dependabot[bot]
a9c8377073
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
...
---
updated-dependencies:
- dependency-name: zerocopy
dependency-version: 0.6.6
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:50:38 +00:00
dependabot[bot]
0b4c434ece
build(deps): bump unsafe-libyaml in /src/tools/kata-ctl
...
Bumps [unsafe-libyaml](https://github.com/dtolnay/unsafe-libyaml) from 0.2.9 to 0.2.11.
- [Release notes](https://github.com/dtolnay/unsafe-libyaml/releases)
- [Commits](https://github.com/dtolnay/unsafe-libyaml/compare/0.2.9...0.2.11)
---
updated-dependencies:
- dependency-name: unsafe-libyaml
dependency-version: 0.2.11
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:46:27 +00:00
Fabiano Fidêncio
35629d0690
Merge pull request #11603 from stevenhorsman/security-updates-21-jul
...
dependencies: More crate bumps to resolve security issues
2025-07-21 14:33:07 +02:00
stevenhorsman
162ba19b85
agent-ctl: Bump rustls
...
Bump rustls to >=0.23.18 to remediate RUSTSEC-2024-0399
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:41:59 +01:00
stevenhorsman
42339e9cdf
dragonball: Update url crate
...
Update url to 2.5.4 to bump idna to 1.0.3 and remediate
RUSTSEC-2024-0421
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:35:05 +01:00
stevenhorsman
1795361589
runk: Update rustjail
...
Update the rustjail crate to pull in the latest security fixes
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:31:18 +01:00
stevenhorsman
28929f5b3e
runtime: Bump prometheus
...
Bump this crate to remove the old version of protobuf
and remediate RUSTSEC-2024-0437
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:29:57 +01:00
stevenhorsman
e66aa1ef8c
runtime: Bump prometheus and ttrpc-codegen
...
Bump these crates to remove the old version of protobuf
and remediate RUSTSEC-2024-0437
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:29:39 +01:00
Fabiano Fidêncio
d60513ece9
Merge pull request #11597 from kata-containers/topic/fix-release-static-tarball-content
...
release: Copy the VERSION file to the tarball
2025-07-20 21:06:40 +02:00
Fabiano Fidêncio
55aae75ed7
shellcheck: Fix issues on kata-deploy-merge-builds.sh
...
As we're already touching the file, let's get those fixed.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-20 09:33:50 +02:00
Fabiano Fidêncio
aaeb3b3221
release: Copy the VERSION file to the tarball
...
For the release itself, let's simply copy the VERSION file to the
tarball.
To do so, we had to change the logic that merges the build, as at that
point the tag is not yet pushed to the repo.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-20 00:06:14 +02:00
Fabiano Fidêncio
21ccaf4a80
Merge pull request #11596 from fidencio/release/v3.19.0
...
release: Bump version to 3.19.0
2025-07-19 18:27:36 +02:00
Fabiano Fidêncio
60f312b4ae
release: Bump version to 3.19.0
...
Bump VERSION and helm-chart versions
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-19 09:11:30 +02:00
Fabiano Fidêncio
1351ccb2de
Merge pull request #11576 from Tim-Zhang/update-protobuf-to-fix-CVE-2025-53605
...
chore: Update protobuf to fix CVE-2025-53605
2025-07-19 07:43:13 +02:00
Fabiano Fidêncio
7f5f032aca
runtime-rs: Update containerd-shim / containerd-shim-protos
...
Let's bump those to their 0.10.0 releases, which contain fixes for the
CVE-2025-53605.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-19 00:18:01 +02:00
Fabiano Fidêncio
6dc4c0faae
Merge pull request #11589 from fidencio/topic/fix-tdx-qemu-path-for-non-gpu
...
qemu: tdx: Fix binary path for non-gpu TDX
2025-07-18 17:24:00 +02:00
Tim Zhang
2fe9df16cc
agent-ctl: update Cargo.lock to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/392
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:13:25 +02:00
Tim Zhang
45b44742de
genpolicy: update Cargo.lock to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/394
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:10:52 +02:00
Tim Zhang
fa9ff1b299
kata-ctl: update prometheus/protobuf to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/395
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:05:13 +02:00
Tim Zhang
d0e7a51f7b
dragonball: update prometheus/protobuf to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/396
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
2025-07-18 16:02:29 +02:00
Tim Zhang
222393375a
agent: update ttrpc-codegen to remove dependency on protobuf v2
...
To fix CVE-2025-53605.
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/397
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:02:07 +02:00
Fabiano Fidêncio
60c3d89767
Merge pull request #11558 from gmintoco/feature/helm-nodeSelector
...
helm: add nodeSelector support to kata-deploy chart
2025-07-18 15:52:19 +02:00
Fabiano Fidêncio
3143787f69
qemu: tdx: Fix binary path for non-gpu TDX
...
On commit 90bc749a19, we've changed the
QEMUTDXPATH in order to get it to work with GPUs, but the change broke
the non-GPU TDX use-case, which depends on the distro binary.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 15:26:27 +02:00
Fabiano Fidêncio
497a3620c2
tests: Remove references to qemu-sev
...
As it's been removed from our codebase.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
17ce44083c
runtime: Remove reference to sev package
...
Otherwise it'll just break static checks.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
3b5cd2aad6
helm: remove qemu-sev references
...
qemu-sev support has been removed, but those bits were left behind by
mistake.
Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
41d41d51f7
helm: add nodeSelector support to kata-deploy chart
...
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them
Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
7d709a0759
Merge pull request #11493 from stevenhorsman/agent-ctl-tag-cache
...
ci: cache: Tag agent-ctl cache
2025-07-18 12:12:46 +02:00
Fabiano Fidêncio
4a6c718f23
Merge pull request #11584 from zvonkok/fix-kernel-debug-enabled
...
kernel: fix enable kernel debug
2025-07-18 11:38:36 +02:00
Sumedh Alok Sharma
47184e82f5
Merge pull request #11313 from Ankita13-code/ankitapareek/exec-id-agent-fix
...
agent: update the processes hashmap to use exec_id as primary key
2025-07-18 14:07:15 +05:30
Fabiano Fidêncio
d9daddce28
Merge pull request #11578 from justxuewei/vsock-async
...
runtime-rs: Fix the issue of blocking socket with Tokio
2025-07-18 10:13:03 +02:00
Xuewei Niu
629c942d4b
runtime-rs: Fix the issue of blocking socket with Tokio
...
According to the issue [1], Tokio will panic when we are giving a blocking
socket to Tokio's `from_std()` method, the information is as follows:
```
A panic occurred at crates/agent/src/sock/vsock.rs:59: Registering a
blocking socket with the tokio runtime is unsupported. If you wish to do
anyways, please add `--cfg tokio_allow_from_blocking_fd` to your RUSTFLAGS.
```
A workaround is to set the socket to non-blocking.
1: https://github.com/tokio-rs/tokio/issues/7172
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
1508e6f0f5
agent: Bump Tokio to v1.46.1
...
Tokio now has a newer version, let us bump it.
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
5a4050660a
runtime-rs: Bump Tokio to v1.46.1
...
Tokio now has a newer version, let us bump it.
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Zvonko Kaiser
a786dc48b0
kernel: fix enable kernel debug
...
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-18 02:24:19 +00:00
Fabiano Fidêncio
eb2bfbf7ac
Merge pull request #11572 from stevenhorsman/RUSTSEC-2024-0384-remediate
...
More crate bumps for security remediations
2025-07-17 22:35:05 +02:00
Zvonko Kaiser
cef9485634
Merge pull request #11450 from kata-containers/dependabot/cargo/src/agent/nix-0.27.1
...
build(deps): bump nix to 0.26.4 in agent, libs, runtime-rs
2025-07-17 14:22:40 -04:00
stevenhorsman
41a608e5ce
tools: Bump borsh, liboci-cli and oci-spec
...
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
e56f493191
deps: Bump zbus, serial_test & async-std
...
Bump these crates across various components to remove the
dependency on unmaintained instant crate and remediate
RUSTSEC-2024-0384
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
bb820714cb
agent-ctl: Update borsh
...
- Update borsh to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
Steve Horsman
549fd2a196
Merge pull request #11581 from stevenhorsman/osv-scanner-action-permissions-fix
...
workflow: Fix osv-scanner action
2025-07-17 18:18:16 +01:00
stevenhorsman
a7e27b9b68
workflow: Fix osv-scanner action
...
- The github generated template had an old version which
isn't valid for the pr-scan, so update to the latest
- The action also needs `actions: read` and `contents:read` to run in kata-containers
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 17:29:35 +01:00
Steve Horsman
8741f2ab3d
Merge pull request #11580 from kata-containers/osv-scanner-action
...
workflow: Add osv-scanner action
2025-07-17 17:00:34 +01:00
stevenhorsman
1a75c12651
workflow: Add osv-scanner action
...
Add action to check for vulnerabilities in the project and
on each PR
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 16:41:56 +01:00
stevenhorsman
4c776167e5
trace-forwarder: Add nix features
...
Some of the nix apis we are using are now enabled by features,
so add these to resolve the compilation issues
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:09:21 +01:00
dependabot[bot]
cd79108c77
build(deps): bump nix in /src/tools/trace-forwarder
...
Bumps [nix](https://github.com/nix-rust/nix) from 0.23.1 to 0.30.1.
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/compare/v0.23.1...v0.30.1)
---
updated-dependencies:
- dependency-name: nix
dependency-version: 0.30.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:09:06 +01:00
stevenhorsman
9185ef1a67
runtime-rs: Bump nix to matching version
...
runtime-rs needs the same version as libs,
so sync this up as well.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:08:46 +01:00
dependabot[bot]
219ad505c2
build(deps): bump nix from 0.24.3 to 0.26.4 in /src/agent
...
Nix needs to be in sync between libs and agent, so bump
the agent to the libs version
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:01:06 +01:00
dependabot[bot]
a4d22fe330
build(deps): bump nix from 0.24.2 to 0.26.4 in /src/libs
...
---
updated-dependencies:
- dependency-name: nix
dependency-version: 0.26.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:01:06 +01:00
Fabiano Fidêncio
6dabb3683f
Merge pull request #10961 from zvonkok/shellcheck-zero
...
shellcheck: fix kernel/build.sh
2025-07-17 12:59:00 +02:00