Merge pull request #10786 from zvonkok/gpu-config-update

gpu: Update config files

src/runtime/Makefile

@@ -439,17 +439,26 @@ ifneq (,$(QEMUCMD))
     KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_CONFIDENTIAL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
     KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
 
-    DEFAULTVCPUS_NV = 16
-    DEFAULTMEMORY_NV = 65536
-    DEFAULTTIMEOUT_NV = 320
+    DEFAULTVCPUS_NV = 1
+    DEFAULTMEMORY_NV = 2048
+    DEFAULTTIMEOUT_NV = 500
     DEFAULTVFIOPORT_NV = root-port
     DEFAULTPCIEROOTPORT_NV = 8
 
     KERNELPARAMS_NV =  "agent.hotplug_timeout=20"
-    KERNELPARAMS_NV += $(KERNELPARAMS)
+    KERNELPARAMS_NV += "cgroup_no_v1=all"
 
-    KERNELTDXPARAMS_NV = "authorize_allow_devs=pci:ALL"
-    KERNELTDXPARAMS_NV += $(KERNELTDXPARAMS)
+    KERNELTDXPARAMS_NV = $(KERNELPARAMS_NV)
+    KERNELTDXPARAMS_NV += "clearcpuid=mtrr"
+    KERNELTDXPARAMS_NV += "authorize_allow_devs=pci:ALL"
+
+    KERNELSNPPARAMS_NV = $(KERNELPARAMS_NV)
+
+    # Setting this to false can lead to cgroup leakages in the host
+    # Best practice for production is to set this to true
+    DEFSANDBOXCGROUPONLY_NV = true
+    # The latest OVMF build should be good for both TDX and SNP
+    FIRMWAREPATH_NV := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 endif
 
 ifneq (,$(CLHCMD))
@@ -617,7 +626,10 @@ USER_VARS += DEFAULTVFIOPORT_NV
 USER_VARS += DEFAULTPCIEROOTPORT_NV
 USER_VARS += KERNELPARAMS_NV
 USER_VARS += KERNELTDXPARAMS_NV
+USER_VARS += KERNELSNPPARAMS_NV
 USER_VARS += DEFAULTTIMEOUT_NV
+USER_VARS += DEFSANDBOXCGROUPONLY_NV
+USER_VARS += FIRMWAREPATH_NV
 USER_VARS += DEFROOTFSTYPE
 USER_VARS += MACHINETYPE
 USER_VARS += KERNELDIR

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -70,7 +70,7 @@ valid_hypervisor_paths = @QEMUSNPVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@KERNELPARAMS@"
+kernel_params = "@KERNELSNPPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
@@ -542,7 +542,7 @@ kernel_modules=[]
 
 # Agent connection dialing timeout value in seconds
 # (default: 90)
-dial_timeout = @DEFAULTTIMEOUT_NV@
+dial_timeout = 90
 
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
@@ -617,7 +617,7 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
 # The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
-sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY_NV@
 
 # If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
 # this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
@@ -676,7 +676,7 @@ experimental=@DEFAULTEXPFEATURES@
 # Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config 
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout. 
 # In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
-create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
+create_container_timeout = @DEFAULTTIMEOUT_NV@
 
 # Base directory of directly attachable network config.
 # Network devices for VM-based containers are allowed to be placed in the

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -70,7 +70,7 @@ kernel_params = "@KERNELTDXPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH@"
+firmware = "@FIRMWAREPATH_NV@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -537,8 +537,8 @@ kernel_modules=[]
 #debug_console_enabled = true
 
 # Agent connection dialing timeout value in seconds
-# (default: 60)
-dial_timeout = @DEFAULTTIMEOUT_NV@
+# (default: 90)
+dial_timeout = 90
 
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
@@ -613,7 +613,7 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
 # The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
-sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY_NV@
 
 # If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
 # this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
@@ -672,7 +672,7 @@ experimental=@DEFAULTEXPFEATURES@
 # Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config 
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout. 
 # In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
-create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
+create_container_timeout = @DEFAULTTIMEOUT_NV@
 
 # Base directory of directly attachable network config.
 # Network devices for VM-based containers are allowed to be placed in the

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -563,7 +563,7 @@ kernel_modules=[]
 
 # Agent connection dialing timeout value in seconds
 # (default: 90)
-dial_timeout = @DEFAULTTIMEOUT_NV@
+dial_timeout = 90
 
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
@@ -638,7 +638,7 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
 # The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
-sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY_NV@
 
 # If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
 # this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
@@ -697,7 +697,7 @@ experimental=@DEFAULTEXPFEATURES@
 # Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config 
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout. 
 # In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
-create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
+create_container_timeout = @DEFAULTTIMEOUT_NV@
 
 # Base directory of directly attachable network config.
 # Network devices for VM-based containers are allowed to be placed in the

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -71,7 +71,7 @@ kernel_params = "@KERNELTDXPARAMS@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH@"
+firmware = "@FIRMWAREPATH_NV@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables