The local-build script should honor the value of SKOPEO exported in the
environment so that it will be able to build the image without skopeo
inside. This remove the hard-coded "SKOPEO=yes".
Fixes#4959
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Initialize the trusted stroage when the device is defined
as "/dev/trusted_store" with shell script as first step.
Fixes: #4882
Signed-off-by: Wang, Arron <arron.wang@intel.com>
After enable data integrity for trusted storage, the initialize
time will take three times more and IO performance will drop more than
30%, the default value will be NOT enabled but add this config to
allow the user to enable if they care more strict security.
Fixes: #4882
Signed-off-by: Wang, Arron <arron.wang@intel.com>
By default the pause image and runtime config will provided
by host side, this may have potential security risks when the
host config a malicious pause image, then we will use the pause
image packaged in the rootfs.
Fixes: #4882
Signed-off-by: Wang, Arron <arron.wang@intel.com>
With the runtime-rs changes the agent services need to be asynchronous,
so attempt to update the image_service to match this
Co-authored-by: Georgina Kinge <georgina.kinge@ibm.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
More and more Rust code is introduced, the test utils original in agent
should be made easy to share, move it into a new crate will make it
easy to share between different crates.
Fixes: #4925
Signed-off-by: Bin Liu <bin@hyper.sh>
Instead of setting:
```
firmware = "/path/to/OVMF.fd"
firmware_volume = "/path/to/OVMF_VARS.fd"
```
We should either be setting:
```
firmware = "/path/to/OVMF.fd"
```
Or:
```
firmware = "/path/to/OVMF_CODE.fd"
firmware_volume = "/path/to/OVMF_VARS.fd"
```
I'm taking the approach to setting up the latter, as that's what's been
tested as part of our TDX CI.
Fixes: #4926
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
vergen is a build dependency, but it is not being used.
we are processing ver/commit hash by make command, but not by vergen.
Fixes: #4920
Signed-off-by: Bin Liu <bin@hyper.sh>
- runtime-rs: fix design doc's typo
- docs: use curl as default downloader for runtime-rs
- runtime-rs: update Cargo.lock
- Fix some GitHub actions workflow issues
- versions: Update libseccomp version
- runtime-rs:merge runtime rs to main
- nydus: wait nydusd API server ready before mounting share fs
- versions: Update TD-shim due to build breakage
- agent-ctl: Add an empty [workspace]
- packaging: Create no_patches.txt for the SPR-BKC-PC-v9.6.x
- docs: Improve SGX documentation
- runtime: explicitly mark the source of the log is from qemu.log
- runtime: add unlock before return in sendReq
- docs: add back host network limitation
- runk: add ps sub-command
- Depends-on:github.com/kata-containers/tests#4986
- runtime-rs:update rtnetlink version
- runtime-rs:skip the build process when the arch is s390x
- docs: Improve SGX documentation
- agent: Use rtnetlink's neighbours API to add neighbors
- Bump TDX dependencies (QEMU and Kernel)
- OVMF / td-shim: Adjust final tarball location
- libs: fix CI error for protocols
- runtime-rs: merge main to runtime-rs
- packaging: Add support for building TDVF
- versions: Track and add support for building TD-shim
- versions: Upgrade rust version
- Merge Main into runtime-rs branch
- agent: log RPC calls for debugging
- runtime-rs: fix stop failed in azure
- Add support AmdSev build of OVMF
- runtime: Support for host cgroupv2
- versions: Update runc version
- qemu: Add liburing to qemu build
- runtime-rs: fix set share sandbox pid namespace
- Docs: fix tables format error
- versions: Update Firecracker version to v1.1.0
- agent: Fix stream fd's double close
- container: kill all of the processes in a container when it terminated
- fix network failed for kata ci
- runtime-rs: handle default_vcpus greator than default_maxvcpu
- agent: fix fd-double-close problem in ut test_do_write_stream
- runtime-rs: add functionalities support for macvlan and vlan endpoints
- Docs: add rust environment setup for kata 3.0
- rustjail: check result to let it return early
- upgrade nydus version
- support disable_guest_seccomp
- cgroups: remove unnecessary get_paths()
- versions: Update firecracker version
- kata-monitor: fix can't monitor /run/vc/sbs
- runtime-rs: fix sandbox_cgroup_only=false panic
- runtime-rs: fix ctr exit failed
- docs: add installation guide for kata 3.0
- runtime-rs: support functionalities of ipvlan endpoint
- runtime-rs: remove the value of hypervisor path in DB config
- kata-sys-util: upgrade nix version
- runtime-rs: fix some bugs to make runtime-rs on aarch64
- runk: Support `exec` sub-command
- runtime-rs: hypervisor part
- clh: Don't crash if no network device is set by the upper layer
- packaging: Rework how ${BUILD_SUFFIX} is used with the QEMU builder scripts
- versions: Update Cloud Hypervisor to v25.0
- Runtime-rs merge main
- kernel: Deduplicate code used for building TEE kernels
- runtime-rs: Dragonball-sandbox - add virtio device feature support for aarch64
- packaging: Simplify config path handling
- build: save lines for repository_owner check
- kata 3.0 Architecture
- Fix clh tarball build
- runtime-rs: built-in Dragonball sandbox part III - virtio-blk, virtio-fs, virtio-net and VMM API support
- runtime: Fix DisableSelinux config
- docs: Update URL links for containerd documentation
- docs: delete CRI containerd plugin statement
- release: Revert kata-deploy changes after 2.5.0-rc0 release
- tools/snap: simplify nproc
- action: revert commit message limit to 150 bytes
- runtime-rs: Dragonball sandbox - add Vcpu::configure() function for aarch64
- runtime-rs: makefile for dragonball
- runtime-rs:refactor network model with netlink
- runtime-rs: Merge Main into runtime-rs branch
- runtime-rs: built-in Dragonball sandbox part II - vCPU manager
- runtime-rs: runtime-rs merge main
- runtime-rs: built-in Dragonball sandbox part I - resource and device managers
caada34f1 runtime-rs: fix design doc's typo
b61dda40b docs: use curl as default downloader for runtime-rs
ca9d16e5e runtime-rs: update Cargo.lock
99a7b4f3e workflow: Revert "static-checks: Allow Merge commit to be >75 chars"
d14e80e9f workflow: Revert "docs: modify move-issues-to-in-progress.yaml"
1f4b6e646 versions: Update libseccomp version
8a4e69008 versions: Update TD-shim due to build breakage
065305f4a agent-ctl: Add an empty [workspace]
1444d7ce4 packaging: Create no_patches.txt for the SPR-BKC-PC-v9.6.x
2ae807fd2 nydus: wait nydusd API server ready before mounting share fs
c8d4ea84e docs: Improve SGX documentation
d8ad16a34 runtime: add unlock before return in sendReq
8bbffc42c runtime-rs:update rtnetlink version
c5452faec docs: Improve SGX documentation
389ae9702 runtime-rs:skip the test when the arch is s390x
945e02227 runtime-rs:skip the build process when the arch is s390x
8d1cb1d51 td-shim: Adjust final tarball location
62f05d4b4 ovmf: Adjust final tarball location
9972487f6 versions: Bump Kernel TDX version
c9358155a kernel: Sort the TDX configs alphabetically
dd397ff1b versions: Bump QEMU TDX version
230a22905 runk: add ps sub-command
889557ecb docs: add back host network limitation
c9b5bde30 versions: Track and build TDVF
e6a5a5106 packaging: Generate a tarball as OVMF build result
42eaf19b4 packaging: Simplify OVMF repo clone
4d33b0541 packaging: Don't hardcode "edk2" as the cloned repo's dir.
7247575fa runtime-rs:fix cargo clippy
b06bc8228 versions: Track and add support for building TD-shim
86ac653ba libs: fix CI error for protocols
81fe51ab0 agent: fix unittests for arp neighbors
845c1c03c agent: use rtnetlink's neighbours API to add neighbors
9b1940e93 versions: update rust version
638c2c416 static-build: Add AmdSev option for OVMF builder Introduces new build of firmware needed for SEV
f0b58e38d static-build: Add build script for OVMF
fa0b11fc5 runtime-rs: fix stdin hang in azure
5c3155f7e runtime: Support for host cgroup v2
4ab45e5c9 docs: Update support for host cgroupv2
326eb2f91 versions: Update runc version
f5aa6ae46 agent: Fix stream fd's double close problem
6e149b43f Docs: fix tables format error
85f4e7caf runtime: explicitly mark the source of the log is from qemu.log
56d49b507 versions: Update Firecracker version to v1.1.0
b3147411e runtime-rs:add unit test for set share pid ns
1ef3f8eac runtime-rs: set share sandbox pid namespace
57c556a80 runtime-rs: fix stop failed in azure
0e24f47a4 agent: log RPC calls for debugging
c825065b2 runtime-rs: fix tc filter setup failed
e0194dcb5 runtime-rs: update route destination with prefix
fa85fd584 docs: add rust environment setup for kata 3.0
896478c92 runtime-rs: add functionalities support for macvlan and vlan endpoints
df79c8fe1 versions: Update firecracker version
912641509 agent: fix fd-double-close problem in ut test_do_write_stream
43045be8d runtime-rs: handle default_vcpus greator than default_maxvcpu
0d7cb7eb1 agent: delete agent-type property in announce
eec9ac81e rustjail: check result to let it return early.
402bfa0ce nydus: upgrade nydus/nydus-snapshotter version
54f53d57e runtime-rs: support disable_guest_seccomp
4331ef80d Runtime-rs: add installation guide for rust-runtime
72dbd1fcb kata-monitor: fix can't monitor /run/vc/sbs.
e9988f0c6 runtime-rs: fix sandbox_cgroup_only=false panic
cebbebbe8 runtime-rs: fix ctr exit failed
62182db64 runtime-rs: add unit test for ipvlan endpoint
99654ce69 runtime-rs: update dbs-xxx dependencies
f4c3adf59 runtime-rs: Add compile option file
545ae3f0e runtime-rs: fix warning
19eca71cd runtime-rs: remove the value of hypervisor path in DB config
d8920b00c runtime-rs: support functionalities of ipvlan endpoint
2b01e9ba4 dragonball: fix warning
996a6b80b kata-sys-util: upgrade nix version
f690b0aad qemu: Add liburing to qemu build
d93e4b939 container: kill all of the processes in this container
3c989521b dragonball: update for review
274598ae5 kata-runtime: add dragonball config check support.
1befbe673 runtime-rs: Cargo lock for fix version problem
3d6156f6e runtime-rs: support dragonball and runtime-binary
3f6123b4d libs: update configuration and annotations
9ae2a45b3 cgroups: remove unnecessary get_paths()
be31207f6 clh: Don't crash if no network device is set by the upper layer
051181249 packaging: Add a "-" in the dir name if $BUILD_DIR is available
dc3b6f659 versions: Update Cloud Hypervisor to v25.0
201ff223f packaging: Use the $BUILD_SUFFIX when renaming the qemu binary
1a25afcdf kernel: Allow passing the URL to download the tarball
80c68b80a kernel: Deduplicate code used for building TEE kernels
d2584991e dragonball: fix dependency unused warning
458f6f42f dragonball: use const string for legacy device type
939959e72 docs: add Dragonball to hypervisors
f6f96b8fe dragonball: add legacy device support for aarch64
7a4183980 dragonball: add device info support for aarch64
f7ccf92dc kata-deploy: Rely on the configured config path
386a523a0 kata-deploy: Pass the config path to CRI-O
13df57c39 build: save lines for repository_owner check
57c2d8b74 docs: Update URL links for containerd documentation
e57a1c831 build: Mark git repos as safe for build
2551924bd docs: delete CRI containerd plugin statement
9cee52153 fmt: do cargo fmt and add a dependency for blk_dev
47a4142e0 fs: change vhostuser and virtio into const
e14e98bbe cpu_topo: add handle_cpu_topology function
5d3b53ee7 downtime: add downtime support
6a1fe85f1 vfio: add vfio as TODO
5ea35ddcd refractor: remove redundant by_id
b646d7cb3 config: remove ht_enabled
cb54ac6c6 memory: remove reserve_memory_bytes
bde6609b9 hotplug: add room for other hotplug solution
d88b1bf01 dragonball: update vsock dependency
dd003ebe0 Dragonball: change error name and fix compile error
38957fe00 UT: fix compile error in unit tests
11b3f9514 dragonball: add virtio-fs device support
948381bdb dragonball: add virtio-net device support
3d20387a2 dragonball: add virtio-blk device support
87d38ae49 Doc: add document for Dragonball API
2bb1eeaec docs: further questions related to upcall
026aaeecc docs: add FAQ to the report
fffcb8165 docs: update the content of the report
42ea854eb docs: kata 3.0 Architecture
efdb92366 build: Fix clh source build as normal user
0e40ecf38 tools/snap: simplify nproc
f59939a31 runk: Support `exec` sub-command
4d89476c9 runtime: Fix DisableSelinux config
090de2dae dragonball: fix the clippy errors.
a1593322b dragonball: add vsock api to api server
89b9ba860 dragonball: add set_vm_configuration api
95fa0c70c dragonball: add start microvm support
5c1ccc376 dragonball: add Vmm struct
4d234f574 dragonball: refactor code layout
cfd5dae47 dragonball: add vm struct
527b73a8e dragonball: remove unused feature in AddressSpaceMgr
3bafafec5 action: extend commit message line limit to 150 bytes
5010c643c release: Revert kata-deploy changes after 2.5.0-rc0 release
7120afe4e dragonball: add vcpu test function for aarch64
648d285a2 dragonball: add vcpu support for aarch64
7dad7c89f dragonball: update dbs-xxx dependency
07231b2f3 runtime-rs:refactor network model with netlink
c8a905206 build: format files
242992e3d build: put install methods in utils.mk
8a697268d build: makefile for dragonball config
9c526292e runtime-rs:refactor network model with netlink
71db2dd5b hotplug: add room for future acpi hotplug mechanism
8bb00a3dc dragonball: fix a bug when generating kernel boot args
2aedd4d12 doc: add document for vCPU, api and device
bec22ad01 dragonball: add api module
07f44c3e0 dragonball: add vcpu manager
78c971875 dragonball: add upcall support
7d1953b52 dragonball: add vcpu
468c73b3c dragonball: add kvm context
e89e6507a dragonball: add signal handler
b6cb2c4ae dragonball: add metrics system
e80e0c464 dragonball: add io manager wrapper
d5ee3fc85 safe-path: fix clippy warning
93c10dfd8 runtime-rs: add crosvm license in Dragonball
dfe6de771 dragonball: add dragonball into kata README
39ff85d61 dragonball: green ci
71f24d827 dragonball: add Makefile.
a1df6d096 Doc: Update Dragonball Readme and add document for device
8619f2b3d dragonball: add virtio vsock device manager.
52d42af63 dragonball: add device manager.
c1c1e5152 dragonball: add kernel config.
6850ef99a dragonball: add configuration manager.
0bcb422fc dragonball: add legacy devices manager
3c45c0715 dragonball: add console manager.
3d38bb300 dragonball: add address space manager.
aff604055 dragonball: add resource manager support.
8835db6b0 dragonball: initial commit
9cb15ab4c agent: add the FSGroup support
ff7874bc2 protobuf: upgrade the protobuf version to 2.27.0
06f398a34 runtime-rs: use withContext to evaluate lazily
fd4c26f9c runtime-rs: support network resource
4be7185aa runtime-rs: runtime part implement
10343b1f3 runtime-rs: enhance runtimes
9887272db libs: enhance kata-sys-util and kata-types
3ff0db05a runtime-rs: support rootfs volume for resource
234d7bca0 runtime-rs: support cgroup resource
75e282b4c runtime-rs: hypervisor base define
bdfee005f runtime-rs: service and runtime framework
4296e3069 runtime-rs: agent implements
d3da156ee runtime-rs: uint FsType for s390x
e705ee07c runtime-rs: update containerd-shim-protos to 0.2.0
8c0a60e19 runtime-rs: modify the review suggestion
278f843f9 runtime-rs: shim implements for runtime-rs
641b73610 libs: enhance kata-sys-util
69ba1ae9e trans: fix the issue of wrong swapness type
d2a9bc667 agent: agent-protocol support async
aee9633ce libs/sys-util: provide functions to execute hooks
8509de0ae libs/sys-util: add function to detect and update K8s emptyDir volume
6d59e8e19 libs/sys-util: introduce function to get device id
5300ea23a libs/sys-util: implement reflink_copy()
1d5c898d7 libs/sys-util: add utilities to parse NUMA information
87887026f libs/sys-util: add utilities to manipulate cgroup
ccd03e2ca libs/sys-util: add wrappers for mount and fs
45a00b4f0 libs/sys-util: add kata-sys-util crate under src/libs
48c201a1a libs/types: make the variable name easier to understand
b9b6d70aa libs/types: modify implementation details
05ad026fc libs/types: fix implementation details
d96716b4d libs/types:fix styles and implementation details
6cffd943b libs/types:return Result to handle parse error
6ae87d9d6 libs/types: use contains to make code more readable
45e5780e7 libs/types: fixed spelling and grammer error
2599a06a5 libs/types:use include_str! in test file
8ffff40af libs/types:Option type to handle empty tomlconfig
626828696 libs/types: add license for test-config.rs
97d8c6c0f docs: modify move-issues-to-in-progress.yaml
8cdd70f6c libs/types: change method to update config by annotation
e19d04719 libs/types: implement KataConfig to wrap TomlConfig
387ffa914 libs/types: support load Kata agent configuration from file
69f10afb7 libs/types: support load Kata hypervisor configuration from file
21cc02d72 libs/types: support load Kata runtime configuration from file
5b89c1df2 libs/types: add kata-types crate under src/libs
4f62a7618 libs/logging: fix clippy warnings
6f8acb94c libs: refine Makefile rules
7cdee4980 libs/logging: introduce a wrapper writer for logging
426f38de9 libs/logging: implement rotator for log files
392f1ecdf libs: convert to a cargo workspace
575df4dc4 static-checks: Allow Merge commit to be >75 chars
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add required kernel config for dm-crypt/dm-integrity/dm-verity
and related crypto config.
Add userspace command line tools for disk encryption support
and ext4 file system utilities.
Fixes: #4761
Signed-off-by: Arron Wang <arron.wang@intel.com>
For CoCo stack, the pause image is managed by host side,
then it may configure a malicious pause image, we need package
a pause image inside the rootfs and don't the pause image from host.
Fixes: #4768
Signed-off-by: Wang, Arron <arron.wang@intel.com>
Pick up a new verison of image-rs as the pinned version depended on a
version of ocicrypt-rs that doesn't build anymore
Fixes: #4867
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
As route model is used for specific internal scenario, and it's not for
the general requirement.
Fixes:#4838
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
AMD SEV pre-attestation is handled by the runtime before the guest is
launched. Guest VM is started paused and the runtime communicates with a
remote keybroker service (e.g., simple-kbs) to validate the attestation
measurement and to receive launch secret. Upon validation, the launch
secret is injected into guest memory and the VM is started.
Fixes: #4280
Signed-off-by: Jim Cadden <jcadden@ibm.com>
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
This PR updates the libseccomp version at the versions.yaml that is
being used in the kata CI.
Fixes#4858
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
