Commit Graph

1767 Commits

Author SHA1 Message Date
Gus Minto-Cowcher
3b5cd2aad6 helm: remove qemu-sev references
qemu-sev support has been removed, but those bits were left behind by
mistake.

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
41d41d51f7 helm: add nodeSelector support to kata-deploy chart
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
7d709a0759
Merge pull request #11493 from stevenhorsman/agent-ctl-tag-cache
ci: cache: Tag agent-ctl cache
2025-07-18 12:12:46 +02:00
Zvonko Kaiser
a786dc48b0 kernel: fix enable kernel debug
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-18 02:24:19 +00:00
Zvonko Kaiser
ca4f96ed00 shellcheck: fix kernel/build.sh
Refactor code to make shellcheck happy

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-17 10:15:41 +02:00
stevenhorsman
51f41b1669 ci: cache: Tag agent-ctl cache
The peer pods project is using the agent-ctl tool in some
tests, so tagging our cache will let them more easily identify
development versions of kata for testing between releases.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-16 11:32:33 +01:00
Fabiano Fidêncio
9cebbab29d
Merge pull request #11335 from zvonkok/fix-kata-deploy.sh
gpu: Fix kata deploy.sh
2025-07-15 19:50:44 +02:00
Zvonko Kaiser
c56c896fc6 qemu: remove the experimental suffix for qemu-snp
We switched to vanilla QEMU for the CPU SNP use-case.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:49:58 +02:00
Zvonko Kaiser
a282fa6865 gpu: Add TDX related runtime adjustments
We have the QEMU adjustments for SNP but missing those for TDX

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:49:56 +02:00
Zvonko Kaiser
0d2993dcfd kernel: bump kernel version
Obligatory kernel version bump

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:48:23 +02:00
Zvonko Kaiser
a4597672c0 kernel: Add KERNEL_DEBUG_ENABLED to build scripts
We want to be able to build a debug version of the kernel for various
use-cases like debugging, tracing and others.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:48:03 +02:00
Fabiano Fidêncio
aac555eeff
Merge pull request #11571 from fidencio/topic/fix-nvidia-gpu-initrd-cache
build: Fix cache for nvidia-gpu-initrd builds
2025-07-15 16:28:03 +02:00
Fabiano Fidêncio
11c744c5c3
Merge pull request #11567 from zvonkok/remove-gpu-admin-tools
Remove gpu admin tools
2025-07-15 15:11:56 +02:00
Fabiano Fidêncio
3e86f3a95c build: Rename rootfs-nvidia-* to fix cache issues
The convention for rootfs-* names is:
* rootfs-${image_type}-${special_build}

If this is not followed, cache will never work as expected, leading to
building the initrd / image on every single build, which is specially
constly when building the nvidia specific targets.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-15 14:48:45 +02:00
Zvonko Kaiser
da17b06d28 gpu: Pin toolkit version
New versions have incompatibilites, pin toolkit to a working
version

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-14 22:07:21 +00:00
Zvonko Kaiser
97a4a1574e gpu: Remove gpu-admin-tools
NVRC got a new feature reading the CC mode directly from register

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-14 21:59:31 +00:00
Hyounggyu Choi
a224b4f9e4 ci: Make qemu-coco-dev for s390x (zVSI) required again
As the following job has passed 10 days in a row for the nightly test:

```
kata-containers-ci-on-push / run-k8s-tests-on-zvsi / run-k8s-tests (nydus, qemu-coco-dev, kubeadm)
```

this commit makes the job required again.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-07-14 11:03:54 +02:00
Arvind Kumar
afedad0965 kernel: Removing SEV kernel packages
Removing kernel config files realting
to SEV as part of the SEV deprecation
efforts.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-07 11:21:11 -05:00
Arvind Kumar
675ea86aba kata-deploy: Removing SEV from kata-deploy
Removing files related to SEV, responsible for
installing and configuring Kata containers.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-07 11:17:32 -05:00
Fabiano Fidêncio
2c2995b7b0 tests: runtimeclasses: Adjust gpu runtimeclasses
679cc9d47c was merged and bumped the
podoverhead for the gpu related runtimeclasses. However, the bump on the
`kata-runtimeClasses.yaml` as overlooked, making our tests fail due to
that discrepancy.

Let's just adjust the values here and move on.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-07 11:43:40 +02:00
Fabiano Fidêncio
ef545eed86
Merge pull request #11513 from lifupan/dragonball_6.12.x
tools: port the dragonball kernel patch to 6.12.x
2025-07-07 10:31:49 +02:00
Fabiano Fidêncio
a2faf93211 kernel: Bump to v6.12.36
As that's the latest releasesd LTS.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-06 23:48:20 +02:00
Fupan Li
fd21c9df59 tools: port the dragonball kernel patch to 6.12.x
Backport the dragonball's kernel patches to
6.12.x kernel version.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-07-06 23:48:20 +02:00
Zvonko Kaiser
679cc9d47c gpu: Update runtimeClasses for correct podoverhead
We cannot only rely only on default_cpu and default_memory in the
config, default is 1 and 2Gi but we need some overhead for QEMU and
the other related binaries running as the pod overhead. Especially
when QEMU is hot-plugging GPUs, CPUs, and memory it can consume more
memory.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-04 12:20:15 -04:00
Alex Lyn
362ea54763
Merge pull request #11517 from zvonkok/fix-nvrc-build
gpu: NVRC static build
2025-07-04 13:51:03 +08:00
Aurélien Bombo
fe532f9d04
Merge pull request #11475 from kata-containers/sprt/zizmor-fixes
security: ci: Fixes for Zizmor GHA security scanning
2025-07-03 13:29:47 -05:00
Zvonko Kaiser
c3b2d69452 gpu: NVRC static build
We had the proper config.toml configuration for static builds
but were building the glibc  target and not the musl target.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-03 15:31:00 +00:00
Fabiano Fidêncio
e2b93fff3f build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var
This helps considerably to avoid patching the code, and just adjusting
the build environment to use a smaller alignment than the default one.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-28 00:05:20 +02:00
Aurélien Bombo
d94085916e ci: set Zizmor as required test
This adds Zizmor GHA security scanning as a PR gate.

Note that this does NOT require that Zizmor returns 0 alerts, but rather
that Zizmor's invocation completes successfully (regardless of how many
alerts it raises).

I will set up the former after this commit is merged (through the GH UI).

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 12:36:41 -05:00
Saul Paredes
d53c720ac1 tools: kata-monitor: update go version used to build in Dockerfile
Current Dockerfile fails when trying to build from the root of the repo
docker build -t kata-monitor -f tools/packaging/kata-monitor/Dockerfile .
with "invalid go version '1.23.0': must match format 1.23"

Using go 1.23 in the Dockerfile fixes the build error

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-25 15:32:41 -07:00
stevenhorsman
d9defd5102 osbuilder: Update image-builder base to f42
Fedora 40 is EoL, and I've seen the registry pull fail
a few times recently, so let's bump to fedora 42 which
has 10 months of support left.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:30 +01:00
stevenhorsman
6fc622ef0f release: Bump version to 3.18.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 19:09:42 +01:00
Steve Horsman
4e3238b9dc
Merge pull request #11337 from zvonkok/fix-module-signing
gpu: Fix module signing
2025-06-18 17:23:51 +01:00
Zvonko Kaiser
e2f18057a4 kernel: Add config option for signing
Only sign the kernel if the user has provided the KBUILD_SIGN_PIN
otherwise ignore.

Whole here, let's move the functionality to the common fragments as it's
not a GPU specific functionality.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-18 15:32:26 +02:00
stevenhorsman
b20f89b775 ci: required-tests: Remove test skip
Remove the rule that causes gatekeeper to skip tests
if we've only updated the required-tests.yaml list.
Although update to just the required-tests.yaml
doesn't change the outcome of any of the CI tests, it
does change whether gatekeeper will still pass with the new
rules. Although it's a bit of a hit to run the CI, it's probably
worth it to keep gatekeeper validated.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
stevenhorsman
d68b09a4f0 ci: required-tests: cri-containerd rename
Update the names of the required jobs based on
the changes done in #11019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
Steve Horsman
d754e3939b
Merge pull request #11427 from BbolroC/bump-rootfs-confidential-s390x
rootfs: Bump rootfs-{image,initrd} to 24.04
2025-06-18 09:06:58 +01:00
Hyounggyu Choi
4be261f248 rootfs: Bump rootfs-{image,initrd} to 24.04
Since #11197 was merged, all confidential k8s e2e tests for s390x
have been failing with the following errors:

```
attestation-agent: error while loading shared libraries:
libcurl.so.4: cannot open shared object file
libnghttp2.so.14: cannot open shared object file
```

In line with the update on x86_64, we need to upgrade the OS used
in rootfs-{image,initrd} on s390x.
This commit also bumps all 22.04 to 24.04 for all architectures.
For s390x, this ensures the missing packages listed above are
installed.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-06-17 22:03:26 +02:00
Mikko Ylinen
825b1cd233 kata-deploy: accept 25.04 as supported distro for TDX
the latest Canonical TDX release supports 25.04 / Plucky as
well. Users experimenting with the latest goodies in the
25.04 TDX enablement won't get Kata deployed properly.

This change accepts 25.04 as supported distro for TDX.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-16 13:42:08 +01:00
Xynnn007
5bab460224 chore(deps): update guest-components
This patch updates the guest-components to new version with better
error logging for CDH. It also allows the config of AA not having a
coco_as token config.

Also, the new version of CDH requires to build aws-lc-sys thus needs to
install cmake for build.

See

https://github.com/kata-containers/kata-containers/actions/runs/15327923347/job/43127108813?pr=11197#step:6:1609

for details.

Besides, the new version of guest-components have some fixes for SNP
stack, which requires the updates of trustee side.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
7420194ea8 build: abandon PULL_TYPE build env
Now kata-agent by default supports both guest pull and host pull
abilities, thus we do not need to specify the PULL_TYPE env when
building kata-agent.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:53:55 +08:00
Xynnn007
6b1249186f agent: embed ocicrypt config in rootfs by default
Now the ocicrypt configuration used by CDH is always the same and it's
not a good practics to write it into the rootfs during runtime by
kata-agent. Thus we now move it to coco-guest-components build script.
The config will be embedded into guest image/initrd together with CDH
binary.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Steve Horsman
c8fcda0d73
Merge pull request #11407 from Champ-Goblem/fix/nvidia-rootfs-only-copy-opa-when-agent-policy-enabled
nvidia-rootfs: only copy `kata-opa` if `AGENT_POLICY` is enabled
2025-06-11 13:39:07 +01:00
Champ-Goblem
d6c45027f5 nvidia-rootfs: only copy kata-opa if AGENT_POLICY is enabled
In the nvidia rootfs build, only copy in `kata-opa` if `AGENT_POLICY` is enabled. This fixes
builds when `AGENT_POLICY` is disabled and opa is not built.

Signed-off-by: Champ-Goblem <cameron@northflank.com>
2025-06-11 11:25:10 +02:00
Aurélien Bombo
31288ea7fc
Merge pull request #11398 from kata-containers/sprt/undo-mariner-hotfix
Revert "ci: Fix Mariner rootfs build failure"
2025-06-10 16:09:08 -05:00
Aurélien Bombo
f34010cc94
Merge pull request #11388 from kata-containers/sprt/azure-oidc
ci: Use OIDC to log into Azure
2025-06-10 13:08:44 -05:00
Aurélien Bombo
004c1a4595 Revert "ci: Fix Mariner rootfs build failure"
This reverts commit dfa25a42ff.

The original issue was fixed:

https://github.com/microsoft/azurelinux/issues/13971#issuecomment-2956384627
2025-06-09 14:06:07 -05:00
Aurélien Bombo
dfa25a42ff ci: Fix Mariner rootfs build failure
This implements a workaround for microsoft/azurelinux#13971 to unblock
the CI.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-09 10:56:10 -05:00
Aurélien Bombo
9dd3807467 ci: Use OIDC to log into Azure
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-06 15:26:10 -05:00
Aurélien Bombo
8c3f8f8e21
Merge pull request #11339 from kata-containers/sprt/require-agent-ctl
ci: Require agent-ctl tests
2025-06-03 11:58:33 -04:00