FIPS are a set of security standards for encryption algorithms
in user and kernel space among others.
Have Kata support this by starting the VM for a container
in FIPS mode on detecting that the host is running in FIPS mode.
Depends-on: github.com/kata-containers/packaging#788
Fixes#2170
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
cri-tools version was managed in the tests repository, but as
we define here cri-o, containerd and kubernetes versions, it
make sense to have the cri-tools version defined in this repo.
conmon has now to be installed/built separately. So add it
to the list.
Depends-on: github.com/kata-containers/tests#2057
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Update k8s supported version from 1.15.3 to 1.16.2
and cri-o from 1.15.0 to 1.16.0
Fixes: #2166.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
- sandbox/cgroups: don't constrain if using SandboxCgroupsOnly
- cli: add kata-overhead subcommand
- versions: support specify version in versions.yaml for rust agent.
- virtcontainers/sandbox: calculate container's CPU from sandbox.contai…
- ci: Fix versions_checker.sh
- ci: Fix versions_checker.sh
- virtcontainers: unmount host mounts if container can't be created
- virtcontainers/store: make VCStoreUUIDPath rootless
- virtcontainers/annotations: use right domain name for kata annotations
- v2: Change the event and error behavior of pause/resume
- Update cni plugin version
- Load state early so that hypervisor can store the correct state
e4c816b versions: support specify version in versions.yaml for rust agent.
691a6a7 sandbox/cgroups: don't constrain if using SandboxCgroupsOnly
7fe0100 cli: add kata-overhead command
1bbc1d5 virtcontainers: add StatsSandbox to vc API
569bd78 virtcontainers: change pass by value to pass by reference
5b226d0 ci: Fix versions_checker.sh
f8b84d7 ci: Fix versions_checker.sh
24d7aff virtcontainers: change pass by value to pass by reference
abec17f virtcontainers/store: make VCStoreUUIDPath rootless
eca7bd2 virtcontainers: unmount host mounts if container can't be created
91bd095 virtcontainers/annotations: use right domain name for kata annotations
c1060a3 v2: Change the event and error behavior of pause/resume
f6a10bc state: Refactor code to move all the state load code
fa4acad state: Load the state from storage early on
929c4e7 network: Change NewNS() call
c0995c6 vendor: Vendor the latest CNI plugins
86d8346 version: Update the version for cni plugins
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
When SandboxCgroupsOnly is set, we are expected to just inherit our parent's
cgroup settings and to move all Kata threads within that sandbox cgroup. The
initial implementation still adjusted the size of this cgroup. This commit
fixes this.
This commit makes a couple of functional changes, small refactors, and
adds clarifying comments for some functions.
Fixes: #2090
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Introduce kata-overhead command to kata-runtime CLI, to help
with calculating sandbox overhead.
Fixes: #2096
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
StatsSandbox is used to gather metrics for the sandbox (host cgroup) as
well as from the individual containers (from the guest cgroups). This is
intended to be used for easily calculating Kata sandbox overheads.
Fixes: #2096
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
container.config does not point to sandbox.config.Containers.ContainerConfig
which caused the ContainerConfig not sync.
Fixes: #2129
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
These include features like privileged containers without host devices
and support for per runtime annotations.
Depends-on: github.com/kata-containers/tests#2029
Fixes#2099
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
ACRN doesn't support configuring number of guest vcpu option ('-c') anymore.
Number of guest vcpus will be defined in the hypervisor scenario
configuration file instead.
Removed the -c option from the acrn-dm parameters when launching VMs and
also trimmed configuration.toml file accordingly.
fixes#2136
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
When do the reloading sandbox in shimv2, it's needed to
rewatch the hypervisor's console when debug enabled.
Fixes:#2091
Signed-off-by: lifupan <lifupan@gmail.com>
Version checker does to work today
- Allow to detect stabe branches
Fixes#1581
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Version checker does to work today
- Allow to detect stabe branches
Fixes#1581
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
container.config does not point to sandbox.config.Containers.ContainerConfig
which caused the ContainerConfig not sync.
Fixes: #2129
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
The uuid file shouldn't be created at `/var` if running rootless.
Modify `VMUUIDStoragePath` to get a path accessible for non-root users
if running rootless.
fixes#2133
Signed-off-by: Julio Montes <julio.montes@intel.com>
Mount points, like `resolv.conf` and `hostname` are left in the
host when the cgroup creation fails.
Use `unmountHostMounts()` and `bindUnmountContainerRootfs()` in the rollback
function that is called when container's creation fails.
fixes#2108
Signed-off-by: Julio Montes <julio.montes@intel.com>
The domain name should be used as prefix for the annotations, for
kata containers the domain name is katacontainers.io, not kata-containers.io
fixes#2123
Signed-off-by: Julio Montes <julio.montes@intel.com>
1. Send the event when the container is paused/resumed successfully
2. Return the error of the pause/resume function rather than
`getContainerStatus`.
Fixes#2121
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
Refactor so that all code to load state, devices, network
takes place at one place. This is in line with the experimental api
for new storage that also loads all the necessary items here all at once.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The hypervisor.createSandbox may need to access the state.
For eg, ACRN today needs to access the block index to assign
it to the root image of the VM. Hence load this early on.
Fixes#2026
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Update the version used for testing the cni plugins to the latest
0.8.2 release. This way we make sure CI tests with latest CNI plugins.
Depends-on: github.com/kata-containers/tests#1984
Fixes#2111
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
- Fix cache factory UT
- Virtio-fs v0.3 support
- virtcontainers: set agent's logs vsock port
- config: Fix `virtio-fs` typo in Makefile
- Hypervisor: UUID fix for acrn hypevisor
- virtcontainers: change firecracker socket permissions
- Add annotations to provide custom configs
- Fix CRIO + Firecracker
- rootless: add rootless to kata
- QEMU: do not require nvdimm machine option with initrd
- s390x: Fix runtime build for s390x
- versions: Update kernel to 4.19.75
- config: honor DEFSHAREDFS_QEMU_VIRTIOFS and CONFIG_QEMU_VIRTIOFS_IN
- Support Firecracker 0.18
- virtcontainers: fix the issue of missing qemu error logs
- config: Fix the qemu-virtiofs.toml
- s390x: Share image between qemu instances
- The unit of newMemory is MB
- config: use 9p as default shared filesystem for nemu
- Remove annotation config json key
dd21046 vc/store: fix TestStoreVCNewVCSandboxStore/TestStoreVCNewVCContainerStore
6ab89e4 vc/store: fix cache factory ut
4863aa9 vc/store: reuse store
ad15631 virtiofsd: Do not use posix lock.
2b40b6b vendor: update kata agent
aa43e2a virtcontainers: set agent's logs vsock port
23a5dc7 virtiofsd: use virtiofsd --syslog
d5a3d0a virtiofs: use virtiofsd --fd=FDNUM
6ce6a26 kata_agent: use virtio-fs 0.3+ mount options
80855a8 ci: travis: allow ppc64le failures
c3abd51 config: Fix `virtio-fs` typo in Makefile
8f6b0a6 virtcontainers: change firecracker socket permissions
8f70643 tests: Remove hardcoded annotation value.
e7b9c36 tests: Add tests for annotations.
09129c1 config: Define minimum memory requirement
8405b56 annotations: add Annotations for the agent.
5b78a8a annotations: Add annotations for runtime config
afb91c2 annotations: Add annotations to support additional configurations
845bf73 annotations: Support annotations to customise kata config
30d0b7a annotations: Add missing firmware and hashes to asset annotations
46b6815 annotations: Change existing annotations to fit a new format
312f3e7 virtcontainers/fc: implement remove device
7e9cc56 virtcontainers/fc: improve create disk pool process
07932d5 virtcontainers/fc: add logs and improve others to make debugging easier
ed7240b virtcontainers: move device operations to a more generic place
e93bf96 network: Add tuntap device
c8dd92d dep: update vendor packages for netlink commit
41407cf vc: make cgroup usage configurable if rootless
5f0799f vc: add rootless dir to path variables
cdd6f7e katautils: update paths to be configurable for rootless execution
2d8b278 rootless: add rootless logic
8b843c5 QEMU: do not require nvdimm machine option with initrd
c152ebf s390x: Fix runtime build for s390x
bc3c07b versions: Update kernel to 4.19.75
aa6a16c Hypervisor: UUID fix for acrn hypevisor
b1909e8 config: fix virtiofsd name
84ead98 config: add configuration-qemu-virtio-fs.toml to gitignore
443e657 config: honor DEFSHAREDFS_QEMU_VIRTIOFS and CONFIG_QEMU_VIRTIOFS_IN
3d0949d virtcontainers: check minimum supported version of firecracker
1f93cff virtcontainers: fix the issue of missing qemu error logs
8680db6 versions: update firecracker to the version 0.18.0
123ba13 vendor: update kata agent
5ac6e9a virtcontainers: make socket generation hypervisor specific
f2f0923 virtcontainers: rename kataVSOCK type and move it into the types package
f42dd7d virtcontainers/fc: Add support for hybrid vsocks
2c4cf39 virtcontainers/fc: bump firecracker experimental version
bb87b44 virtcontainers/fc: Add logger to the http transport
880bb2b virtcontainers: introducing HybridVSock type
2a8af23 virtcontainers: Make fc.go fit the new API
67ce728 virtcontainers: Update firecracker swagger API
cdb1b5c cli: Fix the qemu-virtiofs.toml
4134571 config: do not use nemu variable for qemu-virtiofs configuration
97fe749 config: use 9p as default shared filesystem for nemu
c81db9c sandbox: The unit of newMemory is MB
7fa0a72 s390x: Share image between qemu instances
7965baa vendor: update govmm
2ed94cb Config: Remove ConfigJSONKey from annotations
Signed-off-by: katacontainersbot <katacontainersbot@gmail.com>
