Let's remove the whole content from:
* /opt/confidential-containers/libexec
* /opt/confidential-containers/share
And then manually remove the binaries under bin directory` as the
pre-install hook will drop binaries there.
Finally, let's call a `rmdir -p /opt/confidential-containers/bin` which
should take care of the cleanup in case no pre-install hook is used, and
let's make sure we pass `--ignore-fail-on-non-empty` so we don't fail
when using a pre-install hook.
Fixes: #5128
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
For Confidential Containers the file is present at
`/opt/confidential-containers` instead of `/opt/kata`.
Fixes: #5119
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Add shim management http server and boot it as a light-weight thread
when the sandbox is created.
Fixes: #5114
Signed-off-by: Ji-Xinyou <jerryji0414@outlook.com>
period should have a type of u64, and quota should be i64, the
function of getting CPU period and quota from annotations should
use the same data type as function return type.
Fixes: #5100
Signed-off-by: Bin Liu <bin@hyper.sh>
Every now and then we've been hitting issues with parallel builds. in
order to not rely on lucky for the first release, let's do a serial
build of the payload image.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's add the documentation on how to generate the Kata Containers
payload, based in the CCv0 branch, that's consumed by the Confidential
Containers Operator.
Fixes: #5041
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The `image` target is only used by and only present in the `CCv0`
branch, and it's name is misleading. :-)
Let's rename it (and the scripts used by it) to mention payload rather
than image, and to actually build the cc related tarballs instead of the
"vanilla" Kata Containers tarballs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's adjust the `kata-deploy-build-and-upload-image.sh` to build the
image following the `kata-containers-${commit}` tag pattern, and to push
it to the quay.io/confidential-containers/runtime-payload repo.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's try to remove the /opt/confidential-containers directory. If it's
not empty, let's not bother force removing it, as the pre-install script
also drops files to the very same directory.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're currently backing up and restoring all the possible shim files,
but the default one ("containerd-shim-kata-v2").
Let's ensure this is also backed up and restored.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of passing a `KATA_CONF_FILE` environament variable, let's rely
on the configured (in the container engine) config path, as both
containerd and CRI-O support it, and we're using this for both of them.
This is a "backport" of f7ccf92dc8, from
the original `kata-deploy.sh` to the one used for Confidential
Containers.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As containerd is the only supported container engine, let's simplify the
script and, at the same time, make it clear that other container engines
are not supported yet.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Kata 3.0 introduced 3 new configurations under runtime section:
name="virt_container"
hypervisor_name="dragonball"
agent_name="kata"
Blank values will lead to starting to fail.
Adding default values will make user easy to migrate to kata 3.0.
Fixes: #5098
Signed-off-by: Bin Liu <bin@hyper.sh>
Let's create the QEMU build image based on the version of QEMU used, so
if we happen to have a parallel build we ensure different images are
being used.
Also, let's ensure the image gets remove after the build.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
In the commit 54d6d01754 we ended up
removing the BUILD_SUFFIX argument passed to QEMU as it only seemed to
be used to generate the HYPERVISOR_NAME and PKGVERSION, which were added
as arguments to the dockerfile.
However, it turns out BUILD_SUFFIX is used by the `qemu-build-post.sh`
script, so it can rename the QEMU binary accordingly.
Let's just bring it back.
Fixes: #5078
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit 373dac2dbb)
Patches failing without the no_patches.txt file for SPR-BKC-QEMU-v2.5.
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
(cherry picked from commit 59e3850bfd)
Dockerfile cannot decipher multiple conditional statements in the main RUN call.
Cannot segregate statements in Dockerfile with '{}' braces without wrapping entire statement in 'bash -c' statement.
Dockerfile does not support setting variables by bash command.
Must set HYPERVISOR_NAME and PKGVERSION from parent script: build-base-qemu.sh
Fixes: #5078
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
(cherry picked from commit 54d6d01754)
4cf502fb20 added the ability to build
TD-Shim, but forgot to have it added as part of the cc-tarball target.
Fixes: #5042
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Refactor the container builder code (`InitContainer` and `ActivatedContainer`)
to make it easier to understand and to maintain.
The details:
1. Separate the existing `builder.rs` into an `init_builder.rs` and
`activated_builder.rs` to make them easy to read and maintain.
2. Move the `create_linux_container` function from the `builder.rs` to
`container.rs` because it is shared by the both files.
3. Some validation functions such as `validate_spec` from `builder.rs`
to `utils.rs` because they will be also used by other components as
utilities in the future.
Fixes: #5033
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
In the commit 54d6d01754 we ended up
removing the BUILD_SUFFIX argument passed to QEMU as it only seemed to
be used to generate the HYPERVISOR_NAME and PKGVERSION, which were added
as arguments to the dockerfile.
However, it turns out BUILD_SUFFIX is used by the `qemu-build-post.sh`
script, so it can rename the QEMU binary accordingly.
Let's just bring it back.
Fixes: #5078
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Following the instructions in guidance doc will result in the ECONNREFUSED,
thus we need to keep the unix socket address in the two commands consistent.
Fixes: #5085
Signed-off-by: Yuan-Zhuo <yuanzhuo0118@outlook.com>
Dockerfile cannot decipher multiple conditional statements in the main RUN call.
Cannot segregate statements in Dockerfile with '{}' braces without wrapping entire statement in 'bash -c' statement.
Dockerfile does not support setting variables by bash command.
Must set HYPERVISOR_NAME and PKGVERSION from parent script: build-base-qemu.sh
Fixes: #5078
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
Added default sev kata config template.
Added required default variables in Makefile.
Fixes#5012Fixes#5008
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
amend_spec do two works:
- modify the spec
- check if the pid namespace is enabled
This make it confusable. So split it into two functions.
Fixes: #5062
Signed-off-by: Bin Liu <bin@hyper.sh>
Augment the mock hypervisor so that we can validate that ACPI memory hotplug
is carried out as expected.
We'll augment the number of memory slots in the hypervisor config each
time the memory of the hypervisor is changed. In this way we can ensure
that large memory hotplugs are broken up into appropriately sized
pieces in the unit test.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
