The incorrect name causes `make cc-payload` to fail, as
`cc-tdx-rootfs-tarball` is a non existent target.
Fixes: #5628
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Support the handlers in runtime, which are used by kata-ctl iptables series of commands in runtime.
Fixes: #5370
Signed-off-by: Ji-Xinyou <jerryji0414@outlook.com>
The cargo patch in the cargo.toml seems to cause the whole runtime-rs
building time longer and also makes it harder to build runtime-rs in an
environment without the network
We should delete all patches from the cargo.toml file and publish all
the crates that was once patched.
fixes: #5614#5527#5526#5449
Signed-off-by: Chao Wu <chaowu@linux.alibaba.com>
This is just to keep the support for s390x without the cosign
verification while looking for a solution for #5582.
Fixes: #5599
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
image-rs tagged its v0.2.0 release, let's bump it here as we're about to
release the payload for the v0.2.0 Confidential Containers release.
Fixes: #5593
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's bump the td-shim to its `v0.2.0` release.
Together with the bump, let's also adapt its build scripts so we're able
to build the `v0.2.0` as part of our infra.
Fixes: #5593
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The attestation-agent v0.2.0 has been released, let's bump it here and
ensure we use the new release as part of what will become the payload
for the Confidential Containers v0.2.0 release.
Fixes: #5593
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
On install you generate a configuration-fc.toml
file when building the kata-runtime and
copy it to either /etc/kata-containers/configuration-fc.toml
or /usr/share/defaults/kata-containers/configuration-fc.toml.
To reflect that the path must be one of the above,
we can fix the path in doc.
Fixes: #5589
Signed-off-by: Mathis Joffre <mariusjoffre@gmail.com>
It appears that _either_ the GitHub workflow runners have changed their
environment, or the Ubuntu archive has changed package dependencies,
resulting in the following error when building the snap:
```
Installing build dependencies: bc bison build-essential cpio curl docker.io ...
:
The following packages have unmet dependencies:
docker.io : Depends: containerd (>= 1.2.6-0ubuntu1~)
E: Unable to correct problems, you have held broken packages.
```
This PR uses the simplest solution: install the `containerd` and `runc`
packages. However, we might want to investigate alternative solutions in
the future given that the docker and containerd packages seem to have
gone wild in the Ubuntu GitHub workflow runner environment. If you
include the official docker repo (which the snap uses), a _subset_ of
the related packages is now:
- `containerd`
- `containerd.io`
- `docker-ce`
- `docker.io`
- `moby-containerd`
- `moby-engine`
- `moby-runc`
- `runc`
Fixes: #5545.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
(cherry picked from commit 990e6359b7)
Rather than hard-coding the package manager into the docker part,
use the `build-packages` section to specify the parts package
dependencies in a distro agnostic manner.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
(cherry picked from commit ca69a9ad6d)
In the current Dragonball code, mem_file_path config is not used when
hugetlbfs is enabled.
In this commit we add mem_file_path into hugetlbfs enable process.
fixes: #5566
Signed-off-by: Chao Wu <chaowu@linux.alibaba.com>
Although introducing an awful amount of code duplication, let's
parallelise the static checks in order to reduce its time and the space
used in the VMs running those.
While I understand there may be ways to make the whole setup less
repetitive and error prone, I'm taking the approach of:
* Make it work
* Make it right
* Make it fast
So, it's clear that I'm only attempting to make it work, and I'd
appreciate community help in order to improve the situation here. But,
for now, this is a stopgap solution.
JFYI, the time needed for run the tests on the `main` branch went down
from ~110 minutes to ~60 minutes. Plus, we're not running those on a
single VM anymore, which decreases the change to hit the space limit.
Reference: https://github.com/kata-containers/kata-containers/actions/runs/3393468605/jobs/5640842041
Ideally, each one of the following tests should be also split into
smaller tests, each test for one component, for instance.
* static-checks
* compiler-checks
* unit-tests
* unit-tests-as-root
Fixes: #5585
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit 40d514aa2c)
Although introducing an awful amount of code duplication, let's
parallelise the static checks in order to reduce its time and the space
used in the VMs running those.
While I understand there may be ways to make the whole setup less
repetitive and error prone, I'm taking the approach of:
* Make it work
* Make it right
* Make it fast
So, it's clear that I'm only attempting to make it work, and I'd
appreciate community help in order to improve the situation here. But,
for now, this is a stopgap solution.
JFYI, the time needed for run the tests on the `main` branch went down
from ~110 minutes to ~60 minutes. Plus, we're not running those on a
single VM anymore, which decreases the change to hit the space limit.
Reference: https://github.com/kata-containers/kata-containers/actions/runs/3393468605/jobs/5640842041
Ideally, each one of the following tests should be also split into
smaller tests, each test for one component, for instance.
* static-checks
* compiler-checks
* unit-tests
* unit-tests-as-root
Fixes: #5585
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
1. be able to check does hypervisor support use block device, block
device hotplug, multi-queue, and share file
2. be able to set the hypervisor capability of using block device, block
device hotplug, multi-queue, and share file
Fixes: #5569
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
This commit adds the `kernel-hashes=on` flag to the QEMU command line
for all SEV guests (previously, this was only enabled for SEV guests
with `guest_pre_attestation=on`. This change allows the AmdSev firmware
to be used for both encrypted and non-encrypted container images.
**Note:** This change makes the AmdSev OVMF build a requirement for all
SEV guests. The standard host OVMF package will no longer work.
Fixes#5307.
Signed-off-by: Jim Cadden <jcadden@ibm.com>
Let's ensure we add the option for the user, at build time, to set the
AGENT_AA_KBC_PARAMS passed to the agent, via the kernel command line.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're switching TDX to using EAA KBC instead of OfflineFS KBC, let's
add the configuration files needed for testing this before we fully
switch TDX to using such an image.
Fixes: #5563
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The specific TDX image relies on having EAA KBC, instead of using the
default `offline_fs_kbc`.
This image is, with this commit, built and distributed, but not yet used
by TDX specific configurations, which will be done in a follow-up
commit.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of removing the non-needed packages under `/usr/share` and then
installing new components, let's make sure we do the removal at the end
of our script.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's do that instead of updating and installing the
`software-properties-common` package, as it reduces the final size of
the image.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
First of all, EAA KBC is only used with TDX, thus we can safely assume
that eaa_kbc means TDX, at least for now.
A `/etc/tdx-attest.conf` file, with the data "port=4050" is needed as
that's the default configuration for the Quote Generation Service (QGS)
which is present on the guest side.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will become very handy by the moment we start building different
images targetting different TEEs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The 'config' argument to ShareVirtioFsStandalone::new() is now actually
used, taking care of an explicit TODO.
If a shared path doesn't exist in ShareVirtioFsStandalone::virtiofsd_args()
it is now created instead of returning an error, thus following
ShareVirtioFsInline's suit.
The '-o vhost_user_socket=...' command line argument doesn't seem to be
supported by newer versions of virtiofsd so we replace it with
'--socket-path' which should be functionally equivalent according to docs.
Fixes#5572
Signed-off-by: Pavel Mores <pmores@redhat.com>
Replace hard-coded aa_kbc_param check to set the image_client's
security_validate, with reading the setting from the agent config
Fixes: #4888
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
