Extra groups were not being handled when exec'ing. Ensure
that these are handled.
Before this, running a pod with:
```
...snippet...
securityContext:
fsGroup: 266
runAsGroup: 51020
runAsUser: 264
```
And then exec'ing would not supply the fsGroup:
```
$ kubectl exec -it kata-bb -- sh -c id
uid=264 gid=51020
```
Fixes: #1500
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Since the crate dirs::home_dir function depends on the
libc's api: getpwuid_r, but this api function wouldn't
be static linked on glibc, thus we'd better to figure
out an alternative way to get the home dir from /etc/passwd.
For much more info about this glibc's issue, please see:
https://sourceware.org/bugzilla/show_bug.cgi?id=19341.
This commit read and parse the "/etc/passwd" directly and
fetch the corresponding uid's home dir.
Fixes: #675
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Remove unused function parameters from the following types:
- `AgentCmdFp`: Removed the config parameter and made
the context parameter the first (à la golang).
- `BuiltinCmdFp`: Removed the config and options parameters.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The recent switch to an async rust agent broke the `agent-ctl` tool.
However, we didn't notice because that isn't being built by the CI.
Fix the breakage by passing a ttRPC context to all ttRPC API calls and
also build the tool as part of the static checks CI.
Fixes: #1471.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Currently, musl toolchain installation on arm64 is just downloading from
a website. It's unsafe in case the website corrupts. So build musl
toolchain from source if it can't be downloaded.
Fixes: #1481
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Update the Intel QAT Dockerfile to work with the 2.0 repos, fix some
bugs with building Debian/Ubuntu rootfs, and update the latest QAT
driver. Updated copyright.
Fixes: #1419
Signed-off-by: Adams, Eric <eric.adams@intel.com>
Each Kata Containers application should generate log records with a specified
structure. Currently on containerd-shim-v2's logs, the required 'name' field
is missing. This changed its logger to append the application name on each
and every emitted entries.
Fixes#1479
Related-to: github.com/kata-containers/tests/issues/3260
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
When do pass guest device files to container, the source
file wouldn't be a regular file, but we also need to create
a corresponding destination file to bind mount source file
to it. Thus it's better to check whether the source file
was a directory instead of regular file.
Fixes: #1477
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Looks like we inadvertantly removed the check on the loadRuntimeConfig
error return value. Adding back...
Fixes: #1474
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Agent sends -1 PID when invoking OCI hooks.
OCI state struct is initialized before obtaining PID, so this PR moves
`oci_state` call down, right after we get the id.
Fixes: #1458
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Port kata-containers/agent#883 to the Rust Agent.
In the event that the virtiofs device is already mounted at the
requested destination, don't error out. We'll check before attempting to
mount to see if the destination is already a mount point. If so, skip
doing the mount in the agent.
This facilitates mounting the sharedfs automatically in the guest before
the agent service starts.
Signed-off-by: Eric Ernst eric.g.ernst@gmail.comFixes: #1398
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Since the kata's hypervisor process is in the network namespace,
which is close to container's process, and some host metrics
such as cadvisor can use this pid to access the network namespace
to get some network metrics. Thus this commit replace the shim's
pid with the hypervisor's pid.
Fixes: #1451
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
There's no runtime repo anymore, let's avoid making a reference to it,
which may end up confusing people reading the Release-Process file.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
All the work done on this file, apart from merging the 2.x repo, and now
removing unused lines, comes from Intel.
The reason it's being added is to silent a complaint from the static
checker.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no more NEMU, for some time already. Considering this, let's
just remove any mention to it as part of our project.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no reason to ship qemu & qemu-virtiofs when the former already
includes vitiofs support (and that's the default for 2.x deployments).
In case we will enable experimental qemu DAX support, we should add a
new target, a "qemu-experimental" target, as Carlos has been working on.
Fixes: #1424
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The docker script has been removed as part of
62cbaf4de4, but references to it were left
behind in the artifact-list.sh, release/kata-deploy-binaries.sh, and
kata-deploy/Dockerfile.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
If the container has exited, the sender in notifier watching OOM events
will be dropped after the loop exited, and recv() from the according
receiver will get None.
This will lead two problems for get_oom_event rpc all from agent:
- return an wrong OOM event.
- continuously return OOM events.
Fixes: #1369
Signed-off-by: bin <bin@hyper.sh>
For Kata Containers 2.x, CRI-O should always be using the
`containerd-shim-kata-v2` binary, and always be configured to use the
"vm" runtime type, developed specifically for the shimv2, instead of the
default "oci" runtime type.
I've taken the liberty to try to simplify the CRI-O script and make it
less error prone. In the future, we can start dropping a configuration
file to /etc/crio/crio.conf.d and just removing it as part of the
cleanup, but that's for the future.
Fixes: #1357
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Factoring those pieces of code to their own functions allows us to
easily re-use them when creating & cleaning up the CRI-O configuration
files, as CRI-O is also affected by the issues that are still opened.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Our list was based on what we used to ship for Kata Containers 1.x, not
even taking into account the shimv2 binary.
Let's update it in order to reflect better what we currently distribute.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
