--enable-pie is not compatible with --static option for qemu building.
Without this patch, it will report a configure error during static building:
```
ERROR: static and pie are mutually incompatible
```
Fixes: #982
Signed-off-by: Jia He <justin.he@arm.com>
If always using dax, even if virtio_fs_cache is 0, the following error
would happen:
```
[root@f32 runtime]# podman run --security-opt label=disable --runtime=/usr/local/bin/kata-runtime --rm -id fedora sh
Error: rpc error: code = Internal desc = Could not mount kataShared to /run/kata-containers/shared/containers/: invalid argument: OCI runtime error
```
Fixes: #2464
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Although in the earlier stages of development those FUSE client mount
options were needed, when virtiofs got merged the default option values
were baked into virtiofs.ko.
Those options are not only unneeded, but they'd also cause issues when
trying to run recent enough kernels, as shown below:
```
[root@f32 runtime]# podman run --security-opt label=disable --runtime=/usr/local/bin/kata-runtime --rm -id fedora sh
Error: rpc error: code = Internal desc = Could not mount kataShared to /run/kata-containers/shared/containers/: invalid argument: OCI runtime error
```
Fixes: #2464
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
virtio_fs was the name used for the module in the very early stages of
its development.
Fixes: #2462
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This includes a newer kernel and necessary overlay changes
that fix outstanding issue for running docker in docker using
overlay.
Depends-on: github.com/kata-containers/agent#738
Depends-on: github.com/kata-containers/shim#233
Fixes #2603
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The container log fifo is opened as `O_WRONLY` now. When the read side
of the fifo is closed temporarily, such as when restarting containerd, a write to
`tty.Stdout` will get an EPIPE error and finally cause `io.CopyBuffer`
to return. Then `ioCopy` closes the tty io and exits. Thus after containerd
is restarted, the log fifo can't be reopened. The container will be blocked
forever after the stdout/stderr buffer is full.
Opening the log fifo with `RDWR` instead of `WRONLY` avoids the fifo
returning EPIPE when the read side is closed, and keeps the fifo open
until the reader reopens it.
Fixes: #2590
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
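The FIFO behaviour this commit message describes, reproduced as an added example (not code from the kata runtime): a reader attaches and goes away, then the writer logs a line and a new reader attaches. The function name `writeAfterReaderGone`, the FIFO paths and the sample log line are constructed for illustration, and the raw `syscall` package stands in for the runtime's own I/O code.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// writeAfterReaderGone models the log FIFO across a reader restart: a reader
// attaches (non-blocking, so open() returns with no writer present), the
// writer opens with writerFlag, the reader goes away, the writer logs one
// line, then a new reader attaches and drains whatever the FIFO buffered.
func writeAfterReaderGone(path string, writerFlag int) (string, error) {
	if err := syscall.Mkfifo(path, 0600); err != nil {
		return "", err
	}
	r, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)
	if err != nil {
		return "", err
	}
	w, err := syscall.Open(path, writerFlag, 0)
	syscall.Close(r) // the only external reader disappears
	if err != nil {
		return "", err
	}
	defer syscall.Close(w)
	if _, err := syscall.Write(w, []byte("log line\n")); err != nil {
		return "", err // O_WRONLY: no read end left, so EPIPE
	}
	r, err = syscall.Open(path, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)
	if err != nil {
		return "", err
	}
	defer syscall.Close(r)
	buf := make([]byte, 64)
	n, err := syscall.Read(r, buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	dir, err := os.MkdirTemp("", "fifo-demo") // constructed scratch dir
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(writeAfterReaderGone(dir+"/wronly", syscall.O_WRONLY))
	fmt.Println(writeAfterReaderGone(dir+"/rdwr", syscall.O_RDWR))
}
```

With `O_RDWR` the writer's own descriptor counts as a read end, so the write lands in the pipe buffer instead of failing and the returning reader receives it.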
Large decrementer was introduced in Power 9 CPUs.
Switch it off with "cap-large-decr=off", as not all KVM hosts
support it.
Fixes: #2599
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
Add containerd and crio versions that support
`privileged_without_host_devices` behaviour.
Fixes #638
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This will allow lock operations, needed by programs like
`apt-get upgrade`.
Fixes: #2594
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Fix the `build-kernel.sh` script to sort patches correctly. Previously,
it relied on `find(1)` for the ordering. However, `find(1)` does not
guarantee any ordering of files within a directory. Since the ordering
could therefore be "random", it was quite possible for patches to be
applied in the wrong order, resulting in conflicts.
Fixes: #1003.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR fixes the opensuse installation guide. It solves the issue of
having an extra empty space at the end of the distro name, which is causing
a failure when we want to add the kata containers obs repository, as we
are looking for http://download.opensuse.org/repositories/home:/katacontainers:/releases:/x86_64:/master/openSUSE_Leap_15.1%20/
which does not exist, and it is giving us the error `Valid metadata not found at specified URL`.
This PR replaces the URL with a correct one.
Fixes #635
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Update golang to 1.13.9 in versions.yaml.
In addition, add same golang version to `.travis.yml` and
delete the call to `.ci/install_go.sh` as it started to
cause problems in travis CI.
Fixes: #2592.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
For obs and for running the packages testing in Fedora, we need to remove
the update step, as it is hit by
https://github.com/kata-containers/runtime/issues/2580. This is needed
to unblock the errors in the testing.
Fixes #1001
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The default k3s containerRuntimeVersion takes the form of:
`containerd://1.3.3-k3s2`
The awk was stripping away the k3s portion before checking if it was a
k3s containerd.
fixes #996
Signed-off-by: Brandon Wilson <brandon@coil.com>
Since fs sharing is not assumed as supported by default, expose
explicitly that the qemu_ppc64le supports it.
Fixes: #2584
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
We want to launch the KVM launcher tool (qemu?) with an SELinux label, similar
to what we do with libvirt.
Currently when I use kata with Podman, it complains, if we specify a label, that
kata does not support SELinux labels. What I would like to do is have kata just
use this label to apply to the KVM launcher. Then I will work to generate a new
policy type (container_kvm_t) that will allow the KVM Launcher tool to do its
thing, but prevent breakout.
Fixes: #2501
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
By default, SPDK's setup.sh will bind PCI devices to
userspace from kernel. This may confuse beginners.
So add PCI_WHITELIST="none" to blacklist all PCI devices.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Configure parameter "enable_vhost_user_store" is
added as an indicator to enable vhost-user storage
device assignment.
Also note that user hugepage should be enabled for
the SPDK vhost target currently.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Sentences for how to do host setup for vhost-user devices
were not clear, so re-edit them.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
It's better to check the sandbox's get_container
result instead of unwrapping it directly; otherwise it would
crash the agent if the container id is invalid.
Fixes: #178
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When killing a process, if the exec id is empty, then
it means to kill all processes in the container; if
the exec id isn't empty, then it will only kill the
specific exec process.
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>