Commit Graph

1743 Commits

Author SHA1 Message Date
Alex Lyn
362ea54763
Merge pull request #11517 from zvonkok/fix-nvrc-build
gpu: NVRC static build
2025-07-04 13:51:03 +08:00
Aurélien Bombo
fe532f9d04
Merge pull request #11475 from kata-containers/sprt/zizmor-fixes
security: ci: Fixes for Zizmor GHA security scanning
2025-07-03 13:29:47 -05:00
Zvonko Kaiser
c3b2d69452 gpu: NVRC static build
We had the proper config.toml configuration for static builds
but were building the glibc  target and not the musl target.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-03 15:31:00 +00:00
Fabiano Fidêncio
e2b93fff3f build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var
This helps considerably to avoid patching the code, and just adjusting
the build environment to use a smaller alignment than the default one.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-28 00:05:20 +02:00
Aurélien Bombo
d94085916e ci: set Zizmor as required test
This adds Zizmor GHA security scanning as a PR gate.

Note that this does NOT require that Zizmor returns 0 alerts, but rather
that Zizmor's invocation completes successfully (regardless of how many
alerts it raises).

I will set up the former after this commit is merged (through the GH UI).

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 12:36:41 -05:00
Saul Paredes
d53c720ac1 tools: kata-monitor: update go version used to build in Dockerfile
Current Dockerfile fails when trying to build from the root of the repo
docker build -t kata-monitor -f tools/packaging/kata-monitor/Dockerfile .
with "invalid go version '1.23.0': must match format 1.23"

Using go 1.23 in the Dockerfile fixes the build error

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-25 15:32:41 -07:00
stevenhorsman
d9defd5102 osbuilder: Update image-builder base to f42
Fedora 40 is EoL, and I've seen the registry pull fail
a few times recently, so let's bump to fedora 42 which
has 10 months of support left.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:30 +01:00
stevenhorsman
6fc622ef0f release: Bump version to 3.18.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 19:09:42 +01:00
Steve Horsman
4e3238b9dc
Merge pull request #11337 from zvonkok/fix-module-signing
gpu: Fix module signing
2025-06-18 17:23:51 +01:00
Zvonko Kaiser
e2f18057a4 kernel: Add config option for signing
Only sign the kernel if the user has provided the KBUILD_SIGN_PIN
otherwise ignore.

Whole here, let's move the functionality to the common fragments as it's
not a GPU specific functionality.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-18 15:32:26 +02:00
stevenhorsman
b20f89b775 ci: required-tests: Remove test skip
Remove the rule that causes gatekeeper to skip tests
if we've only updated the required-tests.yaml list.
Although update to just the required-tests.yaml
doesn't change the outcome of any of the CI tests, it
does change whether gatekeeper will still pass with the new
rules. Although it's a bit of a hit to run the CI, it's probably
worth it to keep gatekeeper validated.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
stevenhorsman
d68b09a4f0 ci: required-tests: cri-containerd rename
Update the names of the required jobs based on
the changes done in #11019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
Steve Horsman
d754e3939b
Merge pull request #11427 from BbolroC/bump-rootfs-confidential-s390x
rootfs: Bump rootfs-{image,initrd} to 24.04
2025-06-18 09:06:58 +01:00
Hyounggyu Choi
4be261f248 rootfs: Bump rootfs-{image,initrd} to 24.04
Since #11197 was merged, all confidential k8s e2e tests for s390x
have been failing with the following errors:

```
attestation-agent: error while loading shared libraries:
libcurl.so.4: cannot open shared object file
libnghttp2.so.14: cannot open shared object file
```

In line with the update on x86_64, we need to upgrade the OS used
in rootfs-{image,initrd} on s390x.
This commit also bumps all 22.04 to 24.04 for all architectures.
For s390x, this ensures the missing packages listed above are
installed.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-06-17 22:03:26 +02:00
Mikko Ylinen
825b1cd233 kata-deploy: accept 25.04 as supported distro for TDX
the latest Canonical TDX release supports 25.04 / Plucky as
well. Users experimenting with the latest goodies in the
25.04 TDX enablement won't get Kata deployed properly.

This change accepts 25.04 as supported distro for TDX.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-16 13:42:08 +01:00
Xynnn007
5bab460224 chore(deps): update guest-components
This patch updates the guest-components to new version with better
error logging for CDH. It also allows the config of AA not having a
coco_as token config.

Also, the new version of CDH requires to build aws-lc-sys thus needs to
install cmake for build.

See

https://github.com/kata-containers/kata-containers/actions/runs/15327923347/job/43127108813?pr=11197#step:6:1609

for details.

Besides, the new version of guest-components have some fixes for SNP
stack, which requires the updates of trustee side.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
7420194ea8 build: abandon PULL_TYPE build env
Now kata-agent by default supports both guest pull and host pull
abilities, thus we do not need to specify the PULL_TYPE env when
building kata-agent.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:53:55 +08:00
Xynnn007
6b1249186f agent: embed ocicrypt config in rootfs by default
Now the ocicrypt configuration used by CDH is always the same and it's
not a good practics to write it into the rootfs during runtime by
kata-agent. Thus we now move it to coco-guest-components build script.
The config will be embedded into guest image/initrd together with CDH
binary.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Steve Horsman
c8fcda0d73
Merge pull request #11407 from Champ-Goblem/fix/nvidia-rootfs-only-copy-opa-when-agent-policy-enabled
nvidia-rootfs: only copy `kata-opa` if `AGENT_POLICY` is enabled
2025-06-11 13:39:07 +01:00
Champ-Goblem
d6c45027f5 nvidia-rootfs: only copy kata-opa if AGENT_POLICY is enabled
In the nvidia rootfs build, only copy in `kata-opa` if `AGENT_POLICY` is enabled. This fixes
builds when `AGENT_POLICY` is disabled and opa is not built.

Signed-off-by: Champ-Goblem <cameron@northflank.com>
2025-06-11 11:25:10 +02:00
Aurélien Bombo
31288ea7fc
Merge pull request #11398 from kata-containers/sprt/undo-mariner-hotfix
Revert "ci: Fix Mariner rootfs build failure"
2025-06-10 16:09:08 -05:00
Aurélien Bombo
f34010cc94
Merge pull request #11388 from kata-containers/sprt/azure-oidc
ci: Use OIDC to log into Azure
2025-06-10 13:08:44 -05:00
Aurélien Bombo
004c1a4595 Revert "ci: Fix Mariner rootfs build failure"
This reverts commit dfa25a42ff.

The original issue was fixed:

https://github.com/microsoft/azurelinux/issues/13971#issuecomment-2956384627
2025-06-09 14:06:07 -05:00
Aurélien Bombo
dfa25a42ff ci: Fix Mariner rootfs build failure
This implements a workaround for microsoft/azurelinux#13971 to unblock
the CI.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-09 10:56:10 -05:00
Aurélien Bombo
9dd3807467 ci: Use OIDC to log into Azure
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-06 15:26:10 -05:00
Aurélien Bombo
8c3f8f8e21
Merge pull request #11339 from kata-containers/sprt/require-agent-ctl
ci: Require agent-ctl tests
2025-06-03 11:58:33 -04:00
Steve Horsman
8176eefdac
Merge pull request #10748 from zvonkok/helm-doc
doc: Add Helm Chart entry
2025-06-03 14:48:19 +01:00
Zvonko Kaiser
985e965adb doc: Added Helm Chart README.md
We need more and accurate documentation. Let's start
by providing an Helm Chart install doc and as a second
step remove the kustomize steps.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Co-authored-by: Steve Horsman <steven@uk.ibm.com>
2025-06-02 23:26:16 +00:00
Dan Mihai
c2c194d860 kata-deploy: smaller guest image file for mariner
Align up the mariner Guest image file size to 2M instead of the
default 128M alignment.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-06-02 16:15:17 +00:00
Dan Mihai
65385a5bf9 image: custom guest rootfs image file size alignment
The Guest rootfs image file size is aligned up to 128M boundary,
since commmit 2b0d5b2. This change allows users to use a custom
alignment value - e.g., to align up to 2M, users will be able to
specify IMAGE_SIZE_ALIGNMENT_MB=2 for image_builder.sh.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-06-02 16:15:17 +00:00
Fabiano Fidêncio
dadbfd42c8 kernel: Move mem-agent configs to the common kernel build
There's no benefit on keeping those restricted to the dragonball build,
when they can be used with other VMMs as well (as long as they support
the mem-agent).

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-05-30 21:49:22 +02:00
Champ-Goblem
a37080917d kernel: Add CONFIG_TUN for VPN services
TUN/TAP is a must for VPN related services.

Signed-off-by: Champ-Goblem <cameron@northflank.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-05-30 21:49:22 +02:00
Aurélien Bombo
c03b38c7e3 ci: Require agent-ctl tests
This adds `run-kata-agent-apis` to the list of required tests.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-05-29 14:09:42 -05:00
Wainer Moschetta
c249769bb8
Merge pull request #11270 from ldoktor/gk
tools.testing: Add methods to simplify gatekeeper development
2025-05-26 12:04:07 -03:00
Gao Xiang
b441890749 kernel: drop outdated erofs patches for 6.1.y kernels
Patches 0001..0004 have been included upstream as dependencies
since Linux 6.1.113.

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2025-05-26 15:48:24 +08:00
Gao Xiang
b681dfb594 kernel: support CONFIG_TMPFS_XATTR=y
Currently, Kata EROFS support needs it, otherwise it will:
[    0.564610] erofs: (device sda): mounted with root inode @ nid 36.
[    0.564858] overlayfs: failed to set xattr on upper
[    0.564859] overlayfs: ...falling back to index=off,metacopy=off.
[    0.564860] overlayfs: ...falling back to xino=off.

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2025-05-24 20:43:35 +08:00
Steve Horsman
91f2e97aae
Merge pull request #11267 from Rtoax/p001-fix-osbuilder-lib.sh-indent
osbuilder: lib.sh: Fix indent
2025-05-22 09:54:18 +01:00
stevenhorsman
7b90ff3c01 release: Bump version to 3.17.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-21 12:04:39 +01:00
Jacek Tomasiak
91fb4353f6
osbuilder: ubuntu: Add REPO_COMPONENTS setting
Added variable REPO_COMPONENTS (default: "main") which sets components
used by mmdebstrap for rootfs building.
This is useful for custom image builders who want to include EXTRA_PKGS
from components other than the default "main" (e.g. "universe").

Fixes: #11278
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
2025-05-20 14:01:48 +02:00
Fabiano Fidêncio
0bc0623037
Merge pull request #11277 from skazi0/repo-url
osbuilder: ubuntu: Expose REPO_URL variables
2025-05-20 13:46:01 +02:00
Steve Horsman
4b317dddfa
Merge pull request #11271 from stevenhorsman/gatekeeper-truncate-names
ci: gatekeeper: Require names update
2025-05-20 10:20:05 +01:00
Shunsuke Kimura
9a8d64d6b1 kata-deploy: execute in the host environment
`containerd` command should be executed in the host environment.
(To generate the config that matches the host's containerd version.)

Fixes: #11092

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-05-19 21:42:21 +09:00
Shunsuke Kimura
d3edc90d80 kata-deploy: Fix condition always true
if config.toml does not exist,
`[ -x $(command -v containerd) ]` will always True
(Because it is not enclosed in "").

```
// current code
$ [ -x $(command -v containerd_notfound) ]
$ echo $?
0

// maybe expected code
$ [ -x "$(command -v containerd_notfound)" ]
$ echo $?
1
```

Fixes: #11092

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-05-19 21:42:21 +09:00
Jacek Tomasiak
da6860a632
osbuilder: ubuntu: Expose REPO_URL variables
This exposes REPO_URL and adds REPO_URL_X86_64 which can be set to use
custom Ubuntu repo for building rootfs.
If only one architecture is built, REPO_URL can be set. Otherwise,
REPO_URL_X86_64 is used for x86_64 arch and REPO_URL for others.

Fixes: #11276
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
2025-05-19 12:41:49 +02:00
Fabiano Fidêncio
219d6e8ea6
Merge pull request #11257 from mythi/coco-guest-hardening
confidential guest kernel hardening changes
2025-05-16 08:52:36 +02:00
Fabiano Fidêncio
02ce395a69
Merge pull request #11272 from seungukshin/enable-edk2-for-arm64
Enable edk2 for arm64
2025-05-15 20:59:56 +02:00
Fabiano Fidêncio
676e66ae49
Merge pull request #11246 from skazi0/mmdebstrap
osbuilder: ubuntu: Switch from multistrap to mmdebstrap
2025-05-15 14:15:37 +02:00
Seunguk Shin
5cabce1a25 packaging: Build edk2 for arm64
The edk2 is required for memory hot plug on qemu for arm64.
This adds the edk2 to static tarball for arm64.

Signed-off-by: Seunguk Shin <seunguk.shin@arm.com>
Reviewed-by: Nick Connolly <nick.connolly@arm.com>
2025-05-15 10:12:24 +01:00
stevenhorsman
c09291a9c7 ci: gatekeeper: Require names update
The github rest api truncated job names that are >100
characters (which doesn't seem to be documented).
There doesn't seem to be a way to easily make gatekeeper
handle this automatically, so lets update the required-tests
to expect the truncated job names

Fixes: #11176
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-15 10:07:41 +01:00
Lukáš Doktor
9f8c8ea851
tools.testing: Add way to re-play recorded queries in gatekeeper
to simplify gatekeeper development add support for DEBUG_INPUT which can
be used to report content from files gathered in DEBUG run.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-05-15 10:32:10 +02:00