As discussed in #2908, Ubuntu is used as a base for CCv0 for building
umoci in the guest. Currently, CCv0 only works with initrd, so this only
applies to initrd.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Pull an encrypted image using the Attestation Agent as
a keyprovider.
Fixes: #3022
Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
Add the "Merge pull request (kata-containers)?#<x> from" message to the
subsystem check to allow commit check on merges between branches to work
Fixes: #3085
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Add new agent configuration policy path parameter
- Update agent pull image to use the policy path if specified and
otherwise fall back to the accept all policy
- Remove the double copy of the image during pulling
- Ensure that temporary directories are always removed
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Document how to test the signature validation with
a number of different scenarios and test images
- Update ccv0.sh to add policy_path to kernel_params
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Add hardcoded gpg, signature and polict files
- Modify rootfs.sh to put these in the correct place in the kata image
if skopeo and umoci are being used
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
We do not get a root filesystem path from the agent when creating a
new container for which the container image was not pulled by
containerd. That prevents the agent from creating the container.
To fix that, we populate the container root path with the internal
rootfs path by fetching the containerd added image name annotation and
mapping it back to a path through our image hash map.
Fixes#3009
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
In the confidential computing scenario, there is no Image
information on the host, so skip handling Rootfs at
CreateContainer.
Fixes#3009
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
- Replace containerd to `confidential-containers/containerd` in go.mod
- Use separate ImageService to support PullImage
Fixes#3009
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
The version `v1.6.0-beta.2` released support for shim service,
which is needed for our implementation of ImageService.
Fixes#3009
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
While building snap, static qemu is considered. Disable libudev
as it doesn't have static libraries on most of the distros of all
archs.
Fixes: #3002
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
If a file/directory doesn't exist, os.Stat() returns an
error. Assert the returned value with os.IsNotExist() to
prevent it from failing.
Fixes: #2920
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
When the container didn't had a tty console, it would be in a same
process group with the kata-agent, which wasn't expected. Thus,
create a new session for the container process.
Fixes: #3063
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Many of these functions are just used on one place throughout the rest
of the code base. If we create hypervisor package, newtork package, etc, we may want to
parse this out.
Fixes: #3049
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This will be useful at runtime level; no need for oci or uuid to be subpkg of
virtcontainers.
While at it, ensure we run gofmt on the changed files.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Update the agent README by removing the historical details about the
conversion from golang to rust which (occurred at the start of Kata 2.x
development) and replacing it with information that developers and
testers should find more useful.
Fixes: #3056.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The fact that we need to "bridge" the endpoint is a bit irrelevant. To
be consistent with the rest of the endpoints, let's just call this
"macvlan"
Fixes: #3050
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
The thread monitor will check if the agent and the VMM are alive every
second in a blocking thread. The Cloud hypervisor API server is
single-threaded, if the monitor does a `check()`, while a slow request
is still in progress, the monitor check() method will timeout. The
monitor thread will stop all the shim-v2 execution.
This commit modifies the monitor thread to make it check the status of
the hypervisor after 5 seconds. Additionally, the `check()` method from
cloud-hypervisor will use the method `clh.isClhRunning(timeout)` with a
10 seconds timeout. The monitor function does no timeout, so even if
`hypervisor.check()` takes more 10 seconds, the isClhRunning method
handles errors doing a VmmPing and retry in case of errors until the
timeout is reached.
Reduce the time to the next check to 5 should not affect any functionality,
but it will reduce the overhead polling the hypervisor.
Fixes: #2777
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
CRI-O deployment documentation was quite outdated, giving info from the
`1.x` era. Let's update this to reflect what we currently have.
Fixes: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The links are either pointing to the not-used-anymore `master` branch,
or to the kubernetes-incubator page.
Let's always point to the CRI-O github page, using the `main`branch.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Although the documentation removed is correct, it's not relevant to the
current supported versions of CRI-O.
Related: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Since the `utils::get_option` interface is modified,
PullImage needs to adapt to this modification in CCv0 branch.
Fixes#3044
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
The main.yaml workflow was created and used only on 1.x. We inherited
it, but we didn't remove it after deprecating the 1.x repos.
While here, let's also update the reference to the `main.yaml` file,
and point to `release.yaml` (the file that's actually used for 2.x).
Fixes: #3033
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There are two types packages under virtcontainers, and the
virtcontainers/pkg/types has a few codes, merging them into
one can make it easy for outstanding and using types package.
Fixes: #3031
Signed-off-by: bin <bin@hyper.sh>
