From 1222800f7c9333a5e130888144fad2fad3f1d179 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 17 May 2023 19:21:52 +0200
Subject: [PATCH] runtime: Use static_sandbox_resource_mgmt=true for TEEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When this option is enabled the runtime will attempt to determine the appropriate sandbox size (memory, CPU) before booting the virtual machine. As TEEs do not support memory and CPU hotplug, this approach must be used.
Fixes: #6818
Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/Makefile | 2 ++
 src/runtime/config/configuration-qemu-sev.toml.in | 2 +-
 src/runtime/config/configuration-qemu-snp.toml.in | 2 +-
 src/runtime/config/configuration-qemu-tdx.toml.in | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 10b1d48087..931647de33 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -266,6 +266,7 @@ DEFVFIOMODE := guest-kernel
 DEFSANDBOXCGROUPONLY ?= false
 DEFSTATICRESOURCEMGMT ?= false
+DEFSTATICRESOURCEMGMT_TEE = true
 DEFBINDMOUNTS := []
@@ -685,6 +686,7 @@ USER_VARS += DEFVALIDENTROPYSOURCES
 USER_VARS += DEFSANDBOXCGROUPONLY
 USER_VARS += DEFSTATICRESOURCEMGMT
 USER_VARS += DEFSTATICRESOURCEMGMT_FC
+USER_VARS += DEFSTATICRESOURCEMGMT_TEE
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFVFIOMODE
 USER_VARS += BUILDFLAGS
diff --git a/src/runtime/config/configuration-qemu-sev.toml.in b/src/runtime/config/configuration-qemu-sev.toml.in
index c7e735165e..d40555fa2d 100644
--- a/src/runtime/config/configuration-qemu-sev.toml.in
+++ b/src/runtime/config/configuration-qemu-sev.toml.in
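Review bot: The new `DEFSTATICRESOURCEMGMT_TEE = true` in the first Makefile hunk is a plain `=` assignment while the sibling `DEFSTATICRESOURCEMGMT ?= false` two lines above is `?=`, and nothing at the definition says the difference is deliberate; since the second hunk also exports it through USER_VARS, a reader will assume it is a tunable like the others. The commit message gives the reason (TEE guests cannot hot-plug CPUs or memory, so the sandbox has to be sized before launch), and that reason belongs next to the variable so nobody later "harmonises" it to `?=` or sets it to false from the environment. Suggested comment above the new line: `# TEE guests (SEV/SNP/TDX) cannot hot-plug CPUs or memory, so their configs must size the sandbox up front; deliberately not env-overridable.` Whether DEFSTATICRESOURCEMGMT_FC uses the same form is not visible in this patch, so the comment should be adjusted if that sibling follows a different convention.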
@@ -600,7 +600,7 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
 # does not yet support sandbox sizing annotations.
 # - When running single containers using a tool like ctr, container sizing information will be available.
-static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT@
+static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT_TEE@
 # If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
 # This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in
index ea7c94c576..d01de64b8e 100644
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@@ -592,7 +592,7 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
 # does not yet support sandbox sizing annotations.
 # - When running single containers using a tool like ctr, container sizing information will be available.
-static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT@
+static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT_TEE@
 # If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
 # This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
index 3adfb480a3..d43c9cea18 100644
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
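Review bot: The comment block kept above the changed `static_sandbox_resource_mgmt` line in the SEV hunk still reads as the description of a generic, optional tunable, and it does not record that for a SEV guest the value has to stay `true` because, as the commit message states, the guest cannot hot-plug CPUs or memory after launch. The same context comment says sizing annotations are unavailable on CRI-O and on older Kubernetes/containerd, so with static management an operator on such a stack presumably ends up with a sandbox fixed at this file's default CPU and memory values for its whole lifetime, which is worth stating as an availability caveat rather than leaving implicit. Suggested addition directly above the setting: `# NOTE: SEV guests cannot hot-plug CPUs or memory, so this must remain enabled for this configuration;` followed by `# without sandbox sizing information the sandbox is limited to the static defaults in this file and cannot grow later.` The SNP hunk (same physical line) and the TDX hunk on the next line change the identical setting and would take the same two comment lines with the guest type adjusted.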
@@ -613,7 +613,7 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
 # does not yet support sandbox sizing annotations.
 # - When running single containers using a tool like ctr, container sizing information will be available.
-static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT@
+static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT_TEE@
 # If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
 # This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.