Commit Graph

2111 Commits

Author SHA1 Message Date
Fupan Li
333d12dc47 runtime: fix the issue of update interface error
Since the network device hotplug is an asynchronous operation,
it's possible that the hotplug operation had returned, but
the network device hasn't ready in guest, thus it's better to
retry on this operation to wait until the device ready in guest.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-07 11:29:57 +08:00
Manuel Huber
8ca77f2655 tests: nvidia: cc: Run CUDA vectorAdd tests on CC mode
While the primary goal of this change is to detect regressions to the
NVIDIA SNP GPU scenario, various improvements to reflect a more
realistic CC setting are planned in subsequent changes, such as:

* moving away from the overlayfs snapshotter
* disabling filesystem sharing
* applying a pod security policy
* activating the GPUs only after attestation
* using a refined approach for GPU cold-plugging without requiring
  annotations
* revisiting pod timeout and overhead parameters (the podOverhead value
  was increased due to CUDA vectorAdd requiring about 6Gi of
  podOverhead, as well as the inference and embedqa requiring at least
  12Gi, respectively, 14Gi of podOverhead to run without invoking the
  host's oom-killer. We will revisit this aspect after addressing
  points 1. and 2.)

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
1561d7fbba runtime: Clear outer CDI annotations
Pod annotations from the outer runtime are being used for cold-plugging
CDI devices. We need to ensure that these annotations don't leak into
the inner runtime for which specific container (sibling) annotations
are being created. Without this change, the inner runtime receives both
annotations, leading to failing CDI injection as an outer runtime
annotation observed in the guest translates to an unresolvable CDI
device, for example, cdi.k8s.io/gpu: "nvidia.com/pgpu=0".

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-04 23:18:00 +01:00
Fabiano Fidêncio
14039c9089 golang: Update to 1.24.9
In order to fix:
```

=== Running govulncheck on containerd-shim-kata-v2 ===
 Vulnerabilities found in containerd-shim-kata-v2:
=== Symbol Results ===

Vulnerability #1: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: net/textproto@go1.24.6
    Fixed in: net/textproto@go1.24.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadResponse

Vulnerability #2: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: archive/tar@go1.24.6
    Fixed in: archive/tar@go1.24.8
    Vulnerable symbols found:
      #1: tar.Reader.Next

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify
      #2: x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Vulnerable symbols found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      Use '-show traces' to see the other 9 found symbols

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Vulnerable symbols found:
      #1: asn1.Unmarshal
      #2: asn1.UnmarshalWithParams

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Vulnerable symbols found:
      #1: url.JoinPath
      #2: url.Parse
      #3: url.ParseRequestURI
      #4: url.URL.Parse
      #5: url.URL.UnmarshalBinary

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Vulnerable symbols found:
      #1: pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      Use '-show traces' to see the other 4 found symbols

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Vulnerable symbols found:
      #1: x509.CertPool.AppendCertsFromPEM
      #2: x509.Certificate.CheckCRLSignature
      #3: x509.Certificate.CheckSignature
      #4: x509.Certificate.CheckSignatureFrom
      #5: x509.Certificate.CreateCRL
      Use '-show traces' to see the other 27 found symbols

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.24.6
    Fixed in: net/mail@go1.24.8
    Vulnerable symbols found:
      #1: mail.AddressParser.Parse
      #2: mail.AddressParser.ParseList
      #3: mail.Header.AddressList
      #4: mail.ParseAddress
      #5: mail.ParseAddressList
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 16:57:22 +01:00
Zvonko Kaiser
69c76971f3 gpu: Handle VFIO and IOMMUFD
We have here either /dev/vfio/<num> or /dev/vfio/devices/vfio<num>,
for IOMMUFD format /dev/vfio/devices/vfio<num>, strip "vfio" prefix

/dev/vfio/123 - basename "123" - vfioNum = "123" - cdi.k8s.io/vfio123
/dev/vfio/devices/vfio123 - basename "vfio123" - strip - vfioNum = "123" - cdi.k8s.io/vfio123

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-31 09:46:07 +01:00
Kevin Zhao
e2dbe87a99 tests: Fix cca test failure on arm64 and other architectures
Fix the wrong test with appendProtectionDevice on arm64

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-25 13:54:35 +02:00
Mikko Ylinen
1beda258b8 qemu: nvidia: tdx: add quote-generation-socket for attestation to work
Add TDX QGS quote-generation-socket TDX QEMU object params for
attestation to work in NVGPU+TDX environment.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-10-22 21:01:35 +02:00
Kevin Zhao
141070b388 Kata-deploy: Add kata-deploy set up for qemu-cca
Support launch qemu-cca in Kata-deploy.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:24:52 +08:00
Kevin Zhao
af919686ab Kata-deploy: Add CCA firmware build support
runtime: pass firmware to CCA Realm

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:24:45 +08:00
Kevin Zhao
bfa7f2486d runtime: Add Arm64 CCA confidential Guest Support
This commit add the support for Arm CCA/RME support in golang runtime.
The guest kernel is support since Linux 6.13.

The host kernel which Kata is running is picked from: https://gitlab.arm.com/linux-arm/linux-cca
branch: cca-host/v8 which is currently very stable and reviewed for a while, and it is
expecting to merged this year.

The Qemu support is picked up from: https://git.codelinaro.org/linaro/dcap/qemu.git, branch: cca/2025-05-28,
The Qemu support will be merged to upstream after the CCA host support official support in linux kernel.

More info regarding the CCA software stack dev and test, please refer to link:
https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+an+RME+stack+for+QEMU

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:23:54 +08:00
Paul Meyer
06ed957a45 virtcontainers: fix nydus cleanup on rootfs unmount
This was discovered by @sprt in https://github.com/kata-containers/kata-containers/pull/10243#discussion_r2373709407.
Checking for state.Fstype makes no sense as we know it is empty.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-10-15 09:22:51 +02:00
Alex Lyn
b42ef09ffb Merge pull request #11888 from spuzirev/main
runtime: fix "num-queues expects uint64" error with virtio-blk
2025-10-09 20:21:32 +08:00
Sergei Puzyrev
62b12953c7 runtime: fix "num-queues expects uint64" error with virtio-blk
Unneeded type-conversion was removed.

Fixes #11887

Signed-off-by: Sergei Puzyrev <spuzirev@gmail.com>
2025-10-08 17:09:22 -05:00
Adeet Phanse
4e4f9c44ae runtime: fix device typo
Fix device typo in dragonball / runtime-rs / runtime.

Signed-off-by: Adeet Phanse <adeet.phanse@mongodb.com>
2025-10-08 17:08:27 -05:00
Aurélien Bombo
5c21b1faf3 runtime: Simplify mounting guest devices when using hostPath volumes
This change crystallizes and simplifies the current handling of /dev
hostPath mounts with virtually no functional change.

Before this change:

 - If a mount DESTINATION is in /dev and it is a non-regular file on the HOST,
   the shim passes the OCI bind mount as is to the guest (e.g.
   /dev/kmsg:/dev/kmsg). The container rightfully sees the GUEST device.

 - If the mount DESTINATION does not exist on the host, the shim relies on
   k8s/containerd to automatically create a directory (ie. non-regular file) on
   the HOST. The shim then also passes the OCI bind mount as is to the guest.  The
   container rightfully sees the GUEST device.

 - For other /dev mounts, the shim passes the device major/minor to the guest
   over virtio-fs. The container rightfully sees the GUEST device.

After this change:

 - If a mount SOURCE is in /dev and it is a non-regular file on the HOST,
   the shim passes the OCI bind mount as is to the guest. The container
   rightfully sees the GUEST device.

 - The shim does not anymore rely on k8s/containerd to create missing mount
   directories. Instead it explicitely handles missing mount SOURCES, and
   treats them like the previous bullet point.

 - The shim no longer uses virtio-fs to pass /dev device major/minor to the
   guest, instead it passes the OCI bind mount as is.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-01 15:32:21 -05:00
Mikko Ylinen
6f45a7f937 runtime: config: allow TDX QGS port=0
85f3391bc added the support for TDX QGS port=0 but missed
defaultQgsPort in the default config. defaultQgsPort overrides
user provided tdx_quote_generation_service_socket_port=0.

After this change, defaultQgsPort is not needed anymore since
there's no default: any positive integer is OK and negative or
unset value becomes a parse error.

QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT in the Makefile is used
to provide a sane default when tdx_quote_generation_service_socket_port
gets set in the configuration.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-30 09:47:05 +02:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Fupan Li
72a0f5daec Merge pull request #11794 from Sumynwa/sumsharma/clh_netdev_hotplug_pciinfo
runtime: clh: Add pci path for hotplugged network endpoints
2025-09-23 09:57:57 +08:00
Hyounggyu Choi
d90e785901 runtime: Set maxmem to initialmem on s390x when memory hotplug is disabled
On s390x, QEMU fails if maxmem is set to 0:

```
invalid value of maxmem: maximum memory size (0x0) must be at least the initial memory size
```

This commit sets maxmem to the initial memory size for s390x when hotplug is disabled,
resolving the error while still ensuring that memory hotplug remains off.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-18 14:05:33 +02:00
Mikko Ylinen
49fbd6e7af runtime: qemu: disable memory hotplug for ConfidentialGuests
The setting '-m xM,slots=y,maxmem=zM' where maxmem is from
the host's memory capacity is failing with confidential VMs
on hosts having 1T+ of RAM.

slots/maxmem are necessary for setups where the container
memory is hotplugged to the VM during container creation based
on createContainer info.

This is not the case with CoCo since StaticResourceManagement
is enabled and memory hotplug flows have not been checked.

To avoid unexpeted errors with maxmem, disable slots/maxmem
in case ConfidentialGuest is requested.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-17 23:43:36 +02:00
Sumedh Alok Sharma
3443ddf24d runtime: clh: Add pci path for hotplugged network endpoints
This commit introduces changes to parse the PciDeviceInfo received
in response payload when adding a network device to the VM with cloud
hypervisor. When hotplugging a network device for a given endpoint,
it rightly sets the PciPath of the plugged-in device in the endpoint.

In calls like virtcontainers/sandbox.go:AddInterface, the later call
to agent sends the pci info for uevents (instead of empty value) to
rightly update the interfaces instead of failing with `Link not found`

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-09-16 12:45:57 +00:00
Saul Paredes
5d124523f8 runtime: add initdata support in clh
Prepare the initdata image and mount it as a block device.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:21 -07:00
Saul Paredes
252d4486f1 runtime: delete initdata annotation
Delete annotation from OCI spec and sandbox config. This is done after the optional initdata annotation value has been read.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
Saul Paredes
af41f5018f runtime: share initdata setup code
Move setup code such that it can be used by other hypervisors.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
stevenhorsman
dc64d256bf runtime: Bump cri-o to latest
Bump cri-o to 1.34.0 to try and remediate security advisories
CVE-2025-0750 and CVE-2025-4437.

Note: Running
```
go get github.com/cri-o/cri-o@v1.34.0
```
seems to bump a lot of other go modules, hence the size of the
vendor diff

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
16dd1de0ab kata-monitor: Update deprecated use of grpc functions
In google.golang.org/grpc v1.72.0, `DialContext`, is deprecated, so
switch to use `NewClient` instead.
`grpc.WithBlock()` is deprecated and not recommend, so remove this

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
b9ff5ffc21 kata-monitor: Replace use of deprecated expfmt.FmtText
In `github.com/prometheus/common v0.62.0` expfmt.FmtText
is deprecated, so replace with `expfmt.NewFormat(expfmt.TypeTextPlain)`.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
7f86b967d1 runtime: Replace use of deprecated expfmt.FmtText
In `github.com/prometheus/common v0.62.0` expfmt.FmtText
is deprecated, so replace with `expfmt.NewFormat(expfmt.TypeTextPlain)`.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
62ed86d1aa runtime: Update deprecated use of grpc.Dial
In google.golang.org/grpc v1.72.0, `Dial`, is deprecated, so
switch to use `NewClient` instead

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
334340aa18 runtime: Update remove methods
In selinux v1.12.0, `label.SetProcessLabel`, was removed to be
replaced by `selinux.SetExecLabel`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
Fupan Li
679cdeadc8 runtime: fix the issue clh resize vcpu failed
Since the cloud hypervisor's resize vCPU is an asynchronous operation,
it's possible that the previous resize operation hasn't completed when
the request is sent, causing the current call to return an error.
Therefore, several retries can be performed to avoid this error.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-15 14:29:25 +02:00
Fabiano Fidêncio
60790907ef clh: Update to v48.0 release
```
Experimental fw_cfg Device Support
This feature enables passing configuration data and files, such as VM
boot configurations (kernel, kernel cmdline, e820 memory map, and ACPI
tables), from the host to the guest. (#7117)

Experimental ivshmem Device Support
Support for inter-VM shared memory has been added. For more information,
please refer to the ivshmem documentation. (#6703)

Firmware Boot Support on riscv64
In addition to direct kernel boot, firmware boot support has been added
on riscv64 hosts. (#7249)

Increased vCPU Limit on x86_64/kvm
The maximum number of supported vCPUs on x86_64 hosts using KVM has been
raised from 254 to 8192. (#7299)

Improved Block Performance with Small Block Sizes
Performance for virtio-blk with small block sizes (16KB and below)
is enhanced via submitting async IO requests in batches. (#7146)

Faster VM Pause Operation
The VM pause operation now is significantly faster particularly for VMs
with a large number of vCPUs. (#7290)

Updated Documentation on Windows Guest Support
Our Windows documentation now includes instructions to run Windows 11
guests, in addition to Windows Server guests. (#7218)

Policy on AI Generated Code
We will decline any contributions known to contain contents generated or
derived from using Large Language Models (LLMs). Details can be found
in our contributing documentation. (#7162)

Removed SGX Support
The SGX support has been removed, as announced in the deprecation notice two
release cycles ago. (#7093)

Notable Bug Fixes
Seccomp filter fixes with glibc v2.42 (#7327)
Various fixes related to (#7331, #7334, #7335)
```

From https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v48.0

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 08:30:18 +02:00
Dan Mihai
60beb5236d runtime: snp: enable CoCo annotations
Use @DEFENABLEANNOTATIONS_COCO@ in configuration-qemu-snp.toml,
for consistency with the tdx and coco-dev configuration files.

k8s-initdata.bats was failing during CI on SNP without this change,
because the cc_init_data annotation was disabled.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-12 15:38:33 +00:00
Fabiano Fidêncio
08d2ba1969 cgroups: Fix "." parent cgroup special case
ef642fe890 added a special case to avoid
moving cgroups that are on the "default" slice in case of deletion.

However, this special check should be done in the Parent() method
instead, which ensures that the default resource controller ID is
returned, instead of ".".

Fixes: #11599

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-27 08:15:15 +02:00
Fabiano Fidêncio
fd1b8ceed1 runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT]
Similar to what we've done for Cloud Hypervisor in the commit
9f76467cb7, we're backporting a runtime-rs
feature that would be benificial to have as part of the go runtime.

This allows users to use virito-balloon for the hypervisor to reclaim
memory freed by the guest.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-22 23:56:47 +02:00
stevenhorsman
8cbb1a4357 runtime: Fix non constant Errorf formatting
As part of the go 1.24.6 bump there are errors about the incorrect
use of a errorf, so switch to the non-formatting version, or add
the format string as appropriate

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
381da9e603 versions: Bump golang to 1.24.6
golang 1.25 has been released, so 1.23 is EoL,
so we should update to ensure we don't end up with security issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
081823b388 runtime: Enable init_data annotation
In #11693 the cc_init_data annotation was changes to be hypervisor
scoped, so each hypervisor needs to explicitly allow it in order to
use it now, so add this to both the go and rust runtime's remote
configurations

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-21 19:26:10 +01:00
Alex Lyn
014ab2fce6 Merge pull request #11693 from BbolroC/revert-initdata-annotation
runtime-rs: Fix issues for initdata
2025-08-20 21:17:52 +08:00
Hyounggyu Choi
208cec429a runtime-rs: Introduce CoCo-specific enable_annotations
We need to include `cc_init_data` in the enable_annotations
array to pass the data. Since initdata is a CoCo-specific
feature, this commit introduces a new array,
`DEFENABLEANNOTATIONS_COCO`, which contains the required
string and applies it to the relevant CoCo configuration.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 10:15:23 +02:00
Alex Tibbles
a03dc3129d versions: sync go.mod with versions.yaml for go 1.23.12
OSV-Scanner highlights go.mod references to go stdlib 1.23.0 contrary to intention in versions.yaml, so synchronize them.
Make a converse comment for versions.yaml.

Fixes: #11700

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 11:30:19 -04:00
Hyounggyu Choi
93ec470928 runtime/tests: Update annotation for initdata
Let's rename the runtime-rs initdata annotation from
`io.katacontainers.config.runtime.cc_init_data` to
`io.katacontainers.config.hypervisor.cc_init_data`.

Rationale:
- initdata itself is a hypervisor-specific feature
- the new name aligns with the annotation handling logic:
c92bb1aa88/src/libs/kata-types/src/annotations/mod.rs (L514-L968)

This commit updates the annotation for go-runtime and tests accordingly.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-19 15:17:01 +02:00
Hyounggyu Choi
28bd0cf405 Merge pull request #11640 from rafsal-rahim/bm-initdata-s390x
Feat | Implement initdata for bare-metal/qemu for s390x
2025-08-15 10:42:32 +02:00
rafsalrahim
9891b111d1 runtime: Add initdata support to s390x
- Added support for initdata device on s390x.
- Generalized devno generation for QEMU CCW devices.

Signed-off-by: rafsalrahim <rafsal.rahim@ibm.com>
2025-08-14 17:10:58 +05:30
Kevin Zhao
aadad0c9b6 CI: change the directory for Arm64 firmware
Previouly it is reusing the ovmf, which will enter some
issue for path checking, so move to aavmf as it should
be.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-08-13 23:39:44 +02:00
Paul Meyer
5635410dd3 runtime: make SNP guest policy configurable
Dependening on the platform configuration, users might want to
set a more secure policy than the QEMU default.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-08-13 09:06:36 +02:00
Xuewei Niu
beea0c34c5 Merge pull request #11060 from kata-containers/sprt/vfsd-metadata
runtime: virtio-fs: Support "metadata" cache mode
2025-08-08 11:13:57 +08:00
Aurélien Bombo
6d96875d04 runtime: virtio-fs: Support "metadata" cache mode
The Rust virtiofsd supports a "metadata" cache mode [1] that wasn't
present in the C version [2], so this PR adds support for that.

 [1] https://gitlab.com/virtio-fs/virtiofsd
 [2] https://qemu.weilnetz.de/doc/5.1/tools/virtiofsd.html#cmdoption-virtiofsd-cache

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-08-07 21:24:40 +08:00
Christophe de Dinechin
ec480dc438 qemu: Respect the JSON schema for hot plug
When hot-plugging CPUs on QEMU, we send a QMP command with JSON
arguments. QEMU 9.2 recently became more strict[1] enforcing the
JSON schema for QMP parameters. As a result, running Kata Containers
with QEMU 9.2 results in a message complaining that the core-id
parameter is expected to be an integer:

```
qmp hotplug cpu, cpuID=cpu-0 socketID=1, error:
QMP command failed:
Invalid parameter type for 'core-id', expected: integer
```

Fix that by changing the core-id, socket-id and thread-id to be
integer values.

[1]: be93fd5372

Fixes: #11633

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2025-08-07 09:13:57 +02:00
Markus Rudy
f7a36df290 runtime: generate proto files
The generated Go bindings for the agent are out of date. This commit
was produced by running
src/agent/src/libs/protocols/hack/update-generated-proto.sh with
protobuf compiler versions matching those of the last run, according to
the generated code comments.

Since there are new RPC methods, those needed to be added to the
HybridVSockTTRPCMockImp.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-07-31 17:58:25 +01:00