If the rootfs is built with SECCOMP=yes environment
variable then include libseccomp package inside the
rootfs image. Else do not include it.
Fixes: #155
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Refactor the config related codes into a separated
package which can be shared with other cli programs
such as kata's shimv2.
Fixes: #787Fixes: #714
Signed-off-by: fupan <lifupan@gmail.com>
This patch added -x option to curl: -x uses the http_proxy
settings to download golang binary behind the firewall
Fixes: #193
Signed-off-by: Leno Hou <lenohou@gmail.com>
Got "docker: Error response from daemon: OCI runtime create failed:
QMP command failed: unknown." when "docker run --privileged" with kata.
In qemu part, it got:
"Could not open '/dev/sr0': Read-only file system"
or
"No medium found"
The cause is qemu need open block device to get its status.
But /dev/sr0 is a CDROM that cannot be opened.
This patch let newContainer doesn't attach device if it is a CDROM
to handle the issue.
Fixes#829
Signed-off-by: Hui Zhu <teawater@hyper.sh>
When running test_images.sh, allow specific rootfs builds to
fail without impacting the overall tests results.
The distros allowed to fail are the ones specifying
BUILD_CAN_FAIL in their config.sh.
Fixes: #190
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Add the ability to trap a build error inside rootfs.sh, without
returning an error code.
Gating conditions (all of them are needed):
- GRACEFUL_EXIT shall be passed as env variable to rootfs.sh
- BUILD_CAN_FAIL shall be specified in the distro config.sh
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Now that Interface structure includes the useful information about
the type of interface, Kata does not need to do any assumption about
the type of interface that needs to be added.
Fixes#866
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In order to provide the right information about the interface that
needs to be added, kata-netmon provisions the new field LinkType of
the Interface structure.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit replaces every place where the "types" package from the
Kata agent was used, with the new "types" package from virtcontainers.
In order to do so, it introduces a few translation functions between
the agent and virtcontainers types, since this is needed by the kata
agent implementation.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Instead of relying on the kata agent to define generic structures,
the logic is to define those as virtcontainers "types" package.
This way, all consumers of those structures, such as kata-runtime,
kata-netmon, and kata-containerd-shim, don't have to import some
dependency from the kata-agent.
Fixes#876
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Build {runtime,netmon} as Position-Independent-Executable (PIE) for improved
security and compliancy with distros packaging guidelines.
Fixes: #875
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
After we scan the netns, we should hotplug the network interface to
the guest after it is kicked off running.
Fixes: #871
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Check that the system golang version is new enough to build with
according to the data from the `versions.yaml` file.
Update the verions in the versions.yaml accordingly, and add a note
describing what the 'newest-version' item represents.
Note, we only do a minimum requirement check, and are not checking
against the 'newest-version' info from the yaml.
Fixes: #148
Inspired-by: Wei Zhang <zhangwei555@huawei.com>
Idea-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Install `yq` before running the tests.
The Makefile now uses `yq` to check the golang version against
the versions file.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
We need to have `yq` installed before we can 'make', as we
now use it for a version check in the build. But, we may not
have golang installed. Add a script that installs `yq` via
curl'ing from the github releases.
This was cloned from the function in the tests repo .ci scripts
that perform the same action.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Improve rootfs.sh usage output to have a consistent layout and
documentation of options and environment variables.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Both of the netmon and proxy should use the right path
figured out from the configure instead of the default settings
to get their versions.
Fixes: #868
Signed-off-by: Fupan Li <lifupan@gmail.com>
Add support for specifying an optional drop-in path for guest OCI hooks.
This is the runtime side for leveraging the agent change introduced in
kata-containers/agent@980023ec62Fixes: #720
Co-authored-by: Edward Guzman <eguzman@nvidia.com>
Co-authored-by: Felix Abecassis <fabecassis@nvidia.com>
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
Fixes#344
Add host cgroup support for kata.
This commits only adds cpu.cfs_period and cpu.cfs_quota support.
It will create 3-level hierarchy, take "cpu" cgroup as an example:
```
/sys/fs/cgroup
|---cpu
|---kata
|---<sandbox-id>
|--vcpu
|---<sandbox-id>
```
* `vc` cgroup is common parent for all kata-container sandbox, it won't be removed
after sandbox removed. This cgroup has no limitation.
* `<sandbox-id>` cgroup is the layer for each sandbox, it contains all other qemu
threads except for vcpu threads. In future, we can consider putting all shim
processes and proxy process here. This cgroup has no limitation yet.
* `vcpu` cgroup contains vcpu threads from qemu. Currently cpu quota and period
constraint applies to this cgroup.
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
Signed-off-by: Jingxiao Lu <lujingxiao@huawei.com>
Add new vendor library "github.com/containerd/cgroups"
commit: 5017d4e9a9cf2d4381db99eacd9baf84b95bfb14
This library is for host cgroup support for next commit.
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
Now that the agent has split the generic types in their own package,
kata-netmon can use them directly and get rid of the duplication of
those. This is very helpful as it will prevent structures from being
out of sync between kata-netmon and the kata-runtime, without bringing
in the huge overhead that the initial grpc package was introducing.
Fixes#857
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Some agent types definition that were generic enough to be reused
everywhere, have been split from the initial grpc package.
This prevents from importing the entire protobuf package through
the grpc one, and prevents binaries such as kata-netmon to stay
in sync with the types definitions.
Fixes#856
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Introduce constants for the network model strings, so as to
avoid using the strings directly at multiple places.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Introduce a new mode that uses tc filters to redirect traffic from
the network interface created by the network plugin to a
tap interface that we connect to the VM.
This mode will help support ipvlan as well.
Fixes#144
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
