github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-30 12:44:39 +00:00
Code Issues Projects Releases Wiki Activity

libs/types: change method to update config by annotation

Browse Source 
Some annotations are used to override hypervisor configurations, and you
know it's dangerous. We must be careful when overriding hypervisor configuration
by annotations, to avoid security flaws.
There are two existing mechanisms to prevent attacks by annotations:
1) config.hypervisor.enable_annotations defines the allowed annotation
keys for config.hypervisor.
2) config.hyperisor.xxxx_paths defines allowd values for specific keys.

The access methods for config.hypervisor.xxx enforces the permisstion
checks for above rules.

To update conifg, traverse the annotation hashmap,check if the key is enabled in hypervisor or not.
If it is enabled. For path related annotation, check whether it is valid or not
before updating conifg. For cpu and memory related annotation, check whether it
is more than or less than the limitation for DB and qemu beforing updating config.

If it is not enabled, there will be three possibilities, agent related
annotation, runtime related annotation and hypervisor related annotation
but not enabled. The function will handle agent and runtime annotation
first, then the option left will be the invlaid hypervisor, err message
will be returned.

add more edge cases tests for updating config

clean up unused functions, delete unused files and fix warnings

Fixes: #3523

Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
This commit is contained in:
Liu Jiang 2021-12-26 01:28:15 +08:00 committed by Fupan Li
parent e19d04719f
commit 8cdd70f6c2
15 changed files with 1403 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/libs/Cargo.lock generated
View File

@ -317,6 +317,7 @@ dependencies = [
"oci",
"regex",
"serde",
"serde_json",
"slog",
"slog-scope",
"thiserror",
@ -663,18 +664,18 @@ dependencies = [
[[package]]
name = "serde"
version = "1.0.133"
version = "1.0.135"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97565067517b60e2d1ea8b268e59ce036de907ac523ad83a0475da04e818989a"
checksum = "2cf9235533494ea2ddcdb794665461814781c53f19d87b76e571a1c35acbad2b"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.133"
version = "1.0.135"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed201699328568d8d08208fdd080e3ff594e6c422e438b6705905da01005d537"
checksum = "8dcde03d87d4c973c04be249e7d8f0b35db1c848c487bd43032808e59dd8328d"
dependencies = [
"proc-macro2",
"quote",
@ -718,9 +719,9 @@ dependencies = [
[[package]]
name = "slog-json"
version = "2.4.0"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "52e9b96fb6b5e80e371423b4aca6656eb537661ce8f82c2697e619f8ca85d043"
checksum = "0f7f7a952ce80fca9da17bf0a53895d11f8aa1ba063668ca53fc72e7869329e9"
dependencies = [
"chrono",
"serde",

1
src/libs/kata-types/Cargo.toml
View File

@ -18,6 +18,7 @@ regex = "1.5.4"
serde = { version = "1.0.100", features = ["derive"] }
slog = "2.5.2"
slog-scope = "4.4.0"
serde_json = "1.0.73"
thiserror = "1.0"
toml = "0.5.8"

10
src/libs/kata-types/src/annotations/dockershim.rs
View File

@ -6,8 +6,18 @@
#![allow(missing_docs)]
//! Copied from k8s.io/pkg/kubelet/dockershim/docker_service.go, used to identify whether a docker
//! container is a sandbox or a regular container, will be removed after defining those as public
//! fields in dockershim.
/// ContainerTypeLabelKey is the container type (podsandbox or container) of key.
pub const CONTAINER_TYPE_LABEL_KEY: &str = "io.kubernetes.docker.type";
/// ContainerTypeLabelSandbox represents a sandbox sandbox container.
pub const SANDBOX: &str = "podsandbox";
/// ContainerTypeLabelContainer represents a container running within a sandbox.
pub const CONTAINER: &str = "container";
/// SandboxIDLabelKey is the sandbox ID annotation.
pub const SANDBOX_ID_LABEL_KEY: &str = "io.kubernetes.sandbox.id";

764
src/libs/kata-types/src/annotations/mod.rs
View File

@ -1,9 +1,20 @@
// Copyright (c) 2019 Alibaba Cloud
// Copyright (c) 2019-2021 Alibaba Cloud
// Copyright (c) 2019 Ant Group
//
// SPDX-License-Identifier: Apache-2.0
//
use std::collections::HashMap;
use std::fs::File;
use std::io::{self, BufReader, Result};
use std::u32;
use serde::Deserialize;
use crate::config::hypervisor::get_hypervisor_plugin;
use crate::config::TomlConfig;
use crate::sl;
/// CRI-containerd specific annotations.
pub mod cri_containerd;
@ -12,3 +23,754 @@ pub mod crio;
/// Dockershim specific annotations.
pub mod dockershim;
/// Third-party annotations.
pub mod thirdparty;
// Common section
/// Prefix for Kata specific annotations
pub const KATA_ANNO_PREFIX: &str = "io.katacontainers.";
/// Prefix for Kata configuration annotations
pub const KATA_ANNO_CONF_PREFIX: &str = "io.katacontainers.config.";
/// Prefix for Kata container annotations
pub const KATA_ANNO_CONTAINER_PREFIX: &str = "io.katacontainers.container.";
/// The annotation key to fetch runtime configuration file.
pub const SANDBOX_CONFIG_PATH_KEY: &str = "io.katacontainers.config_path";
// OCI section
/// The annotation key to fetch the OCI configuration file path.
pub const BUNDLE_PATH_KEY: &str = "io.katacontainers.pkg.oci.bundle_path";
/// The annotation key to fetch container type.
pub const CONTAINER_TYPE_KEY: &str = "io.katacontainers.pkg.oci.container_type";
// Container resource related annotations
/// Prefix for Kata container resource related annotations.
pub const KATA_ANNO_CONTAINER_RESOURCE_PREFIX: &str = "io.katacontainers.container.resource";
/// A container annotation to specify the Resources.Memory.Swappiness.
pub const KATA_ANNO_CONTAINER_RESOURCE_SWAPPINESS: &str =
"io.katacontainers.container.resource.swappiness";
/// A container annotation to specify the Resources.Memory.Swap.
pub const KATA_ANNO_CONTAINER_RESOURCE_SWAP_IN_BYTES: &str =
"io.katacontainers.container.resource.swap_in_bytes";
// Agent related annotations
/// Prefix for Agent configurations.
pub const KATA_ANNO_CONF_AGENT_PREFIX: &str = "io.katacontainers.config.agent.";
/// KernelModules is the annotation key for passing the list of kernel modules and their parameters
/// that will be loaded in the guest kernel.
///
/// Semicolon separated list of kernel modules and their parameters. These modules will be loaded
/// in the guest kernel using modprobe(8).
/// The following example can be used to load two kernel modules with parameters
///
/// annotations:
/// io.katacontainers.config.agent.kernel_modules: "e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0"
///
/// The first word is considered as the module name and the rest as its parameters.
pub const KATA_ANNO_CONF_KERNEL_MODULES: &str = "io.katacontainers.config.agent.kernel_modules";
/// A sandbox annotation to enable tracing for the agent.
pub const KATA_ANNO_CONF_AGENT_TRACE: &str = "io.katacontainers.config.agent.enable_tracing";
/// An annotation to specify the size of the pipes created for containers.
pub const KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE: &str =
"io.katacontainers.config.agent.container_pipe_size";
/// An annotation key to specify the size of the pipes created for containers.
pub const CONTAINER_PIPE_SIZE_KERNEL_PARAM: &str = "agent.container_pipe_size";
// Hypervisor related annotations
/// Prefix for Hypervisor configurations.
pub const KATA_ANNO_CONF_HYPERVISOR_PREFIX: &str = "io.katacontainers.config.hypervisor.";
/// A sandbox annotation for passing a per container path pointing at the hypervisor that will run
/// the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_PATH: &str = "io.katacontainers.config.hypervisor.path";
/// A sandbox annotation for passing a container hypervisor binary SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_HASH: &str = "io.katacontainers.config.hypervisor.path_hash";
/// A sandbox annotation for passing a per container path pointing at the hypervisor control binary
/// that will run the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_CTLPATH: &str = "io.katacontainers.config.hypervisor.ctlpath";
/// A sandbox annotation for passing a container hypervisor control binary SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_CTLHASH: &str =
"io.katacontainers.config.hypervisor.hypervisorctl_hash";
/// A sandbox annotation for passing a per container path pointing at the jailer that will constrain
/// the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH: &str =
"io.katacontainers.config.hypervisor.jailer_path";
/// A sandbox annotation for passing a jailer binary SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_JAILER_HASH: &str =
"io.katacontainers.config.hypervisor.jailer_hash";
/// A sandbox annotation to enable IO to be processed in a separate thread.
/// Supported currently for virtio-scsi driver.
pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS: &str =
"io.katacontainers.config.hypervisor.enable_iothreads";
/// The hash type used for assets verification
pub const KATA_ANNO_CONF_HYPERVISOR_ASSET_HASH_TYPE: &str =
"io.katacontainers.config.hypervisor.asset_hash_type";
/// SHA512 is the SHA-512 (64) hash algorithm
pub const SHA512: &str = "sha512";
// Hypervisor Block Device related annotations
/// Specify the driver to be used for block device either VirtioSCSI or VirtioBlock
pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER: &str =
"io.katacontainers.config.hypervisor.block_device_driver";
/// A sandbox annotation that disallows a block device from being used.
pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_BLOCK_DEVICE_USE: &str =
"io.katacontainers.config.hypervisor.disable_block_device_use";
/// A sandbox annotation that specifies cache-related options will be set to block devices or not.
pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_SET: &str =
"io.katacontainers.config.hypervisor.block_device_cache_set";
/// A sandbox annotation that specifies cache-related options for block devices.
/// Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_DIRECT: &str =
"io.katacontainers.config.hypervisor.block_device_cache_direct";
/// A sandbox annotation that specifies cache-related options for block devices.
/// Denotes whether flush requests for the device are ignored.
pub const KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH: &str =
"io.katacontainers.config.hypervisor.block_device_cache_noflush";
/// A sandbox annotation to specify use of nvdimm device for guest rootfs image.
pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_IMAGE_NVDIMM: &str =
"io.katacontainers.config.hypervisor.disable_image_nvdimm";
/// A sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_OFFSET: &str =
"io.katacontainers.config.hypervisor.memory_offset";
/// A sandbox annotation to specify if vhost-user-blk/scsi is abailable on the host
pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_VHOSTUSER_STORE: &str =
"io.katacontainers.config.hypervisor.enable_vhost_user_store";
/// A sandbox annotation to specify the directory path where vhost-user devices related folders,
/// sockets and device nodes should be.
pub const KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH: &str =
"io.katacontainers.config.hypervisor.vhost_user_store_path";
// Hypervisor Guest Boot related annotations
/// A sandbox annotation for passing a per container path pointing at the kernel needed to boot
/// the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH: &str =
"io.katacontainers.config.hypervisor.kernel";
/// A sandbox annotation for passing a container kernel image SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_HASH: &str =
"io.katacontainers.config.hypervisor.kernel_hash";
/// A sandbox annotation for passing a per container path pointing at the guest image that will run
/// in the container VM.
/// A sandbox annotation for passing additional guest kernel parameters.
pub const KATA_ANNO_CONF_HYPERVISOR_KERNEL_PARAMS: &str =
"io.katacontainers.config.hypervisor.kernel_params";
/// A sandbox annotation for passing a container guest image path.
pub const KATA_ANNO_CONF_HYPERVISOR_IMAGE_PATH: &str = "io.katacontainers.config.hypervisor.image";
/// A sandbox annotation for passing a container guest image SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_IMAGE_HASH: &str =
"io.katacontainers.config.hypervisor.image_hash";
/// A sandbox annotation for passing a per container path pointing at the initrd that will run
/// in the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_INITRD_PATH: &str =
"io.katacontainers.config.hypervisor.initrd";
/// A sandbox annotation for passing a container guest initrd SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_INITRD_HASH: &str =
"io.katacontainers.config.hypervisor.initrd_hash";
/// A sandbox annotation for passing a per container path pointing at the guest firmware that will
/// run the container VM.
pub const KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_PATH: &str =
"io.katacontainers.config.hypervisor.firmware";
/// A sandbox annotation for passing a container guest firmware SHA-512 hash value.
pub const KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_HASH: &str =
"io.katacontainers.config.hypervisor.firmware_hash";
// Hypervisor CPU related annotations
/// A sandbox annotation to specify cpu specific features.
pub const KATA_ANNO_CONF_HYPERVISOR_CPU_FEATURES: &str =
"io.katacontainers.config.hypervisor.cpu_features";
/// A sandbox annotation for passing the default vcpus assigned for a VM by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS: &str =
"io.katacontainers.config.hypervisor.default_vcpus";
/// A sandbox annotation that specifies the maximum number of vCPUs allocated for the VM by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MAX_VCPUS: &str =
"io.katacontainers.config.hypervisor.default_max_vcpus";
// Hypervisor Device related annotations
/// A sandbox annotation used to indicate if devices need to be hotplugged on the root bus instead
/// of a bridge.
pub const KATA_ANNO_CONF_HYPERVISOR_HOTPLUG_VFIO_ON_ROOT_BUS: &str =
"io.katacontainers.config.hypervisor.hotplug_vfio_on_root_bus";
/// PCIeRootPort is used to indicate the number of PCIe Root Port devices
pub const KATA_ANNO_CONF_HYPERVISOR_PCIE_ROOT_PORT: &str =
"io.katacontainers.config.hypervisor.pcie_root_port";
/// A sandbox annotation to specify if the VM should have a vIOMMU device.
pub const KATA_ANNO_CONF_HYPERVISOR_IOMMU: &str =
"io.katacontainers.config.hypervisor.enable_iommu";
/// Enable Hypervisor Devices IOMMU_PLATFORM
pub const KATA_ANNO_CONF_HYPERVISOR_IOMMU_PLATFORM: &str =
"io.katacontainers.config.hypervisor.enable_iommu_platform";
// Hypervisor Machine related annotations
/// A sandbox annotation to specify the type of machine being emulated by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_MACHINE_TYPE: &str =
"io.katacontainers.config.hypervisor.machine_type";
/// A sandbox annotation to specify machine specific accelerators for the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_MACHINE_ACCELERATORS: &str =
"io.katacontainers.config.hypervisor.machine_accelerators";
/// EntropySource is a sandbox annotation to specify the path to a host source of
/// entropy (/dev/random, /dev/urandom or real hardware RNG device)
pub const KATA_ANNO_CONF_HYPERVISOR_ENTROPY_SOURCE: &str =
"io.katacontainers.config.hypervisor.entropy_source";
// Hypervisor Memory related annotations
/// A sandbox annotation for the memory assigned for a VM by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY: &str =
"io.katacontainers.config.hypervisor.default_memory";
/// A sandbox annotation to specify the memory slots assigned to the VM by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS: &str =
"io.katacontainers.config.hypervisor.memory_slots";
/// A sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor.
pub const KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC: &str =
"io.katacontainers.config.hypervisor.enable_mem_prealloc";
/// A sandbox annotation to specify if the memory should be pre-allocated from huge pages.
pub const KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES: &str =
"io.katacontainers.config.hypervisor.enable_hugepages";
/// A sandbox annotation to soecify file based memory backend root directory.
pub const KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR: &str =
"io.katacontainers.config.hypervisor.file_mem_backend";
/// A sandbox annotation that is used to enable/disable virtio-mem.
pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM: &str =
"io.katacontainers.config.hypervisor.enable_virtio_mem";
/// A sandbox annotation to enable swap of vm memory.
pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP: &str =
"io.katacontainers.config.hypervisor.enable_swap";
/// A sandbox annotation to enable swap in the guest.
pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP: &str =
"io.katacontainers.config.hypervisor.enable_guest_swap";
// Hypervisor Network related annotations
/// A sandbox annotation to specify if vhost-net is not available on the host.
pub const KATA_ANNO_CONF_HYPERVISOR_DISABLE_VHOST_NET: &str =
"io.katacontainers.config.hypervisor.disable_vhost_net";
/// A sandbox annotation that specifies max rate on network I/O inbound bandwidth.
pub const KATA_ANNO_CONF_HYPERVISOR_RX_RATE_LIMITER_MAX_RATE: &str =
"io.katacontainers.config.hypervisor.rx_rate_limiter_max_rate";
/// A sandbox annotation that specifies max rate on network I/O outbound bandwidth.
pub const KATA_ANNO_CONF_HYPERVISOR_TX_RATE_LIMITER_MAX_RATE: &str =
"io.katacontainers.config.hypervisor.tx_rate_limiter_max_rate";
// Hypervisor Security related annotations
/// A sandbox annotation to specify the path within the VM that will be used for 'drop-in' hooks.
pub const KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH: &str =
"io.katacontainers.config.hypervisor.guest_hook_path";
/// A sandbox annotation to enable rootless hypervisor (only supported in QEMU currently).
pub const KATA_ANNO_CONF_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR: &str =
"io.katacontainers.config.hypervisor.rootless";
// Hypervisor Shared File System related annotations
/// A sandbox annotation to specify the shared file system type, either virtio-9p or virtio-fs.
pub const KATA_ANNO_CONF_HYPERVISOR_SHARED_FS: &str =
"io.katacontainers.config.hypervisor.shared_fs";
/// A sandbox annotations to specify virtio-fs vhost-user daemon path.
pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON: &str =
"io.katacontainers.config.hypervisor.virtio_fs_daemon";
/// A sandbox annotation to specify the cache mode for fs version cache or "none".
pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE: &str =
"io.katacontainers.config.hypervisor.virtio_fs_cache";
/// A sandbox annotation to specify the DAX cache size in MiB.
pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE_SIZE: &str =
"io.katacontainers.config.hypervisor.virtio_fs_cache_size";
/// A sandbox annotation to pass options to virtiofsd daemon.
pub const KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str =
"io.katacontainers.config.hypervisor.virtio_fs_extra_args";
/// A sandbox annotation to specify as the msize for 9p shares.
pub const KATA_ANNO_CONF_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p";
// Runtime related annotations
/// Prefix for Runtime configurations.
pub const KATA_ANNO_CONF_RUNTIME_PREFIX: &str = "io.katacontainers.config.runtime.";
/// A sandbox annotation that determines if seccomp should be applied inside guest.
pub const KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP: &str =
"io.katacontainers.config.runtime.disable_guest_seccomp";
/// A sandbox annotation that determines if pprof enabled.
pub const KATA_ANNO_CONF_ENABLE_PPROF: &str = "io.katacontainers.config.runtime.enable_pprof";
/// A sandbox annotation that determines if experimental features enabled.
pub const KATA_ANNO_CONF_EXPERIMENTAL: &str = "io.katacontainers.config.runtime.experimental";
/// A sandbox annotaion that determines how the VM should be connected to the the container network
/// interface.
pub const KATA_ANNO_CONF_INTER_NETWORK_MODEL: &str =
"io.katacontainers.config.runtime.internetworking_model";
/// SandboxCgroupOnly is a sandbox annotation that determines if kata processes are managed only in sandbox cgroup.
pub const KATA_ANNO_CONF_SANDBOX_CGROUP_ONLY: &str =
"io.katacontainers.config.runtime.sandbox_cgroup_only";
/// A sandbox annotation that determines if create a netns for hypervisor process.
pub const KATA_ANNO_CONF_DISABLE_NEW_NETNS: &str =
"io.katacontainers.config.runtime.disable_new_netns";
/// A sandbox annotation to specify how attached VFIO devices should be treated.
pub const KATA_ANNO_CONF_VFIO_MODE: &str = "io.katacontainers.config.runtime.vfio_mode";
/// A helper structure to query configuration information by check annotations.
#[derive(Debug, Default, Deserialize)]
pub struct Annotation {
annotations: HashMap<String, String>,
}
impl From<HashMap<String, String>> for Annotation {
fn from(annotations: HashMap<String, String>) -> Self {
Annotation { annotations }
}
}
impl Annotation {
/// Create a new instance of [`Annotation`].
pub fn new(annotations: HashMap<String, String>) -> Annotation {
Annotation { annotations }
}
/// Deserialize an object from a json string.
pub fn deserialize<T>(path: &str) -> Result<T>
where
for<'a> T: Deserialize<'a>,
{
let f = BufReader::new(File::open(path)?);
Ok(serde_json::from_reader(f)?)
}
/// Get an immutable reference to the annotation hashmap.
pub fn get_annotation(&self) -> &HashMap<String, String> {
&self.annotations
}
/// Get a mutable reference to the annotation hashmap.
pub fn get_annotation_mut(&mut self) -> &mut HashMap<String, String> {
&mut self.annotations
}
/// Get the value of annotation with `key` as string.
pub fn get(&self, key: &str) -> Option<String> {
let v = self.annotations.get(key)?;
let value = v.trim();
if !value.is_empty() {
Some(String::from(value))
} else {
None
}
}
/// Get the value of annotation with `key` as bool.
pub fn get_bool(&self, key: &str) -> Option<bool> {
if let Some(value) = self.get(key) {
let value = value.trim();
if value.parse::<bool>().is_err() {
warn!(sl!(), "failed to parse bool value from {}", value);
} else {
return Some(value.parse::<bool>().unwrap());
}
}
None
}
/// Get the value of annotation with `key` as u32.
pub fn get_u32(&self, key: &str) -> Option<u32> {
let s = self.get(key)?;
match s.parse::<u32>() {
Ok(nums) => {
if nums > 0 {
Some(nums)
} else {
None
}
}
Err(e) => {
warn!(
sl!(),
"failed to parse u32 value from {}, error: {:?}", s, e
);
None
}
}
}
/// Get the value of annotation with `key` as i32.
pub fn get_i32(&self, key: &str) -> Option<i32> {
let s = self.get(key)?;
s.parse::<i32>()
.map_or(None, |x| if x < 0 { None } else { Some(x) })
}
/// Get the value of annotation with `key` as u64.
pub fn get_u64(&self, key: &str) -> Option<u64> {
let s = self.get(key)?;
match s.parse::<u64>() {
Ok(nums) => {
if nums > 0 {
Some(nums)
} else {
None
}
}
Err(e) => {
warn!(
sl!(),
"failed to parse u64 value from {}, error: {:?}", s, e
);
None
}
}
}
}
// Miscellaneous annotations.
impl Annotation {
/// Get the annotation of sandbox configuration file path.
pub fn get_sandbox_config_path(&self) -> Option<String> {
self.get(SANDBOX_CONFIG_PATH_KEY)
}
/// Get the annotation of bundle path.
pub fn get_bundle_path(&self) -> Option<String> {
self.get(BUNDLE_PATH_KEY)
}
/// Get the annotation of container type.
pub fn get_container_type(&self) -> Option<String> {
self.get(CONTAINER_TYPE_KEY)
}
/// Get the annotation to specify the Resources.Memory.Swappiness.
pub fn get_container_resource_swappiness(&self) -> Option<u32> {
let v = self.get_u32(KATA_ANNO_CONTAINER_RESOURCE_SWAPPINESS)?;
if v > 100 {
None
} else {
Some(v)
}
}
/// Get the annotation to specify the Resources.Memory.Swap.
pub fn get_container_resource_swap_in_bytes(&self) -> Option<String> {
self.get(KATA_ANNO_CONTAINER_RESOURCE_SWAP_IN_BYTES)
}
}
impl Annotation {
/// update config info by annotation
pub fn update_config_by_annotation(
&self,
config: &mut TomlConfig,
hypervisor_name: &str,
agent_name: &str,
) -> Result<()> {
if config.hypervisor.get_mut(hypervisor_name).is_none() {
return Err(io::Error::new(
io::ErrorKind::NotFound,
format!("hypervisor {} not found", hypervisor_name),
));
}
if config.agent.get_mut(agent_name).is_none() {
return Err(io::Error::new(
io::ErrorKind::NotFound,
format!("agent {} not found", agent_name),
));
}
let mut hv = config.hypervisor.get_mut(hypervisor_name).unwrap();
let mut ag = config.agent.get_mut(agent_name).unwrap();
for (key, value) in &self.annotations {
if hv.security_info.is_annotation_enabled(key) {
match key.as_str() {
// update hypervisor config
// Hypervisor related annotations
KATA_ANNO_CONF_HYPERVISOR_PATH => {
hv.validate_hypervisor_path(value)?;
hv.path = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_CTLPATH => {
hv.validate_hypervisor_ctlpath(value)?;
hv.ctlpath = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH => {
hv.validate_jailer_path(value)?;
hv.jailer_path = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS => {
hv.enable_iothreads = self.get_bool(key).unwrap_or_default();
}
// Hypervisor Block Device related annotations
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER => {
hv.blockdev_info.block_device_driver = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_DISABLE_BLOCK_DEVICE_USE => {
hv.blockdev_info.disable_block_device_use =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_SET => {
hv.blockdev_info.block_device_cache_set =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_DIRECT => {
hv.blockdev_info.block_device_cache_direct =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH => {
hv.blockdev_info.block_device_cache_noflush =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_DISABLE_IMAGE_NVDIMM => {
hv.blockdev_info.disable_image_nvdimm =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_MEMORY_OFFSET => {
hv.blockdev_info.memory_offset = self.get_u64(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_ENABLE_VHOSTUSER_STORE => {
hv.blockdev_info.enable_vhost_user_store =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH => {
hv.blockdev_info.validate_vhost_user_store_path(value)?;
hv.blockdev_info.vhost_user_store_path = value.to_string();
}
// Hypervisor Guest Boot related annotations
KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH => {
hv.boot_info.validate_boot_path(value)?;
hv.boot_info.kernel = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_KERNEL_PARAMS => {
hv.boot_info.kernel_params = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_IMAGE_PATH => {
hv.boot_info.validate_boot_path(value)?;
hv.boot_info.image = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_INITRD_PATH => {
hv.boot_info.validate_boot_path(value)?;
hv.boot_info.initrd = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_FIRMWARE_PATH => {
hv.boot_info.validate_boot_path(value)?;
hv.boot_info.firmware = value.to_string();
}
// Hypervisor CPU related annotations
KATA_ANNO_CONF_HYPERVISOR_CPU_FEATURES => {
hv.cpu_info.cpu_features = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS => {
let num_cpus = self.get_i32(key).unwrap_or_default();
if num_cpus
> get_hypervisor_plugin(hypervisor_name)
.unwrap()
.get_max_cpus() as i32
{
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!(
"Vcpus specified in annotation {} is more than maximum limitation {}",
num_cpus,
get_hypervisor_plugin(hypervisor_name)
.unwrap()
.get_max_cpus()
),
));
} else {
hv.cpu_info.default_vcpus = num_cpus;
}
}
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MAX_VCPUS => {
hv.cpu_info.default_maxvcpus = self.get_u32(key).unwrap_or_default();
}
// Hypervisor Device related annotations
KATA_ANNO_CONF_HYPERVISOR_HOTPLUG_VFIO_ON_ROOT_BUS => {
hv.device_info.hotplug_vfio_on_root_bus =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_PCIE_ROOT_PORT => {
hv.device_info.pcie_root_port = self.get_u32(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_IOMMU => {
hv.device_info.enable_iommu = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_IOMMU_PLATFORM => {
hv.device_info.enable_iommu_platform =
self.get_bool(key).unwrap_or_default();
}
// Hypervisor Machine related annotations
KATA_ANNO_CONF_HYPERVISOR_MACHINE_TYPE => {
hv.machine_info.machine_type = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_MACHINE_ACCELERATORS => {
hv.machine_info.machine_accelerators = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_ENTROPY_SOURCE => {
hv.machine_info.validate_entropy_source(value)?;
hv.machine_info.entropy_source = value.to_string();
}
// Hypervisor Memory related annotations
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY => {
let mem = self.get_u32(key).unwrap_or_default();
if mem
< get_hypervisor_plugin(hypervisor_name)
.unwrap()
.get_min_memory()
{
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!(
"Memory specified in annotation {} is less than minmum required {}",
mem,
get_hypervisor_plugin(hypervisor_name)
.unwrap()
.get_min_memory()
),
));
} else {
hv.memory_info.default_memory = mem;
}
}
KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS => match self.get_u32(key) {
Some(v) => {
hv.memory_info.memory_slots = v;
}
None => {
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!("{}in annotation is less than zero", key),
));
}
},
KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC => {
hv.memory_info.enable_mem_prealloc = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES => {
hv.memory_info.enable_hugepages = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR => {
hv.memory_info.validate_memory_backend_path(value)?;
hv.memory_info.file_mem_backend = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM => {
hv.memory_info.enable_virtio_mem = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP => {
hv.memory_info.enable_swap = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP => {
hv.memory_info.enable_guest_swap = self.get_bool(key).unwrap_or_default();
}
// Hypervisor Network related annotations
KATA_ANNO_CONF_HYPERVISOR_DISABLE_VHOST_NET => {
hv.network_info.disable_vhost_net = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_RX_RATE_LIMITER_MAX_RATE => match self.get_u64(key) {
Some(v) => {
hv.network_info.rx_rate_limiter_max_rate = v;
}
None => {
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!("{} in annotation is less than zero", key),
));
}
},
KATA_ANNO_CONF_HYPERVISOR_TX_RATE_LIMITER_MAX_RATE => match self.get_u64(key) {
Some(v) => {
hv.network_info.tx_rate_limiter_max_rate = v;
}
None => {
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!("{} in annotation is less than zero", key),
));
}
},
// Hypervisor Security related annotations
KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH => {
hv.security_info.validate_path(value)?;
hv.security_info.guest_hook_path = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR => {
hv.security_info.rootless = self.get_bool(key).unwrap_or_default();
}
// Hypervisor Shared File System related annotations
KATA_ANNO_CONF_HYPERVISOR_SHARED_FS => {
hv.shared_fs.shared_fs = self.get(key);
}
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON => {
hv.shared_fs.validate_virtiofs_daemon_path(value)?;
hv.shared_fs.virtio_fs_daemon = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE => {
hv.shared_fs.virtio_fs_cache = value.to_string();
}
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_CACHE_SIZE => {
hv.shared_fs.virtio_fs_cache_size = self.get_u32(key).unwrap_or_default();
}
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS => {
let args: Vec<String> =
value.to_string().split(',').map(str::to_string).collect();
for arg in args {
hv.shared_fs.virtio_fs_extra_args.push(arg.to_string());
}
}
KATA_ANNO_CONF_HYPERVISOR_MSIZE_9P => {
hv.shared_fs.msize_9p = self.get_u32(key).unwrap_or_default();
}
_ => {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
format!("Invalid Annotation Type {}", key),
));
}
}
} else {
match key.as_str() {
//update agent config
KATA_ANNO_CONF_KERNEL_MODULES => {
let kernel_mod: Vec<String> =
value.to_string().split(';').map(str::to_string).collect();
for modules in kernel_mod {
ag.kernel_modules.push(modules.to_string());
}
}
KATA_ANNO_CONF_AGENT_TRACE => {
ag.enable_tracing = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE => {
ag.container_pipe_size = self.get_u32(key).unwrap_or_default();
}
//update runtume config
KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP => {
config.runtime.disable_guest_seccomp =
self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_ENABLE_PPROF => {
config.runtime.enable_pprof = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_EXPERIMENTAL => {
let args: Vec<String> =
value.to_string().split(',').map(str::to_string).collect();
for arg in args {
config.runtime.experimental.push(arg.to_string());
}
}
KATA_ANNO_CONF_INTER_NETWORK_MODEL => {
config.runtime.internetworking_model = value.to_string();
}
KATA_ANNO_CONF_SANDBOX_CGROUP_ONLY => {
config.runtime.disable_new_netns = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_DISABLE_NEW_NETNS => {
config.runtime.disable_new_netns = self.get_bool(key).unwrap_or_default();
}
KATA_ANNO_CONF_VFIO_MODE => {
config.runtime.vfio_mode = value.to_string();
}
_ => {
return Err(io::Error::new(
io::ErrorKind::InvalidData,
format!("Annotation {} not enabled", key),
));
}
}
}
}
Ok(())
}
}

14
src/libs/kata-types/src/annotations/thirdparty.rs Normal file
View File

@ -0,0 +1,14 @@
// Copyright (c) 2021 Alibaba Cloud
//
// SPDX-License-Identifier: Apache-2.0
//
//! Third-party annotations - annotations defined by other projects or k8s plugins but that can
//! change Kata Containers behaviour.
/// Annotation to enable SGX.
///
/// Hardware-based isolation and memory encryption.
// Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi
// For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html
pub const SGXEPC: &str = "sgx.intel.com/epc";

3
src/libs/kata-types/src/config/agent.rs
View File

@ -50,6 +50,9 @@ pub struct Agent {
/// requirements, like architecture and version.
#[serde(default)]
pub kernel_modules: Vec<String>,
/// contianer pipe size
pub container_pipe_size: u32,
}
impl ConfigOps for Agent {

10
src/libs/kata-types/src/config/default.rs
View File

@ -9,17 +9,12 @@
use lazy_static::lazy_static;
lazy_static! {
/// Default configuration file paths.
/// Default configuration file paths, vendor may extend the list
pub static ref DEFAULT_RUNTIME_CONFIGURATIONS: Vec::<&'static str> = vec![
"/etc/kata-containers2/configuration.toml",
"/usr/share/defaults/kata-containers2/configuration.toml",
"/etc/kata-containers/configuration_v2.toml",
"/usr/share/defaults/kata-containers/configuration_v2.toml",
"/etc/kata-containers/configuration.toml",
"/usr/share/defaults/kata-containers/configuration.toml",
];
}
pub const DEFAULT_AGENT_NAME: &str = "kata";
pub const DEFAULT_INTERNETWORKING_MODEL: &str = "tcfilter";
@ -46,7 +41,7 @@ pub const DEFAULT_DB_ENTROPY_SOURCE: &str = "/dev/urandom";
pub const DEFAULT_DB_MEMORY_SIZE: u32 = 128;
pub const DEFAULT_DB_MEMORY_SLOTS: u32 = 128;
pub const MAX_DB_VCPUS: u32 = 256;
pub const MIN_DB_MEMORY_SIZE: u32 = 64;
// Default configuration for qemu
pub const DEFAULT_QEMU_BINARY_PATH: &str = "qemu";
pub const DEFAULT_QEMU_CONTROL_PATH: &str = "";
@ -60,3 +55,4 @@ pub const DEFAULT_QEMU_MEMORY_SLOTS: u32 = 128;
pub const DEFAULT_QEMU_PCI_BRIDGES: u32 = 2;
pub const MAX_QEMU_PCI_BRIDGES: u32 = 5;
pub const MAX_QEMU_VCPUS: u32 = 256;
pub const MIN_QEMU_MEMORY_SIZE: u32 = 64;

9
src/libs/kata-types/src/config/hypervisor/dragonball.rs
View File

@ -6,8 +6,11 @@
use std::io::Result;
use std::path::Path;
use std::sync::Arc;
use std::u32;
use super::{default, register_hypervisor_plugin};
use crate::config::default::MAX_DB_VCPUS;
use crate::config::default::MIN_DB_MEMORY_SIZE;
use crate::config::hypervisor::{
VIRTIO_BLK, VIRTIO_BLK_MMIO, VIRTIO_FS, VIRTIO_FS_INLINE, VIRTIO_PMEM,
};
@ -35,6 +38,12 @@ impl DragonballConfig {
}
impl ConfigPlugin for DragonballConfig {
fn get_max_cpus(&self) -> u32 {
MAX_DB_VCPUS
}
fn get_min_memory(&self) -> u32 {
MIN_DB_MEMORY_SIZE
}
fn name(&self) -> &str {
HYPERVISOR_NAME_DRAGONBALL
}

23
src/libs/kata-types/src/config/hypervisor/mod.rs
View File

@ -31,6 +31,7 @@ use lazy_static::lazy_static;
use regex::RegexSet;
use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
use crate::annotations::KATA_ANNO_CONF_HYPERVISOR_PREFIX;
use crate::{eother, resolve_path, validate_path};
mod dragonball;
@ -232,6 +233,12 @@ impl BootInfo {
}
Ok(())
}
/// Validate guest kernel image annotaion
pub fn validate_boot_path(&self, path: &str) -> Result<()> {
validate_path!(path, "path {} is invalid{}")?;
Ok(())
}
}
/// Virtual CPU configuration information.
@ -692,17 +699,22 @@ impl SecurityInfo {
/// Check whether annotation key is enabled or not.
pub fn is_annotation_enabled(&self, path: &str) -> bool {
if !path.starts_with("io.katacontainers.config.hypervisor.") {
if !path.starts_with(KATA_ANNO_CONF_HYPERVISOR_PREFIX) {
return false;
}
let pos = "io.katacontainers.config.hypervisor.".len();
let pos = KATA_ANNO_CONF_HYPERVISOR_PREFIX.len();
let key = &path[pos..];
if let Ok(set) = RegexSet::new(&self.enable_annotations) {
return set.is_match(key);
}
false
}
/// Validate path
pub fn validate_path(&self, path: &str) -> Result<()> {
validate_path!(path, "path {} is invalid{}")?;
Ok(())
}
}
/// Configuration information for shared filesystem, such virtio-9p and virtio-fs.
@ -955,12 +967,10 @@ impl Hypervisor {
impl ConfigOps for Hypervisor {
fn adjust_configuration(conf: &mut TomlConfig) -> Result<()> {
HypervisorVendor::adjust_configuration(conf)?;
let hypervisors: Vec<String> = conf.hypervisor.keys().cloned().collect();
for hypervisor in hypervisors.iter() {
if let Some(plugin) = get_hypervisor_plugin(hypervisor) {
plugin.adjust_configuration(conf)?;
// Safe to unwrap() because `hypervisor` is a valid key in the hash map.
let hv = conf.hypervisor.get_mut(hypervisor).unwrap();
hv.blockdev_info.adjust_configuration()?;
@ -1031,9 +1041,8 @@ mod vendor {
#[path = "vendor.rs"]
mod vendor;
pub use self::vendor::HypervisorVendor;
use crate::config::validate_path_pattern;
pub use vendor::HypervisorVendor;
#[cfg(test)]
mod tests {
use super::*;

11
src/libs/kata-types/src/config/hypervisor/qemu.rs
View File

@ -8,6 +8,10 @@ use std::path::Path;
use std::sync::Arc;
use super::{default, register_hypervisor_plugin};
use crate::config::default::MAX_QEMU_VCPUS;
use crate::config::default::MIN_QEMU_MEMORY_SIZE;
use crate::config::hypervisor::VIRTIO_BLK_MMIO;
use crate::config::{ConfigPlugin, TomlConfig};
use crate::{eother, resolve_path, validate_path};
@ -33,6 +37,13 @@ impl QemuConfig {
}
impl ConfigPlugin for QemuConfig {
fn get_max_cpus(&self) -> u32 {
MAX_QEMU_VCPUS
}
fn get_min_memory(&self) -> u32 {
MIN_QEMU_MEMORY_SIZE
}
fn name(&self) -> &str {
HYPERVISOR_NAME_QEMU
}

19
src/libs/kata-types/src/config/mod.rs
View File

@ -9,6 +9,7 @@ use std::fs;
use std::io::{self, Result};
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex};
use std::u32;
use lazy_static::lazy_static;
@ -18,9 +19,9 @@ use crate::{eother, sl};
pub mod default;
mod agent;
pub use self::agent::{Agent, AgentVendor};
pub mod hypervisor;
mod hypervisor;
use self::agent::Agent;
pub use self::hypervisor::{
BootInfo, DragonballConfig, Hypervisor, QemuConfig, HYPERVISOR_NAME_DRAGONBALL,
HYPERVISOR_NAME_QEMU,
@ -39,6 +40,12 @@ pub trait ConfigPlugin: Send + Sync {
/// Validate the configuration information.
fn validate(&self, _conf: &TomlConfig) -> Result<()>;
/// Get the minmum memory for hypervisor
fn get_min_memory(&self) -> u32;
/// Get the max defualt cpus
fn get_max_cpus(&self) -> u32;
}
/// Trait to manipulate Kata configuration information.
@ -129,12 +136,10 @@ impl TomlConfig {
/// Load Kata configuration information from string.
pub fn load(content: &str) -> Result<TomlConfig> {
let mut config: TomlConfig = toml::from_str(content)?;
Hypervisor::adjust_configuration(&mut config)?;
Runtime::adjust_configuration(&mut config)?;
Agent::adjust_configuration(&mut config)?;
info!(sl!(), "get kata config: {:?}", config);
Ok(config)
}
@ -167,7 +172,6 @@ pub fn validate_path_pattern<P: AsRef<Path>>(patterns: &[String], path: P) -> Re
.as_ref()
.to_str()
.ok_or_else(|| eother!("Invalid path {}", path.as_ref().to_string_lossy()))?;
for p in patterns.iter() {
if let Ok(glob) = glob::Pattern::new(p) {
if glob.matches(path) {
@ -226,6 +230,10 @@ impl KataConfig {
pub fn get_active_config() -> Arc<KataConfig> {
KATA_ACTIVE_CONFIG.lock().unwrap().clone()
}
/// Get the config in use
pub fn get_config(&self) -> &TomlConfig {
&self.config
}
/// Get the agent configuration in use.
pub fn get_agent(&self) -> Option<&Agent> {
@ -254,6 +262,7 @@ lazy_static! {
agent: String::new(),
hypervisor: String::new(),
};
Mutex::new(Arc::new(kata))
};
static ref KATA_ACTIVE_CONFIG: Mutex<Arc<KataConfig>> = {

1
src/libs/kata-types/src/config/runtime.rs
View File

@ -115,7 +115,6 @@ pub struct Runtime {
impl ConfigOps for Runtime {
fn adjust_configuration(conf: &mut TomlConfig) -> Result<()> {
RuntimeVendor::adjust_configuration(conf)?;
if conf.runtime.internetworking_model.is_empty() {
conf.runtime.internetworking_model = default::DEFAULT_INTERNETWORKING_MODEL.to_owned();
}

475
src/libs/kata-types/tests/test-config.rs
View File

@ -1,41 +1,452 @@
use kata_types::config::{QemuConfig, TomlConfig, HYPERVISOR_NAME_QEMU};
use std::fs;
use std::path::Path;
#[cfg(test)]
mod tests {
use kata_types::annotations::{
Annotation, KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE, KATA_ANNO_CONF_AGENT_TRACE,
KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP, KATA_ANNO_CONF_ENABLE_PPROF,
KATA_ANNO_CONF_EXPERIMENTAL, KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH,
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER, KATA_ANNO_CONF_HYPERVISOR_CTLPATH,
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY, KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS,
KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP, KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS,
KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP, KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR,
KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH, KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES,
KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH, KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH,
KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC, KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS,
KATA_ANNO_CONF_HYPERVISOR_PATH, KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH,
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON, KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS,
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM, KATA_ANNO_CONF_KERNEL_MODULES,
};
use kata_types::config::KataConfig;
use kata_types::config::{QemuConfig, TomlConfig};
use std::collections::HashMap;
use std::fs;
use std::path::Path;
#[test]
fn test_change_config_annotation() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
#[test]
fn test_load_qemu_config() {
let plugin = QemuConfig::new();
plugin.register();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
std::process::Command::new("mkdir")
.arg("./hypervisor_path")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./store_path")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./test_hypervisor_hook_path")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./jvm")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./test_file_backend_mem_root")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./test_jailer_path")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./test_kernel_path")
.output()
.expect("failed to execute process");
std::process::Command::new("mkdir")
.arg("./virtio_fs")
.output()
.expect("failed to execute process");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_KERNEL_MODULES.to_string(),
"j465 aaa=1;r33w".to_string(),
);
anno_hash.insert(KATA_ANNO_CONF_AGENT_TRACE.to_string(), "false".to_string());
anno_hash.insert(
KATA_ANNO_CONF_AGENT_CONTAINER_PIPE_SIZE.to_string(),
"3".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_PATH.to_string(),
"./hypervisor_path".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER.to_string(),
"device".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_CACHE_NOFLUSH.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_VHOSTUSER_STORE_PATH.to_string(),
"./store_path".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_DISABLE_GUEST_SECCOMP.to_string(),
"true".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_GUEST_HOOK_PATH.to_string(),
"./test_hypervisor_hook_path".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_MEMORY_PREALLOC.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_CTLPATH.to_string(),
"./jvm".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS.to_string(),
"12".to_string(),
);
anno_hash.insert(KATA_ANNO_CONF_ENABLE_PPROF.to_string(), "false".to_string());
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY.to_string(),
"100".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_ENABLE_IO_THREADS.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_ENABLE_SWAP.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR.to_string(),
"./test_file_backend_mem_root".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_HUGE_PAGES.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_JAILER_PATH.to_string(),
"./test_jailer_path".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH.to_string(),
"./test_kernel_path".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS.to_string(),
"100".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS.to_string(),
"rr,dg,er".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_MEM.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_VIRTIO_FS_DAEMON.to_string(),
"./virtio_fs".to_string(),
);
anno_hash.insert(KATA_ANNO_CONF_EXPERIMENTAL.to_string(), "c,d,e".to_string());
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_ok());
KataConfig::set_active_config(config, "qemu", "agnet0");
if let Some(ag) = KataConfig::get_default_config().get_agent() {
assert_eq!(
ag.kernel_modules[0],
"e1000e InterruptThrottleRate=3000,3000,3000 EEE=1"
);
assert_eq!(ag.kernel_modules[1], "i915_enabled_ppgtt=0");
assert_eq!(ag.kernel_modules[2], "j465 aaa=1");
assert_eq!(ag.kernel_modules[3], "r33w");
assert!(!ag.enable_tracing);
assert_eq!(ag.container_pipe_size, 3);
}
if let Some(hv) = KataConfig::get_default_config().get_hypervisor() {
assert_eq!(hv.path, "./hypervisor_path".to_string());
assert_eq!(hv.blockdev_info.block_device_driver, "device");
assert!(!hv.blockdev_info.block_device_cache_noflush);
assert!(hv.blockdev_info.block_device_cache_set);
assert_eq!(hv.blockdev_info.vhost_user_store_path, "./store_path");
assert_eq!(
hv.security_info.guest_hook_path,
"./test_hypervisor_hook_path"
);
assert!(!hv.memory_info.enable_mem_prealloc);
assert_eq!(hv.ctlpath, "./jvm".to_string());
assert_eq!(hv.cpu_info.default_vcpus, 12);
assert!(!hv.memory_info.enable_guest_swap);
assert_eq!(hv.memory_info.default_memory, 100);
assert!(!hv.enable_iothreads);
assert!(!hv.enable_iothreads);
assert!(!hv.memory_info.enable_swap);
assert_eq!(
hv.memory_info.file_mem_backend,
"./test_file_backend_mem_root"
);
assert!(!hv.memory_info.enable_hugepages);
assert_eq!(hv.jailer_path, "./test_jailer_path".to_string());
assert_eq!(hv.boot_info.kernel, "./test_kernel_path");
assert_eq!(hv.memory_info.memory_slots, 100);
assert_eq!(hv.shared_fs.virtio_fs_extra_args[5], "rr");
assert_eq!(hv.shared_fs.virtio_fs_extra_args[6], "dg");
assert_eq!(hv.shared_fs.virtio_fs_extra_args[7], "er");
assert!(!hv.memory_info.enable_virtio_mem);
assert_eq!(hv.shared_fs.virtio_fs_daemon, "./virtio_fs");
}
assert!(
KataConfig::get_active_config()
.get_config()
.runtime
.disable_guest_seccomp
);
assert!(
!KataConfig::get_active_config()
.get_config()
.runtime
.enable_pprof
);
assert_eq!(
KataConfig::get_active_config()
.get_config()
.runtime
.experimental,
["a", "b", "c", "d", "e"]
);
std::process::Command::new("rmdir")
.arg("./hypervisor_path")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./test_hypervisor_hook_path")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./test_file_backend_mem_root")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./test_jailer_path")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./test_kernel_path")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./virtio_fs")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./jvm")
.output()
.expect("failed to execute process");
std::process::Command::new("rmdir")
.arg("./store_path")
.output()
.expect("failed to execute process");
}
#[test]
fn test_fail_to_change_block_device_driver_because_not_enabled() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-1.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_BLOCK_DEVICE_DRIVER.to_string(),
"fvfvfvfvf".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_enable_guest_swap_because_not_enabled() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-1.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_ENABLE_GUEST_SWAP.to_string(),
"false".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_hypervisor_path_because_of_invalid_path() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_PATH.to_string(),
"/usr/bin/nle".to_string(),
);
let anno = Annotation::new(anno_hash);
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-qemu.toml");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_kernel_path_because_of_invalid_path() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_KERNEL_PATH.to_string(),
"/usr/bin/cdcd".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_memory_slots_because_of_less_than_zero() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let qemu = config.hypervisor.get(HYPERVISOR_NAME_QEMU).unwrap();
assert_eq!(qemu.path, "/usr/bin/ls");
assert_eq!(qemu.valid_hypervisor_paths.len(), 2);
assert_eq!(qemu.valid_hypervisor_paths[0], "/usr/bin/qemu*");
assert_eq!(qemu.valid_hypervisor_paths[1], "/opt/qemu?");
qemu.validate_hypervisor_path("/usr/bin/qemu0").unwrap();
qemu.validate_hypervisor_path("/usr/bin/qemu1").unwrap();
qemu.validate_hypervisor_path("/usr/bin/qemu2222").unwrap();
qemu.validate_hypervisor_path("/opt/qemu3").unwrap();
qemu.validate_hypervisor_path("/opt/qemu").unwrap_err();
qemu.validate_hypervisor_path("/opt/qemu33").unwrap_err();
assert_eq!(qemu.ctlpath, "/usr/bin/ls");
assert_eq!(qemu.valid_ctlpaths.len(), 0);
assert!(qemu.jailer_path.is_empty());
assert_eq!(qemu.valid_jailer_paths.len(), 0);
assert_eq!(qemu.disable_nesting_checks, true);
assert_eq!(qemu.enable_iothreads, true);
let qemu = QemuConfig::new();
qemu.register();
assert_eq!(qemu.boot_info.image, "/usr/bin/echo");
assert_eq!(qemu.boot_info.kernel, "/usr/bin/id");
assert_eq!(qemu.boot_info.kernel_params, "ro");
assert_eq!(qemu.boot_info.firmware, "/etc/hostname");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_MEMORY_SLOTS.to_string(),
"-1".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert_eq!(qemu.cpu_info.cpu_features, "pmu=off,vmx=off");
assert_eq!(qemu.cpu_info.default_vcpus, 2);
assert_eq!(qemu.cpu_info.default_maxvcpus, 64);
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_default_memory_because_less_than_min_memory_size() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_MEMORY.to_string(),
"10".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
#[test]
fn test_fail_to_change_default_vcpus_becuase_more_than_max_cpu_size() {
let path = env!("CARGO_MANIFEST_DIR");
let path = Path::new(path).join("tests/texture/configuration-anno-0.toml");
let content = fs::read_to_string(&path).unwrap();
let qemu = QemuConfig::new();
qemu.register();
let config = TomlConfig::load(&content).unwrap();
KataConfig::set_active_config(config, "qemu", "agent0");
let mut anno_hash = HashMap::new();
anno_hash.insert(
KATA_ANNO_CONF_HYPERVISOR_DEFAULT_VCPUS.to_string(),
"400".to_string(),
);
let anno = Annotation::new(anno_hash);
let mut config = TomlConfig::load(&content).unwrap();
assert!(anno
.update_config_by_annotation(&mut config, "qemu", "agent0")
.is_err());
}
}

88
src/libs/kata-types/tests/texture/configuration-anno-0.toml Normal file
View File

@ -0,0 +1,88 @@
[hypervisor.qemu]
path = "/usr/bin/lsns"
valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?","/usr/bin/ls*","./hypervisor_path"]
valid_jailer_paths = ["/usr/lib/rust","./test_jailer_path"]
ctlpath = "/usr/bin/"
valid_ctlpaths = ["/usr/lib/jvm","usr/bin/qemu-io","./jvm"]
disable_nesting_checks = true
enable_iothreads = true
jailer_path = "/usr/local"
kernel = "/usr/bin/../bin/zcmp"
image = "/usr/bin/./tabs"
kernel_params = "ro"
firmware = "/etc/hostname"
cpu_features="pmu=off,vmx=off"
default_vcpus = 2
default_maxvcpus = 64
machine_type = "q35"
confidential_guest = true
rootless = true
enable_annotations = ["shared_fs","path", "ctlpath","jailer_path","enable_iothreads","default_memory","memory_slots","enable_mem_prealloc","enable_hugepages","file_mem_backend","enable_virtio_mem","enable_swap","enable_guest_swap","default_vcpus","virtio_fs_extra_args","block_device_driver","vhost_user_store_path","kernel","guest_hook_path","block_device_cache_noflush","virtio_fs_daemon"]
machine_accelerators="noapic"
default_bridges = 2
default_memory = 128
memory_slots = 128
memory_offset = 0x100000
enable_virtio_mem = true
disable_block_device_use = false
shared_fs = "virtio-fs"
virtio_fs_daemon = "/usr/bin/uptime"
valid_virtio_fs_daemon_paths = ["/usr/local/bin/virtiofsd*","./virtio_fs"]
virtio_fs_cache_size = 512
virtio_fs_extra_args = ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
virtio_fs_cache = "always"
block_device_driver = "virtio-blk"
block_device_cache_set = true
block_device_cache_direct = true
block_device_cache_noflush = true
enable_mem_prealloc = true
enable_hugepages = true
enable_vhost_user_store = true
vhost_user_store_path = "/tmp"
valid_vhost_user_store_paths = ["/var/kata/vhost-user-store*", "/tmp/kata?","/var/tmp","./store_path"]
enable_iommu = true
enable_iommu_platform = true
file_mem_backend = "/dev/shm"
valid_file_mem_backends = ["/dev/shm","/dev/snd","./test_file_backend_mem_root"]
enable_swap = true
pflashes = ["/proc/mounts"]
enable_debug = true
msize_9p = 16384
disable_image_nvdimm = true
hotplug_vfio_on_root_bus = true
pcie_root_port = 2
disable_vhost_net = true
entropy_source= "/dev/urandom"
valid_entropy_sources = ["/dev/urandom", "/dev/random"]
guest_hook_path = "/usr/share"
rx_rate_limiter_max_rate = 10000
tx_rate_limiter_max_rate = 10000
guest_memory_dump_path="/var/crash/kata"
guest_memory_dump_paging = true
enable_guest_swap = true
[agent.agent0]
enable_tracing = true
debug_console_enabled = true
debug = true
dial_timeout = 1
kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"]
container_pipe_size = 2
[runtime]
enable_debug = true
internetworking_model="macvtap"
disable_guest_seccomp=false
enable_tracing = true
jaeger_endpoint = "localhost:1234"
jaeger_user = "user"
jaeger_password = "pw"
disable_new_netns = true
sandbox_cgroup_only=true
sandbox_bind_mounts=["/proc/self"]
vfio_mode="vfio"
experimental=["a", "b"]
enable_pprof = true

27
src/libs/kata-types/tests/texture/configuration-qemu.toml → src/libs/kata-types/tests/texture/configuration-anno-1.toml
View File

@ -1,12 +1,13 @@
[hypervisor.qemu]
path = "/usr/bin/ls"
valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?"]
ctlpath = "/usr/bin/ls"
path = "/usr/bin/lsns"
valid_hypervisor_paths = ["/usr/bin/qemu*", "/opt/qemu?","/usr/bin/lsns","./hypervisor_path"]
valid_jailer_paths = ["/usr/lib/rust"]
ctlpath = "/usr/bin"
disable_nesting_checks = true
enable_iothreads = true
kernel = "/usr/bin/../bin/id"
image = "/usr/bin/./echo"
jailer_path = "/usr/local"
kernel = "/usr/bin/../bin/uptime"
image = "/usr/bin/./lessecho"
kernel_params = "ro"
firmware = "/etc/hostname"
@ -17,7 +18,7 @@ default_maxvcpus = 64
machine_type = "q35"
confidential_guest = true
rootless = true
enable_annotations = ["path", "ctlpath"]
enable_annotations = ["path", "ctlpath","jailer_path"]
machine_accelerators="noapic"
default_bridges = 2
default_memory = 128
@ -26,7 +27,7 @@ memory_offset = 0x100000
enable_virtio_mem = true
disable_block_device_use = false
shared_fs = "virtio-fs"
virtio_fs_daemon = "/usr/bin/id"
virtio_fs_daemon = "/usr/bin/uptime"
valid_virtio_fs_daemon_paths = ["/usr/local/bin/virtiofsd*"]
virtio_fs_cache_size = 512
virtio_fs_extra_args = ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
@ -61,10 +62,17 @@ guest_memory_dump_path="/var/crash/kata"
guest_memory_dump_paging = true
enable_guest_swap = true
[agent.agent0]
enable_tracing = true
debug_console_enabled = true
debug = true
dial_timeout = 1
kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"]
container_pipe_size = 2
[runtime]
enable_debug = true
internetworking_model="macvtap"
disable_guest_seccomp=true
pdisable_guest_seccomp=true
enable_tracing = true
jaeger_endpoint = "localhost:1234"
jaeger_user = "user"
@ -76,3 +84,4 @@ vfio_mode="vfio"
experimental=["a", "b"]
enable_pprof = true