Commit Graph

15876 Commits

Author SHA1 Message Date
Hyounggyu Choi
2cc48f7822 runtime-rs: Add devno to DeviceVhostUserFs
A new attribute named `devno` is added to DeviceVhostUserFs.
It will be used to specify a device number for a CCW bus type.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-11-23 13:45:36 +01:00
Hyounggyu Choi
920484918c runtime-rs: Add devno to VhostVsock
A new attribute named `devno` is added to VhostVsock.
It will be used to specify a device number for a CCW bus type.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-11-23 13:45:36 +01:00
Hyounggyu Choi
9486790089 runtime-rs: Add devno to DeviceVirtioSerial
A new attribute named `devno` is added to DeviceVirtioSerial.
It will be used to specify a device number for a CCW bus type.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-11-23 13:45:36 +01:00
Hyounggyu Choi
516daecc50 runtime-rs: Add devno to DeviceVirtioBlk
A new attribute named `devno` is added to DeviceVirtioBlk.
It will be used to specify a device number for a CCW bus type.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-11-23 13:45:36 +01:00
Hyounggyu Choi
30a64092a7 runtime-rs: Add CcwSubChannel to provide devno for CCW devices
To explicitly specify a device number on the QEMU command line
for the following devices using the CCW transport on s390x:

- SerialDevice
- BlockDevice
- VhostUserDevice
- SCSIController
- VSOCKDevice

this commit introduces a new structure CcwSubChannel and implements
the following methods:

- add_device()
- remove_device()
- address_format_ccw()
- set_addr()

You can see the detailed explanation for each method in the comment.

This resolves the 1st part of #10573.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-11-23 13:45:36 +01:00
Steve Horsman
322073bea1
Merge pull request #10447 from ldoktor/required-jobs
ci: Required jobs
2024-11-22 09:15:11 +00:00
Lukáš Doktor
e69635b376
ci.gatekeeper: Remove unused variable
this is a left-over from previous way of iterating over jobs.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-11-22 09:27:11 +01:00
Lukáš Doktor
fa7bca4179
ci.gatekeeper: Print the older job id
let's print the also the existing result's id when printing the
information about ignoring older result id to simplify debugging.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-11-22 09:27:11 +01:00
Lukáš Doktor
6c19a067a0
ci.gatekeeper: Update existing results
tha matching run_id means we're dealing with the same job but with
updated results and not with an older job. Update the results in such
case.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-11-22 09:27:09 +01:00
Aurélien Bombo
5e4990bcf5 coco: ci: Add no-op steps to deploy CSI driver
This adds no-op steps that'll be used to deploy and clean up the CSI driver
used for testing.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-21 16:08:06 -06:00
Aurélien Bombo
893f6a4ca0 ci: Introduce job to publish CSI driver image
This adds a new job to build and publish the CSI driver Docker image.

Of course this job will fail after we merge this PR because the CSI driver
compilation job hasn't been implemented yet. However that will be implemented
directly after in #10561.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-21 16:07:59 -06:00
Aurélien Bombo
e43c59a2c6 ci: Add no-op step to compile CSI driver
This adds a no-op build step to compile the CSI driver. The actual compilation
will be implemented in an ulterior PR, so as to ensure we don't break the CI.

Addresses: #10560

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-21 16:06:55 -06:00
Zvonko Kaiser
0debf77770 gpu: NVIDIA gpu initrd/image build
With each release make sure we ship a GPU enabled rootfs/initrd

Fixes: #6554

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-11-21 18:57:23 +00:00
Steve Horsman
b4da4b5e3b
Merge pull request #10377 from coolljt0725/fix_build
osbuilder: Fix build dependency of ubuntu rootfs with Docker
2024-11-21 08:45:59 +00:00
Jitang Lei
ed4c727c12 osbuilder: Fix build dependency of ubuntu rootfs with Docker
Build ubuntu rootfs with Docker failed with error:
`Unable to find libclang`

Fix this error by adding libclang-dev to the dependency.

Signed-off-by: Jitang Lei <leijitang@outlook.com>
2024-11-21 10:49:27 +08:00
Zvonko Kaiser
e9f36f8187 ci: Fixing simple typo
change evn to env

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-11-20 18:40:14 +00:00
Zvonko Kaiser
a5733877a4 ci: Fix error on self-hosted machines
We need to clean-up any created files/dirs otherwise
we cause problems on self-hosted runners. Using tempdir which
will be removed automatically.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-11-20 18:40:13 +00:00
Lukáš Doktor
62e8815a5a
ci: Add documentation to cover mapping format
to help people with adding new entries.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-11-20 17:25:59 +01:00
Lukáš Doktor
64306dc888
ci: Set required-tests according to GH required tests
this should record the current list of required tests from GH.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-11-20 17:25:57 +01:00
Steve Horsman
358ebf5134
Merge pull request #10558 from AdithyaKrishnan/main
ci: Re-enable SNP CI
2024-11-20 10:27:41 +00:00
Steve Horsman
30bad4ee43
Merge pull request #10562 from stevenhorsman/remove-release-artifactor-skips
workflows: Remove skipping of artifact uploads
2024-11-20 08:45:37 +00:00
Adithya Krishnan Kannan
2242aee099 ci: Skip the failing tests in SNP
Per [Issue#10549](https://github.com/kata-containers/kata-containers/issues/10549),
the following tests are failing on SNP.
1. k8s-guest-pull-image-encrypted.bats
2. k8s-guest-pull-image-authenticated.bats
3. k8s-guest-pull-image-signature.bats
4. k8s-confidential-attestation.bats

Per @fidencio 's comment on
[PR#10558](https://github.com/kata-containers/kata-containers/pull/10558),
I am skipping the same.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-19 10:41:43 -06:00
stevenhorsman
da5f6b77c7 workflows: Remove skipping of artifact uploads
Now we are downloading artifacts to create the rootfs
we need to ensure they are uploaded always,
even on releases

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-19 13:28:02 +00:00
Steve Horsman
817438d1f6
Merge pull request #10552 from stevenhorsman/3.11.0-release
release: Bump version to 3.11.0
2024-11-19 09:44:35 +00:00
Saul Paredes
eab48c9884
Merge pull request #10545 from microsoft/cameronbaird/sync-clh-logging
runtime: fix comment to accurately reflect clh behavior
2024-11-18 11:25:58 -08:00
Adithya Krishnan Kannan
ef367d81f2 ci: Re-enable SNP CI
We've debugged the SNP Node and we
wish to test the fixes on GHA.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-18 11:11:27 -06:00
stevenhorsman
7a8ba14959 release: Bump version to 3.11.0
Bump `VERSION` and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-18 11:13:15 +00:00
Steve Horsman
0ce3f5fc6f
Merge pull request #10514 from squarti/pause_command
agent: overwrite OCI process spec when overwriting pause image
2024-11-15 18:03:58 +00:00
Fabiano Fidêncio
92f7526550
Merge pull request #10542 from Crypt0s/topic/enable-CONFIG_KEYS
kernel: add CONFIG_KEYS=y to enable kernel keyring
2024-11-15 12:15:25 +01:00
Crypt0s
563a6887e2 kernel: add CONFIG_KEYS=y to enable kernel keyring
KinD checks for the presence of this (and other) kernel configuration
via scripts like
https://blog.hypriot.com/post/verify-kernel-container-compatibility/ or
attempts to directly use /proc/sys/kernel/keys/ without checking to see
if it exists, causing an exit when it does not see it.

Docker/it's consumers apparently expect to be able to use the kernel
keyring and it's associated syscalls from/for containers.

There aren't any known downsides to enabling this except that it would
by definition enable additional syscalls defined in
https://man7.org/linux/man-pages/man7/keyrings.7.html which are
reachable from userspace. This minimally increases the attack surface of
the Kata Kernel, but this attack surface is minimal (especially since
the kernel is most likely being executed by some kind of hypervisor) and
highly restricted compared to the utility of enabling this feature to
get further containerization compatibility.

Signed-off-by: Crypt0s <BryanHalf@gmail.com>
2024-11-15 09:30:06 +01:00
Shunsuke Kimura
706e8bce89 docs: change from OVMF.fd to AmdSev.fd
change the build method to generate OVMF for AmdSev.
This commit adds `ovmf_build=sev` env parameter.
<638c2c4164>

Fixes #10378

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2024-11-15 11:24:45 +09:00
Shunsuke Kimura
d7f6fabe65 docs: fix build-kernel.sh option
`build-kernel.sh` no longer takes an argument for the -x option.
<6c3338271b>

Fixes #10378

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2024-11-15 11:24:45 +09:00
Cameron Baird
65881ceb8a runtime: fix comment to accurately reflect clh behavior
Fix the CLH log levels description

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2024-11-14 23:16:11 +00:00
Silenio Quarti
42b6203493 agent: overwrite OCI process spec when overwriting pause image
The PR replaces the OCI process spec of the pause container with the spec of
the guest provided pause bundle.

Fixes: https://github.com/kata-containers/kata-containers/issues/10537

Signed-off-by: Silenio Quarti <silenio_quarti@ca.ibm.com>
2024-11-14 13:05:16 -05:00
Fabiano Fidêncio
6a9266124b
Merge pull request #10501 from kata-containers/topic/ci-split-tests
ci: tdx: Split jobs to run in 2 different machines
2024-11-14 17:24:50 +01:00
Fabiano Fidêncio
9b3fe0c747 ci: tdx: Adjust workflows to use different machines
This will be helpful in order to increase the OS coverage (we'll be
using both Ubuntu 24.04 and CentOS 9 Stream), while also reducing the
amount spent on the tests (as one machine will only run attestation
related tests, and the other the tests that do *not* require
attestation).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-14 15:52:00 +01:00
Fabiano Fidêncio
9b1a5f2ac2 tests: Add a way to run only tests which rely on attestation
We're doing this as, at Intel, we have two different kind of machines we
can plug into our CI.  Without going much into details, only one of
those two kinds of machines will work for the attestation tests we
perform with ITA, thus in order to speed up the CI and improve test
coverage (OS wise), we're going to run different tests in different
machines.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-14 15:51:57 +01:00
Steve Horsman
915695f5ef
Merge pull request #9407 from mrIncompetent/root-fs-clang
rootfs: Install missing clang in Ubuntu docker image
2024-11-14 10:35:06 +00:00
Henrik Schmidt
57a4dbedeb rootfs: Install missing libclang-dev in Ubuntu docker image
Fixes #9444

Signed-off-by: Henrik Schmidt <mrIncompetent@users.noreply.github.com>
2024-11-14 08:48:24 +00:00
Hyounggyu Choi
5869046d04
Merge pull request #9195 from UiPath/fix/vcpus-for-static-mgmt
runtime: Set maxvcpus equal to vcpus for the static resources case
2024-11-14 09:38:20 +01:00
Dan Mihai
d9977b3e75
Merge pull request #10431 from microsoft/saulparedes/add-policy-state
genpolicy: add state to policy
2024-11-13 11:48:46 -08:00
Aurélien Bombo
7bc2fe90f9
Merge pull request #10521 from ncppd/osbuilder-cleanup
osbuilder: remove redundant env variable
2024-11-13 12:17:09 -06:00
Steve Horsman
a947d2bc40
Merge pull request #10539 from AdithyaKrishnan/main
ci: Temporarily skip SNP CI
2024-11-13 17:58:32 +00:00
Adithya Krishnan Kannan
439a1336b5 ci: Temporarily skip SNP CI
As discussed in the CI working group,
we are temporarily skipping the SNP CI
to unblock the remaining workflow.
Will revert after fixing the SNP runner.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-13 11:44:16 -06:00
Fabiano Fidêncio
02d4c3efbf
Merge pull request #10519 from fidencio/topic/relax-restriction-for-qemu-tdx
Reapply "runtime: confidential: Do not set the max_vcpu to cpu"
2024-11-13 16:09:06 +01:00
Saul Paredes
c207312260 genpolicy: validate container sandbox names
Make sure all container sandbox names match the sandbox name of the first container.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-11-12 15:17:01 -08:00
Saul Paredes
52d1aea1f7 genpolicy: Add state
Use regorous engine's add_data method to add state to the policy.
This data can later be accessed inside rego context through the data namespace.

Support state modifications (json-patches) that may be returned as a result from policy evaluation.

Also initialize a policy engine data slice "pstate" dedicated for storing state.

Fixes #10087

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-11-12 15:16:53 -08:00
Alexandru Matei
e83f8f8a04 runtime: Set maxvcpus equal to vcpus for the static resources case
Fixes: #9194

Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
2024-11-12 16:36:42 +02:00
GabyCT
06fe459e52
Merge pull request #10508 from GabyCT/topic/installartsta
gha: Get artifacts when installing kata tools in stability workflow
2024-11-11 15:59:06 -06:00
Nikos Ch. Papadopoulos
ab80cf8f48 osbuilder: remove redundant env variable
Remove second declaration of GO_HOME in roofs-build ubuntu script.

Signed-off-by: Nikos Ch. Papadopoulos <ncpapad@cslab.ece.ntua.gr>
2024-11-11 19:49:28 +02:00