Commit Graph

385 Commits

Author SHA1 Message Date
Fabiano Fidêncio
54878fa373 kata-deploy: add job deployment mode driven by the job-dispatcher
Phase 2 of the DaemonSet -> staged-Job migration: add an opt-in
`deploymentMode: job` that installs Kata via short-lived, per-node
install Jobs instead of the long-running DaemonSet. The DaemonSet remains
the default and is now gated behind `deploymentMode == daemonset`.

Rather than render one Job per node into the Helm release (which grows
the release secret O(nodes) and offers no rollout pacing), job mode ships
a single tiny post-install/post-upgrade hook Job that runs the
kata-deploy-job-dispatcher. The dispatcher enumerates the selected nodes
LIVE from the API server and stamps out one node-pinned install Job per
node from a constant-size ConfigMap of Job templates, keeping at most
`job.parallelism` in flight and refilling as they finish. This guarantees
per-node coverage with a paced rollout while the Helm release stays O(1)
regardless of fleet size. New nodes are picked up by re-running
`helm upgrade`; there is no always-on component.

Each per-node Job runs the staged install pipeline as ordered
initContainers and exits:

  host-check -> artifacts -> cri   (initContainers, run sequentially)
  label                            (main container)

The privilege split is explicit: the dispatcher pod is a pure
control-plane client (lists nodes, manages Jobs in its own namespace) and
runs fully unprivileged under a dedicated, least-privilege ServiceAccount
(kata-rbac.yaml); only the per-node Jobs it creates carry the privileged
kata-deploy host-mutation rights.

Node selection (templates/_helpers.tpl: nodeLabelSelector / perNodeJob):
  - job.nodes: explicit node-name list passed to the dispatcher, and
  - job.nodeSelector (equality map) ANDed with
  - job.nodeSelectorExpressions (k8s label-selector requirements:
    In / NotIn / Exists / DoesNotExist),
compiled into a single label-selector string the dispatcher resolves
live. The default expressions target worker (non-control-plane) nodes, so
no custom node labeling is required; set the expressions to [] to target
all discovered nodes.

Reuses the commonEnv/commonVolume* helpers and adds the stageContainer,
serviceAccountName, dispatcherServiceAccountName, dispatcherImage and
perNodeJob helpers shared by the dispatcher and the staged Jobs. The
default (daemonset) render is unchanged.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-06-12 18:58:33 +02:00
Fabiano Fidêncio
d4205c7fcc kata-deploy: build and publish the kata-deploy-job-dispatcher image
Package and ship the dispatcher built in the previous commit so the
job-mode Helm chart has an image to run.

  - Dockerfile.components: build kata-deploy and kata-deploy-job-dispatcher
    from the same rust-builder stage (one compile), and run fmt/clippy/
    test for both crates.
  - job-dispatcher/Dockerfile: a minimal distroless/static image containing
    only the dispatcher binary and CA certs - it is an API client, so it
    needs nothing from the host.
  - local-build: kata-deploy-job-dispatcher becomes its own build component
    with its own static tarball
    (kata-deploy-static-kata-deploy-job-dispatcher.tar.zst); the shared
    rust-builder output is reused so the two components do not recompile
    the workspace locally. The payload script builds and pushes a separate
    "<kata-deploy registry>-job-dispatcher" image with the same tag scheme,
    and release.sh publishes its multi-arch manifest symmetrically.
  - CI: add kata-deploy-job-dispatcher to the build-kata-deploy-components
    matrices (its tarball is picked up by the existing kata-artifacts-*
    glob), and gate it in the kata-deploy rust static checks.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-06-12 18:58:33 +02:00
Fabiano Fidêncio
230e01b04e Merge pull request #13126 from kata-containers/topic/runtimes-introduce-azure-specific-configs
runtime/runtime-rs: introduce Azure specific configs
2026-06-02 09:17:09 +02:00
Greg Kurz
8a49ecb159 Merge pull request #13097 from BbolroC/fix-shim-components-for-s390x
ci: Refactor boot-image-se build and update shim components
2026-06-01 11:43:42 +02:00
Zvonko Kaiser
7f906ec95d build: add kata-deploy-publish target
Mirror the CI payload publish flow in local builds, including image and
helm chart publishing, while reusing the same chart upload helper in
payload-after-push to avoid duplicated chart packaging logic.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-29 16:22:12 +02:00
Zvonko Kaiser
fb73ccc352 build: include kata-deploy static artifacts in nvgpu bundle
Build and package kata-deploy binary and nydus snapshotter component
tarballs as part of nvgpu-tarball so local publish can consume a single
kata-static.tar.zst without rebuilding extra artifacts.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-29 16:22:12 +02:00
Hyounggyu Choi
640fa488a5 ci: Refactor boot-image-se build and update shim components
- Add FAKE_SE_IMAGE mode support in SE image build scripts for CI without real SE setup
- Simplify workflow by removing build-asset-boot-image-se job
- Integrate fake-boot-image-se into build matrix instead of separate job
- Skip attestation for fake-boot-image-se builds
- Update qemu-se and qemu-se-runtime-rs shim components to use:
  - rootfs-initrd-confidential instead of rootfs-image-confidential
  - boot-image-se component

This change streamlines the s390x SE build process and makes it easier
to test without requiring actual Secure Execution infrastructure.
This fixes deployment issues on non-TEE systems where TEE-specific artifacts
(like boot-image-se for IBM SEL) are not included in the kata-deploy image,
while ensuring TEE systems still get all required components.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-05-29 11:35:40 +02:00
Fabiano Fidêncio
bddf1ecab4 build: stop producing cloud-hypervisor-glibc artifacts
Drop cloud-hypervisor-glibc from local and CI kata-deploy build targets
now that Azure CLH uses the standard cloud-hypervisor artifact set.

This removes obsolete build matrix entries and installer target
handling.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-28 23:32:37 +02:00
Fabiano Fidêncio
64056add0d build: add passthrough mode to kata-deploy-merge-builds
kata-deploy now unpacks individual component tarballs itself, so the
final `kata-static.tar.zst` no longer needs to be a merged filesystem
payload. Merging everything has two downsides for that flow:

  - It pulls in everything kept on disk under build/, which previously
    forced us to also drop agent/busybox/coco-guest-components/nydus
    from the build set to keep them out of the final tarball.
  - The merged tarball duplicates content kata-deploy will repack on
    its own anyway.

Add a `passthrough` mode to kata-deploy-merge-builds.sh that, instead
of untarring each `kata-static-*.tar.zst` into a single filesystem
tree, copies the selected component tarballs into the final tarball
as-is. The existing `merge` mode remains the default to preserve the
non-kata-deploy install paths (e.g. `make install-tarball`).

Wire `nvgpu-tarball` to the new mode via `FINAL_TARBALL_MERGE_MODE=
passthrough`, paired with the existing `FINAL_TARBALL_INPUTS`
allowlist. This lets us keep agent/busybox/coco as build prereqs of
the GPU rootfs while shipping a final tarball that only contains the
NVIDIA-relevant components.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-26 21:55:08 +02:00
Zvonko Kaiser
9b85bff2b4 build: don't double-prefix absolute versions.yaml path in merge-builds
The Makefile passes $(MK_DIR)/../../../../versions.yaml — already an
absolute path — to kata-deploy-merge-builds.sh. The script then
unconditionally prepended ${PWD}/, producing a malformed path like:

  /repo//repo/tools/.../local-build//../../../../versions.yaml

which made cp fail with "No such file or directory" at the merge-builds
step (the very last step of `make nvgpu-tarball`).

Only prepend ${PWD}/ when the input is relative — that preserves the
original fix for the pushd-changes-cwd issue (commit ae6e8d2b3) without
mangling absolute paths from Makefile callers.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude <noreply@anthropic.com>
2026-05-26 21:55:08 +02:00
Zvonko Kaiser
5aa6229eba build: group parallel build output by target
With `make all -j N` running multiple tarballs concurrently and silent
mode redirecting each build's stdio to its per-target log, a failing
target's "Failed to build: <name>, logs:" banner gets interleaved with
other in-flight jobs' output, making it hard to tell which target
failed.

Pass `--output-sync=target` to the recursive make so each sub-make's
output is buffered and emitted as one block when the target finishes,
keeping the failure banner contiguous with its log dump.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude <noreply@anthropic.com>
2026-05-26 21:55:08 +02:00
Zvonko Kaiser
18cee00df9 build: guard parallel races on build symlink and ~/.docker
Parallel make jobs invoke kata-deploy-binaries-in-docker.sh concurrently
and collide on two shared paths:

  ln: Already exists
  mkdir: /home/$USER/.docker: File exists

Skip the symlink creation when the link is already in place. If a
parallel job wins the create race in the cold-start window, fall back to
re-checking that the link exists so a real ln failure (permission, disk
full, etc.) still propagates rather than being silently swallowed.

The `~/.docker` mkdir is guarded by a `[[ ! -d ]]` check that two
processes can pass simultaneously, after which one bare `mkdir` fails.
Switch to `mkdir -p` so the second invocation is a no-op.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-26 21:55:08 +02:00
Zvonko Kaiser
815ebc340d build: add nvgpu-tarball target
serial-targets now waits for the other BASE_TARBALLS items so the
inner rootfs assembly runs with DEPS= against already-built
artifacts. This also fixes a pre-existing race in the main flows
where the outer parallel and inner -j 1 makes could both build
kernel-tarball at the same time.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-26 21:55:08 +02:00
Zvonko Kaiser
6a367ab777 build: declare install-prebuilt-artifacts as .PHONY
Leftover from #12954's rebase: the substantive sed-hack -> DEPS= change
landed on main, but the .PHONY declaration didn't make it. Add it so
the recipe always runs even if a stale `kata-artifacts` file exists in
CWD.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Assisted-By: Claude <noreply@anthropic.com>
2026-05-26 21:55:08 +02:00
Fabiano Fidêncio
25491fc20c Merge pull request #13104 from kata-containers/topic/kata-deploy-build-as-an-artefact
kata-deploy: prebuild payload-specific component artifacts
2026-05-25 22:56:55 +02:00
Fabiano Fidêncio
c65d64873b kata-deploy: prebuild payload-specific component artifacts
Build and publish the kata-deploy binary and CoCo guest-pull nydus
snapshotter as dedicated per-arch artifacts, then consume those tarballs
when assembling the kata-deploy image.

This avoids rebuilding those components in the payload image (which
would happen in serial) path and reduces overall CI build time.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-25 22:13:41 +02:00
Fabiano Fidêncio
72be31c384 build: Validate measured-rootfs root hashes all shims
The cached shim-v2 tarballs ship per-variant `root_hash_*.txt` files
embedded in the matching measured-rootfs image. Until now only
shim-v2-rust validated those hashes against the freshly built rootfs
images on a cache hit; shim-v2-go reused whatever was cached without
checking, even though its bundled configuration files contain the
`KERNELVERITYPARAMS_*` values baked in at build time.

When a PR changes the agent (and therefore the rootfs image and its
dm-verity hash) but does not touch `src/runtime`, the shim-v2-go cache
key stays the same and the stale tarball is reused. The resulting
guest cmdline carries a verity hash that no longer matches the new
rootfs image, so the VM panics very early in boot:

    device-mapper: verity: 254:1: metadata block 0 is corrupted
    erofs (device dm-0): cannot read erofs superblock
    Kernel panic - not syncing: VFS: Unable to mount root fs ...

Generalize the shim-v2-rust cache validation so it also runs for
shim-v2-go, push the per-variant root-hash sidecar files for both
shims, and fall back to a full rebuild whenever the cached hash is
missing or differs from the image one.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-25 11:04:08 +02:00
Huy Pham
c490373a78 kata-deploy: packaging: fix absolute path resolution in merge script
The `kata-deploy-merge-builds.sh` script blindly prepended `PWD` to the
`kata_versions_yaml_file` argument, assuming it was always a relative
path. However, the `Makefile` passes an absolute path using `$(MK_DIR)`.
This resulted in invalid double-concatenated paths like
`/workspace/...//workspace/...` which failed to copy.

Fix this by using `readlink -f` to safely resolve the path. This
correctly handles both relative and absolute paths, preventing path
corruption.

Signed-off-by: Huy Pham <huypham@google.com>
2026-05-22 12:05:56 -07:00
Huy Pham
ee4f756b75 kata-deploy: packaging: fix buggy return statements in cache check
The `install_cached_tarball_component` function in the binaries
packaging script contained syntax errors where it attempted to capture
the empty stdout of the `cleanup_and_fail` function inside a return
statement (e.g., `return "$(cleanup_and_fail ...)"`).

Since `cleanup_and_fail` only returns an exit status and produces no
stdout, this evaluated to `return ""`, which is invalid in bash and
causes the script to crash with `numeric argument required` instead of
returning the failure status.

Fix this by replacing the buggy inline returns with proper `if` blocks
that call `cleanup_and_fail` and explicitly return `1`.

Signed-off-by: Huy Pham <huypham@google.com>
2026-05-21 09:21:05 -07:00
Fabiano Fidêncio
7536f2c616 Merge pull request #13055 from kata-containers/topic/kata-deploy-only-install-what-will-be-used
kata-deploy: only install what will actually be used
2026-05-21 17:53:09 +02:00
Fabiano Fidêncio
9a0acc6c4c kata-deploy: ship individual component tarballs; drop merged tarball
Update the Dockerfile to copy each kata-static-<name>.tar.zst directly
into the image alongside shim-components.json, replacing the old
artifact-extractor stage that unpacked a single merged tarball.

Update the publish-kata-deploy-payload and release CI workflows to
download individual per-component artifacts instead of waiting for a
merged tarball, and simplify kata-deploy-build-and-upload-payload.sh
accordingly.  The kata-deploy image build is no longer blocked on the
merge step.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-20 20:52:36 +02:00
Fabiano Fidêncio
c87e327876 kata-deploy: split shim-v2 into shim-v2-go and shim-v2-rust
Split the monolithic shim-v2 build target into separate shim-v2-go and
shim-v2-rust targets in kata-deploy-binaries.sh, the local-build
Makefile, and the four architecture CI workflows.

The Go and Rust shims now each produce their own kata-static-<name>.tar.zst
artifact, allowing downstream consumers to select only the shim variant
they need.  MEASURED_ROOTFS is set per-arch for the Rust job in CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-20 20:52:36 +02:00
stevenhorsman
3f27052184 kata-deploy: always add HEAD commit SHA tag to all builds
Previously, the commit SHA tag was only added for specific components
(agent, agent-ctl) by setting artefact_tag in individual install
functions. This was inconsistent and error-prone.

Now, the HEAD commit SHA is always added as a tag for all builds in
the central tagging logic. This ensures:
- All components get tagged with the commit SHA
- The correct HEAD commit is used (not the last commit that modified
  a specific path)
- Simpler, more maintainable code

The git command uses `git -C` to change to the repo directory before
running git log, which correctly returns the HEAD commit SHA regardless
of which files were modified in recent commits.

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-20 17:42:09 +01:00
stevenhorsman
e3a00a2ec2 kata-deploy: fix binary location for agent-ctl
Moving agent-ctl into the root workspace moves the target
directory, so update this target to be in root, not src/tools

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-18 09:47:15 +01:00
Fabiano Fidêncio
93e02944fa image-builder/nvidia: skip DAX header for virtio-blk-pci images
The DAX header (2 MiB of NVDIMM metadata + a duplicate MBR) is
unconditionally prepended to every image by set_dax_header(). NVIDIA
images use virtio-blk-pci with disable_image_nvdimm=true, so the
kernel reads MBR #1 directly and never touches the DAX metadata --
it is dead weight.

Add a SKIP_DAX_HEADER environment variable (default "no") that, when
set to "yes", skips the DAX header entirely:
- Removes the 2 MiB DAX overhead from image size calculations in
  both the erofs and ext4 paths
- Skips the set_dax_header() call, avoiding compilation and
  execution of the nsdax tool
- Passes the variable through to containerised builds

Enable SKIP_DAX_HEADER=yes for both install_image_nvidia_gpu() and
install_image_nvidia_gpu_confidential() in the build pipeline. All
other image builds are unaffected (default remains "no").

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-10 17:18:05 +02:00
Fabiano Fidêncio
6b802a4e30 nvidia: switch GPU rootfs images to erofs
Switch the NVIDIA GPU rootfs images (both standard and confidential)
from ext4 to erofs (Enhanced Read-Only File System).

Unlike ext4, which is a read-write filesystem mounted read-only by
convention, erofs is structurally read-only -- no journal, no write
metadata, no superblock write path. This eliminates accidental
mutation and reduces the attack surface inside the guest VM, which
is particularly important for confidential workloads using dm-verity.

Introduce a DEFROOTFSTYPE_NV Makefile variable (set to erofs) for
both Go and Rust runtimes, keeping the global DEFROOTFSTYPE as ext4
so non-NVIDIA configurations are unaffected.

Update all six NVIDIA GPU configuration templates (base, SNP, TDX
for both runtimes) to use @DEFROOTFSTYPE_NV@ instead of the global
@DEFROOTFSTYPE@.

Export FS_TYPE=erofs in install_image_nvidia_gpu() and
install_image_nvidia_gpu_confidential() so the build pipeline
produces erofs images via the image builder.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-10 17:18:05 +02:00
Fabiano Fidêncio
acfb9f9762 Merge pull request #12954 from zvonkok/modular-makefile
build: remove gha-adjust-to-use-prebuilt-components.sh
2026-05-07 10:32:32 +02:00
stevenhorsman
b61b3d2f20 kata-deploy: Update default tool binary location
Now that all but agent-ctl (still WIP) of the tools are
in the root workspace, switch the default to that and add
the exception for agent-ctl as it's the odd one out.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-30 08:46:22 +01:00
Zvonko Kaiser
35dfb11fe4 build: replace prebuilt-components sed hack with DEPS=
Mutating the Makefile in-place to strip prereqs was fragile and
limited to one target per invocation. DEPS= skips deps declaratively
and propagates through recursive make, so multi-target builds can
opt out in one shot.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-04-30 00:48:46 +00:00
Zvonko Kaiser
54c514e249 build: allow overriding rootfs/boot tarball prereqs via DEPS
Skipping prereq rebuilds is useful when artifacts are already staged
from a prior run (CI splitting work across jobs, local iteration).

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-04-29 23:59:05 +00:00
stevenhorsman
9cae783f14 kata-deploy: fix binary location for trace-forwarder
Moving the trace-forwarder into the root workspace moves the target
directory, so update this target.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-29 13:27:09 +01:00
Fabiano Fidêncio
28d9043d4c build: Add driver version to artefact cache
Add the nvidia driver version to the artefact cache keys so that
a driver bump triggers image and initrd rebuilds.

Also rename the helper functions to follow a consistent
get_latest_nvidia_* naming convention.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-25 19:28:31 +02:00
Fabiano Fidêncio
00842794e2 tools: Fix shellcheck issues in kata-deploy-copy-yq-installer.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
a751f84a14 tools: Fix shellcheck issues in kata-deploy-copy-libseccomp-installer.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
94b870c67a tools: Fix shellcheck issues in kata-deploy-build-and-upload-payload.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
eb58dea7c2 tools: Fix shellcheck issues in kata-deploy-binaries.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
31c711b99b tools: Fix shellcheck issues in kata-deploy-binaries-in-docker.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
ea27e2f021 tools: Fix shellcheck issues in install_oras.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
861f15cdc4 build: add arm64 coco-dev build dependencies
Build coco-guest-components, pause-image, and rootfs-image-confidential
for arm64, which are required by qemu-coco-dev-runtime-rs.

Enable MEASURED_ROOTFS on the arm64 shim-v2 build, add the aarch64 case
to install_kernel() so the default kernel is built as a unified kernel
(with confidential guest support, like x86_64), and adjust the kernel
install naming so only CCA builds get the -confidential suffix.

Also wire rootfs-image-confidential-tarball into the aarch64 local-build
Makefile.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-18 00:48:13 +02:00
Fabiano Fidêncio
a12e0f1204 build: cache: Take NVRC & NVAT version into consideration
Without those, we'd end up pulling the same / old rootfs that's cached
without re-building it in case of a bump in any of those components.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-08 10:14:11 +02:00
Fabiano Fidêncio
9e1f595160 kata-deploy: add Rust binary to root workspace
Add tools/packaging/kata-deploy/binary as a workspace member, inherit shared
dependency versions from the root manifest, and refresh Cargo.lock.

Build the kata-deploy image from the repository root: copy the workspace
layout into the rust-builder stage, run cargo test/build with -p kata-deploy,
and adjust artifact and static asset COPY paths. Update the payload build
script to invoke docker buildx with -f .../Dockerfile from the repo root.

Add a repo-root .dockerignore to keep the Docker build context smaller.
Document running unit tests with cargo test -p kata-deploy from the root.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-07 10:07:06 +08:00
Agam Dua
91d6c39f06 kernel: Fix debug build and add debug symbols to installation
Fixed a bug with the debug kernel build where common/ was repeated
after the common path variable, resulting in the debug
confs never being picked up.

This exposed a subsequent bug where the debug conf
was included in other builds, this is also fixed by creating a
separate directory for debug confs with one file at the moment,
debug.conf that contains debug configurations and bpf specific
configs.

To enable kernel builds (specifically for bpf) the dwarves package was added
to the kernel dockerfile for the pahole package.

Signed-off-by: Agam Dua <agam_dua@apple.com>
2026-03-20 14:50:23 -07:00
Agam Dua
5ab0744c25 ci: Add pipeline for building and distributing the debug kernel
Add the debug kernel to the kata tarball alongside the other kernels.

Also update the kernel README documentation to describe the new debug
kernel build process.

Signed-off-by: Agam Dua <agam_dua@apple.com>
2026-03-20 14:50:23 -07:00
Manuel Huber
660e3bb653 gpu: Obsolete the NVIDIA initrd build
As the NVIDIA stack has shifted to using an image for both the
confidential and non-confidential variants, we retire the initrd
build.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-03-16 21:29:58 -04:00
Aurélien Bombo
f8e234c6f9 Merge pull request #12650 from kata-containers/sprt/remove-csi
ci: Stop building/deploying CSI driver
2026-03-16 16:53:02 -05:00
Manuel Huber
8162d15b46 nvidia: fix invalid CTK reference
Use proper reference from versions yaml structure.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-03-11 12:49:29 -07:00
Aurélien Bombo
64aed13d5f Revert "ci: Add no-op step to compile CSI driver"
This reverts commit e43c59a2c6.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-03-11 12:55:23 -05:00
Aurélien Bombo
d598e0baf1 Revert "ci: Implement build step for CSI driver"
This partially reverts commit fb87bf221f.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-03-11 12:55:23 -05:00
Markus Rudy
cf7d4c33b3 kata-deploy: fix binary location for genpolicy
Moving the genpolicy crate into the root workspace causes the build
outputs to go into the root workspace's target directory, instead of
src/tools/genpolicy/target, invalidating assumptions made by the
kata-deploy-binaries script.

This commit adds a special case for the lookup path of the genpolicy
binary, and fixes two bugs that made identifying this problem harder.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2026-03-11 09:30:48 +01:00
Fabiano Fidêncio
e9894c0bd8 nvidia: Bump nvidia-container-toolkit to 1.18.1
Let's update the nvidia-container-toolkit to 1.18.1 (from 1.17.6).

We're, from now on, relying on the version set in the versions.yaml
file.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-03-05 11:53:09 +01:00