History: the previous version of kvm (unknown) and qemu-lite had an
issue using virtio 1.0 version when it came to device hotplug, which led
the team to disable the 1.0 version of virtio for hotplug (set
disable-modern=on). Please check
e99f6b2931
for further info.
We have since moved to QEMU 4.0 and probably a later version of kvm as
default across all distros. This change is to move to virtio 1.0 for
hotplugging devices.
Fixes: #1870
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Add jailer support to configuration files.
Also enable jailer by default in Kata containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location setup by jailer in order for firecracker to access
these resources. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not setup in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to launch the VMM process, vs
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
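The commit above describes the contract the jailer imposes: every file the VMM opens must already be present under the chroot, and device nodes have to be bind mounted or created there rather than reached through the host filesystem. The following Go program is an added illustration of that staging step and its pre-launch check; it is not Kata or Firecracker code. It assumes assets are addressed by the path the jailed VMM will see (a hypothetical `inJail` string), refuses in-jail paths that would climb out of the chroot with `..`, resolves host symlinks before copying so the jail never contains a link pointing back at the host, and refuses device nodes outright because staging those needs `mknod` or a bind mount (privileged operations left to the real jailer).

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesChroot is returned when an in-jail path would resolve outside
// the jail root.
var ErrEscapesChroot = errors.New("asset path escapes chroot")

// jailPath maps a path as the VMM will see it inside the jail to its
// location on the host. filepath.Join cleans ".." components, so a path that
// still lands outside root after cleaning is a traversal attempt and is
// rejected; a leading "/" is simply re-rooted under the jail.
// (Hypothetical helper written for this example, not a Kata API.)
func jailPath(chroot, inJail string) (string, error) {
	root, err := filepath.Abs(chroot)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(root, inJail)
	if dest != root && !strings.HasPrefix(dest, root+string(os.PathSeparator)) {
		return "", ErrEscapesChroot
	}
	return dest, nil
}

// stageFile copies a regular file from the host into the jail, creating
// parent directories as needed and preserving the permission bits.
// Symlinks are resolved on the host side first so the jail only ever holds
// real files. Device nodes are refused: they need mknod or a bind mount,
// which is the jailer's job, not a file copy.
func stageFile(hostPath, chroot, inJail string) (string, error) {
	resolved, err := filepath.EvalSymlinks(hostPath)
	if err != nil {
		return "", err
	}
	fi, err := os.Stat(resolved)
	if err != nil {
		return "", err
	}
	if fi.Mode()&os.ModeDevice != 0 {
		return "", fmt.Errorf("%s is a device node; bind mount it into the jail instead", hostPath)
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s is not a regular file", hostPath)
	}
	dest, err := jailPath(chroot, inJail)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return "", err
	}
	in, err := os.Open(resolved)
	if err != nil {
		return "", err
	}
	defer in.Close()
	out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, fi.Mode().Perm())
	if err != nil {
		return "", err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return "", err
	}
	return dest, out.Close()
}

// missingAssets reports which of the in-jail paths the VMM needs are absent
// from the chroot: the pre-launch check that catches an incomplete jail
// before the VMM fails with ENOENT inside it.
func missingAssets(chroot string, inJail []string) []string {
	var missing []string
	for _, p := range inJail {
		dest, err := jailPath(chroot, p)
		if err != nil {
			missing = append(missing, p)
			continue
		}
		if _, err := os.Stat(dest); err != nil {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	// Constructed demo: a throwaway jail root and a fake kernel image.
	chroot, err := os.MkdirTemp("", "jail-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(chroot)
	kernel := filepath.Join(chroot, "..", filepath.Base(chroot)+"-vmlinux")
	if err := os.WriteFile(kernel, []byte("not a real kernel"), 0o644); err != nil {
		panic(err)
	}
	defer os.Remove(kernel)
	if _, err := stageFile(kernel, chroot, "/vmlinux"); err != nil {
		panic(err)
	}
	fmt.Println("missing:", missingAssets(chroot, []string{"/vmlinux", "/rootfs.img"}))
	_, err = jailPath(chroot, "../../etc/passwd")
	fmt.Println("traversal rejected:", errors.Is(err, ErrEscapesChroot))
}
```

The in-jail path check is the part worth keeping even if the copying is replaced by bind mounts: the runtime acting as its own jailer must still decide where an asset lands, and a cleaned path that is not strictly below the root is the one case it must never accept.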
This patch adds the following,
1. ACRN only supports virtio-blk and so the rootfs for the VM
sits at /dev/vda. So to get the container rootfs increment the
globalIndex by 1.
2. ACRN doesn't hot-plug container rootfs (but uses blkrescan) to
update the container rootfs. So the agent can be provided the virtpath
rather than the PCIaddr avoiding unnecessary rescanning to find the
virtpath.
v1->v2:
Removed the workaround of incrementing index for
virtio-blk device and addressed it in acrn.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch adds the following,
1. Implement Sandbox management APIs for ACRN.
2. Implement Sandbox operation APIs for ACRN.
3. Add support for hot-plugging virtio-blk based
(using blk rescan feature) container rootfs to ACRN.
4. Prime devices, image and kernel parameters for
launching VM using ACRN.
v2->v3:
Incrementing index to keep track of virtio-blk devices
created. This change removes the workaround introduced
in block.go.
v1->v2:
1. Created issue #1785 to address the UUID TODO item.
2. Removed dead code.
3. Fixed formatting of log messages.
4. Fixed year in copyright message.
5. Removed acrn_amd64.go file as there are no amd64 specific
changes. Moved the code to acrn_arch_base.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch adds support for,
1. Extracting and configuring ACRN hypervisor from toml.
2. Add ACRN hypervisor ctl for controlling ACRN hypervisor.
This will be used for updating virtio-blk based
container rootfs using blk rescan feature.
v2->v3:
Fixed acrnctl path.
v1->v2:
Trimmed hypervisor config options as needed by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
ACRN hypervisor is a type-1 hypervisor and this patch
adds support to check and validate if the system is
capable of running kata containers with ACRN hypervisor.
Depends-on: github.com/kata-containers/tests#1793
v3->v4:
Implemented a generic way to identify hypervisor and
test VM creation.
v2->v3:
1. Removed cgo structs and defined go structs.
2. Suppressed lint warnings due to unused createVM struct.
v1->v2:
1. Created an issue #1784 to address TODO item.
2. Fixed formatting of the log message.
3. Currently ACRN is only supported on amd64. So
moved ACRN specific code to kata-check_amd64.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch covers the following aspects,
1. Add ACRN as a supported hypervisor for amd64 architecture.
2. Build and install configuration file for ACRN hypervisor.
v1->v2:
1. Deleted autogenerated configuration-acrn.toml.
2. Trimmed configuration options not used by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
- Changes:
- version: v1.14.6
- Add username and homedir to generated password
- Close temporary image in PullImage
- Version 1.14.6-dev
- Version 1.14.5
- version: if git commit is empty, silently ignore
- enable inline exec and attach test
- Bump up minMemoryLimit to 12Mb
- Backport CircleCI config
- Fix up machine os content version and cri-o version in spec
- Add state of infracontainer to disk when stopped
- Use GlobalAuthFile when pulling the pause image if
PauseImageAuthFile is not set
- Don't discard copy.Options.SourceCtx when credentials are provided
- Don't set non-default copy.Options in imageService.PullImage if it is nil
- Add global_auth_file option to crio.image config
- Create network and plugins directory if they do not exist
- Disable file locking by default
- Update containers/image to v2.0.0, buildah to 1.8.4, libpod to 1.4.1, ...
- Bump github.com/containers/libpod from 1.2.0 to 1.3.1
- Vendor containers/storage v1.12.4
- update github.com/containers/* dependencies
- Changes to rpm build and Dockerfile for ci
- When plugin_dir is set, only use that value
- Update Makefile to be usable without git
- bump to version 1.14.5-dev
- bump to version 1.14.4
- Default to runc if default_runtime is not set
- Fix missing images names on list
- Add crio-wipe
- Add logic for running OpenShift CI on cri-o PRs
- Update device cgroup permissions for configured devices.
- version: v1.14.4-dev
- version: v1.14.3
- Fix runtime panic when having concurrent writes to runtime impl map
- server: do not add default /sys if bind mounted
- Change plugin_dir to plugin_dirs
- Added unit tests
- Add version file functionality
- fix build issues on 32-bit arches
- conmon: use sd_journal_sendv
- make vendor generated
- Move to v1.14.3-dev
- Tag v1.14.2
- Vendor in c/storage release-1.13
- Revert "update github.com/containers/* dependencies"
- Update test suites
- Fix logic of server.restore()
- version: v1.14.2-dev
Fixes: #1866
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Fixed `TestSandboxCreationFromConfigRollbackFromCreateSandbox` which
requires that the hypervisor does not exist. Unfortunately, it does
exist (as a fake test binary) but isn't executable, meaning that although
the test failed (since an error is expected), rather than the expected
`ENOENT` error the test was logging a message similar to the following,
since the fake hypervisor exists with non-executable permissions:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the `TestQemuAddDeviceKataVSOCK` test so that it:
- Doesn't hard-code the file descriptor number.
- Cleans up after itself.
The latter issue was causing an odd error similar to the following in
the test output:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Partially fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This will take the VERSION of all the components in order to
verify that they match among them before merging the runtime.
Fixes: #1581
Depends-on: github.com/kata-containers/packaging#614
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Kubernetes moved CRI document within the sig-node directory. Updating
README.md accordingly.
Fixes: #1837
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
With #1485, we moved the default medium empty-dir creation to the
sandbox rootfs. This worked for devicemapper, but in case of overlay
the "local" directory was being created outside the sandbox rootfs.
As a result we were seeing the behaviour seen in #1818.
Fixes: #1818
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Update virtcontainer to use latest swagger definition.
Most changes are around mandatory parameters which need to be
passed in via pointers so that the absence of the same can be
detected (vs using default values).
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Eric Auger's latest patches about "ARM virt: Initial RAM expansion
and extended memory map" (https://patchwork.kernel.org/cover/10835377/)
pave the way to device memory, which is the foundation for NVDIMM and
memory hotplug.
This new feature on qemu kind of depends on the host kernel's new feature
of dynamic IPA range (https://lwn.net/Articles/750176/).
The availability of this feature is advertised by a new kvm cap
KVM_CAP_ARM_VM_IPA_SIZE. When supported, this capability returns the
maximum IPA shift supported by the host. The supported IPA size on
a host could be different from the system's PARange indicated
by the CPUs (e.g, kernel limit on the PA size).
Fixes: #1796
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Add a log message for every trace span created, required by the tracing
tests to validate tracing is working.
Fixes: #1814.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The upstream yaml definition has a formatting issue. Fix the
indentation to ensure that swagger can generate the code.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
We only use the swagger generated code from the firecracker-go-sdk.
Now that vsock support is directly available in the upstream
firecracker swagger definition unvendor and generate the
firecracker API directly from the upstream yaml definition.
Previously vsock was not available in the upstream definition.
It is now provided as an experimental feature.
https://github.com/firecracker-microvm/firecracker/blob/master/api_server/swagger/firecracker-experimental.yaml
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Upgrade Firecracker to 0.17.0. This is required to pick up
bug fixes needed in jailer, to allow kata to run firecracker
constrained by a jailer in Kata.
Fixes: #1746
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>