Commit Graph

16279 Commits

Author SHA1 Message Date
Fabiano Fidêncio
f7d3ea0c55
Merge pull request #11437 from kata-containers/release-flow-permissions-fixes-iii
workflows: Release permissions
2025-06-19 11:23:46 +02:00
stevenhorsman
19597b8950 workflows: Release permissions
Add more permissions to the release workflow
in order to enable `gh release` commands to run

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 10:05:23 +01:00
Fabiano Fidêncio
254ada2f6a
Merge pull request #11436 from kata-containers/release-flow-permission-fix-ii
workflows: Add extra permissions
2025-06-19 10:45:26 +02:00
stevenhorsman
7c6c6f3c15 workflows: Add extra permissions
Add permissions to the ppc release

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 09:39:01 +01:00
Steve Horsman
00c9e61b60
Merge pull request #11435 from kata-containers/release-flow-permissions-fix(es)
workflows: Fix permissions
2025-06-19 09:35:23 +01:00
stevenhorsman
9adf989555 workflows: Fix permissions
Add extra permissions for reusable workflow calls
that need them later on

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 08:44:18 +01:00
Fabiano Fidêncio
e82de65d5d
Merge pull request #11425 from stevenhorsman/release-3.18.0-bump
release: Bump version to 3.18.0
2025-06-18 21:39:51 +02:00
stevenhorsman
6fc622ef0f release: Bump version to 3.18.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 19:09:42 +01:00
Steve Horsman
060faa3d1a
Merge pull request #11433 from kata-containers/cri-containerd-test-fast-fail-false
workflows: Add fail-fast: false to cri-containerd tests
2025-06-18 19:08:59 +01:00
Steve Horsman
e0084a958c
Merge pull request #11432 from stevenhorsman/golang-1.23.10
versions: Bump golang to 1.23.10
2025-06-18 17:25:07 +01:00
Steve Horsman
4e3238b9dc
Merge pull request #11337 from zvonkok/fix-module-signing
gpu: Fix module signing
2025-06-18 17:23:51 +01:00
Steve Horsman
547b6c5781
Merge pull request #11429 from stevenhorsman/cri-containerd-required-test-rename
Cri containerd required test rename
2025-06-18 15:45:14 +01:00
Zvonko Kaiser
e2f18057a4 kernel: Add config option for signing
Only sign the kernel if the user has provided the KBUILD_SIGN_PIN
otherwise ignore.

Whole here, let's move the functionality to the common fragments as it's
not a GPU specific functionality.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-18 15:32:26 +02:00
stevenhorsman
73d7b4f258 workflows: Add fail-fast: false to cri-containerd tests
At the moment if any of the tests in the matric fails
then the rest of the jobs are cancelled, so we have to
re-run everything. Add `fail-fast: false` to stop this
behaviour.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 14:20:16 +01:00
stevenhorsman
aedbaa1545 versions: Bump golang to 1.23.10
Bump golang to fix CVEs GO-2025-3751
and GO-2025-3563

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 11:11:32 +01:00
stevenhorsman
b20f89b775 ci: required-tests: Remove test skip
Remove the rule that causes gatekeeper to skip tests
if we've only updated the required-tests.yaml list.
Although update to just the required-tests.yaml
doesn't change the outcome of any of the CI tests, it
does change whether gatekeeper will still pass with the new
rules. Although it's a bit of a hit to run the CI, it's probably
worth it to keep gatekeeper validated.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
stevenhorsman
d68b09a4f0 ci: required-tests: cri-containerd rename
Update the names of the required jobs based on
the changes done in #11019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00
Steve Horsman
0aca20986b
Merge pull request #11400 from miz060/mitchzhu/add-govulncheck
ci: Add optional govulncheck security scanning to static checks
2025-06-18 10:34:56 +01:00
Steve Horsman
d754e3939b
Merge pull request #11427 from BbolroC/bump-rootfs-confidential-s390x
rootfs: Bump rootfs-{image,initrd} to 24.04
2025-06-18 09:06:58 +01:00
Mitch Zhu
292c27130d ci: Add optional govulncheck security scanning to static checks
This adds govulncheck vulnerability scanning as a non-blocking check in
the static checks workflow. The check scans Go runtime binaries for known
vulnerabilities while filtering out verified false positives.

Signed-off-by: Mitch Zhu <mitchzhu@microsoft.com>
2025-06-17 20:43:00 -07:00
Alex Lyn
b61b20eef3
Merge pull request #11394 from mythi/tdx-kata-deploy-bump
kata-deploy: accept 25.04 as supported distro for TDX
2025-06-18 08:52:46 +08:00
Hyounggyu Choi
4be261f248 rootfs: Bump rootfs-{image,initrd} to 24.04
Since #11197 was merged, all confidential k8s e2e tests for s390x
have been failing with the following errors:

```
attestation-agent: error while loading shared libraries:
libcurl.so.4: cannot open shared object file
libnghttp2.so.14: cannot open shared object file
```

In line with the update on x86_64, we need to upgrade the OS used
in rootfs-{image,initrd} on s390x.
This commit also bumps all 22.04 to 24.04 for all architectures.
For s390x, this ensures the missing packages listed above are
installed.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-06-17 22:03:26 +02:00
Steve Horsman
fd93e83a4f
Merge pull request #11019 from seungukshin/cri-containerd-tests-for-arm64
Enable cri-containerd-tests for arm64
2025-06-17 11:53:49 +01:00
Fupan Li
15b24b5be1
Merge pull request #10698 from Apokleos/kata-volume-rs
runtime-rs: Support Pull Image in Guest with Kata Volume for CoCo
2025-06-17 15:00:02 +08:00
Steve Horsman
a00f39e272
Merge pull request #11419 from katexochen/p/gitignore-direnv
gitignore: ignore direnv
2025-06-16 17:26:10 +01:00
Seunguk Shin
4f9b7e4d4f ci: Enable cri-containerd-tests for arm64
This change enables cri-containerd-test for arm64.

Signed-off-by: Seunguk Shin <seunguk.shin@arm.com>
Reviewed-by: Nick Connolly <nick.connolly@arm.com>
2025-06-16 15:12:17 +01:00
Paul Meyer
822f54c800 ci/static-checks: add dispatch trigger
This simplifies executing the workflow on a fork during testing.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-16 16:12:10 +02:00
Seunguk Shin
203e3af94b ci: Disable run-containerd-sandboxapi
containerd-sandboxapi fails with `containerd v2.0.x` and passes with
`containerd v1.7.x` regardless kata-containers. And it was not tested
with `containerd v2.0.x` because `containerd v2.0.x` could not
recognize `[plugins.cri.containerd]` in `config.toml`.

Signed-off-by: Seunguk Shin <seunguk.shin@arm.com>
2025-06-16 15:02:07 +01:00
Mikko Ylinen
825b1cd233 kata-deploy: accept 25.04 as supported distro for TDX
the latest Canonical TDX release supports 25.04 / Plucky as
well. Users experimenting with the latest goodies in the
25.04 TDX enablement won't get Kata deployed properly.

This change accepts 25.04 as supported distro for TDX.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-16 13:42:08 +01:00
Xuewei Niu
9b4518f742
Merge pull request #11359 from pawelbeza/fix-logs-on-virtiofs-shutdown
Fix logging on virtiofs shutdown
2025-06-16 17:06:29 +08:00
Paul Meyer
b629b11ba0 gitignore: ignore direnv
This allows contributors to setup direnv without having it detected by git.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-16 11:02:00 +02:00
Steve Horsman
64c95cb996
Merge pull request #11389 from kata-containers/checkout-persist-credentials-false
workflows: Set persist-credentials: false on checkout
2025-06-16 09:58:22 +01:00
alex.lyn
cebb259e51 runtime-rs: Introduce force guest pulling image
Container image integrity protection is a critical practice involving a
multi-layered defense mechanism. While container images inherently offer
basic integrity verification through Content-Addressable Storage (CAS)
(ensuring pulled content matches stored hashes), a combination of other
measures is crucial for production environments. These layers include:
Encrypted Transport (HTTPS/TLS) to prevent tampering during transfer;
Image Signing to confirm the image originates from a trusted source;
Vulnerability Scanning to ensure the image content is "healthy"; and
Trusted Registries with stringent access controls.

In certain scenarios, such as when container image confidentiality
requirements are not stringent, and integrity is already ensured via the
aforementioned mechanisms (especially CAS and HTTPS/TLS), adopting
"force guest pull" can be a viable option. This implies that even when
pulling images from a container registry, their integrity remains
guaranteed through content hashes and other built-in mechanisms, without
relying on additional host-side verification or specialized transfer
methods.

Since this feature is already available in runtime-go and offers
synergistic benefits with guest pull, we have chosen to support force
guest pull.

Fixes #10690

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-16 16:49:17 +08:00
alex.lyn
2157075140 kata-types: Introduce a helper method to adjust rootfs mounts
This commit introduces the `adjust_rootfs_mounts` function to manage
root filesystem mounts for guest-pull scenarios.

When the force guest-pull mechanism is active, this function ensures that
the rootfs is exclusively configured via a dedicated `KataVirtualVolume`.
It disregards any provided input mounts, instead generating a single,
default `KataVirtualVolume`. This volume is then base64-encoded and set
as the sole mount option for a new, singular `Mount` entry, which is
returned as the only item in the `Vec<Mount>`.

This change guarantees consistent and exclusive rootfs configuration
when utilizing guest-pull for container images.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-16 16:49:17 +08:00
alex.lyn
c9ffbaf30d runtime-rs: Support handling Kata Virtual Volume in handle_rootfs
In CoCo scenarios, there's no image pulling on host side, and it will
disable such operations, that's to say, there's no files sharing between
host and guest, especially for container rootfs.
We introduce Kata Virtual Volume to help handle such cases:
(1) Introduce is_kata_virtual_volume to ensure the volume is kata
virtual volume.
(2) Introduce VirtualVolume Handling logic in handle_rootfs when the
mount is kata virtual volume.

Fixes #10690

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-16 16:49:17 +08:00
alex.lyn
2600fc6f43 runtime-rs: Add Spec annotation to help pass image information
We need get the relevent image ref from OCI runtime Spec, especially
the annotation of it.

Fixes #10690

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-16 16:49:17 +08:00
alex.lyn
d4e9369d3d runtime-rs: Implement guest-pull rootfs via virtual volumes
This commit introduces comprehensive support for rootfs mount mgmt
through Kata Virtual Volumes, specifically enabling the guest-pull
mechanism.

It enhances the runtime's ability to:
(1) Extract image references from container annotations (CRI/CRI-O).
(2) Process `KataVirtualVolume` objects, configuring them for guest-pull operations.
(3) Set up the agent's storage for guest-pulled images.

This functionality streamlines the process of pulling container images
directly within the guest for rootfs, aligning with guest-side image management strategies.

Fixes #10690

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-16 16:49:17 +08:00
Alex Lyn
a966d1be50
Merge pull request #11197 from Xynnn007/move-image-pull
Move image pull abilities to CDH
2025-06-16 16:43:59 +08:00
Xynnn007
e0b4cd2dba initrd/image: update x86_64 base to ubuntu 24.04
The Multistrap issue has been fixed in noble thus we can use the LTS.

Also, this will fix the error reported by CDH
```
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found
```

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
0b3a8c0355 initdata: delete coco_as token section in initdata
The new version of AA allows the config not having a coco_as token
config. If not provided, it will mark as None.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
5bab460224 chore(deps): update guest-components
This patch updates the guest-components to new version with better
error logging for CDH. It also allows the config of AA not having a
coco_as token config.

Also, the new version of CDH requires to build aws-lc-sys thus needs to
install cmake for build.

See

https://github.com/kata-containers/kata-containers/actions/runs/15327923347/job/43127108813?pr=11197#step:6:1609

for details.

Besides, the new version of guest-components have some fixes for SNP
stack, which requires the updates of trustee side.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
aae64fa3d6 agent: add agent.image_pull_timeout parameter
This new parameter for kata-agent is used to control the timeout for a
guest pull request. Note that sometimes an image can be really big, so
we set default timeout to 1200 seconds (20 minutes).

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
93826ff90c tests: update negative test log assertions
After moving image pulling from kata-agent to CDH, the failed image pull
error messages have been slightly changed. This commit is to apply for
the change.

Note that in original and current image-rs implementation, both no key
or wrong key will result in a same error information.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
7420194ea8 build: abandon PULL_TYPE build env
Now kata-agent by default supports both guest pull and host pull
abilities, thus we do not need to specify the PULL_TYPE env when
building kata-agent.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:53:55 +08:00
Xynnn007
44a6d1a6f7 docs: update guest pull document
After moving guest pull abilities to CDH, the document of guest pull
should be updated due to new workflow.

Also, replace the diagram of PNG into a mermaid one for better
maintaince.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Xynnn007
105cb47991 agent: always try to override oci process spec
In previous version, only when the `guest-pull` feature is enabled
during the build time, the OCI process will be tried to be overrided
when the storage has a guest pull volume and also it is sandbox. After
getting rid of the feature, whether it is guest-pull is runtimely
determined thus we can always do this trying override, by checking if
there is kata guest pull volume in storages and it's sandbox.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Xynnn007
6b1249186f agent: embed ocicrypt config in rootfs by default
Now the ocicrypt configuration used by CDH is always the same and it's
not a good practics to write it into the rootfs during runtime by
kata-agent. Thus we now move it to coco-guest-components build script.
The config will be embedded into guest image/initrd together with CDH
binary.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Xynnn007
22e65024ce agent: get rid of pull-type option
The feature `guest-pull` and `default-pull` are both removed, because
both guest pull and host pull are supported in building time without
without involving new dependencies like image-rs before. The guest pull
will depend on the CDH process, not the build time feature.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Xynnn007
0e15b49369 agent: get rid of init_image_service
we do not need to initialize image service in kata-agent now, as it's
initialized in CDH.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00
Xynnn007
22c50cae7b agent: let image_pull_handler call cdh to pull image
This is a higher level calling to pull image inside guest. Now it should
call confidential_data_hub's API. As the previous pull_image API does
1. check is sandbox
2. generate bundle_path
inside the original logic, and the new API does not do them to keep the
API semantice clean, thus before we call the API, we explicitly do the
two things.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 11:13:20 +08:00