From 40a15ac7607ba977679f1830a9811845a36a5064 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 12 Apr 2025 13:04:55 +0200 Subject: [PATCH 1/4] build: Allow adding a guest-hook to the rootfs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Kata Containers provides, since forever, a way to run OCI guest-hooks from the rootfs, as long as the files are dropped in a specific location defined in the configuration.toml. However, so far, it's been up to the ones using it to hack the generated image in order to add those guest hooks, which is far from handy. Let's add a way for the ones interested on this feature to just drop a tarball file under the same known build directory, spcificy an env var, and let the guest hooks be installed during the rootfs build. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 11 +++++++++++ tools/packaging/guest-image/build_image.sh | 7 +++++-- .../kata-deploy-binaries-in-docker.sh | 2 ++ .../local-build/kata-deploy-binaries.sh | 16 ++++++++++++++++ 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index fabbba4ee..bab6ac03f 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -32,6 +32,7 @@ SELINUX=${SELINUX:-"no"} AGENT_POLICY=${AGENT_POLICY:-no} AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""} AGENT_TARBALL=${AGENT_TARBALL:-""} +GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}" COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""} CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}" PAUSE_IMAGE_TARBALL=${PAUSE_IMAGE_TARBALL:-""} 
@@ -520,6 +521,11 @@ build_rootfs_distro() engine_run_args+=" -v $(dirname ${PAUSE_IMAGE_TARBALL}):$(dirname ${PAUSE_IMAGE_TARBALL})" fi + if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then + engine_run_args+=" --env GUEST_HOOKS_TARBALL=${GUEST_HOOKS_TARBALL}" + engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL})" + fi + engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" engine_run_args+=" $(docker_extra_args $distro)" @@ -784,6 +790,11 @@ EOF ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego" fi + if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then + info "Install the ${GUEST_HOOKS_TARBALL} guest hooks" + tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}" + fi + info "Check init is installed" [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}" OK "init is installed" diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index b53902230..228b3e1c1 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -21,6 +21,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)" export GOPATH=${GOPATH:-${HOME}/go} export AGENT_TARBALL=${AGENT_TARBALL:-} +export GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}" ARCH=${ARCH:-$(uname -m)} if [ $(uname -m) == "${ARCH}" ]; then @@ -48,7 +49,8 @@ build_initrd() { AGENT_POLICY="${AGENT_POLICY:-}" \ PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ - PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" + PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ + GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then nvidia_driver_version=$(cat "${builddir}"/initrd-image/*/nvidia_driver_version) 
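Review bot: The mount added in build_rootfs_distro() exposes the whole parent directory of the tarball to the build container read-write, and both `$(dirname ${GUEST_HOOKS_TARBALL})` expansions are unquoted. The build only reads the archive, so binding just the file read-only is enough: `engine_run_args+=" -v ${GUEST_HOOKS_TARBALL}:${GUEST_HOOKS_TARBALL}:ro"`. A relative value makes `dirname` return `.`, which is not a usable mount source, so the path should be required to be absolute or resolved before use. The adjacent PAUSE_IMAGE_TARBALL mount has the same shape, and the function body continues outside the hunk, so how `engine_run_args` is expanded later is not visible here.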
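Review bot: The new `tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"` unpacks an unverified archive over the root of the guest rootfs with permissions preserved, so its members can replace any file already installed, including the `default-policy.rego` link written just above, not only the guest-hook directory named in configuration.toml. Nothing checks that the file exists or matches an expected digest before extraction. I would add `[[ -f "${GUEST_HOOKS_TARBALL}" ]] || die "guest hooks tarball ${GUEST_HOOKS_TARBALL} not found"`, compare a caller-supplied SHA-256 first, and list the members with `tar tJf` to reject anything outside the hooks directory before extracting. The enclosing function starts and ends outside the hunk.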
@@ -77,7 +79,8 @@ build_image() { AGENT_POLICY="${AGENT_POLICY:-}" \ PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ - PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" + PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ + GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then nvidia_driver_version=$(cat "${builddir}"/rootfs-image/*/nvidia_driver_version) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index f7abd5b05..02d878ede 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -105,6 +105,7 @@ USE_CACHE="${USE_CACHE:-}" BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-} NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-} +GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" docker run \ -v $HOME/.docker:/root/.docker \ @@ -137,6 +138,7 @@ docker run \ --env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \ --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \ + --env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \ --env AA_KBC="${AA_KBC:-}" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 04492266c..ffe0a9c86 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -49,6 +49,7 @@ ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}" ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}" ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" +GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" TARGET_BRANCH="${TARGET_BRANCH:-main}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}" KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}" @@ -311,6 +312,13 @@ get_pause_image_tarball_path() { echo "${pause_image_local_build_dir}/${pause_image_tarball_name}" } +get_guest_hooks_tarball_path() { + guest_hooks_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + guest_hooks_tarball_name="${GUEST_HOOKS_TARBALL_NAME}" + + echo "${guest_hooks_local_build_dir}/${guest_hooks_tarball_name}" +} + get_latest_pause_image_artefact_and_builder_image_version() { local pause_image_repo="$(get_from_kata_deps ".externals.pause.repo")" local pause_image_version=$(get_from_kata_deps ".externals.pause.version") @@ -386,6 +394,10 @@ install_image() { export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_POLICY=yes + if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then + export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } @@ -468,6 +480,10 @@ install_initrd() { export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_POLICY=yes + if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then + export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } From 5d0688079a4ecd91622ae54bf94aacfafad6847f Mon Sep 17 00:00:00 2001 
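Review bot: get_guest_hooks_tarball_path() joins GUEST_HOOKS_TARBALL_NAME onto the build directory without checking it, so a value containing `/` resolves outside `local-build/build`, and that path is then bind-mounted and unpacked into the rootfs by the rootfs.sh changes in this patch. Rejecting anything that is not a bare file name keeps the "drop it in the build directory" contract from the commit message, e.g. `[[ "${GUEST_HOOKS_TARBALL_NAME}" != */* ]] || die "GUEST_HOOKS_TARBALL_NAME must be a file name, not a path"` (assuming the `die` helper used in rootfs.sh is also available in this script). The two helper variables should be declared `local`, as the neighbouring get_latest_pause_image_artefact_and_builder_image_version() does, so they do not leak into the global scope.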
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 12 Apr 2025 13:13:53 +0200 Subject: [PATCH 2/4] build: Allow users to specificy EXTRA_PKGS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Right now we've had some logic to add EXTRA_PKGS, but those were restrict to the nvidia builds, and would require changing the file manually. Let's make sure a user can add this just by specifying an env var. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-binaries-in-docker.sh | 2 ++ .../local-build/kata-deploy-binaries.sh | 17 +++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 02d878ede..b4745043f 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -106,6 +106,7 @@ BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-} NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-} GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" +EXTRA_PKGS="${EXTRA_PKGS:-}" docker run \ -v $HOME/.docker:/root/.docker \ @@ -139,6 +140,7 @@ docker run \ --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \ --env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \ + --env EXTRA_PKGS="${EXTRA_PKGS}" \ --env AA_KBC="${AA_KBC:-}" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index ffe0a9c86..6b13104ad 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -50,6 +50,7 @@ ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}" ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" +EXTRA_PKGS="${EXTRA_PKGS:-}" TARGET_BRANCH="${TARGET_BRANCH:-main}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}" KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}" @@ -398,6 +399,10 @@ install_image() { export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" fi + if [[ -n "${EXTRA_PKGS}" ]]; then + export EXTRA_PKGS + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } @@ -484,6 +489,10 @@ install_initrd() { export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" fi + if [[ -n "${EXTRA_PKGS}" ]]; then + export EXTRA_PKGS + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } @@ -516,7 +525,7 @@ install_initrd_confidential() { # Install NVIDIA GPU image install_image_nvidia_gpu() { export AGENT_POLICY="yes" - export EXTRA_PKGS="apt" + EXTRA_PKGS="apt ${EXTRA_PKGS}" NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"} install_image "nvidia-gpu" } @@ -524,7 +533,7 @@ install_image_nvidia_gpu() { # Install NVIDIA GPU initrd install_initrd_nvidia_gpu() { export AGENT_POLICY="yes" - export EXTRA_PKGS="apt" + EXTRA_PKGS="apt ${EXTRA_PKGS}" NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"} install_initrd "nvidia-gpu" } 
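Review bot: `EXTRA_PKGS="apt ${EXTRA_PKGS}"` in install_image_nvidia_gpu() rewrites the script-wide variable rather than a per-call value, so if several targets are built in one invocation each NVIDIA target prepends another `apt` and the list stays set for whatever is built afterwards; the same line is added in install_initrd_nvidia_gpu(), install_image_nvidia_gpu_confidential() and install_initrd_nvidia_gpu_confidential(). It also leaves a trailing space when the user set nothing. A function-local exported value avoids both: `local -x EXTRA_PKGS="apt${EXTRA_PKGS:+ ${EXTRA_PKGS}}"`. Because these packages end up inside the guest image, logging the final list with `info` before calling the rootfs builder would make the image contents auditable.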
@@ -532,7 +541,7 @@ install_initrd_nvidia_gpu() { # Instal NVIDIA GPU confidential image install_image_nvidia_gpu_confidential() { export AGENT_POLICY="yes" - export EXTRA_PKGS="apt" + EXTRA_PKGS="apt ${EXTRA_PKGS}" # TODO: export MEASURED_ROOTFS=yes NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"} install_image "nvidia-gpu-confidential" @@ -541,7 +550,7 @@ install_image_nvidia_gpu_confidential() { # Install NVIDIA GPU confidential initrd install_initrd_nvidia_gpu_confidential() { export AGENT_POLICY="yes" - export EXTRA_PKGS="apt" + EXTRA_PKGS="apt ${EXTRA_PKGS}" # TODO: export MEASURED_ROOTFS=yes NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"} install_initrd "nvidia-gpu-confidential" From 2fef594f1476773f946edd8786ede695348b600e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 12 Apr 2025 13:17:21 +0200 Subject: [PATCH 3/4] build: Allow users to define AGENT_POLICY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is mostly used for Kata Containers backing up Confidential Computing use cases, this also has benefits for the normal Kata Containers use cases, this it's left enabled by default. However, let's allow users to specify whether or not they want to have it enabled, as depending on their use-case, it just does not make sense. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries-in-docker.sh | 2 ++ .../local-build/kata-deploy-binaries.sh | 15 ++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index b4745043f..410ba5297 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
@@ -107,6 +107,7 @@ NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-} GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" EXTRA_PKGS="${EXTRA_PKGS:-}" +AGENT_POLICY="${AGENT_POLICY:-yes}" docker run \ -v $HOME/.docker:/root/.docker \ @@ -141,6 +142,7 @@ docker run \ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \ --env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \ --env EXTRA_PKGS="${EXTRA_PKGS}" \ + --env AGENT_POLICY="${AGENT_POLICY}" \ --env AA_KBC="${AA_KBC:-}" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 6b13104ad..1838ac2e7 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -51,6 +51,7 @@ ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" EXTRA_PKGS="${EXTRA_PKGS:-}" +AGENT_POLICY="${AGENT_POLICY:-yes}" TARGET_BRANCH="${TARGET_BRANCH:-main}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}" KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}" @@ -393,7 +394,7 @@ install_image() { fi export AGENT_TARBALL=$(get_agent_tarball_path) - export AGENT_POLICY=yes + export AGENT_POLICY if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" @@ -483,7 +484,7 @@ install_initrd() { fi export AGENT_TARBALL=$(get_agent_tarball_path) - export AGENT_POLICY=yes + export AGENT_POLICY if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" 
@@ -524,7 +525,7 @@ install_initrd_confidential() { # # Install NVIDIA GPU image install_image_nvidia_gpu() { - export AGENT_POLICY="yes" + export AGENT_POLICY EXTRA_PKGS="apt ${EXTRA_PKGS}" NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"} install_image "nvidia-gpu" @@ -532,7 +533,7 @@ install_image_nvidia_gpu() { # Install NVIDIA GPU initrd install_initrd_nvidia_gpu() { - export AGENT_POLICY="yes" + export AGENT_POLICY EXTRA_PKGS="apt ${EXTRA_PKGS}" NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"} install_initrd "nvidia-gpu" @@ -540,7 +541,7 @@ install_initrd_nvidia_gpu() { # Instal NVIDIA GPU confidential image install_image_nvidia_gpu_confidential() { - export AGENT_POLICY="yes" + export AGENT_POLICY EXTRA_PKGS="apt ${EXTRA_PKGS}" # TODO: export MEASURED_ROOTFS=yes NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"} @@ -549,7 +550,7 @@ install_image_nvidia_gpu_confidential() { # Install NVIDIA GPU confidential initrd install_initrd_nvidia_gpu_confidential() { - export AGENT_POLICY="yes" + export AGENT_POLICY EXTRA_PKGS="apt ${EXTRA_PKGS}" # TODO: export MEASURED_ROOTFS=yes NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"} @@ -962,7 +963,7 @@ install_agent() { export GPERF_URL="$(get_from_kata_deps ".externals.gperf.url")" info "build static agent" - DESTDIR="${destdir}" AGENT_POLICY="yes" PULL_TYPE=${PULL_TYPE} "${agent_builder}" + DESTDIR="${destdir}" AGENT_POLICY="${AGENT_POLICY}" PULL_TYPE=${PULL_TYPE} "${agent_builder}" } install_coco_guest_components() { From 5e363dc277614b1ca76c1e52e78351f51b0cd3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sun, 13 Apr 2025 22:20:28 +0200 Subject: [PATCH 4/4] virtiofsd: Update to v1.13.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's been released for some time already ... and although we did have the necessary patches in, we better to stick to a released version of the project. 
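Review bot: In install_image_nvidia_gpu_confidential() and install_initrd_nvidia_gpu_confidential() the hard-coded `export AGENT_POLICY="yes"` becomes a bare `export AGENT_POLICY`, so `AGENT_POLICY=no` in the environment now also produces confidential variants built without the agent policy. The commit message motivates the opt-out for use cases where the policy is not wanted; for the confidential targets I would keep it mandatory or fail loudly, e.g. `[[ "${AGENT_POLICY}" == "yes" ]] || die "confidential builds require AGENT_POLICY=yes"` (assuming a `die` helper is available in this script). The value is never validated either, so a misspelt setting is passed straight to the builders, and how they treat it is not visible here. The bare `export AGENT_POLICY` lines in the four NVIDIA functions are redundant with the one now in install_image() and install_initrd().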
Signed-off-by: Fabiano Fidêncio --- versions.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/versions.yaml b/versions.yaml index a0f810a22..e908644d1 100644 --- a/versions.yaml +++ b/versions.yaml @@ -364,9 +364,14 @@ externals: virtiofsd: description: "vhost-user virtio-fs device backend written in Rust" url: "https://gitlab.com/virtio-fs/virtiofsd" - # v1.13.0 + seccomp patch allowing the tkill syscall - version: "cecc61bca981ab42aae6ec490dfd59965e79025e" - toolchain: "1.83.0" + version: "v1.13.1" + toolchain: "1.80.0" + meta: + # From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.13.1, + # this is the link labelled virtiofsd-v1.13.1.zip + # + # yamllint disable-line rule:line-length + binary: "https://gitlab.com/-/project/21523468/uploads/05d4925181301a59b8c322cd9f9d44a7/virtiofsd-v1.13.1.zip" xurls: description: |
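Review bot: `version` moves from a full commit hash to the tag `v1.13.1`, and the new `meta.binary` URL is recorded without a digest, so neither the source checkout nor the downloaded zip is pinned to immutable content. A tag can be moved upstream; keeping the commit the tag points to (with the tag in a comment) and storing a checksum beside the URL, e.g. `sha256: "<sha256 of virtiofsd-v1.13.1.zip>"`, lets the build verify what it fetched, provided the script that reads `meta.binary` is extended to check it. The removed comment says the old pin carried a seccomp patch allowing the `tkill` syscall; the commit message implies the release contains it, which is worth confirming against v1.13.1. The toolchain also drops from 1.83.0 to 1.80.0 with no explanation in the message.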