Flip the runtime-rs NVIDIA GPU configs (plain/tdx/snp) from the monolithic
image to the driver-agnostic nvidia base boot image plus a cold-plugged,
driver-versioned gpu extension mounted at /run/kata-extensions/gpu.
Confidential runtime-rs configs additionally cold-plug the CoCo
guest-components extension and enforce the nvidia base dm-verity hash.
The Go runtime keeps booting the monolithic nvidia-gpu / nvidia-gpu-confidential
images, mirroring the CoCo split where runtime-rs is the first-class citizen and
Go stays on the monolithic layout.
Add the IMAGE{NAME,PATH}_NV_{BASE,EXTENSION} and NVIDIAGPUEXTENSIONVERITYPARAMS
make vars (runtime-rs only), and read the nvidia base + gpu-extension root
hashes into runtime-rs's shim-v2 opts while the Go opts keep reading the
monolithic nvidia-gpu / nvidia-gpu-confidential hashes.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
Carve the monolithic NVIDIA GPU rootfs into a driver-agnostic
nvidia base image (NVRC init + agent + base libs + in-tree modules)
and a driver-versioned gpu extension (GPU userspace, configs, firmware,
NVIDIA modules) laid out for /run/kata-extensions/gpu. Both halves are
produced from the same chiseled tree via a partition-after step, so
the monolith build stays byte-identical and continues to ship.
The shared stage-one (driver install) is reused across the monolith,
base and extension variants; nvidia base is cached without the driver/ctk
versions so one base image can back multiple driver extensions.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
We've been carrying a full, 1200+ line busybox .config for the NVIDIA
images. That's a pain to review and to keep in sync with a busybox
bump, as basically every default that changes upstream ends up as noise
in our file.
Switch to shipping only the handful of options we actually care about in
a small fragment and let busybox's own Kconfig fill in the rest at build
time: start from allnoconfig, drop the baseline entries for whatever the
fragment overrides (Kconfig keeps the first value it reads), append the
fragment and run silentoldconfig. This reproduces the exact same
.config we had frozen, module loading included, so there's no functional
change here.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
NVRC v0.1.5 carries the guest-side extension mounting that the composable
NVIDIA GPU images will rely on.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
The InfiniBand and Mellanox mlx5 options used to be carried (as modules)
in the NVIDIA GPU config fragments. They're now enabled built-in by the
common mlx5.conf fragment, which every kernel build already picks up, so
keeping them here is redundant - and the =m entries here only end up
fighting the built-in =y ones from the common fragment.
Drop the HGX/DGX block from both the x86_64 and arm64 GPU fragments and
bump kata_config_version so the kernel is rebuilt.
Assisted-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Replace the kustomize-based Trustee deployment with the upstream Trustee
Helm chart (deployment/helm-chart) for every platform, including TDX and
s390x, which the previous iteration still left on kustomize. The chart
deploys KBS, AS and RVPS as three separate images, so versions.yaml pins
image_kbs/image_as/image_rvps (from the upstream staged-images registry)
alongside the trustee revision, and bumps trustee to a build that carries
the IBM SE material mounting support and the SHA-512 report-data change.
guest-components is bumped in lockstep so IBM SE attestation agrees on the
SHA-512 runtime-data digest.
KBS runs with authorization_mode = "AuthenticatedAuthorization", so admin
requests from kbs-client carry the bearer token minted by the chart's
bootstrap job instead of relying on an anonymous, allow-all admin API. As
reused CI runners may still carry a kbs-client from an older Trustee that
predates the --admin-token-file flag, the client is rebuilt from the pinned
sources unless the installed one already understands it.
On the Intel TDX CI runner only the Attestation Service reaches the public
Intel DCAP collateral endpoint, so it is the sole component that needs the
corporate proxy. We set https_proxy on the AS alone: the KBS <-> AS <-> RVPS
traffic is plain HTTP/gRPC and in-cluster, and routing it through the proxy
breaks those connections. The Intel DCAP and NVIDIA verifiers are configured
by the chart out of the box, so TDX and SNP need no extra verifier knobs.
For IBM SE (s390x) the SE verifier now runs inside the gRPC Attestation
Service, so the SE materials are mounted on the AS Pod (not KBS) through the
chart's as.ibmse.* knobs, which create a node-local PV/PVC. The AS runs as a
non-root user with CAP_DAC_OVERRIDE dropped, hence fsGroup=1000 and a
group-readable hdr.bin so it can read the mounted materials.
The chart's default CPU requests reserve more of the small single-node CI
runners than the old single-Pod deployment did, starving test workloads that
ask for a couple of Guaranteed CPUs. Trustee requests are shrunk (limits kept
generous) so those Pods schedule again.
Debug logging is enabled on all components (log_level=debug) to ease
triaging attestation / resource-retrieval failures in CI, and the release is
rolled out with 'helm upgrade --install' so re-runs on long-lived CI
clusters reconcile in place.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
Some are format expectation changes in 1.95, but
I think some are just missing fmts that our CI doesn't
check.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Remove redundant `.into_iter()` call on `zip()` argument in
`multi_layer_erofs.rs`, as flagged by the new
`clippy::useless_conversion` lint in Rust 1.95.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Replace manual `if us != 0` guard before integer division with
`checked_div` as flagged by the new `clippy::manual_checked_ops` lint
in Rust 1.95.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Replace manual `if us != 0` guard before integer division with
`checked_div` as flagged by the new `clippy::manual_checked_ops` lint
in Rust 1.95.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Remove redundant `.into_iter()` call in `Vec::from_iter()` argument in
dragonball and firecracker's `inner_hypervisor.rs`, as flagged by the new
`clippy::useless_conversion` lint in Rust 1.95.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Rust 1.95's clippy introduces new `collapsible_match` lints for `if`
blocks nested inside match arms that can be expressed as match guards.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Rust 1.95's clippy introduces new `collapsible_match` lints for `if`
blocks nested inside match arms that can be expressed as match guards.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Rust 1.95's clippy introduces new `collapsible_match` lints for `if`
blocks nested inside match arms that can be expressed as match guards.
Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
When 1.97 has been released, in compliance with our toolchain guidance
we should bump to rust 1.95
Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The CLH runtime-rs config template uses @CONFIG_CLH_IN@ in its
source-file comment, but CONFIG_CLH_IN was missing from the generated
template variables.
Add it to USER_VARS so the generated config records the template path
instead of keeping the literal placeholder.
Fixes: #12941
Signed-off-by: WaterWhisperer <waterwhisperer24@qq.com>
TestKilledVmmCleanup SIGKILLs the VMM and then removes the pod. After a
hard VMM kill the shim exits promptly (which the test asserts), so the
container's TaskExit event may not have reached containerd before the
shim was gone, leaving CRI's view of the container as "running" and
making a plain `crictl rmp` fail with "container is still running, to
stop first".
Retry the normal removal a few times to give the event time to arrive,
and only fall back to `crictl rmp -f` if it keeps failing -- which is how
a crashed sandbox is recovered in practice (kubelet GC / manual force
removal). The essential guarantee, that no shim process is leaked after
the VMM is killed, is unchanged.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Docker and containerd rely on the TaskExit event and a prompt Wait RPC,
not just the eventual sandbox teardown. With the original ordering the
shim tore the sandbox down (Stop/Delete the guest) *before* publishing
the container exit, so for a slow guest shutdown -- e.g. the nvidia-gpu
config with an 8GB /dev/shm memory-backend on a constrained CI runner --
containerd could SIGKILL the shim before the exit was published. The
`docker run --rm` removal then races the dead-shim cleanup and fails,
even though the container itself exited 0.
Publish the container exit (c.exitCh) and the TaskExit event *before*
the sandbox teardown, and run the teardown without holding s.mu so
concurrent Delete()/Shutdown() RPCs are not blocked.
To keep the guarantees the previous ordering provided:
* teardownWg lets Shutdown() wait for an in-flight teardown to finish,
so the sandbox run directory (watched by kata-monitor) and the CRI
state are gone before the shim exits -- without holding s.mu across
the slow guest shutdown; and
* teardownOnce serialises wait()'s teardown with watchSandbox()'s
killed-VMM teardown so the (not internally synchronized)
Sandbox.Stop/Delete never run concurrently.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
For `docker run --rm`, containerd invokes the shim `delete` binary
(cleanupAfterDeadShim) once the container task exits. Kata's Cleanup
path re-loads the sandbox and calls StopContainer/DeleteContainer/Stop,
each of which lazily connects to the guest agent over vsock.
When the sandbox was already torn down by the main shim (the common
case for a short-lived `docker run --rm`), the VM -- and its agent --
are gone, so that vsock connect blocks until containerd's delete
timeout SIGKILLs the binary. The removal then fails and `docker run
--rm` returns non-zero even though the container itself exited 0.
Detect the already-dead hypervisor (its pidfile is gone / the pid no
longer maps to a live process) at the start of CleanupContainer and
mark the agent dead. Subsequent agent RPCs then fail fast with "Dead
agent" and the force path performs only host-side cleanup, so the
delete binary returns promptly instead of hanging.
The legitimate "shim crashed but VM still alive" cleanup is unaffected:
the hypervisor is still running, so the agent is not marked dead and
the normal agent-based teardown proceeds.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
virtio-mem is enabled on s390x, where memory hotplug goes through a
virtio-mem-ccw device set up during VM initialization. That device --
and the later resize -- require a memory hotplug region (a non-zero
maxmem/slots on the QEMU command line).
The runtime-rs command line generator, however, zeroes maxmem/slots
whenever the guest uses the shared /dev/shm memory-backend with a
non-nvdimm rootfs (the s390x case: virtio-blk-ccw rootfs). With no
hotplug region reserved, two things broke on s390x:
* setup_virtio_mem failed VM start with "the configuration is not
prepared for memory devices, consider specifying the maxmem option";
* with virtio-mem unavailable, memory resize fell back to pc-dimm,
which is not a valid device model on s390x, breaking
TestContainerMemoryUpdate:
'pc-dimm' is not a valid device model name
Keep the hotplug region when virtio-mem is enabled, mirroring the Go
runtime which reserves maxmem and hotplugs via virtio-mem-ccw on s390x.
This lets setup_virtio_mem succeed at boot and makes memory resize use
virtio-mem instead of pc-dimm.
Also guard setup_virtio_mem behind QemuCmdLine::has_memory_hotplug_region()
as a defensive fallback: if some configuration still ends up without a
hotplug region, skip virtio-mem setup (like static-sizing arches such as
arm64) rather than failing VM start.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Let's ensure we have more debug logs to go through in case of failures.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Extend basic-ci-amd64 VMM matrix coverage to include qemu-nvidia-gpu and
qemu-nvidia-gpu-runtime-rs so this branch is validated in CI.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
NVIDIA GPU configs default pod_resource_api_sock to the kubelet Pod
Resources API path. On non-Kubernetes hosts that path is usually missing;
use CDI sandbox annotations for cold-plug instead of failing kubelet lookup.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
The container create flow forced every non-pod-container to the
"pod_sandbox" type. Standalone engines (Docker/nerdctl/podman) surface
as SingleContainer, so they were mislabeled as pod sandboxes.
The agent skips CDI device injection when the container type is
"pod_sandbox", so the NVIDIA CDI edits carried in the "cdi.k8s.io/*"
annotations were never applied and the GPU userspace (e.g. nvidia-smi)
was missing in the guest. Emit the actual container type instead, which
matches the Go runtime and lets the agent inject CDI devices for the
single-container flow.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <noreply@cursor.com>
ContainerType already renders as "single_container" via Display, but
from_str rejected it. Accept it so the value can round-trip, matching
the container type the Go runtime uses for standalone containers.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <noreply@cursor.com>
The kubelet PodResources API is only available under Kubernetes. For
single-container engines (Docker/nerdctl/podman) the CDI runtime applies
the device's containerEdits directly to the OCI spec, so the VFIO nodes
(e.g. /dev/vfio/devices/vfio0) show up in linux.devices instead.
Discover those nodes from the OCI spec in addition to the PodResources
API and feed both into the same cold-plug path, de-duplicating by host
path. This reuses the existing Kubernetes machinery so GPU passthrough
works for single containers with no changes to device handling.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <noreply@cursor.com>
A discrete GPU usually shares its IOMMU group with an audio function
(e.g. NVIDIA 02:00.1). Cold-plugging every function in the group made
QEMU emit a vfio-pci/pcie-root-port/iommufd triple per function while
reusing the GPU's root-port and IOMMUFD object ids, so QEMU aborted with
a duplicate-id error before it was reachable over QMP.
Apply the existing IOMMU_IGNORE classification while discovering the
group so audio controllers and bridges are pruned, leaving only the
passthrough-capable device(s). Also fix filter_bridge_device to parse
the sysfs class attribute as hex; the previous decimal parse always
failed, which is why the filter never removed anything.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <noreply@cursor.com>
Set the new pci_path field in cloud-hypervisor network test config so
unit tests compile with the updated NetworkConfig struct.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Persist and forward the hot-plugged NIC guest PCI path so the agent can
resolve sysfs location and update interfaces reliably.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Network interface hot-plug places the NIC on the pcie-pci-bridge nested
under a root port. Track the bridge slots already occupied (queried via
query-pci) and reserve bridge slot ranges correctly so repeated NIC
hot-plug operations do not collide on the same bridge slot.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Network interface hot-plug on Q35 with OVMF needs a hot-pluggable PCIe
slot to attach the NIC to after boot. Add the nested root-port plus
pcie-pci-bridge topology and the related QEMU argument ordering so a
network device can be hot-plugged into the bridge.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Use a nested root-port plus pcie-pci-bridge topology on Q35+OVMF so
firmware reserves hot-plug resources and NIC hot-plug works reliably.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
Layer tar entries may include current-directory components, such as
./etc/passwd, when images are produced by common tar commands.
Normalize layer paths before matching passwd, group, and whiteout
entries. This lets genpolicy handle equivalent relative paths while
skipping empty, unsafe, or absolute paths.
Fixes: #12692
Assisted-By: OpenAI Codex
Signed-off-by: Han Zhang <ihanzhzh@gmail.com>
Add kata-deploy-scheduling.bats to KATA_DEPLOY_TEST_UNION so the new
Helm scheduling template tests run in CI.
Signed-off-by: Zachary Spar <zspar@coreweave.com>