Commit Graph

1559 Commits

Author SHA1 Message Date
Dan Mihai
7b63f256e5 gha: fix git-helper issues reported by shellcheck
./tests/git-helper.sh:20:5: note: Prefer [[ ]] over [ ] for tests in Bash/Ksh. [SC2292]
./tests/git-helper.sh:22:26: note: Double quote to prevent globbing and word splitting. [SC2086]
./tests/git-helper.sh:23:7: note: Prefer [[ ]] over [ ] for tests in Bash/Ksh. [SC2292]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-06 20:28:41 +00:00
Dan Mihai
04adcdace6 gha: always delete workspace on rebase error
The workplace was already being deleted on non-x86_64 platforms, but
x86_64 can be affected by the same problem too. That might have been
the case with the SNP and TDX test runs from:

https://github.com/kata-containers/kata-containers/actions/runs/13687511270/job/38313758751?pr=10973
https://github.com/kata-containers/kata-containers/actions/runs/13687511270/job/38313760086?pr=10973

Rebase worked fine for the same patch/PR on other platforms.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-06 20:24:09 +00:00
Xuewei Niu
644af52968
Merge pull request #10876 from lifupan/fupan_containerd
ci: cri-containerd: upgrade the LTS / Active versions for containerd
2025-03-06 17:08:40 +08:00
Hyounggyu Choi
bf41618a84
Merge pull request #10862 from BbolroC/enable-ibm-se-for-qemu-runtime-rs
runtime-rs: Enable IBM SE for QEMU
2025-03-06 05:38:13 +01:00
Fabiano Fidêncio
545780a83a shellcheck: tests: k8s: Fix gha-run.sh warnings
As we'll touch this file during this series, let's already make sure we
solve all the needed warnings.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-05 19:44:27 +01:00
Fabiano Fidêncio
50f765b19c shellcheck: tests: Fix gha-run-k8s-common.sh warnings
Let's fix all the warnings caught in this file, as we're already
touching it.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-05 19:44:27 +01:00
Fabiano Fidêncio
219db60071 tests: kata-deploy: microk8s: Re-work installation
So we can ensure that the user has enough permissions to access
microk8s.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-05 19:44:27 +01:00
Fabiano Fidêncio
c337a21a4e shellcheck: kata-deploy: Fix warnings
He were fixing the few warnings we found in the files present in the
functional tests for kata-deploy.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-05 19:44:27 +01:00
Fupan Li
7024d3c600 CI: cri-containerd: upgrade the LTS / Active versions for containerd
As we're testing against the LTS and the Active versions of
containers, let's upgrade the lts version from 1.6 to 1.7 and
active version from 1.7 to 2.0 to cover the sandboxapi tests.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-03-05 23:09:24 +08:00
Hyounggyu Choi
4ea7d274c4 runtime-rs: Add new runtimeClass qemu-se-runtime-rs
When `KATA_HYPERVISOR` is set to `qemu-se-runtime-rs`,
a configuration file is properly referenced and a runtime class
should be created via kata-deploy.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-05 13:50:38 +01:00
Zvonko Kaiser
4bb0eb4590
Merge pull request #10954 from kata-containers/topic/metrics-kata-deploy
Rework and fix metrics issues
2025-03-04 20:22:53 -05:00
stevenhorsman
02a2f6a9c1 tests: Sanitize K8S_TEST_ENTRY
Now we've added the double quotes around
`${K8S_TEST_UNION[@]}`, so platforms are
failing with:
```
Error: Test file "/home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/tests/integration/kubernetes/k8s-nginx-connectivity.bats
" does not exist
```
due to the line continuation, so sanitise the value
to try and fix this.

Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:39:10 +00:00
stevenhorsman
9a9e88a38d test: vfio: Attempt to fix logic
This was checking that a literal string was non-zero.
I'm assume it instead wanted to check if the file exists

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:39:10 +00:00
stevenhorsman
b220cca253 shellcheck: Fix shellcheck SC2066
> Since you double-quoted this, it will not word split, and the loop will only run once.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:39:10 +00:00
stevenhorsman
b8cfdd06fb shellcheck: Fix shellcheck SC2071
> > is for string comparisons. Use -gt instead.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:39:10 +00:00
stevenhorsman
eb90b93e3f shellcheck: Fix shellcheck SC2104
> In functions, use return instead of break.
> rationale: break or continue are used to abort or
continue a loop, and are not the right way to exit
a function. Use return instead.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:39:10 +00:00
stevenhorsman
dbba6b056b shellcheck: Fix shellcheck SC2148
> Tips depend on target shell and yours is unknown. Add a shebang.

Add
```
#!/usr/bin/env bash
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:35:46 +00:00
stevenhorsman
c5ff513e0b shellcheck: Fix shellcheck SC2068
> Double quote array expansions to avoid re-splitting elements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:35:46 +00:00
stevenhorsman
58672068ff shellcheck: Fix shellcheck SC2145
> Argument mixes string and array. Use * or separate argument.

- Swap echos for printfs and improve formatting
- Replace $@ with $*
- Split arrays into separate arguments

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:35:46 +00:00
stevenhorsman
c69509be1c metrics: Reduce repeats for boot time tests on qemu
On qemu the run seems to error after ~4-7 runs, so try
a cut down version of repetitions to see if this helps us
get results in a stable way.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-02 08:42:00 +00:00
stevenhorsman
0962cd95bc metrics: Increase minpercent range for qemu iperf test
We have a new metrics machine and environment
and the iperf jitter result failed as it finished too quickly,
so increase the minpercent to try and get it stable

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-02 08:32:26 +00:00
stevenhorsman
ef0e8669fb metrics: Increase minpercent range for clh tests
We have a new metrics machine and environment
and the fio write.bw and iperf3 parallel.Results
tests failed for clh, as below
the minimum range, so increase the
minpercent to try and get it stable

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-02 08:32:26 +00:00
stevenhorsman
f81c85e73d metrics: Increase maxpercent range for clh boot times
We have a new metrics machine and environment
and the boot time test failed for clh, so increase the
maxpercent to try and get it stable

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
435ee86fdd metrics: Update iperf affinity
The iperf deployment is quite a lot out of date
and uses `master` for it's affinity and toleration,
so update this to control-plane, so it can run on
newer Kubernetes clusters

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
85bbc0e969 metrics: Increase wait time
The new metrics runner seems slower, so we are
seeing errors like:
The iperf3 tests are failing with:
```
pod rejected: RuntimeClass "kata" not found
```
so give more time for it to succeed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
4ce94c2d1b Revert "metrics: Add init_env function to latency test"
This reverts commit 9ac29b8d38.
to remove the duplicate `init_env` call

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
658a5e032b metrics: Increase containerd start timeout
- Move `kill_kata_components` from common.bash
into the metrics code base as the only user of it
- Increase the timeout on the start of containerd as
the last 10 nightlies metric tests have failed with:
```
223478 Killed                  sudo timeout -s SIGKILL "${TIMEOUT}" systemctl start containerd
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
3fab7944a3 workflows: Improve metrics jobs
- As the metrics tests are largely independent
then allow subsequent tests to run even if previous
ones failed. The results might not be perfect if
clean-up is required, but we can work on that later.
- Move the test results check out of the latency
test that seems arbitrary and into it's own job step
- Add timeouts to steps that might fail/hang if there
are containerd/K8s issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
stevenhorsman
6f918d71f5 workflows: Update metrics jobs
Currently the run-metrics job runs a manual install
and does this in a separate job before the metrics
tests run. This doesn't make sense as if we have multiple
CI runs in parallel (like we often do), there is a high chance
that the setup for another PR runs between the metrics
setup and the runs, meaning it's not testing the correct
version of code. We want to remove this from happening,
so install (and delete to cleanup) kata as part of the metrics
test jobs.

Also switch to kata-deploy rather than manual install for
simplicity and in order to test what we recommend to users.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-01 17:50:05 +00:00
Stephane Talbot
f80e7370d5 test: Verify deployement of kata-deploy on microk8s
Enable fonctional test to verify deployment of kata-deploy on a Microk8s cluster

Signed-off-by: Stephane Talbot <Stephane.Talbot@univ-savoie.fr>
2025-02-28 10:10:29 +01:00
Zvonko Kaiser
33460386b9
Merge pull request #10803 from ryansavino/update-confidential-initrd-22.04
versions: update confidential initrd to 22.04
2025-02-27 09:29:36 -05:00
stevenhorsman
d08787774f ci: k8s: Use pinned k0s version
Update the code to install the version of k0s
that we have in our versions.yaml, rather than
just installing the latest, to help our CI being
less stable and prone to breaking due to things
we don't control.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-27 11:33:23 +00:00
Ryan Savino
ceafa82f2e tests: skip trusted storage tests for qemu-snp
skip tests for trusted storage until #10838 is resolved.

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-02-26 14:23:57 -06:00
Ruoqing He
ed50e31625 build: Reorganize target selection
Architectures here with `musl` available are minority, which is more
suitable for enumeration.

With this change, we are implicitly choosing gnu target for `ppc64le`,
`riscv64` and `s390x`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-26 00:56:54 +08:00
Ruoqing He
562911e170 build: Add riscv mapping for common.bash
While installing Rust and Golang in our CI workflow, `arch_to_golang`
and `arch_to_rust` are needed for inferring the correct arch string for
riscv64 architecture.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-26 00:56:54 +08:00
Fabiano Fidêncio
a6186b6244 ci: k8s: arm: Skip "Check the number vcpus are ..." test
See https://github.com/kata-containers/kata-containers/issues/10928

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-24 18:43:24 +01:00
Fabiano Fidêncio
1798804c32 ci: k8s: arm: Skip "Pod quota" test
See https://github.com/kata-containers/kata-containers/issues/10927

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-24 18:43:24 +01:00
Fabiano Fidêncio
053827cacc ci: k8s: arm: Skip "Running within memory constraints" test
See https://github.com/kata-containers/kata-containers/issues/10926

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-24 18:43:24 +01:00
Aurélien Bombo
1f8c15fa48 Revert "tests: Skip k8s job test on qemu-coco-dev"
This reverts commit a8ccd9a2ac.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-02-21 17:52:17 -06:00
Aurélien Bombo
7542dbffb8 Revert "tests: disable k8s-policy-job.bats on coco-dev"
This reverts commit 47ce5dad9d.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-02-21 17:52:17 -06:00
Xuewei Niu
cdb29a4fd1
Merge pull request #10780 from RuoqingHe/setup-dragonball-workspace
dragonball: Appease clippy, setup workspace and centralize RustVMM
2025-02-21 14:04:19 +08:00
Aurélien Bombo
601c403603
Merge pull request #10818 from burgerdev/plumbing
agent: clear log pipes if denied by policy
2025-02-19 16:28:58 -06:00
Aurélien Bombo
cb3467535c tests: Add policy test for ReadStreamRequest
This test verifies that, when ReadStreamRequest is blocked by the
policy, the logs are empty and the container does not deadlock.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-02-19 14:03:41 -06:00
Hyounggyu Choi
a8363c28ca tests: Support systemd unit files in /usr/lib as well as /lib
On Ubuntu 24.04, due to the /usr merge, system-provided unit files
now reside in `/usr/lib/systemd/system/` instead of `/lib/systemd/system/`.
For example, the command below now returns a different path:

```
$ systemctl show containerd.service -p FragmentPath
/usr/lib/systemd/system/containerd.service
```

Previously, on Ubuntu 22.04 and earlier, it returned:

```
/lib/systemd/system/containerd.service
```

The current pattern `if [[ $unit_file == /lib* ]]` fails to match the new path.
To ensure compatibility across versions, we update the pattern to match both
`/lib` and `/usr/lib` like:

```
if [[ $unit_file =~ ^/(usr/)?lib/ ]]
```

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-02-19 14:34:59 +01:00
Ruoqing He
6bb193bbc0 spell: Update dictionary for dbs crates
Add entries for dbs_* crates' README.md to pass `kata-spell-check.sh`
spell checking.

Changed British terms to American terms in README of `dbs_pci` to pass
`hunspell` check.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-19 21:20:30 +08:00
Ruoqing He
d23284a0dc header_check: Check header for changed text files
We are running `header_check` for non-text files like binary files,
symbolic link files, image files (pictures) and etc., which does not
make sense.

Filter out non-text files and run `header_check` only for text files
changed.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-18 22:39:53 +08:00
Ruoqing He
7e49e83779 spell: Add missing entries for kata-spell-check
`kata-dictionary.dic` changes after running `kata-spell-check.sh
make-dict`. This is due to someone forgot to first update entries in
data and run `make-dict`, but directly updated `kata-dictionary.dic`
instead.

Add mssing entries to data and re-run `make-dict` to generate correct
`kata-dictionary.dic`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-18 19:06:34 +08:00
Fabiano Fidêncio
64ceb0832a
Merge pull request #10851 from fidencio/topic/bump-image-rs-to-bring-in-ttrpc-0.8.4
agent: Bump image-rs to 514c561d93
2025-02-14 18:21:56 +01:00
stevenhorsman
56fb2a9482 tests: Skip block volume test on fc, stratovirt
The block volume test has failed on 10/10 nightlies
and all the PRs I've seen, so skip it until it can be assessed.

See #10873

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:50:35 +00:00
stevenhorsman
2d266df846 test: Update expected error in signed image tests
We are seeing a different error in the new version of image-rs,
so update our tests to match.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:44:51 +00:00
Steve Horsman
8614e5efc4
Merge pull request #10869 from stevenhorsman/bump-kcli-ubuntu-version
ci: k8s: Bump kcli image version
2025-02-13 09:59:20 +00:00
Wainer Moschetta
62e239ceaa
Merge pull request #10810 from arvindskumar99/nydus_perm_install
Skipping SNP and SEV from deploying and deleting Snapshotter
2025-02-12 14:38:56 -03:00
stevenhorsman
fd7bcd88d0 ci: k8s: Bump kcli image version
When trying to deploy nydus on kcli locally we get the
following failure:
```
root@sh-kata-ci1:~# kubectl get pods -n nydus-system
NAMESPACE                   NAME                                          READY   STATUS              RESTARTS      AGE
nydus-system                nydus-snapshotter-5kdqs                       0/1     CrashLoopBackOff    4 (84s ago)   7m29s
```
Digging into this I found that the nydus-snapshotter service
is failing with:
```
ubuntu@kata-k8s-worker-0:~$ journalctl -u nydus-snapshotter.service
-- Logs begin at Wed 2025-02-12 15:06:08 UTC, end at Wed 2025-02-12 15:20:27 UTC. --
Feb 12 15:10:39 kata-k8s-worker-0 systemd[1]: Started nydus snapshotter.
Feb 12 15:10:39 kata-k8s-worker-0 containerd-nydus-grpc[6349]: /usr/local/bin/containerd-nydus-grpc:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required b>
Feb 12 15:10:39 kata-k8s-worker-0 containerd-nydus-grpc[6349]: /usr/local/bin/containerd-nydus-grpc:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required b>
Feb 12 15:10:39 kata-k8s-worker-0 systemd[1]: nydus-snapshotter.service: Main process exited, code=exited, status=1/FAILURE
```
I think this is because 20.04 has version:
```
ubuntu@kata-k8s-worker-0:~$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.16) 2.31
```
so it's too old for the nydus snapshotter.
Also 20.04 is EoL soon, so bumping is better.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-12 15:38:18 +00:00
Fupan Li
5b809ca440 CI: a workaround for containerd v2.x e2e test
the latest containerd had an issue for its e2e test, thus we should do
the following fix to workaround this issue. For much info about this issue,
please see:

https://github.com/containerd/containerd/pull/11240

Once this pr was merged and release new version, we can remove
this workaround.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
a3fd3d90bc ci: Add the sandbox api testcases
A test case is added based on the intergrated cri-containerd case.
The difference between cri containerd integrated testcase and sandbox
api testcase is the "sandboxer" setting in the sandbox runtime handler.

If the "sandboxer" is set to "" or "podsandbox", then containerd will
use the legacy shimv2 api, and if the "sandboxer" is set to "shim", then
it will use the sandbox api to launch the pod.

In addition, add a containerd v2.0.0 version. Because containerd officially
supports the sandbox api from version 2.0.0.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
33555037c0 protocols: Add the cri api protos
Add the cri api protos to support the sandbox api.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Dan Mihai
fdf3088be0
Merge pull request #10842 from microsoft/danmihai1/disable-job-policy-test
tests: disable k8s-policy-job.bats on coco-dev
2025-02-06 09:09:49 -08:00
Hyounggyu Choi
1bdb34e880 tests: Skip trusted storage tests for IBM SE
Let's skip all tests for trusted storage until #10838 is resolved.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-02-06 12:09:14 +01:00
Dan Mihai
47ce5dad9d tests: disable k8s-policy-job.bats on coco-dev
k8s-policy-job is modeled after the older k8s-job, and it appears
that both of them fail occasionally on coco-dev.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-02-05 23:06:16 +00:00
Arvind Kumar
47534c1c3e nydus: Skipping SNP and SEV from deploying and deleting Snapshotter
Preparing to install nydus permanently on the AMD node,
so disabling deploy and delete command for SNP and SEV.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-02-05 12:26:53 -06:00
Greg Kurz
0215d958da
Merge pull request #10805 from balintTobik/egrep_removal
egrep/fgrep removal
2025-01-30 18:26:59 +01:00
Balint Tobik
1943a1c96d tests: replace egrep with grep -E to avoid deprecation warning
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-29 11:26:27 +01:00
Hyounggyu Choi
dde627cef4 test: Run full set of zcrypttest for VFIO-AP coldplug
Previously, the test for VFIO-AP coldplug only checked whether a
passthrough device was attached to the VM guest. This commit expands
the test to include a full set of zcrypttest to verify that the device
functions properly within a container.

Additionally, since containerd has been upgraded to v1.7.25 on the
test machine, it is no longer necessary to run the test via crictl.
The commit removes all related codes/files.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Zvonko Kaiser
b4c710576e
Merge pull request #10782 from stevenhorsman/clh-metrics-write-update
metrics: Increase minval range for blogbench test
2025-01-24 10:21:20 -05:00
Fabiano Fidêncio
b47cc6fffe cri-containerd: Skip TestDeviceCgroup till it's adapted to cgroupsv2
As the devices controller works in a different way in cgroupsv2, the
"/sys/fs/cgroup/devices/devices.list" file simply doesn't exist.

For now, let's skip the test till the test maintainer decides to
re-enable it for cgroupsv2.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
Fabiano Fidêncio
0626d7182a tests: k8s-cpu-ns: Adapt to cgroupsv2
The changes done are:
* cpu/cpu.shares was replaced by cpu.weight
  * The weight, according to our reference[0], is calculated by:
    weight = (1 + ((request - 2) * 9999) / 262142)

* cpu/cpu.cfs_quota_us & cpu/cpu.cfs_period_us were replaced by cpu.max,
  where quota and period are written together (in this order)

[0]: https://github.com/containers/crun/blob/main/crun.1.md#cgroup-v2

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
Fabiano Fidêncio
4307f0c998 Revert "ci: mariner: Ensure kernel_params can be set"
This reverts commit 091ad2a1b2, in order
to ensure tests would be running with cgroupsv2 on the guest.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
stevenhorsman
d031e479ab metrics: Increase minval range for blogbench test
In the last couple of days I've seen the blogbench
metrics write latency test on clh fail a few times because
the latency was too low, so adjust the minimum range
to tolerate quicker finishes.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-23 15:58:31 +00:00
Fabiano Fidêncio
734ef71cf7 tests: k8s: confidential: Cleanup $HOME/.ssh/known_hosts
I've noticed the following error when running the tests with SEV:
```
2025-01-21T17:10:28.7999896Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8000614Z # @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
2025-01-21T17:10:28.8001217Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8001857Z # IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
2025-01-21T17:10:28.8003009Z # Someone could be eavesdropping on you right now (man-in-the-middle attack)!
2025-01-21T17:10:28.8003348Z # It is also possible that a host key has just been changed.
2025-01-21T17:10:28.8004422Z # The fingerprint for the ED25519 key sent by the remote host is
2025-01-21T17:10:28.8005019Z # SHA256:x7wF8zI+LLyiwphzmUhqY12lrGY4gs5qNCD81f1Cn1E.
2025-01-21T17:10:28.8005459Z # Please contact your system administrator.
2025-01-21T17:10:28.8006734Z # Add correct host key in /home/kata/.ssh/known_hosts to get rid of this message.
2025-01-21T17:10:28.8007031Z # Offending ED25519 key in /home/kata/.ssh/known_hosts:178
2025-01-21T17:10:28.8007254Z #   remove with:
2025-01-21T17:10:28.8008172Z #   ssh-keygen -f "/home/kata/.ssh/known_hosts" -R "10.244.0.71"
```

And this was causing a failure to ssh into the confidential pod.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Fabiano Fidêncio
18137b1583 tests: k8s: confidential: Increase log_buf_len to 4M
Relying on dmesg is really not ideal, as we may lose important info,
mainly those which happen very early in the boot, depending on the size
of kernel ring buffer.

So, for this specific test, let's increase the kernel ring buffer, by
default, to 4M.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Aurélien Bombo
0d70dc31c1 ci: Unify on $GH_PR_NUMBER environment variable
While working on #10559, I realized that some parts of the codebase use
$GH_PR_NUMBER, while other parts use $PR_NUMBER.

Notably, in that PR, since I used $GH_PR_NUMBER for CoCo non-TEE tests
without realizing that TEE tests use $PR_NUMBER, the tests on that PR
fail on TEEs:

https://github.com/kata-containers/kata-containers/actions/runs/12818127344/job/35744760351?pr=10559#step:10:45

  ...
  44      error: error parsing STDIN: error converting YAML to JSON: yaml: line 90: mapping values are not allowed in this context
  ...
  135               image: ghcr.io/kata-containers/csi-kata-directvolume:
  ...

So let's unify on $GH_PR_NUMBER so that this issue doesn't repro in the
future: I replaced all instances of PR_NUMBER with GH_PR_NUMBER.

Note that since some test scripts also refer to that variable, the CI
for this PR will fail (would have also happened with the converse
substitution), hence I'm not adding the ok-to-test label and we should
force-merge this after review.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-01-17 10:53:08 -06:00
Hyounggyu Choi
f7816e9206 tests: Introduce retry_kubectl_apply() for trusted storage
On s390x, some tests for trusted storage occasionally failed due to:

```bash
etcdserver: request timed out
```

or

```bash
Internal error occurred: resource quota evaluation timed out
```

These timeouts were not observed previously on k3s but occur
sporadically on kubeadm. Importantly, they appear to be temporary
and transient, which means they can be ignored in most cases.

To address this, we introduced a new wrapper function, `retry_kubectl_apply()`,
for `kubectl create`. This function retries applying a given manifest up to 5
times if it fails due to a timeout. However, it will still catch and handle
any other errors during pod creation.

Fixes: #10651

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-14 21:15:44 +01:00
Pradipta Banerjee
36580bb642 tests: Update sealed secret CI value to base64url
The existing encoding was base64 and it fails due to
874948638a

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
2025-01-13 09:37:05 -05:00
Zvonko Kaiser
f08a9eac11
Merge pull request #10721 from stevenhorsman/more-metrics-latency-minimum-range-fixes
metrics: Increase latency test range
2025-01-10 21:59:39 -05:00
Wainer Moschetta
5fae2a9f91
Merge pull request #9871 from wainersm/fix-print_cluster_name
tests/gha-run-k8s-common: shorten AKS cluster name
2025-01-09 14:35:02 -03:00
stevenhorsman
aaae5b6d0f metrics: clh: Increase network-iperf3 range
We hit a failure with:
```
time="2025-01-09T09:55:58Z" level=warning msg="Failed Minval (0.017600 > 0.015000) for [network-iperf3]"
```
The range is very big, but in the last 3 test runs I reviewed we have got a minimum value of 0.015s
and a max value of 0.052, so there is a ~350% difference possible
so I think we need to have a wide range to make this stable.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-09 11:25:57 +00:00
stevenhorsman
e946d9d5d3 metrics: qemu: Increase latency test range
After the kernel version bump, in the latest nightly run
https://github.com/kata-containers/kata-containers/actions/runs/12681309963/job/35345228400
The sequential read throughput result was 79.7% of the expected (so failed)
and the sequential write was 84% of the expected, so was fairly close,
so increase their minimum ranges to make them more robust.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-09 11:25:50 +00:00
Wainer dos Santos Moschetta
badc208e9a tests/gha-run-k8s-common: shorten AKS cluster name
Because az client restricts the name to be less than 64 characters. In
some cases (e.g. KATA_HYPERVISOR=qemu-runtime-rs) the generated name
will exceed the limit. This changed the function to shorten the name:

* SHA1 is computed from metadata then compound the cluster's name
* metadata as plain-text are passed as --tags

Fixes: #9850
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-01-08 16:39:07 -03:00
Fabiano Fidêncio
8f8988fcd1
Merge pull request #10714 from fidencio/topic/update-virtiofsd
virtiofsd: Update to its v1.13.0 ( + one patch) release :-)
2025-01-08 17:59:29 +01:00
Fabiano Fidêncio
eb3fe0d27c
Merge pull request #10717 from fidencio/topic/re-enable-oom-test-for-mariner
tests: Re-enable oom tests for mariner
2025-01-08 17:43:56 +01:00
stevenhorsman
dc069d83b5 metrics: Increase latency test range
The bump to kernel 6.12 seems to have reduced the latency in
the metrics test, so increase the ranges for the minimal value,
to account for this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-08 15:11:49 +00:00
Fabiano Fidêncio
967d5afb42 Revert "tests: k8s: Skip one of the empty-dir tests"
This reverts commit 9aea7456fb.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-08 14:07:34 +01:00
Fabiano Fidêncio
53ac0f00c5 tests: Re-enable oom tests for mariner
Since we bumped to the 6.12.x LTS kernel, we've also adjusted the
aggressivity of the OOM test, which may be enough to allow us to
re-enable it for mariner.

Fixes: #8821

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-07 18:33:17 +01:00
Fabiano Fidêncio
f4a39e8c40
Merge pull request #10468 from fidencio/topic/early-tests-on-next-lts-kernel
versions: Move kernel to the latest 6.12 release (the current LTS)
2025-01-07 18:02:04 +01:00
Fupan Li
b19db40343 CI: change the containerd tarball name to containerd
Since from https://github.com/containerd/containerd/pull/9096
containerd removed cri-containerd-*.tar.gz release bundles,
thus we'd better change the tarball name to "containerd".

BTW, the containerd tarball containerd the follow files:

bin/
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd-stress
bin/containerd
bin/containerd-shim-runc-v2

thus we should untar containerd into /usr/local directory instead of "/"
to keep align with the cri-containerd.

In addition, there's no containerd.service file,runc binary and cni-plugin
included, thus we should add a specific containerd.service file and
install install the runc binary and cni-pluginspecifically.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-01-07 17:39:05 +08:00
Fabiano Fidêncio
9aea7456fb tests: k8s: Skip one of the empty-dir tests
An issue has been created for this, and we should fix the issue before
the next release.  However, for now, let's unblock the kernel bump and
have the test skipped.

Reference: https://github.com/kata-containers/kata-containers/issues/10706

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-06 21:48:20 +01:00
Fabiano Fidêncio
44ff602c64 tests: k8s: Be more aggressive to get OOM
Let's increase the amount of bytes allocated per VM worker, so we can
hit the OOM sooner.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-06 21:48:20 +01:00
Fupan Li
2068801b80
Merge pull request #10626 from teawater/ma
Add mem-agent to kata
2024-12-24 14:11:36 +08:00
Steve Horsman
99f239bc44
Merge pull request #10380 from stevenhorsman/required-tests-guidance
doc: Add required jobs info
2024-12-20 16:24:42 +00:00
stevenhorsman
d1d4bc43a4 static-checks: Add words to dictionary
devmapper and snapshotters are being marked as spelling
errors, so add them to the kata dictionary

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-20 14:16:52 +00:00
stevenhorsman
dd02b6699e tests: Fix qemu-coc-dev skip
Fix the logic to make the test skipped on qemu-coco-dev,
rather than the opposite and update the syntax to make it
clearer as it incorrectly got written and reviewed by three
different people in it's prior form.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-19 19:50:46 +00:00
Hyounggyu Choi
341e5ca58e vfio-ap: Assign default string "0" for empty APID and APQI
The current script logic assigns an empty string to APID and APQI
when APQN consists entirely of zeros (e.g., "00.0000").
However, this behavior is incorrect, as "00" and "0000" are valid
values and should be represented as "0".
This commit ensures that the script assigns the default string “0”
to APID and APQI if their computed values are empty.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-12-13 14:39:03 +01:00
Ryan Savino
7d45382f54 Revert "ci: Skip the failing tests in SNP"
This reverts commit 2242aee099.
2024-12-10 16:20:31 -06:00
Aurélien Bombo
037281d699
Merge pull request #10593 from microsoft/saulparedes/improve_namespace_validation
policy: improve pod namespace validation
2024-12-09 11:55:09 -06:00
Hui Zhu
4407f6e098 mem-agent: Add to src
mem-agent is a component designed for managing memory in Linux
environments.
Sub-feature memcg: Utilizes the MgLRU feature to monitor each cgroup's
memory usage and periodically reclaim cold memory.
Sub-feature compact: Periodically compacts memory to facilitate the
kernel's free page reporting feature, enabling the release of more idle
memory from guests.
During memory reclamation and compaction, mem-agent monitors system
pressure using Pressure Stall Information (PSI). If the system pressure
becomes too high, memory reclamation or compaction will automatically
stop.

Fixes: #10625

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2024-12-06 10:00:02 +08:00
Wainer Moschetta
a94982d8b8
Merge pull request #10617 from stevenhorsman/skip-k8s-job-test-on-non-tee
tests: Skip k8s job test on qemu-coco-dev
2024-12-04 15:47:33 -03:00
Saul Paredes
84a411dac4 policy: improve pod namespace validation
- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-04 10:17:54 -08:00
Steve Horsman
c86f76d324
Merge pull request #10588 from stevenhorsman/metrics-clh-min-range-relaxation
metrics: Increase minval range for failing tests
2024-12-04 16:10:26 +00:00
stevenhorsman
a8ccd9a2ac tests: Skip k8s job test on qemu-coco-dev
The tests is unstable on this platform, so skip it for now to prevent
the regular known failures covering up other issues. See #10616

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-04 16:00:05 +00:00
Saul Paredes
711d12e5db policy: support optional metadata uid field
This prevents a deserialization error when uid is specified

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-02 11:24:58 -08:00
stevenhorsman
b87b4b6756 metrics: Increase ranges range for qemu failing tests
We've also seen the qemu metrics tests are failing due to the results
being slightly outside the max range for network-iperf3 parallel and minimum for network-iperf3 jitter tests on PRs that have no code changes,
so we've increase the bounds to not see false negatives.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-29 10:52:16 +00:00
stevenhorsman
4011071526 metrics: Increase minval range for failing tests
We've seen a couple of instances recently where the metrics
tests are failing due to the results being below the minimum
value by ~2%.
For tests like latency I'm not sure why values being too low would
be an issue, but I've updated the minpercent range of the failing tests
to try and get them passing.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-29 10:50:02 +00:00
Aurélien Bombo
16a91fccbe
Merge pull request #10561 from sprt/csi-driver-ci
coco: ci: Lay groundwork for compiling and publishing CSI driver image [1/x]
2024-11-27 10:26:45 -06:00
Aurélien Bombo
5e4990bcf5 coco: ci: Add no-op steps to deploy CSI driver
This adds no-op steps that'll be used to deploy and clean up the CSI driver
used for testing.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-21 16:08:06 -06:00
Adithya Krishnan Kannan
2242aee099 ci: Skip the failing tests in SNP
Per [Issue#10549](https://github.com/kata-containers/kata-containers/issues/10549),
the following tests are failing on SNP.
1. k8s-guest-pull-image-encrypted.bats
2. k8s-guest-pull-image-authenticated.bats
3. k8s-guest-pull-image-signature.bats
4. k8s-confidential-attestation.bats

Per @fidencio 's comment on
[PR#10558](https://github.com/kata-containers/kata-containers/pull/10558),
I am skipping the same.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-19 10:41:43 -06:00
Fabiano Fidêncio
9b1a5f2ac2 tests: Add a way to run only tests which rely on attestation
We're doing this as, at Intel, we have two different kind of machines we
can plug into our CI.  Without going much into details, only one of
those two kinds of machines will work for the attestation tests we
perform with ITA, thus in order to speed up the CI and improve test
coverage (OS wise), we're going to run different tests in different
machines.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-14 15:51:57 +01:00
GabyCT
06fe459e52
Merge pull request #10508 from GabyCT/topic/installartsta
gha: Get artifacts when installing kata tools in stability workflow
2024-11-11 15:59:06 -06:00
Fabiano Fidêncio
2281342fb8
Merge pull request #10513 from fidencio/topic/ci-adjust-proxy-nightmare-for-tdx
ci: tdx: kbs: Ensure https_proxy is taken in consideration
2024-11-10 00:17:10 +01:00
Saul Paredes
461efc0dd5 tests: remove manifest v1 test
This test was meant to show support for pulling images with v1 manifest schema versions.

The nginxhttps image has been modified in https://hub.docker.com/r/ymqytw/nginxhttps/tags such that we are no longer able to pull it:

$ docker pull ymqytw/nginxhttps:1.5
Error response from daemon: missing signature key

We may remove this test since schema version 1 manifests are deprecated per
https://docs.docker.com/engine/deprecated/#pushing-and-pulling-with-image-manifest-v2-schema-1 :
"These legacy formats should no longer be used, and users are recommended to update images to use current formats, or to upgrade to more
current images". This schema version was used by old docker versions. Further OCI spec
https://github.com/opencontainers/image-spec/blob/main/manifest.md#image-manifest-property-descriptions only supports schema version 2.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-11-08 13:38:51 -08:00
Fabiano Fidêncio
baf88bb72d ci: tdx: kbs: Ensure https_proxy is taken in consideration
Trustee's deployment must set the correct https_proxy as env var on the
container that will talk to the ITA / ITTS server, otherwise the kbs
service won't be able to start, causing then issues in our CI.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: Krzysztof Sandowicz <krzysztof.sandowicz@intel.com>
2024-11-08 16:06:16 +01:00
Steve Horsman
1f728eb906
Merge pull request #10498 from stevenhorsman/update-create-container-timeout-log
tests: k8s: Update image pull timeout error
2024-11-08 10:47:39 +00:00
Gabriela Cervantes
4274198664 gha: Get artifacts when installing kata tools in stability workflow
This PR adds the get artifacts which are needed when installing kata
tools in stability workflow to avoid failures saying that artifacts
are missing.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-11-07 16:20:41 +00:00
GabyCT
47cea6f3c6
Merge pull request #10493 from GabyCT/topic/katatoolsta
gha: Add install kata tools as part of the stability workflow
2024-11-06 14:16:48 -06:00
Gabriela Cervantes
13e27331ef gha: Add install kata tools as part of the stability workflow
This PR adds the install kata tools step as part of the k8s stability workflow.
To avoid the failures saying that certain kata components are not installed it.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-11-06 20:07:06 +00:00
Fabiano Fidêncio
71c4c2a514
Merge pull request #10486 from kata-containers/topic/enable-AUTO_GENERATE_POLICY-for-qemu-coco-dev
workflows: Use AUTO_GENERATE_POLICY for qemu-coco-dev
2024-11-06 21:04:45 +01:00
stevenhorsman
85554257f8 tests: k8s: Update image pull timeout error
Currently the error we are checking for is
`CreateContainerRequest timed out`, but this message
doesn't always seem to be printed to our pod log.
Try using a more general message that should be present
more reliably.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-06 17:00:26 +00:00
Julien Ropé
da5e0c3f53 ci: skip nginx connectivity test with crio
We have an error with service name resolution with this test when using crio.
This error could not be reproduced outside of the CI for now.
Skipping it to keep the CI job running until we find a solution.

See: #10414

Signed-off-by: Julien Ropé <jrope@redhat.com>
2024-11-06 12:07:02 +01:00
Julien Ropé
6d0cb1e9a8 ci: export CONTAINER_RUNTIME to the test scripts
This variable will allow tests to adapt their behaviour to the runtime (containerd/crio).

Signed-off-by: Julien Ropé <jrope@redhat.com>
2024-11-06 11:29:11 +01:00
Fabiano Fidêncio
72979d7f30 workflows: Use AUTO_GENERATE_POLICY for qemu-coco-dev
By the moment we're testing it also with qemu-coco-dev, it becomes
easier for a developer without access to TEE to also test it locally.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-06 10:47:08 +01:00
Dan Mihai
03bf4433d7
Merge pull request #10459 from stevenhorsman/update-bats
tests: k8s: Update bats
2024-11-04 12:26:58 -08:00
Aurélien Bombo
f639d3e87c
Merge pull request #10395 from Sumynwa/sumsharma/create_container
agent-ctl: Add support to test kata-agent's container creation APIs.
2024-11-04 14:09:12 -06:00
Gabriela Cervantes
fd4d0dd1ce gha: Fix source for gha stability run script
This PR fixes the source to avoid duplication specially in the common.sh
script and avoid failures saying that certain script is not in the directory.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-11-04 16:16:13 +00:00
stevenhorsman
175ebfec7c Revert "k8s:kbs: Add trap statement to clean up tmp files"
This reverts commit 973b8a1d8f.

As @danmihai1 points out https://github.com/bats-core/bats-core/issues/364
states that using traps in bats is error prone, so this could be the cause
of the confidential test instability we've been seeing, like it was
in the static checks, so let's try and revert this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-04 09:59:37 +00:00
stevenhorsman
75cb1f46b8 tests/k8s: Add skip is setup_common fails
At @danmihai1's suggestion add a die message in case
the call to setup_common fails, so we can see if in the test
output.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-04 09:59:33 +00:00
stevenhorsman
3f5bf9828b tests: k8s: Update bats
We've seen some issues with tests not being run in
some of the Coco CI jobs (Issue #10451) and in the
envrionments that are more stable we noticed that
they had a newer version of bats installed.

Try updating the version to 1.10+ and print out
the version for debug purposes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-04 09:59:33 +00:00
Sumedh Alok Sharma
4b7aba5c57 agent-ctl: Add support to test kata-agent's container creation APIs.
This commit introduces changes to enable testing kata-agent's container
APIs of CreateContainer/StartContainer/RemoveContainer. The changeset
include:
- using confidential-containers image-rs crate to pull/unpack/mount a
container image. Currently supports only un-authenicated registry pull
- re-factor api handlers to reduce cmdline complexity and handle
request generation logic in tool
- introduce an OCI config template for container creation
- add test case

Fixes #9707

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-11-01 22:18:54 +05:30
Gabriela Cervantes
c4089df9d2 gha: Add missing steps in Kata stability workflow
This PR adds missing steps in the gha run script for the kata stability
workflow.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-10-30 19:13:15 +00:00
Hyounggyu Choi
dca69296ae
Merge pull request #10476 from BbolroC/switch-to-kubeadm-s390x
gha: Switch KUBERNETES from k3s to kubeadm on s390x
2024-10-30 09:52:06 +01:00
GabyCT
8539cd361a
Merge pull request #10462 from GabyCT/topic/increstress
tests: Increase time to run stressng k8s tests
2024-10-29 11:08:47 -06:00
Hyounggyu Choi
238f67005f tests: Add kubeadm option for KUBERNETES in gha-run.sh
When creating a k8s cluster via kubeadm, the devmapper setup
for containerd requires a different configuration.
This commit introduces a new `kubeadm` option for the KUBERNETES
variable and adjusts the path to the containerd config file for
devmapper setup.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-10-29 14:19:42 +01:00
stevenhorsman
b1cffb4b09 Revert "tests: Add trap statement in kata doc script"
This reverts commit 093a6fd542.
as it is breaking the static checks

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-10-29 09:57:18 +00:00
Fabiano Fidêncio
b70d7c1aac
tests: Enable measured rootfs tests for qemu-coco-dev
Then it's on pair with what's being tested with TEEs using a rootfs
image.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-28 12:43:54 +01:00
Fabiano Fidêncio
7d202fc173
tests: Re-enable measured_rootfs test for TDX
As we're now building everything needed to test TDX with measured rootfs
support, let's bring this test back in (for TDX only, at least for now).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-28 12:43:53 +01:00
Fabiano Fidêncio
eb07a809ce
tests: Add a helper script to use prebuild components
This is a helper script that does basically what's already being done by
the s390x CI, which is:
* Move a folder with the components that we were stored / downloaded
  during the GHA execution to the expected `build` location
* Get rid of the dependencies for a specific asset, as the dependencies
  are already pulled in from previous GHA steps

For now this script is only being added but not yet executed anywhere,
and that will come as the next step in this series.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-28 12:43:52 +01:00
Gabriela Cervantes
a3ef8c0a16 tests: Increase time to run stressng k8s tests
This PR increase the time to run the stressng k8s tests for the
CoCo stability CI.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-10-24 16:34:17 +00:00
Gabriela Cervantes
093a6fd542 tests: Add trap statement in kata doc script
This PR adds the trap statement into the kata doc
script to clean up properly the temporary files.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-10-23 15:56:58 +00:00
alex.lyn
b25538f670 ci: Introduce CI to validate pod hostname
Fixes #10422

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2024-10-21 16:32:56 +01:00
GabyCT
b00203ba9b
Merge pull request #10428 from GabyCT/topic/archk8sc
gha: Use a arch_to_golang variable to have uniformity
2024-10-17 11:00:59 -06:00
Gabriela Cervantes
f0e0c74fd4 gha: Use a arch_to_golang variable to have uniformity
This PR replaces the arch uname -m to use the arch_to_golang
variable in the script to have a better uniformity across the script.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-10-15 20:03:09 +00:00
Dan Mihai
ece0f9690e tests: k8s-inotify: longer pod termination timeout
inotify-configmap-pod.yaml is using: "inotifywait --timeout 120",
so wait for up to 180 seconds for the pod termination to be
reported.

Hopefully, some of the sporadic errors from #10413 will be avoided
this way:

not ok 1 configmap update works, and preserves symlinks
waitForProcess "${wait_time}" "$sleep_time" "${command}" failed

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-10-15 16:01:25 +00:00
Dan Mihai
ccfb7faa1b tests: k8s-inotify.bats: don't leak configmap
Delete the configmap if the test failed, not just on the successful
path.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-10-15 16:01:25 +00:00
Leonard Cohnen
c06bf2e3bb genpolicy: read binaryData value as String
While Kubernetes defines `binaryData` as `[]byte`,
when defined in a YAML file the raw bytes are
base64 encoded. Therefore, we need to read the YAML
value as `String` and not as `Vec<u8>`.

Fixes: #10410

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-10-14 20:03:11 +02:00
Fabiano Fidêncio
cf5d3ed0d4 kbs: ita: Ensure the proper image / image_tag is used for ITA
When dealing with a specific release, it was easier to just do some
adjustments on the image that has to be used for ITA without actually
adding a new entry in the versions.yaml.

However, it's been proven to be more complicated than that when it comes
to dealing with staged images, and we better explicitly add (and
update) those versions altogether to avoid CI issues.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-10 10:01:33 +02:00
Fabiano Fidêncio
3f7ce1d620
Merge pull request #10401 from stevenhorsman/kbs-deploy-overlays-update
Kbs deploy overlays update
2024-10-10 09:50:19 +02:00
Fabiano Fidêncio
091ad2a1b2
ci: mariner: Ensure kernel_params can be set
The reason we're doing this is because mariner image uses, by default,
cgroups default-hierarchy as `unified` (aka, cgroupsv2).

In order to keep the same initrd behaviour for mariner, let's enforce
that `SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1
systemd.legacy_systemd_cgroup_controller=yes
systemd.unified_cgroup_hierarchy=0` is passed to the kernel cmdline, at
least for now.

Other tests that are setting `kernel_params` are not running on mariner,
then we're safe taking this path as it's done as part of this PR.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-09 18:23:35 +02:00
Fabiano Fidêncio
3bbf3c81c2
ci: mariner: Use the image instead of the initrd
As an image has been added for mariner as part of the commit 63c1f81c2,
let's start using it in the CI, instead of using the initrd.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-10-09 18:23:32 +02:00
stevenhorsman
8763880e93 tests/k8s: kbs: Update overlays logic
In https://github.com/confidential-containers/trustee/pull/521
the overlays logic was modified to add non-SE
s390x support and simplify non-ibm-se platforms.
We need to update the logic in `kbs_k8s_deploy`
to match and can remove the dummying of `IBM_SE_CREDS_DIR`
for non-SE now

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-10-09 09:39:41 +01:00
ChengyuZhu6
a94024aedc tests: add test for sealed file secrets
add a test for sealed file secrets.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-10-08 16:01:48 +08:00
Dan Mihai
6d5fc898b8 tests: k8s: AUTO_GENERATE_POLICY=yes for local testing
The behavior of Kata CI doesn't change.

For local testing using kubernetes/gha-run.sh and AUTO_GENERATE_POLICY=yes:

1. Before these changes users were forced to use:
- SEV, SNP, or TDX guests, or
- KATA_HOST_OS=cbl-mariner

2. After these changes users can also use other platforms that are
configured with "shared_fs = virtio-fs" - e.g.,
- KATA_HOST_OS=ubuntu + KATA_HYPERVISOR=qemu

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-10-04 18:26:00 +00:00
Dan Mihai
5aaef8e6eb
Merge pull request #10376 from microsoft/danmihai1/auto-generate-just-for-ci
gha: enable AUTO_GENERATE_POLICY where needed
2024-10-04 10:52:31 -07:00