General doc enchancements including:
- Change `cd`s for `pushd` and `popd`s
- Remove hard coded architectures
- Tighten up the security where we `chmod 777`
- Add support for not running as source
- Updates so it doesn't do `ctr pull` if the image is on the
local system already
- Doc and Test running as non-root user (covered by #2879)
- Update doc to match image_rpc changes
Fixes: #3549Fixes: #2879
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Add scripts and documentation to build, configure and test
created a Kata CC unencrypted container using crictl
- Update documentation to better fit the kata documentation requirements
- Fixes: #3510
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Basic config, no debug endpoints, no exec/reseed. Uses the
`$AA_KBC_PARAMS` variable to be used with `envsubst`.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
With the new rust image pull service skopeo we can parameterise whether to build
and install skopeo and turn it off by default if we don't need
signature verification support
Fixes: #3170
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Document how to test the signature validation with
a number of different scenarios and test images
- Update ccv0.sh to add policy_path to kernel_params
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
CRI-O deployment documentation was quite outdated, giving info from the
`1.x` era. Let's update this to reflect what we currently have.
Fixes: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The links are either pointing to the not-used-anymore `master` branch,
or to the kubernetes-incubator page.
Let's always point to the CRI-O github page, using the `main`branch.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Although the documentation removed is correct, it's not relevant to the
current supported versions of CRI-O.
Related: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
When the environment variable $SKOPEO_UMOCI is set to "yes", Skopeo and
umoci are built inside the guest build container and installed to the
guest rootfs. The respective build- and runtime dependencies are added.
This respects the (existing) $LIBC variable (gnu/musl) and avoids issues
with glibc mismatches.
This is currently only supported for Ubuntu guests, as the system Golang
packages included in the versions of other distros that we use are too
old to build these packages, and re-enabling installing Golang from
golang.org is cumbersome, given especially that it is unclear how long
we will keep using Skopeo and umoci.
Additionally, when the environment variable $AA_KBC is set,
attestation-agent (with that KBC) is included.
This replaces some logic in ccv0.sh that is removed.
Fixes: #2907
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Add a new PullImage endpoint to the shim API.
Add new PullImage functions to the virtcontainers files, which allows
the PullImage endpoint on the agent to be called.
Update the containerd vendor files to support new PullImage API changes.
Fixes#2651
Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
Co-authored-by: ashleyrobertson <ashleyro@uk.ibm.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
- Update the CCv0 demo script to use ubuntu instead of fedora
- Update the extra packages to reflect the apt vs dnf namings
- Build and add the skopeo binary to the rootfs image
- Minor kubernetes init fix
Fixes#2849
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Add support for a new source credentials environment variable in the
test script
Add documentation of it into the how-to guide
Fixes#2653
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit add documentation and a script to help people to build, run,
test and demo the CCv0 changes around PullImage on guest.
It is currently limited to the Agent pullimage, but can be expanded
as more code is shared.
Fixes#2574
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Add how-to-setup-swap-devices-in-guest-kernel.md to how-to to introduce
how to setup swap device in guest kernel.
Fixes: #2326
Signed-off-by: Hui Zhu <teawater@antfin.com>
Remove the `Kata Containers with Firecracker` additional configuration steps.
From kata 2.x, the config of `firecracker` is same to `qemu` and `cloud-hypervisor`.
Fixes: #2492
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
update cri plugin source path to containerd pkg in the
how-to-use-k8s-with-cri-containerd-and-kata.md file. The cri project was moved to containerd project pkg directory.
Fixes: #2490
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Kata-proxy is not longer used in kata 2.x, this PR removes the
reference as well to an script that is not longer existing.
Fixes#2391
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Removed all TOCs now that GitHub auto-generates them.
Also updated the documentation requirements doc removing the requirement
to add a TOC.
Fixes: #2022.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The kata-deploy project path has changed from kata v2. fixed kata-deploy path in the document how-to-import-kata-logs-with-fluentd.md.
The correct path is `$GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy`
Fixes: #2273
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Currently in kata 2.x, we do not have docker support, this PR removes
the docker documentation with sysctls.
Fixes#2029
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The --skip-preflight-checks flag has been deprecated in the Kubernetes v1.9
and removed from Kubernetes v1.12.
We should use --ignore-preflight-errors=all flag instead of --skip-preflight-checks.
Fixes: #1919
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
After some enablement work, memory hotplug can be used on arm64.
Here we offer a document to instruct user to enable it.
Fixes: #1854
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
