Commit Graph

7388 Commits

Author SHA1 Message Date
Peng Tao
917915650c
Merge pull request #3893 from fengwang666/my_2.3_pr_backport
runtime: Properly handle ESRCH error when signaling container
2022-03-15 14:10:49 +08:00
GabyCT
7a5e34c2e6
Merge pull request #3890 from likebreath/stable-2.3
stable-2.3 | versions: Upgrade to Cloud Hypervisor v22.1
2022-03-14 17:44:29 -06:00
Feng Wang
2e86db78cf runtime: Properly handle ESRCH error when signaling container
Currently kata shim v2 doesn't translate the ESRCH signal, causing the container
to fail to stop and the shim to leak.

Fixes: #3874

Signed-off-by: Feng Wang <feng.wang@databricks.com>
(cherry picked from commit aa5ae6b17c)
2022-03-14 13:20:23 -07:00
Bo Chen
6138e3b65a versions: Upgrade to Cloud Hypervisor v22.1
This is a bug fix release. The following issues have been addressed:
1) VFIO ioctl reordering to fix MSI on AMD platforms; 2) Fix virtio-net
control queue.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v22.1

Note: client code of Cloud Hypervisor is not updated given this is a
backport change.

Fixes: #3872

Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 7a18e32fa7)
2022-03-14 12:31:14 -07:00
Fabiano Fidêncio
a2c228ef66
Merge pull request #3824 from fidencio/stable-2.3-clh-stop-virtiofsd-if-clh-fails-to-boot-up-the-vm
stable-2.3 | clh: stop virtofsd if clh fails to boot up the vm
2022-03-03 23:25:45 +01:00
Fabiano Fidêncio
b2a7eea4a7 clh: stop virtofsd if clh fails to boot up the vm
If, for some reason, we're able to launch cloud hypervisor but not able
to boot the VM up, the virtiofsd process would be left behind.

Let's ensure, via defer, that we stop virtiofsd in case of errors.

Fixes: #3819
Backports: #3823

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-03-03 19:23:22 +01:00
Eric Ernst
97cd593953
Merge pull request #3798 from egernst/2.3.3-branch-bump
# Kata Containers 2.3.3
2022-03-01 10:18:27 -08:00
Eric Ernst
652cff16b4 release: Kata Containers 2.3.3
- back port:: runtime: make selinux configurable
- stable-2.3 | kata-deploy: Use (kata with) qemu as the default shim-v2 binary
- stable-2.3 | shim: log events for CRI-O
- stable-2.3 | agent: fix invalid hooks env issues
- stable-2.3 | packaging: Use `patch` for applying patches

0b6e9f83 runtime: make selinux configurable
408477a2 kata-deploy: Use (kata with) qemu as the default shim-v2 binary
9431498e shim: log events for CRI-O
406f00a3 packaging: Use `patch` for applying patches
7af719e4 agent: handle hook process result
9b34cf46 agent: valid envs for hooks
9c195364 agent: Fix execute_hook() args error
9bea3a42 agent: check environment variables if empty or invalid

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2022-03-01 08:38:59 -08:00
Fabiano Fidêncio
48732f5c4f
Merge pull request #3794 from egernst/backport-selinux-build
back port:: runtime: make selinux configurable
2022-03-01 08:54:23 +01:00
Tanweer Noor
0b6e9f8365 runtime: make selinux configurable
removes --tags selinux handling in the makefile (part of it introduced here: d78ffd6)
and makes selinux configurable via configuration.toml

Fixes: #3631
Signed-off-by: Tanweer Noor <tnoor@apple.com>
2022-02-28 20:58:46 -08:00
snir911
d2d579f1aa
Merge pull request #3745 from fidencio/stable-2.3-kata-deploy-use-kata-with-qemu-as-the-default-shim-v2-binary
stable-2.3 | kata-deploy: Use (kata with) qemu as the default shim-v2 binary
2022-02-22 14:29:39 +02:00
snir911
a373dc0270
Merge pull request #3744 from liubin/backport/3736
stable-2.3 | shim: log events for CRI-O
2022-02-22 12:30:16 +02:00
Fabiano Fidêncio
408477a263 kata-deploy: Use (kata with) qemu as the default shim-v2 binary
When using kata-deploy, no `containerd-shim-kata-v2` binary is deployed,
but we do deploy a `kata` runtime class, which seems very much
inconsistent.

As the default configuration for kata-containers points to QEMU, let's
also use kata with QEMU as the default shim-v2 binary.

Fixes: #3228, #3734

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit 11220f052f)
2022-02-22 09:57:04 +01:00
bin
9431498e14 shim: log events for CRI-O
CRI-O starts the shim process without setting TTRPC_ADDRESS,
so the event-forwarding goroutine will get errors.

For the CRI-O runtime, we can log the events to a log file.

Fixes: #3733

Signed-off-by: bin <bin@hyper.sh>
2022-02-22 16:27:00 +08:00
Fabiano Fidêncio
41cc86751b
Merge pull request #3716 from liubin/backport/3668
stable-2.3 | agent: fix invalid hooks env issues
2022-02-19 08:39:23 +01:00
Fabiano Fidêncio
bf9b364678
Merge pull request #3725 from Jakob-Naucke/backport-fix-apply-patches
stable-2.3 | packaging: Use `patch` for applying patches
2022-02-19 08:38:55 +01:00
Jakob Naucke
406f00a3a2
packaging: Use patch for applying patches
`tools/packaging/scripts/apply_patches.sh` uses `git apply $patch`, but
this will not apply to subdirectories. If one wanted to apply with
`git apply`, they'd have to run it with `--directory=...`
_relative to the Git tree's root_ (absolute will not work!). I suggest
we just use `patch`, which will do what we expected `git apply` would
do.

`patch` is also added to build containers that require it.

Fixes: #3690
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2022-02-18 16:55:23 +01:00
bin
7af719e47c agent: handle hook process result
The current hook process is handled by just calling
unwrap() on it, which will sometimes cause a panic.

Handling all Result types and checking the error can
avoid the panic.

Fixes: #3649

Signed-off-by: bin <bin@hyper.sh>
2022-02-18 15:29:11 +08:00
bin
9b34cf46da agent: valid envs for hooks
Envs containing a null byte will cause running hooks to panic;
this commit filters envs and only passes valid envs to hooks.

Fixes: #3667

Signed-off-by: bin <bin@hyper.sh>
2022-02-18 15:28:55 +08:00
Binbin Zhang
9c1953641b agent: Fix execute_hook() args error
1. The hook.args[0] is the hook binary name which shouldn't be included
in the Command.args.
2. Add new unit tests

Fixes: #2610

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
Signed-off-by: bin <bin@hyper.sh>
2022-02-18 15:28:50 +08:00
bin
9bea3a42a7 agent: check environment variables if empty or invalid
An invalid environment variable key/value will cause set_env to panic.

Refer: https://doc.rust-lang.org/std/env/fn.set_var.html#panics

Fixes: #3006

Signed-off-by: bin <bin@hyper.sh>
2022-02-18 13:18:01 +08:00
Fabiano Fidêncio
1af292c9e6
Merge pull request #3585 from snir911/2.3.2-branch-bump
# Kata Containers 2.3.2
2022-02-03 08:05:22 +01:00
Snir Sheriber
67947b5f05 release: Kata Containers 2.3.2
- stable-2.3 | workflows: Use base instead of head ref for kata-deploy-test
- stable-2.3-backports
- [backport from main] agent: fix the issue of missing create a new session for container
- stable-2.3 - kata-deploy: validate conf file can be created
- stable-2.3 | kata-monitor: increase delay before syncing with the container manager
- stable-2.3 | versions: Upgrade to Cloud Hypervisor v21.0
- stable-2.3: backport lint fixes from main
- stable-2.3 | runtime: -Wl,--s390-pgste for s390x
- stable-2.3 | kata-manager: Retrieve static tarball
- stable-2.3 | ci: Pass function arguments in static-checks.sh

977f1f5b workflows: Use base instead of head ref for kata-deploy-test
99ed596a workflows: Fix typo in kata-deploy-push action
13b7d93b workflows: Ensure a label change re-triggers the actions
b8463224 workflows: Ensure force-skip-ci skips all actions
8c8571f4 workflows: Use the correct branch ref on test kata-deploy
620bb97e runtime: Provide protection for shared data
770d4acf tools: Fix groupname if it differs from username
cedb01d2 runtime: close span before return from function in case of error
a661e538 agent: fix the issue of missing create a new session for container
bed0f3c8 kata-deploy: validate conf file can be created
786c667e kata-monitor: increase delay before syncing with the container manager
e3b00f39 runtime: -Wl,--s390-pgste for s390x
3260adc4 virtcontainers: clh: Re-generate the client code
cc64461f versions: Upgrade to Cloud Hypervisor v21.0
f2c6cd08 ci: Pass function arguments in static-checks.sh
78afa10a agent: resolve unused variables in tests
a8298676 agent: remove unused field in mount handling
87f9a690 agent: drop unused fields from network
fc012a2b agent: clear cargo test warnings
63c5a8aa uevent: Fix clippy issue in test code
d1530afa kata-manager: Retrieve static tarball

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2022-02-01 20:02:37 +02:00
Fabiano Fidêncio
f2cbfad8b0
Merge pull request #3580 from fidencio/wip/stable-2.3-fix-kata-deploy-ref-branch
stable-2.3 | workflows: Use base instead of head ref for kata-deploy-test
2022-02-01 18:23:33 +01:00
Fabiano Fidêncio
977f1f5bb6 workflows: Use base instead of head ref for kata-deploy-test
Although I've done tests on my own fork using `head_ref` and those
worked, it seems those only worked as the PR was coming from exactly the
same repository as the target one.

Let's switch to base_ref, instead, which we for sure have as part of our
repo.

The downside of this is that we run the test with the last merged PR,
rather than with the "to-be-approved" PR, but that's a limitation we've
always had.

Fixes: #3482

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit 3924470c8f)
2022-02-01 17:05:31 +01:00
Fabiano Fidêncio
e9aaefb135
Merge pull request #3575 from snir911/stable-2.3-backports232
stable-2.3-backports
2022-01-31 20:19:11 +01:00
Fabiano Fidêncio
99ed596ae4 workflows: Fix typo in kata-deploy-push action
A `:` was missed when d87ab14fa7 was
introduced.

Fixes: #3485

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-01-31 12:45:05 +02:00
Fabiano Fidêncio
13b7d93b4f workflows: Ensure a label change re-triggers the actions
This is needed in order to ensure that, for instance, if `force-skip-ci`
label is either added or removed later, the jobs related to the actions
will be restarted and accordingly checked.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-01-31 12:44:37 +02:00
Fabiano Fidêncio
b8463224c8 workflows: Ensure force-skip-ci skips all actions
Before this change it was only applied to the static-checks, but if
we're already taking the extreme path of skipping the CI, we better
ensure we skip all the actions and not just a few of them.

Fixes: #3471

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-01-31 12:44:33 +02:00
Fabiano Fidêncio
8c8571f4ba workflows: Use the correct branch ref on test kata-deploy
The action used for testing kata-deploy is entirely based on the action
used to build the kata-deploy tarball, but while the latter is able to
use the correct branch, the former always uses `main`.

This happens as the `issue_comment`, from GitHub actions, passed the
"default branch" as the GITHUB_REF.

As we're not the first ones to face such an issue, I've decided to take
one of the approaches suggested at one of the checkout's issues,
https://github.com/actions/checkout/issues/331, and take advantage of a
new action provided by the community, which will get the PR where the
comment was made, give us that ref, and that then can be used with the
checkout action, resulting in what we originally wanted.

Fixes: #3443

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-01-31 12:33:12 +02:00
liangxianlong
620bb97e3f runtime: Provide protection for shared data
The k.reqHandlers should be protected by locks when used

Fixes #3440

Signed-off-by: liangxianlong <liang.xianlong@zte.com.cn>
2022-01-31 12:32:55 +02:00
Sebastian Hasler
770d4acf8b tools: Fix groupname if it differs from username
The script `tools/packaging/static-build/qemu/build-base-qemu.sh`
previously failed on systems where the user's groupname differs from the
username

Fixes: #3461

Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
2022-01-31 12:32:47 +02:00
bin
cedb01d295 runtime: close span before return from function in case of error
Return before closing span will cause invalid spans, so span should
be closed before function return.

Fixes: #3424

Signed-off-by: bin <bin@hyper.sh>
2022-01-31 12:32:14 +02:00
Peng Tao
1ccc95fba1
Merge pull request #3563 from lifupan/stable-2.3-backport-3063
[backport from main] agent: fix the issue of missing create a new session for container
2022-01-29 14:24:17 +08:00
Fupan Li
a661e53892 agent: fix the issue of missing create a new session for container
When the container didn't have a tty console, it would be in the same
process group as the kata-agent, which wasn't expected. Thus,
create a new session for the container process.

Fixes: #3063

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2022-01-28 09:44:04 +08:00
snir911
5475d7a7e9
Merge pull request #3561 from snir911/stable-2.3-backport-3433
stable-2.3 - kata-deploy: validate conf file can be created
2022-01-27 19:28:11 +02:00
Snir Sheriber
bed0f3c801 kata-deploy: validate conf file can be created
As containerd doesn't exist at cleanup

Fixes: #3429
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2022-01-27 17:08:48 +02:00
Peng Tao
04426d65ba
Merge pull request #3554 from fgiudici/stable-2.3_monitor_sync
stable-2.3 | kata-monitor: increase delay before syncing with the container manager
2022-01-27 16:49:37 +08:00
Fabiano Fidêncio
3e1955effd
Merge pull request #3535 from likebreath/0121/backport_clh_v21.0
stable-2.3 | versions: Upgrade to Cloud Hypervisor v21.0
2022-01-27 08:02:15 +01:00
Eric Ernst
52dd41dacb
Merge pull request #3532 from egernst/stable-backport-lints
stable-2.3: backport lint fixes from main
2022-01-25 16:37:32 -08:00
Francesco Giudici
786c667e60 kata-monitor: increase delay before syncing with the container manager
When we detect a new kata sandbox from the sbs fs, we add that to the
sandbox cache to retrieve metrics.
We also schedule a sync with the container manager, which we consider
the source of truth: if the kata pod is not yet ready the container
manager will not report it and we will drop it from our cache.
We will add it back only when we re-sync, i.e., when we get an event
from the sbs fs (which means a kata pod has been terminated or a new one
has been started).

Since we use the sync with the container manager to remove pods from the
cache, we can wait some more before syncing (and so reduce the chance to
miss a kata pod just because it was not ready yet).

Let's raise the waiting time before starting the sync timer.

Fixes: #3550

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2022-01-25 18:18:10 +01:00
Jakob Naucke
cf5a79cfe1
Merge pull request #3528 from Jakob-Naucke/backport-pgste
stable-2.3 | runtime: -Wl,--s390-pgste for s390x
2022-01-24 15:00:44 +01:00
Jakob Naucke
e3b00f398b
runtime: -Wl,--s390-pgste for s390x
for linking. Required for basic KVM checks on some kernels (e.g. the
one RHEL is currently shipping), cf.
6621441db5/target/s390x/kvm/meson.build (L15-L16).

Must also be applied to netmon in backport.

Fixes: #3469
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Co-authored-by: Amulya Meka <amulmek1@in.ibm.com>
2022-01-24 12:36:58 +01:00
Jakob Naucke
67950aefd5
Merge pull request #3330 from Jakob-Naucke/backport-kata-manager-static
stable-2.3 | kata-manager: Retrieve static tarball
2022-01-24 12:02:02 +01:00
Jakob Naucke
bd4ab0c4d5
Merge pull request #3526 from Jakob-Naucke/static-args
stable-2.3 | ci: Pass function arguments in static-checks.sh
2022-01-24 11:39:11 +01:00
Bo Chen
3260adc4a1 virtcontainers: clh: Re-generate the client code
This patch re-generates the client code for Cloud Hypervisor v21.0.
Note: The client code of cloud-hypervisor's (CLH) OpenAPI is
automatically generated by openapi-generator [1-2].

[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md

Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 2d799cbfa3)
2022-01-21 13:11:20 -08:00
Bo Chen
cc64461fc8 versions: Upgrade to Cloud Hypervisor v21.0
Highlights from the Cloud Hypervisor release v21.0: 1) Efficient Local
Live Migration (for Live Upgrade); 2) Recommended Kernel is Now 5.15; 3)
Bug fixes on OpenAPI yaml spec file, avoid deadlock for live-migration,
etc.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v21.0

Fixes: #3519

Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 7e15e99d5f)
2022-01-21 13:11:20 -08:00
Jakob Naucke
f2c6cd0808
ci: Pass function arguments in static-checks.sh
e.g. when called from the tests repo

Fixes: #3525
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2022-01-21 14:57:16 +01:00
Eric Ernst
78afa10ab9 agent: resolve unused variables in tests
A few tests have unused or unread variables. Let's clean these up...

Fixes: #3530
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2022-01-16 16:03:14 -08:00
Eric Ernst
a829867674 agent: remove unused field in mount handling
In our parsing of mountinfo, the majority of the fields are unused.
Let's stop saving these.

Fixes: #3180

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2022-01-16 13:26:46 -08:00