Commit Graph

947 Commits

Author SHA1 Message Date
Seunguk Shin
40dac78412 kata-deploy: support build confidential kernel and shim-v2 for CCA
After supporting the Arm CCA, it will rely on the kernel kvm.h headers to build the
runtime. The kernel-headers currently quite new with the traditional one, so that we
rely on build the kernel header first and then inject it to the shim-v2 build container.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
Co-authored-by: Seunguk Shin <seunguk.shin@arm.com>
2025-10-16 17:23:58 +08:00
Fabiano Fidêncio
aa7e46b5ed tests: Check the multi-snapshotter situation on containerd
One problem that we've been having for a reasonable amount of time, is
containerd not behaving very well when we have multiple snapshotters.

Although I'm adding this test with my "CoCo" hat in mind, the issue can
happen easily with any other case that requires a different snapshotter
(such as, for instance, firecracker + devmapper).

With this in mind, let's do some stability tests, checking every hour a
simple case of running a few pre-defined containers with runc, and then
running the same containers with kata.

This should be enough to put us in the situation where containerd gets
confused about which snapshotter owns the image layers, and break on us
(or not break and show us that this has been solved ...).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-15 13:35:43 +02:00
stevenhorsman
8ce714cf97 ci: Add protobuf-compiler dependencies
We are seeing more protoc related failures on the new
runners, so try adding the protobuf-compiler dependency
to these steps to see if it helps.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-10-14 10:58:58 +01:00
Fabiano Fidêncio
e782d1ad50 ci: k8s: Test experimental_force_guest_pull
Now that we have added the ability to deploy kata-containers with
experimental_force_guest_pull configured, let's make sure we test it to
avoid any kind of regressions.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 20:08:10 +02:00
Fabiano Fidêncio
496e255ea2 build: Fix KBUILD_SIGN_PIN usage
What was done in the past, trying to set the env var on the same step
it'd be used, simply does not work.

Instead, we need to properly set it through the `env` set up, as done
now.

We're also bumping the kata_config_version to ensure we retrigger the
kernel builds.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 15:25:10 +02:00
stevenhorsman
8dcd91cf5f ci: Enable new ibm runners
We have some scalable s390x and ppc runners, so
start to use them for build and test, to improve
the throughput of our CI

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-10-10 09:42:06 +01:00
Fabiano Fidêncio
06a3bbdd44 ci: k8s: coco: Add "Report tests" step
For some reason we didn't have the "Report tests" step as part of the
TEE jobs. This step immensely helps to check which tests are failing and
why, so let's add it while touching the workflow.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 09:51:59 +02:00
Fabiano Fidêncio
a1f90fe350 tests: k8s: Unify k8s TEE tests
There's no reason to have the code duplication between the SNP / TDX
tests for CoCo, as those are basically using the same configuration
nowadays.

Note that for the TEEs case, as the nydus-snapshotter is deployed by the
admin, once, instead of deploying it on every run ... I'm actually
removing the nydus-snapshotter steps so we make it clear that those
steps are not performed by the CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 09:51:59 +02:00
Aurélien Bombo
07645cf58b ci: actionlint: Address issues and set as required
Address issues just introduced and set actionlint as a required by removing
the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:27 -05:00
Aurélien Bombo
5a4ddb8c71 ci: zizmor: Fix all template-injection alerts
Fix all instances of template injection by using environment variables as
recommended by Zizmor, instead of directly injecting values into the
commands.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:26 -05:00
Aurélien Bombo
7b203d1b43 ci: zizmor: Ignore dangerous-triggers audit for known safe usage
The two ignored cases are strictly necessary for the CI to work today, and we
have various security mitigations in place.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:08 -05:00
Aurélien Bombo
7afdfc7388 ci: zizmor: Disable undocumented-permissions audit
There are 62 such warnings and addressing them would take quite a bit of
time so just disable them for now.

help[undocumented-permissions]: permissions without explanatory comments
  --> ./.github/workflows/release.yaml:71:7
   |
71 |       packages: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
72 |       id-token: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
73 |       attestations: write
   |       ^^^^^^^^^^^^^^^^^^^ needs an explanatory comment
   |
   = note: audit confidence → High

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:08 -05:00
Aurélien Bombo
ec81ea95df gha: Add workflow_dispatch trigger to docs-url-alive-check
We can't test this PR because the workflow needs this trigger, so adding
this will allow testing future PRs.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 14:39:34 -05:00
Aurélien Bombo
4d760e64ae gha: Fix docs-url-alive-check workflow
The Go installation step was broken because the checkout action was
checking out the code in a subdirectory:

https://github.com/kata-containers/kata-containers/actions/runs/18265538456/job/51999316919

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 14:39:34 -05:00
Fabiano Fidêncio
3418cedacc ci: Add tests for erofs-snapshotter (for coco-qemu-dev)
erofs-snapshotter can be used to leverage sharing the image from the
host to the guest without the need of a shared filesystem (such as
virtio-fs or virtio-9p).

This case is ideal for Confidential Computing enabled on Kata
Containers, and we can immensely benefit from this snapshotter, thus
let's test it as soon as possible so we can find issues, report bugs,
and ask for enhancement requests.

There are at least a few things that we know for sure to be problematic
now:
* Policy has to be adjusted to the erofs-snapshotter
* There is no support for signed nor encrypted images
* Tests that use the KBS are disabled for now

Even with the limitations, I do believe we should be testing the
snapshoitter, so we can team up and get those limitations addressed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-08 10:34:09 +02:00
Fabiano Fidêncio
f994bacf6c tests: coco: Use the new way to set up nydus snapshotter
Let's rely on kata-deploy setting up the nydus snapshotter for us,
instead of doing this with external code.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
4359c7b15d tests: Ensure the nydus-snapshotter versions are aligned
In the previous commit we added the assumption that the
nydus-snapshotter version should be the same in two different places.

Now, with this test, we ensure those will always be in sync.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Markus Rudy
369124b180 ci: build genpolicy on darwin
genpolicy is a developer tool that should be usable on MacOS. Adding it
to the darwin CI job ensures that it can still be built after changes.

On an Apple M2, the output of `uname -m` is `arm64`, which is why a new
case is needed in the arch_to_* functions.

We're not going to cross-compile binaries on darwin, so don't install
any additional Rust targets.

Fixes: #11635

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-09-29 09:48:32 +02:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Aurélien Bombo
2e033d0079 gha: Run Zizmor without Advanced Security
This does not change the security of the analysis, this is just to work
around zizmorcore/zizmor-action#43.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 10:50:41 -05:00
Fabiano Fidêncio
8abfef358a tests: Only run docker tests with one VMM
Docker tests have been broken for a while and should be removed if we
cannot maintain those.

For now, though, let's limit it to run only with one hypervisor and
avoid wasting resources for no reason.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 23:03:04 +02:00
Fabiano Fidêncio
dce6f13da8 tests: Only run devmapper tests with QEMU
devmapper tests have been failing for a while. It's been breaking on the
kata-deploy deployment, which is most likely related to Disk Pressure.

Removing files was not enough to get the tests to run, so we'll just run
those with QEMU as a way to test fixes.  Once we get the test working,
we can re-enable the other VMMs, but for now let's just not waste
resources for no reason.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 23:02:33 +02:00
Fabiano Fidêncio
ad7e60030a tests: k8s: kata-deploy: Remove unnecessary dirs to free up space
This is following Steve's suggestion, based on what's been done on
cloud-api-adaptor.

The reason we're doing it here is because we've seen pods being evicted
due to disk pressure.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 15:27:54 +02:00
stevenhorsman
9c0fcd30c5 ci: Add slab to dependabot groups
Add slab, so that in future the different component bumps are all done together

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
Aurélien Bombo
11655ef029 ci: Run Zizmor on pushes to any branch
This runs Zizmor on pushes to any branch, not just main.

This is useful for:

 1. Testing changes in feature branches with the manually-triggered CI.
 2. Forked repos that may use a different name than "main" for their
    default branch.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-11 09:33:25 -05:00
Hyounggyu Choi
1737777d28 Merge pull request #11743 from BbolroC/enable-ci-qemu-se-runtime-rs
runtime-rs: Enable s390x nightly test for IBM SEL
2025-09-10 15:00:16 +02:00
Hyounggyu Choi
1060a94b08 GHA: Add s390x nightly test for runtime-rs on IBM SEL
A new internal nightly test has been established for runtime-rs.
This commit adds a new entry `cc-se-e2e-tests-rs` to the existing
matrix and renames the existing entry `cc-se-e2e-tests` to
`cc-se-e2e-tests-go`.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-10 10:57:40 +02:00
Aurélien Bombo
c0030c271c ci: security: Fix "commit hash does not point to a Git tag"
This fixes all such issues, ie.:

https://github.com/kata-containers/kata-containers/security/code-scanning/459
https://github.com/kata-containers/kata-containers/security/code-scanning/508
https://github.com/kata-containers/kata-containers/security/code-scanning/510

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-08 11:17:54 -05:00
Aurélien Bombo
cbcc7af6f3 Merge pull request #11615 from kata-containers/sprt/zizmor-pedantic
security: gha: Run Zizmor in auditor mode
2025-09-08 10:28:19 -05:00
Aurélien Bombo
f39517a18a ci: aks: Refresh OIDC token in case access token expired
It's possible that tests take a long time to run and hence that the access
token expires before we delete the cluster. In this case `az cli` will try
to refresh the access token using the OIDC token (which will have
definitely also expired because its lifetime is ~5 minutes).

To address this we refresh the OIDC token manually instead. Automatic
refresh isn't supported per Azure/azure-cli#28708.

Fixes: #11758

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-04 12:44:02 -05:00
Aurélien Bombo
1dcc67c241 security: gha: Use Zizomor's auditor mode
This is the strictest possible setting for Zizmor.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-03 12:30:09 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Steve Horsman
23d2dfaedc Merge pull request #11707 from fidencio/topic/switch-to-use-zstd-when-possible
kata-deploy: local-build: Use zstd instead of xz
2025-08-22 10:06:00 +01:00
stevenhorsman
0ccf429a3d workflows: Switch workflows to use install_go.sh
Update the two workflows that used setup-go to
instead call `install_go.sh` script, which handles
installing the correct version of golang

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
Fabiano Fidêncio
ad240a39e6 kata-deploy: tools: tests: Use zstd instead of xz
Although the compress ratio is not as optimal as using xz, it's way
faster to compress / uncompress, and it's "good enough".

This change is not small, but it's still self-contained, and has to get
in at once, in order to help bisects in the future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
alex.lyn
b23d094928 CI: Introduce CI for libs to Improve code quality and reduce noises
Currently, runtime-rs related code within the libs directory lacks
sufficient CI protection. We frequently observe the following issues:
- Inconsistent Code Formatting: Code that has not been properly
  formatted
is merged.
- Failing Tests: Code with failing unit or integration tests is merged.

To address these issues, we need introduce stricter CI checks for the
libs directory. This may specifically include:
- Code Formatting Checks
- Mandatory Test Runs

Fixes #11512

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
Zvonko Kaiser
1b1b3af9ab ci: Remove trigger for stable branch
We do not support stable branches anymore,
remove the trigger for it.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-06 09:22:24 +08:00
Aurélien Bombo
c47bff6d6a Merge pull request #11637 from kata-containers/sprt/remove-install-az-cli
gha: Remove unnecessary install-azure-cli step
2025-08-01 09:34:46 -05:00
Markus Rudy
3fd354b991 ci: add codegen to static-checks
Signed-off-by: Markus Rudy <mr@edgeless.systems>

Fixes: #11631

Co-authored-by: Steve Horsman <steven@uk.ibm.com>
2025-07-31 17:58:25 +01:00
Fabiano Fidêncio
8d30b84abd build: nvidia: Fix KBUILD_SIGN_PIN breakage
We only need KBUILD_SIGN_PIN exported when building nvidia related
artefacts.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-31 16:39:20 +02:00
Aurélien Bombo
96f1d95de5 gha: Remove unnecessary install-azure-cli step
az cli is already installed by the azure/login action.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-30 10:42:56 -05:00
Zvonko Kaiser
fbb0e7f2f2 gpu: Add secrets passthrough to the workflow
We need to pass-through the secrets in all the needed workflows
ci, ci-on-push, ci-nightly, ci-devel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:51:01 +00:00
Zvonko Kaiser
30778594d0 gpu: Add arm64-nvidia-a100 to actionlint.yaml
Make zizmor happy about our custom runner label

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
7669f1fbd1 gpu: Add NVIDIA GPU test block for amd64
Once we have the amd64 artifacts we can run some arm64 k8s tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
97d7575d41 gpu: Disable metrics tests
We are not running the metrics tests anyway for now
lets make room to run the GPU tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:58 +00:00
stevenhorsman
475baf95ad ci: Try passing api token into githubh api call
Our CI keeps on getting
```
jq: error (at <stdin>:1): Cannot index string with string "tag_name"
```
during the install dependencies phase, which I suspect
might be due to github rate limits being reduced, so try
to pass through the `GH_TOKEN` env and use it in the auth header.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-24 08:49:32 +01:00
Fabiano Fidêncio
aaeb3b3221 release: Copy the VERSION file to the tarball
For the release itself, let's simply copy the VERSION file to the
tarball.

To do so, we had to change the logic that merges the build, as at that
point the tag is not yet pushed to the repo.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-20 00:06:14 +02:00
stevenhorsman
a7e27b9b68 workflow: Fix osv-scanner action
- The github generated template had an old version which
isn't valid for the pr-scan, so update to the latest
- The action needs also `actions: read` and `contents:read` to run in kata-containers

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 17:29:35 +01:00
stevenhorsman
1a75c12651 workflow: Add osv-scanner action
Add action to check for vulnerabilities in the project and
on each PR

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 16:41:56 +01:00