diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index b0697fd840..1d3b729ff5 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -17,6 +17,8 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+
+	//"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -28,6 +30,8 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
 
+	cri "github.com/containerd/containerd/pkg/cri/annotations"
+	crio "github.com/containers/podman/v4/pkg/annotations"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/api"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/drivers"
@@ -36,6 +40,7 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	resCtrl "github.com/kata-containers/kata-containers/src/runtime/pkg/resourcecontrol"
 	exp "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/experimental"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/image"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist"
 	persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
 	pbTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
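Review bot: The commented-out `//"strconv"` import and the blank line added just above it are leftovers in the stdlib group that should not land; either the package is needed and the import is real, or both added lines go. As written the stdlib block is split in two by an empty line, which goimports will regroup on the next pass, so this hunk will churn again. Drop the two `+` lines.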
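Review bot: Importing `github.com/containers/podman/v4/pkg/annotations` (and the containerd cri annotations package) into the runtime only to read two annotation key constants pulls a large module tree into the shim's dependency graph, a supply-chain cost out of proportion to the use. Both values are plain string constants that could be declared locally in virtcontainers with a comment naming the upstream source, e.g. `// keep in sync with containerd cri annotations.SandboxName and podman annotations.SandboxName`. If the podman module is already required in go.mod for other reasons this is less pressing, but I cannot see that from here.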
@@ -134,52 +139,38 @@ type SandboxResourceSizing struct {
 // SandboxConfig is a Sandbox configuration.
 type SandboxConfig struct {
 	// Annotations keys must be unique strings and must be name-spaced
-	Annotations map[string]string
-
+	// with e.g. reverse domain notation (org.clearlinux.key).
+	Annotations map[string]string
+	Hostname string
+	ID string
+	HypervisorType HypervisorType
 	// Custom SELinux security policy to the container process inside the VM
 	GuestSeLinuxLabel string
-
-	HypervisorType HypervisorType
-
-	ID string
-
-	Hostname string
-
+	// Volumes is a list of shared volumes between the host and the Sandbox.
+	Volumes []types.Volume
 	// SandboxBindMounts - list of paths to mount into guest
 	SandboxBindMounts []string
-
 	// Experimental features enabled
 	Experimental []exp.Feature
-
 	// Containers describe the list of containers within a Sandbox.
 	// This list can be empty and populated by adding containers
 	// to the Sandbox a posteriori.
-	// TODO: this should be a map to avoid duplicated containers
-	Containers []ContainerConfig
-
-	Volumes []types.Volume
-
-	NetworkConfig NetworkConfig
-
-	AgentConfig KataAgentConfig
-
+	//TODO: this should be a map to avoid duplicated containers
+	Containers []ContainerConfig
+	NetworkConfig NetworkConfig
+	AgentConfig KataAgentConfig
 	HypervisorConfig HypervisorConfig
-
-	ShmSize uint64
-
+	ShmSize uint64
 	SandboxResources SandboxResourceSizing
-
-	VfioMode config.VFIOModeType
-
+	VfioMode config.VFIOModeType
 	// StaticResourceMgmt indicates if the shim should rely on statically sizing the sandbox (VM)
 	StaticResourceMgmt bool
-
+	// Offload the CRI image management service to the Kata agent.
+	ServiceOffload bool
 	// SharePidNs sets all containers to share the same sandbox level pid namespace.
 	SharePidNs bool
-
 	// SystemdCgroup enables systemd cgroup support
 	SystemdCgroup bool
-
 	// SandboxCgroupOnly enables cgroup only at podlevel in the host
 	SandboxCgroupOnly bool
 
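Review bot: `ServiceOffload` is the one security-relevant addition in this struct and its comment does not say what changes when it is set; since this diff also adds `Sandbox.PullImage`, which just forwards to the agent, the field should spell out that image pulls then happen inside the guest rather than on the host, so a reader of the config knows where image verification has to be enforced. I would write `// ServiceOffload delegates CRI image management (e.g. image pulls) to the Kata agent inside the guest instead of the host.` The reordering also moves `Hostname`, `ID` and `HypervisorType` next to `Annotations` without giving them a comment, and `//TODO:` lost its space; restore `// TODO:` to match the file's other comments.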
@@ -339,6 +330,7 @@ func (s *Sandbox) Release(ctx context.Context) error {
 	if s.monitor != nil {
 		s.monitor.stop()
 	}
+	s.fsShare.StopFileEventWatcher(ctx)
 	s.hypervisor.Disconnect(ctx)
 	return s.agent.disconnect(ctx)
 }
@@ -621,6 +613,21 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor
 		return nil, err
 	}
 
+	if len(sandboxConfig.Containers) > 0 {
+		// These values are required by remote hypervisor
+		for _, a := range []string{cri.SandboxName, crio.SandboxName} {
+			if value, ok := sandboxConfig.Containers[0].Annotations[a]; ok {
+				sandboxConfig.HypervisorConfig.SandboxName = value
+			}
+		}
+
+		for _, a := range []string{cri.SandboxNamespace, crio.Namespace} {
+			if value, ok := sandboxConfig.Containers[0].Annotations[a]; ok {
+				sandboxConfig.HypervisorConfig.SandboxNamespace = value
+			}
+		}
+	}
+
 	// If we have a confidential guest we need to cold-plug the PCIe VFIO devices
 	// until we have TDISP/IDE PCIe support.
 	coldPlugVFIO := (sandboxConfig.HypervisorConfig.ColdPlugVFIO != hv.NoPort)
@@ -1292,6 +1299,13 @@ func (s *Sandbox) startVM(ctx context.Context, prestartHookFunc func(context.Con
 		return err
 	}
 
+	// not sure how we know that this callback has been executed
+	if s.config.HypervisorConfig.ConfidentialGuest && s.config.HypervisorConfig.GuestPreAttestation {
+		if err := s.hypervisor.AttestVM(ctx); err != nil {
+			return err
+		}
+	}
+
 	if prestartHookFunc != nil {
 		hid, err := s.GetHypervisorPid()
 		if err != nil {
@@ -2683,3 +2697,8 @@ func (s *Sandbox) resetVCPUsPinning(ctx context.Context, vCPUThreadsMap VcpuThre
 	}
 	return nil
 }
+
+// PullImage pulls an image on a sandbox.
+func (s *Sandbox) PullImage(ctx context.Context, req *image.PullImageReq) (*image.PullImageResp, error) {
+	return s.agent.PullImage(ctx, req)
+}
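Review bot: `s.fsShare.StopFileEventWatcher(ctx)` is called unconditionally, right after `s.monitor` is nil-checked on the line above; if `fsShare` can be unset on a sandbox that reaches Release (for instance one rebuilt from persisted state), this nil-derefs where the monitor path would not. I cannot see how fsShare is populated from this hunk, so if it is always set by the time Release runs, a one-line comment saying so is enough; otherwise guard it with `if s.fsShare != nil { s.fsShare.StopFileEventWatcher(ctx) }`. If the method returns an error, it is also being dropped here without a comment saying that is intended.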
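Review bot: The two annotation loops let the last matching key win silently, so a pod carrying both the containerd and the CRI-O `SandboxName` keys with different values ends up with the CRI-O value and no trace of the conflict; these annotations come from the pod spec via the CRI runtime, so they are caller-controlled, and the comment says a remote hypervisor consumes them. I would stop at the first hit with a `break` after each assignment and document the precedence, and whatever reads `HypervisorConfig.SandboxName`/`SandboxNamespace` should validate length and character set before building any name or path from them — that consumer is not visible here. Also, `sandboxConfig` is a value parameter, so these writes only reach the hypervisor if the copy it is handed is taken after this point; worth confirming, since the rest of newSandbox is outside the hunk.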
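Review bot: The comment `// not sure how we know that this callback has been executed` is a question to the author, not documentation, and it sits on the line that gates guest pre-attestation; it should be resolved before this merges. If the intent is that `AttestVM` must succeed before the prestart hook runs and before the agent is used, state that and the failure mode, e.g. `// With pre-attestation enabled the guest must attest before any hook runs or the agent is contacted; a failed attestation aborts startVM.` Whether the caller tears the VM down on that error is not visible here (startVM starts and ends outside the hunk), so that is worth a sentence as well.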
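Review bot: `Sandbox.PullImage` forwards the request to the agent without checking the `ServiceOffload` flag this same diff adds to SandboxConfig, so a caller can ask the agent to pull an image on a sandbox where image management was never offloaded; unless every caller gates on it (not visible here), I would reject that up front with `if !s.config.ServiceOffload { return nil, fmt.Errorf("image service offload is not enabled") }`, assuming fmt is already imported in this file. The doc comment could also say that the pull is delegated to the agent inside the guest rather than performed on the host.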