It requires root to manipulate netns and otherwise fails
like below:
```
=== RUN TestStartNetworkMonitor
--- FAIL: TestStartNetworkMonitor (0.00s)
Error Trace: sandbox_test.go:1481
Error: Expected nil, but got: &errors.errorString{s:"Error switching to ns /proc/6648/task/6651/ns/net: operation not permitted"}
```
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Convert virtcontainers tests to testify/assert to make the virtcontainers
tests more readable.
Fixes: #156
Signed-off-by: Julio Montes <julio.montes@intel.com>
Since some vendor IDs like 1ded cannot be identified by the virtio-pci
driver, a specified vendor ID needs to be passed to qemu.
Fixes: #1894
Signed-off-by: Ace-Tang <aceapril@126.com>
- qemu: use x-ignore-shared to implement vm template
- virtiofs: Allow memory hotplug with virtiofs
- Firecracker Add jailer support for firecracker
- runtime: update govmm and move to virtio 1.0 for hotplugs
- HV: kata-runtime support for ACRN hypervisor
- versions: add crictl version which is compatible with OpenShift
- versions: update CRI-O to v1.14.6
- Fix fork exec test errors
- ci: Verify and block merge if other projects are not updated
- shimv2: Add missing page size to Hugetlb Stat
d14968b qemu: use x-ignore-shared to implement vm template
d392b22 virtiofs: Allow memory hotplug with virtiofs
050f8e9 runtime: Disable disable-modern for virtio QMP add
3e4989d vendor: update govmm and match code
4fed346 Firecracker: Enable jailer by default
78ea50c virtcontainers: Jailer: Add jailer support for firecracker
98a6973 virtcontainers: Add ACRN unit test cases
f246a79 virtcontainers: Add support for updating virtio-blk based container rootfs
d9a4157 virtcontainers: Add support for launching/managing ACRN based VMs
828e0a2 pkg/katautils: Add support for ACRN hypervisor config
adcac93 kata-check: Check and validate type-1 hypervisor for kata
4d26cee Make: Add ACRN hypervisor and generate configuration file
bdd8947 versions: add crictl version which is compatible with OpenShift
098501a versions: update CRI-O to v1.14.6
4968438 tests: Fix fork/exec test error
fcf9f9f test: Fix fd leak causing test error
5182a25 ci: Verify and block merge if other projects are not updated
da7f5f3 shimv2: Add missing page size to Hugetlb Stat
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
qemu upstream has x-ignore-shared that works similar
to our private bypass-shared-memory. We can use it to
implement the vm template feature.
Fixes: #1798
Depends-on: github.com/kata-containers/packaging#641
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Kata with virtio-fs fails to do memory hotplugging. This is caused by
the fact that hot plugged memory is always backed by
'memory-backend-ram' while virtio-fs expects it to be backed by file and
shared for it to be able to use the system the way it is intended. This
change allows using a file based memory backend for virtio-fs, hugepages,
or when the user prefers to use file backed memory.
Fixes: #1745
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
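The commit above describes the root cause (hotplugged RAM always comes from 'memory-backend-ram', which a vhost-user daemon such as virtiofsd cannot map) but not what the corrected QMP exchange looks like. The following Go program is an added example, not kata's own code: it picks the backend type from a simplified sandbox config and emits the two QMP commands that hotplug a DIMM, using the QEMU 4.x `object-add` syntax with a `props` wrapper. The `MemoryConfig` field names, the `/dev/shm` and `/dev/hugepages` paths and the `mem<slot>`/`dimm<slot>` ids are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// MemoryConfig carries the sandbox settings that decide how hotplugged memory
// is backed. Field names are this example's, not kata's configuration keys.
type MemoryConfig struct {
	VirtioFS   bool // sandbox shares files via virtio-fs (vhost-user daemon)
	HugePages  bool // back guest memory with hugepages
	FileBacked bool // operator explicitly asked for file-backed memory
}

// Paths used for file-backed memory; assumptions for this example.
const (
	shmPath       = "/dev/shm"
	hugepagesPath = "/dev/hugepages"
)

type qmpCommand struct {
	Execute   string                 `json:"execute"`
	Arguments map[string]interface{} `json:"arguments"`
}

// BackendType picks the QOM type for a hotplugged memory backend. vhost-user
// devices such as virtio-fs need memory the host daemon can mmap, which
// memory-backend-ram cannot provide; only a shared, file-backed object works.
func BackendType(cfg MemoryConfig) string {
	if cfg.VirtioFS || cfg.HugePages || cfg.FileBacked {
		return "memory-backend-file"
	}
	return "memory-backend-ram"
}

// HotplugMemoryCommands returns the two QMP commands that hotplug sizeMiB of
// memory into the given slot: an object-add for the backend, then a
// device_add for the pc-dimm that uses it. The "props" wrapper is the
// QEMU 4.x object-add syntax (later QEMU versions flatten the properties).
func HotplugMemoryCommands(slot int, sizeMiB uint64, cfg MemoryConfig) ([]string, error) {
	memID := fmt.Sprintf("mem%d", slot)
	props := map[string]interface{}{"size": sizeMiB << 20}
	backend := BackendType(cfg)
	if backend == "memory-backend-file" {
		path := shmPath
		if cfg.HugePages {
			path = hugepagesPath
		}
		props["mem-path"] = path
		// Without share=true the virtio-fs daemon never sees the new RAM.
		props["share"] = true
	}
	cmds := []qmpCommand{
		{Execute: "object-add", Arguments: map[string]interface{}{
			"qom-type": backend, "id": memID, "props": props}},
		{Execute: "device_add", Arguments: map[string]interface{}{
			"driver": "pc-dimm", "id": fmt.Sprintf("dimm%d", slot), "memdev": memID}},
	}
	out := make([]string, 0, len(cmds))
	for _, c := range cmds {
		b, err := json.Marshal(c)
		if err != nil {
			return nil, err
		}
		out = append(out, string(b))
	}
	return out, nil
}

func main() {
	for _, cfg := range []MemoryConfig{{}, {VirtioFS: true}, {HugePages: true}} {
		cmds, _ := HotplugMemoryCommands(1, 1024, cfg)
		fmt.Printf("%+v\n  %s\n  %s\n", cfg, cmds[0], cmds[1])
	}
}
```

The plain `{}` config reproduces the broken behaviour the commit describes (a `memory-backend-ram` object); the virtio-fs and hugepages configs show the file-backed, shared object that hotplug needs in those cases.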
History: the previous version of kvm (unknown) and qemu-lite had an
issue using the virtio 1.0 version when it came to device hotplug, which led
the team to disable the 1.0 version of virtio for hotplug (set
disable-modern=on). Please check
e99f6b2931
for further info.
We have since moved to QEMU4.0 and probably a later version of kvm as
default across all distros. This change is to move to virtio 1.0 for
hotplugging devices.
Fixes: #1870
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Add jailer support to configuration files.
Also enable jailer by default in Kata containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location set up by jailer in order for firecracker to access
these resources. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not set up in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to launch the VMM process, vs.
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
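The jailer commit explains that every asset the VMM touches must already live inside the chroot the jailer builds, and that the jailer is what provides the mount and network namespace isolation. The Go program below is an added example of the staging step, not the runtime's own code: it computes the jail root using the upstream jailer layout `<chroot-base>/<exec-file basename>/<id>/root`, copies an asset into it and returns the path firecracker must be given from inside the jail, and assembles the jailer command line. Assumptions: the `/srv/jailer` default base directory, the sandbox id and uid/gid values, and that copying (rather than bind mounting, which needs CAP_SYS_ADMIN) is acceptable; the flags used (`--id`, `--exec-file`, `--uid`, `--gid`, `--chroot-base-dir`, `--netns`) are upstream jailer flags, and the `--api-sock` argument after `--` is a firecracker flag.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
)

// DefaultChrootBase mirrors the jailer's default --chroot-base-dir
// (assumption for this example; set it per deployment).
const DefaultChrootBase = "/srv/jailer"

// JailRoot returns the directory the jailer pivots the VMM into:
// <chroot-base>/<exec-file basename>/<id>/root
func JailRoot(chrootBase, execFile, id string) string {
	return filepath.Join(chrootBase, filepath.Base(execFile), id, "root")
}

// StageAsset copies one host file (kernel, rootfs image, ...) into the jail
// and returns the path the VMM must be given, i.e. the path as seen from
// inside the chroot. A bind mount would avoid the copy but needs
// CAP_SYS_ADMIN; copying keeps this example runnable unprivileged.
func StageAsset(jailRoot, hostPath string) (string, error) {
	if err := os.MkdirAll(jailRoot, 0o750); err != nil {
		return "", err
	}
	src, err := os.Open(hostPath)
	if err != nil {
		return "", err
	}
	defer src.Close()

	name := filepath.Base(hostPath)
	dst, err := os.OpenFile(filepath.Join(jailRoot, name),
		os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
	if err != nil {
		return "", err
	}
	if _, err := io.Copy(dst, src); err != nil {
		dst.Close()
		return "", err
	}
	if err := dst.Close(); err != nil {
		return "", err
	}
	// Inside the jail the asset sits directly under the chroot's root.
	return "/" + name, nil
}

// JailerArgs builds the jailer command line. Everything after "--" is
// passed through unchanged to the firecracker binary named by --exec-file,
// which runs inside the chroot and the network namespace given by --netns.
func JailerArgs(id, execFile, chrootBase, netns string, uid, gid int, vmmArgs ...string) []string {
	args := []string{
		"--id", id,
		"--exec-file", execFile,
		"--uid", strconv.Itoa(uid),
		"--gid", strconv.Itoa(gid),
		"--chroot-base-dir", chrootBase,
	}
	if netns != "" {
		args = append(args, "--netns", netns)
	}
	if len(vmmArgs) > 0 {
		args = append(args, "--")
		args = append(args, vmmArgs...)
	}
	return args
}

func main() {
	root := JailRoot(DefaultChrootBase, "/usr/bin/firecracker", "sandbox-1")
	fmt.Println("jail root:", root)
	fmt.Println(JailerArgs("sandbox-1", "/usr/bin/firecracker", DefaultChrootBase,
		"/var/run/netns/sandbox-1", 1000, 1000, "--api-sock", "/run/firecracker.socket"))
}
```

Note that paths handed to firecracker after staging are jail-relative (`/vmlinux`, not the host path); passing a host path is the classic mistake once the VMM is chrooted, and it fails only at boot time.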
This patch adds the following,
1. ACRN only supports virtio-blk and so the rootfs for the VM
sits at /dev/vda. So to get the container rootfs increment the
globalIndex by 1.
2. ACRN doesn't hot-plug container rootfs (but uses blkrescan) to
update the container rootfs. So the agent can be provided the virtpath
rather than the PCI addr, avoiding unnecessary rescanning to find the
virtpath.
v1->v2:
Removed the workaround of incrementing index for
virtio-blk device and addressed it in acrn.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch adds the following,
1. Implement Sandbox management APIs for ACRN.
2. Implement Sandbox operation APIs for ACRN.
3. Add support for hot-plugging virtio-blk based
(using blk rescan feature) container rootfs to ACRN.
4. Prime devices, image and kernel parameters for
launching VM using ACRN.
v2->v3:
Incrementing index to keep track of virtio-blk devices
created. This change removes the workaround introduced
in block.go.
v1->v2:
1. Created issue #1785 to address the UUID TODO item.
2. Removed dead code.
3. Fixed formatting of log messages.
4. Fixed year in copyright message.
5. Removed acrn_amd64.go file as there are no amd64 specific
changes. Moved the code to acrn_arch_base.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
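The two ACRN commits above rely on the guest-side naming of virtio-blk drives: the VM rootfs occupies /dev/vda, so container rootfs drives start one slot later, and the agent is handed that virtpath directly instead of a PCI address. The Go program below is an added example, not kata's or ACRN's code, of the general mapping from a virtio-blk index to the device name the Linux virtio_blk driver assigns (the same bijective base-26 scheme as sd*, so it also covers the /dev/vdaa.. range that a 26-slot implementation would get wrong) and of the ACRN offset. The function names and the constant `acrnVMRootfsIndex` are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// VirtDriveName maps a zero-based virtio-blk index to the guest device path
// the kernel assigns: 0 -> /dev/vda, 25 -> /dev/vdz, 26 -> /dev/vdaa,
// 701 -> /dev/vdzz, 702 -> /dev/vdaaa. Each round emits the least
// significant letter and then shifts by 26, subtracting one because the
// scheme has no zero digit ("a" and "aa" are distinct names).
func VirtDriveName(index int) (string, error) {
	if index < 0 {
		return "", errors.New("virtio-blk index must be non-negative")
	}
	suffix := ""
	for i := index; i >= 0; i = i/26 - 1 {
		suffix = string(rune('a'+i%26)) + suffix
	}
	return "/dev/vd" + suffix, nil
}

// acrnVMRootfsIndex is the slot the VM's own rootfs occupies on ACRN
// (/dev/vda), so container drives must start after it.
const acrnVMRootfsIndex = 0

// ACRNContainerRootfs returns the guest path for the n-th container rootfs
// attached to an ACRN sandbox. ACRN does not hot-plug PCI devices; the
// drive is made visible with a block rescan, and this virtpath is what the
// agent is told to use, so no PCI address lookup is involved.
func ACRNContainerRootfs(n int) (string, error) {
	if n < 0 {
		return "", errors.New("container slot must be non-negative")
	}
	return VirtDriveName(acrnVMRootfsIndex + 1 + n)
}

func main() {
	for _, i := range []int{0, 1, 25, 26, 701, 702} {
		p, _ := VirtDriveName(i)
		fmt.Printf("index %3d -> %s\n", i, p)
	}
	p, _ := ACRNContainerRootfs(0)
	fmt.Println("first container rootfs on ACRN:", p)
}
```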
This patch adds support for,
1. Extracting and configuring ACRN hypervisor from toml.
2. Add ACRN hypervisor ctl for controlling ACRN hypervisor.
This will be used for updating virtio-blk based
container rootfs using blk rescan feature.
v2->v3:
Fixed acrnctl path.
v1->v2:
Trimmed hypervisor config options as needed by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
ACRN hypervisor is a type-1 hypervisor and this patch
adds support to check and validate if the system is
capable of running kata containers with ACRN hypervisor.
Depends-on: github.com/kata-containers/tests#1793
v3->v4:
Implemented a generic way to identify hypervisor and
test VM creation.
v2->v3:
1. Removed cgo structs and defined go structs.
2. Suppressed lint warnings due to unused createVM struct.
v1->v2:
1. Created an issue #1784 to address TODO item.
2. Fixed formatting of the log message.
3. Currently ACRN is only supported on amd64. So
moved ACRN specific code to kata-check_amd64.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch covers the following aspects,
1. Add ACRN as a supported hypervisor for amd64 architecture.
2. Build and install configuration file for ACRN hypervisor.
v1->v2:
1. Deleted autogenerated configuration-acrn.toml.
2. Trimmed configuration options not used by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
- Changes:
- version: v1.14.6
- Add username and homedir to generated password
- Close temporary image in PullImage
- Version 1.14.6-dev
- Version 1.14.5
- version: if git commit is empty, silently ignore
- enable inline exec and attach test
- Bump up minMemoryLimit to 12Mb
- Backport CircleCI config
- Fix up machine os content version and cri-o version in spec
- Add state of infracontainer to disk when stopped
- Use GlobalAuthFile when pulling the pause image if
PauseImageAuthFile is not set
- Don't discard copy.Options.SourceCtx when credentials are provided
- Don't set non-default copy.Options in imageService.PullImage if it is nil
- Add global_auth_file option to crio.image config
- Create network and plugins directory if they do not exist
- Disable file locking by default
- Update containers/image to v2.0.0, buildah to 1.8.4, libpod to 1.4.1, ...
- Bump github.com/containers/libpod from 1.2.0 to 1.3.1
- Vendor containers/storage v1.12.4
- update github.com/containers/* dependencies
- Changes to rpm build and Dockerfile for ci
- When plugin_dir is set, only use that value
- Update Makefile to be usable without git
- bump to version 1.14.5-dev
- bump to version 1.14.4
- Default to runc if default_runtime is not set
- Fix missing images names on list
- Add crio-wipe
- Add logic for running OpenShift CI on cri-o PRs
- Update device cgroup permissions for configured devices.
- version: v1.14.4-dev
- version: v1.14.3
- Fix runtime panic when having concurrent writes to runtime impl map
- server: do not add default /sys if bind mounted
- Change plugin_dir to plugin_dirs
- Added unit tests
- Add version file functionality
- fix build issues on 32-bit arches
- conmon: use sd_journal_sendv
- make vendor generated
- Move to v1.14.3-dev
- Tag v1.14.2
- Vendor in c/storage release-1.13
- Revert "update github.com/containers/* dependencies"
- Update test suites
- Fix logic of server.restore()
- version: v1.14.2-dev
Fixes: #1866
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Fixed `TestSandboxCreationFromConfigRollbackFromCreateSandbox`, which
requires that the hypervisor does not exist. Unfortunately, it does
exist (as a fake test binary) but isn't executable, meaning that although the
test failed (since an error is expected), rather than the expected
`ENOENT` error the test was logging a message similar to the following,
since the fake hypervisor exists with non-executable permissions:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the `TestQemuAddDeviceKataVSOCK` test so that it:
- Doesn't hard-code the file descriptor number.
- Cleans up after itself.
The latter issue was causing an odd error similar to the following in
the test output:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Partially fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This will take the VERSION of all the components in order to
verify that they match among them before merging the runtime.
Fixes: #1581
Depends-on: github.com/kata-containers/packaging#614
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Kubernetes moved CRI document within the sig-node directory. Updating
README.md accordingly.
Fixes: #1837
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
With #1485, we moved the default medium empty-dir creation to the
sandbox rootfs. This worked for devicemapper, but in case of overlay
the "local" directory was being created outside the sandbox rootfs.
As a result we were seeing the behaviour seen in #1818.
Fixes: #1818
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>