diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 901bceb4e5..d7f058c3e1 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -246,7 +246,7 @@ DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs # Please keep DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS in sync with TDX/SEV/SNP DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS := virtio-9p DEFSHAREDFS_STRATOVIRT_VIRTIOFS := virtio-fs -DEFSHAREDFS_QEMU_TDX_VIRTIOFS := virtio-9p +DEFSHAREDFS_QEMU_TDX_VIRTIOFS := none DEFSHAREDFS_QEMU_SEV_VIRTIOFS := virtio-9p DEFSHAREDFS_QEMU_SNP_VIRTIOFS := virtio-9p DEFVIRTIOFSDAEMON := $(LIBEXECDIR)/virtiofsd diff --git a/tests/integration/kubernetes/k8s-credentials-secrets.bats b/tests/integration/kubernetes/k8s-credentials-secrets.bats index a448608ff9..88db956337 100644 --- a/tests/integration/kubernetes/k8s-credentials-secrets.bats +++ b/tests/integration/kubernetes/k8s-credentials-secrets.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" get_pod_config_dir pod_yaml_file="${pod_config_dir}/pod-secret.yaml" @@ -62,6 +63,7 @@ setup() { teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-custom-dns.bats b/tests/integration/kubernetes/k8s-custom-dns.bats index 02b6f1110f..1c52bf2094 100644 --- a/tests/integration/kubernetes/k8s-custom-dns.bats +++ b/tests/integration/kubernetes/k8s-custom-dns.bats 
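Review bot: In the `src/runtime/Makefile` hunk, the context comment two lines above the change still asks to keep `DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS` in sync with TDX/SEV/SNP, but after this change TDX is `none` while COCO_DEV, SEV and SNP remain `virtio-9p`. Either the comment should record that TDX now diverges on purpose, e.g. `# TDX runs without a shared filesystem; COCO_DEV tracks SEV/SNP only`, or the dev value should follow. Setting the value to `none` presumably removes the host-to-guest shared-filesystem channel for the TDX guest. It is worth stating next to the variable whether that is a deliberate trust-boundary decision or a temporary workaround, because the dev configuration no longer exercises the same path.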
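Review bot: The `qemu-tdx` skips added to `setup()` and `teardown()` in `k8s-credentials-secrets.bats` hard-code the issue 9667 URL on each line and give no reason, unlike the neighbouring `fc` skips that read `test not working see: ${fc_limitations}`. The same line is repeated in the file-volume, inotify, nested-configmap-secret, projected-volume and volume hunks, so one shared variable defined alongside `fc_limitations` (for example `skip "test not working see: ${tdx_issue_9667}"`, variable name constructed here) would let all of them be re-enabled in one place. Judging by the file names, these tests cover Secret, ConfigMap and projected-volume delivery into the guest, so while the skips are in place the TDX configuration has no coverage of how credentials reach a confidential guest. That gap should be stated in the skip message or in the linked issue. The added lines also use `==` here but `=` in the custom-dns, liveness-probes and sysctls hunks.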
@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9663" + pod_name="custom-dns-test" file_name="/etc/resolv.conf" get_pod_config_dir @@ -37,6 +39,8 @@ setup() { } teardown() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9663" + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-file-volume.bats b/tests/integration/kubernetes/k8s-file-volume.bats index 17f9725673..f794c6e3db 100644 --- a/tests/integration/kubernetes/k8s-file-volume.bats +++ b/tests/integration/kubernetes/k8s-file-volume.bats @@ -12,6 +12,8 @@ TEST_INITRD="${TEST_INITRD:-no}" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" + pod_name="test-file-volume" container_name="busybox-file-volume-container" node="$(get_one_kata_node)" @@ -57,6 +59,7 @@ setup() { teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" kubectl describe pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index fb42974019..ba7d8da111 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats 
@@ -9,6 +9,10 @@ load "${BATS_TEST_DIRNAME}/lib.sh" load "${BATS_TEST_DIRNAME}/confidential_common.sh" setup() { + if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then + skip "${KATA_HYPERVISOR} is already running all the tests with guest-pulling, skip this specific one" + fi + if is_confidential_hardware; then skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}." fi @@ -226,6 +230,10 @@ setup() { } teardown() { + if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then + skip "${KATA_HYPERVISOR} is already running all the tests with guest-pulling, skip this specific one" + fi + if is_confidential_hardware; then skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}." fi diff --git a/tests/integration/kubernetes/k8s-inotify.bats b/tests/integration/kubernetes/k8s-inotify.bats index 193cf99dc3..7b73f30313 100644 --- a/tests/integration/kubernetes/k8s-inotify.bats +++ b/tests/integration/kubernetes/k8s-inotify.bats @@ -13,6 +13,7 @@ setup() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" issue_url="https://github.com/kata-containers/kata-containers/issues/8906" [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" get_pod_config_dir pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml @@ -47,6 +48,7 @@ teardown() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" issue_url="https://github.com/kata-containers/kata-containers/issues/8906" [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" # Debugging information kubectl describe "pod/$pod_name" kubectl delete pod "$pod_name" 
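Review bot: The new `qemu-tdx` skip at the top of `setup()` and `teardown()` in `k8s-guest-pull-image.bats` sits directly above the existing `if is_confidential_hardware; then skip ...` block, and if that helper already returns true for TDX (its definition is outside the hunk) the added branch changes only the skip message. If the intent is that TDX stays skipped even after the confidential-hardware skip is lifted, a one-line comment would keep the two checks from being merged or removed together, e.g. `# qemu-tdx guest-pulls in every test; keep this skip even once the is_confidential_hardware skip below is removed`. Both function bodies continue outside the hunks.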
diff --git a/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats b/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats index 9174855c38..e50edd97a1 100644 --- a/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats +++ b/tests/integration/kubernetes/k8s-kill-all-process-in-container.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9664" + pod_name="busybox" first_container_name="first-test-container" @@ -39,6 +41,8 @@ setup() { } teardown() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9664" + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-liveness-probes.bats b/tests/integration/kubernetes/k8s-liveness-probes.bats index ea8d51c41e..62c67f7af5 100644 --- a/tests/integration/kubernetes/k8s-liveness-probes.bats +++ b/tests/integration/kubernetes/k8s-liveness-probes.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9665" + sleep_liveness=20 agnhost_name="${container_images_agnhost_name}" agnhost_version="${container_images_agnhost_version}" @@ -89,6 +91,8 @@ setup() { } teardown() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9665" + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-nested-configmap-secret.bats b/tests/integration/kubernetes/k8s-nested-configmap-secret.bats index ebffb6e187..5c49f11c97 100644 --- a/tests/integration/kubernetes/k8s-nested-configmap-secret.bats 
+++ b/tests/integration/kubernetes/k8s-nested-configmap-secret.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" get_pod_config_dir @@ -32,6 +33,7 @@ setup() { teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-projected-volume.bats b/tests/integration/kubernetes/k8s-projected-volume.bats index 5d9f336a79..d448d62d17 100644 --- a/tests/integration/kubernetes/k8s-projected-volume.bats +++ b/tests/integration/kubernetes/k8s-projected-volume.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" get_pod_config_dir @@ -56,6 +57,7 @@ setup() { teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" # Debugging information kubectl describe "pod/$pod_name" 
diff --git a/tests/integration/kubernetes/k8s-shared-volume.bats b/tests/integration/kubernetes/k8s-shared-volume.bats index 360ea998c3..9af567eddd 100644 --- a/tests/integration/kubernetes/k8s-shared-volume.bats +++ b/tests/integration/kubernetes/k8s-shared-volume.bats @@ -40,6 +40,8 @@ setup() { } @test "initContainer with shared volume" { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9668" + pod_name="initcontainer-shared-volume" last_container="last" cmd='test $(cat /volume/initContainer) -lt $(cat /volume/container)' diff --git a/tests/integration/kubernetes/k8s-sysctls.bats b/tests/integration/kubernetes/k8s-sysctls.bats index cea2b9fb47..f7df754667 100644 --- a/tests/integration/kubernetes/k8s-sysctls.bats +++ b/tests/integration/kubernetes/k8s-sysctls.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9666" + pod_name="sysctl-test" get_pod_config_dir @@ -30,6 +32,8 @@ setup() { } teardown() { + [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9666" + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-volume.bats b/tests/integration/kubernetes/k8s-volume.bats index 4178f8b1e1..1f75398efb 100644 --- a/tests/integration/kubernetes/k8s-volume.bats +++ b/tests/integration/kubernetes/k8s-volume.bats @@ -12,6 +12,7 @@ TEST_INITRD="${TEST_INITRD:-no}" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" get_pod_config_dir 
@@ -62,6 +63,7 @@ setup() { teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667" # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh index 41538537f5..ba33d68a96 100755 --- a/tests/integration/kubernetes/setup.sh +++ b/tests/integration/kubernetes/setup.sh @@ -12,6 +12,7 @@ DEBUG="${DEBUG:-}" export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}" export KATA_HOST_OS="${KATA_HOST_OS:-}" +export KATA_HYPERVISOR="${KATA_HYPERVISOR:-}" if [ -n "${K8S_TEST_POLICY_FILES:-}" ]; then K8S_TEST_POLICY_FILES=($K8S_TEST_POLICY_FILES) @@ -56,7 +57,7 @@ add_annotations_to_yaml() { case "${resource_kind}" in Pod) - echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}" + info "Adding \"${annotation_name}=${annotation_value}\" to ${resource_kind} from ${yaml_file}" yq write -i \ "${K8S_TEST_YAML}" \ "metadata.annotations[${annotation_name}]" \ @@ -64,7 +65,7 @@ add_annotations_to_yaml() { ;; Deployment|Job|ReplicationController) - echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}" + info "Adding \"${annotation_name}=${annotation_value}\" to ${resource_kind} from ${yaml_file}" yq write -i \ "${K8S_TEST_YAML}" \ "spec.template.metadata.annotations[${annotation_name}]" \ 
@@ -72,15 +73,15 @@ add_annotations_to_yaml() { ;; List) - echo "Issue #7765: adding kernel and initrd annotations to ${resource_kind} from ${yaml_file} is not implemented yet" + info "Issue #7765: adding annotations to ${resource_kind} from ${yaml_file} is not implemented yet" ;; ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service) - echo "Kernel and initrd annotations are not required for ${resource_kind} from ${yaml_file}" + info "Annotations are not required for ${resource_kind} from ${yaml_file}" ;; *) - echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for kernel and initrd annotations testing" + info "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for annotations testing" return 1 ;; esac @@ -102,10 +103,25 @@ add_cbl_mariner_kernel_initrd_annotations() { fi } +add_runtime_handler_annotations() { + case "${KATA_HYPERVISOR}" in + qemu-tdx) + info "Add runtime handler annotations for ${KATA_HYPERVISOR}" + local handler_annotation="io.containerd.cri.runtime-handler" + local handler_value="kata-${KATA_HYPERVISOR}" + for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml + do + add_annotations_to_yaml "${K8S_TEST_YAML}" "${handler_annotation}" "${handler_value}" + done + ;; + esac +} + main() { ensure_yq reset_workloads_work_dir add_cbl_mariner_kernel_initrd_annotations + add_runtime_handler_annotations } main "$@"
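Review bot: In the `*)` branch of `add_annotations_to_yaml` (the `@@ -72,15 +73,15 @@` hunk), the unsupported-kind message now goes through `info` even though the branch ends in `return 1`, so a failure is logged at the same level as the routine messages in the branches above it. If the sourced helpers provide a warning-level logger (not visible in this hunk), it fits better here, e.g. `warn "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for annotations testing"`. The function starts and ends outside this hunk.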
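Review bot: The loop in `add_runtime_handler_annotations` iterates `runtimeclass_workloads_work/*.yaml` relative to the current directory, so when the directory is empty or the script runs from elsewhere the unexpanded pattern itself is passed to `add_annotations_to_yaml`. A guard as the first statement of the loop body, `[ -f "${K8S_TEST_YAML}" ] || continue`, avoids that. The loop variable `K8S_TEST_YAML` is left as a global, which appears to be required because `add_annotations_to_yaml` edits `${K8S_TEST_YAML}` rather than the path it is passed (visible in the earlier hunk); a comment such as `# add_annotations_to_yaml edits ${K8S_TEST_YAML}, not its argument` would make that coupling explicit. An unsupported resource kind makes the helper return 1, and whether that aborts the loop depends on shell options set outside this hunk.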