When building kata runtime, packagers can simply do something like
`make CONFDIR=/usr/share/kata-containers/defaults` and it'll make
runtime understand that `/usr/share/defaults/kata-containers/` shouldn't
be used as `defaultRuntimeConfiguration` and, instead, runtime will use
whatever was passed to `make` during build time.
This is a quite common approach, mainly for distros, as there's no
perfect agreement on directory layout and whatnot.
Knowing that, let's also make `containerd-shim-kata-v2`, which reads the
configurations from `pkg/katautils/config-settings.go`, to have a
similar behaviour as `runtime` and respect a "build-time" configured
`defaultRuntimeConfiguration` and `defaultSysConfRuntimeConfiguration`
paths.
Fixes: #2610
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
We only dumped test results for debugging, when tests failed.
We should also delete them for avoiding leaving stale test results
under /tmp.
Fixes: #442
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As per [1], the default scan mode of scsi is sync.
kata-agent already scans the SCSI buses [2], changing it to none
can reduce the guest boot time.
=Before this patch=
[ 0.113828] [ T1] scsi host0: Virtio SCSI HBA
[ 0.134006] [ T1] tun: Universal TUN/TAP device driver, 1.6
=After this patch=
[ 0.105891] [ T1] scsi host0: Virtio SCSI HBA
[ 0.107868] [ T1] tun: Universal TUN/TAP device driver, 1.6
It reduces about 17ms on arm64 for virtio-scsi.
This patch changes the default kernel parameter:
1. If user specifies the scan mode, use that
2. If user doesn't specify it, and the block device is virtio-scsi, use
"none" by default
[1] https://lwn.net/Articles/201898/
[2] https://github.com/kata-containers/agent/blob/649d44117a/device.go#L322
Fixes: #2560
Signed-off-by: Jia He <justin.he@arm.com>
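The precedence rule in the commit above (an operator-supplied `scsi_mod.scan` always wins; the `none` default is appended only when no such parameter is present and the block device driver is virtio-scsi) as an added Go example. This is not kata's own code; the parameter type, the `applyScsiScanDefault` function and the `"virtio-scsi"` driver string it compares against are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// KernelParam is one guest kernel command-line token, "key=value" or a bare "key".
// (Hypothetical type for this example, not kata's.)
type KernelParam struct {
	Key   string
	Value string
}

// parseParam splits a single token into key and (possibly empty) value.
func parseParam(tok string) KernelParam {
	parts := strings.SplitN(tok, "=", 2)
	p := KernelParam{Key: parts[0]}
	if len(parts) == 2 {
		p.Value = parts[1]
	}
	return p
}

// hasParam reports whether the operator already set key, with any value.
func hasParam(params []KernelParam, key string) bool {
	for _, p := range params {
		if p.Key == key {
			return true
		}
	}
	return false
}

// applyScsiScanDefault implements the precedence described in the commit:
//  1. if the user specified scsi_mod.scan, keep exactly what they set;
//  2. otherwise, when the block device driver is virtio-scsi, append
//     scsi_mod.scan=none (the agent rescans the SCSI buses itself).
// Any other driver leaves the command line untouched.
func applyScsiScanDefault(userParams []string, blockDriver string) []KernelParam {
	params := make([]KernelParam, 0, len(userParams)+1)
	for _, tok := range userParams {
		params = append(params, parseParam(tok))
	}
	if !hasParam(params, "scsi_mod.scan") && blockDriver == "virtio-scsi" {
		params = append(params, KernelParam{Key: "scsi_mod.scan", Value: "none"})
	}
	return params
}

// render formats the parameters back into a space-separated command line.
func render(params []KernelParam) string {
	parts := make([]string, 0, len(params))
	for _, p := range params {
		if p.Value == "" {
			parts = append(parts, p.Key)
		} else {
			parts = append(parts, p.Key+"="+p.Value)
		}
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed inputs: an operator default line, and one where the
	// operator insists on synchronous scanning.
	fmt.Println(render(applyScsiScanDefault([]string{"console=hvc0", "quiet"}, "virtio-scsi")))
	fmt.Println(render(applyScsiScanDefault([]string{"scsi_mod.scan=sync"}, "virtio-scsi")))
}
```

The point worth keeping when porting this into a real config builder is the first branch: a default that silently overrode an explicit operator setting would make the guest's device discovery behaviour depend on which code path ran last, which is exactly the kind of surprise a build-time or per-host default should never introduce.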
If always using dax, even if virtio_fs_cache is 0, the following error
would happen:
```
[root@f32 runtime]# podman run --security-opt label=disable --runtime=/usr/local/bin/kata-runtime --rm -id fedora sh
Error: rpc error: code = Internal desc = Could not mount kataShared to /run/kata-containers/shared/containers/: invalid argument: OCI runtime error
```
Fixes: #2464
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Although in the earlier stages of development those FUSE client mount
options were needed, when virtiofs got merged the default option values
were baked into virtiofs.ko.
Those options are not only unneeded, but they'd also cause issues when
trying to run recent enough kernels, as shown below:
```
[root@f32 runtime]# podman run --security-opt label=disable --runtime=/usr/local/bin/kata-runtime --rm -id fedora sh
Error: rpc error: code = Internal desc = Could not mount kataShared to /run/kata-containers/shared/containers/: invalid argument: OCI runtime error
```
Fixes: #2464
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
virtio_fs was the name used for the module in the very early stages of
its development.
Fixes: #2462
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This includes a newer kernel and necessary overlay changes
that fix outstanding issue for running docker in docker using
overlay.
Depends-on: github.com/kata-containers/agent#738
Depends-on: github.com/kata-containers/shim#233
Fixes: #2603
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The container log fifo is opened as `O_WRONLY` now. When the read side
of fifo is closed temporarily such as restarting containerd, write to
`tty.Stdout` will get an EPIPE error and finally cause `io.CopyBuffer`
return. Then `ioCopy` closes the tty io and exits. Thus after containerd
restarted, the log fifo can't be reopened. The container will be blocked
forever after stdout/stderr buffer is full.
Opening the log fifo with `RDWR` instead of `WRONLY` avoids the fifo
returning EPIPE when the read side is closed, and keeps the fifo open
until the reader reopens it.
Fixes: #2590
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
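The failure mode and the fix described in the commit above, as an added Go example that is not kata's own code: a FIFO is created in a temporary directory, a reader attaches, consumes one line and disconnects (standing in for a containerd restart), and the writer then tries to log again. With the FIFO opened `O_WRONLY` the second write fails with `EPIPE`; with `O_RDWR` the process itself holds a read end, so the FIFO never has zero readers and the write succeeds. The function names and the `O_RDONLY|O_NONBLOCK` reader used to sequence the test are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openLogFifo opens the log FIFO either O_WRONLY (the old behaviour) or
// O_RDWR (the fix). Hypothetical helper for this example.
func openLogFifo(path string, rdwr bool) (*os.File, error) {
	flag := os.O_WRONLY
	if rdwr {
		flag = os.O_RDWR
	}
	return os.OpenFile(path, flag, 0)
}

// writeAfterReaderGone replays the scenario from the commit and returns the
// error of the write that happens after the read side has gone away
// (nil means the FIFO stayed usable).
func writeAfterReaderGone(rdwr bool) error {
	dir, err := os.MkdirTemp("", "fifo-demo")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "log.fifo")
	if err := syscall.Mkfifo(path, 0o600); err != nil {
		return err
	}

	// open(2) with O_WRONLY blocks until a reader exists, so attach the
	// stand-in reader first; O_RDONLY|O_NONBLOCK never blocks on a FIFO.
	reader, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NONBLOCK, 0)
	if err != nil {
		return err
	}

	writer, err := openLogFifo(path, rdwr)
	if err != nil {
		reader.Close()
		return err
	}
	defer writer.Close()

	// Normal operation: one log line flows from writer to reader.
	if _, err := writer.WriteString("first line\n"); err != nil {
		reader.Close()
		return err
	}
	buf := make([]byte, 64)
	if _, err := reader.Read(buf); err != nil {
		reader.Close()
		return err
	}

	// The reader restarts: its end of the FIFO is closed for a while.
	reader.Close()

	// O_WRONLY: no readers left, write returns EPIPE (Go ignores SIGPIPE on
	// fds other than 1 and 2). O_RDWR: our own read end keeps the FIFO alive.
	_, err = writer.WriteString("second line\n")
	return err
}

func main() {
	fmt.Println("O_RDWR  write after reader left:", writeAfterReaderGone(true))
	err := writeAfterReaderGone(false)
	fmt.Println("O_WRONLY write after reader left:", err, "EPIPE:", errors.Is(err, syscall.EPIPE))
}
```

The trade-off to keep in mind: with `O_RDWR` the writer can fill the pipe buffer and then block (or, on a non-blocking fd, see `EAGAIN`) while no real reader is attached, which is the "blocked until the reader reopens" behaviour the commit wants instead of a dead log stream; a supervisor should therefore still watch for a consumer that never comes back.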
Large decrementer was introduced in Power 9 cpus.
Switch it off with "cap-large-decr=off" as not all KVM hosts
support it.
Fixes: #2599
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
This will allow lock operations, needed by programs like
`apt-get upgrade`.
Fixes: #2594
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Update golang to 1.13.9 in versions.yaml.
In addition, add same golang version to `.travis.yml` and
delete the call to `.ci/install_go.sh` as it started to
cause problems in travis CI.
Fixes: #2592.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Since fs sharing is not assumed as supported by default, expose
explicitly that the qemu_ppc64le supports it.
Fixes: #2584
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
We want to launch the KVM launcher tool (qemu?) with an SELinux label, similar
to what we do with libvirt.
Currently when I use kata with Podman, it complains if we specify a label that
kata does not support SELinux labels. What I would like to do is have kata just
use this label to apply to the KVM launcher. Then I will work to generate a new
policy type (container_kvm_t) that will allow the KVM Launcher tool to do its
thing, but prevent breakout.
Fixes: #2501
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It's better to check the sandbox's get_container
result instead of unwrapping it directly, otherwise it would
crash the agent if the container id is invalid.
Fixes: #178
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When killing a process, if the exec id is empty, then
it means to kill all processes in the container; if
the exec id isn't empty, then it will only kill the
specific exec process.
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Add the container id and exec id to start container's log,
which would make it clearer to check the log.
Fixes: #173
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Make explicit that sharedfs is supported.
Other features are not supported today.
Fixes: #2567
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
All the other caps are inverted (not supported by default).
Make fs sharing not supported by default and let hypervisors
expose if it supports it.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
To have a consistent behavior of CPU hotplug with qemu in clh, we should
only report warning instead of errors when the requested vCPUs exceed
the maximum number of vCPUs allowed.
Fixes: #2551
Signed-off-by: Bo Chen <chen.bo@intel.com>
- Add support to change default hypervisor via env variable.
- Show in the summary the default hypervisor to be used.
```
export DEFAULT_HYPERVISOR=cloud-hypervisor
make
sudo -E make install
```
Fixes: #2565
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Request memory to resize memory to hypervisor.
Depends-on: github.com/kata-containers/tests#2413
Fixes: #2526
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We currently use containerd v1.3.0, but this version has an
issue when running the containerd/cri tests with go 1.13.
This commit: 3a4acfbc99aa976849f51a8edd4af20ead51d8d7 from
branch release/1.3 contains the fix to be able to run the
tests with go 1.13.
Depends-on: github.com/kata-containers/tests#2415
Fixes: #2562.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>