get_mounts() parses /proc/self/mountinfo in order to get the mountpoints
for various cgroup filesystems. One of the entries in mountinfo is the
"device" for each filesystem, but for virtual filesystems like /proc, /sys
and cgroups, the device entry is arbitrary. Depending on the exact rootfs
setup, it can end up being "-".
This breaks get_mounts() because it uses " - " as a separator. There
really is a " - " separator in mountinfo, but in this case the device entry
shows up as a second one. Fix this, by changing a split to a splitn, which
will effectively only consider the first " - " in the line.
While we're there, make the warning message more useful, by having it
actually show which line it wasn't able to parse.
fixes#2182
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use which to find the full path of exe before run execute_hook
to avoid error: 'No such file or directory'
Fixes: #2172
Signed-off-by: Tim Zhang <tim@hyper.sh>
After create an container/exec successfully, containerd
would wait it immediately, and if start it failed, there
is no chance to send value to exitCh, thus the wait goroutine
would blocked for ever and had no chance to exit.
Fixes: #2087
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
The snap/snapcraft.yaml set AGENT_VERSION to the current VERSION. The osbuilder script
will try to checkout the AGENT_VERSION tag. Let's ensure that all tags and branches
are fetched by the github's checkout action so the tag checkout does not fail.
Fixes#2052
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Architectures that do not support memory hotplugging will fail when
memory limits are set because that amount is hotplugged. Issue a warning
instead. The long-term solution is virtio-mem.
Fixes: #1412
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Bump containerd version to the latest v1.3.x, so we don't have to do
intrusive changes in our codebase (as done for in the main branch).
Fixes: #2350
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This PR updates the proper urls for the Documentation Requirements document.
Fixes#2094
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR updates the proper url for kata-deploy scripts at the
minikube installation.
Fixes#2072
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR updates the correct url for kata installation guides in kata 2.x
Fixes#2069
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
For QEMU 5.0.0 it is applied the patches/5.0.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
to fix an issue with the use of read-only files as backend memory of nvdimm devices. When Kata Containers bumped
to QEMU 5.2.0 that patch was left behind by mistake. In meanwhile a proper feature ("nvdimm: read-only file support")
was proposed and merged upstream (see https://mail.gnu.org/archive/html/qemu-devel/2021-01/msg00258.html).
This contain the backport of the commit 8360ebeb4f4a from QEMU master which should be applied on QEMU 5.2.0
so that feature is available to Kata Containers.
Fixes#2011
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
(cherry picked from commit 3f39df0d18)
This PR removes old links that were used in kata 1.x but not
longer valid for kata 2.x
Fixes#2019
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- stable-2.1 | week 23: weekly backports
- stable-2.1 | versions: Update kubernetes to 1.21.1
- stable-2.1 | Port fd leak fixes
- [stable-2.1] Weekly backports to stable-2.1 branch, May 31st 2021
- [backport]runtime: and cgroup and SandboxCgroupOnly check for check sub-command
- Weekly stable 2.1 backports may 24th
- [backport-2.1] workflows: release kata 2.x snap through the stable channel
- [2.1] how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
- github: Do not run require porting labels on stable-2.1
492729f4 tools/packaging: clone meson and dependencies before building QEMU
db8d853b runtime: remove covertool from cli test
3fad5277 docs: Fix Release Process document
175970c9 versions: Update kubernetes to 1.21.1
1cc2ad3f agent: Fix fd leak caused by netlink
ac34f6df agent: Upgrade tokio-vsock to fix fd leak of vsock socket
915fea7b cgroup: fix the issue of set mem.limit and mem.swap
a05e1377 agent: re-enable the standard SIGPIPE behavior
8019f732 virtiofsd: Fix file descriptors leak and return correct PID
e48c9d42 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
7874ab33 agent: fix start container failed when dropping all capabilities
536634e9 qemu: align before memory hotplug on arm64
c51891fe sandbox-bindmount: persist mount information
b137c7ac sandbox: Cleanup if failure to setup sandbox-bindmount occurs
68a77a7d workflows: release kata 2.x snap through the stable channel
550269ff how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
1ea0dc98 github: Do not run require porting labels on stable-2.1
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In some distros (Ubuntu 18 and 20) it's not possible to clone meson
and QEMU dependencies from https://git.qemu.org due to problems with
its certificates, let's pull these dependencies from github before
building QEMU.
fixes#1965
Signed-off-by: Julio Montes <julio.montes@intel.com>
(cherry picked from commit 9ec9bbbabc)
covertool has no active since 2018 and is not compatible with go1.16
../vendor/github.com/dlespiau/covertool/pkg/cover/cover.go:76:29: cannot use f (type dummyTestDeps) as type testing.testDeps in argument to testing.MainStart:
dummyTestDeps does not implement testing.testDeps (missing SetPanicOnExit0 method)
Fixes: #1862
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
(cherry picked from commit 1b60705646)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This PR updates the correct url for github actions as well as it
corrects a misspelling.
Fixes#1960
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
(cherry picked from commit 9158ec68cc)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The reason for doing such is to (try to) avoid random crashes we've been
facing as part of our CI, such as the one reported as part of
https://github.com/kata-containers/tests/issues/3473Fixes: #1850
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dbef2b2931)
See also: little-dude/netlink#165
Fixes: #1952
Because the author of netlink has no time to maintain the crate
(https://github.com/little-dude/netlink/issues/161), so we
need to switch the dependency to github temporarily.
Signed-off-by: Tim Zhang <tim@hyper.sh>
When update memory limit, we should adapt the write sequence
for memory and swap memory, so it won't fail because
the new value and the old value don't fit kernel's
validation.
Fixes: #1917
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
(cherry picked from commit 30f4834c5b)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The Rust standard library had suppressed the default SIGPIPE
behavior, see https://github.com/rust-lang/rust/pull/13158.
Since the parent's signal handler would be inherited by it's child
process, thus we should re-enable the standard SIGPIPE behavior as a
workaround.
Fixes: #1887
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
(cherry picked from commit 0ae364c8eb)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit will fix two problems:
- Virtiofsd process ID returned to the caller will always be 0,
the pid var is never being assigned a value.
- Socket listen fd may leak in case of failure of starting virtiofsd process.
This is a port of be9ca0d58bFixes: #1931
Signed-off-by: bin <bin@hyper.sh>
(cherry picked from commit 773deca2f6)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In kata-runtime check sub-command, checks cgroups and SandboxCgroupOnly
to show message if the SandboxCgroupOnly is not set to true
and cgroup v2 is used.
Fixes: #1927
Signed-off-by: bin <bin@hyper.sh>
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.
fixes#1913
Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
(cherry picked from commit 3e4ebe10ac)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When hotplug memory on arm64 in kata, kernel will shout:
[ 0.396551] Block size [0x40000000] unaligned hotplug range: start 0xc8000000, size 0x40000000
[ 0.396556] acpi PNP0C80:01: add_memory failed
[ 0.396834] acpi PNP0C80:01: acpi_memory_enable_device() error
[ 0.396948] acpi PNP0C80:01: Enumeration failure
It means that kernel will check if the memory range to be hotplugged
align with 1G before plug the memory. So we should twist the qemu to
make sure the memory range align with 1G to pass the kernel check.
Fixes: #1841
Signed-off-by: Yuanzhe Liu <yuanzheliu09@gmail.com>
(cherry picked from commit bc36b7b49f)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.
Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.
With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.
Fixes#1896
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
(cherry picked from commit 7f1030d303)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.
Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.
Fixes: #1895
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
(cherry picked from commit 089a7484e1)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
