FIPS are a set of security standards for encryption algorithms
in user and kernel space among others.
Have Kata support this by starting the VM for a container
in FIPS mode on detecting that the host is running in FIPS mode.
Depends-on: github.com/kata-containers/packaging#788
Fixes#2170
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
cri-tools version was managed in the tests repository, but as
we define here cri-o, containerd and kubernetes versions, it
make sense to have the cri-tools version defined in this repo.
conmon has now to be installed/built separately. So add it
to the list.
Depends-on: github.com/kata-containers/tests#2057
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
This adds an option to the agent to control the hotplug timeout of block devices.
Retains the previous behaviour of defaulting to 3 seconds if not specified.
Can be increased when block device hot plugging is taking longer than expected.
fixes#62
Signed-off-by: Alex Price <aprice@atlassian.com>
Update k8s supported version from 1.15.3 to 1.16.2
and cri-o from 1.15.0 to 1.16.0
Fixes: #2166.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The `skip_*` macros will be useful across the different tests so having
them in a separate module can help with code duplication. This change
creates a new module and exports the macros at crate level.
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Fixes to allow the rust agent to be built using a gnu target.
Specifically, remove assumptions about musl-specific types.
Fixes: #70.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Since build with --release produces corrupted binary in ci, we removed
--release. However, the make install target cannot find the binary,
set BUILDTYPE to debug
Fixes: #67
Signed-off-by: Yang Bo <bo@hyper.sh>
- sandbox/cgroups: don't constrain if using SandboxCgroupsOnly
- cli: add kata-overhead subcommand
- versions: support specify version in versions.yaml for rust agent.
- virtcontainers/sandbox: calculate container's CPU from sandbox.contai…
- ci: Fix versions_checker.sh
- ci: Fix versions_checker.sh
- virtcontainers: unmount host mounts if container can't be created
- virtcontainers/store: make VCStoreUUIDPath rootless
- virtcontainers/annotations: use right domain name for kata annotations
- v2: Change the event and error behavior of pause/resume
- Update cni plugin version
- Load state early so that hypervisor can store the correct state
e4c816b versions: support specify version in versions.yaml for rust agent.
691a6a7 sandbox/cgroups: don't constrain if using SandboxCgroupsOnly
7fe0100 cli: add kata-overhead command
1bbc1d5 virtcontainers: add StatsSandbox to vc API
569bd78 virtcontainers: change pass by value to pass by reference
5b226d0 ci: Fix versions_checker.sh
f8b84d7 ci: Fix versions_checker.sh
24d7aff virtcontainers: change pass by value to pass by reference
abec17f virtcontainers/store: make VCStoreUUIDPath rootless
eca7bd2 virtcontainers: unmount host mounts if container can't be created
91bd095 virtcontainers/annotations: use right domain name for kata annotations
c1060a3 v2: Change the event and error behavior of pause/resume
f6a10bc state: Refactor code to move all the state load code
fa4acad state: Load the state from storage early on
929c4e7 network: Change NewNS() call
c0995c6 vendor: Vendor the latest CNI plugins
86d8346 version: Update the version for cni plugins
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
The get_key_value method is currently only avaiable in nightly rust.
As only this feature is required it worth to refactor and enable building
in the stable channel.
The method was removed by first getting the value from the CGROUPS hashmap,
then key is get by iterating over all the keys. The checks for an empty key and
key == "devices" were moved out of the hashmap block.
The README.md was updated as well to detail the instructions for stable rust.
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Create a config module and add more tests. Also enable setting the log
level from the kernel command-line.
Fixes: #59, #63.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
When SandboxCgroupsOnly is set, we are expected to just inherit our parent's
cgroup settings and to move all Kata threads within that sandbox cgroup. The
initial implementation still adjusted the size of this cgroup. This commit
fixes this.
This commit makes a couple of functional changes, small refactors, and
adds clarifying comments for some functions.
Fixes: #2090
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Introduce kata-overhead command to kata-runtime CLI, to help
with calculating sandbox overhead.
Fixes: #2096
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
StatsSandbox is used to gather metrics for the sandbox (host cgroup) as
well as from the individual containers (from the guest cgroups). This is
intended to be used for easily calculating Kata sandbox overheads.
Fixes: #2096
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
container.config does not point to sandbox.config.Containers.ContainerConfig
which caused the ContainerConfig not sync.
Fixes: #2129
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
These include features like privileged containers without host devices
and support for per runtime annotations.
Depends-on: github.com/kata-containers/tests#2029
Fixes#2099
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
ACRN doesn't support configuring number of guest vcpu option ('-c') anymore.
Number of guest vcpus will be defined in the hypervisor scenario
configuration file instead.
Removed the -c option from the acrn-dm parameters when launching VMs and
also trimmed configuration.toml file accordingly.
fixes#2136
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
When do the reloading sandbox in shimv2, it's needed to
rewatch the hypervisor's console when debug enabled.
Fixes:#2091
Signed-off-by: lifupan <lifupan@gmail.com>
Version checker does to work today
- Allow to detect stabe branches
Fixes#1581
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Version checker does to work today
- Allow to detect stabe branches
Fixes#1581
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
