All the code related to HasCRIContainerType is useless and no longer needed
since the CRIContainerType annotation is not considered for constraining or
not the sandbox
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Kata relies on the cgroup parent created and configured by the container
engine, but sometimes the sandbox cgroup is not configured and the container
may have access to all the resources, hence the runtime must constrain the
sandbox and update the list of devices with the devices hotplugged in the
hypervisor.
Fixes: kata-containers/runtime#2605
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The hypervisor needs access to `/dev/vfio/vfio` to use VFIO devices.
Remove all devicemapper devices from the allowed list, the device cgroup
must be updated when before hotpluggin any device.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
add `AddDevice` and `RemoveDevice` to cgroup manager to allow adding
and removing devices from the device cgroup
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add functions to convert a host device to a cgroup device or linux device,
the first one is used to update the device cgroup and the second one to
update the resources in the OCI spec.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
`GetHostPath()` method returns the device path in the host, this way the
runtime can get the device information for updating the sandbox's device
cgroup.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Hardcode the Cargo.lock file to prevent dependencies
change which would cause some compatible issues.
Fixes: #230
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Since the ttrpc upgraded with async supported, which isn't
compatible with current agent, thus it's better to change
the dependency to a stable branch.
Fixes: #229
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Only load runtime config when it is not set.
We do not expect a service's runtime config to change while
it is running.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
To use the kata-containers repo path.
Most of the change is generated by script:
find . -type f -name "*.go" |xargs sed -i -e \
's|github.com/kata-containers/runtime|github.com/kata-containers/kata-containers/src/runtime|g'
Fixes: #201
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
- Removes `CODE_OF_CONDUCT.md` and `CONTRIBUTING.md` from osbuilder
directory.
- Fixes a reference from `image-builder/README.md` to
`rootfs-builder/README.md`
- Updates the main `README.md` making a reference to the local
`tools/osbuilder/README.md`
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
move all osbuilder files into `tools` directory to be able
to merge this into kata-containers repo.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
It is simply wrong to test kata-check within before sub commands
as it is NOT before at all. Besides it causes errors if kata is
not installed.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We should not use a plain unix socket reader to act as grpc
server. Place a really mock grpc server instead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
- makefile: Make SELinux support configurable
- clh: Boot from persistent memory device
- config: Add scsi_mod.scan=none for virtio-scsi
- katautils: Use config paths set during the build
- version: Update kernel to lts 5.4.32
- clh: virtiofs: Add no_posix_lock option
- versions: Switch to virtio-fs-dev branch for kernel
- v2: Open log fifo with `RDWR` instead of `WRONLY`
- qemu-ppc64le: Switch off large decrementer capability
- versions: Update go to 1.13.9
- qemu_ppc64le: EXpose fs support explicitly
- qemu: Don't crash if virtiofsd path is non existent
- Add SELinux support for running VM Confinement
- clh: Implment capabilities
- Update go to v1.13.8
- Makefile: Allow change default hypervisor via env var
- clh: Report warning when requested vCPUs exceeds maxVCPU allowed
- clh: Enable memory hotplug
- virtcontainers: check PCI resource format before using it
- Support persistent memory volumes
- versions: Update containerd commit
- virtcontainers: Don't create vfio devices in the guest
- shimv2: move container rootfs mounted flag to container level
- AArch64: officially enable firecracker v0.21.0 on AArch64
- clh: add vfio support
d78ffd65 makefile: Make SELinux support configurable
7aa31685 clh: Boot from persistent memory device
e8fc25a7 version: Update clh to master
bf9758bf katautils: Use config paths set during the build
8c850d9e config: Add scsi_mod.scan=none for virtio-scsi
07d0a4f0 version: Update kernel to lts 5.4.32
ab8050c5 kata_agent: Don't use dax if virtio_fs_cache is 0
6218b2a5 kata_agent: Remove sharedDirVirtioFSOptions
95ccc0f7 agent: Use "virtiofs" instead of "virtio_fs"
4c1cacd3 versions: Switch to virtio-fs-dev branch for kernel
8e0f891e v2: Open log fifo with `RDWR` instead of `WRONLY`
afbd03cf qemu-ppc64le: Switch off large decrementer capability
432f9bea clh: virtiofs: Add no_posix_lock option
0294fcb9 versions: Update go to 1.13.9
fd625b3f qemu: Don't crash if virtiofsd path is non existent
5eec8bdf qemu_ppc64le: EXpose fs support explicitly
e4eb553d virtcontainers: Add SELinux support for running VM Confinement
39e354f6 clh: Implement capabilities
0a1ffc1d types: Make FS sharing disable by default
669b6e32 clh: Report warning when requested vCPUs exceeds maxVCPU allowed
7997218c Makefile: Allow change default hypervisor via env var
aab82f67 clh: Add memory hotplug
e62a8aa9 versions: Update containerd commit
2f948738 clh: Use MemUnit to create VM
b6a7d8d6 utils: Add memory unit abstraction
5e7d2538 clh: add vmInfo method
ebb8fd57 versions: Update clh to latest master
4d2574a7 virtcontainers: Don't create vfio devices in the guest
3b53114a virtcontainers: improve algorithm to check Large bar devices
7aff5466 virtcontainers: check PCI resource format before using it
d0a730c6 shimv2: move container rootfs mounted flag to container level
d60902a9 FC: change minimum supported version of Firecracker to v0.21.1
aadf8c4a AArch64: enable firecracker v0.21.1 on AArch64
44e23493 FC: Fix error of overlong firecracker API unix socket
c3bafd57 FC: Change default API socket path
2945bcd7 FC: Removed redundant `--seccomp-level` jailer parameter
d2cae59e FC: Removed redundant `RescanBlockDevice` action
37b91b33 FC: Remove `logger.options`
2c310fec virtcontainers: handle persistent memory volumes
434b3025 virtcontainers: hotplug block drives that are pmem devices as nvdimm
84e0ee13 virtcontainers: reimplement `createBlockDevices`
abbdf078 virtcontainers: add Pmem attribute to BlockDrive
ee941e5c virtcontainers: Implement function to get the pmem DeviceInfo
9ff44dba virtcontainers: implement function to get the backing file
0a4e2edc virtcontainers: move GetDevicePathAndFsType to utils_linux
2c7f27ec vendor: update govmm
f61eca89 clh: Add comments around clh api
6a4e667f virtiofsd: Check if PID is valid
3251beaa version: Update clh to master
c5184641 clh: Add vfio support
4d034b1e versions: update go to v1.14
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
- tests: deleting stale test results when tests failed
- image_builder: Reduce the boundary mb for reducing image size on arm64
- initrd-builder: Don't error if run as non-root
- s390x: Skip rust for s390x
- image_builder: Force mount_dir to be created in /tmp
c29dbae tests: deleting when tests failed
2ac3090 s390x: Skip rust for s390x
9665563 image_builder: Force mount_dir to be created in $TMPDIR
6cae294 initrd-builder: Don't error if run as non-root
005c62a image_builder: Reduce the boundary mb for reducing image size on arm64
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
