- Removes `CODE_OF_CONDUCT.md` and `CONTRIBUTING.md` from osbuilder
directory.
- Fixes a reference from `image-builder/README.md` to
`rootfs-builder/README.md`
- Updates the main `README.md` making a reference to the local
`tools/osbuilder/README.md`
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
move all osbuilder files into `tools` directory to be able
to merge this into kata-containers repo.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
QEMU >= 4.0 is able to boot into the uncompressed kernel using the PVH
entry point, but to get this, `CONFIG_PVH` must be enabled in the guest
kernel and `pvh.bin` installed on the host.
Booting uncompressed kernels in QEMU 5.0 can reduce the memory footprint,
~17% for KSM and ~15% for non-KSM.
Fixes: #1029
Signed-off-by: Julio Montes <julio.montes@intel.com>
It is simply wrong to test kata-check within `before` sub commands,
as it is NOT `before` at all. Besides, it causes errors if kata is
not installed.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We should not use a plain unix socket reader to act as a grpc
server. Place a real mock grpc server there instead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Support for passing sandbox annotations to the OCI layer was added
in containerd 1.3.0. Add this to the docs along with configuration
changes needed.
Fixes: #653
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This PR updates the current version of the SLES obs packages that are
being generated.
Fixes: #651
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The config file created by the kernel fragments scheme is quite different
from the old arm64_kata_kvm_5.4.x.
So I will update arm64_kata_kvm_5.4.x for consistency.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
kvm-ptp is critical for mitigating time drift between host and guest.
The kernel-side implementation is still an experimental feature on
aarch64; see https://github.com/kata-containers/packaging/pull/998
for detailed instructions.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Since we disable PCI SHPC hotplug for arm64 (see
https://github.com/kata-containers/packaging/pull/498 for the detailed
reason), we need to move CONFIG_HOTPLUG_PCI_SHPC from the common conf to
the x86_64-specific one.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Backport Anshuman Khandual's patch series "Enabling memory hot
remove on aarch64" (https://patchwork.kernel.org/cover/11419305/)
to v5.4.x.
ZONE_DEVICE depends on the implementation of memory hot remove.
This patch series has already been merged and is queued for 5.7.
After backporting this series, we can finally enable nvdimm/dax
on arm64.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Add a few arm64-specific configs and classify them into seven new
categories, that is:
1. base architecture-dependent options (base.conf)
It also includes variant-specific features, e.g. CONFIG_ARM64_PMEM is
an ARMv8.2 architectural feature.
2. crypto-related options (crypto.conf)
ARMv8 adds cryptographic instructions that can significantly improve
performance on tasks such as AES encryption and SHA1 and SHA256 hashing.
3. device tree related options (dt.conf)
The "Open Firmware Device Tree", or simply Device Tree (DT), is a data
structure and language for describing hardware, which is commonly
used in the arm architecture.
4. ARM errata workaround options (errata.conf)
There are many Kconfig entries under "Kernel Features" ->
"ARM errata workarounds via the alternatives framework", which provide
software workarounds to mitigate systems affected by those errata.
Vendor-specific options will be left to users to decide.
5. pci related options (pci.conf)
A simplified pci host controller for mach-virt.
6. serial device options (serial.conf)
CONFIG_SERIAL_OF_PLATFORM is used for all 8250-compatible serial ports
that are probed through the device tree.
7. rtc related options (rtc.conf)
We don't have KVM's paravirtualized clock and the ptp implementation is
still experimental, so we need an rtc on aarch64.
QEMU provides an emulated ARM AMBA PrimeCell PL031 RTC.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Compaction is the only memory management component to form high order
(larger physically contiguous) memory blocks reliably.
The page allocator relies on compaction heavily and the lack of the feature
can lead to unexpected OOM killer invocations for high order memory requests.
We shouldn't disable this option unless there really is a strong reason.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
mmio devices are required in firecracker, and for now both x86_64 and
aarch64 support kata containers with firecracker.
So we need to move the mmio-related configs to the common dir.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There exist a few security-related configs which are x86_64-specific:
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_RETPOLINE=y
CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE are somewhat tangled on
aarch64: if CONFIG_RANDOMIZE_BASE=y, then CONFIG_RELOCATABLE will be
selected automatically.
CONFIG_RANDOMIZE_BASE randomizes the virtual address at which the
kernel image is loaded, which as a security feature can deter exploit
attempts relying on knowledge of the location of kernel internals.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
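The commit messages above about CONFIG_PVH, CONFIG_HOTPLUG_PCI_SHPC, CONFIG_COMPACTION and the x86_64-only security options all describe expectations on the guest kernel `.config` that are easy to lose when fragments are moved between the common and per-architecture directories. The following script is an added example, not part of the Kata packaging repository: it checks a `.config` for a per-architecture list of options that must be `=y` and reports the ones that are missing. The option lists, the function names and the two sample `.config` fragments are constructed for this example and are assumptions, not the project's own policy.

```shell
#!/usr/bin/env bash
# Added example; not part of the Kata packaging repo. Checks a guest kernel
# .config for options discussed in the commit messages above. The option
# lists and the sample .config fragments below are constructed for the example.
set -eu

# Options expected on every architecture (KASLR and the compaction the
# page allocator relies on).
COMMON_REQUIRED="CONFIG_RANDOMIZE_BASE CONFIG_RELOCATABLE CONFIG_COMPACTION"
# Options that only exist, or are only wanted, on x86_64: no vsyscall page
# or retpoline Kconfig on aarch64, PVH boot is x86-only, and SHPC hotplug
# is disabled for arm64.
X86_REQUIRED="CONFIG_RETPOLINE CONFIG_LEGACY_VSYSCALL_NONE CONFIG_PVH CONFIG_HOTPLUG_PCI_SHPC"

# required_options ARCH: print the space-separated list of options to check.
required_options() {
    case "$1" in
        x86_64)  echo "$COMMON_REQUIRED $X86_REQUIRED" ;;
        aarch64) echo "$COMMON_REQUIRED" ;;
        *)       echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# missing_options ARCH CONFIG: print each required option that is not
# exactly 'OPTION=y' in CONFIG, one per line ('# OPTION is not set' and
# '=m' both count as missing). Prints nothing when the config is complete.
missing_options() {
    local opt
    for opt in $(required_options "$1"); do
        grep -qx "${opt}=y" "$2" || echo "$opt"
    done
}

# check_config ARCH CONFIG: succeed only if nothing is missing; otherwise
# list the gaps on stderr and fail, so it can gate a build script.
check_config() {
    local missing
    missing=$(missing_options "$1" "$2")
    if [ -n "$missing" ]; then
        echo "$2 ($1): missing" $missing >&2
        return 1
    fi
}

# Constructed sample configs: the x86_64 one is complete, the aarch64 one
# has compaction switched off, which the check should flag.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/x86_64.config" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
CONFIG_RELOCATABLE=y
CONFIG_COMPACTION=y
CONFIG_RETPOLINE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_PVH=y
CONFIG_HOTPLUG_PCI_SHPC=y
EOF
cat > "$SAMPLE_DIR/aarch64.config" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
CONFIG_RELOCATABLE=y
# CONFIG_COMPACTION is not set
CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y
EOF
```

Run it as `check_config x86_64 path/to/.config` after the fragments have been merged; exact-line matching with `grep -x` is deliberate, so that `CONFIG_RANDOMIZE_BASE=n`, `=m` or a commented-out line are all treated as missing rather than silently accepted.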
There exist a few configs for linux guest support or optimization
that are not supported on aarch64.
CONFIG_HYPERVISOR_GUEST is only defined under arch/x86/Kconfig and,
unfortunately, CONFIG_KVM_GUEST is not supported on aarch64 for now.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
For now, a few configs as follows in the common acpi dir are truly x86-specific
or disabled by default on arm64.
CONFIG_ACPI_CPU_FREQ_PSS=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP
CONFIG_ACPI_LPIT=y
CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
CONFIG_HAVE_ACPI_APEI_NMI=y
I also add a few configs which are aarch64-specific,
like CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y, since ARM64 can run properly
in ACPI hardware-reduced mode.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
- makefile: Make SELinux support configurable
- clh: Boot from persistent memory device
- config: Add scsi_mod.scan=none for virtio-scsi
- katautils: Use config paths set during the build
- version: Update kernel to lts 5.4.32
- clh: virtiofs: Add no_posix_lock option
- versions: Switch to virtio-fs-dev branch for kernel
- v2: Open log fifo with `RDWR` instead of `WRONLY`
- qemu-ppc64le: Switch off large decrementer capability
- versions: Update go to 1.13.9
- qemu_ppc64le: Expose fs support explicitly
- qemu: Don't crash if virtiofsd path is non existent
- Add SELinux support for running VM Confinement
- clh: Implement capabilities
- Update go to v1.13.8
- Makefile: Allow change default hypervisor via env var
- clh: Report warning when requested vCPUs exceeds maxVCPU allowed
- clh: Enable memory hotplug
- virtcontainers: check PCI resource format before using it
- Support persistent memory volumes
- versions: Update containerd commit
- virtcontainers: Don't create vfio devices in the guest
- shimv2: move container rootfs mounted flag to container level
- AArch64: officially enable firecracker v0.21.0 on AArch64
- clh: add vfio support
d78ffd65 makefile: Make SELinux support configurable
7aa31685 clh: Boot from persistent memory device
e8fc25a7 version: Update clh to master
bf9758bf katautils: Use config paths set during the build
8c850d9e config: Add scsi_mod.scan=none for virtio-scsi
07d0a4f0 version: Update kernel to lts 5.4.32
ab8050c5 kata_agent: Don't use dax if virtio_fs_cache is 0
6218b2a5 kata_agent: Remove sharedDirVirtioFSOptions
95ccc0f7 agent: Use "virtiofs" instead of "virtio_fs"
4c1cacd3 versions: Switch to virtio-fs-dev branch for kernel
8e0f891e v2: Open log fifo with `RDWR` instead of `WRONLY`
afbd03cf qemu-ppc64le: Switch off large decrementer capability
432f9bea clh: virtiofs: Add no_posix_lock option
0294fcb9 versions: Update go to 1.13.9
fd625b3f qemu: Don't crash if virtiofsd path is non existent
5eec8bdf qemu_ppc64le: Expose fs support explicitly
e4eb553d virtcontainers: Add SELinux support for running VM Confinement
39e354f6 clh: Implement capabilities
0a1ffc1d types: Make FS sharing disable by default
669b6e32 clh: Report warning when requested vCPUs exceeds maxVCPU allowed
7997218c Makefile: Allow change default hypervisor via env var
aab82f67 clh: Add memory hotplug
e62a8aa9 versions: Update containerd commit
2f948738 clh: Use MemUnit to create VM
b6a7d8d6 utils: Add memory unit abstraction
5e7d2538 clh: add vmInfo method
ebb8fd57 versions: Update clh to latest master
4d2574a7 virtcontainers: Don't create vfio devices in the guest
3b53114a virtcontainers: improve algorithm to check Large bar devices
7aff5466 virtcontainers: check PCI resource format before using it
d0a730c6 shimv2: move container rootfs mounted flag to container level
d60902a9 FC: change minimum supported version of Firecracker to v0.21.1
aadf8c4a AArch64: enable firecracker v0.21.1 on AArch64
44e23493 FC: Fix error of overlong firecracker API unix socket
c3bafd57 FC: Change default API socket path
2945bcd7 FC: Removed redundant `--seccomp-level` jailer parameter
d2cae59e FC: Removed redundant `RescanBlockDevice` action
37b91b33 FC: Remove `logger.options`
2c310fec virtcontainers: handle persistent memory volumes
434b3025 virtcontainers: hotplug block drives that are pmem devices as nvdimm
84e0ee13 virtcontainers: reimplement `createBlockDevices`
abbdf078 virtcontainers: add Pmem attribute to BlockDrive
ee941e5c virtcontainers: Implement function to get the pmem DeviceInfo
9ff44dba virtcontainers: implement function to get the backing file
0a4e2edc virtcontainers: move GetDevicePathAndFsType to utils_linux
2c7f27ec vendor: update govmm
f61eca89 clh: Add comments around clh api
6a4e667f virtiofsd: Check if PID is valid
3251beaa version: Update clh to master
c5184641 clh: Add vfio support
4d034b1e versions: update go to v1.14
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
- release: Tag and fork documentation repo as part of release
- obs: let patch set in order before apply them
- scripts: Disable pie for qemu when static building
- kernel: Enable CONFIG_VIRTIO_PMEM for booting from pmem
- kernel: Fix patch ordering
- tests: Remove performing updates in Fedora dockerfile
- kata-deploy: fix k3s containerd check
- scripts: update configuration script to support QEMU 5.0
- obs: Update SLES version for packaging
- config: enable printk-time for kernel-5.4 for arm64
- actions: change trigger phrase for kata-deploy action
- kernel: enable virtio-fs for arm64.
- add kernel config for gpu
- Optimize the kata qemu binary size
- obs: Remove OpenSUSE Leap 15.0 from obs generation
- pod : optimization Some debian package manager tweaks
d271ee7 obs: let patch set in order before apply them
fbad186 kernel: Enable CONFIG_VIRTIO_PMEM for booting from pmem
652d1fd release: Tag and fork documentation repo as part of release
7e22144 scripts: Disable pie for qemu when static building
93da145 kernel: Fix patch ordering
59f7678 tests: Remove performing updates in Fedora dockerfiles
96f3b99 kata-deploy: fix k3s containerd check
fb42e38 scripts: update configuration script to support QEMU 5.0
9bdc51c obs: Update SLES version for packaging
32986db config: enable printk-time for kernel-5.4 for arm64
9b8f20c kernel: enable virtio-fs for arm64.
12d351d kernel: add usage in readme
1389500 kernel: support force setup
7a17b50 kernel: support bash debug
d248e41 kernel: support build guest kernel for gpu
cbfc7a1 obs: Remove OpenSUSE Leap 15.0 from obs generation
9a6bd12 debian: Install missing ca-certificates package
d527c4f debian: Don't install recommended software
3670074 scripts: Disable a few options to reduce qemu binary size on generic architectures
711eae6 scripts: Set --enable-pie on aarch64 arch
7cdf113 scripts: Relax the version limitation for qemu
0871391 scripts: Remove obsoleted --disable-uuid
878a223 scripts: Disable xen when building qemu on generic architectures
e92f3db actions: change trigger phrase for kata-deploy action
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
- tests: deleting stale test results when tests failed
- image_builder: Reduce the boundary mb for reducing image size on arm64
- initrd-builder: Don't error if run as non-root
- s390x: Skip rust for s390x
- image_builder: Force mount_dir to be created in /tmp
c29dbae tests: deleting when tests failed
2ac3090 s390x: Skip rust for s390x
9665563 image_builder: Force mount_dir to be created in $TMPDIR
6cae294 initrd-builder: Don't error if run as non-root
005c62a image_builder: Reduce the boundary mb for reducing image size on arm64
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
- Fix potential crash
- sandbox: fix the issue of missing setting hostname
- unify the rustjail's log to contain container id and exec id
- Refactor the way of creating container process
ba3c732 grpc: fix the issue of potential crashes
32431d7 rpc: fix the issue of kill container process
986e666 sandbox: fix the issue of missing setting hostname
7d9bdf7 grpc: Fix the issue passing wrong exec_id to exec process
9220fb8 rustjail: unify the rustjail's log to contain container id and exec id
c1b6838 rustjail: refactoring the way of creating container process
e56b10f rustjail: remove the unused imported crates
ded27f4 oci: add Default and Clone to oci spec objects
7df8ede rustjail: replace protocol spec with oci spec
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The enablement of ptp_kvm for arm is under review, see [1].
So we have to apply a private patch to enable it in the 5.4 kernel.
ptp_kvm can offer the capability of time sync in kata even when there
is no network available, and higher precision than time sync
services that depend on the network.
Note:
If you want to use this feature on your arm machine, the host kernel
also needs this patch applied. We recommend that your host kernel version
be 5.4, so that you can apply this patch smoothly.
[1] https://patchwork.kernel.org/cover/11372743/
Fixes: #997
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
SELinux support requires libselinux to be available, but that's
not the only factor: for example, Fedora 31 has libselinux but not
a version of selinux-policy that knows about Kata containers, so
enabling SELinux support by default in that case causes usability
issues.
Another issue with the current implementation is that, when
libselinux is absent, SELinux support will be quietly disabled,
which might not be what the user (or packager) intended.
To solve both problems, introduce the new FEATURE_SELINUX user
variable. This variable takes one of three values:
* check (default): keep the current behavior;
* yes: enable SELinux support, erroring out if libselinux is
not present on the system;
* no: disable SELinux support.
In the future we might want to formalize support for optional
build-time features, but for now this will do.
Fixes: #2623
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
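As an added illustration of the three-way switch described in this commit message (example code, not the project's Makefile), the fragment below implements `FEATURE_SELINUX` with the `check`/`yes`/`no` semantics listed above. It assumes GNU make and that libselinux can be detected through `pkg-config`; the `HAVE_LIBSELINUX`, `SELINUX` and `BUILDTAGS` variable names and the `show-selinux` target are hypothetical.

```makefile
# Added example, not the project's Makefile: FEATURE_SELINUX with three values.
# Assumes GNU make and that libselinux ships a libselinux.pc for pkg-config.
FEATURE_SELINUX ?= check

# yes/no depending on whether the library is actually present on the build host.
HAVE_LIBSELINUX := $(shell pkg-config --exists libselinux && echo yes || echo no)

ifeq ($(FEATURE_SELINUX),yes)
  # Explicit request: a missing library is a hard error, never a silent downgrade.
  ifneq ($(HAVE_LIBSELINUX),yes)
    $(error FEATURE_SELINUX=yes but libselinux was not found)
  endif
  SELINUX := yes
else ifeq ($(FEATURE_SELINUX),no)
  SELINUX := no
else ifeq ($(FEATURE_SELINUX),check)
  # Previous behaviour: enable only when the library happens to be available.
  SELINUX := $(HAVE_LIBSELINUX)
else
  $(error FEATURE_SELINUX must be one of: check, yes, no (got '$(FEATURE_SELINUX)'))
endif

ifeq ($(SELINUX),yes)
  BUILDTAGS += selinux
endif

show-selinux:
	@echo "FEATURE_SELINUX=$(FEATURE_SELINUX) libselinux=$(HAVE_LIBSELINUX) selinux=$(SELINUX)"
```

A packager who wants a reproducible build would pass `FEATURE_SELINUX=yes` or `FEATURE_SELINUX=no` explicitly; `check` is convenient for developers but makes the resulting binary depend on whatever the build host happens to have installed, which is the quiet-disable problem the message describes.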