From 8220e54787dceb5b1ecd60d00220739e74b9af03 Mon Sep 17 00:00:00 2001 From: chmod100 Date: Fri, 5 Aug 2022 11:36:40 +0000 Subject: [PATCH 1/7] runtime: add unlock before return in sendReq Unlock is required before return, so there need to add unlock Fixes: #4827 Signed-off-by: chmod100 --- src/runtime/virtcontainers/kata_agent.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index ba2fc811d2..f10f81daea 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -2015,11 +2015,13 @@ func (k *kataAgent) sendReq(spanCtx context.Context, request interface{}) (inter k.Lock() if k.reqHandlers == nil { + k.Unlock() return nil, errors.New("Client has already disconnected") } handler := k.reqHandlers[msgName] if msgName == "" || handler == nil { + k.Unlock() return nil, errors.New("Invalid request type") } From 22c005f551c47ebdc2d89557d975b1cefbb4ca06 Mon Sep 17 00:00:00 2001 From: liubin Date: Wed, 20 Jul 2022 12:11:59 +0800 Subject: [PATCH 2/7] nydus: upgrade nydus/nydus-snapshotter version Upgrade nydus/nydus-snapshotter to the latest version. Fixes: #4694 Signed-off-by: liubin --- versions.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions.yaml b/versions.yaml index 520fb4dd3e..0793f35330 100644 --- a/versions.yaml +++ b/versions.yaml @@ -241,12 +241,12 @@ externals: nydus: description: "Nydus image acceleration service" url: "https://github.com/dragonflyoss/image-service" - version: "v1.1.2" + version: "v2.1.0-alpha.4" nydus-snapshotter: description: "Snapshotter for Nydus image acceleration service" url: "https://github.com/containerd/nydus-snapshotter" - version: "v0.1.0" + version: "v0.2.3" virtiofsd: description: "vhost-user virtio-fs device backend written in Rust" From 59bd5c2e0a8895719572b94a43b3dc2eacc30b55 Mon Sep 17 00:00:00 2001 
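Review bot: The two added `k.Unlock()` calls fix the leak reported in #4827, but they leave sendReq with one unlock per return path, which is the shape that produced the bug in the first place and will again the next time an early return is added under `k.Lock()`. If the Unlock that follows the hunk comes right after the handler lookup (sendReq starts before the hunk and continues past it, so confirm this against the full function), the map access can be collapsed into a single locked region with exactly one Unlock, and the two error checks can run after it; a nil-map read in Go is safe and yields nil, so the `reqHandlers == nil` case only needs to be recorded under the lock.
```go
	k.Lock()
	disconnected := k.reqHandlers == nil
	// Reading a nil map is safe and yields nil, so one lookup serves both checks.
	handler := k.reqHandlers[msgName]
	k.Unlock()
	if disconnected {
		return nil, errors.New("Client has already disconnected")
	}
	if msgName == "" || handler == nil {
		return nil, errors.New("Invalid request type")
	}
	// … unchanged: rest of sendReq …
```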
From: Fupan Li Date: Thu, 14 Jul 2022 16:39:49 +0800 Subject: [PATCH 3/7] container: kill all of the processes in this container When a container terminated, we should make sure there's no processes left after destroying the container. Before this commit, kata-agent depended on the kernel's pidns to destroy all of the process in a container after the 1 process exit in a container. This is true for those container using a separated pidns, but for the case of shared pidns within the sandbox, the container exit wouldn't trigger the pidns terminated, and there would be some daemon process left in this container, this wasn't expected. Fixes: #4663 Signed-off-by: Fupan Li --- src/agent/rustjail/src/container.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs index 29f2bb1308..4891a7471b 100644 --- a/src/agent/rustjail/src/container.rs +++ b/src/agent/rustjail/src/container.rs @@ -1092,6 +1092,16 @@ impl BaseContainer for LinuxContainer { fs::remove_dir_all(&self.root)?; if let Some(cgm) = self.cgroup_manager.as_mut() { + // Kill all of the processes created in this container to prevent + // the leak of some daemon process when this container shared pidns + // with the sandbox. + let pids = cgm.get_pids().context("get cgroup pids")?; + for i in pids { + if let Err(e) = signal::kill(Pid::from_raw(i), Signal::SIGKILL) { + warn!(self.logger, "kill the process {} error: {:?}", i, e); + } + } + cgm.destroy().context("destroy cgroups")?; } Ok(()) From 01c889fb666d0f131a99edf6f6232bd17245d438 Mon Sep 17 00:00:00 2001 From: Manabu Sugimoto Date: Wed, 6 Jul 2022 15:35:24 +0900 Subject: [PATCH 4/7] runtime: Fix DisableSelinux config Enable Kata runtime to handle `disable_selinux` flag properly in order to be able to change the status by the runtime configuration whether the runtime applies the SELinux label to VMM process. Fixes: #4599 
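Review bot: The new kill loop acts on a single snapshot from `cgm.get_pids()`, so any process that forks between the listing and its SIGKILL is missed, and `cgm.destroy()` then runs against a cgroup that still has members; for the shared-pidns case this commit targets, that is exactly the daemon-style process that may be spawning children. Repeating the list-and-kill cycle until the cgroup reports no pids, with a small bound so `destroy()` cannot hang on a pid that will not go away, closes that window without needing any new cgroup API. Separately, an `ESRCH` from `signal::kill` is expected when a listed process exits on its own between the two calls, so the `warn!` may be noisy for a non-error; I would log that case at a lower level if the error kind is inspectable here. The enclosing `destroy` method starts before the hunk.
```rust
        if let Some(cgm) = self.cgroup_manager.as_mut() {
            // Kill every process in the container's cgroup. Repeat, because a
            // process may fork between listing and killing; the bound (constructed
            // value, tune as needed) keeps destroy() from hanging on a stuck pid.
            for _attempt in 0..10 {
                let pids = cgm.get_pids().context("get cgroup pids")?;
                if pids.is_empty() {
                    break;
                }
                for i in pids {
                    if let Err(e) = signal::kill(Pid::from_raw(i), Signal::SIGKILL) {
                        warn!(self.logger, "kill the process {} error: {:?}", i, e);
                    }
                }
            }
            // … unchanged: cgm.destroy() …
```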
Signed-off-by: Manabu Sugimoto --- src/runtime/config/configuration-acrn.toml.in | 6 +++--- src/runtime/config/configuration-clh.toml.in | 6 +++--- src/runtime/config/configuration-fc.toml.in | 6 +++--- src/runtime/config/configuration-qemu.toml.in | 6 +++--- src/runtime/pkg/katautils/config.go | 3 +++ 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/src/runtime/config/configuration-acrn.toml.in b/src/runtime/config/configuration-acrn.toml.in index f0be92ad08..5f1368ce82 100644 --- a/src/runtime/config/configuration-acrn.toml.in +++ b/src/runtime/config/configuration-acrn.toml.in @@ -118,6 +118,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_ACRN@" # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" +# disable applying SELinux on the VMM process (default false) +disable_selinux=@DEFDISABLESELINUX@ + [agent.@PROJECT_TYPE@] # If enabled, make the agent display debug-level messages. # (default: disabled) @@ -186,9 +189,6 @@ internetworking_model="@DEFNETWORKMODEL_ACRN@" # (default: true) disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ -# disable applying SELinux on the VMM process (default false) -disable_selinux=@DEFDISABLESELINUX@ - # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 5d2d9c2f10..f09c095f0e 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -39,6 +39,9 @@ image = "@IMAGEPATH@" # Default false # confidential_guest = true +# disable applying SELinux on the VMM process (default false) +disable_selinux=@DEFDISABLESELINUX@ + # Path to the firmware. # If you want Cloud Hypervisor to use a specific firmware, set its path below. # This is option is only used when confidential_guest is enabled. 
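Review bot: Moving `disable_selinux` from the `[runtime]` section into the hypervisor section is a silent behavior change for any existing configuration that still sets the key under `[runtime]`: depending on how the runtime section is parsed (not visible here), that value is either rejected or accepted and ignored, and a user who had opted out of SELinux labeling would not learn why their VMM is now labeled. The template comment should say so, since this is the only place most operators will read it: `# disable applying SELinux on the VMM process (default false)` followed by `# NOTE: this option moved here from the [runtime] section; a value left under [runtime] no longer takes effect.` The same comment applies to the clh, fc and qemu template hunks in this patch, which make the identical move.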
@@ -319,9 +322,6 @@ internetworking_model="@DEFNETWORKMODEL_CLH@" # (default: true) disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ -# disable applying SELinux on the VMM process (default false) -disable_selinux=@DEFDISABLESELINUX@ - # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in index 8761d8a02e..b7f349c0dd 100644 --- a/src/runtime/config/configuration-fc.toml.in +++ b/src/runtime/config/configuration-fc.toml.in @@ -221,6 +221,9 @@ valid_entropy_sources = @DEFVALIDENTROPYSOURCES@ # Default 0-sized value means unlimited rate. #tx_rate_limiter_max_rate = 0 +# disable applying SELinux on the VMM process (default false) +disable_selinux=@DEFDISABLESELINUX@ + [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and @@ -309,9 +312,6 @@ internetworking_model="@DEFNETWORKMODEL_FC@" # (default: true) disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ -# disable applying SELinux on the VMM process (default false) -disable_selinux=@DEFDISABLESELINUX@ - # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 115cd19ccd..3ec44c8b6e 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in 
@@ -406,6 +406,9 @@ valid_entropy_sources = @DEFVALIDENTROPYSOURCES@ # use legacy serial for guest console if available and implemented for architecture. Default false #use_legacy_serial = true +# disable applying SELinux on the VMM process (default false) +disable_selinux=@DEFDISABLESELINUX@ + [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and @@ -523,9 +526,6 @@ internetworking_model="@DEFNETWORKMODEL_QEMU@" # (default: true) disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@ -# disable applying SELinux on the VMM process (default false) -disable_selinux=@DEFDISABLESELINUX@ - # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 4edc0c1108..0903c8ea9e 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -669,6 +669,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { RxRateLimiterMaxRate: rxRateLimiterMaxRate, TxRateLimiterMaxRate: txRateLimiterMaxRate, EnableAnnotations: h.EnableAnnotations, + DisableSeLinux: h.DisableSeLinux, }, nil } @@ -805,6 +806,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { GuestSwap: h.GuestSwap, Rootless: h.Rootless, LegacySerial: h.LegacySerial, + DisableSeLinux: h.DisableSeLinux, }, nil } @@ -869,6 +871,7 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { BlockDeviceDriver: blockDriver, DisableVhostNet: h.DisableVhostNet, GuestHookPath: h.guestHookPath(), + DisableSeLinux: h.DisableSeLinux, EnableAnnotations: h.EnableAnnotations, }, nil } From 1b930156cbe138234e3080fff3bcf46af2dc5197 Mon Sep 17 00:00:00 2001 
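Review bot: `DisableSeLinux: h.DisableSeLinux` is wired into the Firecracker, QEMU and ACRN hypervisor configs, but this patch also relocates `disable_selinux` into the Cloud Hypervisor template (`configuration-clh.toml.in`) and there is no corresponding hunk in config.go for the Cloud Hypervisor constructor. If that constructor exists in this file (it is outside the hunks shown), it presumably needs the same assignment, otherwise the clh key is parsed but never reaches the VMM launch and the flag silently has no effect for that hypervisor; if Cloud Hypervisor intentionally never applies a label, a one-line comment in its template saying so would avoid the same confusion. A minor consistency point: the ACRN hunk inserts the field between `GuestHookPath` and `EnableAnnotations` while the other two append it last; keeping one position makes future field additions easier to review. Each of the three enclosing constructors starts before its hunk.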
From: Archana Shinde Date: Tue, 5 Jul 2022 14:46:43 -0700 Subject: [PATCH 5/7] build: Fix clh source build as normal user While running make as non-privileged user, the make errors out with the following message: "INFO: Build cloud-hypervisor enabling the following features: tdx Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=cloudhypervisor%2Fdev&tag=20220524-0": dial unix /var/run/docker.sock: connect: permission denied" Even though the user may be part of docker group, the clh build from source does a docker in docker build. It is necessary for the user of the nested container to be part of docker build for the build to succeed. Fixes #4594 Signed-off-by: Archana Shinde --- .../kata-deploy/local-build/dockerbuild/Dockerfile | 7 ++++++- .../local-build/kata-deploy-binaries-in-docker.sh | 14 ++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile index 5514d9a640..06a4a93ac9 100644 --- a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile +++ b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile 
@@ -23,8 +23,13 @@ RUN apt-get update && \ ARG IMG_USER=kata-builder ARG UID=1000 ARG GID=1000 +# gid of the docker group on the host, required for running docker in docker builds. +ARG HOST_DOCKER_GID + RUN if [ ${IMG_USER} != "root" ]; then groupadd --gid=${GID} ${IMG_USER};fi RUN if [ ${IMG_USER} != "root" ]; then adduser ${IMG_USER} --uid=${UID} --gid=${GID};fi +RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then groupadd --gid=${HOST_DOCKER_GID} docker_on_host;fi +RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then usermod -a -G docker_on_host ${IMG_USER};fi RUN sh -c "echo '${IMG_USER} ALL=NOPASSWD: ALL' >> /etc/sudoers" #FIXME: gcc is required as agent is build out of a container build. @@ -40,4 +45,4 @@ RUN apt-get update && \ apt-get clean && rm -rf /var/lib/apt/lists ENV USER ${IMG_USER} -USER ${UID}:${GID} +USER ${IMG_USER} diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 4035ff9cbd..24d19c936f 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
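Review bot: `groupadd --gid=${HOST_DOCKER_GID} docker_on_host` fails the image build whenever that gid already belongs to a group in the base image, which is a plain host-dependent collision (the script only blanks the value when it equals `${GID}`); checking `getent group "${HOST_DOCKER_GID}"` first and adding `${IMG_USER}` to the existing group when one is found avoids that. The test `[ ! -z ${HOST_DOCKER_GID} ]` also relies on unquoted expansion and only happens to evaluate false when the argument is empty; `[ -n "${HOST_DOCKER_GID}" ]` states the intent. The switch to `USER ${IMG_USER}` is what actually makes the new group effective, and that deserves a comment for the next reader: `# Use the user name rather than UID:GID so supplementary groups (docker_on_host) are applied.`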
@@ -20,17 +20,27 @@ if [ "${script_dir}" != "${PWD}" ]; then ln -sf "${script_dir}/build" "${PWD}/build" fi +# This is the gid of the "docker" group on host. In case of docker in docker builds +# for some of the targets (clh builds from source), the nested container user needs to +# be part of this group. +docker_gid=$(getent group docker | cut -d: -f3 || { echo >&2 "Missing docker group, docker needs to be installed" && false; }) + +# If docker gid is the effective group id of the user, do not pass it as +# an additional group. +if [ ${docker_gid} == ${gid} ]; then + docker_gid="" +fi + docker build -q -t build-kata-deploy \ --build-arg IMG_USER="${USER}" \ --build-arg UID=${uid} \ --build-arg GID=${gid} \ + --build-arg HOST_DOCKER_GID=${docker_gid} \ "${script_dir}/dockerbuild/" docker run \ -v /var/run/docker.sock:/var/run/docker.sock \ - --user ${uid}:${gid} \ --env USER=${USER} -v "${kata_dir}:${kata_dir}" \ --rm \ -w ${script_dir} \ build-kata-deploy "${kata_deploy_create}" $@ - From 05b2096c08b6816e9fdc99f06467e0c688ba8e81 Mon Sep 17 00:00:00 2001 From: Peng Tao Date: Mon, 15 Aug 2022 07:22:43 +0000 Subject: [PATCH 6/7] release: Adapt kata-deploy for 2.5.0 kata-deploy files must be adapted to a new release. The cases where it happens are when the release goes from -> to: * main -> stable: * kata-deploy-stable / kata-cleanup-stable: are removed * stable -> stable: * kata-deploy / kata-cleanup: bump the release to the new one. There are no changes when doing an alpha release, as the files on the "main" branch always point to the "latest" and "stable" tags. Signed-off-by: Peng Tao --- tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml | 2 +- tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml index 851e958a4c..96b01c0148 100644 
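Review bot: The error branch in the new `docker_gid=$(getent group docker | cut -d: -f3 || { ... })` line can never fire, because `||` binds to `cut`, which succeeds on empty input, so a host without a docker group yields an empty `docker_gid`; the following `if [ ${docker_gid} == ${gid} ]` then expands to a malformed test instead of the intended message. Split the lookup from the check and quote the expansions: `docker_gid=$(getent group docker | cut -d: -f3)`, `[ -n "${docker_gid}" ] || { echo >&2 "Missing docker group, docker needs to be installed"; exit 1; }`, `if [ "${docker_gid}" = "${gid}" ]; then`. Whether the script runs under `set -e` or `pipefail` is not visible in the hunk, so the explicit exit is the safer form either way.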
--- a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml +++ b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml @@ -18,7 +18,7 @@ spec: katacontainers.io/kata-runtime: cleanup containers: - name: kube-kata-cleanup - image: quay.io/kata-containers/kata-deploy:latest + image: quay.io/kata-containers/kata-deploy:2.5.0 imagePullPolicy: Always command: [ "bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh reset" ] env: diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml index a03a56b84e..f1ca83d1a7 100644 --- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml @@ -16,7 +16,7 @@ spec: serviceAccountName: kata-label-node containers: - name: kube-kata - image: quay.io/kata-containers/kata-deploy:latest + image: quay.io/kata-containers/kata-deploy:2.5.0 imagePullPolicy: Always lifecycle: preStop: From da875e7473cabc59df0a7d9c8e3dd4bfac2cbbc1 Mon Sep 17 00:00:00 2001 From: Peng Tao Date: Mon, 15 Aug 2022 07:22:43 +0000 Subject: [PATCH 7/7] release: Kata Containers 2.5.0 These patches were backported from main branch: 05b2096c0 release: Adapt kata-deploy for 2.5.0 1b930156c build: Fix clh source build as normal user 01c889fb6 runtime: Fix DisableSelinux config 59bd5c2e0 container: kill all of the processes in this container 22c005f55 nydus: upgrade nydus/nydus-snapshotter version 8220e5478 runtime: add unlock before return in sendReq 4f0ca40e0 versions: Update Firecracker version to v1.1.0 da24fd88e clh: Don't crash if no network device is set by the upper layer ed25d2cf5 versions: Update Cloud Hypervisor to v25.0 dfc1413e4 action: extend commit message line limit to 150 bytes Depends-on: github.com/kata-containers/tests#5032 Signed-off-by: Peng Tao --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 3fef9b5648..437459cd94 100644 
--- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5.0-rc0 +2.5.0