We can rely on the error handling of the actual HTTP API calls to catch
errors, and don't need to call VmmPing explicitly in advance.
Signed-off-by: Bo Chen <chen.bo@intel.com>
The cloud-hypervisor commit `6d30fe05` introduced a fix on its API for
VFIO device hotplug (`VmAddDevice`), which is required for supporting
VFIO unplug through openAPI calls in kata.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Tag openapi-generator-cli container to v4.3.1 that is the latest
stable, this way we can have reproducible builds and the same
generated code in all the systems
Signed-off-by: Julio Montes <julio.montes@intel.com>
Support the `sgx.intel.com/epc` annotation that is defined by the intel
k8s plugin. This annotation enables SGX. Hardware-based isolation and
memory encryption.
For example, use `sgx.intel.com/epc = "64Mi"` to create a container
with 1 EPC section with pre-allocated memory.
At the time of writing this patch, SGX patches have not landed on the
linux kernel project.
The following github kernel fork contains all the SGX patches for the
host and guest: https://github.com/intel/kvm-sgxfixes#483
Signed-off-by: Julio Montes <julio.montes@intel.com>
Firecracker expose metrics through fifo file
and using a JSON format. This PR will parse the
Firecracker's metrics and convert to Prometheus metrics.
Fixes: #472
Signed-off-by: bin liu <bin@hyper.sh>
Somehow we are not running static checks for a long time.
And that ended up with a lot for errors.
* Ensure debug options are valid is dropped
* fix snap links
* drop extra CONTRIBUTING.md
* reference kata-pkgsync
* move CODEOWNERS to proper place
* remove extra CODE_OF_CONDUCT.md.
* fix spell checker error on Developer-Guide.md
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Set enable_debug_console=true in Kata's congiguration file,
runtime will pass `agent.debug_console`
and `agent.debug_console_vport=1026` to agent.
Fixes: #245
Signed-off-by: bin liu <bin@hyper.sh>
Create "class" and "config" file in temporary device BDF dir,
and remove dir created by ioutil.TempDir() when test finished.
fixes: #746
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
The latest release of cloud-hypervisor v0.10.0 contains the following
updates: 1) `virtio-block` Support for Multiple Descriptors; 2) Memory
Zones; 3) `Seccomp` Sandbox Improvements; 4) Preliminary KVM HyperV
Emulation Control; 5) various bug fixes and refactoring.
Note that this patch updates the client code of clh's HTTP API in kata,
while the 'versions.yaml' file was updated in an earlier PR.
Fixes: #789
Signed-off-by: Bo Chen <chen.bo@intel.com>
Clear the 1.x branch api methods in the 2.0. Keep the same methods to
the VC interface, like the VCImpl struct.
Fixes: #751
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
I noticed the spelling mistake while reviewing another change and
doing a "grep" for "privilege" that turned up nothing.
Fixes: #671
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Currently, isPCIeDevice() attempts to determine if a (host) device is
PCI-Express capable by looking up its link speed via the PCI slots
information in sysfs. This is a) complicated and b) wrong. PCI-e
devices don't have to have slots information, so this frequently fails.
Instead determine if devices are PCI-e by checking for the presence of
PCIe extended configuration space by looking at the size of the "config"
file in sysfs.
Forward ported from 6bf93b23 in the Kata 1.x runtime repository.
Fixes: #611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add guide on how to pass a VFIO-AP device, such as Crypto Express cards
on IBM Z mainframes, to a Kata container. Like the documentation for
VFIO-PCI, this was put in the virtcontainers README.
Fixes: #658
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Recognise when a device to be hot-plugged is an IBM Adjunct Processor
(AP) device and execute VFIO AP hot-plug accordingly. Includes unittest
for recognising and uses CCW for addDeviceToBridge in hotplugVFIODevice
if appropriate.
Fixes: #491
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Co-authored-by: Julio Montes <julio.montes@intel.com>
Reviewed-by: Alice Frosi <afrosi@redhat.com>
Since we always build musl kata-agent, there is no need to build
it inside a musl container. We can just build on the host and then
copy the binary to the target rootfs.
There are still a lot to clean up and it should be made so for ALL
target distros instead of just alpine. But this is at least working
for alpine first.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
for s390x virtio devices
Add iommu_platform annotations for qemu for ccw,
other supported devices can also make use of that.
Fixes#603
Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
We kept observing instabilities from CLH CI jobs periodically (kata
1.x). To separate the random failures caused by `seccomp` from other
failures, this patch disables the 'seccomp' option from clh in kata for
now. We will bring this option back after completing the 'seccomp'
filter lists based on Kata's CI workload. Details are tracked in the
following two issues:
https://github.com/kata-containers/runtime/issues/2899 and
https://github.com/kata-containers/runtime/issues/2901
We are facing the similar challenge to stabilize CI jobs related to
cloud-hypervisor in Kata 2.0. We are disabling the `seccomp` option here
for the same reason. Related issue:
https://github.com/kata-containers/tests/issues/2813Fixes: #614
Signed-off-by: Bo Chen <chen.bo@intel.com>
When a one-shot pod dies in CRI-O, the shimv2 process isn't killed until
the pod is actually deleted, even though the VM is shut down. In this
case, the shim appears to busyloop when attempting to talk to the (now
dead) agent via VSOCK. To address this, we disconnect from the agent
after the VM is shut down.
This is especially catastrophic for one-shot pods that may persist for
hours or days, but it also applies to any shimv2 pod where Kata is
configured to use VSOCK for communication.
See github.com/kata-containers/runtime#2719 for details.
Fixes#2719
Signed-off-by: Evan Foster <efoster@adobe.com>
Expand unit tests for virtcontainers/utils/utils.go to include testing
CleanupFds, CPU calculations, ID string creation, and memory alignment
functions.
Fixes#490
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
[ Port from runtime commit 44b58e4151d1fc7debed41274b65c37233a437e3 ]
This patch enables kata+clh to unplug block devices, which is required
to pass cri-o integration tests.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 03fb9c50c180d3359178c30e06f1122df312ae76 ]
To support unplug block device, we need to set the 'Id' explicitly while
hotplugging devices with cloud-hypervisor HTTP API.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 39897867bc89667daaafdd141367ec4a5fdc9247 ]
API now requires cpu topology.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 40f49312a4881c904a1cbdace04c4c697bd2d429 ]
Update api geneated by openapi.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 30b40f5505fd46d23b89eb5fb38301d2f7454f35 ]
Along with the release of cloud-hypervisor v0.8.0, this option has been
deprecated. clh now enforces to use the alternative controls,
e.g. "shared" and "hugepages", which can infer the backing file
paths. Also, we don't use "hugepages" in kata, so we are fine now as the
"shared" control is already enabled.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
Some type declarations were changed. The example code here is outdated
according to the example_pod_run_test.go under virtcontainers directory.
And add the imports to make where the types from clear.
Fixes: #507
Signed-off-by: Li Ning <lining_yewu@cmss.chinamobile.com>
