To include block readonly capability. Included commits:
3700c55 qemu: add block device readonly support
88a25a2 Refactor code to support multiple virtio transports at runtime
2ee53b0 qemu: Don't set ".cache-size=" when CacheSize is 0
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
cgroup manager is in charge to create and setup cgroups for
virtual containers, for example it adds /dev/kvm and
/dev/vhost-net to the list of cgroup devices in order to have
virtual containers working.
fixes#2438fixes#2419
Signed-off-by: Julio Montes <julio.montes@intel.com>
virtcontainers/pkg/cgroups contains functions and structures needed to deal
with cgroups and virtual containers
Signed-off-by: Julio Montes <julio.montes@intel.com>
We leverage the new openAPI knobs from CLH to set readonly for disk image
and we also pass kernel cmd to set guest root filesystem readonly.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Use CLH branch stable/v0.5.x, and also re-generate the openAPI client
code with the new 'cloud-hypervisor.yaml'.
Fixes: #2488
Signed-off-by: Bo Chen <chen.bo@intel.com>
cri-o v1.16.x has network namespace mount point leaking problem, and
the latest v1.17.x has fixed this problem.
since cri-o and k8s follow the same release cycle and deprecation policy,
I will also update k8s to the latest release v1.17.3-00 as well.
Fixes: #2457
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
A malicious can trick us with a crafted container
rootfs symlink and make runtime umount other mountpoints.
Make sure we do not walk through symlinks when umounting.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
cloud-hypervisor uses `hybrid vsocks`, it is not needed to find a
context ID.
Fixes: #2481
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Some flags defined by the host may not be compatible with golang,
not use LDFLAGS but use our own variable.
Fixes: #2478
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- Fix typos in sandbox and persist/fs
- AArch64: change image rootfs from fedora to ubuntu
- build: Add support to strip the binary
- kernel: Update kernel to latest stable 5.4.15
- selinux: Disable selinux
- rootless: implement rootless fs and support --rootless option
- ci: Do not setup virtcontainers while using podman
- CI: update yq to 3.1.0
- dep: Fix dep check
- Update Cloud Hypervisor to v0.5.0
- docs: README: Minor grammatical updates
- FC: Update Firecracker to v0.20.0
- Support hotplug PCIe in q35
- virtcontainers: clh: Set the serial to NULL instead of OFF
- s390x: fix refactoring
- AArch64: fix golint error on ARM CI.
- versions: bump conmon version to v2.0.5
- virtcontainers: Fix error message in mockHypervisor
- rootless: use libcontainer API to detect rootless
- Add Ipv6 support
- vendor: update agent client
- qemu: Add virtio-mem support
- virtcontainers: constrain docker container when sandbox_cgroup_only=true
- Fix typo in 'sandbox'
- vc: Detach device when unable to store sandbox device
- unit-test: cleaning up stale files under /tmp
- support systemd cgroups and cgroupsV2
- Land experimental "newstore" as formal feature
- versions: update qemu to 4.1.1
- FC: jailer failed when importing new flag "--config-file"
- ut: fix make test failures
- qemu: add disable_image_nvdimm option
- clh: Increase unit test using mock testing
- versions: Update cloud hypervisor url
- rootless: fix rootless for case net=none
- vendor: Update github.com/kata-containers/agent
- shimv2: support runtime config path via annotation
- shimv2: clean up properly if vmm quits unexpectedly
- vendor: Update golang.org/x/sys
- clh: update to latest master
- cache-factory: a few bug fix
- FC: introduce `--config-file` to bypass API ready state
- clh: client: update acording to versions.yaml
- vc: Check error return from storeState
- makefile: honor virtiofs config for default config
- virtiofs: add default value for virtioFsCache type.
0f720e6f virtcontainers: fix typo in sandbox
78bb6c0f virtcontainers/persist: fix typo in fs
2c3b4657 build: Add support to strip the binary
a45cf62e virtcontainers/pkg/rootless: fix comment on exported var
c36c667b cli: implement --rootless option
11bd456a virtcontainers: support new persist API
9585bc92 virtcontainers/hypervisors: support new persist API
00307a70 virtcontainers/sandbox: support new persist API
4b9ab557 virtcontainers/factory: support new persist API
71f48a33 virtcontainers/persist: update `GetDriver` to support rootless fs
dd2762fd virtcontainers/persist: introduce mock fs driver
ea8fb96c virtcontainers/persist: introduce rootless fs driver
768db1bd virtcontainers/persist: update API and interface
6be74811 virtcontainers: remove getVMPath method from agent
658f7797 rootless: move pkg/rootless to virtcontainers
83561c4c ci: Do not setup virtcontainers while using podman
22c486aa CI: update yq to 3.1.0
a8dcff5b AArch64: change image rootfs from fedora to ubuntu
de7383b2 kernel: Update kernel to latest stable 5.4.15
5c3bcd88 dep: Fix dep check
836e3c21 clh: update to v0.5.0
055f3171 selinux: Disable selinux
7498978c Vendor: update agent client
27d9e433 FC: update Firecracker to v0.20.0
bb41b724 qemu: Support PCIe device hotplug for q35
fa7d00ec vendor: update github.com/intel/govmm
b2fb86f3 virtcontainers: clh: Set the serial to NULL instead of OFF
96a49a89 AArch64: arm ci failed on stale Gopkg.lock.
9bf4b859 AArch64: fix golint error on ARM CI.
2560e65e versions: bump conmon version to v2.0.5
693ad238 virtcontainers: Fix error message in mockHypervisor
c5d79eb2 ipv6: Add support for ipv6 for netmon as well.
b169476b ipv6: Add support for ipv6
4a77b0f8 rootless: use libcontainer API to detect rootless
b602e62a docs: README: Minor grammatical updates
c26ce186 vendor: update agent client
01a12b00 qemu: Add virtio-mem support
c3cf98ac virtcontainers: constrain docker container when sandbox_cgroup_only=true
54482f18 virtcontainers: remove json cgroups struct tag
b3374289 vendor: Update github.com/intel/govmm
316b5f2b virtcontainers: Fix typo in logger message
1f957e1b vc: Detach device when unable to store sandbox device
7186c01d unit-test: delete what ioutil.TempFile creates
0244d95e unit-test: delete what ioutil.TempDir() creates
aa62781a unit-test: reconstuct TestMain
d042d5c0 virtcontainers: fix unit tests
776da087 virtcontainers/hook: fix HookState
f372b858 virtcontainers: reimplement setupSandboxCgroup
9949daf4 virtcontainers: move validCgroupPath
ce2795e9 virtcontainers: remove systemd paramenter from constraintGRPCSpec
8c63c180 virtcontainers: add function to create a new cgroup manager
8057cd72 virtcontainers: add function to identify systemd cgroup path
4126968b virtcontainers: save CgroupPaths and Cgroups in sandbox
a170d00b vendor: update agent
112f90b7 vendor: update golang/x/sys
4a1dc1ee vendor: update libcontainer
908a42a4 vendor: update logrus
0af48197 versions: update qemu to 4.1.1
35948550 s390x: fix refactoring
290339da compatibility: keep oldstore for compatibility
4a298cb9 persist: address comments
d33b154d persist: add interface for global read/write
ed4a1954 persist: remove unused struct
8e88859e persist: remove all usage of VCStore
01b4a64b persist: remove VCStore from sandbox/apis
b63e517f persist: replace sandbox lock with newstore.Lock
508101bc persist: fix vmtemplate storage leak
29b55ab8 persist: remove VCStore from container
633748aa persist: remove VCStore from hypervisor
687f2dbe persist: move "newstore" out of experimental
3ed472dc store: UT tmp path should be random
56171206 nsenter: skip ut on non-root
e5b04a5b ut: fs test should set RunStoragePath
9bf0d67f ut: direct factory needs to set VCStorePrefix
4c35d091 vc: set store RunVMStoragePath for ut
3deb24e5 cli: flush coverage report in defer function
f56d70cc vc: UT should set VCStorePrefix
7c7a4a3b annotations: add disable_image_nvdimm
652bb76d cli: syscall return value check is wrong
a8717286 qemu: add disalbe_image_nvdimm option
dd5b4469 qemu: refactor appendImage
a2d3f9f3 vitiofsd: Add virtiofsd interaface
2a085ee6 clh: virtiofsd: check path is not empty
af5c9c23 clh: hypervisor: Do not set 9p values for virtiofs
6a10cd96 clh: test: add unit test
8a439eab clh: add Client Interface and bootVM test
09198eed FC: jailer failed when importing new flag "--config-file"
661956f5 versions: Update cloud hypervisor url
b96c7e5a rootless: fix rootless for case net=none
a215f87e vendor: Update github.com/kata-containers/agent to handle hvsock issue
1c11fe20 shimv2: support runtime config path via annotation
6cd9b3b0 vendor: Update golang.org/x/sys
9c3151e5 clh: remove not requried values
e9a852dd clh: update api calls for latest master
1a7539c1 clh: update client
55323788 versions: update clh to v0.4.0
6eae033f shimv2: cleanup container if not found
743309cd vc: stop container should change container state at last
efb611aa clh: client: update acording to versions.yaml
ab2088f7 makefile: honor virtiofs config for default config
9a154570 vc: Check error return from storeState
8f6d0ab1 FC: introduce `--config-file` to replace API configure request
f2d8d715 FC: func checkVersion should be more independent
9ce21135 FC: remove API Ready state
cc25216b virtiofs: add default value for virtioFsCache type.
837a0ee0 cache-factory: set bridge info when creating vm
3d8ffe41 cache-factory: fix nil pointer runtime panic
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
- should ignore invalid a key-value pair as an env
- Revert: "Makefile: Fix rust agent build using "--release"."
- Makefile: Fix rust agent build using "--release".
- vsock: support log_vport and debug_console_vport
- Agent: Separate logging into a single crate
- agent: fix the issue of crash agent without spec
- fix the issue of missing restore process's cwd
- Running rust-agent on AArch64
- ci: Remove run_rust_test functions as not being used
- add oci compatibility test case
- agent: Add unit tests for sandbox.rs
- version: Add VERSION file
- ci: Add minimal makefile to use central go test script
- netlink: pull out netlink as library crate.
- Fixup workflow 103
40b5a56 agent: ignore invalid a key-value pair as an env
269daa9 Revert: "Makefile: Fix rust agent build using "--release"."
a3e46a3 Makefile: Fix rust agent build using "--release".
3c1252e vsock: support log_vport and debug_console_vport
c373f84 agent: separate logging into a single crate
2be8661 agent: fix the issue of missing restore process's cwd
6c7453d agent: fix the issue of crash agent without spec
4edf537 ci: Remove run_rust_test functions as not being used
d222533 agent: add oci compatibility test case
7dfc4e0 linker: `no such file` linking error on AArch64
44b2caa AArch64: missing symbols on target `aarch64-unknown-linux-musl`
9621a7f ABI: only support arm 64-bit platform
8d60612 version: Add VERSION file
a5192a1 netlink: pull out netlink as library crate.
3881c06 ci: Add minimal makefile to use central go test script
1c57665 workflows: make sure we build the experimental kernel, CLH
cbd5fa0 workflows: fix step output usage
92301a6 agent: Add unit tests for sandbox.rs
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
we need to refine unit tests due to previous two commits and
add new test for new func checkVersionConsistencyInComponents.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Use `kata-runtime kata-check --strict/-s` to perform version
consistency check.
Only if major version number, minor version number and Patch
number are all the same, we determine those two kata components
are version-consistent.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
We import new struct VersionInfo for better organizing version info of
kata components, in order to follow Semantic Versioning Specification.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
This provides a flag "STRIP=yes" to strip the golang binary
After this patch, the binary size is reduced a lot:
19356680 containerd-shim-kata-v2*
25980728 containerd-shim-kata-v2.nostip*
4021784 kata-netmon*
5093992 kata-netmon.nostrip*
26339392 kata-runtime*
33097344 kata-runtime.nostrip*
Fixes: #2455
Signed-off-by: Jia He <justin.he@arm.com>
By default virtcontainer auto-detects if the current process is running
rootless or not, but this behavior can change from commandline with the
--rootless option
fixes#2417
Signed-off-by: Julio Montes <julio.montes@intel.com>
GetDriver returns new PersistDriver according to current needs, a mock fs
driver is returned when mockTesting is enabled, a rootless fs is returned when
rootless is detected, otherwise a fs driver is used.
Signed-off-by: Julio Montes <julio.montes@intel.com>
