To print the correct value of kernel parameters, the log field
value should not be a function name. And for that qemuArchBase
doesn't contain debug flag, so the log contains debug/non-debug
parameters.
Fixes: #2048
Signed-off-by: bin <bin@hyper.sh>
`memory_offset` is used to increase the maximum amount of memory
supported in a VM, this offset is equal to the NVDIMM/PMEM device that
is hot added, in real use case workloads such devices are bigger than
4G, which is the current limit (uint32).
fixes#2006
Signed-off-by: Julio Montes <julio.montes@intel.com>
Since SEV support has been added, an implementation mistake was also
added to TestQemuAmd64AppendProtectionDevice.
appendProtectionDevice() will, as it name says, append the protection
device to whatever was there previously. So, when SEV was added, we
broke the comparison done for TDX as we didn't append the expected
output for TDX with what we already had for SEV.
This should be enough to get the tests passing.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Remove storeSandbox() at the end of createSandboxFromConfig(),
because this callchain createSandboxFromConfig -> createContainers
has already calls storeSandbox().
This can improve the startup speed of the container,
even just for a little.
Fixes: #1980
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
Secure Execution is a confidential computing technology on s390x (IBM Z
& LinuxONE). Enable the correspondent virtualization technology in QEMU
(where it is referred to as "Protected Virtualization").
- Introduce enableProtection and appendProtectionDevice functions for
QEMU s390x.
- Introduce CheckCmdline to check for "prot_virt=1" being present on the
kernel command line.
- Introduce CPUFacilities and avilableGuestProtection for hypervisor
s390x to check for CPU support.
Fixes: #1771
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Previously, all consts were in single lines in
virtcontainers/qemu_s390x.go. Put them into a const block.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Trace spans erroneously set the network model to default in all cases.
Add function to return network model string and use it to set attribute
in spans.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add sandbox, container, and hypervisor IDs to trace spans. Note that
some spans in sandbox.go are created with a trace() call from api.go.
These spans have additional attributes set after span creation to
overwrite the api attributes.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Export proc stats for virtiofsd.
This commit only adds for hypervisors that have support for it.
- qemu
- cloud-hypervisor
Fixes: #1926
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.
Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
CloudHypervisor is using virtiofsd.go to manage virtiofsd process,
but qemu has its code in qemu.go. This commit let qemu to re-use
code in virtiofsd.go to reduce code and improve maintenanceability.
Fixes: #1933
Signed-off-by: bin <bin@hyper.sh>
Span attributes (tags) are not consistent in runtime tracing, so
designate and use core attributes such source, package, subsystem, and
type as span metadata for more understandable output.
Use WithAttributes() during span creation to reduce calls to
SetAttributes().
Modify Trace() in katautils to accept slice of attributes so multiple
functions using different attributes can use it.
Fixes#1852
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
This commit will fix two problems:
- Virtiofsd process ID returned to the caller will always be 0,
the pid var is never being assigned a value.
- Socket listen fd may leak in case of failure of starting virtiofsd process.
This is a port of be9ca0d58bFixes: #1931
Signed-off-by: bin <bin@hyper.sh>
Protected Execution Facility(PEF) is the confidential computing
technology on ppc64le. This PR adds the support for it in Kata.
Also re-vendor govmm for the latest changes.
Fixes: #1881
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.
Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.
With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.
Fixes#1896
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.
Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.
Fixes: #1895
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
we can have the following case,
1. start kata container with factory feature, this need kata-runtime
config to enable factory and use initrd as base image.
2. start a kata container.
3. cd /root; cd /run/vc/vm/template dir, this will make
/run/vc/vm/template to be in used.
4. destroy vm template with kata-runtime factory destroy , and check
the template mountpoint.
we can see the template mountpoints will add everytime we repeat the above steps .
[root@centos1 template]# mount |grep template
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
Fixes: #938
Signed-off-by: Shukui Yang <keloyangsk@gmail.com>
Define the structure and functions needed to support confidential
guests, this commit doesn't add support for any specific technology,
support for TDX, SEV, PEF and others will be added in following
commits.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Got:
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: Add 189759MB virtio-mem-pci fail QMP command
failed: backend memory size must be multiple of 0x200000: unknown
This commit let sizeMB be multiple of 2Mib to fix the issue.
Fixes: #1796
Signed-off-by: Hui Zhu <teawater@antfin.com>
`CPUFlags` returns a map with all the CPU flags, these CPU flags
may help us to identiry whether a system support confidential computing
or not.
Signed-off-by: Julio Montes <julio.montes@intel.com>
