Merge pull request #9315 from fidencio/topic/adapt-TEEs-for-shared_fs-none

TEEs: Use `shared_fs=none` for TDX

src/runtime/Makefile

@@ -246,7 +246,7 @@ DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs
 # Please keep DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS in sync with TDX/SEV/SNP
 DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS := virtio-9p
 DEFSHAREDFS_STRATOVIRT_VIRTIOFS := virtio-fs
-DEFSHAREDFS_QEMU_TDX_VIRTIOFS := virtio-9p
+DEFSHAREDFS_QEMU_TDX_VIRTIOFS := none
 DEFSHAREDFS_QEMU_SEV_VIRTIOFS := virtio-9p
 DEFSHAREDFS_QEMU_SNP_VIRTIOFS := virtio-9p
 DEFVIRTIOFSDAEMON := $(LIBEXECDIR)/virtiofsd

tests/integration/kubernetes/k8s-credentials-secrets.bats

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	get_pod_config_dir
 	pod_yaml_file="${pod_config_dir}/pod-secret.yaml"
@@ -62,6 +63,7 @@ setup() {
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	# Debugging information
 	kubectl describe "pod/$pod_name"

tests/integration/kubernetes/k8s-custom-dns.bats

@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9663"
+
 	pod_name="custom-dns-test"
 	file_name="/etc/resolv.conf"
 	get_pod_config_dir
@@ -37,6 +39,8 @@ setup() {
 }
 
 teardown() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9663"
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"
 

tests/integration/kubernetes/k8s-file-volume.bats

@@ -12,6 +12,8 @@ TEST_INITRD="${TEST_INITRD:-no}"
 setup() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
+
 	pod_name="test-file-volume"
 	container_name="busybox-file-volume-container"
 	node="$(get_one_kata_node)"
@@ -57,6 +59,7 @@ setup() {
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	kubectl describe pod "$pod_name"
 

tests/integration/kubernetes/k8s-guest-pull-image.bats

@@ -9,6 +9,10 @@ load "${BATS_TEST_DIRNAME}/lib.sh"
 load "${BATS_TEST_DIRNAME}/confidential_common.sh"
 
 setup() {
+    if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+	    skip "${KATA_HYPERVISOR} is already running all the tests with guest-pulling, skip this specific one"
+    fi
+
     if is_confidential_hardware; then
         skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}."
     fi
@@ -226,6 +230,10 @@ setup() {
 }
 
 teardown() {
+    if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+	    skip "${KATA_HYPERVISOR} is already running all the tests with guest-pulling, skip this specific one"
+    fi
+
     if is_confidential_hardware; then
         skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}."
     fi

tests/integration/kubernetes/k8s-inotify.bats

@@ -13,6 +13,7 @@ setup() {
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 	issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
 	[ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 	get_pod_config_dir
 
 	pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml
@@ -47,6 +48,7 @@ teardown() {
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 	issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
 	[ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 	# Debugging information
 	kubectl describe "pod/$pod_name"
 	kubectl delete pod "$pod_name"

tests/integration/kubernetes/k8s-kill-all-process-in-container.bats

@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9664"
+
 	pod_name="busybox"
 	first_container_name="first-test-container"
 
@@ -39,6 +41,8 @@ setup() {
 }
 
 teardown() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9664"
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"
 

tests/integration/kubernetes/k8s-liveness-probes.bats

@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9665"
+
 	sleep_liveness=20
 	agnhost_name="${container_images_agnhost_name}"
 	agnhost_version="${container_images_agnhost_version}"
@@ -89,6 +91,8 @@ setup() {
 }
 
 teardown() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9665"
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"
 

tests/integration/kubernetes/k8s-nested-configmap-secret.bats

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 	
 	get_pod_config_dir
 
@@ -32,6 +33,7 @@ setup() {
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	# Debugging information
 	kubectl describe "pod/$pod_name"

tests/integration/kubernetes/k8s-projected-volume.bats

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	get_pod_config_dir
 
@@ -56,6 +57,7 @@ setup() {
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	# Debugging information
 	kubectl describe "pod/$pod_name"

tests/integration/kubernetes/k8s-shared-volume.bats

@@ -40,6 +40,8 @@ setup() {
 }
 
 @test "initContainer with shared volume" {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9668"
+
 	pod_name="initcontainer-shared-volume"
 	last_container="last"
 	cmd='test $(cat /volume/initContainer) -lt $(cat /volume/container)'

tests/integration/kubernetes/k8s-sysctls.bats

@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9666"
+
 	pod_name="sysctl-test"
 	get_pod_config_dir
 
@@ -30,6 +32,8 @@ setup() {
 }
 
 teardown() {
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9666"
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"
 

tests/integration/kubernetes/k8s-volume.bats

@@ -12,6 +12,7 @@ TEST_INITRD="${TEST_INITRD:-no}"
 setup() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	get_pod_config_dir
 
@@ -62,6 +63,7 @@ setup() {
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+	[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/9667"
 
 	# Debugging information
 	kubectl describe "pod/$pod_name"

tests/integration/kubernetes/setup.sh

@@ -12,6 +12,7 @@ DEBUG="${DEBUG:-}"
 
 export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}"
 export KATA_HOST_OS="${KATA_HOST_OS:-}"
+export KATA_HYPERVISOR="${KATA_HYPERVISOR:-}"
 
 if [ -n "${K8S_TEST_POLICY_FILES:-}" ]; then
 	K8S_TEST_POLICY_FILES=($K8S_TEST_POLICY_FILES)
@@ -56,7 +57,7 @@ add_annotations_to_yaml() {
 	case "${resource_kind}" in
 
 	Pod)
-		echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}"
+		info "Adding \"${annotation_name}=${annotation_value}\" to ${resource_kind} from ${yaml_file}"
 		yq write -i \
 		  "${K8S_TEST_YAML}" \
 		  "metadata.annotations[${annotation_name}]" \
@@ -64,7 +65,7 @@ add_annotations_to_yaml() {
 		;;
 
 	Deployment|Job|ReplicationController)
-		echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}"
+		info "Adding \"${annotation_name}=${annotation_value}\" to ${resource_kind} from ${yaml_file}"
 		yq write -i \
 		  "${K8S_TEST_YAML}" \
 		  "spec.template.metadata.annotations[${annotation_name}]" \
@@ -72,15 +73,15 @@ add_annotations_to_yaml() {
 		;;
 
 	List)
-		echo "Issue #7765: adding kernel and initrd annotations to ${resource_kind} from ${yaml_file} is not implemented yet"
+		info "Issue #7765: adding annotations to ${resource_kind} from ${yaml_file} is not implemented yet"
 		;;
 
 	ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service)
-		echo "Kernel and initrd annotations are not required for ${resource_kind} from ${yaml_file}"
+		info "Annotations are not required for ${resource_kind} from ${yaml_file}"
 		;;
 
 	*)
-		echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for kernel and initrd annotations testing"
+		info "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for annotations testing"
 		return 1
 		;;
 	esac
@@ -102,10 +103,25 @@ add_cbl_mariner_kernel_initrd_annotations() {
 	fi
 }
 
+add_runtime_handler_annotations() {
+	case "${KATA_HYPERVISOR}" in
+		qemu-tdx)
+			info "Add runtime handler annotations for ${KATA_HYPERVISOR}"
+			local handler_annotation="io.containerd.cri.runtime-handler"
+			local handler_value="kata-${KATA_HYPERVISOR}"
+			for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
+			do
+				add_annotations_to_yaml "${K8S_TEST_YAML}" "${handler_annotation}" "${handler_value}"
+			done
+			;;
+	esac
+}
+
 main() {
 	ensure_yq
 	reset_workloads_work_dir
 	add_cbl_mariner_kernel_initrd_annotations
+	add_runtime_handler_annotations
 }
 
 main "$@"