When using the shim v2 interface to run a container, there is no need to use
kata-proxy and kata-shim; removing kata-proxy and kata-shim from the config file
will cause a panic due to a type assertion. Add a check to avoid the panic.
Fixes: #1440
Signed-off-by: Ace-Tang <aceapril@126.com>
We no longer use the TrustedSandbox style annotations now that we
have moved to the RuntimeClass method of choosing a runtime.
Drop the remaining Trusted items from the examples.
Fixes: #403
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
The "ephemeral" type is just used to indicate ephemeral volumes in the
runtime. We should not pass it to the agent. Instead, "bind" is the
correct mount type to be passed.
Fixes: #1438
Signed-off-by: Xie Yongji <xieyongji@baidu.com>
After we switched the golang linter to golangci-lint, we have an extra 'deadcode'
linter check, and we need to remove this linter check for all
generic items.
Fixes: #1432
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Re-implement the image builder script to generate an image with a double MBR +
DAX metadata. The DAX metadata is read by the NVDIMM driver to know the
beginning of the data in the pmem device.
This new image format is required to enable DAX in the kernels and hypervisors
that support NVDIMM, without breaking compatibility with the kernels and
hypervisors that don't support it.
The following diagram shows how the resulting image will look:
```
.-----------.----------.---------------.-----------.
| 0 - 512 B | 4 - 8 Kb |  2M - 2M+512B |    3M     |
|-----------+----------+---------------+-----------+
|   MBR #1  |   DAX    |    MBR #2     |  Rootfs   |
'-----------'----------'---------------'-----------+
      |          |         ^     |           ^
      |          '--data---'     '-----------'
      |                                      |
      '-----------rootfs-partition-----------'
```
MBR: Master boot record.
DAX: Metadata required by the NVDIMM driver to enable DAX in the guest [1][2] (struct nd_pfn_sb).
Rootfs: partition that contains the root filesystem (/usr, /bin, etc).
Kernels and hypervisors that support DAX/NVDIMM read the MBR #2,
otherwise MBR #1 is read.
[1] - https://github.com/kata-containers/osbuilder/blob/master/image-builder/nsdax.gpl.c
[2] - https://github.com/torvalds/linux/blob/master/drivers/nvdimm/pfn.h
Fixes: #263
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fixes: #1422
Detected failing test case:
```
....
=== RUN TestEnterContainerFailingContNotStarted
--- PASS: TestEnterContainerFailingContNotStarted (0.01s)
=== RUN TestEnterContainer
--- FAIL: TestEnterContainer (0.00s)
Error Trace: sandbox_test.go:1154
Error: Expected value not to be nil.
Messages: Entering non-running container should fail
Error Trace: sandbox_test.go:1157
Error: Expected nil, but got: &errors.errorString{s:"Can not
move from running to running"}
Messages: Failed to start sandbox: Can not move from running to
running
FAIL
```
`TestEnterContainerFailingContNotStarted` calls `cleanUp` at the function
beginning but it doesn't clean up its garbage after it ends.
`TestEnterContainer` only calls `cleanUp` at the end but it doesn't do
`cleanUp` at the beginning, which gives the first test case a chance to impact
the latter one.
This commit modifies all the test cases so that they all do `cleanUp()`
at the end.
The policy here is: "everyone needs to take their garbage away when they
leave" :)
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
Fixes: #1415
Container resources have been saved to ContainerConfig so there's no
need to save them again in state.json.
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
k8s host empty-dir is equivalent to docker volumes.
For this case, we should just use the host directory even
for system directories.
Move the isEphemeral function to virtcontainers to not
introduce cyclic dependency.
Fixes: #1417
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
We handle system directories differently: if it's a bind mount
we mount the guest system directory to the container mount and
skip the 9p share mount.
However, we should not do this for docker volumes, which are directories
created by Docker.
This introduces a Docker specific check, but that is the only
information available to us at the OCI layer.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
gometalinter is deprecated and will be archived April '19. The
suggestion is to switch to golangci-lint which is apparently 5x faster
than gometalinter.
Partially Fixes: #1377
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Add a note to the developer guide explaining that the debug console
requires systemd support (hence nominally you cannot use alpine linux
for example as that doesn't use systemd).
Fixes: #412.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kata does support the privileged flag but within the guest,
so explain how this works in the Limitations docs.
Fixes: #362
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Change the debug console systemd job to specify the path to bash as
`/bin/bash`, *not* `/usr/bin/bash`. This unbreaks the debug console for
Ubuntu and Debian and also works for all other distros.
Fixes: #410.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Don't force Docker to be kept at version 18.06 (to ensure devicemapper
is available). This feature won't be re-added by Docker and remaining on
an old version of Docker is not good from a security perspective.
Replace the pinning with a note pointing users at an issue which
provides details of alternatives to devicemapper.
Fixes: #407.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
osbuilder recently added the ability to create images with a DAX/NVDIMM
header [1], however this change broke the data collection script. Update
that script to handle images with and without this header.
The data collection script will now assume a header is present. However,
if it fails to find the required partition data, it will try again, this
time assuming the image does not have a DAX/NVDIMM header.
Fixes: #1404.
[1] - https://github.com/kata-containers/osbuilder/pull/236
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
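The double-MBR + DAX image layout described above and the data collection fallback from this commit, as an added example that is not code from osbuilder or the runtime: it parses the MBR partition table at 2 MiB first and falls back to the one at offset 0, on sample images it constructs itself. It assumes MBR #2 addresses sectors relative to the start of the pmem data at 2 MiB, and leaves the nd_pfn_sb bytes zero since it does not parse them.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024
DAX_DATA_OFFSET = 2 * MIB   # MBR #2 sits here; the pmem block device starts here
ROOTFS_OFFSET = 3 * MIB     # absolute file offset of the rootfs partition
ENTRY = "<B3sB3sII"         # status, CHS, type, CHS, LBA start, sector count

def make_mbr(lba_start, nsectors, ptype=0x83):
    """One 512-byte MBR with a single Linux partition entry (constructed)."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack(ENTRY, 0, b"\xff" * 3, ptype, b"\xff" * 3, lba_start, nsectors)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def build_image(size=4 * MIB, with_dax_header=True):
    """Constructed sample image in the double-MBR + DAX layout (DAX metadata bytes left zero)."""
    img = bytearray(size)
    nsectors = (size - ROOTFS_OFFSET) // SECTOR
    img[0:SECTOR] = make_mbr(ROOTFS_OFFSET // SECTOR, nsectors)  # MBR #1: LBA relative to offset 0
    if with_dax_header:
        # MBR #2: LBA relative to the pmem data start at 2M (assumption in this example)
        rel = (ROOTFS_OFFSET - DAX_DATA_OFFSET) // SECTOR
        img[DAX_DATA_OFFSET:DAX_DATA_OFFSET + SECTOR] = make_mbr(rel, nsectors)
    return bytes(img)

def parse_mbr(img, base):
    """Absolute byte offset of the first usable partition in the MBR at `base`, else None."""
    mbr = img[base:base + SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return None
    for i in range(4):
        _, _, ptype, _, lba, nsec = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 or nsec == 0:
            continue  # empty slot
        start = base + lba * SECTOR
        if start + nsec * SECTOR <= len(img):  # reject entries pointing past the image
            return start
    return None

def find_rootfs(img):
    """Same order as the data collection script: assume a DAX header, then retry without."""
    offset = parse_mbr(img, DAX_DATA_OFFSET)
    if offset is not None:
        return "dax", offset
    offset = parse_mbr(img, 0)
    if offset is not None:
        return "plain", offset
    raise ValueError("no valid MBR at offset 2M or 0")
```

Both sample images resolve the rootfs to the same absolute offset of 3 MiB; only the MBR used to find it differs.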
Add a number of useful build and install targets to the `show-usage`
target which are visible when the user runs `make help`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add `install-runtime` and `install-netmon` targets. This allows the
`install` target to be simplified and also allows the runtime to be
built without having to build the `containerd-shim-v2` binary which is
slow to build:
```
$ make runtime && sudo -E PATH=$PATH make install-runtime
```
Fixes: #1402.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The `containerd-shim-v2` binary does not need the `kata-runtime` binary
to be built first, so remove the dependency.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>