- similar to the static_sandbox_default_workload_mem option,
assign a default number of vcpus to the VM when no limits
are given, 1 vcpu in this case
- similar to commit c7b8ee9, do not allocate additional vcpus
when limits are provided
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
After these changes:
1. The value of the K8s runtime class memory overhead:
- Covers the memory usage from all the Host-side components (mainly
the Kata Shim and the VMM).
- Doesn't include the memory usage from any Guest-side components.
2. The value of a pod memory limit specified by the user:
- Is equal to the memory size of the Pod VM.
- Includes the memory usage from all the Guest-side components
(mainly user's workload, the Guest kernel, and the Kata Agent)
- Doesn't include the memory usage from any Host-side components.
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This branch starts introducing additional scripting to build, deploy
and evaluate the components used in AKS' Pod Sandboxing and
Confidential Containers preview features. This includes the capability
to build the IGVM file and its reference measurement file for remote
attestation.
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Improve igvm-builder and node-builder/azure-linux scripting
- Support for Mariner 3 builds using OS_VERSION variable
- Improvements to IGVM build process and flow as described in README
- Adoption of using only cloud-hypervisor-cvm on CBL-Mariner
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Add package-tools-install functionality
- Add script to install kata-containers(-cc)-tools bits
- Minor improvements in README.md
- Minor fix in package_install
- Remove echo outputs in package_build
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Enable setting IGVM SVN
- Allow setting SVN parameter for IGVM build scripting
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: introduce BUILD_TYPE variable
This lets developers build and deploy Kata in debug mode without having to make
manual edits to the build scripts.
With BUILD_TYPE=debug (default is release):
* The agent is built in debug mode.
* The agent is built with a permissive policy (using allow-all.rego).
* The shim debug config file is used, ie. we create the symlink
configuration-clh-snp-debug.toml <- configuration-clh-snp.toml.
For example, building and deploying Kata-CC in debug mode is now as simple as:
make BUILD_TYPE=debug all-confpods deploy-confpods
Also do note that make still lets you override the other variables even after
setting BUILD_TYPE. For example, you can use the production shim config with
BUILD_TYPE=debug:
make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
node-builder: introduce SHIM_REDEPLOY_CONFIG
See README: when SHIM_REDEPLOY_CONFIG=no, the shim configuration is NOT
redeployed, so that potential config changes made directly on the host
during development aren't lost.
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
node-builder: Use img for Pod Sandboxing
Switch from UVM initrd to image format
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Adapt README instructions
- Sanitize containerd config snippet
- Set podOverhead for Kata runtime class
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Adapt AGENT_POLICY_FILE path
- Adapt path in uvm_build.sh script to comply
with the usptream changes we pulled in
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Use Azure Linux 3 as default path
- update recipe and node-builder scripting
- change default value on rootfs-builder
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Deploy-only for AzL3 VMs
- split deployment sections in node-builder README.md
- install jq, curl dependencies within IGVM script
- add path parameter to UVM install script
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Minor updates to README.md
- no longer install make package, is part of meta package
- remove superfluous popd
- add note on permissive policy for ConfPods UVM builds
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Updates to README.md
- with the latest 3.2.0.azl4 package on PMC, can remove OS_VERSION parameter
and use the make deploy calls instead of copying files by hand for variant
I (now aligned with Variant II)
- with the latest changes on msft-main, set the podOverhead to 600Mi
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
node-builder: Fix SHIM_USE_DEBUG_CONFIG behavior
Using a symlink would create a cycle after calling this script again when
copying the final configuration at line 74 so we just use cp instead.
Also, I moved this block to the end of the file to properly override the final
config file.
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
node-builder: Build and install debug configuration for pod sandboxing
For ease of debugging, install a configuration-clh-debug.toml for pod
sandboxing as we do in Conf pods.
Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
runtime: remove clh-snp config file usage in makefile
Not needed to build vanilla kata
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
package_tools_install.sh: include nsdax.gpl.c
Include nsdax.gpl.c
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This fixes the below error when attempting to access the debug console when
all debug_console_enabled=true and all 3 enable_debug options are true:
level=error msg="error create pseudo tty" error="open /dev/ptmx: operation not
permitted"
Signed-off-by: Aurelien Bombo <abombo@microsoft.com>
This adds our team as reviewers for PRs automatically again.
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Bug: https://microsoft.visualstudio.com/OS/_workitems/edit/43668151
Rationale: This is a temporary solution for optimizing memory usage for
the current mechanism of requesting resources through pod Limit
annotations:
- if no Limits are specified and hence WorkloadMemMB is 0, set a default
value 'StaticWorkloadDefaultMem' to allocate a default amount of
memory for use for containers in the sandbox in addition to the base
memory
- if Limits are specified, the base memory and the sum of Limits are
allocated. The end user needs to be aware of the minimum memory
requirements for their pods, otherwise the pod will be stuck in the
ContainerCreating state
Testing: Manual testing, creating pods with Limits and without limits,
and with two containers where each container has a limit, tested with
integration in a SPEC file where the config variables were set via
environment variables via the make command
Adapted by @mfrw from 3.1.0 to apply to 3.2.0
Signed-off-by: Muhammad Falak R Wani <mwani@microsoft.com>
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
runtime: Remove unused VMM options for mem alloc
- We only ever tested these fork changes with CLH+MSHV
- Remove these options as we don't use QEMU/FC
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
As there were a few moderate security vulnerability fixes missed as part
of the 3.19.0 release.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
For the release itself, let's simply copy the VERSION file to the
tarball.
To do so, we had to change the logic that merges the build, as at that
point the tag is not yet pushed to the repo.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
On commit 90bc749a19, we've changed the
QEMUTDXPATH in order to get it to work with GPUs, but the change broke
the non-GPU TDX use-case, which depends on the distro binary.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them
Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
According to the issue [1], Tokio will panic when we are giving a blocking
socket to Tokio's `from_std()` method, the information is as follows:
```
A panic occurred at crates/agent/src/sock/vsock.rs:59: Registering a
blocking socket with the tokio runtime is unsupported. If you wish to do
anyways, please add `--cfg tokio_allow_from_blocking_fd` to your RUSTFLAGS.
```
A workaround is to set the socket to non-blocking.
1: https://github.com/tokio-rs/tokio/issues/7172
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
