We leverage the new openAPI knobs from CLH to set readonly for disk image
and we also pass kernel cmd to set guest root filesystem readonly.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Use CLH branch stable/v0.5.x, and also re-generate the openAPI client
code with the new 'cloud-hypervisor.yaml'.
Fixes: #2488
Signed-off-by: Bo Chen <chen.bo@intel.com>
This repo triggers the github action to create release tarballs.
It looks for release tags in other repos. So tag this repo
last to make sure tags have been created on other repos.
Fixes#947
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Removes two (similar) functions that install `yq`. Instead of
having different functions, use the one that we have in the
tests repository.
In addition, removes the `.ci/lib.sh` which only had an additional
`clone_tests_repo` function which was not being used.
Fixes: #939.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
cri-o v1.16.x has network namespace mount point leaking problem, and
the latest v1.17.x has fixed this problem.
since cri-o and k8s follow the same release cycle and deprecation policy,
I will also update k8s to the latest release v1.17.3-00 as well.
Fixes: #2457
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
A malicious can trick us with a crafted container
rootfs symlink and make runtime umount other mountpoints.
Make sure we do not walk through symlinks when umounting.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We now make alpha releases before making a release candidate release.
Mention this in the docs.
Fixes#598
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Update release doc to mention that patch releases are not made
every 3 weeks, while minor releases are made every 12 weeks now.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
cloud-hypervisor uses `hybrid vsocks`, it is not needed to find a
context ID.
Fixes: #2481
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Some flags defined by the host may not be compatible with golang,
not use LDFLAGS but use our own variable.
Fixes: #2478
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The containerd's debug option will determine whether
the kata's log forared to containerd's log pipe or
not.
Fixes:#596
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Do not check for 'not in final' in spec creation, the logic
to fully validate is longer that just one grep.
Next should:
Use the same script build-kernel.sh to generate spec and validate it.
For now is still safe as CI will run all the build-kernels.sh to verify
the resulting config.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Kernel build for packages got broken after upgrade, this add needed
changes to build again.
Fixes#924
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- Fix typos in sandbox and persist/fs
- AArch64: change image rootfs from fedora to ubuntu
- build: Add support to strip the binary
- kernel: Update kernel to latest stable 5.4.15
- selinux: Disable selinux
- rootless: implement rootless fs and support --rootless option
- ci: Do not setup virtcontainers while using podman
- CI: update yq to 3.1.0
- dep: Fix dep check
- Update Cloud Hypervisor to v0.5.0
- docs: README: Minor grammatical updates
- FC: Update Firecracker to v0.20.0
- Support hotplug PCIe in q35
- virtcontainers: clh: Set the serial to NULL instead of OFF
- s390x: fix refactoring
- AArch64: fix golint error on ARM CI.
- versions: bump conmon version to v2.0.5
- virtcontainers: Fix error message in mockHypervisor
- rootless: use libcontainer API to detect rootless
- Add Ipv6 support
- vendor: update agent client
- qemu: Add virtio-mem support
- virtcontainers: constrain docker container when sandbox_cgroup_only=true
- Fix typo in 'sandbox'
- vc: Detach device when unable to store sandbox device
- unit-test: cleaning up stale files under /tmp
- support systemd cgroups and cgroupsV2
- Land experimental "newstore" as formal feature
- versions: update qemu to 4.1.1
- FC: jailer failed when importing new flag "--config-file"
- ut: fix make test failures
- qemu: add disable_image_nvdimm option
- clh: Increase unit test using mock testing
- versions: Update cloud hypervisor url
- rootless: fix rootless for case net=none
- vendor: Update github.com/kata-containers/agent
- shimv2: support runtime config path via annotation
- shimv2: clean up properly if vmm quits unexpectedly
- vendor: Update golang.org/x/sys
- clh: update to latest master
- cache-factory: a few bug fix
- FC: introduce `--config-file` to bypass API ready state
- clh: client: update acording to versions.yaml
- vc: Check error return from storeState
- makefile: honor virtiofs config for default config
- virtiofs: add default value for virtioFsCache type.
0f720e6f virtcontainers: fix typo in sandbox
78bb6c0f virtcontainers/persist: fix typo in fs
2c3b4657 build: Add support to strip the binary
a45cf62e virtcontainers/pkg/rootless: fix comment on exported var
c36c667b cli: implement --rootless option
11bd456a virtcontainers: support new persist API
9585bc92 virtcontainers/hypervisors: support new persist API
00307a70 virtcontainers/sandbox: support new persist API
4b9ab557 virtcontainers/factory: support new persist API
71f48a33 virtcontainers/persist: update `GetDriver` to support rootless fs
dd2762fd virtcontainers/persist: introduce mock fs driver
ea8fb96c virtcontainers/persist: introduce rootless fs driver
768db1bd virtcontainers/persist: update API and interface
6be74811 virtcontainers: remove getVMPath method from agent
658f7797 rootless: move pkg/rootless to virtcontainers
83561c4c ci: Do not setup virtcontainers while using podman
22c486aa CI: update yq to 3.1.0
a8dcff5b AArch64: change image rootfs from fedora to ubuntu
de7383b2 kernel: Update kernel to latest stable 5.4.15
5c3bcd88 dep: Fix dep check
836e3c21 clh: update to v0.5.0
055f3171 selinux: Disable selinux
7498978c Vendor: update agent client
27d9e433 FC: update Firecracker to v0.20.0
bb41b724 qemu: Support PCIe device hotplug for q35
fa7d00ec vendor: update github.com/intel/govmm
b2fb86f3 virtcontainers: clh: Set the serial to NULL instead of OFF
96a49a89 AArch64: arm ci failed on stale Gopkg.lock.
9bf4b859 AArch64: fix golint error on ARM CI.
2560e65e versions: bump conmon version to v2.0.5
693ad238 virtcontainers: Fix error message in mockHypervisor
c5d79eb2 ipv6: Add support for ipv6 for netmon as well.
b169476b ipv6: Add support for ipv6
4a77b0f8 rootless: use libcontainer API to detect rootless
b602e62a docs: README: Minor grammatical updates
c26ce186 vendor: update agent client
01a12b00 qemu: Add virtio-mem support
c3cf98ac virtcontainers: constrain docker container when sandbox_cgroup_only=true
54482f18 virtcontainers: remove json cgroups struct tag
b3374289 vendor: Update github.com/intel/govmm
316b5f2b virtcontainers: Fix typo in logger message
1f957e1b vc: Detach device when unable to store sandbox device
7186c01d unit-test: delete what ioutil.TempFile creates
0244d95e unit-test: delete what ioutil.TempDir() creates
aa62781a unit-test: reconstuct TestMain
d042d5c0 virtcontainers: fix unit tests
776da087 virtcontainers/hook: fix HookState
f372b858 virtcontainers: reimplement setupSandboxCgroup
9949daf4 virtcontainers: move validCgroupPath
ce2795e9 virtcontainers: remove systemd paramenter from constraintGRPCSpec
8c63c180 virtcontainers: add function to create a new cgroup manager
8057cd72 virtcontainers: add function to identify systemd cgroup path
4126968b virtcontainers: save CgroupPaths and Cgroups in sandbox
a170d00b vendor: update agent
112f90b7 vendor: update golang/x/sys
4a1dc1ee vendor: update libcontainer
908a42a4 vendor: update logrus
0af48197 versions: update qemu to 4.1.1
35948550 s390x: fix refactoring
290339da compatibility: keep oldstore for compatibility
4a298cb9 persist: address comments
d33b154d persist: add interface for global read/write
ed4a1954 persist: remove unused struct
8e88859e persist: remove all usage of VCStore
01b4a64b persist: remove VCStore from sandbox/apis
b63e517f persist: replace sandbox lock with newstore.Lock
508101bc persist: fix vmtemplate storage leak
29b55ab8 persist: remove VCStore from container
633748aa persist: remove VCStore from hypervisor
687f2dbe persist: move "newstore" out of experimental
3ed472dc store: UT tmp path should be random
56171206 nsenter: skip ut on non-root
e5b04a5b ut: fs test should set RunStoragePath
9bf0d67f ut: direct factory needs to set VCStorePrefix
4c35d091 vc: set store RunVMStoragePath for ut
3deb24e5 cli: flush coverage report in defer function
f56d70cc vc: UT should set VCStorePrefix
7c7a4a3b annotations: add disable_image_nvdimm
652bb76d cli: syscall return value check is wrong
a8717286 qemu: add disalbe_image_nvdimm option
dd5b4469 qemu: refactor appendImage
a2d3f9f3 vitiofsd: Add virtiofsd interaface
2a085ee6 clh: virtiofsd: check path is not empty
af5c9c23 clh: hypervisor: Do not set 9p values for virtiofs
6a10cd96 clh: test: add unit test
8a439eab clh: add Client Interface and bootVM test
09198eed FC: jailer failed when importing new flag "--config-file"
661956f5 versions: Update cloud hypervisor url
b96c7e5a rootless: fix rootless for case net=none
a215f87e vendor: Update github.com/kata-containers/agent to handle hvsock issue
1c11fe20 shimv2: support runtime config path via annotation
6cd9b3b0 vendor: Update golang.org/x/sys
9c3151e5 clh: remove not requried values
e9a852dd clh: update api calls for latest master
1a7539c1 clh: update client
55323788 versions: update clh to v0.4.0
6eae033f shimv2: cleanup container if not found
743309cd vc: stop container should change container state at last
efb611aa clh: client: update acording to versions.yaml
ab2088f7 makefile: honor virtiofs config for default config
9a154570 vc: Check error return from storeState
8f6d0ab1 FC: introduce `--config-file` to replace API configure request
f2d8d715 FC: func checkVersion should be more independent
9ce21135 FC: remove API Ready state
cc25216b virtiofs: add default value for virtioFsCache type.
837a0ee0 cache-factory: set bridge info when creating vm
3d8ffe41 cache-factory: fix nil pointer runtime panic
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
- Config changes for 5.4 kernel
- kernel: Enable new LTS 5.4.x on ppc64le arch
- lib: yq: explode anchors to get real value of image values
- kernel: use the maximum number of CPUs supported by KVM
- release: use absolute path for kubeconfig
- network: Enable ipv6 config CONFIG_IPV6_MULTIPLE_TABLES
- actions: check for packaging before clone
- release: bump kata-containers repository
- kernel/configs: enable CONFIG_X86_MPPARSE
- obs: Add ubuntu 19.04 testing
- release: tag and branch kata-containers repository
- add workflow for testing kata-deploy
- fixes for qemu 4.2.0
- config: enable printk_time for arm64.
- kernel: Enable new LTS 5.4.3 on AArch64
- FC: ELF format kernel image unsupported with firecracker on AArch64
- kata-static: Add sudo while building cloud hypervisor docker image
- obs: Remove fedora 28 obs packages
- snap: fix how latest stable version is obtained
- qemu: Patch qemu to support image without write access.
- snap: fix snap in launchpad
- kata-deploy: action: take updated yaml paths into account
04386a6 kernel: Enable new LTS 5.4.x on ppc64le arch
ea8b775 lib: yq: explode anchors to get real value of image values
b66fb43 kernel: Remove CONFIG_INET6 options from fragments
17d86c3 kernel: Always apply whitelist
ba68012 kernel: use the maximum number of CPUs supported by KVM
e0a57b6 network: Enable ipv6 config CONFIG_IPV6_MULTIPLE_TABLES
0751072 release: use absolute path for kubeconfig
32f2ff1 actions: check for packaging before clone
0ff7072 release: bump kata-containers repository
a95b359 kernel/configs: enable CONFIG_X86_MPPARSE
b023d8d kata-deploy: use clh instead of cloud-hypervisor
59a34bb static-build: drop NEMU, add CLH
6c9db9b kata-deploy-action: test CLH
f184afc testing: add workflows for testing kata-deploy
c14ded3 obs: Add ubuntu 19.04 testing
3ce2d36 release: tag and branch kata-containers repository
2ef9bbc FC: ELF format kernel image unsupported with firecracker on AArch64
ca6df85 kata-static: Add sudo while building cloud hypervisor docker image
59dc61d kernel: Enable new LTS 5.4.3 on AArch64
34d2c81 obs: Remove fedora 28 obs packages
ce2accc qemu/patches: add patches for qemu 4.2.0
7c13dc3 static-build: update blacklist for qemu 4.2.0
a407c92 config: enable printk_time for arm64.
5877ab7 snap: fix how latest stable version is obtained
43a6e67 snap: overwrite Makefile variables
bfe65e0 kernel: make get_config_version quiet
076cfa9 qemu: Patch qemu to support image without write access.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
- should ignore invalid a key-value pair as an env
- Revert: "Makefile: Fix rust agent build using "--release"."
- Makefile: Fix rust agent build using "--release".
- vsock: support log_vport and debug_console_vport
- Agent: Separate logging into a single crate
- agent: fix the issue of crash agent without spec
- fix the issue of missing restore process's cwd
- Running rust-agent on AArch64
- ci: Remove run_rust_test functions as not being used
- add oci compatibility test case
- agent: Add unit tests for sandbox.rs
- version: Add VERSION file
- ci: Add minimal makefile to use central go test script
- netlink: pull out netlink as library crate.
- Fixup workflow 103
40b5a56 agent: ignore invalid a key-value pair as an env
269daa9 Revert: "Makefile: Fix rust agent build using "--release"."
a3e46a3 Makefile: Fix rust agent build using "--release".
3c1252e vsock: support log_vport and debug_console_vport
c373f84 agent: separate logging into a single crate
2be8661 agent: fix the issue of missing restore process's cwd
6c7453d agent: fix the issue of crash agent without spec
4edf537 ci: Remove run_rust_test functions as not being used
d222533 agent: add oci compatibility test case
7dfc4e0 linker: `no such file` linking error on AArch64
44b2caa AArch64: missing symbols on target `aarch64-unknown-linux-musl`
9621a7f ABI: only support arm 64-bit platform
8d60612 version: Add VERSION file
a5192a1 netlink: pull out netlink as library crate.
3881c06 ci: Add minimal makefile to use central go test script
1c57665 workflows: make sure we build the experimental kernel, CLH
cbd5fa0 workflows: fix step output usage
92301a6 agent: Add unit tests for sandbox.rs
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
we need to refine unit tests due to previous two commits and
add new test for new func checkVersionConsistencyInComponents.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Use `kata-runtime kata-check --strict/-s` to perform version
consistency check.
Only if major version number, minor version number and Patch
number are all the same, we determine those two kata components
are version-consistent.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
We import new struct VersionInfo for better organizing version info of
kata components, in order to follow Semantic Versioning Specification.
Fixes: #2375
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There was a race condition between bind() and listen() that was hit very
rarely when using Kata Containers and Cloud-Hypervisor. It's been
identified the problem is really coming from the virtio-vsock driver,
which is fixed by those new kernel patches uploaded for each version of
the kernels used by Kata Containers.
Fixes#932
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This provides a flag "STRIP=yes" to strip the golang binary
After this patch, the binary size is reduced a lot:
19356680 containerd-shim-kata-v2*
25980728 containerd-shim-kata-v2.nostip*
4021784 kata-netmon*
5093992 kata-netmon.nostrip*
26339392 kata-runtime*
33097344 kata-runtime.nostrip*
Fixes: #2455
Signed-off-by: Jia He <justin.he@arm.com>
Linux has embraced another LTS kernel version v5.4.x.
Update the kernel config for Power as well.
Fixes: #936
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
