Since the crate dirs::home_dir function depends on the
libc's api: getpwuid_r, but this api function wouldn't
be static linked on glibc, thus we'd better to figure
out an alternative way to get the home dir from /etc/passwd.
For much more info about this glibc's issue, please see:
https://sourceware.org/bugzilla/show_bug.cgi?id=19341.
This commit read and parse the "/etc/passwd" directly and
fetch the corresponding uid's home dir.
Fixes: #675
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Remove unused function parameters from the following types:
- `AgentCmdFp`: Removed the config parameter and made
the context parameter the first (à la golang).
- `BuiltinCmdFp`: Removed the config and options parameters.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The recent switch to an async rust agent broke the `agent-ctl` tool.
However, we didn't notice because that isn't being built by the CI.
Fix the breakage by passing a ttRPC context to all ttRPC API calls and
also build the tool as part of the static checks CI.
Fixes: #1471.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
If specified, sandbox_bind_mounts identifies host paths to be
mounted (ro) into the sandboxes shared path. This is only valid
if filesystem sharing is utilized.
The provided path(s) will be bindmounted (ro) into the shared fs directory on
the host, and thus mapped into the guest. If defaults are utilized,
these mounts should be available in the guest at
`/var/run/kata-containers/shared/containers/sandbox-mounts`
These will not be exposed to the container workloads, and are only
added for potential guest-services to consume (example: expose certs
into the guest that are available on the host).
Fixes: #1464
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Add target to run codecov report locally.
Useful to identify what are the missing lines
to be covered by unit test.
Fixes: #1487
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Currently, musl toolchain installation on arm64 is just downloading from
a website. It's unsafe in case the website corrupts. So build musl
toolchain from source if it can't be downloaded.
Fixes: #1481
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Update the Intel QAT Dockerfile to work with the 2.0 repos, fix some
bugs with building Debian/Ubuntu rootfs, and update the latest QAT
driver. Updated copyright.
Fixes: #1419
Signed-off-by: Adams, Eric <eric.adams@intel.com>
QEMU 5.2.0 needs ninja-build package installed on the build environment.
The default-configs were copied to $QEMU_SRC/default-configs but that does
take any effect, so instead it is now copied to $QEMU_SRC/default-configs/devices
and the configs for i386 were updated.
Also it had to change some arguments being passed to configure as Meson was failing
due inconsistent paths:
./meson.build:1:0: ERROR: The value of the 'libdir' option is '/usr/lib/qemu' which must be a subdir of the prefix '/snap/kata-containers/current/usr'.
Note that if you pass a relative path, it is assumed to be a subdir of prefix.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This change the version of QEMU used in the tests and CI.
The scripts/configure-hypervisor.sh was changed so that:
- Passing the `--enable-virtiofsd` flag
- Do not compiling with -O3 to avoid the warning:
Program python3 found: YES (/usr/bin/python3)
../meson.build:104: WARNING: Consider using the built-in optimization level instead of using "-O3".
../meson.build:108: WARNING: Consider using the built-in optimization level instead of using "-O3".
The qemu.blacklist files was changed so that new and uneeded firmware files are removed from the
final tarball. Except for qboot.rom which is new but kept, since it can be used with microvm
machine type (in case we want to enable microvm in the future).
The patches which are applied on QEMU sources:
- 0001-virtiofsd-Allow-to-build-it-without-the-tools.patch
(Build fix for Meson - allows passing `--disable-tools --enable-virtiofsd`)
- 0002-virtiofsd-extract-lo_do_open-from-lo_open.patch
0003-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch
0004-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch
0005-virtiofsd-Add-_llseek-to-the-seccomp-whitelist.patch
0006-virtiofsd-Add-restart_syscall-to-the-seccomp-whiteli.patch
(Security fixes for virtiofsd)
- 0007-9p-removing-coroutines-of-9p-to-increase-the-I-O-per.patch
(Performance improvement for 9p driver)
- 0008-hw-s390x-fix-build-for-virtio-9p-ccw.patch
(Build fix for virtio-9p-ccw machine type)
Fixes: #1238
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Each Kata Containers application should generate log records with a specified
structure. Currently on containerd-shim-v2's logs, the required 'name' field
is missing. This changed its logger to append the application name on each
and every emitted entries.
Fixes#1479
Related-to: github.com/kata-containers/tests/issues/3260
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The scripts/configure-hypervisor.sh split the QEMU and GCC version
in major and minor versions then use those values on shell conditionals
to compare versions. This is error prone, so instead this change the script
to use the `sort -V -C ` command for version comparisons.
Fixes: #1349
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
When do pass guest device files to container, the source
file wouldn't be a regular file, but we also need to create
a corresponding destination file to bind mount source file
to it. Thus it's better to check whether the source file
was a directory instead of regular file.
Fixes: #1477
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Looks like we inadvertantly removed the check on the loadRuntimeConfig
error return value. Adding back...
Fixes: #1474
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Agent sends -1 PID when invoking OCI hooks.
OCI state struct is initialized before obtaining PID, so this PR moves
`oci_state` call down, right after we get the id.
Fixes: #1458
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Port kata-containers/agent#883 to the Rust Agent.
In the event that the virtiofs device is already mounted at the
requested destination, don't error out. We'll check before attempting to
mount to see if the destination is already a mount point. If so, skip
doing the mount in the agent.
This facilitates mounting the sharedfs automatically in the guest before
the agent service starts.
Signed-off-by: Eric Ernst eric.g.ernst@gmail.comFixes: #1398
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Since the kata's hypervisor process is in the network namespace,
which is close to container's process, and some host metrics
such as cadvisor can use this pid to access the network namespace
to get some network metrics. Thus this commit replace the shim's
pid with the hypervisor's pid.
Fixes: #1451
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
There's no runtime repo anymore, let's avoid making a reference to it,
which may end up confusing people reading the Release-Process file.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
All the work done on this file, apart from merging the 2.x repo, and now
removing unused lines, comes from Intel.
The reason it's being added is to silent a complaint from the static
checker.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no more NEMU, for some time already. Considering this, let's
just remove any mention to it as part of our project.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no reason to ship qemu & qemu-virtiofs when the former already
includes vitiofs support (and that's the default for 2.x deployments).
In case we will enable experimental qemu DAX support, we should add a
new target, a "qemu-experimental" target, as Carlos has been working on.
Fixes: #1424
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The docker script has been removed as part of
62cbaf4de4, but references to it were left
behind in the artifact-list.sh, release/kata-deploy-binaries.sh, and
kata-deploy/Dockerfile.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
BFQ weight controller is using the same BFQ weight scheme (i.e 1->1000).
Therefore, there is no need to do the conversion.
More details here: https://github.com/opencontainers/runc/pull/2786Fixes: #1440
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
If the container has exited, the sender in notifier watching OOM events
will be dropped after the loop exited, and recv() from the according
receiver will get None.
This will lead two problems for get_oom_event rpc all from agent:
- return an wrong OOM event.
- continuously return OOM events.
Fixes: #1369
Signed-off-by: bin <bin@hyper.sh>
For Kata Containers 2.x, CRI-O should always be using the
`containerd-shim-kata-v2` binary, and always be configured to use the
"vm" runtime type, developed specifically for the shimv2, instead of the
default "oci" runtime type.
I've taken the liberty to try to simplify the CRI-O script and make it
less error prone. In the future, we can start dropping a configuration
file to /etc/crio/crio.conf.d and just removing it as part of the
cleanup, but that's for the future.
Fixes: #1357
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Factoring those pieces of code to their own functions allows us to
easily re-use them when creating & cleaning up the CRI-O configuration
files, as CRI-O is also affected by the issues that are still opened.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Our list was based on what we used to ship for Kata Containers 1.x, not
even taking into account the shimv2 binary.
Let's update it in order to reflect better what we currently distribute.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
