Commit Graph

572 Commits

Author SHA1 Message Date
Dan Mihai
969b8e0fb8 genpolicy: more detailed UID/GID debug logs
Add more details to code paths handling UID/GID values, for easier
debugging.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-08 00:00:09 +01:00
Fabiano Fidêncio
14039c9089 golang: Update to 1.24.9
In order to fix:
```

=== Running govulncheck on containerd-shim-kata-v2 ===
 Vulnerabilities found in containerd-shim-kata-v2:
=== Symbol Results ===

Vulnerability #1: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: net/textproto@go1.24.6
    Fixed in: net/textproto@go1.24.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadResponse

Vulnerability #2: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: archive/tar@go1.24.6
    Fixed in: archive/tar@go1.24.8
    Vulnerable symbols found:
      #1: tar.Reader.Next

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify
      #2: x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Vulnerable symbols found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      Use '-show traces' to see the other 9 found symbols

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Vulnerable symbols found:
      #1: asn1.Unmarshal
      #2: asn1.UnmarshalWithParams

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Vulnerable symbols found:
      #1: url.JoinPath
      #2: url.Parse
      #3: url.ParseRequestURI
      #4: url.URL.Parse
      #5: url.URL.UnmarshalBinary

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Vulnerable symbols found:
      #1: pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      Use '-show traces' to see the other 4 found symbols

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Vulnerable symbols found:
      #1: x509.CertPool.AppendCertsFromPEM
      #2: x509.Certificate.CheckCRLSignature
      #3: x509.Certificate.CheckSignature
      #4: x509.Certificate.CheckSignatureFrom
      #5: x509.Certificate.CreateCRL
      Use '-show traces' to see the other 27 found symbols

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.24.6
    Fixed in: net/mail@go1.24.8
    Vulnerable symbols found:
      #1: mail.AddressParser.Parse
      #2: mail.AddressParser.ParseList
      #3: mail.Header.AddressList
      #4: mail.ParseAddress
      #5: mail.ParseAddressList
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 16:57:22 +01:00
ssc
5a586e13a1 kata-ctl: add factory subcommands for VM template management
- init: initialize the VM template factory
- status: check the current factory status
- destroy: clean up and remove factory resources
These commands provide basic lifecycle management for VM templates.

Signed-off-by: ssc <741026400@qq.com>
2025-10-30 10:27:17 +08:00
dependabot[bot]
99ae3607dc build(deps): bump astral-tokio-tar in /src/tools/agent-ctl
Bumps [astral-tokio-tar](https://github.com/astral-sh/tokio-tar) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/astral-sh/tokio-tar/releases)
- [Changelog](https://github.com/astral-sh/tokio-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/tokio-tar/compare/v0.5.5...v0.5.6)

---
updated-dependencies:
- dependency-name: astral-tokio-tar
  dependency-version: 0.5.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-25 13:53:24 +02:00
Markus Rudy
acc7974602 genpolicy: allow non-watchable ConfigMaps
If a ConfigMap has more than 8 files it will not be mounted watchable
[1]. However, genpolicy assumes that ConfigMaps are always mounted at a
watchable path, so containers with large ConfigMap mounts fail
verification.

This commit allows mounting ConfigMaps from watchable and non-watchable
directories. ConfigMap mounts can't be meaningfully verified anyway, so
the exact location of the data does not matter, except that we stay in
the sandbox data dirs.

[1]: 0ce3f5fc6f/docs/design/inotify.md (L11-L21)

Fixes: #11777
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-10-23 15:45:17 +02:00
Dan Mihai
346e1c1db6 genpolicy: allow optional secret volumes
Don't reject during policy generation Secret volumes defined as
optional.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-10-21 15:27:31 +00:00
Saul Paredes
dfd269eb87 genpolicy: take path to initdata from command line if provided
Otherwise use default initdata.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-10-13 10:47:53 -07:00
Dan Mihai
6ab59453ff genpolicy: better parsing of mount path
Mount paths ending in '/' were not parsed correctly.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-10-07 23:35:06 +02:00
Dan Mihai
ba792945ef genpolicy: additional mount_source_allows logging
Make debugging policy errors related to storage mount sources easier to
debug.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-10-07 23:35:06 +02:00
Steve Horsman
0d58bad0fd Merge pull request #11840 from kata-containers/dependabot/cargo/src/tools/agent-ctl/astral-tokio-tar-0.5.5
build(deps): bump astral-tokio-tar from 0.5.2 to 0.5.5 in /src/tools/agent-ctl
2025-10-06 09:35:56 +01:00
Aurélien Bombo
20c60b21bd Merge pull request #11839 from Sumynwa/sumsharma/agent-ctl-vm-container
agent-ctl: Add fs sharing using virtio-fs when booting a pod vm.
2025-09-30 15:45:10 -05:00
Markus Rudy
369aed0203 kata-types: conditionally include safe-path
Most of the kata-types code is reusable across platforms. However, some
functions in the mount module require safe-path, which is Linux-specific
and can't be used on other platforms, notably darwin.

This commit adds a new feature `safe-path` to kata-types, which enables
the functions that use safe-path. The Linux-only callers kata-ctl and
runtime-rs enable this feature, whereas genpolicy only needs initdata
and does not need the functions from the mount module. Using a feature
instead of a target_os restriction ensures that the developer experience
for genpolicy remains the same.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-09-29 09:48:32 +02:00
Sumedh Alok Sharma
c94e65e982 agent-ctl: Add fs sharing using virtio-fs when booting a pod vm.
This commit adds changes to enable fs sharing between host/guest
using virtio-fs when booting a pod VM for testing. This primarily
enables sharing container rootfs for testing container lifecycle
commands.

Summary of changes is as below:
- adds minimal virtiofsd code to start userspace daemon (based on
`runtime-rs/crates/resource/src/share_fs`)
- adds the virtiofs device to the test vm
- prepares and mounts the container rootfs on host
- modifies container storage & oci specs

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-09-29 07:20:42 +00:00
Xuewei Niu
98446e7338 Merge pull request #11678 from StevenFryto/rootless_vmm
runtime-rs: Add support for running the VMM in non-root mode
2025-09-25 22:03:25 +08:00
stevenfryto
bde6eb7c3a runtime-rs: add generic support for running the VMM in non-root mode
This commit introduces generic support for running the VMM in rootless mode in runtime-rs:
1.Detect whether the VMM is running in rootless mode.
2.Before starting the VMM process, create a non-root user and launch the VMM with that user’s UID and GID; also add the KVM user's group ID to the VMM process's supplementary groups so the VMM process can access /dev/kvm.
3.Add the setup of the rootless directory located in the dir /run/user/<uid> directory, and modify some path variables to be functions that return the path with the rootless directory prefix when running in rootless mode.

Fixes: #11414

Signed-off-by: stevenfryto <sunzitai_1832@bupt.edu.cn>
2025-09-25 19:30:29 +08:00
why
5d76811c8a csi-kata-directvolume: Add basic SPDK volume support
Introduce initial implementation for SPDK-backed CSI volumes, allowing
basic create and delete operations with vhost-user-blk integration.

Signed-off-by: why <1206176262@qq.com>
2025-09-25 19:29:50 +08:00
Dan Mihai
38a28b273a Merge pull request #11814 from charludo/main
genpolicy: match sandbox name by regex
2025-09-23 14:14:11 -07:00
dependabot[bot]
e24e564eb7 build(deps): bump astral-tokio-tar in /src/tools/agent-ctl
Bumps [astral-tokio-tar](https://github.com/astral-sh/tokio-tar) from 0.5.2 to 0.5.5.
- [Release notes](https://github.com/astral-sh/tokio-tar/releases)
- [Changelog](https://github.com/astral-sh/tokio-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/tokio-tar/compare/v0.5.2...v0.5.5)

---
updated-dependencies:
- dependency-name: astral-tokio-tar
  dependency-version: 0.5.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-23 17:46:48 +00:00
Charlotte Hartmann Paludo
2cea32cc23 genpolicy: match sandbox name by regex
`allow_interactive_exec` requires a sandbox-name annotation, however
this is only added for pods by genpolicy. Other pod-generating resources
have unpredictable sandbox names.

This patch instead uses a regex for the sandbox name in genpolicy, based
on the specified metadata and following Kubernetes' naming logic. The
generated regex is then used in the policy to correctly match the
sandbox name.

Fixes: #11823

Signed-off-by: Charlotte Hartmann Paludo <git@charlotteharludo.com>
Co-authored-by: Paul Meyer <katexochen0@gmail.com>
Co-authored-by: Markus Rudy <mr@edgeless.systems>
2025-09-23 10:31:58 +02:00
Mikko Ylinen
28ab972b3f agent-ctl: bump image-rs
pull image-rs from CoCo guest-components that is targeted for
CoCo v0.16.0.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-22 08:31:58 +03:00
Caspian443
2221b76b67 runtime-rs: Add selinux support for hypervisor
- read selinux_label from OCI spec in sandbox
- set selinux_label in preparevm and startvm in hypervisor

Fixes: [#9866](https://github.com/Caspian443/kata-containers/issues/9866)

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-09-21 13:59:17 +08:00
Fabiano Fidêncio
4265beb081 tools: agent-ctl: Fix unresolved ch import
agent-ctl's make check has been failing with:
```
    Checking kata-agent-ctl v0.0.1 (/home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/tools/agent-ctl)
error[E0432]: unresolved import `hypervisor::ch`
  --> src/vm/vm_ops.rs:10:5
   |
10 |     ch::CloudHypervisor,
   |     ^^ could not find `ch` in `hypervisor`
   |
note: found an item that was configured out
  --> /home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/runtime-rs/crates/hypervisor/src/lib.rs:30:9
   |
30 | pub mod ch;
   |         ^^
note: the item is gated here
  --> /home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/runtime-rs/crates/hypervisor/src/lib.rs:26:1
   |
26 | / #[cfg(all(
27 | |     feature = "cloud-hypervisor",
28 | |     any(target_arch = "x86_64", target_arch = "aarch64")
29 | | ))]
   | |___^
```

Let's just make sure that we include ch conditionally as well.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-16 18:44:33 +02:00
Saul Paredes
cc73b14e26 docs: update policy docs
Update policy docs to use initdata annotation and encoding

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:29 -07:00
Saul Paredes
a427537914 genpolicy: add initdata support
Encode policy inside initdata and encode as annotation (base64(gzip(toml))).

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
stevenhorsman
e3aa973995 versions(deps): Bump slab versions prior to 0.4.10
Although versions of slab prior to 0.4.10, don't have a security
vulnearability, we can bump them all to keep things in sync

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
stevenhorsman
924051c652 genpolicy: Bump slab crate to 0.4.11
Bump versions to remediate CVE-2025-55159

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
stevenhorsman
8fb4332d42 agent-ctl: Bump slab crate to 0.4.11
Bump versions to remediate CVE-2025-55159

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
Alex Lyn
7062a769b7 genpolicy: Exclude cgroup namespace from namespace validation
Exclude 'cgroup' namespace from namespace checks during `allow_linux`
validation. This complements the existing exclusion of the 'network'
namespace.

As runtime-rs has specific cgroup namespace configurations, and excluding it from
policy validation ensures parity between runtime-rs and runtime-go implementations.

This allows focusing validation on critical namespaces like PID, IPC, and MNT, while
avoiding potential policy mismatches due to another cgroup namespace management by
the runtime-rs.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:24:06 +08:00
Alex Lyn
12a9ad56b4 genpolicy: Normalize namespace type for mount/mnt compatibility
Add `normalize_namespace_type()` function to map "mount"
(case-insensitive) to "mnt" while keeping other values unchanged.
This ensures namespace comparisons treat "mount" and "mnt" as
equivalent.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:24:06 +08:00
Alex Lyn
ebdfbd3120 genpolicy: Make comparison order-independent and accept CAP_X/X
- Use set comparison to ignore ordering differences when matching
  capabilities.
- Add normalization to strip "CAP_" prefix to support both CAP_XXX and
  XXX formats.

This makes capability matching more robust against different ordering
and naming formats.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:23:58 +08:00
Steve Horsman
58259aa5f4 Merge pull request #11754 from stevenhorsman/go.mod-1.24.6-bump
versions: Tidy up go.mod versions
2025-09-10 14:11:33 +01:00
Steve Horsman
e502fa2feb Merge pull request #11731 from kata-containers/dependabot/go_modules/src/tools/csi-kata-directvolume/github.com/ulikunitz/xz-0.5.14
build(deps): bump github.com/ulikunitz/xz from 0.5.11 to 0.5.14 in /src/tools/csi-kata-directvolume
2025-09-10 09:47:28 +01:00
stevenhorsman
87356269d8 versions: Tidy up go.mod versions
Update go 1.23 references to go 1.24.6 to match
versions.yaml

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-08 14:03:47 +01:00
stevenhorsman
2d28f3d267 agent-ctl: version: bump hypervisor
Bump the version of runtime-rs' hypervisor crate
to upgrade (indirectly) protobug and remediate vulnerability
RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-08 13:23:03 +01:00
dependabot[bot]
5ae34ab240 build(deps): bump github.com/ulikunitz/xz
Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.11 to 0.5.14.
- [Commits](https://github.com/ulikunitz/xz/compare/v0.5.11...v0.5.14)

---
updated-dependencies:
- dependency-name: github.com/ulikunitz/xz
  dependency-version: 0.5.14
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-08 11:30:49 +01:00
Dan Mihai
9b0b7fc795 genpolicy: print Input and Policy storages
Print the Storage data structures, to help with debugging.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-04 16:03:03 +00:00
dependabot[bot]
3a0416c99f build(deps): bump gopkg.in/yaml.v3 in /src/tools/log-parser
Bumps gopkg.in/yaml.v3 from 3.0.0 to 3.0.1.

---
updated-dependencies:
- dependency-name: gopkg.in/yaml.v3
  dependency-version: 3.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-28 14:03:22 +00:00
stevenhorsman
8cbb1a4357 runtime: Fix non constant Errorf formatting
As part of the go 1.24.6 bump there are errors about the incorrect
use of a errorf, so switch to the non-formatting version, or add
the format string as appropriate

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
381da9e603 versions: Bump golang to 1.24.6
golang 1.25 has been released, so 1.23 is EoL,
so we should update to ensure we don't end up with security issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
Alex Tibbles
a03dc3129d versions: sync go.mod with versions.yaml for go 1.23.12
OSV-Scanner highlights go.mod references to go stdlib 1.23.0 contrary to intention in versions.yaml, so synchronize them.
Make a converse comment for versions.yaml.

Fixes: #11700

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 11:30:19 -04:00
Dan Mihai
ea74024b93 Merge pull request #11663 from burgerdev/arp
genpolicy: support AddARPNeighbors
2025-08-13 14:54:36 -07:00
Sumedh Alok Sharma
c7c811071a agent-ctl: Add option --vm to boot pod VM for testing.
This change introduces a new command line option `--vm`
to boot up a pod VM for testing. The tool connects with
kata agent running inside the VM to send the test commands.
The tool uses `hypervisor` crates from runtime-rs for VM
lifecycle management. Current implementation supports
Qemu & Cloud Hypervisor as VMMs.

In summary:
- tool parses the VMM specific runtime-rs kata config file in
/opt/kata/share/defaults/kata-containers/runtime-rs/*
- prepares and starts a VM using runtime-rs::hypervisor vm APIs
- retrieves agent's server address to setup connection
- tests the requested commands & shutdown the VM

Fixes #11566

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-08-11 11:03:18 +00:00
Pavel Mores
1f95d9401b runtime-rs: change representation of default_vcpus from i32 to f32
This commit focuses purely on the formal change of type.  If any subsequent
changes in semantics are needed they are purposely avoided here so that the
commit can be reviewed as a 100% formal and 0% semantic change.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Markus Rudy
3eb0641431 genpolicy: add rule for AddARPNeighbors
When the network interface provisioned by the CNI has static ARP table entries,
the runtime calls AddARPNeighbor to propagate these to the agent. As of today,
these calls are simply rejected.

In order to allow the calls, we do some sanity checks on the arguments:

We must ensure that we don't unexpectedly route traffic to the host that was
not intended to leave the VM. In a first approximation, this applies to
loopback IPs and devices. However, there may be other sensitive ranges (for
example, VPNs between VMs), so there should be some flexibility for users to
restrict this further. This is why we introduce a setting, similar to
UpdateRoutes, that allows restricting the neighbor IPs further.

The only valid state of an ARP neighbor entry is NUD_PERMANENT, which has a
value of 128 [1]. This is already enforced by the runtime.

According to rtnetlink(7), valid flag values are 8 and 128, respectively [2],
thus we allow any combination of these.

[1]: https://github.com/torvalds/linux/blob/4790580/include/uapi/linux/neighbour.h#L72
[2]: https://github.com/torvalds/linux/blob/4790580/include/uapi/linux/neighbour.h#L49C20-L53

Fixes: #11664

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-08-06 17:24:36 +02:00
Dan Mihai
c11c972465 genpolicy: config layer logging clean-up
Use a simple debug!() for logging the config_layer string, instead of
transcoding, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
30bfa2dfcc genpolicy: use CoCo settings by default
- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path..
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
94995d7102 genpolicy: skip pulling layers for guest-pull
Skip pulling container image layers when guest-pull=true. The contents
of these layers were ignored due to:
- #11162, and
- tarfs snapshotter support having been removed from genpolicy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
f6016f4f36 genpolicy: remove tarfs snapshotter support
AKS Confidential Containers are using the tarfs snapshotter. CoCo
upstream doesn't use this snapshotter, so remove this Policy complexity
from upstream.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:10 +00:00
dependabot[bot]
ef9d960763 build(deps): bump the openssl group across 4 directories with 1 update
Bumps the openssl group with 1 update in the /src/dragonball directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/runtime-rs directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/genpolicy directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/kata-ctl directory: [openssl](https://github.com/sfackler/rust-openssl).


Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-23 15:17:12 +00:00
Steve Horsman
09efcfbd86 Merge pull request #11606 from kata-containers/dependabot/cargo/src/tools/genpolicy/zerocopy-0.6.6
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
2025-07-21 18:58:56 +01:00