PIE (position-independent executables) does good to security.
For some historical reason(compliation failure), it was disabled. But it
can be supported now on aarch64.
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Currently arm64 kata uses 3.0 qemu version. Hence aarch64 can't use some
--disable configure options between [3.1, 4.0].
Besides, due to upstream qemu bug about --disable-replication, still
enable the replication on aarch64 for qemu 3.0. Please refer to the
commit 3ebb9c4f52 ("migration/colo.c: Fix compilation issue when disable
replication")
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Qemu commit 315d318 uses built-in UUID implementation, hence we can't
disable uuid. This option is for generic arch, not only for aarch64.
Otherwise there is a warning during configure:
configure: --disable-uuid is obsolete, UUID support is always built
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Previously, it misses to add the --disable-xen for reducing qemu size
on aarch64. This patch add disable-xen on all arches, hence the case
switch is removed.
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Remove the rootfs bind dest and finally remove the created share
directory when stopping the container.
Fixes#2516
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
vmlinux on arm64
arm64 does not use vmlinux to boot, Image is used instead.
Otherwise, kata can't boot from vmlinux.container
Besides, given that firecracker only supports booting from Image,
don't set vmlinux for firecracker target
Fixes#930
Signed-off-by: Jia He <justin.he@arm.com>
With the HTTP API 'vm.resize()', the CPU hotplug with CLH is much simpler
comparing with QEMU. This is because we don't need to distinguish adding from
removing CPUs.
Fixes: #2495
Depends-on: github.com/kata-containers/packaging#968
Depends-on: github.com/kata-containers/tests#2364
Signed-off-by: Bo Chen <chen.bo@intel.com>
The prepare_overlay() code path is called when rootfs.sh is invoked
with no passed in distro string. This is used for the dracut case
from the Makefile for example. In that particular case, the starting
root directory is empty.
It's also valid to pass a prepopulated directory to rootfs.sh, which
is essentially a request for the script to just make the necessary
kata changes. Currently though prepare_overlay() makes some changes
that could wipe out pre-arranged /sbin/init setup.
Check first to see if /sbin/init exists in the rootfs dir, and if so,
skip the symlink changes
Fixes: #419
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Let's change the kata-deploy github action trigger from:
'/test kata-deploy'
to
'/test-kata-deploy'
which will hopefully reduce the number of false triggers caused when
we issue the 'normal' CI runs that are triggered by other
'/test xxxx' phrases.
Fixes: #971
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Nothing inherently requires root here. If the ROOTFS_DIR is only
root accessible then the operation may fail, but better IMO to let
that fail naturally
Fixes: #422
Signed-off-by: Cole Robinson <crobinso@redhat.com>
In Fedora we are running the osbuilder scripts on the client machine,
to generate an initrd for the running host kernel. In this setup,
there's currently a runtime dependency on gcc for compiling the nsdax
tool, which is suboptimal.
Add NSDAX_BIN environment variable; if specified, image-builder.sh
will use that path as the nsdax tool. This let's ship a compiled
nsdax tool to users and drop the runtime gcc dependency
Fixes: #417
Signed-off-by: Cole Robinson <crobinso@redhat.com>
There are two 'debug' settings in the containerd config file that
affect the shimv2 runtime log output. Add the other method to the
existing documentation, and also note that enabling full containerd
debug also affects all of containerd.
The commit also re-generates the TOC, which seems to correct a
few anomolies there.
Fixes: #596
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
The 'apiSocket' member in the CloudHypervisorState struct needs to be kept
across different executions of kata-runtime with persist HypervisorState, so
that kata-runtime can talk with the same running cloud-hypervisor through
HTTP/REST API calls.
Fixes: #2506
Signed-off-by: Bo Chen <chen.bo@intel.com>
Adds a cmdline option to configure the stdout/stderr pipe sizes.
Uses `F_SETPIPE_SZ` to resize the write side of the pipe after
creation.
Example Cmdline option: `agent.container_pipe_size=2097152`
fixes#152
Signed-off-by: Alex Price <aprice@atlassian.com>
Fedora versions 28 and 29 has come EOL, we should update the generation
of obs packages but now for Fedora 30.
Fixes#963
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This allows to reuse detached block index and ensures that the
index will not reach the limit of device(such as `maxSCSIDevices`)
after restarting containers many times in one pod.
Fixes: #2007
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
I add another sub-command `build-service` in Makefile to
generate rust-agent-related systemd service files, which
are necessary for building guest rootfs image.
The whole design is following the one in go-agent.
Fixes: #144
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
The script points kata-runtime at the generated initrd/image by
editing the host config file, which we aren't doing when
KATA_DEV_MODE=1 is set, so this won't work.
Fixes: #415
Signed-off-by: Cole Robinson <crobinso@redhat.com>
If KATA_DEV_MODE is set, test_images.sh attempts to validate that
docker has kata-runtime as a configured --runtime value. This gives
a nicer and earlier error, but it also complicates using
/usr/bin/docker as provided by podman, which has a different 'info'
topology.
Let's drop the check and let the tests fail naturally if the host
isn't configured properly
Signed-off-by: Cole Robinson <crobinso@redhat.com>
set_runtime attempts to overwrite the host docker configuration to
default to DOCKER_RUNTIME instead of kata-runtime, which does not
work for 'docker build'.
Since this is a host altering step, skip it if KATA_DEV_MODE is set.
Signed-off-by: Cole Robinson <crobinso@redhat.com>
kata-manager.sh makes host config changes. KATA_DEV_MODE is meant to
avoid such changes.
Add a helper run_mgr function which stubs out kata-manager.sh usage
if KATA_DEV_MODE is set.
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Define KATA_DEV_MODE at the top of the file, so code doesn't need
to conditionally compare against it
Signed-off-by: Cole Robinson <crobinso@redhat.com>
The current setup leaves images/ and rootfs-osbuilder/ dirs stranded
in the $project_dir when run locally. This simplifies things by only
passing through the project_dir and the tmp_dir that all our output
is relative to
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Enable libpmem to support PMEM when running under Kubernetes.
see https://github.com/kata-containers/runtime/issues/2262
According to QEMU's nvdimm documentation: When 'pmem' is 'on' and QEMU is
built with libpmem support, QEMU will take necessary operations to guarantee
the persistence of its own writes to the vNVDIMM backend.
fixes#958
Signed-off-by: Julio Montes <julio.montes@intel.com>
Otherwise it defaults to using the $project_dir/dracut_overlay, which
leaves junk hanging around when running the tests locally
Signed-off-by: Cole Robinson <crobinso@redhat.com>
This is similarly used in image_builder.sh and can be handy to
determine what is happening. Unfold the 'set' short options while
we are at it
Signed-off-by: Cole Robinson <crobinso@redhat.com>
The rootfs and image builder scripts are wired up to handle the
DOCKER_RUNTIME, so pass our value down to those scripts
Signed-off-by: Cole Robinson <crobinso@redhat.com>
