In case we use an hypervisor that cannot support filesystem sharing,
we copy files over to the VM rootfs through the gRPC protocol. This
is a nice workaround, but it only works with regular files, which
means no device file, no socket file, no directory, etc... can be
sent this way.
This is a limitation that we accept here, by simply ignoring those
non-regular files.
Fixes#1068
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
This includes cleaning up the sandbox on disk resources,
and closing open fds when preparing the hypervisor.
Fixes: #1057
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Start adding support for virtio-mmio devices starting with block.
The devices show within the vm as vda, vdb,... based on order of
insertion and such within the VM resemble virtio-blk devices.
They need to be explicitly differentiated to ensure that the
agent logic within the VM can discover and mount them appropropriately.
The agent uses PCI location to discover them for virtio-blk.
For virtio-mmio we need to use the predicted device name for now.
Note: Kata used a disk for the VM rootfs in the case of Firecracker.
(Instead of initrd or virtual-nvdimm). The Kata code today does not
handle this case properly.
For now as Firecracker is the only Hypervisor in Kata that
uses virtio-mmio directly offset the drive index to comprehend
this.
Longer term we should track if the rootfs is setup as a block
device explicitly.
Fixes: #1046
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
By breaking down updateRuntimeConfig() into smaller functions, this
commit prevents the function to grow a Go complexity higher than 15.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In order to let the user choose firecracker hypervisor instead of
QEMU (from the configuration.toml), let's add it to the list of
supported hypervisors.
Fixes#1042
Depends-on: github.com/kata-containers/runtime#1044
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Because firecracker currently does not support a proper stop from
the caller, and because we don't want the agent to initiate a reboot
to shutdown the VM, the simplest and most efficient solution at the
moement is to signal the VM process with SIGTERM first, followed by
a SIGKILL if the process is still around.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Use the firecracker rescan logic to update the pre-attached drive.
This allows us to emulate hotplug.
Initially the drive backing stores are set to empty files on the
host. Once the actual block based device or file is available
swap the backing store.
The rescan needs to be issued iff the VM is running.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Unlike QEMU firecracker cannot accept a fd as part of the REST API.
Close the vsock vhostfd close to the point where we launch the VM.
Note: This is still racy.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Add firecracker as a supported hypervisor. This connects the
newly defined firecracker implementation as a supported
hypervisor.
Move operation definition to the common hypervisor code.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Initial Support for the firecracker VMM
Note:
- 9p is unsupported by firecracker
- Enable pseudo hotplug block device hotplug capability
Initially, this will be a pseudo capability for Firecracker hypervisor,
but we will utilize a pool of block devices and block device rescan as a
temporary workaround.
Fixes: #1064
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Vendor in all firecracker dependencies. This allows virtcontainers
to pull call the firecracker REST API.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
In case the hypervisor implementation does not return any thread
ID, this should not issue any error since there is simply nothing
to constrain.
Fixes#1062
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Copy files to contaier's rootfs if hypervisor doesn't supports filesystem
sharing, otherwise bind mount them in the shared directory.
see #1031
Signed-off-by: Julio Montes <julio.montes@intel.com>
If the hypervisor does not support filesystem sharing (for example, 9p),
files will be copied over gRPC using the copyFile request function.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Files are copied over gRPC and there is no limit in size of the files that
can be copied. Small files are copied using just one gRPC call while big files
are copied by parts.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Not all hypervisors support filesystem sharing. Add capability flags to track
this. Since most hypervisor implementations in Kata *do* support this, the set
semantices are reversed (ie, set the flag if you do not support the feature).
Fixes: #1022
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Julio Montes <julio.montes@intel.com>
Brings support to copy file from host to guest
shortlog:
169d755 protocols/grpc: implement function to copy files
ff87c26 virtio-mmio: Add support for virtio-mmio blk devices
b9c5d5b libcontainer: use /run as root containers path
092f1a0 block: add support of block storage driver "nvdimm"
Signed-off-by: Julio Montes <julio.montes@intel.com>
Vsock conflicts with factory, when both of them are enabled,
kata will try to create a new vm template which is useless,
thus it's better to return an error directly to let users know
that those two config cannot be enabled at the same time.
Fixes: #1055
Signed-off-by: fupan <lifupan@gmail.com>
The multiqueue flag associated with the TUNTAP network device cannot
be used if the number of queues indicates 0. When 0, this means the
multiqueue is not supported, and we cannot use the according flag.
Fixes#1051
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
We can use the background context when creating test sandboxes from the
sanbox unit tests. This shuts the "trace called before context set"
erros down.
Fixes: #1048
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
We need to bump the kernel version from 4.14.67 to 4.19.10 in order
to follow the recent kernel config bump.
Fixes#1029
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
containerd would like to get the shim's socket
address from shimv2's stdout, thus it's better
to discard the log's output before shimv2 init
it's logger and at the same time add a hook to
log into syslog.
Fixes: #1035
Signed-off-by: Fupan Li <lifupan@gmail.com>
Since kata-agent is using virtio-console to output debugging info
and the console ports are available in the guest as /dev/hvc0 and
/dev/hvc1, we should swap origin console type 'console=ttyAMA0'
with 'console=hvc0,hvc1'.
Fixes: #1033
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
In order to properly setup the network, hence allocate or not multiple
queues, this commit makes sure that the hypervisor capabilities are
checked for this.
Fixes#1027
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Each hypervisor is different and supports different options regarding
the network interface it creates. In particular, the multiqueue option
is not supported by Firecracker and should not be assumed by default.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
The point of knowing the number of CPUs from the network perspective
is to determine the number of queues that can be allocated to the
network interface of the our virtual machine.
Therefore, it's more logical to name it queues from a network.go
perspective.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In order to prevent from future duplication of calls into the
hypervisor interface, the hypervisor is directly passed as part
of the xConnectVMNetwork() function. Because this does not apply
the disconnection case, this commit splits the former function
into two separate ones.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
HotplugRemoveMemory require to do a qmp call, but
unit test does not start a Qemu instance.
Depends-on: github.com/kata-containers/tests#1007
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- Container only is responsable of namespaces and cgroups
inside the VM.
- Sandbox will manage VM resources.
The resouces has to be re-calculated and updated:
- Create new Container: If a new container is created the cpus and memory
may be updated.
- Container update: The update call will change the cgroups of a container.
the sandbox would need to resize the cpus and VM depending the update.
To manage the resources from sandbox the hypervisor interaface adds two methods.
- resizeMemory().
This function will be used by the sandbox to request
increase or decrease the VM memory.
- resizeCPUs()
vcpus are requested to the hypervisor based
on the sum of all the containers in the sandbox.
The CPUs calculations use the container cgroup information all the time.
This should allow do better calculations.
For example.
2 containers in a pod.
container 1 cpus = .5
container 2 cpus = .5
Now:
Sandbox requested vcpus 1
Before:
Sandbox requested vcpus 2
When a update request is done only some atributes have
information. If cpu and quota are nil or 0 we dont update them.
If we would updated them the sandbox calculations would remove already
removed vcpus.
This commit also moves the sandbox resource update call at container.update()
just before the container cgroups information is updated.
Fixes: #833
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
