; + +// OCI section +/// The annotation key to fetch the OCI configuration file path. +pub const BUNDLE_PATH_KEY: &str = "io.katacontainers.pkg.oci.bundle_path"; +/// The annotation key to fetch container type. +pub const CONTAINER_TYPE_KEY: &str = "io.katacontainers.pkg.oci.container_type"; + +// Container resource related annotations +/// Prefix for Kata container resource related annotations. +pub const KATA_ANNO_CONTAINER_RESOURCE_PREFIX: &str = "io.katacontainers.container.resource"; +/// A container annotation to specify the Resources.Memory.Swappiness. +pub const KATA_ANNO_CONTAINER_RESOURCE_SWAPPINESS: &str = + "io.katacontainers.container.resource.swappiness"; +/// A container annotation to specify the Resources.Memory.Swap. +pub const KATA_ANNO_CONTAINER_RESOURCE_SWAP_IN_BYTES: &str = + "io.katacontainers.container.resource.swap_in_bytes"; + +// Agent related annotations +/// Prefix for Agent configurations. +pub const KATA_ANNO_CONF_AGENT_PREFIX: &str = "io.katacontainers.config.agent."; +/// KernelModules is the annotation key for passing the list of kernel modules and their parameters +/// that will be loaded in the guest kernel. +/// +/// Semicolon separated list of kernel modules and their parameters. These modules will be loaded +/// in the guest kernel using modprobe(8). +/// The following example can be used to load two kernel modules with parameters +/// +/// annotations: +/// io.katacontainers.config.agent.kernel_modules: "e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0" +/// +/// The first word is considered as the module name and the rest as its parameters. +pub const KATA_ANNO_CONF_KERNEL_MODULES: &str = "io.katacontainers.config.agent.kernel_modules"; +/// A sandbox annotation to enable tracing for the agent. +pub const KATA_ANNO_CONF_AGENT_TRACE: &str = "io.katacontainers.config.agent.enable_tracing"; +/// An annotation to specify the size of the pipes created for containers. +pub const KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE: &str = + "io.katacontainers.config.agent.container_pipe_size"; +/// An annotation key to specify the size of the pipes created for containers. +pub const CONTAINER_PIPE_SIZE_KERNEL_PARAM: &str = "agent.container_pipe_size"; + +// Hypervisor related annotations +/// Prefix for Hypervisor configurations. +pub const KATA_ANNO_CONF_HYPERVISOR_PREFIX: &str = "io.katacontainers.config.hypervisor."; +/// A sandbox annotation for passing a per container path pointing at the hypervisor that will run +/// the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_PATH: &str = "io.katacontainers.config.hypervisor.path"; +/// A sandbox annotation for passing a container hypervisor binary SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_HASH: &str = "io.katacontainers.config.hypervisor.path_hash"; +/// A sandbox annotation for passing a per container path pointing at the hypervisor control binary +/// that will run the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_CTLPATH: &str = "io.katacontainers.config.hypervisor.ctlpath"; +/// A sandbox annotation for passing a container hypervisor control binary SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_CTLHASH: &str = + "io.katacontainers.config.hypervisor.hypervisorctl_hash"; +/// A sandbox annotation for passing a per container path pointing at the jailer that will constrain +/// the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH: &str = + "io.katacontainers.config.hypervisor.jailer_path"; +/// A sandbox annotation for passing a jailer binary SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_JAILER_HASH: &str = + "io.katacontainers.config.hypervisor.jailer_hash"; +/// A sandbox annotation to enable IO to be processed in a separate thread. +/// Supported currently for virtio-scsi driver. +pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS: &str = + "io.katacontainers.config.hypervisor.enable_iothreads"; +/// The hash type used for assets verification +pub const KATA_ANNO_CONF_HYPERVISOR_ASSET_HASH_TYPE: &str = + "io.katacontainers.config.hypervisor.asset_hash_type"; +/// SHA512 is the SHA-512 (64) hash algorithm +pub const SHA512: &str = "sha512"; + +// Hypervisor Block Device related annotations +/// Specify the driver to be used for block device either VirtioSCSI or VirtioBlock +pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER: &str = + "io.katacontainers.config.hypervisor.block_device_driver"; +/// A sandbox annotation that disallows a block device from being used. +pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_BLOCK_DEVICE_USE: &str = + "io.katacontainers.config.hypervisor.disable_block_device_use"; +/// A sandbox annotation that specifies cache-related options will be set to block devices or not. +pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_SET: &str = + "io.katacontainers.config.hypervisor.block_device_cache_set"; +/// A sandbox annotation that specifies cache-related options for block devices. +/// Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. +pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_DIRECT: &str = + "io.katacontainers.config.hypervisor.block_device_cache_direct"; +/// A sandbox annotation that specifies cache-related options for block devices. +/// Denotes whether flush requests for the device are ignored. +pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH: &str = + "io.katacontainers.config.hypervisor.block_device_cache_noflush"; +/// A sandbox annotation to specify use of nvdimm device for guest rootfs image. +pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_IMAGE_NVDIMM: &str = + "io.katacontainers.config.hypervisor.disable_image_nvdimm"; +/// A sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_OFFSET: &str = + "io.katacontainers.config.hypervisor.memory_offset"; +/// A sandbox annotation to specify if vhost-user-blk/scsi is abailable on the host +pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_VHOSTUSER_STORE: &str = + "io.katacontainers.config.hypervisor.enable_vhost_user_store"; +/// A sandbox annotation to specify the directory path where vhost-user devices related folders, +/// sockets and device nodes should be. +pub const KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH: &str = + "io.katacontainers.config.hypervisor.vhost_user_store_path"; + +// Hypervisor Guest Boot related annotations +/// A sandbox annotation for passing a per container path pointing at the kernel needed to boot +/// the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH: &str = + "io.katacontainers.config.hypervisor.kernel"; +/// A sandbox annotation for passing a container kernel image SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_HASH: &str = + "io.katacontainers.config.hypervisor.kernel_hash"; +/// A sandbox annotation for passing a per container path pointing at the guest image that will run +/// in the container VM. +/// A sandbox annotation for passing additional guest kernel parameters. +pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_PARAMS: &str = + "io.katacontainers.config.hypervisor.kernel_params"; +/// A sandbox annotation for passing a container guest image path. +pub const KATA_ANNO_CONF_HYPERVISOR_IMAGE_PATH: &str = "io.katacontainers.config.hypervisor.image"; +/// A sandbox annotation for passing a container guest image SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_IMAGE_HASH: &str = + "io.katacontainers.config.hypervisor.image_hash"; +/// A sandbox annotation for passing a per container path pointing at the initrd that will run +/// in the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_INITRD_PATH: &str = + "io.katacontainers.config.hypervisor.initrd"; +/// A sandbox annotation for passing a container guest initrd SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_INITRD_HASH: &str = + "io.katacontainers.config.hypervisor.initrd_hash"; +/// A sandbox annotation for passing a per container path pointing at the guest firmware that will +/// run the container VM. +pub const KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_PATH: &str = + "io.katacontainers.config.hypervisor.firmware"; +/// A sandbox annotation for passing a container guest firmware SHA-512 hash value. +pub const KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_HASH: &str = + "io.katacontainers.config.hypervisor.firmware_hash"; + +// Hypervisor CPU related annotations +/// A sandbox annotation to specify cpu specific features. +pub const KATA_ANNO_CONF_HYPERVISOR_CPU_FEATURES: &str = + "io.katacontainers.config.hypervisor.cpu_features"; +/// A sandbox annotation for passing the default vcpus assigned for a VM by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS: &str = + "io.katacontainers.config.hypervisor.default_vcpus"; +/// A sandbox annotation that specifies the maximum number of vCPUs allocated for the VM by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MAX_VCPUS: &str = + "io.katacontainers.config.hypervisor.default_max_vcpus"; + +// Hypervisor Device related annotations +/// A sandbox annotation used to indicate if devices need to be hotplugged on the root bus instead +/// of a bridge. +pub const KATA_ANNO_CONF_HYPERVISOR_HOTPLUG_VFIO_ON_ROOT_BUS: &str = + "io.katacontainers.config.hypervisor.hotplug_vfio_on_root_bus"; +/// PCIeRootPort is used to indicate the number of PCIe Root Port devices +pub const KATA_ANNO_CONF_HYPERVISOR_PCIE_ROOT_PORT: &str = + "io.katacontainers.config.hypervisor.pcie_root_port"; +/// A sandbox annotation to specify if the VM should have a vIOMMU device. +pub const KATA_ANNO_CONF_HYPERVISOR_IOMMU: &str = + "io.katacontainers.config.hypervisor.enable_iommu"; +/// Enable Hypervisor Devices IOMMU_PLATFORM +pub const KATA_ANNO_CONF_HYPERVISOR_IOMMU_PLATFORM: &str = + "io.katacontainers.config.hypervisor.enable_iommu_platform"; + +// Hypervisor Machine related annotations +/// A sandbox annotation to specify the type of machine being emulated by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_MACHINE_TYPE: &str = + "io.katacontainers.config.hypervisor.machine_type"; +/// A sandbox annotation to specify machine specific accelerators for the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_MACHINE_ACCELERATORS: &str = + "io.katacontainers.config.hypervisor.machine_accelerators"; +/// EntropySource is a sandbox annotation to specify the path to a host source of +/// entropy (/dev/random, /dev/urandom or real hardware RNG device) +pub const KATA_ANNO_CONF_HYPERVISOR_ENTROPY_SOURCE: &str = + "io.katacontainers.config.hypervisor.entropy_source"; + +// Hypervisor Memory related annotations +/// A sandbox annotation for the memory assigned for a VM by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY: &str = + "io.katacontainers.config.hypervisor.default_memory"; +/// A sandbox annotation to specify the memory slots assigned to the VM by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS: &str = + "io.katacontainers.config.hypervisor.memory_slots"; +/// A sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor. +pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC: &str = + "io.katacontainers.config.hypervisor.enable_mem_prealloc"; +/// A sandbox annotation to specify if the memory should be pre-allocated from huge pages. +pub const KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES: &str = + "io.katacontainers.config.hypervisor.enable_hugepages"; +/// A sandbox annotation to soecify file based memory backend root directory. +pub const KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR: &str = + "io.katacontainers.config.hypervisor.file_mem_backend"; +/// A sandbox annotation that is used to enable/disable virtio-mem. +pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM: &str = + "io.katacontainers.config.hypervisor.enable_virtio_mem"; +/// A sandbox annotation to enable swap of vm memory. +pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP: &str = + "io.katacontainers.config.hypervisor.enable_swap"; +/// A sandbox annotation to enable swap in the guest. +pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP: &str = + "io.katacontainers.config.hypervisor.enable_guest_swap"; + +// Hypervisor Network related annotations +/// A sandbox annotation to specify if vhost-net is not available on the host. +pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_VHOST_NET: &str = + "io.katacontainers.config.hypervisor.disable_vhost_net"; +/// A sandbox annotation that specifies max rate on network I/O inbound bandwidth. +pub const KATA_ANNO_CONF_HYPERVISOR_RX_RATE_LIMITER_MAX_RATE: &str = + "io.katacontainers.config.hypervisor.rx_rate_limiter_max_rate"; +/// A sandbox annotation that specifies max rate on network I/O outbound bandwidth. +pub const KATA_ANNO_CONF_HYPERVISOR_TX_RATE_LIMITER_MAX_RATE: &str = + "io.katacontainers.config.hypervisor.tx_rate_limiter_max_rate"; + +// Hypervisor Security related annotations +/// A sandbox annotation to specify the path within the VM that will be used for 'drop-in' hooks. +pub const KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH: &str = + "io.katacontainers.config.hypervisor.guest_hook_path"; +/// A sandbox annotation to enable rootless hypervisor (only supported in QEMU currently). +pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR: &str = + "io.katacontainers.config.hypervisor.rootless"; + +// Hypervisor Shared File System related annotations +/// A sandbox annotation to specify the shared file system type, either virtio-9p or virtio-fs. +pub const KATA_ANNO_CONF_HYPERVISOR_SHARED_FS: &str = + "io.katacontainers.config.hypervisor.shared_fs"; +/// A sandbox annotations to specify virtio-fs vhost-user daemon path. +pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON: &str = + "io.katacontainers.config.hypervisor.virtio_fs_daemon"; +/// A sandbox annotation to specify the cache mode for fs version cache or "none". +pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE: &str = + "io.katacontainers.config.hypervisor.virtio_fs_cache"; +/// A sandbox annotation to specify the DAX cache size in MiB. +pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE_SIZE: &str = + "io.katacontainers.config.hypervisor.virtio_fs_cache_size"; +/// A sandbox annotation to pass options to virtiofsd daemon. +pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str = + "io.katacontainers.config.hypervisor.virtio_fs_extra_args"; +/// A sandbox annotation to specify as the msize for 9p shares. +pub const KATA_ANNO_CONF_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p"; + +// Runtime related annotations +/// Prefix for Runtime configurations. +pub const KATA_ANNO_CONF_RUNTIME_PREFIX: &str = "io.katacontainers.config.runtime."; +/// A sandbox annotation that determines if seccomp should be applied inside guest. +pub const KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP: &str = + "io.katacontainers.config.runtime.disable_guest_seccomp"; +/// A sandbox annotation that determines if pprof enabled. +pub const KATA_ANNO_CONF_ENABLE_PPROF: &str = "io.katacontainers.config.runtime.enable_pprof"; +/// A sandbox annotation that determines if experimental features enabled. +pub const KATA_ANNO_CONF_EXPERIMENTAL: &str = "io.katacontainers.config.runtime.experimental"; +/// A sandbox annotaion that determines how the VM should be connected to the the container network +/// interface. +pub const KATA_ANNO_CONF_INTER_NETWORK_MODEL: &str = + "io.katacontainers.config.runtime.internetworking_model"; +/// SandboxCgroupOnly is a sandbox annotation that determines if kata processes are managed only in sandbox cgroup. +pub const KATA_ANNO_CONF_SANDBOX_CGROUP_ONLY: &str = + "io.katacontainers.config.runtime.sandbox_cgroup_only"; +/// A sandbox annotation that determines if create a netns for hypervisor process. +pub const KATA_ANNO_CONF_DISABLE_NEW_NETNS: &str = + "io.katacontainers.config.runtime.disable_new_netns"; +/// A sandbox annotation to specify how attached VFIO devices should be treated. +pub const KATA_ANNO_CONF_VFIO_MODE: &str = "io.katacontainers.config.runtime.vfio_mode"; + +/// A helper structure to query configuration information by check annotations. +#[derive(Debug, Default, Deserialize)] +pub struct Annotation { + annotations: HashMap, +} + +impl From> for Annotation { + fn from(annotations: HashMap) -> Self { + Annotation { annotations } + } +} + +impl Annotation { + /// Create a new instance of [`Annotation`]. + pub fn new(annotations: HashMap) -> Annotation { + Annotation { annotations } + } + + /// Deserialize an object from a json string. + pub fn deserialize(path: &str) -> Result + where + for<'a> T: Deserialize<'a>, + { + let f = BufReader::new(File::open(path)?); + Ok(serde_json::from_reader(f)?) + } + + /// Get an immutable reference to the annotation hashmap. + pub fn get_annotation(&self) -> &HashMap { + &self.annotations + } + + /// Get a mutable reference to the annotation hashmap. + pub fn get_annotation_mut(&mut self) -> &mut HashMap { + &mut self.annotations + } + + /// Get the value of annotation with `key` as string. + pub fn get(&self, key: &str) -> Option { + let v = self.annotations.get(key)?; + let value = v.trim(); + + if !value.is_empty() { + Some(String::from(value)) + } else { + None + } + } + + /// Get the value of annotation with `key` as bool. + pub fn get_bool(&self, key: &str) -> Option { + if let Some(value) = self.get(key) { + let value = value.trim(); + if value.parse::().is_err() { + warn!(sl!(), "failed to parse bool value from {}", value); + } else { + return Some(value.parse::().unwrap()); + } + } + + None + } + + /// Get the value of annotation with `key` as u32. + pub fn get_u32(&self, key: &str) -> Option { + let s = self.get(key)?; + match s.parse::() { + Ok(nums) => { + if nums > 0 { + Some(nums) + } else { + None + } + } + + Err(e) => { + warn!( + sl!(), + "failed to parse u32 value from {}, error: {:?}", s, e + ); + None + } + } + } + + /// Get the value of annotation with `key` as i32. + pub fn get_i32(&self, key: &str) -> Option { + let s = self.get(key)?; + s.parse::() + .map_or(None, |x| if x < 0 { None } else { Some(x) }) + } + + /// Get the value of annotation with `key` as u64. + pub fn get_u64(&self, key: &str) -> Option { + let s = self.get(key)?; + match s.parse::() { + Ok(nums) => { + if nums > 0 { + Some(nums) + } else { + None + } + } + + Err(e) => { + warn!( + sl!(), + "failed to parse u64 value from {}, error: {:?}", s, e + ); + None + } + } + } +} + +// Miscellaneous annotations. +impl Annotation { + /// Get the annotation of sandbox configuration file path. + pub fn get_sandbox_config_path(&self) -> Option { + self.get(SANDBOX_CONFIG_PATH_KEY) + } + + /// Get the annotation of bundle path. + pub fn get_bundle_path(&self) -> Option { + self.get(BUNDLE_PATH_KEY) + } + + /// Get the annotation of container type. + pub fn get_container_type(&self) -> Option { + self.get(CONTAINER_TYPE_KEY) + } + + /// Get the annotation to specify the Resources.Memory.Swappiness. + pub fn get_container_resource_swappiness(&self) -> Option { + let v = self.get_u32(KATA_ANNO_CONTAINER_RESOURCE_SWAPPINESS)?; + if v > 100 { + None + } else { + Some(v) + } + } + + /// Get the annotation to specify the Resources.Memory.Swap. + pub fn get_container_resource_swap_in_bytes(&self) -> Option { + self.get(KATA_ANNO_CONTAINER_RESOURCE_SWAP_IN_BYTES) + } +} + +impl Annotation { + /// update config info by annotation + pub fn update_config_by_annotation( + &self, + config: &mut TomlConfig, + hypervisor_name: &str, + agent_name: &str, + ) -> Result<()> { + if config.hypervisor.get_mut(hypervisor_name).is_none() { + return Err(io::Error::new( + io::ErrorKind::NotFound, + format!("hypervisor {} not found", hypervisor_name), + )); + } + + if config.agent.get_mut(agent_name).is_none() { + return Err(io::Error::new( + io::ErrorKind::NotFound, + format!("agent {} not found", agent_name), + )); + } + let mut hv = config.hypervisor.get_mut(hypervisor_name).unwrap(); + let mut ag = config.agent.get_mut(agent_name).unwrap(); + for (key, value) in &self.annotations { + if hv.security_info.is_annotation_enabled(key) { + match key.as_str() { + // update hypervisor config + // Hypervisor related annotations + KATA_ANNO_CONF_HYPERVISOR_PATH => { + hv.validate_hypervisor_path(value)?; + hv.path = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_CTLPATH => { + hv.validate_hypervisor_ctlpath(value)?; + hv.ctlpath = value.to_string(); + } + + KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH => { + hv.validate_jailer_path(value)?; + hv.jailer_path = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS => { + hv.enable_iothreads = self.get_bool(key).unwrap_or_default(); + } + // Hypervisor Block Device related annotations + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER => { + hv.blockdev_info.block_device_driver = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_DISABLE_BLOCK_DEVICE_USE => { + hv.blockdev_info.disable_block_device_use = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_SET => { + hv.blockdev_info.block_device_cache_set = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_DIRECT => { + hv.blockdev_info.block_device_cache_direct = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH => { + hv.blockdev_info.block_device_cache_noflush = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_DISABLE_IMAGE_NVDIMM => { + hv.blockdev_info.disable_image_nvdimm = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_MEMORY_OFFSET => { + hv.blockdev_info.memory_offset = self.get_u64(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_ENABLE_VHOSTUSER_STORE => { + hv.blockdev_info.enable_vhost_user_store = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH => { + hv.blockdev_info.validate_vhost_user_store_path(value)?; + hv.blockdev_info.vhost_user_store_path = value.to_string(); + } + // Hypervisor Guest Boot related annotations + KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH => { + hv.boot_info.validate_boot_path(value)?; + hv.boot_info.kernel = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_KERNEL_PARAMS => { + hv.boot_info.kernel_params = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_IMAGE_PATH => { + hv.boot_info.validate_boot_path(value)?; + hv.boot_info.image = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_INITRD_PATH => { + hv.boot_info.validate_boot_path(value)?; + hv.boot_info.initrd = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_PATH => { + hv.boot_info.validate_boot_path(value)?; + hv.boot_info.firmware = value.to_string(); + } + // Hypervisor CPU related annotations + KATA_ANNO_CONF_HYPERVISOR_CPU_FEATURES => { + hv.cpu_info.cpu_features = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS => { + let num_cpus = self.get_i32(key).unwrap_or_default(); + if num_cpus + > get_hypervisor_plugin(hypervisor_name) + .unwrap() + .get_max_cpus() as i32 + { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!( + "Vcpus specified in annotation {} is more than maximum limitation {}", + num_cpus, + get_hypervisor_plugin(hypervisor_name) + .unwrap() + .get_max_cpus() + ), + )); + } else { + hv.cpu_info.default_vcpus = num_cpus; + } + } + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MAX_VCPUS => { + hv.cpu_info.default_maxvcpus = self.get_u32(key).unwrap_or_default(); + } + // Hypervisor Device related annotations + KATA_ANNO_CONF_HYPERVISOR_HOTPLUG_VFIO_ON_ROOT_BUS => { + hv.device_info.hotplug_vfio_on_root_bus = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_PCIE_ROOT_PORT => { + hv.device_info.pcie_root_port = self.get_u32(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_IOMMU => { + hv.device_info.enable_iommu = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_IOMMU_PLATFORM => { + hv.device_info.enable_iommu_platform = + self.get_bool(key).unwrap_or_default(); + } + // Hypervisor Machine related annotations + KATA_ANNO_CONF_HYPERVISOR_MACHINE_TYPE => { + hv.machine_info.machine_type = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_MACHINE_ACCELERATORS => { + hv.machine_info.machine_accelerators = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_ENTROPY_SOURCE => { + hv.machine_info.validate_entropy_source(value)?; + hv.machine_info.entropy_source = value.to_string(); + } + // Hypervisor Memory related annotations + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY => { + let mem = self.get_u32(key).unwrap_or_default(); + if mem + < get_hypervisor_plugin(hypervisor_name) + .unwrap() + .get_min_memory() + { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!( + "Memory specified in annotation {} is less than minmum required {}", + mem, + get_hypervisor_plugin(hypervisor_name) + .unwrap() + .get_min_memory() + ), + )); + } else { + hv.memory_info.default_memory = mem; + } + } + KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS => match self.get_u32(key) { + Some(v) => { + hv.memory_info.memory_slots = v; + } + None => { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!("{}in annotation is less than zero", key), + )); + } + }, + + KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC => { + hv.memory_info.enable_mem_prealloc = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES => { + hv.memory_info.enable_hugepages = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR => { + hv.memory_info.validate_memory_backend_path(value)?; + hv.memory_info.file_mem_backend = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM => { + hv.memory_info.enable_virtio_mem = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP => { + hv.memory_info.enable_swap = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP => { + hv.memory_info.enable_guest_swap = self.get_bool(key).unwrap_or_default(); + } + // Hypervisor Network related annotations + KATA_ANNO_CONF_HYPERVISOR_DISABLE_VHOST_NET => { + hv.network_info.disable_vhost_net = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_RX_RATE_LIMITER_MAX_RATE => match self.get_u64(key) { + Some(v) => { + hv.network_info.rx_rate_limiter_max_rate = v; + } + None => { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!("{} in annotation is less than zero", key), + )); + } + }, + KATA_ANNO_CONF_HYPERVISOR_TX_RATE_LIMITER_MAX_RATE => match self.get_u64(key) { + Some(v) => { + hv.network_info.tx_rate_limiter_max_rate = v; + } + None => { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!("{} in annotation is less than zero", key), + )); + } + }, + // Hypervisor Security related annotations + KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH => { + hv.security_info.validate_path(value)?; + hv.security_info.guest_hook_path = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR => { + hv.security_info.rootless = self.get_bool(key).unwrap_or_default(); + } + // Hypervisor Shared File System related annotations + KATA_ANNO_CONF_HYPERVISOR_SHARED_FS => { + hv.shared_fs.shared_fs = self.get(key); + } + + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON => { + hv.shared_fs.validate_virtiofs_daemon_path(value)?; + hv.shared_fs.virtio_fs_daemon = value.to_string(); + } + + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE => { + hv.shared_fs.virtio_fs_cache = value.to_string(); + } + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE_SIZE => { + hv.shared_fs.virtio_fs_cache_size = self.get_u32(key).unwrap_or_default(); + } + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS => { + let args: Vec = + value.to_string().split(',').map(str::to_string).collect(); + for arg in args { + hv.shared_fs.virtio_fs_extra_args.push(arg.to_string()); + } + } + KATA_ANNO_CONF_HYPERVISOR_MSIZE_9P => { + hv.shared_fs.msize_9p = self.get_u32(key).unwrap_or_default(); + } + + _ => { + return Err(io::Error::new( + io::ErrorKind::InvalidInput, + format!("Invalid Annotation Type {}", key), + )); + } + } + } else { + match key.as_str() { + //update agent config + KATA_ANNO_CONF_KERNEL_MODULES => { + let kernel_mod: Vec = + value.to_string().split(';').map(str::to_string).collect(); + for modules in kernel_mod { + ag.kernel_modules.push(modules.to_string()); + } + } + KATA_ANNO_CONF_AGENT_TRACE => { + ag.enable_tracing = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE => { + ag.container_pipe_size = self.get_u32(key).unwrap_or_default(); + } + //update runtume config + KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP => { + config.runtime.disable_guest_seccomp = + self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_ENABLE_PPROF => { + config.runtime.enable_pprof = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_EXPERIMENTAL => { + let args: Vec = + value.to_string().split(',').map(str::to_string).collect(); + for arg in args { + config.runtime.experimental.push(arg.to_string()); + } + } + KATA_ANNO_CONF_INTER_NETWORK_MODEL => { + config.runtime.internetworking_model = value.to_string(); + } + KATA_ANNO_CONF_SANDBOX_CGROUP_ONLY => { + config.runtime.disable_new_netns = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_DISABLE_NEW_NETNS => { + config.runtime.disable_new_netns = self.get_bool(key).unwrap_or_default(); + } + KATA_ANNO_CONF_VFIO_MODE => { + config.runtime.vfio_mode = value.to_string(); + } + _ => { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + format!("Annotation {} not enabled", key), + )); + } + } + } + } + Ok(()) + } +} diff --git a/src/libs/kata-types/src/annotations/thirdparty.rs b/src/libs/kata-types/src/annotations/thirdparty.rs new file mode 100644 index 0000000000..4ea1548b9f --- /dev/null +++ b/src/libs/kata-types/src/annotations/thirdparty.rs @@ -0,0 +1,14 @@ +// Copyright (c) 2021 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +//! Third-party annotations - annotations defined by other projects or k8s plugins but that can +//! change Kata Containers behaviour. + +/// Annotation to enable SGX. +/// +/// Hardware-based isolation and memory encryption. +// Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi +// For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html +pub const SGXEPC: &str = "sgx.intel.com/epc"; diff --git a/src/libs/kata-types/src/config/agent.rs b/src/libs/kata-types/src/config/agent.rs index 69babf86c6..9f4f0abbb4 100644 --- a/src/libs/kata-types/src/config/agent.rs +++ b/src/libs/kata-types/src/config/agent.rs @@ -50,6 +50,9 @@ pub struct Agent { /// requirements, like architecture and version. #[serde(default)] pub kernel_modules: Vec, + + /// contianer pipe size + pub container_pipe_size: u32, } impl ConfigOps for Agent { diff --git a/src/libs/kata-types/src/config/default.rs b/src/libs/kata-types/src/config/default.rs index a32975621e..829a1d7ddc 100644 --- a/src/libs/kata-types/src/config/default.rs +++ b/src/libs/kata-types/src/config/default.rs @@ -9,17 +9,12 @@ use lazy_static::lazy_static; lazy_static! { - /// Default configuration file paths. + /// Default configuration file paths, vendor may extend the list pub static ref DEFAULT_RUNTIME_CONFIGURATIONS: Vec::<&'static str> = vec![ - "/etc/kata-containers2/configuration.toml", - "/usr/share/defaults/kata-containers2/configuration.toml", - "/etc/kata-containers/configuration_v2.toml", - "/usr/share/defaults/kata-containers/configuration_v2.toml", "/etc/kata-containers/configuration.toml", "/usr/share/defaults/kata-containers/configuration.toml", ]; } - pub const DEFAULT_AGENT_NAME: &str = "kata"; pub const DEFAULT_INTERNETWORKING_MODEL: &str = "tcfilter"; @@ -46,7 +41,7 @@ pub const DEFAULT_DB_ENTROPY_SOURCE: &str = "/dev/urandom"; pub const DEFAULT_DB_MEMORY_SIZE: u32 = 128; pub const DEFAULT_DB_MEMORY_SLOTS: u32 = 128; pub const MAX_DB_VCPUS: u32 = 256; - +pub const MIN_DB_MEMORY_SIZE: u32 = 64; // Default configuration for qemu pub const DEFAULT_QEMU_BINARY_PATH: &str = "qemu"; pub const DEFAULT_QEMU_CONTROL_PATH: &str = ""; @@ -60,3 +55,4 @@ pub const DEFAULT_QEMU_MEMORY_SLOTS: u32 = 128; pub const DEFAULT_QEMU_PCI_BRIDGES: u32 = 2; pub const MAX_QEMU_PCI_BRIDGES: u32 = 5; pub const MAX_QEMU_VCPUS: u32 = 256; +pub const MIN_QEMU_MEMORY_SIZE: u32 = 64; diff --git a/src/libs/kata-types/src/config/hypervisor/dragonball.rs b/src/libs/kata-types/src/config/hypervisor/dragonball.rs index 8bde9cec76..c0b553c223 100644 --- a/src/libs/kata-types/src/config/hypervisor/dragonball.rs +++ b/src/libs/kata-types/src/config/hypervisor/dragonball.rs @@ -6,8 +6,11 @@ use std::io::Result; use std::path::Path; use std::sync::Arc; +use std::u32; use super::{default, register_hypervisor_plugin}; +use crate::config::default::MAX_DB_VCPUS; +use crate::config::default::MIN_DB_MEMORY_SIZE; use crate::config::hypervisor::{ VIRTIO_BLK, VIRTIO_BLK_MMIO, VIRTIO_FS, VIRTIO_FS_INLINE, VIRTIO_PMEM, }; @@ -35,6 +38,12 @@ impl DragonballConfig { } impl ConfigPlugin for DragonballConfig { + fn get_max_cpus(&self) -> u32 { + MAX_DB_VCPUS + } + fn get_min_memory(&self) -> u32 { + MIN_DB_MEMORY_SIZE + } fn name(&self) -> &str { HYPERVISOR_NAME_DRAGONBALL } diff --git a/src/libs/kata-types/src/config/hypervisor/mod.rs b/src/libs/kata-types/src/config/hypervisor/mod.rs index 23c74c971a..4e083f9ba2 100644 --- a/src/libs/kata-types/src/config/hypervisor/mod.rs +++ b/src/libs/kata-types/src/config/hypervisor/mod.rs @@ -31,6 +31,7 @@ use lazy_static::lazy_static; use regex::RegexSet; use super::{default, ConfigOps, ConfigPlugin, TomlConfig}; +use crate::annotations::KATA_ANNO_CONF_HYPERVISOR_PREFIX; use crate::{eother, resolve_path, validate_path}; mod dragonball; @@ -232,6 +233,12 @@ impl BootInfo { } Ok(()) } + + /// Validate guest kernel image annotaion + pub fn validate_boot_path(&self, path: &str) -> Result<()> { + validate_path!(path, "path {} is invalid{}")?; + Ok(()) + } } /// Virtual CPU configuration information. @@ -692,17 +699,22 @@ impl SecurityInfo { /// Check whether annotation key is enabled or not. pub fn is_annotation_enabled(&self, path: &str) -> bool { - if !path.starts_with("io.katacontainers.config.hypervisor.") { + if !path.starts_with(KATA_ANNO_CONF_HYPERVISOR_PREFIX) { return false; } - let pos = "io.katacontainers.config.hypervisor.".len(); + let pos = KATA_ANNO_CONF_HYPERVISOR_PREFIX.len(); let key = &path[pos..]; if let Ok(set) = RegexSet::new(&self.enable_annotations) { return set.is_match(key); } - false } + + /// Validate path + pub fn validate_path(&self, path: &str) -> Result<()> { + validate_path!(path, "path {} is invalid{}")?; + Ok(()) + } } /// Configuration information for shared filesystem, such virtio-9p and virtio-fs. @@ -955,12 +967,10 @@ impl Hypervisor { impl ConfigOps for Hypervisor { fn adjust_configuration(conf: &mut TomlConfig) -> Result<()> { HypervisorVendor::adjust_configuration(conf)?; - let hypervisors: Vec = conf.hypervisor.keys().cloned().collect(); for hypervisor in hypervisors.iter() { if let Some(plugin) = get_hypervisor_plugin(hypervisor) { plugin.adjust_configuration(conf)?; - // Safe to unwrap() because `hypervisor` is a valid key in the hash map. let hv = conf.hypervisor.get_mut(hypervisor).unwrap(); hv.blockdev_info.adjust_configuration()?; @@ -1031,9 +1041,8 @@ mod vendor { #[path = "vendor.rs"] mod vendor; +pub use self::vendor::HypervisorVendor; use crate::config::validate_path_pattern; -pub use vendor::HypervisorVendor; - #[cfg(test)] mod tests { use super::*; diff --git a/src/libs/kata-types/src/config/hypervisor/qemu.rs b/src/libs/kata-types/src/config/hypervisor/qemu.rs index 87b4a11bef..6c59f54e95 100644 --- a/src/libs/kata-types/src/config/hypervisor/qemu.rs +++ b/src/libs/kata-types/src/config/hypervisor/qemu.rs @@ -8,6 +8,10 @@ use std::path::Path; use std::sync::Arc; use super::{default, register_hypervisor_plugin}; + +use crate::config::default::MAX_QEMU_VCPUS; +use crate::config::default::MIN_QEMU_MEMORY_SIZE; + use crate::config::hypervisor::VIRTIO_BLK_MMIO; use crate::config::{ConfigPlugin, TomlConfig}; use crate::{eother, resolve_path, validate_path}; @@ -33,6 +37,13 @@ impl QemuConfig { } impl ConfigPlugin for QemuConfig { + fn get_max_cpus(&self) -> u32 { + MAX_QEMU_VCPUS + } + + fn get_min_memory(&self) -> u32 { + MIN_QEMU_MEMORY_SIZE + } fn name(&self) -> &str { HYPERVISOR_NAME_QEMU } diff --git a/src/libs/kata-types/src/config/mod.rs b/src/libs/kata-types/src/config/mod.rs index cfb6316e33..c2380c2993 100644 --- a/src/libs/kata-types/src/config/mod.rs +++ b/src/libs/kata-types/src/config/mod.rs @@ -9,6 +9,7 @@ use std::fs; use std::io::{self, Result}; use std::path::{Path, PathBuf}; use std::sync::{Arc, Mutex}; +use std::u32; use lazy_static::lazy_static; @@ -18,9 +19,9 @@ use crate::{eother, sl}; pub mod default; mod agent; -pub use self::agent::{Agent, AgentVendor}; +pub mod hypervisor; -mod hypervisor; +use self::agent::Agent; pub use self::hypervisor::{ BootInfo, DragonballConfig, Hypervisor, QemuConfig, HYPERVISOR_NAME_DRAGONBALL, HYPERVISOR_NAME_QEMU, @@ -39,6 +40,12 @@ pub trait ConfigPlugin: Send + Sync { /// Validate the configuration information. fn validate(&self, _conf: &TomlConfig) -> Result<()>; + + /// Get the minmum memory for hypervisor + fn get_min_memory(&self) -> u32; + + /// Get the max defualt cpus + fn get_max_cpus(&self) -> u32; } /// Trait to manipulate Kata configuration information. @@ -129,12 +136,10 @@ impl TomlConfig { /// Load Kata configuration information from string. pub fn load(content: &str) -> Result { let mut config: TomlConfig = toml::from_str(content)?; - Hypervisor::adjust_configuration(&mut config)?; Runtime::adjust_configuration(&mut config)?; Agent::adjust_configuration(&mut config)?; info!(sl!(), "get kata config: {:?}", config); - Ok(config) } @@ -167,7 +172,6 @@ pub fn validate_path_pattern>(patterns: &[String], path: P) -> Re .as_ref() .to_str() .ok_or_else(|| eother!("Invalid path {}", path.as_ref().to_string_lossy()))?; - for p in patterns.iter() { if let Ok(glob) = glob::Pattern::new(p) { if glob.matches(path) { @@ -226,6 +230,10 @@ impl KataConfig { pub fn get_active_config() -> Arc { KATA_ACTIVE_CONFIG.lock().unwrap().clone() } + /// Get the config in use + pub fn get_config(&self) -> &TomlConfig { + &self.config + } /// Get the agent configuration in use. pub fn get_agent(&self) -> Option<&Agent> { @@ -254,6 +262,7 @@ lazy_static! { agent: String::new(), hypervisor: String::new(), }; + Mutex::new(Arc::new(kata)) }; static ref KATA_ACTIVE_CONFIG: Mutex> = { diff --git a/src/libs/kata-types/src/config/runtime.rs b/src/libs/kata-types/src/config/runtime.rs index b4bd2466d7..48e66858eb 100644 --- a/src/libs/kata-types/src/config/runtime.rs +++ b/src/libs/kata-types/src/config/runtime.rs @@ -115,7 +115,6 @@ pub struct Runtime { impl ConfigOps for Runtime { fn adjust_configuration(conf: &mut TomlConfig) -> Result<()> { RuntimeVendor::adjust_configuration(conf)?; - if conf.runtime.internetworking_model.is_empty() { conf.runtime.internetworking_model = default::DEFAULT_INTERNETWORKING_MODEL.to_owned(); } diff --git a/src/libs/kata-types/tests/test-config.rs b/src/libs/kata-types/tests/test-config.rs index e88a250469..9a2061c7c7 100644 --- a/src/libs/kata-types/tests/test-config.rs +++ b/src/libs/kata-types/tests/test-config.rs @@ -1,41 +1,452 @@ -use kata_types::config::{QemuConfig, TomlConfig, HYPERVISOR_NAME_QEMU}; -use std::fs; -use std::path::Path; +#[cfg(test)] +mod tests { + use kata_types::annotations::{ + Annotation, KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE, KATA_ANNO_CONF_AGENT_TRACE, + KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP, KATA_ANNO_CONF_ENABLE_PPROF, + KATA_ANNO_CONF_EXPERIMENTAL, KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH, + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER, KATA_ANNO_CONF_HYPERVISOR_CTLPATH, + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY, KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS, + KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP, KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS, + KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP, KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR, + KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH, KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES, + KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH, KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH, + KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC, KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS, + KATA_ANNO_CONF_HYPERVISOR_PATH, KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH, + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON, KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS, + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM, KATA_ANNO_CONF_KERNEL_MODULES, + }; + use kata_types::config::KataConfig; + use kata_types::config::{QemuConfig, TomlConfig}; + use std::collections::HashMap; + use std::fs; + use std::path::Path; + #[test] + fn test_change_config_annotation() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); -#[test] -fn test_load_qemu_config() { - let plugin = QemuConfig::new(); - plugin.register(); + let qemu = QemuConfig::new(); + qemu.register(); - let path = env!("CARGO_MANIFEST_DIR"); - let path = Path::new(path).join("tests/texture/configuration-qemu.toml"); - let content = fs::read_to_string(&path).unwrap(); - let config = TomlConfig::load(&content).unwrap(); + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); - let qemu = config.hypervisor.get(HYPERVISOR_NAME_QEMU).unwrap(); - assert_eq!(qemu.path, "/usr/bin/ls"); - assert_eq!(qemu.valid_hypervisor_paths.len(), 2); - assert_eq!(qemu.valid_hypervisor_paths[0], "/usr/bin/qemu*"); - assert_eq!(qemu.valid_hypervisor_paths[1], "/opt/qemu?"); - qemu.validate_hypervisor_path("/usr/bin/qemu0").unwrap(); - qemu.validate_hypervisor_path("/usr/bin/qemu1").unwrap(); - qemu.validate_hypervisor_path("/usr/bin/qemu2222").unwrap(); - qemu.validate_hypervisor_path("/opt/qemu3").unwrap(); - qemu.validate_hypervisor_path("/opt/qemu").unwrap_err(); - qemu.validate_hypervisor_path("/opt/qemu33").unwrap_err(); - assert_eq!(qemu.ctlpath, "/usr/bin/ls"); - assert_eq!(qemu.valid_ctlpaths.len(), 0); - assert!(qemu.jailer_path.is_empty()); - assert_eq!(qemu.valid_jailer_paths.len(), 0); - assert_eq!(qemu.disable_nesting_checks, true); - assert_eq!(qemu.enable_iothreads, true); + std::process::Command::new("mkdir") + .arg("./hypervisor_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./store_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./test_hypervisor_hook_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./jvm") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./test_file_backend_mem_root") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./test_jailer_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./test_kernel_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("mkdir") + .arg("./virtio_fs") + .output() + .expect("failed to execute process"); + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_KERNEL_MODULES.to_string(), + "j465 aaa=1;r33w".to_string(), + ); + anno_hash.insert(KATA_ANNO_CONF_AGENT_TRACE.to_string(), "false".to_string()); + anno_hash.insert( + KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE.to_string(), + "3".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_PATH.to_string(), + "./hypervisor_path".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER.to_string(), + "device".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH.to_string(), + "./store_path".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP.to_string(), + "true".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH.to_string(), + "./test_hypervisor_hook_path".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_CTLPATH.to_string(), + "./jvm".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS.to_string(), + "12".to_string(), + ); + anno_hash.insert(KATA_ANNO_CONF_ENABLE_PPROF.to_string(), "false".to_string()); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY.to_string(), + "100".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR.to_string(), + "./test_file_backend_mem_root".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH.to_string(), + "./test_jailer_path".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH.to_string(), + "./test_kernel_path".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS.to_string(), + "100".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS.to_string(), + "rr,dg,er".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM.to_string(), + "false".to_string(), + ); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON.to_string(), + "./virtio_fs".to_string(), + ); + anno_hash.insert(KATA_ANNO_CONF_EXPERIMENTAL.to_string(), "c,d,e".to_string()); - assert_eq!(qemu.boot_info.image, "/usr/bin/echo"); - assert_eq!(qemu.boot_info.kernel, "/usr/bin/id"); - assert_eq!(qemu.boot_info.kernel_params, "ro"); - assert_eq!(qemu.boot_info.firmware, "/etc/hostname"); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); - assert_eq!(qemu.cpu_info.cpu_features, "pmu=off,vmx=off"); - assert_eq!(qemu.cpu_info.default_vcpus, 2); - assert_eq!(qemu.cpu_info.default_maxvcpus, 64); + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_ok()); + KataConfig::set_active_config(config, "qemu", "agnet0"); + if let Some(ag) = KataConfig::get_default_config().get_agent() { + assert_eq!( + ag.kernel_modules[0], + "e1000e InterruptThrottleRate=3000,3000,3000 EEE=1" + ); + + assert_eq!(ag.kernel_modules[1], "i915_enabled_ppgtt=0"); + assert_eq!(ag.kernel_modules[2], "j465 aaa=1"); + assert_eq!(ag.kernel_modules[3], "r33w"); + assert!(!ag.enable_tracing); + assert_eq!(ag.container_pipe_size, 3); + } + if let Some(hv) = KataConfig::get_default_config().get_hypervisor() { + assert_eq!(hv.path, "./hypervisor_path".to_string()); + assert_eq!(hv.blockdev_info.block_device_driver, "device"); + assert!(!hv.blockdev_info.block_device_cache_noflush); + assert!(hv.blockdev_info.block_device_cache_set); + assert_eq!(hv.blockdev_info.vhost_user_store_path, "./store_path"); + assert_eq!( + hv.security_info.guest_hook_path, + "./test_hypervisor_hook_path" + ); + assert!(!hv.memory_info.enable_mem_prealloc); + assert_eq!(hv.ctlpath, "./jvm".to_string()); + assert_eq!(hv.cpu_info.default_vcpus, 12); + assert!(!hv.memory_info.enable_guest_swap); + assert_eq!(hv.memory_info.default_memory, 100); + assert!(!hv.enable_iothreads); + assert!(!hv.enable_iothreads); + assert!(!hv.memory_info.enable_swap); + assert_eq!( + hv.memory_info.file_mem_backend, + "./test_file_backend_mem_root" + ); + assert!(!hv.memory_info.enable_hugepages); + assert_eq!(hv.jailer_path, "./test_jailer_path".to_string()); + assert_eq!(hv.boot_info.kernel, "./test_kernel_path"); + assert_eq!(hv.memory_info.memory_slots, 100); + assert_eq!(hv.shared_fs.virtio_fs_extra_args[5], "rr"); + assert_eq!(hv.shared_fs.virtio_fs_extra_args[6], "dg"); + assert_eq!(hv.shared_fs.virtio_fs_extra_args[7], "er"); + assert!(!hv.memory_info.enable_virtio_mem); + assert_eq!(hv.shared_fs.virtio_fs_daemon, "./virtio_fs"); + } + + assert!( + KataConfig::get_active_config() + .get_config() + .runtime + .disable_guest_seccomp + ); + + assert!( + !KataConfig::get_active_config() + .get_config() + .runtime + .enable_pprof + ); + assert_eq!( + KataConfig::get_active_config() + .get_config() + .runtime + .experimental, + ["a", "b", "c", "d", "e"] + ); + std::process::Command::new("rmdir") + .arg("./hypervisor_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("rmdir") + .arg("./test_hypervisor_hook_path") + .output() + .expect("failed to execute process"); + + std::process::Command::new("rmdir") + .arg("./test_file_backend_mem_root") + .output() + .expect("failed to execute process"); + + std::process::Command::new("rmdir") + .arg("./test_jailer_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("rmdir") + .arg("./test_kernel_path") + .output() + .expect("failed to execute process"); + std::process::Command::new("rmdir") + .arg("./virtio_fs") + .output() + .expect("failed to execute process"); + std::process::Command::new("rmdir") + .arg("./jvm") + .output() + .expect("failed to execute process"); + std::process::Command::new("rmdir") + .arg("./store_path") + .output() + .expect("failed to execute process"); + } + + #[test] + fn test_fail_to_change_block_device_driver_because_not_enabled() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-1.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER.to_string(), + "fvfvfvfvf".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_enable_guest_swap_because_not_enabled() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-1.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP.to_string(), + "false".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_hypervisor_path_because_of_invalid_path() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_PATH.to_string(), + "/usr/bin/nle".to_string(), + ); + let anno = Annotation::new(anno_hash); + + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + let mut config = TomlConfig::load(&content).unwrap(); + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_kernel_path_because_of_invalid_path() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH.to_string(), + "/usr/bin/cdcd".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_memory_slots_because_of_less_than_zero() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let qemu = QemuConfig::new(); + qemu.register(); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS.to_string(), + "-1".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_default_memory_because_less_than_min_memory_size() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY.to_string(), + "10".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } + + #[test] + fn test_fail_to_change_default_vcpus_becuase_more_than_max_cpu_size() { + let path = env!("CARGO_MANIFEST_DIR"); + let path = Path::new(path).join("tests/texture/configuration-anno-0.toml"); + let content = fs::read_to_string(&path).unwrap(); + + let qemu = QemuConfig::new(); + qemu.register(); + + let config = TomlConfig::load(&content).unwrap(); + KataConfig::set_active_config(config, "qemu", "agent0"); + + let mut anno_hash = HashMap::new(); + anno_hash.insert( + KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS.to_string(), + "400".to_string(), + ); + let anno = Annotation::new(anno_hash); + let mut config = TomlConfig::load(&content).unwrap(); + + assert!(anno + .update_config_by_annotation(&mut config, "qemu", "agent0") + .is_err()); + } } diff --git a/src/libs/kata-types/tests/texture/configuration-anno-0.toml b/src/libs/kata-types/tests/texture/configuration-anno-0.toml new file mode 100644 index 0000000000..30b1992608 --- /dev/null +++ b/src/libs/kata-types/tests/texture/configuration-anno-0.toml @@ -0,0 +1,88 @@ +[hypervisor.qemu] +path = "/usr/bin/lsns" +valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?","/usr/bin/ls*","./hypervisor_path"] +valid_jailer_paths = ["/usr/lib/rust","./test_jailer_path"] +ctlpath = "/usr/bin/" +valid_ctlpaths = ["/usr/lib/jvm","usr/bin/qemu-io","./jvm"] +disable_nesting_checks = true +enable_iothreads = true +jailer_path = "/usr/local" +kernel = "/usr/bin/../bin/zcmp" +image = "/usr/bin/./tabs" +kernel_params = "ro" +firmware = "/etc/hostname" + +cpu_features="pmu=off,vmx=off" +default_vcpus = 2 +default_maxvcpus = 64 + +machine_type = "q35" +confidential_guest = true +rootless = true +enable_annotations = ["shared_fs","path", "ctlpath","jailer_path","enable_iothreads","default_memory","memory_slots","enable_mem_prealloc","enable_hugepages","file_mem_backend","enable_virtio_mem","enable_swap","enable_guest_swap","default_vcpus","virtio_fs_extra_args","block_device_driver","vhost_user_store_path","kernel","guest_hook_path","block_device_cache_noflush","virtio_fs_daemon"] +machine_accelerators="noapic" +default_bridges = 2 +default_memory = 128 +memory_slots = 128 +memory_offset = 0x100000 +enable_virtio_mem = true +disable_block_device_use = false +shared_fs = "virtio-fs" +virtio_fs_daemon = "/usr/bin/uptime" +valid_virtio_fs_daemon_paths = ["/usr/local/bin/virtiofsd*","./virtio_fs"] +virtio_fs_cache_size = 512 +virtio_fs_extra_args = ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] +virtio_fs_cache = "always" +block_device_driver = "virtio-blk" +block_device_cache_set = true +block_device_cache_direct = true +block_device_cache_noflush = true +enable_mem_prealloc = true +enable_hugepages = true +enable_vhost_user_store = true +vhost_user_store_path = "/tmp" +valid_vhost_user_store_paths = ["/var/kata/vhost-user-store*", "/tmp/kata?","/var/tmp","./store_path"] +enable_iommu = true +enable_iommu_platform = true +file_mem_backend = "/dev/shm" +valid_file_mem_backends = ["/dev/shm","/dev/snd","./test_file_backend_mem_root"] +enable_swap = true +pflashes = ["/proc/mounts"] +enable_debug = true +msize_9p = 16384 +disable_image_nvdimm = true +hotplug_vfio_on_root_bus = true +pcie_root_port = 2 +disable_vhost_net = true +entropy_source= "/dev/urandom" +valid_entropy_sources = ["/dev/urandom", "/dev/random"] +guest_hook_path = "/usr/share" +rx_rate_limiter_max_rate = 10000 +tx_rate_limiter_max_rate = 10000 +guest_memory_dump_path="/var/crash/kata" +guest_memory_dump_paging = true +enable_guest_swap = true + +[agent.agent0] +enable_tracing = true +debug_console_enabled = true +debug = true +dial_timeout = 1 +kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"] +container_pipe_size = 2 +[runtime] +enable_debug = true +internetworking_model="macvtap" +disable_guest_seccomp=false +enable_tracing = true +jaeger_endpoint = "localhost:1234" +jaeger_user = "user" +jaeger_password = "pw" +disable_new_netns = true +sandbox_cgroup_only=true +sandbox_bind_mounts=["/proc/self"] +vfio_mode="vfio" +experimental=["a", "b"] +enable_pprof = true + + diff --git a/src/libs/kata-types/tests/texture/configuration-qemu.toml b/src/libs/kata-types/tests/texture/configuration-anno-1.toml similarity index 75% rename from src/libs/kata-types/tests/texture/configuration-qemu.toml rename to src/libs/kata-types/tests/texture/configuration-anno-1.toml index d30e0858a8..9a411bdff5 100644 --- a/src/libs/kata-types/tests/texture/configuration-qemu.toml +++ b/src/libs/kata-types/tests/texture/configuration-anno-1.toml @@ -1,12 +1,13 @@ [hypervisor.qemu] -path = "/usr/bin/ls" -valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?"] -ctlpath = "/usr/bin/ls" +path = "/usr/bin/lsns" +valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?","/usr/bin/lsns","./hypervisor_path"] +valid_jailer_paths = ["/usr/lib/rust"] +ctlpath = "/usr/bin" disable_nesting_checks = true enable_iothreads = true - -kernel = "/usr/bin/../bin/id" -image = "/usr/bin/./echo" +jailer_path = "/usr/local" +kernel = "/usr/bin/../bin/uptime" +image = "/usr/bin/./lessecho" kernel_params = "ro" firmware = "/etc/hostname" @@ -17,7 +18,7 @@ default_maxvcpus = 64 machine_type = "q35" confidential_guest = true rootless = true -enable_annotations = ["path", "ctlpath"] +enable_annotations = ["path", "ctlpath","jailer_path"] machine_accelerators="noapic" default_bridges = 2 default_memory = 128 @@ -26,7 +27,7 @@ memory_offset = 0x100000 enable_virtio_mem = true disable_block_device_use = false shared_fs = "virtio-fs" -virtio_fs_daemon = "/usr/bin/id" +virtio_fs_daemon = "/usr/bin/uptime" valid_virtio_fs_daemon_paths = ["/usr/local/bin/virtiofsd*"] virtio_fs_cache_size = 512 virtio_fs_extra_args = ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] @@ -61,10 +62,17 @@ guest_memory_dump_path="/var/crash/kata" guest_memory_dump_paging = true enable_guest_swap = true +[agent.agent0] +enable_tracing = true +debug_console_enabled = true +debug = true +dial_timeout = 1 +kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"] +container_pipe_size = 2 [runtime] enable_debug = true internetworking_model="macvtap" -disable_guest_seccomp=true +pdisable_guest_seccomp=true enable_tracing = true jaeger_endpoint = "localhost:1234" jaeger_user = "user" @@ -76,3 +84,4 @@ vfio_mode="vfio" experimental=["a", "b"] enable_pprof = true +