Merge pull request #3368 from snir911/backports-2.3

stable-2.3 Missing backports

ci/openshift-ci/images/Dockerfile.buildroot

@@ -6,4 +6,9 @@
 #
 FROM registry.centos.org/centos:8
 
-RUN yum -y update && yum -y install git sudo wget
+RUN yum -y update && \
+    yum -y install \
+    git \
+    sudo \
+    wget && \
+    yum clean all

pkg/logging/Cargo.toml

@@ -7,15 +7,15 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-serde_json = "1.0.39"
+serde_json = "1.0.73"
 # slog:
 # - Dynamic keys required to allow HashMap keys to be slog::Serialized.
 # - The 'max_*' features allow changing the log level at runtime
 #   (by stopping the compiler from removing log calls).
-slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
+slog = { version = "2.7.0", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
-slog-json = "2.3.0"
+slog-json = "2.4.0"
-slog-async = "2.3.0"
+slog-async = "2.7.0"
-slog-scope = "4.1.2"
+slog-scope = "4.4.0"
 
 [dev-dependencies]
-tempfile = "3.1.0"
+tempfile = "3.2.0"

src/agent/Cargo.toml

@@ -24,7 +24,7 @@ serial_test = "0.5.1"
 # Async helpers
 async-trait = "0.1.42"
 async-recursion = "0.3.2"
-futures = "0.3.12"
+futures = "0.3.17"
 
 # Async runtime
 tokio = { version = "1", features = ["full"] }
@@ -45,10 +45,10 @@ slog-scope = "4.1.2"
 slog-stdlog = "4.0.0"
 log = "0.4.11"
 
-prometheus = { version = "0.9.0", features = ["process"] }
+prometheus = { version = "0.13.0", features = ["process"] }
-procfs = "0.7.9"
+procfs = "0.12.0"
 anyhow = "1.0.32"
-cgroups = { package = "cgroups-rs", version = "0.2.5" }
+cgroups = { package = "cgroups-rs", version = "0.2.8" }
 
 # Tracing
 tracing = "0.1.26"

src/agent/oci/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
 edition = "2018"
 
 [dependencies]
-serde = "1.0.91"
+serde = "1.0.131"
-serde_derive = "1.0.91"
+serde_derive = "1.0.131"
-serde_json = "1.0.39"
+serde_json = "1.0.73"
-libc = "0.2.58"
+libc = "0.2.112"

src/agent/rustjail/Cargo.toml

@@ -23,7 +23,7 @@ scan_fmt = "0.2"
 regex = "1.1"
 path-absolutize = "1.2.0"
 anyhow = "1.0.32"
-cgroups = { package = "cgroups-rs", version = "0.2.5" }
+cgroups = { package = "cgroups-rs", version = "0.2.8" }
 rlimit = "0.5.3"
 
 tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "macros"] }

src/agent/src/metrics.rs

@@ -23,50 +23,50 @@ macro_rules! sl {
 lazy_static! {
 
     static ref     AGENT_SCRAPE_COUNT: IntCounter =
-    prometheus::register_int_counter!(format!("{}_{}",NAMESPACE_KATA_AGENT,"scrape_count").as_ref(), "Metrics scrape count").unwrap();
+    prometheus::register_int_counter!(format!("{}_{}",NAMESPACE_KATA_AGENT,"scrape_count"), "Metrics scrape count").unwrap();
 
     static ref     AGENT_THREADS: Gauge =
-    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"threads").as_ref(), "Agent process threads").unwrap();
+    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"threads"), "Agent process threads").unwrap();
 
     static ref     AGENT_TOTAL_TIME: Gauge =
-    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_time").as_ref(), "Agent process total time").unwrap();
+    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_time"), "Agent process total time").unwrap();
 
     static ref     AGENT_TOTAL_VM: Gauge =
-    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_vm").as_ref(), "Agent process total VM size").unwrap();
+    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_vm"), "Agent process total VM size").unwrap();
 
     static ref     AGENT_TOTAL_RSS: Gauge =
-    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_rss").as_ref(), "Agent process total RSS size").unwrap();
+    prometheus::register_gauge!(format!("{}_{}",NAMESPACE_KATA_AGENT,"total_rss"), "Agent process total RSS size").unwrap();
 
     static ref     AGENT_PROC_STATUS: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"proc_status").as_ref(), "Agent process status.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"proc_status"), "Agent process status.", &["item"]).unwrap();
 
     static ref     AGENT_IO_STAT: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"io_stat").as_ref(), "Agent process IO statistics.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"io_stat"), "Agent process IO statistics.", &["item"]).unwrap();
 
     static ref     AGENT_PROC_STAT: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"proc_stat").as_ref(), "Agent process statistics.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_AGENT,"proc_stat"), "Agent process statistics.", &["item"]).unwrap();
 
     // guest os metrics
     static ref     GUEST_LOAD: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"load").as_ref() , "Guest system load.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"load") , "Guest system load.", &["item"]).unwrap();
 
     static ref     GUEST_TASKS: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"tasks").as_ref() , "Guest system load.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"tasks") , "Guest system load.", &["item"]).unwrap();
 
     static ref     GUEST_CPU_TIME: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"cpu_time").as_ref() , "Guest CPU statistics.", &["cpu","item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"cpu_time") , "Guest CPU statistics.", &["cpu","item"]).unwrap();
 
     static ref     GUEST_VM_STAT: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"vm_stat").as_ref() , "Guest virtual memory statistics.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"vm_stat") , "Guest virtual memory statistics.", &["item"]).unwrap();
 
     static ref     GUEST_NETDEV_STAT: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"netdev_stat").as_ref() , "Guest net devices statistics.", &["interface","item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"netdev_stat") , "Guest net devices statistics.", &["interface","item"]).unwrap();
 
     static ref     GUEST_DISKSTAT: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"diskstat").as_ref() , "Disks statistics in system.", &["disk","item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"diskstat") , "Disks statistics in system.", &["disk","item"]).unwrap();
 
     static ref     GUEST_MEMINFO: GaugeVec =
-    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"meminfo").as_ref() , "Statistics about memory usage in the system.", &["item"]).unwrap();
+    prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"meminfo") , "Statistics about memory usage in the system.", &["item"]).unwrap();
 }
 
 #[instrument]
@@ -348,17 +348,17 @@ fn set_gauge_vec_cpu_time(gv: &prometheus::GaugeVec, cpu: &str, cpu_time: &procf
     gv.with_label_values(&[cpu, "idle"])
         .set(cpu_time.idle as f64);
     gv.with_label_values(&[cpu, "iowait"])
-        .set(cpu_time.iowait.unwrap_or(0.0) as f64);
+        .set(cpu_time.iowait.unwrap_or(0) as f64);
     gv.with_label_values(&[cpu, "irq"])
-        .set(cpu_time.irq.unwrap_or(0.0) as f64);
+        .set(cpu_time.irq.unwrap_or(0) as f64);
     gv.with_label_values(&[cpu, "softirq"])
-        .set(cpu_time.softirq.unwrap_or(0.0) as f64);
+        .set(cpu_time.softirq.unwrap_or(0) as f64);
     gv.with_label_values(&[cpu, "steal"])
-        .set(cpu_time.steal.unwrap_or(0.0) as f64);
+        .set(cpu_time.steal.unwrap_or(0) as f64);
     gv.with_label_values(&[cpu, "guest"])
-        .set(cpu_time.guest.unwrap_or(0.0) as f64);
+        .set(cpu_time.guest.unwrap_or(0) as f64);
     gv.with_label_values(&[cpu, "guest_nice"])
-        .set(cpu_time.guest_nice.unwrap_or(0.0) as f64);
+        .set(cpu_time.guest_nice.unwrap_or(0) as f64);
 }
 
 #[instrument]
@@ -470,7 +470,7 @@ fn set_gauge_vec_proc_status(gv: &prometheus::GaugeVec, status: &procfs::process
     gv.with_label_values(&["vmswap"])
         .set(status.vmswap.unwrap_or(0) as f64);
     gv.with_label_values(&["hugetlbpages"])
-        .set(status.hugetblpages.unwrap_or(0) as f64);
+        .set(status.hugetlbpages.unwrap_or(0) as f64);
     gv.with_label_values(&["voluntary_ctxt_switches"])
         .set(status.voluntary_ctxt_switches.unwrap_or(0) as f64);
     gv.with_label_values(&["nonvoluntary_ctxt_switches"])

src/agent/src/mount.rs

@@ -405,14 +405,18 @@ async fn bind_watcher_storage_handler(
     logger: &Logger,
     storage: &Storage,
     sandbox: Arc<Mutex<Sandbox>>,
+    cid: Option<String>,
 ) -> Result<()> {
     let mut locked = sandbox.lock().await;
-    let container_id = locked.id.clone();
 
-    locked
+    if let Some(cid) = cid {
-        .bind_watcher
+        locked
-        .add_container(container_id, iter::once(storage.clone()), logger)
+            .bind_watcher
-        .await
+            .add_container(cid, iter::once(storage.clone()), logger)
+            .await
+    } else {
+        Ok(())
+    }
 }
 
 // mount_storage performs the mount described by the storage structure.
@@ -518,6 +522,7 @@ pub async fn add_storages(
     logger: Logger,
     storages: Vec<Storage>,
     sandbox: Arc<Mutex<Sandbox>>,
+    cid: Option<String>,
 ) -> Result<Vec<String>> {
     let mut mount_list = Vec::new();
 
@@ -548,7 +553,8 @@ pub async fn add_storages(
             }
             DRIVER_NVDIMM_TYPE => nvdimm_storage_handler(&logger, &storage, sandbox.clone()).await,
             DRIVER_WATCHABLE_BIND_TYPE => {
-                bind_watcher_storage_handler(&logger, &storage, sandbox.clone()).await?;
+                bind_watcher_storage_handler(&logger, &storage, sandbox.clone(), cid.clone())
+                    .await?;
                 // Don't register watch mounts, they're handled separately by the watcher.
                 Ok(String::new())
             }

src/agent/src/rpc.rs

@@ -148,6 +148,10 @@ impl AgentService {
         };
 
         info!(sl!(), "receive createcontainer, spec: {:?}", &oci);
+        info!(
+            sl!(),
+            "receive createcontainer, storages: {:?}", &req.storages
+        );
 
         // Some devices need some extra processing (the ones invoked with
         // --device for instance), and that's what this call is doing. It
@@ -163,7 +167,13 @@ impl AgentService {
         // After all those storages have been processed, no matter the order
         // here, the agent will rely on rustjail (using the oci.Mounts
         // list) to bind mount all of them inside the container.
-        let m = add_storages(sl!(), req.storages.to_vec(), self.sandbox.clone()).await?;
+        let m = add_storages(
+            sl!(),
+            req.storages.to_vec(),
+            self.sandbox.clone(),
+            Some(req.container_id.clone()),
+        )
+        .await?;
         {
             sandbox = self.sandbox.clone();
             s = sandbox.lock().await;
@@ -573,6 +583,7 @@ impl protocols::agent_ttrpc::AgentService for AgentService {
     ) -> ttrpc::Result<Empty> {
         trace_rpc_call!(ctx, "remove_container", req);
         is_allowed!(req);
+
         match self.do_remove_container(req).await {
             Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e.to_string())),
             Ok(_) => Ok(Empty::new()),
@@ -1002,7 +1013,7 @@ impl protocols::agent_ttrpc::AgentService for AgentService {
                 .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e.to_string()))?;
         }
 
-        match add_storages(sl!(), req.storages.to_vec(), self.sandbox.clone()).await {
+        match add_storages(sl!(), req.storages.to_vec(), self.sandbox.clone(), None).await {
             Ok(m) => {
                 let sandbox = self.sandbox.clone();
                 let mut s = sandbox.lock().await;
@@ -1709,6 +1720,7 @@ mod tests {
             fd: -1,
             mh: MessageHeader::default(),
             metadata: std::collections::HashMap::new(),
+            timeout_nano: 0,
         }
     }
 

src/trace-forwarder/Cargo.toml

@@ -13,7 +13,7 @@ edition = "2018"
 futures = "0.3.15"
 clap = "2.33.0"
 vsock = "0.2.3"
-nix = "0.21.0"
+nix = "0.23.0"
 libc = "0.2.94"
 serde = { version = "1.0.126", features = ["derive"] }
 bincode = "1.3.3"
@@ -23,9 +23,9 @@ anyhow = "1.0.31"
 opentelemetry = { version = "0.14.0", features=["serialize"] }
 opentelemetry-jaeger = "0.13.0"
 protobuf = "=2.14.0"
-tracing-opentelemetry = "0.13.0"
+tracing-opentelemetry = "0.16.0"
-tracing = "0.1.26"
+tracing = "0.1.29"
-tracing-subscriber = "0.2.18"
+tracing-subscriber = "0.3.3"
 
 # Note: this crate sets the slog 'max_*' features which allows the log level
 # to be modified at runtime.

tools/agent-ctl/Cargo.toml

@@ -21,19 +21,19 @@ hex = "0.4.2"
 byteorder = "1.3.4"
 
 logging = { path = "../../pkg/logging" }
-slog = "2.5.2"
+slog = "2.7.0"
-slog-scope = "4.3.0"
+slog-scope = "4.4.0"
-rand = "0.7.3"
+rand = "0.8.4"
 protobuf = "2.14.0"
 
-nix = "0.21.0"
+nix = "0.23.0"
-libc = "0.2.69"
+libc = "0.2.112"
 # XXX: Must be the same as the version used by the agent
 ttrpc = { version = "0.5.0" }
 
 # For parsing timeouts
-humantime = "2.0.0"
+humantime = "2.1.0"
 
 # For Options (state passing)
-serde = { version = "1.0.110", features = ["derive"] }
+serde = { version = "1.0.131", features = ["derive"] }
-serde_json = "1.0.53"
+serde_json = "1.0.73"

tools/agent-ctl/src/utils.rs

@@ -234,7 +234,7 @@ pub fn generate_random_hex_string(len: u32) -> String {
 
     let str: String = (0..len)
         .map(|_| {
-            let idx = rng.gen_range(0, CHARSET.len());
+            let idx = rng.gen_range(0..CHARSET.len());
             CHARSET[idx] as char
         })
         .collect();

tools/osbuilder/Makefile

@@ -182,7 +182,6 @@ SCRIPTS += image-builder/image_builder.sh
 SCRIPTS += initrd-builder/initrd_builder.sh
 
 HELPER_FILES :=
-HELPER_FILES += rootfs-builder/versions.txt
 HELPER_FILES += scripts/lib.sh
 HELPER_FILES += image-builder/nsdax.gpl.c
 
@@ -202,7 +201,7 @@ install-scripts:
 	@$(foreach f,$(SCRIPTS),$(call INSTALL_SCRIPT,$f,$(INSTALL_DIR)))
 	@echo "Installing helper files"
 	@$(foreach f,$(HELPER_FILES),$(call INSTALL_FILE,$f,$(INSTALL_DIR)))
-	@echo "Installing installing config files"
+	@echo "Installing config files"
 	@$(foreach f,$(DIST_CONFIGS),$(call INSTALL_FILE,$f,$(INSTALL_DIR)))
 
 .PHONY: clean

tools/osbuilder/dockerfiles/QAT/Dockerfile

@@ -42,7 +42,8 @@ RUN dnf install -y \
     systemd-devel \
     sudo \
     xz \
-    yasm
+    yasm && \
+    dnf clean all
 
 # Add in non-privileged user
 RUN useradd qatbuilder -p "" && \

tools/osbuilder/dracut/Dockerfile.in

@@ -3,8 +3,13 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+# openSUSE Tumbleweed image has only 'latest' tag so ignore DL3006 rule.
+# hadolint ignore=DL3006
 from opensuse/tumbleweed
 
+# zypper -y or --non-interactive can be used interchangeably here so ignore
+# DL3034 rule.
+# hadolint ignore=DL3034
 RUN zypper --non-interactive refresh; \
     zypper --non-interactive install --no-recommends --force-resolution \
     autoconf \

tools/osbuilder/image-builder/Dockerfile

@@ -5,6 +5,14 @@
 ARG IMAGE_REGISTRY=registry.fedoraproject.org
 FROM ${IMAGE_REGISTRY}/fedora:34
 
-RUN [ -n "$http_proxy" ] && sed -i '$ a proxy='$http_proxy /etc/dnf/dnf.conf ; true
+RUN ([ -n "$http_proxy" ] && \
-
+    sed -i '$ a proxy='$http_proxy /etc/dnf/dnf.conf ; true) && \
-RUN dnf install -y qemu-img parted gdisk e2fsprogs gcc xfsprogs findutils
+    dnf install -y \
+        e2fsprogs \
+        findutils \
+        gcc \
+        gdisk \
+        parted \
+        qemu-img \
+        xfsprogs && \
+    dnf clean all

tools/osbuilder/image-builder/image_builder.sh

@@ -137,13 +137,16 @@ build_with_container() {
 	image_dir=$(readlink -f "$(dirname "${image}")")
 	image_name=$(basename "${image}")
 
-	REGISTRY_ARG=""
+	engine_build_args=""
 	if [ -n "${IMAGE_REGISTRY}" ]; then
-		REGISTRY_ARG="--build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
+		engine_build_args+=" --build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
+	fi
+	if [ -n "${USE_PODMAN}" ]; then
+		engine_build_args+=" --runtime ${DOCKER_RUNTIME}"
 	fi
 
 	"${container_engine}" build  \
-		   ${REGISTRY_ARG} \
+		   ${engine_build_args} \
 		   --build-arg http_proxy="${http_proxy}" \
 		   --build-arg https_proxy="${https_proxy}" \
 		   -t "${container_image_name}" "${script_dir}"

tools/osbuilder/rootfs-builder/alpine/Dockerfile.in

@@ -26,4 +26,5 @@ RUN apk update && apk add \
     make \
     musl \
     musl-dev \
+    protoc \
     tar

tools/osbuilder/rootfs-builder/centos/Dockerfile.in

@@ -32,7 +32,8 @@ RUN yum -y update && yum install -y \
     sed \
     tar \
     vim \
-    which
+    which && \
+    yum clean all
 
 # This will install the proper packages to build Kata components
 @INSTALL_MUSL@

tools/osbuilder/rootfs-builder/clearlinux/Dockerfile.in

@@ -35,7 +35,8 @@ RUN dnf -y update && dnf install -y \
     systemd \
     tar \
     vim \
-    which
+    which && \
+    dnf clean all
 
 # This will install the proper packages to build Kata components
 @INSTALL_MUSL@

tools/osbuilder/rootfs-builder/fedora/Dockerfile.in

@@ -35,7 +35,8 @@ RUN dnf -y update && dnf install -y \
     systemd \
     tar \
     vim \
-    which
+    which && \
+    dnf clean all
 
 # This will install the proper packages to build Kata components
 @INSTALL_MUSL@

tools/osbuilder/rootfs-builder/gentoo/Dockerfile.in

@@ -4,6 +4,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 ARG IMAGE_REGISTRY=docker.io
+# stage3-amd64 image has only 'latest' tag so ignore DL3006 rule.
+# hadolint ignore=DL3007
 FROM ${IMAGE_REGISTRY}/gentoo/stage3-amd64:latest
 
 # This dockerfile needs to provide all the componets need to build a rootfs

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -353,23 +353,24 @@ build_rootfs_distro()
 		info "build directly"
 		build_rootfs ${ROOTFS_DIR}
 	else
+		engine_build_args=""
 		if [ -n "${USE_DOCKER}" ]; then
 			container_engine="docker"
 		elif [ -n "${USE_PODMAN}" ]; then
 			container_engine="podman"
+			engine_build_args+=" --runtime ${DOCKER_RUNTIME}"
 		fi
 
 		image_name="${distro}-rootfs-osbuilder"
 
-		REGISTRY_ARG=""
 		if [ -n "${IMAGE_REGISTRY}" ]; then
-			REGISTRY_ARG="--build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
+			engine_build_args+=" --build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
 		fi
 
 		# setup to install rust here
 		generate_dockerfile "${distro_config_dir}"
 		"$container_engine" build  \
-			${REGISTRY_ARG} \
+			${engine_build_args} \
 			--build-arg http_proxy="${http_proxy}" \
 			--build-arg https_proxy="${https_proxy}" \
 			-t "${image_name}" "${distro_config_dir}"
@@ -377,21 +378,21 @@ build_rootfs_distro()
 		# fake mapping if KERNEL_MODULES_DIR is unset
 		kernel_mod_dir=${KERNEL_MODULES_DIR:-${ROOTFS_DIR}}
 
-		docker_run_args=""
+		engine_run_args=""
-		docker_run_args+=" --rm"
+		engine_run_args+=" --rm"
 		# apt sync scans all possible fds in order to close them, incredibly slow on VMs
-		docker_run_args+=" --ulimit nofile=262144:262144"
+		engine_run_args+=" --ulimit nofile=262144:262144"
-		docker_run_args+=" --runtime ${DOCKER_RUNTIME}"
+		engine_run_args+=" --runtime ${DOCKER_RUNTIME}"
 
 		if [ -z "${AGENT_SOURCE_BIN}" ] ; then
-			docker_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
+			engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
 		else
-			docker_run_args+=" --env AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN}"
+			engine_run_args+=" --env AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN}"
-			docker_run_args+=" -v ${AGENT_SOURCE_BIN}:${AGENT_SOURCE_BIN}"
+			engine_run_args+=" -v ${AGENT_SOURCE_BIN}:${AGENT_SOURCE_BIN}"
-			docker_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
+			engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
 		fi
 
-		docker_run_args+=" $(docker_extra_args $distro)"
+		engine_run_args+=" $(docker_extra_args $distro)"
 
 		# Relabel volumes so SELinux allows access (see docker-run(1))
 		if command -v selinuxenabled > /dev/null && selinuxenabled ; then
@@ -432,7 +433,7 @@ build_rootfs_distro()
 			-v "${ROOTFS_DIR}":"/rootfs" \
 			-v "${script_dir}/../scripts":"/scripts" \
 			-v "${kernel_mod_dir}":"${kernel_mod_dir}" \
-			$docker_run_args \
+			$engine_run_args \
 			${image_name} \
 			bash /kata-containers/tools/osbuilder/rootfs-builder/rootfs.sh "${distro}"
 

tools/osbuilder/rootfs-builder/suse/Dockerfile.in

@@ -6,7 +6,7 @@
 ARG IMAGE_REGISTRY=docker.io
 #suse: docker image to be used to create a rootfs
 #@OS_VERSION@: Docker image version to build this dockerfile
-FROM ${IMAGE_REGISTRY}/opensuse/leap
+FROM ${IMAGE_REGISTRY}/opensuse/leap:15.0
 
 # This dockerfile needs to provide all the componets need to build a rootfs
 # Install any package need to create a rootfs (package manager, extra tools)

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in

@@ -35,7 +35,9 @@ RUN apt-get update && apt-get install -y \
     sed \
     systemd \
     tar \
-    vim
+    vim && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
 # This will install the proper packages to build Kata components
 @INSTALL_MUSL@
 @INSTALL_RUST@

tools/packaging/kata-deploy/Dockerfile

@@ -6,7 +6,7 @@ FROM registry.centos.org/centos:7 AS base
 
 ENV container docker
 
-RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+RUN (cd /lib/systemd/system/sysinit.target.wants/ && for i in *; do [ "$i" = systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*; \
 rm -f /etc/systemd/system/*.wants/*; \
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
@@ -25,7 +25,7 @@ ARG KUBE_ARCH=amd64
 ARG KATA_ARTIFACTS=./kata-static.tar.xz
 ARG DESTINATION=/opt/kata-artifacts
 
-COPY ${KATA_ARTIFACTS} .
+COPY ${KATA_ARTIFACTS} ${WORKDIR}
 
 RUN \
 yum -y update && \
@@ -37,7 +37,7 @@ tar xvf ${KATA_ARTIFACTS} -C ${DESTINATION}/ && \
 chown -R root:root ${DESTINATION}/
 
 RUN \
-curl -Lso /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${KUBE_ARCH}/kubectl && \
+curl -Lso /bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${KUBE_ARCH}/kubectl" && \
 chmod +x /bin/kubectl
 
 COPY scripts ${DESTINATION}/scripts

tools/packaging/kata-deploy/action/Dockerfile

@@ -1,7 +1,7 @@
 # Copyright (c) 2019 Intel Corporation
 #
 # SPDX-License-Identifier: Apache-2.0
-FROM mcr.microsoft.com/azure-cli:latest
+FROM mcr.microsoft.com/azure-cli:2.9.1
 
 LABEL com.github.actions.name="Test kata-deploy in an AKS cluster"
 LABEL com.github.actions.description="Test kata-deploy in an AKS cluster"
@@ -16,14 +16,14 @@ ENV GITHUB_ACTION_NAME="Test kata-deploy in an AKS cluster"
 # PKG_SHA environment variable
 ENV PKG_SHA=HEAD
 
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${ARCH}/kubectl \
+RUN curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${ARCH}/kubectl" \
   && chmod +x ./kubectl \
   && mv ./kubectl /usr/local/bin/kubectl
 
-RUN curl -LO https://github.com/Azure/aks-engine/releases/download/${AKS_ENGINE_VER}/aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz \
+RUN curl -LO "https://github.com/Azure/aks-engine/releases/download/${AKS_ENGINE_VER}/aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz" \
-  && tar xvf aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz \
+  && tar "xvf aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz" \
-  && mv aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}/aks-engine /usr/local/bin/aks-engine \
+  && mv "aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}/aks-engine" /usr/local/bin/aks-engine \
-  && rm aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz
+  && rm "aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz"
 
 COPY kubernetes-containerd.json /
 COPY setup-aks.sh test-kata.sh entrypoint.sh /

tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile

@@ -6,17 +6,19 @@ FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND=noninteractive
 ENV INSTALL_IN_GOPATH=false
 
-ADD install_yq.sh /usr/bin/install_yq.sh
+COPY install_yq.sh /usr/bin/install_yq.sh
 
 
-# yq installer deps
+# Install yq and docker
-RUN apt update && apt-get install -y curl sudo
+RUN apt-get update && \
-
+    apt-get install -y --no-install-recommends \
-# Install yq
+        ca-certificates \
-RUN install_yq.sh
+        curl \
-
+        sudo && \
-RUN curl -fsSL https://get.docker.com -o get-docker.sh
+    apt-get clean && rm -rf /var/lib/apt/lists/ && \
-RUN sh get-docker.sh
+    install_yq.sh && \
+    curl -fsSL https://get.docker.com -o get-docker.sh && \
+    sh get-docker.sh
 
 ARG IMG_USER=kata-builder
 ARG UID=1000
@@ -27,12 +29,14 @@ RUN sh -c "echo '${IMG_USER} ALL=NOPASSWD: ALL' >> /etc/sudoers"
 
 #FIXME: gcc is required as agent is build out of a container build.
 RUN apt-get update && \
-    apt install --no-install-recommends -y \
+  apt-get install --no-install-recommends -y \
-    cpio \
+  build-essential \
-    gcc \
+  cpio \
-    git \
+  gcc \
-    make \
+  git \
-    xz-utils
+  make \
+  xz-utils && \
+  apt-get clean && rm -rf /var/lib/apt/lists
 
 ENV USER ${IMG_USER}
 USER ${UID}:${GID}

tools/packaging/kata-deploy/scripts/kata-deploy.sh

@@ -266,6 +266,11 @@ function main() {
 
 		containerd_conf_file="${containerd_conf_tmpl_file}"
 		containerd_conf_file_backup="${containerd_conf_file}.bak"
+	else
+		# runtime == containerd
+		if [ ! -f "$containerd_conf_file" ]; then
+			containerd config default > "$containerd_conf_file"
+		fi
 	fi
 
 	action=${1:-}

tools/packaging/kata-monitor/Dockerfile

@@ -1,13 +1,14 @@
+# Copyright (c) 2020 Eric Ernst
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.15-alpine
+FROM golang:1.15-alpine AS builder
 
-RUN apk add bash curl git make
+RUN apk add --no-cache bash curl git make
 WORKDIR /go/src/github.com/kata-containers/kata-containers/src/runtime
 COPY . /go/src/github.com/kata-containers/kata-containers
 RUN SKIP_GO_VERSION_CHECK=true make monitor
 
-FROM alpine:latest
+FROM alpine:3.14
-COPY --from=0 /go/src/github.com/kata-containers/kata-containers/src/runtime/kata-monitor /usr/bin/kata-monitor
+COPY --from=builder /go/src/github.com/kata-containers/kata-containers/src/runtime/kata-monitor /usr/bin/kata-monitor
 CMD ["-h"]
 ENTRYPOINT ["/usr/bin/kata-monitor"]

tools/packaging/static-build/kernel/Dockerfile

@@ -2,19 +2,20 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM ubuntu
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND=noninteractive
 
 # kernel deps
-RUN apt update
+RUN apt-get update && \
-RUN apt install -y \
+    apt-get install -y --no-install-recommends \
 	    bc \
 	    bison \
 	    build-essential \
+	    ca-certificates \
 	    curl \
 	    flex \
 	    git \
 	    iptables \
-	    libelf-dev
+	    libelf-dev && \
-
+    if [ "$(uname -m)" = "s390x" ]; then apt-get install -y --no-install-recommends libssl-dev; fi && \
-RUN [ "$(uname -m)" = "s390x" ] && apt-get install -y libssl-dev || true
+    apt-get clean && rm -rf /var/lib/lists/

tools/packaging/static-build/qemu/Dockerfile

@@ -12,8 +12,8 @@ WORKDIR /root/qemu
 ARG CACHE_TIMEOUT
 RUN echo "$CACHE_TIMEOUT"
 
-RUN apt-get update && apt-get upgrade -y
+RUN apt-get update && apt-get upgrade -y && \
-RUN apt-get --no-install-recommends install -y \
+    apt-get --no-install-recommends install -y \
 	    apt-utils \
 	    autoconf \
 	    automake \
@@ -46,40 +46,33 @@ RUN apt-get --no-install-recommends install -y \
 	    python \
 	    python-dev \
 	    rsync \
-	    zlib1g-dev
+	    zlib1g-dev && \
-
+    if [ "$(uname -m)" != "s390x" ]; then apt-get install -y --no-install-recommends libpmem-dev; fi && \
-RUN [ "$(uname -m)" != "s390x" ] && apt-get install -y libpmem-dev || true
+    apt-get clean && rm -rf /var/lib/apt/lists/
 
 ARG QEMU_REPO
-
-RUN cd  .. && git clone "${QEMU_REPO}" qemu
-
 # commit/tag/branch
 ARG QEMU_VERSION
-
-RUN git checkout "${QEMU_VERSION}"
-RUN git clone https://github.com/qemu/capstone.git capstone
-RUN git clone https://github.com/qemu/keycodemapdb.git ui/keycodemapdb
-RUN git clone https://github.com/qemu/meson.git meson
-RUN git clone https://github.com/qemu/berkeley-softfloat-3.git tests/fp/berkeley-softfloat-3
-RUN git clone https://github.com/qemu/berkeley-testfloat-3.git tests/fp/berkeley-testfloat-3
-
-ADD scripts/configure-hypervisor.sh /root/configure-hypervisor.sh
-ADD qemu /root/kata_qemu
-ADD scripts/apply_patches.sh /root/apply_patches.sh
-ADD scripts/patch_qemu.sh /root/patch_qemu.sh
-
-RUN /root/patch_qemu.sh "${QEMU_VERSION}" "/root/kata_qemu/patches"
-
 ARG PREFIX
 ARG BUILD_SUFFIX
-RUN PREFIX="${PREFIX}" /root/configure-hypervisor.sh -s "kata-qemu${BUILD_SUFFIX}" | xargs ./configure \
-	--with-pkgversion="kata-static${BUILD_SUFFIX}"
-
-RUN make -j$(nproc)
 ARG QEMU_DESTDIR
-RUN make install DESTDIR="${QEMU_DESTDIR}"
 ARG QEMU_TARBALL
-ADD static-build/scripts/qemu-build-post.sh /root/static-build/scripts/qemu-build-post.sh
+
-ADD static-build/qemu.blacklist /root/static-build/qemu.blacklist
+COPY scripts/configure-hypervisor.sh /root/configure-hypervisor.sh
-RUN /root/static-build/scripts/qemu-build-post.sh
+COPY qemu /root/kata_qemu
+COPY scripts/apply_patches.sh /root/apply_patches.sh
+COPY scripts/patch_qemu.sh /root/patch_qemu.sh
+COPY static-build/scripts/qemu-build-post.sh /root/static-build/scripts/qemu-build-post.sh
+COPY static-build/qemu.blacklist /root/static-build/qemu.blacklist
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN git clone --depth=1 "${QEMU_REPO}" qemu && \
+    cd qemu && \
+    git fetch --depth=1 origin "${QEMU_VERSION}" && git checkout FETCH_HEAD && \
+    scripts/git-submodule.sh update meson capstone && \
+    /root/patch_qemu.sh "${QEMU_VERSION}" "/root/kata_qemu/patches" && \
+    (PREFIX="${PREFIX}" /root/configure-hypervisor.sh -s "kata-qemu${BUILD_SUFFIX}" | xargs ./configure \
+	--with-pkgversion="kata-static${BUILD_SUFFIX}") && \
+    make -j"$(nproc)" && \
+    make install DESTDIR="${QEMU_DESTDIR}" && \
+    /root/static-build/scripts/qemu-build-post.sh

tools/packaging/static-build/shim-v2/Dockerfile

@@ -2,18 +2,21 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM ubuntu
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && \
-    apt-get install -y \
+    apt-get install -y --no-install-recommends \
+        build-essential \
+        ca-certificates \
         curl \
         gcc \
         git \
         make \
-        sudo
+        sudo && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
 
-ADD install_go.sh /usr/bin/install_go.sh
+COPY install_go.sh /usr/bin/install_go.sh
 ARG GO_VERSION
 RUN install_go.sh "${GO_VERSION}"
 ENV PATH=/usr/local/go/bin:${PATH}

tools/packaging/tests/Dockerfile/FedoraDockerfile.in

@@ -14,15 +14,14 @@ ENV GOPATH=/home/go
 ENV TESTS_REPOSITORY_PATH="${GOPATH}/src/${TESTS_REPO}"
 ENV AGENT_INIT=yes TEST_INITRD=yes OSBUILDER_DISTRO=alpine
 
-# Install packages
+# Install packages and build and install Kata Containers
-RUN sudo dnf -y install kata-proxy kata-ksm-throttler kata-osbuilder kata-runtime kata-shim
+RUN dnf -y install kata-proxy kata-ksm-throttler kata-osbuilder kata-runtime kata-shim && \
-RUN sudo mkdir "${GOPATH}"
+    mkdir "${GOPATH}" && \
-RUN sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
+    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
-RUN sudo dnf makecache
+    dnf makecache && dnf -y install docker-ce && dnf clean all && \
-RUN sudo dnf -y install docker-ce
+    go get -d "${TESTS_REPO}" && \
-RUN go get -d "${TESTS_REPO}"
+    cd "${TESTS_REPOSITORY_PATH}" && .ci/install_kata_image.sh && \
-RUN cd "${TESTS_REPOSITORY_PATH}" && .ci/install_kata_image.sh
+    cd "${TESTS_REPOSITORY_PATH}" && .ci/install_kata_kernel.sh && \
-RUN cd "${TESTS_REPOSITORY_PATH}" && .ci/install_kata_kernel.sh
+    kata-runtime kata-env
-RUN kata-runtime kata-env
 
 CMD ["/bin/bash"]

utils/kata-manager.sh

@@ -136,17 +136,16 @@ github_get_release_file_url()
 	local url="${1:-}"
 	local version="${2:-}"
 
-	download_url=$(curl -sL "$url" |\
+	download_urls=$(curl -sL "$url" |\
 		jq --arg version "$version" \
-		-r '.[] | select(.tag_name == $version) | .assets[0].browser_download_url' || true)
+		-r '.[] | select(.tag_name == $version) | .assets[].browser_download_url' |\
+		grep static)
 
-	[ "$download_url" = null ] && download_url=""
+	[ -z "$download_urls" ] && die "Cannot determine download URL for version $version ($url)"
-	[ -z "$download_url" ] && die "Cannot determine download URL for version $version ($url)"
 
 	local arch=$(uname -m)
-
+	local download_url=$(grep "$arch" <<< "$download_urls")
-	[ "$arch" = x86_64 ] && arch="($arch|amd64)"
+	[ -z "$download_url" ] && die "No release for architecture '$arch' ($url)"
-	echo "$download_url" | egrep -q "$arch" || die "No release for '$arch architecture ($url)"
 
 	echo "$download_url"
 }