Aurélien Bombo
5200034642
Revert "ci: gha: Remove ok-to-test label on every push"
...
This reverts commit 2ee3470627.
This is mostly redundant given we already have workflow approval for external
contributors.
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-12 08:40:06 -05:00
Paul Meyer
64906e6973
tests/static-checks: parse rego with opa and regorus
...
Ensure rego policies in tree can be parsed using opa and regorus.
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 14:59:39 +02:00
Paul Meyer
107e7dfdf6
ci/static-checks: install regorus
...
Make regorus available for static checks as prerequisite for rego checks.
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 14:59:39 +02:00
Steve Horsman
843655c352
Merge pull request #11411 from stevenhorsman/runk-users-crate-switch
...
runk: Switch users crate
2025-06-12 10:35:31 +01:00
Paul Meyer
71796f7b12
ci/static-checks: install opa
...
Make open-policy-agent available for static checks as prerequisite for rego checks.
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 10:46:43 +02:00
Paul Meyer
5baea34fff
genpolicy/rules: rego v1 compatibility
...
Migrate policy to rego v1.
See https://www.openpolicyagent.org/docs/v0-upgrade#changes-to-rego-in-opa-v10
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 10:46:43 +02:00
Fupan Li
7c1f8c9009
Merge pull request #10697 from Apokleos/no-sharefs
...
runtime-rs: Support shared_fs = "none" for CoCo
2025-06-12 11:48:00 +08:00
Fupan Li
a495dec9f4
Merge pull request #11305 from RuoqingHe/bump-rust-1.85.1
...
versions: Bump Rust from 1.80.0 to 1.85.1
2025-06-12 10:21:38 +08:00
Ruoqing He
26c7f941aa
versions: Bump rust to 1.85.1
...
As discussed in 2025-05-22's AC call, bump rust toolchain to 1.85.1.
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
5011253818
agent-ctl: Bump `ttrpc-codegen` related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
ba75b3299f
dragonball: Fix clippy elided_named_lifetimes
...
Manually fix `elided_named_lifetimes` clippy warning reported by rust
1.85.1.
```console
error: elided lifetime has a name
--> src/vm/aarch64.rs:113:10
|
107 | fn get_fdt_vm_info<'a>(
| -- lifetime `'a` declared here
...
113 | ) -> FdtVmInfo {
| ^^^^^^^^^ this elided lifetime gets resolved as `'a`
|
= note: `-D elided-named-lifetimes` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(elided_named_lifetimes)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
1bbedb8def
dragonball: Fix clippy repr_packed_without_abi
...
Fix `repr_packed_without_abi` clippy warning as suggested by rust
1.85.1.
```console
error: item uses `packed` representation without ABI-qualification
--> dbs_pci/src/msi.rs:468:1
|
466 | #[repr(packed)]
| ------ `packed` representation set here
467 | #[derive(Clone, Copy, Default, PartialEq)]
468 | / pub struct MsiState {
469 | | msg_ctl: u16,
470 | | msg_addr_lo: u32,
471 | | msg_addr_hi: u32,
472 | | msg_data: u16,
473 | | mask_bits: u32,
474 | | }
| |_^
|
= warning: unqualified `#[repr(packed)]` defaults to `#[repr(Rust, packed)]`, which has no stable ABI
= help: qualify the desired ABI explicity via `#[repr(C, packed)]` or `#[repr(Rust, packed)]`
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#repr_packed_without_abi
= note: `-D clippy::repr-packed-without-abi` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::repr_packed_without_abi)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
e8be3c13fb
dragonball: Fix clippy missing_docs
...
Fix `missing_docs` clippy warning as suggested by rust 1.85.1.
```console
error: missing documentation for an associated function
--> src/device_manager/mod.rs:1299:9
|
1299 | pub fn new_test_mgr() -> Self {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `-D missing-docs` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(missing_docs)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
ceff1ed98d
dragonball: Fix clippy needless_lifetimes
...
Fix `needless_lifetimes` clippy warning as suggested by rust 1.85.1.
```console
error: the following explicit lifetimes could be elided: 'a
--> dbs_virtio_devices/src/vhost/vhost_user/connection.rs:137:6
|
137 | impl<'a, AS: GuestAddressSpace, Q: QueueT, R: GuestMemoryRegion> EndpointParam<'a, AS, Q, R> {
| ^^ ^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#needless_lifetimes
= note: `-D clippy::needless-lifetimes` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::needless_lifetimes)]`
help: elide the lifetimes
|
137 - impl<'a, AS: GuestAddressSpace, Q: QueueT, R: GuestMemoryRegion> EndpointParam<'a, AS, Q, R> {
137 + impl<AS: GuestAddressSpace, Q: QueueT, R: GuestMemoryRegion> EndpointParam<'_, AS, Q, R> {
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
c04f1048d5
dragonball: Fix clippy unnecessary_lazy_evaluations
...
Fix `unnecessary_lazy_evaluations` clippy warning as suggested by rust
1.85.1.
```console
error: unnecessary closure used to substitute value for `Option::None`
--> dbs_virtio_devices/src/vhost/vhost_user/block.rs:225:28
|
225 | let vhost_socket = config_path
| ____________________________^
226 | | .strip_prefix("spdk://")
227 | | .ok_or_else(|| VirtIoError::InvalidInput)?
| |_____________________________________________________^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_lazy_evaluations
= note: `-D clippy::unnecessary-lazy-evaluations` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::unnecessary_lazy_evaluations)]`
help: use `ok_or` instead
|
227 | .ok_or(VirtIoError::InvalidInput)?
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
16b45462a1
dragonball: Fix clippy manual_inspect
...
Manually fix `manual_inspect` clippy warning reported by rust 1.85.1.
```console
error: using `map_err` over `inspect_err`
--> dbs_virtio_devices/src/net.rs:753:52
|
753 | self.device_info.read_config(offset, data).map_err(|e| {
| ^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_inspect
= note: `-D clippy::manual-inspect` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_inspect)]`
help: try
|
753 ~ self.device_info.read_config(offset, data).inspect_err(|e| {
754 ~ self.metrics.cfg_fails.inc();
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
5e80293bfc
dragonball: Fix clippy empty_line_after_doc_comments
...
Fix `empty_line_after_doc_comments` clippy warning as suggested by rust
1.85.1.
```console
error: empty line after doc comment
--> dbs_boot/src/x86_64/layout.rs:11:1
|
11 | / /// Magic addresses externally used to lay out x86_64 VMs.
12 | |
| |_^
13 | /// Global Descriptor Table Offset
14 | pub const BOOT_GDT_OFFSET: u64 = 0x500;
| ------------------------------ the comment documents this constant
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#empty_line_after_doc_comments
= note: `-D clippy::empty-line-after-doc-comments` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::empty_line_after_doc_comments)]`
= help: if the empty line is unintentional remove it
help: if the documentation should include the empty line include it in the comment
|
12 | ///
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
bb13b6696e
dragonball: Fix clippy manual_div_ceil
...
Fix `manual_div_ceil` clippy warning as suggested by rust 1.85.1.
```console
error: manually reimplementing `div_ceil`
--> dbs_interrupt/src/kvm/mod.rs:202:24
|
202 | let elem_cnt = (total_sz + elem_sz - 1) / elem_sz;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider using `.div_ceil()`: `total_sz.div_ceil(elem_sz)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_div_ceil
= note: `-D clippy::manual-div-ceil` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_div_ceil)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
e58bd52dd8
dragonball: Fix clippy precedence
...
Fix `precedence` clippy warning as suggested by rust 1.85.1.
```console
error: operator precedence can trip the unwary
--> dbs_interrupt/src/kvm/mod.rs:169:6
|
169 | (u64::from(type1) << 48 | u64::from(entry.type_) << 32) | u64::from(entry.gsi)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider parenthesizing your expression: `(u64::from(type1) << 48) | (u64::from(entry.type_) << 32)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#precedence
= note: `-D clippy::precedence` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::precedence)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
44142b13d3
genpolicy: Fix clippy unstable_name_collisions
...
Manually fix `unstable_name_collisions` clippy warning reported by rust
1.85.1.
```console
error: a method with this name may be added to the standard library in the future
--> src/registry.rs:646:10
|
646 | file.unlock()?;
| ^^^^^^
|
= warning: once this associated item is added to the standard library, the ambiguity may cause an error or change in behavior!
= note: for more information, see issue #48919 <https://github.com/rust-lang/rust/issues/48919>
= help: call with fully qualified syntax `fs2::FileExt::unlock(...)` to keep using the current method
= note: `-D unstable-name-collisions` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(unstable_name_collisions)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
366d293141
genpolicy: Fix clippy manual_unwrap_or_default
...
Manually fix `manual_unwrap_or_default` clippy warning reported by rust
1.85.1.
```console
error: if let can be simplified with `.unwrap_or_default()`
--> src/registry.rs:619:37
|
619 | let mut data: Vec<ImageLayer> = if let Ok(vec) = serde_json::from_reader(read_file) {
| _____________________________________^
620 | | vec
621 | | } else {
... |
624 | | };
| |_____^ help: replace it with: `serde_json::from_reader(read_file).unwrap_or_default()`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_unwrap_or_default
= note: `-D clippy::manual-unwrap-or-default` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_unwrap_or_default)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
a71a77bfa3
genpolicy: Fix clippy manual_div_ceil
...
Manually fix `manual_div_ceil` clippy warning reported by rust 1.85.1.
```console
error: manually reimplementing `div_ceil`
--> src/verity.rs:73:25
|
73 | let count = (data_size + entry_size - 1) / entry_size;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider using `.div_ceil()`: `data_size.div_ceil(entry_size)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_div_ceil
= note: `-D clippy::manual-div-ceil` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_div_ceil)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
5d491bd4f4
genpolicy: Bump `ttrpc-codegen` related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
965f1d799c
kata-ctl: Fix clippy empty_line_after_outer_attr
...
Manually fix `empty_line_after_outer_attr` clippy warning reported by
rust 1.85.1.
```console
error: empty line after outer attribute
--> src/check.rs:515:9
|
515 | / #[allow(dead_code)]
516 | |
| |_^
517 | struct TestData<'a> {
| ------------------- the attribute applies to this struct
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#empty_line_after_outer_attr
= note: `-D clippy::empty-line-after-outer-attr` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::empty_line_after_outer_attr)]`
= help: if the empty line is unintentional remove it
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
3d64b11454
kata-ctl: Fix clippy question_mark
...
Manually fix `question_mark` clippy warning reported by rust 1.85.1.
```console
error: this `match` expression can be replaced with `?`
--> src/ops/check_ops.rs:49:13
|
49 | let f = match get_builtin_check_func(check) {
| _____________^
50 | | Ok(fp) => fp,
51 | | Err(e) => return Err(e),
52 | | };
| |_____^ help: try instead: `get_builtin_check_func(check)?`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#question_mark
= note: `-D clippy::question-mark` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::question_mark)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
702ba4033e
kata-ctl: Bump `ttrpc-codegen` related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
f70c17660a
runtime-rs: Fix clippy unnecessary_map_or
...
Fix `unnecessary_map_or` clippy warning as suggested by rust 1.85.1.
```console
error: this `map_or` can be simplified
--> crates/hypervisor/src/ch/inner_hypervisor.rs:1054:24
|
1054 | let have_tdx = fs::read(TDX_KVM_PARAMETER_PATH)
| ________________________^
1055 | | .map_or(false, |content| !content.is_empty() && content[0] == b'Y');
| |_______________________________________________________________________________^ help: use is_ok_and instead: `fs::read(TDX_KVM_PARAMETER_PATH).is_ok_and(|content| !content.is_empty() && content[0] == b'Y')`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_map_or
= note: `-D clippy::unnecessary-map-or` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::unnecessary_map_or)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
d7dfab92be
runtime-rs: Fix clippy manual_inspect
...
Manually fix `manual_inspect` clippy warning reported by rust 1.85.1.
```console
error: using `map` over `inspect`
--> crates/resource/src/cdi_devices/container_device.rs:50:10
|
50 | .map(|device| {
| ^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_inspect
= note: `-D clippy::manual-inspect` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_inspect)]`
help: try
|
50 ~ .inspect(|device| {
51 | // push every device's Device to agent_devices
52 ~ devices_agent.push(device.device.clone());
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
4c467f57de
runtime-rs: Fix clippy needless_return
...
Fix `needless_return` clippy warning as suggested by rust 1.85.1.
```console
error: unneeded `return` statement
--> crates/resource/src/rootfs/nydus_rootfs.rs:199:5
|
199 | return Some(prefetch_list_path.display().to_string());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#needless_return
= note: `-D clippy::needless-return` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::needless_return)]`
help: remove `return`
|
199 - return Some(prefetch_list_path.display().to_string());
199 + Some(prefetch_list_path.display().to_string())
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
23365fc7e2
runtime-rs: Bump `ttrpc-codegen` related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
bd4d9cf67c
agent: Fix clippy empty_line_after_doc_comments
...
Manually fix `empty_line_after_doc_comments` clippy warning reported by
rust 1.85.1.
```console
error: empty line after doc comment
--> src/linux_abi.rs:8:1
|
8 | / /// Linux ABI related constants.
9 | |
| |_^
10 | #[cfg(target_arch = "aarch64")]
11 | use std::fs;
| ------- the comment documents this import
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#empty_line_after_doc_comments
= note: `-D clippy::empty-line-after-doc-comments` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::empty_line_after_doc_comments)]`
= help: if the empty line is unintentional remove it
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Paul Meyer
d488c998c7
genpolicy/rules: fix syntax issue
...
Policy wasn't parsable with OPA due to surplus whitespace.
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-11 14:48:36 +02:00
Steve Horsman
c8fcda0d73
Merge pull request #11407 from Champ-Goblem/fix/nvidia-rootfs-only-copy-opa-when-agent-policy-enabled
...
nvidia-rootfs: only copy `kata-opa` if `AGENT_POLICY` is enabled
2025-06-11 13:39:07 +01:00
stevenhorsman
39f51b4c6d
runk: Switch users crate
...
The users@0.11.0 has a high severity CVE-2025-5791
and doesn't seem to be maintained, so switch to
uzers which forked it.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-11 12:03:28 +01:00
Champ-Goblem
d6c45027f5
nvidia-rootfs: only copy `kata-opa` if `AGENT_POLICY` is enabled
...
In the nvidia rootfs build, only copy in `kata-opa` if `AGENT_POLICY` is enabled. This fixes
builds when `AGENT_POLICY` is disabled and opa is not built.
Signed-off-by: Champ-Goblem <cameron@northflank.com>
2025-06-11 11:25:10 +02:00
Ruoqing He
2ccb306c0b
agent: Fix clippy precedence
...
Fix `precedence` clippy warning as suggested by rust 1.85.1.
```console
warning: operator precedence can trip the unwary
--> src/pci.rs:54:19
|
54 | Ok(SlotFn(ss8 << FUNCTION_BITS | f8))
| ^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider parenthesizing your expression: `(ss8 << FUNCTION_BITS) | f8`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#precedence
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
048178bc5e
agent: Fix clippy unnecessary_get_then_check
...
Manually fix `unnecessary_get_then_check` clippy warning as suggested by
rust 1.85.1.
```console
warning: unnecessary use of `get(&shared_mount.src_ctr).is_none()`
--> src/sandbox.rs:431:25
|
431 | if src_ctrs.get(&shared_mount.src_ctr).is_none() {
| ---------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| |
| help: replace it with: `!src_ctrs.contains_key(&shared_mount.src_ctr)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_get_then_check
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
54ec432178
agent: Fix clippy partialeq_to_none
...
Fix `partialeq_to_none` clippy warning as suggested by rust 1.85.1.
```console
warning: binary comparison to literal `Option::None`
--> src/sandbox.rs:431:16
|
431 | if src_ctrs.get(&shared_mount.src_ctr) == None {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: use `Option::is_none()` instead: `src_ctrs.get(&shared_mount.src_ctr).is_none()`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#partialeq_to_none
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
95dca31ecc
agent: Fix clippy question_mark
...
Fix `question_mark` clippy warning as suggested by rust 1.85.1.
```console
warning: this `match` expression can be replaced with `?`
--> rustjail/src/cgroups/fs/mod.rs:1327:20
|
1327 | let dev_type = match DeviceType::from_char(d.typ().as_str().chars().next()) {
| ____________________^
1328 | | Some(t) => t,
1329 | | None => return None,
1330 | | };
| |_____^ help: try instead: `DeviceType::from_char(d.typ().as_str().chars().next())?`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#question_mark
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
5a95a65604
agent: Fix clippy unnecessary_map_or
...
Fix `unnecessary_map_or` clippy warning as suggested by rust 1.85.1.
```console
warning: this `map_or` can be simplified
--> rustjail/src/container.rs:1424:20
|
1424 | if namespace
| ____________________^
1425 | | .path()
1426 | | .as_ref()
1427 | | .map_or(true, |p| p.as_os_str().is_empty())
| |_______________________________________________________________^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_map_or
help: use is_none_or instead
|
1424 ~ if namespace
1425 + .path()
1426 + .as_ref().is_none_or(|p| p.as_os_str().is_empty())
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
f9c76edd23
agent: Fix clippy manual_inspect
...
Manually fix `manual_inspect` clippy warning reported by rust 1.85.1.
```console
warning: using `map_err` over `inspect_err`
--> rustjail/src/mount.rs:881:6
|
881 | .map_err(|e| {
| ^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_inspect
help: try
|
881 ~ .inspect_err(|&e| {
882 ~ log_child!(cfd_log, "mount error: {:?}", e);
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
7ff34f00c2
agent: Fix clippy single_match
...
Fix `single_match` clippy warning as suggested by rust 1.85.1.
```console
warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let`
--> src/image.rs:241:9
|
241 | / match oci.annotations() {
242 | | Some(a) => {
243 | | if ImageService::is_sandbox(a) {
244 | | return ImageService::get_pause_image_process();
... |
247 | | None => {}
248 | | }
| |_________^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#single_match
help: try
|
241 ~ if let Some(a) = oci.annotations() {
242 + if ImageService::is_sandbox(a) {
243 + return ImageService::get_pause_image_process();
244 + }
245 + }
|
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Alex Lyn
e99070afb4
Merge pull request #11343 from Apokleos/cc-blk-sharefs
...
Enables block device and disable virtio-fs
2025-06-11 11:52:52 +08:00
Alex Lyn
2d570db08b
Merge pull request #11179 from Apokleos/tdx-qemu-rs
...
runtime-rs: Add TDX Support to runtime-rs for Confidential Containers (CoCo)
2025-06-11 10:27:36 +08:00
alex.lyn
2e9d27c500
runtime-rs: Enables block device and disable virtio-fs via capabilities
...
Kata runtime employs a CapabilityBits mechanism for VMM capability
governance. Fundamentally, this mechanism utilizes predefined feature
flags to manage the VMM's operational boundaries.
To meet demands for storage performance and security, it's necessary
to explicitly enable capability flags such as `BlockDeviceSupport`
(basic block device support) and `BlockDeviceHotplugSupport` (block
device hotplug) which ensures the VMM provides the expected caps.
In CoCo scenarios, due to the potential risks of sensitive data leaks
or side-channel attacks introduced by virtio-fs through shared file
systems, the `FsSharingSupport` flag must be forcibly disabled. This
disables the virtio-fs feature at the capability set level, blocking
insecure data channels.
Fixes #11341
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-11 10:19:13 +08:00
alex.lyn
23340b6b5f
runtime-rs: Support cold plug of block devices via virtio-blk for Qemu
...
Two key important scenarios:
(1) Support `virtio-blk-pci` cold plug capability for confidential guests
instead of nvdimm device in CVM due to security constraints in CoCo cases.
(2) Push initdata payload into compressed raw block device and insert it
in CVM through `virtio-blk-pci` cold plug mechanism.
Fixes #11341
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-11 10:19:13 +08:00
RuoqingHe
7916db9613
Merge pull request #11345 from Apokleos/fix-noise
...
protocols: Fix the noise caused by non-formatted codes in protocols
2025-06-11 09:50:02 +08:00
Aurélien Bombo
66ae9473cb
Merge pull request #11397 from kata-containers/sprt/validate-ok-to-test
...
ci: gha: Remove ok-to-test label on every push
2025-06-10 16:42:54 -05:00
Aurélien Bombo
31288ea7fc
Merge pull request #11398 from kata-containers/sprt/undo-mariner-hotfix
...
Revert "ci: Fix Mariner rootfs build failure"
2025-06-10 16:09:08 -05:00
Aurélien Bombo
f34010cc94
Merge pull request #11388 from kata-containers/sprt/azure-oidc
...
ci: Use OIDC to log into Azure
2025-06-10 13:08:44 -05:00