Tim Zhang
d0e7a51f7b
dragonball: update prometheus/protobuf to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/396
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
2025-07-18 16:02:29 +02:00
Tim Zhang
222393375a
agent: update ttrpc-codegen to remove dependency on protobuf v2
To fix CVE-2025-53605.
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/397
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:02:07 +02:00
Fabiano Fidêncio
60c3d89767
Merge pull request #11558 from gmintoco/feature/helm-nodeSelector
helm: add nodeSelector support to kata-deploy chart
2025-07-18 15:52:19 +02:00
Fabiano Fidêncio
497a3620c2
tests: Remove references to qemu-sev
As it's been removed from our codebase.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
17ce44083c
runtime: Remove reference to sev package
Otherwise it'll just break static checks.
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
3b5cd2aad6
helm: remove qemu-sev references
qemu-sev support has been removed, but those bits were left behind by
mistake.
Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
41d41d51f7
helm: add nodeSelector support to kata-deploy chart
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them
Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
7d709a0759
Merge pull request #11493 from stevenhorsman/agent-ctl-tag-cache
ci: cache: Tag agent-ctl cache
2025-07-18 12:12:46 +02:00
Fabiano Fidêncio
4a6c718f23
Merge pull request #11584 from zvonkok/fix-kernel-debug-enabled
kernel: fix enable kernel debug
2025-07-18 11:38:36 +02:00
Sumedh Alok Sharma
47184e82f5
Merge pull request #11313 from Ankita13-code/ankitapareek/exec-id-agent-fix
agent: update the processes hashmap to use exec_id as primary key
2025-07-18 14:07:15 +05:30
Fabiano Fidêncio
d9daddce28
Merge pull request #11578 from justxuewei/vsock-async
runtime-rs: Fix the issue of blocking socket with Tokio
2025-07-18 10:13:03 +02:00
Xuewei Niu
629c942d4b
runtime-rs: Fix the issue of blocking socket with Tokio
According to the issue [1], Tokio will panic when we give a blocking
socket to Tokio's `from_std()` method. The panic message is as follows:
```
A panic occurred at crates/agent/src/sock/vsock.rs:59: Registering a
blocking socket with the tokio runtime is unsupported. If you wish to do
anyways, please add `--cfg tokio_allow_from_blocking_fd` to your RUSTFLAGS.
```
A workaround is to set the socket to non-blocking.
1: https://github.com/tokio-rs/tokio/issues/7172
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
1508e6f0f5
agent: Bump Tokio to v1.46.1
Tokio now has a newer version; let us bump it.
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
5a4050660a
runtime-rs: Bump Tokio to v1.46.1
Tokio now has a newer version; let us bump it.
Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Zvonko Kaiser
a786dc48b0
kernel: fix enable kernel debug
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-18 02:24:19 +00:00
Fabiano Fidêncio
eb2bfbf7ac
Merge pull request #11572 from stevenhorsman/RUSTSEC-2024-0384-remediate
More crate bumps for security remediations
2025-07-17 22:35:05 +02:00
Zvonko Kaiser
cef9485634
Merge pull request #11450 from kata-containers/dependabot/cargo/src/agent/nix-0.27.1
build(deps): bump nix to 0.26.4 in agent, libs, runtime-rs
2025-07-17 14:22:40 -04:00
stevenhorsman
41a608e5ce
tools: Bump borsh, liboci-cli and oci-spec
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
e56f493191
deps: Bump zbus, serial_test & async-std
Bump these crates across various components to remove the
dependency on unmaintained instant crate and remediate
RUSTSEC-2024-0384
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
bb820714cb
agent-ctl: Update borsh
- Update borsh to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
Steve Horsman
549fd2a196
Merge pull request #11581 from stevenhorsman/osv-scanner-action-permissions-fix
workflow: Fix osv-scanner action
2025-07-17 18:18:16 +01:00
stevenhorsman
a7e27b9b68
workflow: Fix osv-scanner action
- The GitHub-generated template had an old version which
isn't valid for the pr-scan, so update to the latest
- The action also needs `actions: read` and `contents: read` to run in kata-containers
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 17:29:35 +01:00
Steve Horsman
8741f2ab3d
Merge pull request #11580 from kata-containers/osv-scanner-action
workflow: Add osv-scanner action
2025-07-17 17:00:34 +01:00
stevenhorsman
1a75c12651
workflow: Add osv-scanner action
Add action to check for vulnerabilities in the project and
on each PR
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 16:41:56 +01:00
stevenhorsman
4c776167e5
trace-forwarder: Add nix features
Some of the nix APIs we are using are now enabled by features,
so add these features to resolve the compilation issues
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:09:21 +01:00
dependabot[bot]
cd79108c77
build(deps): bump nix in /src/tools/trace-forwarder
Bumps [nix](https://github.com/nix-rust/nix) from 0.23.1 to 0.30.1.
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/compare/v0.23.1...v0.30.1)
---
updated-dependencies:
- dependency-name: nix
dependency-version: 0.30.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:09:06 +01:00
stevenhorsman
9185ef1a67
runtime-rs: Bump nix to matching version
runtime-rs needs the same version as libs,
so sync this up as well.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:08:46 +01:00
dependabot[bot]
219ad505c2
build(deps): bump nix from 0.24.3 to 0.26.4 in /src/agent
Nix needs to be in sync between libs and agent, so bump
the agent to the libs version
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:01:06 +01:00
dependabot[bot]
a4d22fe330
build(deps): bump nix from 0.24.2 to 0.26.4 in /src/libs
---
updated-dependencies:
- dependency-name: nix
dependency-version: 0.26.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:01:06 +01:00
Fabiano Fidêncio
6dabb3683f
Merge pull request #10961 from zvonkok/shellcheck-zero
shellcheck: fix kernel/build.sh
2025-07-17 12:59:00 +02:00
Steve Horsman
405f5283f0
Merge pull request #11573 from arvindskumar99/versions_comment
OVMF: Making comment in versions.yaml for SEV-SNP
2025-07-17 10:11:58 +01:00
Fabiano Fidêncio
32d40849fa
Merge pull request #11577 from Xynnn007/bump-gc
deps(chore): bump guest-components to candidate v0.14.0
2025-07-17 11:08:36 +02:00
Zvonko Kaiser
ca4f96ed00
shellcheck: fix kernel/build.sh
Refactor code to make shellcheck happy
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-17 10:15:41 +02:00
Xynnn007
82b890349d
deps(chore): bump guest-components to candidate v0.14.0
This new version of gc fixes s390x attestation, and also introduces registry
configuration setting directly via initdata.
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-07-17 10:19:02 +08:00
stevenhorsman
51f41b1669
ci: cache: Tag agent-ctl cache
The peer pods project is using the agent-ctl tool in some
tests, so tagging our cache will let them more easily identify
development versions of kata for testing between releases.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-16 11:32:33 +01:00
Fupan Li
75d23b8884
Merge pull request #11504 from lifupan/fix_fd_leak
agent: fix the issue of parent writer pipe fd leak
2025-07-16 18:29:24 +08:00
Fupan Li
83f54eec52
agent: fix the issue of parent writer pipe fd leak
Sometimes, containers or execs do not use stdin, so there is no chance
to add parent stdin to the process's writer hashmap, resulting in the
parent stdin's fd not being closed when the process is cleaned up later.
Therefore, when creating a process, first explicitly add parent stdin to
the writer hashmap. Make sure that the parent stdin's fd can be closed
when the process is cleaned up later.
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-07-16 16:15:31 +08:00
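The leak described in the commit and the fix it applies, modelled as an added example that is not the agent's own code: `Process`, its `writers` table, `cleanup` and `register_stdin_eagerly` are assumed names for a cut-down version of the structure the message describes, a `UnixStream` pair stands in for the stdin pipe, and the parent-side fd is held as a raw fd (no automatic close) so that the lazy-registration path really does leave it open after cleanup.

```rust
// Added example, not kata-agent code: models the parent-stdin fd leak and the
// fix of registering parent stdin in the writer table at process creation.
use std::collections::HashMap;
use std::io::{self, ErrorKind, Read, Write};
use std::os::fd::{FromRawFd, IntoRawFd, RawFd};
use std::os::unix::net::UnixStream;

/// Cut-down process record. `parent_stdin` is a raw fd, like a C handle, so
/// nothing closes it automatically; only the writer table owns fds that are
/// closed when the table is drained on cleanup.
pub struct Process {
    parent_stdin: Option<RawFd>,
    writers: HashMap<String, UnixStream>,
}

impl Process {
    pub fn new(parent_stdin: UnixStream, register_stdin_eagerly: bool) -> Self {
        let mut p = Process {
            parent_stdin: Some(parent_stdin.into_raw_fd()),
            writers: HashMap::new(),
        };
        if register_stdin_eagerly {
            // The fix: hand the fd to the writer table right away, so cleanup
            // closes it even if nobody ever writes to stdin.
            p.register_stdin();
        }
        p
    }

    /// Moves the parent-side stdin fd into the writer table (no-op if done).
    fn register_stdin(&mut self) {
        if let Some(fd) = self.parent_stdin.take() {
            // SAFETY: `fd` came from into_raw_fd() above and has no other owner.
            let stream = unsafe { UnixStream::from_raw_fd(fd) };
            self.writers.insert("stdin".to_string(), stream);
        }
    }

    /// Pre-fix path: stdin is only registered the first time it is used, so a
    /// workload that never writes to stdin never reaches this point.
    pub fn write_stdin(&mut self, data: &[u8]) -> io::Result<()> {
        self.register_stdin();
        self.writers.get_mut("stdin").expect("registered above").write_all(data)
    }

    /// Cleanup closes every fd in the writer table; whatever never made it
    /// into the table stays open, which is the leak.
    pub fn cleanup(&mut self) {
        self.writers.clear();
    }

    /// Demo-only: reclaim an fd that cleanup missed so the example itself does
    /// not leak. Returns true if there was a leaked fd to reclaim.
    pub fn reclaim_leaked(&mut self) -> bool {
        match self.parent_stdin.take() {
            // SAFETY: same provenance as in register_stdin().
            Some(fd) => { drop(unsafe { UnixStream::from_raw_fd(fd) }); true }
            None => false,
        }
    }
}

/// Seen from the child's end of the pipe: is the parent side closed?
/// A non-blocking read returning Ok(0) means EOF (closed); WouldBlock means
/// the peer is still open with nothing written.
pub fn parent_side_closed(child_end: &mut UnixStream) -> io::Result<bool> {
    child_end.set_nonblocking(true)?;
    let mut buf = [0u8; 1];
    match child_end.read(&mut buf) {
        Ok(0) => Ok(true),
        Ok(_) => Ok(false),
        Err(e) if e.kind() == ErrorKind::WouldBlock => Ok(false),
        Err(e) => Err(e),
    }
}

/// One lifecycle of a process that never uses stdin, then cleanup.
/// Returns (parent stdin closed after cleanup, a leaked fd had to be reclaimed).
pub fn run_lifecycle(register_stdin_eagerly: bool) -> io::Result<(bool, bool)> {
    let (parent_end, mut child_end) = UnixStream::pair()?; // constructed pipe
    let mut p = Process::new(parent_end, register_stdin_eagerly);
    p.cleanup();
    let closed = parent_side_closed(&mut child_end)?;
    Ok((closed, p.reclaim_leaked()))
}

fn main() -> io::Result<()> {
    println!("lazy registration  (closed, leaked): {:?}", run_lifecycle(false)?);
    println!("eager registration (closed, leaked): {:?}", run_lifecycle(true)?);
    Ok(())
}
```

With lazy registration the child end still sees an open peer after `cleanup`, so the fd lives on until the whole agent exits; with eager registration the child end reads EOF, because the table drain closed the parent side.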
Fupan Li
752c8b611e
Merge pull request #11575 from Tim-Zhang/fix-runk-build
runk: Fix build errors
2025-07-16 15:23:58 +08:00
Arvind Kumar
2a52351822
OVMF: Making comment in versions.yaml for SEV-SNP
Adding comment to versions.yaml to indicate that the ovmf-sev is also
used by AMD SEV-SNP, as per the discussion in
https://github.com/kata-containers/kata-containers/pull/11561.
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-16 06:35:21 +02:00
Tim Zhang
c8183a2c14
runk: rename imported crate from users to uzers
To adapt to the new crate name and fix build errors
introduced in the commit 39f51b4c6d
Fixes: #11574
Signed-off-by: Tim Zhang <tim@hyper.sh>
2025-07-16 11:35:39 +08:00
Fabiano Fidêncio
9cebbab29d
Merge pull request #11335 from zvonkok/fix-kata-deploy.sh
gpu: Fix kata deploy.sh
2025-07-15 19:50:44 +02:00
Fabiano Fidêncio
c8b7a51d72
Merge pull request #11082 from zvonkok/debug-kernel
kernel: debug config
2025-07-15 19:04:15 +02:00
Zvonko Kaiser
c56c896fc6
qemu: remove the experimental suffix for qemu-snp
We switched to vanilla QEMU for the CPU SNP use-case.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:49:58 +02:00
Zvonko Kaiser
a282fa6865
gpu: Add TDX related runtime adjustments
We have the QEMU adjustments for SNP but are missing those for TDX
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:49:56 +02:00
Zvonko Kaiser
0d2993dcfd
kernel: bump kernel version
Obligatory kernel version bump
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:48:23 +02:00
Zvonko Kaiser
a4597672c0
kernel: Add KERNEL_DEBUG_ENABLED to build scripts
We want to be able to build a debug version of the kernel for various
use-cases like debugging, tracing and others.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-15 16:48:03 +02:00
Fabiano Fidêncio
b7af7f344b
Merge pull request #11569 from Xynnn007/bump-coco
deps(chore): update guest-components and trustee
2025-07-15 16:34:23 +02:00
Fabiano Fidêncio
aac555eeff
Merge pull request #11571 from fidencio/topic/fix-nvidia-gpu-initrd-cache
build: Fix cache for nvidia-gpu-initrd builds
2025-07-15 16:28:03 +02:00
Fabiano Fidêncio
4415a47fff
Merge pull request #11557 from Apokleos/fix-initdata
runtime-rs: Fix initdata length field missing when create block
2025-07-15 16:22:45 +02:00
Fabiano Fidêncio
11c744c5c3
Merge pull request #11567 from zvonkok/remove-gpu-admin-tools
Remove gpu admin tools
2025-07-15 15:11:56 +02:00