Commit Graph

14298 Commits

Author SHA1 Message Date
Fabiano Fidêncio
dbd1fa51cd
tests: kbs: Don't assume /tmp/trustee exists in the machine
Instead, check if the directory exists before pushd'ing into it.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-22 20:01:57 +02:00
Gabriela Cervantes
f698caccc0
gha: Enable install kbs and coco components for TDX
This PR enables the installation and unistallation of the kbs client
as well as general coco components needed for the TDX GHA CI.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-05-22 20:01:57 +02:00
GabyCT
eaaab19763
Merge pull request #9685 from GabyCT/topic/fixic
tests: Fix indentation in confidential common script
2024-05-22 11:53:33 -06:00
Gabriela Cervantes
29a10f1373 metrics: Fix minvalue for boot time
This PR fixes the minvalue for boot time to avoid the random failures
of the GHA CI.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-05-22 17:52:51 +00:00
GabyCT
0b32360ab4
Merge pull request #9684 from stevenhorsman/add-arch-to-component-cache-tags
ci: cache: Add arch suffix to all cache tags
2024-05-22 09:24:28 -06:00
Fabiano Fidêncio
0e33ecf7fc
Merge pull request #9653 from JakubLedworowski/fixes-9497-ensure-quote-generation-service-is-added-to-qemu-cmd-2
runtime: Enable connection to Quote Generation Service (QGS)
2024-05-22 15:49:23 +02:00
sidneychang
8938f35627 runtime-rs: Adjust indentation in ifneq statements within Makefile.
Replace tab indentation with spaces for the three lines within the ifneq statements, aligning them with the surrounding code.

Fixes:#9692

Signed-off-by: sidneychang <2190206983@qq.com>
2024-05-22 20:24:35 +08:00
Fabiano Fidêncio
94f7bbf253
Merge pull request #9682 from fidencio/topic/allow-increasing-cpus-and-memory-via-annotation-for-tdx
runtime: tdx: Allow default_{cpu,memory} annotations
2024-05-22 12:07:28 +02:00
Xuewei Niu
d31616cec3 runtime-rs: Remove obsoleted dial_timeout config
The `dial_timeout` works fine for Runtime-go, but is obsoleted in
Runtime-rs.

When the pod cannot connect to the Agent upon starting, we need to adjust
the `reconnect_timeout_ms` to increase the number of connection attempts to
the Agent.

Fixes: #9688

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2024-05-22 17:57:05 +08:00
Jakub Ledworowski
fc680139e5 runtime: Enable connection to Quote Generation Service (QGS)
For the TD attestation to work the connection to QGS on the host is needed.
By default QGS runs on vsock port 4050, but can be modified by the host owner.
Format of the qemu object follows the SocketAddress structure, so it needs to be provided in the JSON format, as in the example below:
-object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"vsock","cid":"2","port":"4050"}}'

Fixes: #9497
Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>
2024-05-22 11:16:24 +02:00
Alex Lyn
0331859740
Merge pull request #9642 from gkurz/drop-unused-knobs-qemu-rs
runtime-rs: Drop some useless QEMU arguments
2024-05-22 16:13:14 +08:00
Alex Lyn
ce030d1804
Merge pull request #9641 from cmaf/runtime-resize-mem-1
runtime: Add missing check in ResizeMemory for CH
2024-05-22 14:05:30 +08:00
Alex Lyn
b7af00be2a
Merge pull request #9624 from cncal/bugfix_duplicated_devices
runtime: fix duplicated devices requested to the agent
2024-05-22 12:45:46 +08:00
Steve Horsman
f41f642b90
Merge pull request #9635 from kata-containers/dependabot/go_modules/src/runtime/go_modules-f0df977846
build(deps): bump github.com/containerd/containerd from 1.7.11 to 1.7.16 in /src/runtime in the go_modules group across 1 directory
2024-05-21 21:19:32 +01:00
Steve Horsman
9b0ed3dfa7
Merge pull request #9657 from ajaypvictor/remote-hyp-annotations
runtime: Disable number of cpu comparison on remote hypervisor scenario
2024-05-21 21:19:12 +01:00
Hyounggyu Choi
92101fc61f
Merge pull request #9658 from BbolroC/migrate-vfio-ap-test
CI: Migrate vfio-ap test files from tests repo
2024-05-21 20:21:09 +02:00
Lei Huang
b0a91b0d13 kata-agent: update env PCIDEVICE_<prefix>_<resource-name>_INFO
The new version of sriov-network-device-plugin adds an env
`PCIDEVICE_<prefix>_<resource-name>_INFO`, which has a json
value; kata-agent can't parse it as env
`PCIDEVICE_<prefix>_<resource-name>` which has value in format
"DDDD:BB:SS.F".

This change updates env `PCIDEVICE_<prefix>_<resource-name>_INFO`.

Signed-off-by: Lei Huang <leih@nvidia.com>
2024-05-21 10:46:41 -07:00
stevenhorsman
db4818fe1d ci: cache: Enforce tag length limit
Container tags can be a maximum of 128 characters long
so calculate the length of the arch suffix and then restrict
the tag to this length subtracted from 128

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-21 18:03:45 +01:00
Gabriela Cervantes
c9e91db16f tests: Fix indentation in confidential common script
This PR fixes the indentation in the confidential common script.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-05-21 16:33:46 +00:00
stevenhorsman
d6afd77eae ci: cache: Update agent cache to use the full commit hash
- Previously I copied the logic that abbreviated the commit hash
from the versioning, but looking at our versions.yaml the clear pattern
is that when pointing at commits of dependencies we use the full
commit hash, not the abbreviated one, so for consistency I think we should
do the same with the components that we make available

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-21 16:51:16 +01:00
stevenhorsman
d46b6a3879 ci: cache: Add arch suffix to all cache tags
As we have multi-arch builds for nearly all components, we want to ensure
that all the cache tags we set have the architecture suffix, not just the
`TARGET_BRANCH` one.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-21 11:25:07 +01:00
stevenhorsman
865fa9da15 runtime: Resolve go static-checks failure
Remove `rand.Seed` call to resolve the following failure:
```
rand.Seed is deprecated: As of Go 1.20 there is no reason to call Seed with a random value.
```

The go rand.Seed docs: https://pkg.go.dev/math/rand@go1.20#Seed
back this up and states:
> If Seed is not called, the generator is seeded randomly at program startup.
so I believe we can just delete the call.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-21 11:08:59 +01:00
Fabiano Fidêncio
abf52420a4 runtime: tdx: Allow default_{cpu,memory} annotations
For now, let's allow the users to set the default_cpu and default_memory
when using TDX, as they may hit issues related to the size of the
container image that must be pulled and unpacked inside the guest,

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-21 10:26:39 +02:00
stevenhorsman
75a201389d runtime: update go version in go.mod
- Make due to us bumping the golang version used in our CI
but `make vendor` fails without the go version in the runtime go.mod
being increased, so update this and run go mod tidy

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-21 09:11:46 +01:00
dependabot[bot]
735185b15c build(deps): bump github.com/containerd/containerd
Bumps the go_modules group with 1 update in the /src/runtime directory: [github.com/containerd/containerd](https://github.com/containerd/containerd).


Updates `github.com/containerd/containerd` from 1.7.11 to 1.7.16
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v1.7.11...v1.7.16)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-05-21 09:11:46 +01:00
Ajay Victor
abe607b0c7 runtime: Disable number of cpu comparison on remote hypervisor scenario
Fixes https://github.com/kata-containers/kata-containers/issues/9238

Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
2024-05-21 13:34:21 +05:30
dependabot[bot]
01868b2849
---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-05-20 22:06:41 +00:00
Fabiano Fidêncio
8879e3bc45
Merge pull request #9452 from GabyCT/topic/tdxcoco
gha: Add support to install KBS to k8s TDX GHA workflow
2024-05-20 23:28:52 +02:00
Fabiano Fidêncio
072b929b6f
Merge pull request #9660 from malt3/fix/genpolicy/namespace_empty_string
genpolicy: detect empty string in ns as default
2024-05-20 21:34:13 +02:00
Gabriela Cervantes
cfdef7ed5f tests/k8s: Use custom intel DCAP configuration
This PR adds the use of custom Intel DCAP configuration when
deploying the KBS.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-05-20 18:44:57 +00:00
Gabriela Cervantes
cace2fd340 metrics: Improve variable definition in memory usage script
This PR improves general format like variable definition to have
uniformity across the memory usage script.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-05-20 16:14:59 +00:00
Fabiano Fidêncio
97056b017d
Merge pull request #9675 from stevenhorsman/release-build-tarballs-inherit-secrets
gha: release: Set inherit secrets on tarball builds
2024-05-20 18:06:38 +02:00
Fabiano Fidêncio
b8b3bcc492
Merge pull request #9671 from bikesheddev/fix/kata-deploy-unbound-variable
fix: kata-deploy.sh VERSION_ID unbound-variable
2024-05-20 17:22:55 +02:00
Fabiano Fidêncio
94cff3f74e
Merge pull request #9315 from fidencio/topic/adapt-TEEs-for-shared_fs-none
TEEs: Use `shared_fs=none` for TDX
2024-05-20 17:17:36 +02:00
Fabiano Fidêncio
cffeb0ffb8
Merge pull request #9673 from fidencio/topic/revert-aks-workaround
Revert "ci: azure: Workaround azure cli installation script"
2024-05-20 16:16:55 +02:00
stevenhorsman
f271983aeb gha: release: Set inherit secrets on tarball builds
Now we have updated the release builds to push
artefacts to
our registry for the release, so we can cache the images, we need to
set `secrets: inherit` for all architecture's tarball builds
so that we can log into quay.io and ghcr in those steps

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-20 14:19:17 +01:00
Fabiano Fidêncio
25c9cf32ff
Revert "ci: azure: Workaround azure cli installation script"
This reverts commit 5ff53e4d1c, as the
script was fixed by MSFT, at least according to:
https://github.com/Azure/azure-cli/issues/28984

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-20 14:38:46 +02:00
vac (Brendan)
d812007b99 kata-deploy: Fix unbound VERSION_ID
VERSION_ID is not guaranteed to be specified in os-release, this
makes kaka-deploy breaks in rolling distros like arch linux and void
linux.

Note that operating system vendors may choose not to provide
version information, for example to accommodate for rolling releases.
In this case, VERSION and VERSION_ID may be unset.
Applications should not rely on these fields to be set.

Signed-off-by: vac <dot.fun@protonmail.com>
2024-05-20 19:48:31 +08:00
Tim Zhang
857d2bbc8e agent: Fix ctr exec stuck problem
Fixes: #9532

Close stdin when write_stdin receives data of length 0.

Stop call notify_term_close() in close_stdin, because it could
discard stdout unexpectedly.

Signed-off-by: Tim Zhang <tim@hyper.sh>
2024-05-20 14:52:14 +08:00
Fabiano Fidêncio
e8ebe18868
tests: k8s: tdx: Skip liveness probe test
This test doesn't fail with the guest image pulling, but it for sure
should. :-)

We can see in the bats logs, something like:
```
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  31s               default-scheduler  Successfully assigned kata-containers-k8s-tests/liveness-exec to 984fee00bd70.jf.intel.com
  Normal   Pulled     23s               kubelet            Successfully pulled image "quay.io/prometheus/busybox:latest" in 345ms (345ms including waiting)
  Normal   Started    21s               kubelet            Started container liveness
  Warning  Unhealthy  7s (x3 over 13s)  kubelet            Liveness probe failed: cat: can't open '/tmp/healthy': No such file or directory
  Normal   Killing    7s                kubelet            Container liveness failed liveness probe, will be restarted
  Normal   Pulled     7s                kubelet            Successfully pulled image "quay.io/prometheus/busybox:latest" in 389ms (389ms including waiting)
  Warning  Failed     5s                kubelet            Error: failed to create containerd task: failed to create shim task: the file /bin/sh was not found: unknown
  Normal   Pulling    5s (x3 over 23s)  kubelet            Pulling image "quay.io/prometheus/busybox:latest"
  Normal   Pulled     4s                kubelet            Successfully pulled image "quay.io/prometheus/busybox:latest" in 342ms (342ms including waiting)
  Normal   Created    4s (x3 over 23s)  kubelet            Created container liveness
  Warning  Failed     3s                kubelet            Error: failed to create containerd task: failed to create shim task: failed to mount /run/kata-containers/f0ec86fb156a578964007f7773a3ccbdaf60023106634fe030f039e2e154cd11/rootfs to /run/kata-containers/liveness/rootfs, with error: ENOENT: No such file or directory: unknown
  Warning  BackOff    1s (x3 over 3s)   kubelet            Back-off restarting failed container liveness in pod liveness-exec_kata-containers-k8s-tests(b1a980bf-a5b3-479d-97c2-ebdb45773eff)
```

Let's skip it for now as we have an issue opened to track it down:
https://github.com/kata-containers/kata-containers/issues/9665

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 21:59:29 +02:00
Fabiano Fidêncio
a2c70222a8
tests: k8s: tdx: Skip initContainerd shared vol test
This is another one that is related to initContainers not being properly
handled with the guest image pulling.

Let's skip it for now as we have
https://github.com/kata-containers/kata-containers/issues/9668 to track
it down.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 20:58:45 +02:00
Fabiano Fidêncio
9d56145499
tests: k8s: tdx: Skip volume related tests
Similarly to firecracker, which doesn't have support for virtio-fs /
virtio-9p, TDX used with `shared_fs=none` will face the very same
limitations.

The tests affected are:
* k8s-credentials-secrets.bats
* k8s-file-volume.bats
* k8s-inotify.bats
* k8s-nested-configmap-secret.bats
* k8s-projected-volume.bats
* k8s-volume.bats

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 19:38:49 +02:00
Fabiano Fidêncio
606a62a0a7
tests: k8s: tdx: Skip "Setting sysctl" test
This test fails when using `shared_fs=none` with the nydus-snapshotter,
and we're tracking the issue here:
https://github.com/kata-containers/kata-containers/issues/9666

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 19:38:38 +02:00
Fabiano Fidêncio
937b2d5806
tests: k8s: tdx: Skip "Kill all processes in container" test
This test fails when using `shared_fs=none` with the nydus snapshotter,
and we're tracking the issue here:
https://github.com/kata-containers/kata-containers/issues/9664

For now, let's have it skipped.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:51:14 +02:00
Fabiano Fidêncio
03ce41b743
tests: k8s: tdx: Skip "Check custom dns" test
The test has been failing on TDX for a while, and an issue has been
created to track it down, see:
https://github.com/kata-containers/kata-containers/issues/9663

For now, let's have it skipped.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:51:14 +02:00
Fabiano Fidêncio
1a8a4d046d
tests: k8s: setup: Improve / Fix logs
Let's make sure the logs will print the correct annotation and its
value, instead of always mentioning "kernel" and "initrd".

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:51:14 +02:00
Fabiano Fidêncio
3f38309c39
tests: k8s: tdx: Stop running k8s-guest-pull-image.bats
We're doing that as all tests are going to be running with
`shared_fs=none`, meaning that we don't need any specific test for this
case anymore.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:51:00 +02:00
Fabiano Fidêncio
e84619d54b
tests: k8s: tdx: Add add_runtime_handler_annotations function
This function will set the needed annotation for enforcing that the
image pull will be handled by the snapshotter set for the runtime
handler, instead of using the default one.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:49:07 +02:00
Fabiano Fidêncio
f2de259387
runtime: tdx: Use shared_fs=none
We shouldn't be using 9p, at all, with TEEs, as off right now we have no
way to ensure the channels are encrypted.  The way to work this around
for now is using guest pull, either with containerd + nydus snapshotter
or with CRI-O; or even tardev snapshotter for pulling on the host (which
is the approach used by MSFT).

This is only done for TDX for now, leaving the generic, AMD, and IBM
related stuff for the folks working on those to switch and debug
possible issues on their environment.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-19 18:47:09 +02:00
Fabiano Fidêncio
5b257685d9
Merge pull request #9662 from dborquez/fix_launchtimes_timestamp_generation
Fix launch times timestamp generation.
2024-05-18 21:11:09 +02:00