Commit Graph

15741 Commits

Author SHA1 Message Date
RuoqingHe
2f134514b0
Merge pull request #11097 from kimullaa/robust-user-input
kata-deploy: add INSTALLATION_PREFIX validation
2025-04-02 10:05:03 +08:00
Ruoqing He
96e43fbee5 ci: Enable build-kata-static-tarball-riscv64.yaml
Previously we introduced `build-kata-static-tarball-riscv64.yaml`,
enable that workflow in `ci.yaml`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-04-01 16:35:14 +08:00
RuoqingHe
10ceeb0930
Merge pull request #11104 from fidencio/topic/kata-deploy-create-runtimeclasses-by-default
kata-deploy: Create runtimeclasses by default
2025-04-01 10:55:44 +08:00
RuoqingHe
b19a8c7b1c
Merge pull request #11066 from kimullaa/update-command-sample
kernel: Update the usage in readme
2025-04-01 09:12:43 +08:00
RuoqingHe
b046f79d06
Merge pull request #11100 from kimullaa/remove-double-slash
kata-deploy: remove the double "/"
2025-04-01 08:17:00 +08:00
Shunsuke Kimura
a05f5f1827 kata-deploy: add INSTALLATION_PREFIX validation
INSTALLATION_PREFIX must begin with a "/"
because it is being concatenated with /host.

If there is no /, displays a message and makes an error.

Fixes: #11096

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-04-01 06:47:30 +09:00
Shunsuke Kimura
a49b6f8634 kata-deploy: Moves the function to the top
Move functions that may be used in validation to the top.

Fixes: #11097

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-04-01 06:47:30 +09:00
Zvonko Kaiser
d81a1747bd
Merge pull request #11085 from kevinzs2048/fix-virtiomem
runtime-go: qemu: Fix sandbox start failing with virtio-mem enable on arm64
2025-03-31 17:09:43 -04:00
Zvonko Kaiser
e5c4cfb8a1
Merge pull request #11081 from BbolroC/unsealed-secret-fix
tests: Enable sealed secrets for all TEEs
2025-03-31 11:19:52 -04:00
Shunsuke Kimura
c0af0b43e0 kernel: Update the outdated usage in the readme
Since it is difficult to update the README when modifying the options of ./build-kernel.sh,
instead of update the README, we encourage users to run the -h command.

Fixes: #11065

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-03-31 23:29:58 +09:00
Shunsuke Kimura
902cb5f205 kata-deploy: remove the double "/"
Currently, ConfigPath in containerd.toml is a double "/" as follows.

```
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers//configuration-clh.toml"
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-cloud-hypervisor.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers//runtime-rs/configuration-cloud-hypervisor.toml"
...
```

So, removed the double "/".

Fixes: #11099

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-03-31 22:31:36 +09:00
Fabiano Fidêncio
28be53ac92 kata-deploy: Create runtimeclasses by default
Let's make the life of the users easier and create the runtimeclasses
for them by default.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-31 11:29:44 +01:00
Xuewei Niu
abbc9c6b50
Merge pull request #11101 from RuoqingHe/runtime-rs-fix-fmt-check
runtime-rs: Remove redundant empty line
2025-03-31 16:28:55 +08:00
Ruoqing He
3c78c42ea5 runtime-rs: Remove redundant empty line
While running `cargo fmt -- --check` in `src/runtime-rs` directory, it
errors out and suggesting these is an redundant empty line, which
prevents `make check` of `runtime-rs` component from passing.

Remove redundant empty line to fix this.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-31 00:39:04 +08:00
Steve Horsman
44bab5afc4
Merge pull request #11091 from fidencio/topic/ci-add-kata-deploy-tests-as-required
gatekeeper: Add kata-deploy tests as required
2025-03-28 11:05:03 +00:00
Fabiano Fidêncio
5a08d748b9
Merge pull request #11088 from kimullaa/fix-cleanup-failure
kata-deploy: Fix kata-cleanup's CrashLoopBackOff
2025-03-27 20:33:52 +01:00
Fabiano Fidêncio
700944c420 gatekeeper: Add kata-deploy tests as required
kata-deploy tests have been quite stable, working for more than 10 days
without any nightly failure (or any failure reported at all), and I'll
be the one maintaining those.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-27 19:47:38 +01:00
Steve Horsman
97bd311a66
Merge pull request #11058 from stevenhorsman/required-static-checks-rename
ci: Update static-checks strings
2025-03-27 12:56:28 +00:00
Xuewei Niu
54dcf0d342
Merge pull request #11056 from RuoqingHe/runtime-qemu-riscv
runtime: Support and enable build on riscv64
2025-03-27 17:02:21 +08:00
Fabiano Fidêncio
047b7e1fb7
Merge pull request #11063 from lifupan/fix_compile
runtime-rs: update the protobuf to 3.7.1
2025-03-27 09:52:20 +01:00
Fabiano Fidêncio
41b536d487
Merge pull request #11059 from microsoft/danmihai1/tests-common
tests: k8s: clean-up shellcheck warnings in tests_common.sh
2025-03-27 09:51:49 +01:00
Shunsuke Kimura
9ab6ab9897 kata-deploy: Fix kata-cleanup's CrashLoopBackOff
Since kata-deploy.sh references an undefined variable,
kata-cleanup.yaml enters a CrashLoopBackOff state.

```
$ kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
daemonset.apps/kubelet-kata-cleanup created

$ kubectl get pods -n kube-system
kubelet-kata-cleanup-zzbd2        0/1     CrashLoopBackOff   3 (33s ago)     80s

$ kubectl logs -n kube-system daemonsets/kubelet-kata-cleanup
/opt/kata-artifacts/scripts/kata-deploy.sh: line 19: SHIMS: unbound variable
```

Therefore, set an initial value for the environment variables.

Fixes: #11083

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-03-27 15:00:19 +09:00
Hyounggyu Choi
0432d2fcdf
Merge pull request #11086 from BbolroC/fix-overwrite-containerd-config
tests: Make sure /etc/containerd before writing config
2025-03-27 05:57:31 +01:00
Ruoqing He
46caa986bb ci: Skip tests depend on virtualization on riscv64
`VMContainerCapable` requires a present `kvm` device, which is not yet
available in our RISC-V runners. Skipped related tests if it is running
on `riscv-builder`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:47:49 +08:00
Ruoqing He
7f0b1946c5 ci: Enable build-check for runtime on riscv64
`runtime` support for riscv64 is now ready, let enable building and
testing on that component.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:38:30 +08:00
Yuting Nie
1f52f83309 runtime: Enable kata-check test on riscv64
Provide according tests to cover `kata-runtime` package, test
`kata-runtime`'s `check` functionality on riscv64 platforms.

Signed-off-by: Yuting Nie <nieyuting@iscas.ac.cn>
2025-03-27 10:36:55 +08:00
Yuting Nie
b6924ef5e5 runtime: Add getExpectedHostDetails for riscv64
Add `getExpectedHostDetails` with expected value according to template
defined in `kata-check_data_riscv64_test.go`. This provides necessary
`HostInfo` for tests to cover `kata-check_riscv64.go`.

Signed-off-by: Yuting Nie <nieyuting@iscas.ac.cn>
2025-03-27 10:34:34 +08:00
Yuting Nie
594c5e36a6 runtime: Add mock data for kata-check
Add definition of `testCPUInfoTemplate` which is retrieved from
`/proc/cpuinfo` of a QEMU emulated virtual machine on virt board.

Signed-off-by: Yuting Nie <nieyuting@iscas.ac.cn>
2025-03-27 10:33:42 +08:00
Yuting Nie
0ff5cb1e66 runtime: Enable testSetCPUTypeGeneric for riscv64
`testSetCPUTypeGeneric` will be used for writting `kata-check` in
`kata-runtime` on riscv64 platforms, enable building for later testing.

Signed-off-by: Yuting Nie <nieyuting@iscas.ac.cn>
2025-03-27 10:32:29 +08:00
Ruoqing He
2329aeec38 runtime: Disable race flag for riscv64
`-race` flag used for `go test` is not yet supported on riscv64
platforms, disable it for now.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:28:53 +08:00
Ruoqing He
1b4dbebb1b runtime: Enable runtime to build on riscv64
Convert Rust arch to Go arch in Makefile, and add `riscv64-options.mk`
to provide definitions required for runtime to build on riscv64.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:22:55 +08:00
Ruoqing He
805da14634 runtime: Enable runtime check for riscv64
Enable `kata-runtime check` command to work on riscv64 platforms to make
sure required features/devices presents.

Co-authored-by: Yuting Nie <nieyuting@iscas.ac.cn>
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:07:09 +08:00
Ruoqing He
96b2d25508 runtime: Define default values for QEMU riscv
Provide default values while invoking QEMU as the hypervisor for Go
runtime on riscv64 platform.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 10:05:36 +08:00
Ruoqing He
1662595146 runtime: Introduce riscv64 to govmm pkg
Define `vmm` for riscv64, set `MaxVCPUs` to 512 as QEMU RISC-V virt
Generic Virtual Platform [1] define.

[1] https://www.qemu.org/docs/master/system/riscv/virt.html

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 09:57:49 +08:00
Ruoqing He
1e4963a3b2 runtime: Define availableGuestProtection for riscv64
`GuestProtection` feature is not made available yet, return
`noneProtection` for now.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 09:34:53 +08:00
Ruoqing He
4947938ce8 runtime: Introduce riscv64 template for vm factory
Set `templateDeviceStateSize` to 8 as other architectures did.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-27 09:28:32 +08:00
Zvonko Kaiser
b7cf4fd2e6
Merge pull request #11053 from ldoktor/ci
ci: shellcheck fixes
2025-03-26 13:22:56 -04:00
Hyounggyu Choi
1e187482d4 tests: Make sure /etc/containerd before writing config
We get the following error while writing containerd config
if a base dir `/etc/containerd` does not exist like:

```
sudo tee /etc/containerd/config.toml << EOF
...
EOF
tee: /etc/containerd/config.toml: No such file or directory
```

The commit makes sure a base directory for containerd before
writing config and drops the config file deletion because a
default behaviour of `tee` is overwriting.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-26 18:19:45 +01:00
Hyounggyu Choi
0aa76f7206 tests: Enable sealed secrets for TEEs
Fixes: #11011

This commit allows all TEEs to run the sealed secret test.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-26 17:50:41 +01:00
Hyounggyu Choi
423ad8341d agent: Call cdh_handler for sealed secrets after add_storage()
As reported in #11011, mounted secrets are available after
a container image is pulled by add_storage() for IBM SE.
But secure mount should be handled before the `add_storage()`.
Therefore, this commit divides cdh_handler() into:

- cdh_handler_trusted_storage()
- cdh_handler_sealed_secrets()

and calls cdh_handler_sealed_secrets() after add_storage()
while keeping cdh_handler_trusted_storage() unchanged.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-26 17:50:41 +01:00
Fabiano Fidêncio
7a0ac55f22
Merge pull request #10984 from fidencio/topic/tests-kata-deploy-ground-work-to-rewrite-the-tests
tests: kata-deploy: The rest of the ground work to rewrite the kata-deploy tests
2025-03-26 17:47:48 +01:00
Hyounggyu Choi
8088064b8b tests: Set default policy before running sealed secrets tests
The test `Cannot get CDH resource when deny-all policy is set`
completes with a KBS policy set to deny-all. This affects the
future TEE test (e.g. k8s-sealed-secrets.bats) which makes a
request against KBS.
This commit introduces kbs_set_default_policy() and puts it to
the setup() in k8s-sealed-secrets.bats.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-26 17:44:38 +01:00
Kevin Zhao
211a36559c runtime-go: qemu: Fix sandbox start failing with virtio-mem enable on arm64
Also add CONFIG_VIRTIO_MEM to arm64 platform

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-03-26 22:31:00 +08:00
Fabiano Fidêncio
404e212102 tests: kata-deploy: Use helm_helper()
With this we switch to fully testing with helm, instead of testimg with
the kustomizations (which will soon be removed).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:30:15 +01:00
Fabiano Fidêncio
f7976a40e4 tests: Create a helm_helper() common function
Let's use what we have in the k8s functional tests to create a common
function to deploy kata containers using our helm charts.  This will
help us immensely in the kata-deploy testing side in the near future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:30:11 +01:00
Fabiano Fidêncio
eb884d33a8 tests: k8s: Export all the default env vars on gha-run.sh
This is not strictly needed, but it does help a lot when setting up a
cluster manually, while still relying on those scripts.

While here, let's also ensure the assignment is between quotes, to make
shellchecker happier.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:23:16 +01:00
Saul Paredes
ae5c587efc
Merge pull request #11074 from Sumynwa/sumsharma/genpolicy_test
genpolicy: Refactor tests to allow different request types in a testcases json.
2025-03-25 12:38:19 -07:00
Sumedh Sharma
3406df9133 genpolicy: Refactor tests to add different request types in testcases json
This commit introduces changes to add test data for multiple request
type in a single testcases.json file. This allows for stateful testing,
for ex: enable testing ExecProcessRequest using policy state set after testing
a CreateContainerRequest.

Fixes #11073.

Signed-off-by: Sumedh Sharma <sumsharma@microsoft.com>
2025-03-25 13:52:17 +05:30
Mikko Ylinen
85f3391bcf runtime: qemu: add support to use TDX QGS via Unix Domain Sockets
TDX Quote Generation Service (QGS) signs TDREPORT sent to it from
Qemu (GetQuote hypercall). Qemu needs quote-generation-socket
address configured for IPC.

Currently, Kata govmm only enables vsock based IPC for QGS but
QGS supports Unix Domain Sockets too which works well for host
process to process IPC (Qemu <-> QGS).

The QGS configuration to enable UDS is to run the service with "-port=0"
parameter. The same works well here too: setting
"tdx_quote_generation_service_socket_port=0" let's users to enable
UDS based IPC.

The socket path is fixed in QGS and cannot be configured: when "-port=0"
is used, the socket appears in /var/run/tdx-qgs/qgs.socket.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-03-25 10:18:40 +02:00
RuoqingHe
7a704453b6
Merge pull request #11075 from microsoft/danmihai1/genpolicy-debug-build
genpolicy: add support for BUILD_TYPE=debug
2025-03-25 14:59:15 +08:00