- agent: fix container stop error with signal SIGRTMIN+3
- doc: Improve kata-deploy README.md by changing sh blocks to bash blocks
- docs: Remove kata-proxy reference
- kata-monitor: fix duplicated output when printing usage
- Stop getting OOM events from agent for "ttrpc closed" error
- tools/packaging: Fix error path in `kata-deploy-binaries.sh -s`
- kata-deploy: fix version bump from -rc to stable
- release: Include all the rust vendored code into the vendored tarball
- docs: Remove VPP documentation
- runtime: Remove the explicit VirtioMem set and fix the comment
- tools/packaging/kata-deploy: Copy install_yq.sh before starting parallel builds
- docs: Remove kata-proxy references in documentation
- agent: Signal the whole process group
- osbuilder/qat: don't pull kata sources if exist
- docs: fix markdown issues in how-to-run-docker-with-kata.md
- osbuilder/qat: use centos as base OS
- docs: Update vcpu handling document
- Agent: fix unneeded late initialization lint
- static-build,clh: Add the ability to build from a PR
- Don't use a globally installed mock hook for hook tests
- ci: Weekly check whether the docs url is alive
- Multistrap Ubuntu & enable cross-building guest
- device: using const strings for block-driver option instead of hard coding
- doc: update Intel SGX use cases document
- tools: update QEMU to 6.2
- action: Update link for format patch documentation
- runtime: properly handle ESRCH error when signaling container
- docs: Update k8s documentation
- rustjail: optimization, merged several writelns into one
- doc: fix kata-deploy README typo
- versions: Upgrade to Cloud Hypervisor v22.1
- Add debug and self-test control options to Kata Manager
- scripts: Change here document delimiters
- agent: add tests for get_memory_info function
- CI: Update GHA secret name
- tools: release: Do not consider release candidates as stable releases
- kernel: fix cve-2022-0847
- docs: Update contact link in runtime README
- Improve error checking of hugepage allocation
- CI: Create GHA to add PR sizing label
- release: Revert kata-deploy changes after 2.4.0-rc0 release
2b91dcfe docs: Remove kata-proxy reference
0d765bd0 agent: fix container stop error with signal SIGRTMIN+3
a63bbf97 kata-monitor: fix duplicated output when printing usage
9e4ca0c4 doc: Improve kata-deploy README.md by changing sh blocks to bash blocks
a779e19b tools/packaging: Fix error path in 'kata-deploy-binaries.sh -s'
0baebd2b tools/packaging: Fix usage of kata-deploy-binaries.sh
3606923a workflows,release: Ship *all* the rust vendored code
2eb07455 tools: Add a generate_vendor.sh script
5e1c30d4 runtime: add logs around sandbox monitor
fb8be961 runtime: stop getting OOM events when ttrpc: closed error
93d03cc0 kata-deploy: fix version bump from -rc to stable
a9314023 docs: Remove kata-proxy references in documentation
66f05c5b runtime: Remove the explicit VirtioMem set and fix the comment
0928eb9f agent: Kill the all the container processes of the same cgroup
c2796327 osbuilder/qat: don't pull kata sources if exist
154c8b03 tools/packaging/kata-deploy: Copy install_yq.sh in a dedicated script
1ed7da8f packaging: Eliminate TTY_OPT and NO_TTY variables in kata-deploy
bad859d2 tools/packaging/kata-deploy/local-build: Add build to gitignore
19f372b5 runtime: Add more debug logs for container io stream copy
459f4bfe osbuilder/qat: use centos as base OS
9a5b4770 docs: Update vcpu handling document
ecf71d6d docs: Remove VPP documentation
c77e34de runtime: Move mock hook source
86723b51 virtcontainers: Remove unused install/uninstall targets
0e83c95f virtcontainers: Run mock hook from build tree rather than system bin dir
77434864 docs: fix markdown issues in how-to-run-docker-with-kata.md
32131cb8 Agent: fix unneeded late initialization lint
e65db838 virtcontainers: Remove VC_BIN_DIR
c20ad283 virtcontainers: Remove unused Makefile defines
c776bdf4 virtcontainers: Remove unused parameter from go-test.sh
ebec6903 static-build,clh: Add the ability to build from a PR
24b29310 doc: update Intel SGX use cases document
18d4d7fb tools: update QEMU to 6.2
62351637 action: Update link for format patch documentation
aa5ae6b1 runtime: Properly handle ESRCH error when signaling container
efa19c41 device: use const strings for block-driver option instead of hard coding
dacf6e39 doc: fix filename typo
92ce5e2d rustjail: optimization, merged several writelns into one
7a18e32f versions: Upgrade to Cloud Hypervisor v22.1
5c434270 docs: Update k8s documentation
5d6d39be scripts: Change here document delimiters
be12baf3 manager: Change here documents to use standard delimiter
9576a7da manager: Add options to change self test behaviour
d4d65bed manager: Add option to enable component debug
019da91d manager: Whitespace fix
d234cb76 manager: Create containerd link
c088a3f3 agent: add tests for get_memory_info function
4b1e2f52 CI: Update GHA secret name
ffdf961a docs: Update contact link in runtime README
5ec7592d kernel: fix cve-2022-0847
6a850899 CI: Create GHA to add PR sizing label
2b41d275 release: Revert kata-deploy changes after 2.4.0-rc0 release
4adf93ef tools: release: Do not consider release candidates as stable releases
72f7e9e3 osbuilder: Multistrap Ubuntu
df511bf1 packaging: Enable cross-building agent
0a313eda osbuilder: Fix use of LIBC in rootfs.sh
2c86b956 osbuilder: Simplify Rust installation
0072cc2b osbuilder: Remove musl installations
5c3e5536 osbuilder: apk add --no-cache
42e35505 agent: Verify that we allocated as many hugepages as we need
608e003a agent: Don't attempt to create directories for hugepage configuration
168fadf1 ci: Weekly check whether the docs url is alive
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
This PR removes the kata-proxy reference from this document as it is
not longer a component in kata 2.0
Fixes#4013
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This release changes Docker images repository from DockerHub to Amazon
ECR. This resolves the `You have reached your pull rate limit` error
when building the firecracker tarball.
Fixes#4001
Signed-off-by: Greg Kurz <groug@kaod.org>
The nix::sys::signal::Signal package api cannot deal with SIGRTMIN+3,
directly use libc function to send the signal.
Fixes: #3990
Signed-off-by: Wang Xingxing <stellarwxx@163.com>
(default: "/run/containerd/containerd.sock") is duplicated when
printing kata-monitor usage:
[root@kubernetes ~]# kata-monitor --help
Usage of kata-monitor:
-listen-address string
The address to listen on for HTTP requests. (default ":8090")
-log-level string
Log level of logrus(trace/debug/info/warn/error/fatal/panic). (default "info")
-runtime-endpoint string
Endpoint of CRI container runtime service. (default: "/run/containerd/containerd.sock") (default "/run/containerd/containerd.sock")
the golang flag package takes care of adding the defaults when printing
usage. Remove the explicit print of the value so that it would not be
printed on screen twice.
Fixes: #3998
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
The idea is to pass this README file to kata-doc-to-script.sh script and
then execute the result.
Added comments with a file name on top of each YAML snippet.
This helps in assigning a file name when we cat the YAML to a file.
Fixes: #3943
Signed-off-by: David Esparza <david.esparza.borquez@intel.com>
`make kata-tarball` relies on `kata-deploy-binaries.sh -s` which
silently ignores errors, and you may end up with an incomplete
tarball without noticing it because `make`'s exit status is 0.
`kata-deploy-binaries.sh` does set the `errexit` option and all the
code in the script seems to assume that since it doesn't do error
checking. Unfortunately, bash automatically disables `errexit` when
calling a function from a conditional pipeline, like done in the `-s`
case:
if [ "${silent}" == true ]; then
if ! handle_build "${t}" &>"$log_file"; then
^^^^^^
this disables `errexit`
and `handle_build` ends with a `tar tvf` that always succeeds.
Adding error checking all over the place isn't really an option
as it would seriously obfuscate the code. Drop the conditional
pipeline instead and print the final error message from a `trap`
handler on the special ERR signal. This requires the `errtrace`
option as `trap`s aren't propagated to functions by default.
Since all outputs of `handle_build` are redirected to the build
log file, some file descriptor duplication magic is needed for
the handler to be able to write to the orignal stdout and stderr.
Fixes#3757
Signed-off-by: Greg Kurz <groug@kaod.org>
Instead of only vendoring the code needed by the agent, let's ensure we
vendor all the needed rust code, and let's do it using the newly
introduced enerate_vendor.sh script.
Fixes: #3973
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This script is responsible for generating a tarball with all the rust
vendored code that is needed for fully building kata-containers on a
disconnected environment.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
getOOMEvents is a long-waiting call, it will retry when failed.
For cases of agent shutdown, the retry should stop.
When the agent hasn't detected agent has died, we can also check
whether the error is "ttrpc: closed".
Fixes: #3815
Signed-off-by: bin <bin@hyper.sh>
This PR removes the kata-proxy references in VSocks documentation,
as this is not a component in kata 2.0 and all the examples that
were used belonged to kata 1.x.
Fixes#3980
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Modify the 2Mib in the comment to 4Mib.
VirtioMem is set by configuration file or annotation. And setupVirtioMem is called only when VirtioMem is true.
Fixes: #3750
Signed-off-by: yaoyinnan <yaoyinnan@foxmail.com>
For the library `procfs`, the unit of values in `CpuTime` is ticks,
and we do not know how many ticks per second from metrics because the
`tps` in `CpuTime` is private.
But there are some implements in `CpuTime` for getting these values,
e.g., `user_ms()` for `user`, and `nice_ms()` for `nice`. With these
values, accurate time can be obtained.
Fixes: #3979
Acked-by: zhaojizhuang <571130360@qq.com>
Signed-off-by: Yu Li <liyu.yukiteru@bytedance.com>
'make kata-tarball' sometimes fails early with:
cp: cannot create regular file '[...]/tools/packaging/kata-deploy/local-build/dockerbuild/install_yq.sh': File exists
This happens because all assets are built in parallel using the same
`kata-deploy-binaries-in-docker.sh` script, and thus all try to copy
the `install_yq.sh` script to the same location with the `cp` command.
This is a well known race condition that cannot be avoided without
serialization of `cp` invocations.
Move the copying of `install_yq.sh` to a separate script and ensure
it is called *before* parallel builds. Make the presence of the copy
a prerequisite for each sub-build so that they still can be triggered
individually. Update the GH release workflow to also call this script
before calling `kata-deploy-binaries-in-docker.sh`.
Fixes#3756
Signed-off-by: Greg Kurz <groug@kaod.org>
NO_TTY configured whether to add the -t option to docker run. It makes no
sense for the caller to configure this, since whether you need it depends
on the commands you're running. Since the point here is to run
non-interactive build scripts, we don't need -t, or -i either.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Greg Kurz <groug@kaod.org>
This directory consists entirely of files built during a make kata-tarball,
so it should not be committed to the tree. A symbolic link to this directory
might be created during 'make tarball', ignore it as well.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
[greg: - rearranged the subject to make the subsystem checker happy
- also ignore the symbolic link created by
`kata-deploy-binaries-in-docker.sh`]
Signed-off-by: Greg Kurz <groug@kaod.org>
This PR updates the vcpu handling document by removing docker information
which is not longer being used in kata 2.x and leaving only k8s information.
Fixes#3950
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR is removing VPP documentation as it is not longer valid with
kata 2.x, all the instructions were used for kata 1.x
Fixes#3946
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
src/runtime/virtcontainers/hook/mock contains a simple example hook in Go.
The only thing this is used for is for some tests in
src/runtime/pkg/katautils/hook_test.go. It doesn't really have anything
to do with the rest of the virtcontainers package.
So, move it next to the test code that uses it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We've now removed the need to install the mock hook binary for unit tests.
However, it turns out that managing that was the *only* thing that the
install and uninstall targets in the virtcontainers Makefile handled.
So, remove them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Running unit tests should generally have minimal dependencies on
things outside the build tree. It *definitely* shouldn't modify
system wide things outside the build tree. Currently the runtime
"make test" target does so, though.
Several of the tests in src/runtime/pkg/katautils/hook_test.go require a
sample hook binary. They expect this hook in
/usr/bin/virtcontainers/bin/test/hook, so the makefile, as root, installs
the test binary to that location.
Go tests automatically run within the package's directory though, so
there's no need to use a system wide path. We can use a relative path to
the binary build within the tree just as easily.
fixes#3941
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The VC_BIN_DIR variable in the virtcontainers Makefile is almost unused.
It's used to generate TEST_BIN_DIR, and it's created in the install target.
However, we also create TEST_BIN_DIR, which is a subdirectory of VC_BIN_DIR
with mkdir -p, so it will necessarily create VC_BIN_DIR along the way.
So we can drop the unnecessary mkdir and expand the definition of
VC_BIN_DIR in the definition of TEST_BIN_DIR.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The INSTALL_EXEC and UNINSTALL_EXEC definitions from the virtcontainers
Makefile (unlike those from the runtime Makefile in the parent directory)
are entirely unused. Remove them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The check-go-test target passes the path to the mock hook test binary to
go-test.sh when it invokes it. But go-test.sh just calls run_go_test from
ci/lib.sh, which invokes a script from the tests repo *without* any
parameters.
That is, this parameter is ignored anyway, so remove it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Right now it doesn't do much for us, as we're always building from a
specific version. However, this opens the possibility for us to add a
CI, similar to the one we have for CRI-O, for testing against each
cloud-hypervisor PR, on the cloud-hypervisor branch.
Fixes: #3908
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Installation section is not longer needed because of the latest
default kata kernel supports Intel SGX.
Include QEMU to the list of supported hypervisors.
fixes#3911
Signed-off-by: Julio Montes <julio.montes@intel.com>
bring Intel SGX support
Changes tha may impact in Kata Containers
Arm:
The 'virt' machine now supports an emulated ITS
The 'virt' machine now supports more than 123 CPUs in TCG emulation mode
The pl031 real-time clock device now supports sending RTC_CHANGE QMP events
PowerPC:
Improved POWER10 support for the 'powernv' machine
Initial support for POWER10 DD2.0 CPU added
Added support for FORM2 PAPR NUMA descriptions in the "pseries" machine
type
s390x:
Improved storage key emulation (e.g. fixed address handling, lazy
storage key enablement for TCG, ...)
New gen16 CPU features are now enabled automatically in the latest
machine type
KVM:
Support for SGX in the virtual machine, using the /dev/sgx_vepc device
on the host and the "memory-backend-epc" backend in QEMU.
New "hv-apicv" CPU property (aliased to "hv-avic") sets the
HV_DEPRECATING_AEOI_RECOMMENDED bit in CPUID[0x40000004].EAX.
virtio-mem:
QEMU now fully supports guest memory dumps with virtio-mem.
QEMU now cleanly supports precopy migration, postcopy migration and
background snapshots with virtio-mem.
fixes#3902
Signed-off-by: Julio Montes <julio.montes@intel.com>
This PR updates the link for the format patch documentation for the
commit message check.
Fixes#3900
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Currently kata shim v2 doesn't translate ESRCH signal, causing container
fail to stop and shim leak.
Fixes: #3874
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Currently, the block driver option is specifed by hard coding, maybe it
is better to use const string variables instead of hard coded strings.
Another modification is to remove duplicate consts for virtio driver in
manager.go.
Fixes: #3321
Signed-off-by: Jason Zhang <zhanghj.lc@inspur.com>
Update documentation with missing step to untaint node to enable
scheduling and update the example to run a pod using the kata runtime
class instead of untrusted workloads, which applies to versions of CRI-O
prior to v1.12.
Fixes#3863
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
All scripts should use `EOF` as the shell here document delimiter as
this is checked by the static checker.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Added new `kata-manager` options to control the self-test behaviour. By
default, after installation the manager will run a test to ensure a Kata
Containers container can be created. New options allow:
- The self test to be disabled.
- Only the self test to be run (no installation).
These features allow changes to be made to the installed system before
the self test is run.
Fixes: #3851.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Make the `kata-manager` create a `containerd` link to ensure the
downloaded containerd systemd service file can find the daemon when
using the GitHub packaged version of containerd.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add test coverage for get_memory_info function in src/rpc.rs. Includes
some minor refactoring of the function.
Fixes#3837
Signed-off-by: Braden Rayhorn <bradenrayhorn@fastmail.com>
Change the secret used by the GitHub Action that adds the PR size
label to one with the correct set of privileges.
Fixes: #3856.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
As 2.4.0-rc0 has been released, let's switch the kata-deploy / kata-cleanup
tags back to "latest", and re-add the kata-deploy-stable and the
kata-cleanup-stable files.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
- Enhancement: fix comments/logs and delete not used function
- storage: make k8s emptyDir volume creation location configurable
- Implement direct-assigned volume
- Bump containerd to 1.6.1
- experimentally enable vcpu hotplug and virtio-mem on arm64 in kernel part
- versions: Upgrade to Cloud Hypervisor v22.0
- katatestutils: remove distro constraints
- Minor fixes for the `disable_block_device_use` comments
- clh: stop virtofsd if clh fails to boot up the vm
- clh: tdx: Don't use sharedFS with Confidential Guests
- runtime: Build golang components with extra security options
- snap: Use git clone depth 1 for QEMU and dependencies
- snap: Don't build cloud-hypevisor on ppc64le
- build: always reset ARCH after getting it
- virtcontainers: remove temp dir created for vsock in test code
- docs: Add unit testing presentation
- virtcontainers: Use available s390x hugepages
- Update QEMU >= 6.1.0 in configure-hypervisor.sh
- Fix monitor listen address
- snap: clh: Re-use kata-deploy script here
- osbuilder: Add CentOS Stream rootfs
- runtime: Gofmt fixes
- Update `confidential_guest` comments
- cleanup runtime pkgs for Darwin build, add basic Darwin build/unit test
- docs: Update Readme document
- runtime: use Cmd.StdoutPipe instead of self-created pipe
- docs: Developer-Guide build a custom Kata agent with musl
- kata-agent: Fix mismatching error of cgroup and mountinfo.
- runtime, config: make selinux configurable
- Fix unbound variable / typo on error mesage
- clh: Add TDX support
- virtcontainers: Do not add a virtio-rng-ccw device
- kata-monitor: fix collecting metrics for sandboxes not started through CRI
- runtime: fix package declaration for ppc64le
- Make the hypervisor framework not Linux specific
- kata-deploy: Simplify Dockerfile and support s390x
- Support nerdctl OCI hooks
- shim: log events for CRI-O
- docs: Update contributing link
- kata-deploy: Use (kata with) qemu as the default shim-v2 binary
- kata-monitor: simplify sandbox cache management and attach kubernetes POD metadata to metrics
- nydus: add lazyload support for kata with clh
- kernel: remove SYS_SUPPORTS_HUGETLBFS from powerpc fragments
- packaging: Use `patch` for applying patches
- virtcontainers: Remove duplicated assert messages in utils test code
- versions: add nydus-snapshotter
- docs: Update limitations document
- packaging: support qemu-tdx
- Kata manager fix install
- versions: Linux 5.15.x
- trace-forwarder/agent-ctl: run cargo fmt/clippy in make check
- docs: Improve top-level README
- runtime: use github.com/mdlayher/vsock@v1.1.0
- tools: Build cloud-hypervisor with "--features tdx"
- virtiofsd: Use "-o announce_submounts"
- feature: hugepages support
- tools: clh: Allow to set when to build from sources and the build flags passed down to cargo
- docs: Remove docker run and shared memory from limitations
- versions: Udpate Cloud Hypervisor to 55479a64d237
- kernel: add missing config fragment for TDx
- runtime: The index variable is initialized multiple times in for
- scripts: fix a typo while to check build_type
- versions: bump CRI-O to its 1.23 release
- feature(nydusd): add nydusd support to introduce lazyload ability
- docs: Fix relative links in Markdown
- kernel: support TDx
- device: Actually update PCIDEVICE_ environment variables for the guest
- docs: Update link to EFK stack docs
- runtime: support QEMU SGX
- snap: update qemu version to 6.1.0 for arm
- Release process related fixes
- openshift-ci: switch to CentOS Stream
- virtcontainers: Split the rootless package into OS specific parts
- runtime: suppport split firmware
- kata-deploy: for testing, make sure we use the PR branch
- docs: Remove Zun documentation with kata containers
- agent: Fix execute_hook() args error
- workflows: stop checking revert commit
84dff440 release: Adapt kata-deploy for 2.4.0-rc0
b257e0e5 rustjail: delete function signal in BaseContainer
d647b28b agent: delete meaningless FIXME comment
1b34494b runtime: fix invalid comments for pkg/resourcecontrol
afc567a9 storage: make k8s emptyDir creation configurable
e76519af runtime: small refactor to improve readability
7e5f11a5 vendor: Update containerd to 1.6.1
42771fa7 runtime: don't set socket and thread for arm/virt
8828ef41 kernel: add arm experimental kernel build support
8a9007fe config: remove 2 config as they are removed in 5.15
1b6f7401 kernel: add arm experimental patches to support vcpu hotplug and virtio-mem
f905161b runtime: mount direct-assigned block device fs only once
27fb4902 agent: add get volume stats handler in agent
ea51ef1c runtime: forward the stat and resize requests from shimv2 to kata agent
c39281ad runtime: update container creation to work with direct assigned volumes
4e00c237 agent: add grpc interface for stat and resize operations
e9b5a255 runtime: add stat and resize APIs to containerd-shim-v2
6e0090ab runtime: persist direct volume mount info
fa326b4e runtime: augment kata-runtime CLI to support direct-assigned volume
b8844fb8 versions: Upgrade to Cloud Hypervisor v22.0
af804734 clh: stop virtofsd if clh fails to boot up the vm
97951a2d clh: Don't use SharedFS with Confidential Guests
c30b3a9f clh: Adding a volume is not supported without SharedFS
f889f1f9 clh: introduce supportsSharedFS()
54d27ed7 clh: introduce loadVirtiofsDaemon()
ae2221ea clh: introduce stopVirtiofsDaemon()
e8bc26f9 clh: introduce setupVirtiofsDaemon()
413b3b47 clh: introduce createVirtiofsDaemon()
55cd0c89 runtime: Build golang components with extra security options
76e4f6a2 Revert "hypervisors: Confidential Guests do not support Device hotplug"
fa8b9392 config: qemu: Fix disable_block_device_use comments
9615c8bc config: fc: Don't expose disable_block_device_use
c1fb4bb7 snap: Don't build cloud-hypevisor on ppc64le
58913694 snap: Use git clone depth 1 for QEMU and dependencies
b27c7f40 docs: Add unit testing presentation
e64c54a2 monitor: Listen to localhost only by default
e6350d3d monitor: Fix build options
a67b93bb snap: clh: Re-use kata-deploy script here
f31125fe version: Bump cloud-hypervisor to b0324f85571c441f
54d0a672 subsystem: build
edf20766 docs: Update Readme document
eda8ea15 runtime: Gofmt fixes
4afb278f ci: add github action to exercise darwin build, unit tests
e355a718 container: file is not linux specific
b31876ee device-manager: move linux-only test to a linux-only file
6a5c6344 resourcecontrol: SystemdCgroup check is not necessarily linux specific
cc58cf69 resourcecontrol: convert stats dev_t to unit64types
5be188cc utils: Add darwin stub
ad044919 virtcontainers: Convert stats dev_t to uint64
56751089 katautils: Use a syscall wrapper for the hook JSON state
7d64ae7a runtime: Add a syscall wrapper package
abc681ca katautils: Add Darwin stub for the netNS API
de574662 config: Expand confidential_guest comments
641d475f config: clh: Use "Intel TDX" instead of just "TDX"
0bafa2de config: clh: Mention supported TEEs
81ed269e runtime: use Cmd.StdoutPipe instead of self-created pipe
8edca8bb kata-agent: Fix mismatching error of cgroup and mountinfo.
a9ba7c13 clh: Fix typo on HotplugRemoveDevice
827ab82a tools: clh: Fix unbound variable
082d538c runtime: make selinux configurable
1103f5a4 virtcontainers: Use FilesystemSharer for sharing the containers files
533c1c0e virtcontainers: Keep all filesystem sharing prep code to sandbox.go
61590bbd virtcontainers: Add a Linux implementation for the FilesystemSharer
03fc1cbd virtcontainers: Add a filesystem sharing interface
72434333 clh: Add TDX support
a13b4d5a clh: Add firmware to the config file
a8827e0c hypervisors: Confidential Guests do not support NVDIMM
f50ff9f7 hypervisors: Confidential Guests do not support Memory hotplug
df8ffecd hypervisors: Confidential Guests do not support Device hotplug
28c4c044 hypervisors: Confidential Guests do not support VCPUs hotplug
29ee870d clh: Add confidential_guest to the config file
9621c596 clh: refactor image / initrd configuration set
dcdc412e clh: use common kernel params from the hypervisor code
4c164afb versions: Update Cloud Hypervisor to 5343e09e7b8db
b2a65f90 virtcontainers: Use available s390x hugepages
cb4230e6 runtime: fix package declaration for ppc64le
fec26f8e kata-monitor: trivial: rename symbols & labels
9fd4e551 runtime: Move the resourcecontrol package one layer up
823faee8 virtcontainers: Rename the cgroups package
0d1a7da6 virtcontainers: Rename and clean the cgroup interface
ad10e201 virtcontainers: cgroups: Move non Linux routine to utils.go
d49d0b6f virtcontainers: cgroups: Define a cgroup interface
3ac52e81 kata-monitor: fix updating sandbox cache at startup
160bb621 kata-monitor: bump version to 0.3.0
1a3381b0 docs: Developer-Guide build a custom Kata agent with musl
f6fc1621 shim: log events for CRI-O
1d68a08f docs: Update contributing link
9123fc09 kata-deploy: Simplify Dockerfile and support s390x
11220f05 kata-deploy: Use (kata with) qemu as the default shim-v2 binary
3175aad5 virtiofs-nydus: add lazyload support for kata with clh
94b831eb virtcontainers: remove temp dir created for vsock in test code
8cc1b186 kernel: remove SYS_SUPPORTS_HUGETLBFS from powerpc fragments
5c9d2b41 packaging: Use `patch` for applying patches
5b3fb6f8 kernel: Build SGX as part of the vanilla kernel
2c35d8cb workflows: Stop building the experimental kernel
32e7845d snap: Build vanilla kernel for all arches
27de212f runtime: Always add network endpoints from the pod netns
1cee0a94 virtcontainers: Remove duplicated assert messages in utils test code
6c1d149a docs: Update limitations document
7c4ee6ec packaging/qemu: create no_patches file for qemu-tdx
d47c488b versions: add qemu tdx section
77c29bfd container: Remove VFIO lazy attach handling
7241d618 versions: add nydus-snapshotter
26b3f001 virtcontainers: Split hypervisor into Linux and OS agnostic bits
fa0e9dc6 virtcontainers: Make all Linux VMMs only build on Linux
c91035d0 virtcontainers: Move non QEMU specific constants to hypervisor.go
10ae0591 virtcontainers: Move guest protection definitions to hypervisor.go
b28d0274 virtcontainers: Make max vCPU config less QEMU specific
a5f6df6a govmm: Define the number of supported vCPUs per architecture
a6b40151 tools: clh: Remove unused variables
5816c132 tools: Build cloud-hypervisor with "--features tdx"
e6060cb7 versions: Linux 5.15.x
9818cf71 docs: Improve top-level and runtime README
36c3fc12 agent: support hugepages for containers
81a8baa5 runtime: add hugepages support
7df677c0 runtime: Update calculateSandboxMemory to include Hugepages Limit
948a2b09 tools: clh: Ensure the download binary is executable
72bf5496 agent: handle hook process result
80e8dbf1 agent: valid envs for hooks
4f96e3ea katautils: Pass the nerdctl netns annotation to the OCI hooks
a871a33b katautils: Run the createRuntime hooks
d9dfce14 katautils: Run the preStart hook in the host namespace
6be6d0a3 katautils: Pass the OCI annotations back to the called OCI hooks
493ebc8c utils: Update kata manager docs
34b2e67d utils: Added more kata manager cli options
714c9f56 utils: Improve containerd configuration
c464f326 utils: kata-manager: Force containerd sym link creation
4755d004 utils: Fix unused parameter
601be4e6 utils: Fix containerd installation
ae21fcc7 utils: Fix Kata tar archive check
f4d1e45c utils: Add kata-manager CLI options for kata and containerd
395cff48 docs: Remove docker run and shared memory from limitations
e07545a2 tools: clh: Allow passing down a build flag
55cdef22 tools: clh: Add the possibility to always build from sources
3f87835a utils: Switch kata manager to use getopts
4bd945b6 virtiofsd: Use "-o announce_submounts"
37df1678 build: always reset ARCH after getting it
3a641b56 katatestutils: remove distro constraints
90fd625d versions: Udpate Cloud Hypervisor to 55479a64d237
573a37b3 osbuilder: Add CentOS Stream rootfs
f10642c8 osbuilder: Source .cargo/env before checking Rust
955d359f kernel: add missing config fragment for TDx
734b618c agent-ctl: run cargo fmt/clippy in make check
12c37faf trace-forwarder: add make check for Rust
c1ce67d9 runtime: use github.com/mdlayher/vsock@v1.1.0
42a878e6 runtime: The index variable is initialized multiple times in for
1797b3eb packaging/kernel: build TDX guest kernel
98752529 versions: add url and tag for tdx kernel
bc8464e0 packaging/kernel: add option -s option
2d9f89ae feature(nydusd): add nydusd support to introduse lazyload ability
b19b6938 docs: Fix relative links in Markdown
9590874d device: Update PCIDEVICE_ environment variables for the guest
7b7f426a device: Keep host to VM PCI mapping persistently
0b2bd641 device: Rework update_spec_pci() to update_env_pci()
982f14fa runtime: support QEMU SGX
40aa43f4 docs: Update link to EFK stack docs
54e1faec scripts: fix a typo while to check build_type
07b9d93f virtcontainer: Simplify the sandbox network creation flow
2c7087ff virtcontainers: Make all endpoints Linux only
49d2cde1 virtcontainers: Split network tests into generic and OS specific parts
0269077e virtcontainers: Remove the netlink package dependency from network.go
7fca5792 virtcontainers: Unify Network endpoints management interface
c67109a2 virtcontainers: Remove the Network PostAdd method
e0b26443 virtcontainers: Define a Network interface
5e119e90 virtcontainers: Rename the Network structure fields and methods
b858d0de virtcontainers: Make all Network fields private
49eee79f virtcontainers: Remove the NetworkNamespace structure
844eb619 virtcontainers: Have CreateVM use a Network reference
d7b67a7d virtcontainers: Network API cleanups and simplifications
2edea883 virtcontainers: Make the Network structure manage endpoints
8f48e283 virtcontainers: Expand the Network structure
5ef522f7 runtime: check kvm module `sev` correctly
419d8134 snap: update qemu version to 6.1.0 for arm
00722187 docs: update Release-Process.md
496bc10d tools: check for yq before using it
88a70d32 Revert "workflows: Ensure a label change re-triggers the actions"
a9bebb31 openshift-ci: switch to CentOS Stream
89047901 kata-deploy-push: only run if PR modifying tools path
7ffe9e51 virtcontainers: Do not add a virtio-rng-ccw device
1f29478b runtime: suppport split firmware
24796d2f kata-deploy: for testing, make sure we use the PR branch
1cc1c8d0 docs: Remove images from Zun documentation
5861e52f docs: Remove Zun documentation with kata containers
903a6a45 versions: Bump critools to its 1.23 release
63eb1158 versions: bump CRI-O to its 1.23 release
5083ae65 workflows: stop checking revert commit
14e7f52a virtcontainers: Split the rootless package into OS specific parts
ab447285 kata-monitor: add kubernetes pod metadata labels to metrics
834e199e kata-monitor: drop unused functions
7516a8c5 kata-monitor: rework the sandbox cache sync with the container manager
e78d80ea kata-monitor: silently ignore CHMOD events on the sandboxes fs
e9eb34ce kata-monitor: improve debug logging
4fc4c76b agent: Fix execute_hook() args error
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
kata-deploy files must be adapted to a new release. The cases where it
happens are when the release goes from -> to:
* main -> stable:
* kata-deploy-stable / kata-cleanup-stable: are removed
* stable -> stable:
* kata-deploy / kata-cleanup: bump the release to the new one.
There are no changes when doing an alpha release, as the files on the
"main" branch always point to the "latest" and "stable" tags.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
During the release of 2.4.0-rc0 @egernst noticed an incositency in the
way we handle release tags, as release candidates are being taken as
"stable" releases, while both the kata-deploy tests and the release
action consider this as "latest".
Ideally we should have our own tag for "release candidate", but that's
something that could and should be discussed more extensively outside of
the scope of this quick fix.
For now, let's align the code generating the PR for bumping the release
with what we already do as part of the release action and kata-deploy
test, and tag "-rc" as latest, regardless of which branch it's coming
from.
Fixes: #3847
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Use `multistrap` for building Ubuntu rootfs. Adds support for building
for foreign architectures using the `ARCH` environment variable.
In the process, the Ubuntu rootfs workflow is vastly simplified.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Requires setting ARCH and CC.
- Add CC linker option for building agent.
- Set host for building libseccomp.
Fixes: #3681
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
- Add a doc comment
- Pass to build container, e.g. to build x86_64 with glibc (would
always use musl)
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Remove a lot of cruft of musl installations -- we needed those for the
Go agent, but Rustup just takes care of everything. aarch64 on
Debian-based & Alpine is an exception -- create a symlink
`aarch64-linux-musl-gcc` to `musl-tools`'s `musl-gcc` or `gcc` on
Alpine. This is unified -- arch-specific Dockerfiles are removed.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Hadolint DL3019. If you're wondering why this is in this PR, that's
because I touch the file later, and we're only triggering the lints for
changed files.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This change introduces the `disable_guest_empty_dir` config option,
which allows the user to change whether a Kubernetes emptyDir volume is
created on the guest (the default, for performance reasons), or the host
(necessary if you want to pass data from the host to a guest via an
emptyDir).
Fixes#2053
Signed-off-by: Evan Foster <efoster@adobe.com>
Let's bring in the latest release of Containerd, 1.6.1, released on
March 2nd, 2022.
With this, we take the opportunity to remove containerd/api reference as
we shouldn't need a separate module only for the API.
Here's the list of changes needed in the code due to the bump:
* stop using `grpc.WithInsecure()` as it's been deprecated
- use `grpc.WithTransportCredentials(insecure.NewCredentials())`
instead
Fixes: #3820
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As this is just a initial vcpu hotplug support, thread and socket has
not been supported. So, don't set socket and thread when hotadd cpu for
arm/virt.
Fixes: #3280
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Add a new entry of arm-kernel-experimental and let the kernel build
script support to build it.
Fixes: #3280
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
I'm sure that it is correct to remove CONFIG_ARM64_UAO and
CONFIG_MANDATORY_FILE_LOCKING and . Both are gone in 5.15. Maintain a
specific config files for a kernel version is a little ugly. If someone
needs them, shout at me.
Fixes: #3280
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
As the support for vcpu hotplug is on the road, I pick them up here as
experimental to let user try cpu hotplug and virtio-mem on arm64.
Fixes: #3280
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Mount the direct-assigned block device fs only once and keep a refcount
in the guest. Also use the ro flag inside the options field to determine
whether the block device and filesystem should be mounted as ro
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Translate the volume path from host-known path to guest-known path
and forward the request to kata agent.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
During the container creation, it will parse the mount info file
of the direct assigned volumes and update the in memory mount object.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Add GetVolumeStats and ResizeVolume APIs for the runtime to query stat
and resize fs in the guest.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
To query fs stats and resize fs, the requests need to be passed to
kata agent through containerd-shim-v2. So we're adding to rest APIs
on the shim management endpoint.
Also refactor shim management client to its own go file.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
In the direct assigned volume scenario, Kata Containers persists
the information required for managing the volume inside the guest
on host filesystem.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Add commands to add, remove, resize and get stats of a direct-assigned volume.
These commands are expected to be consumed by CSI.
Fixes: #3454
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Highlights from the Cloud Hypervisor release v22.0: 1) GDB Debug Stub
Support; 2) `virtio-iommu` Backed Segments (to facilitate hotplug
devices that require being behind an IOMMU, e.g. QAT); 3) Before Boot
Configuration Changes; 4) `virtio-balloon` Free Page Reporting; 5)
Support for Direct Kernel Booting with TDX; 6) PMU Support for AArch64;
7) Documentation Under CC-BY-4.0 License; 8) Deprecation of "Classic"
virtiofsd (rust-based virtiofsd now is recommended); 9) Bug fixes on
`virtio-balloon`, `virtio-net` with multiple TAP fd support, REST APIs,
seccomp filters, migration with `vhost-user`, etc;
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v22.0Fixes: #3825
Signed-off-by: Bo Chen <chen.bo@intel.com>
If, for some reason, we're able to launch cloud hypervisor but not able
to boot the VM up, the virtiofsd process would be left behind.
Let's ensure, via defer, that we stop virtiofsd in case of errors.
Fixes: #3819
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kata-containers/pulls#3771 added TDX support for Cloud Hypervisor, but
two big things got overlooked while doing that.
1. virtio-fs, as of now, cannot be part of the trust boundary, so the
Confidential Guest will not be using it.
2. virtio-block hotplug should be enabled in order to use virtio-block
for the rootfs (used with the devmapper plugin).
When trying to use cloud-hypervisor with TDX using virtio-fs, we're
facing the following error on the guest kernel:
```
virtiofs virtio2: device must provide VIRTIO_F_ACCESS_PLATFORM
```
After checking and double-checking with virtiofs and cloud-hypervisor
developers, it happens as confidential containers might put some
limitations on the device, so it can't access all of the guests' memory
and that's where this restriction seems to be coming from. Vivek
mentioned that virtiofsd do not support VIRTIO_F_ACCESS_PLATFORM (aka
VIRTIO_F_IOMMU_PLATFORM) yet, and that for ecrypted guests virtiofs may
not be the best solution at the moment.
@sboeuf put this in a very nice way: "if the virtio-fs driver doesn't
support VIRTIO_F_ACCESS_PLATFORM, then the pages corresponding to the
virtqueues and the buffers won't be marked as SHARED, meaning the VMM
won't have access to it".
Interestingly enough, it works with QEMU, and it may be due to some
change done on the patched QEMU that @devimc is packaging, but we won't
take the path to figure out what was the change and patch
cloud-hypervisor on the same way, because of 1.
Fixes: #3810
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As mounting volumes into the guest requires SharedFS setup, let's ensure
we error out if trying to do so in a situation where SharedFS is not
supported.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
supportsSharedFS() is a new method to be used to ensure that no SharedFS
specifics are called when, for a reason or another, Cloud Hypervisor is
in a mode where SharedFSs are not supported.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similarly to the `createVirtiofsDaemon` and `stopVirtiofsDaemon` methos,
let's introduce and use loadVirtiofsDaemon, at it'll also be handy later
in this series.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similary to the `createVirtiofsDaemon` method, let's introduce and use
its counterpart, as it'll also be handy later in this series.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similarly to what's been done with the `createVirtiofsDaemon`, let's
create a `setupVirtiofsDaemon` one.
It will also become handy later in this series.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's introduce and use a new `createVirtiofsDaemon` method. Its name
says it all, and it'll be handy later in this series when, spoiler
alert, SharedFS cannot be used (in such cases as in Confidential
Guests).
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit df8ffecde0, as device
hotplug *is* supported and, more than that, is very much needed when
using virtio-blk instead of virtio-fs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
allocate_hugepages() writes to the kernel sysfs file to allocate hugepages
in the Kata VM. However, even if the write succeeds, it's not certain that
the kernel will actually be able to allocate as many hugepages as we
requested.
This patch reads back the file after writing it to check if we were able to
allocate all the required hugepages.
fixes#3816
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
allocate_hugepages() constructs the path for the sysfs directory containing
hugepage configuration, then attempts to create this directory if it does
not exist.
This doesn't make sense: sysfs is a view into kernel configuration, if the
kernel has support for the hugepage size, the directory will already be
there, if it doesn't, trying to create it won't help.
For the same reason, attempting to create the "nr_hugepages" file
itself is pointless, so there's no reason to call
OpenOptions::create(true).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
virtio-fs, instead of virtio-9p, is the default shared file system type
in case virtio-blk is not used.
Fixes: #3813
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Relying on virtio-block is the *only* way to use Firecracker with Kata
Containers, as shared FS (virtio-{fs,fs-nydus,9p}) is not supported by
Firecracker.
As configuration doesn't make sense to be exposed, we hardcode the
`false` value in the Firecracker configuration structure.
Fixes: #3813
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
snapcraft build is failing due to:
``
utils.mk:130: "WARNING: powerpc64le-unknown-linux-musl target is unavailable"
```
It seems to happen as powerpc64-unknown-linux-musl is a target that
although there's support for it, it's not exactly built or
automatically tested, at least according to:
https://doc.rust-lang.org/rustc/platform-support.htmlFixes: #3803
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Use `git clone --depth 1 ...` for QEMU and its dependencies
to speed up checkouts.
Fixes: #3799.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add the Kata Containers unit testing presentation I gave to the Kata
outreach students as this may be of some use to others.
Fixes: #3781
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Change `kata-monitor` to listen to port `8090` on the local interface
only by default.
> **Note:**
>
> This is a breaking change as previously it listened on all interfaces.
Fixes: #3795.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Removed redundant and duplicated build options to build
`kata-monitor` the same way as the other components:
- `CGO_ENABLED=0` is not necessary.
- `-buildmode=exe` is not necessary since `BUILDFLAGS` already sets the
build mode.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The current snap build for clh is broken as it's not aware of how to
build the binary from sources.
Instead of fixing it here, let's take advantage of the kata-deploy
script, which is capable of building from sources, and re-use it here.
Fixes: #3693
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This bump brings a fix on the build script, for ARM, so we can use the
very same build script everywhere.
The commit of our interest is b0324f85571c441f840e9bdeb25410514a00bb74:
```
scripts: Fix musl build on aarch64
Adding the missing TARGET_CC environment variable to get the build to
complete correctly.
Fixes#3776
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
With the ACPI PCI hotplug changes introduced in 2.3, QEMU >= 6.1 is required.
Remove unnecessary qemu version check in build script.
Fixes#3547
Signed-off-by: goodluckbot <tangbo_gl@hotmail.com>
This PR updates the README document by using the proper link for
the contributing guide as well as a misspelling.
Fixes#3791
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- Mostly blank lines after `+build` -- see
https://pkg.go.dev/go/build@go1.14.15 -- this is, to date, enforced by
`gofmt`.
- 1.17-style go:build directives are also added.
- Spaces in govmm/vmm_s390x.go
Fixes: #3769
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
There are a few outstanding changes required to build the runtime on
Darwin.
Let's add a GitHub action to exercise build and unit tests of the
packages which we do expect to work. Eventually this should be dropped
and we can run any Darwin specific tests, or just add MacOS to the
matrix for our static check OSes.
Fixes: #3778
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This utility function is also used to check the spec that will run in
the guest - no need for this to be linux specific.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Their types may differ on various host OSes, but
unix.Major|Minor always takes a uint64
Depends-on: github.com/kata-containers/tests#4516
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add a stub for utils_darwin to facilitate building this package on
Darwin. We can probably drop this empty stub if we have better
abstraction for the various parts of virtcontainers that call it
today...
Fixes:# 3777
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
We need to convert them to uint64 as their types may differ on various
host OSes, but unix.Major|Minor takes a uint64 regardless.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Let's clarify that an error will be reported in case confidential_guest
is enabled, but the hardware where Kata Containers is running doesn't
provide the required feature set.
Fixes: #3787
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's use "Intel TDX" rather than just "TDX", as it can ease the
understanding of the terminology.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's mention the supported TEEs to be used with confidential guests.
Right now, Cloud Hyperisor supports only Intel TDX, used together with
TD Shim.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Nydusd uses a bufio.Scanner to check if nydusd process has
existed, but stderr/stdout passed to Cmd is self-created pipe,
this pipe will not be closed if the process start failing.
Use standard Cmd.StdoutPipe can close the stdout and kata shim
will detect the existence of the nydusd process, then call cmd.Wait to
reap the process' resources.
Fixes: #3783
Signed-off-by: bin <bin@hyper.sh>
The content about systemd in "/proc/self/cgroup" is as:
1:name=systemd:/kubepods/pod1815643d-3789-4e4e-aaf4-00de024912e1/0e15a65bd5f7b30a0b818d90706212354d8b3f0998a1495473c3be9a24706ccf
and in "/prol/self/mountinfo" is as:
30 29 0:26 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:6 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
The keys extracted from the two files are the same as "name=systemd". So no need to rename the key to "systemd".
Fixes: #3385
Signed-off-by: sailorvii <challengingway@hotmail.com>
A copy and paste mistake was made and the error on HotplugRemoveDevice()
should be about removal and not about addition.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
4c164afbac renamed extra_build_args to
features, but did it only in one place, leading to:
```
21:15:28 /home/jenkins/workspace/kata-containers-2.0-ubuntu-ARM-PR/go/src/github.com/kata-containers/kata-containers/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh: line 55: features: unbound variable
21:15:29 make[1]: *** [tools/packaging/kata-deploy/local-build/Makefile:30: cloud-hypervisor-tarball-build] Error 1
```
Fixes: #3775
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
removes --tags selinux handling in the makefile (part of it introduced here: d78ffd6)
and makes selinux configurable via configuration.toml
Fixes: #3631
Signed-off-by: Tanweer Noor <tnoor@apple.com>
Switching to the generic FilesystemSharer brings 2 majors improvements:
1. Remove container and sandbox specific code from kata_agent.go
2. Allow for non Linux implementations to provide ways to share
container files and root filesystems with the Kata Linux guest.
Fixes#3622
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
With the Linux implementation of the FilesystemSharer interface, we can
now remove all host filesystem sharing code from kata_agent and keep it
where it belongs: sandbox.go.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
This gathers the current kata agent and container filesystem sharing
code into a FilesystemSharer implementation.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Filesystem sharing here means the ability to share some parts of the
host filesystem with the guest. It's mostly about sharing files and
container bundle root filesystems.
In order to allow for different file and rootfs sharing implementations,
we define a FilesystemSharer interface.
This interface provides a preparation step, where concrete
implementations will be able to e.g. prepare the host filesysstem.
Then it provides 2 methods, one for sharing any file (regular file or a
directory) and another one for sharing a container root filesystem
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Let's enable TDX support for Cloud Hypervisor, using td-shim as its
desired firmware.
Fixes: #3632
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
"firmware" option was already present for a while, but it's never been
exposed to the configuration file before.
Let's do it now as it can be used, in combination with the newly added
confidential_guest option, to boot a guest VM using the so called
`td-shim`[0] with Cloud Hypervisor.
[0]: https://github.com/confidential-containers/td-shim
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
NVDIMM is also not supported with Confidential Guests and Virtio Block
devices should be used instead.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similarly to VCPUs and Device hotplug, Confidential Guests also do not
support Memory hotplug.
Let's make it clear in the documentation and guard the code on both QEMU
and Cloud Hypervisor side to ensure we don't advertise Memory hotplug as
being supported when running Confidential Guests.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similarly to VCPUs hotplug, Confidential Guests also do not support
Device hotplug.
Let's make it clear in the documentation and guard the code on both QEMU
and Cloud Hypervisor side to ensure we don't advertise Device hotplug as
being supported when running Confidential Guests.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As confidential guests do not support VCPUs hotplug, let's set the
"DefaultMaxVCPUs" value to "NumVCPUs".
The reason to do this is to ensure that guests will be started with the
correct amount of VCPUs, without giving to the guest with all the
possible VCPUs the host could provide.
One clear side effect of this limitation is that workloads that would
require more VCPUs on their yaml definition will not run on this
scenario.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
ConfidentialGuest is an option already present and exposed for QEMU,
which is used for using Kata Containers together with different sorts of
Guest Protections, such as TDX and SEV for x86_64, PEF for ppc64le, and
SE for s390x.
Right now we error out in case confidential_guest is enabled, as we will
be implementing the needed blocks for this as part of this series.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is a small code refactor removing a deadcode based the checks
already done in the generic hypervisor abstraction.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The hypervisor code already defines 3 common kernel root params for the
following cases:
* NVDIMM
* NVDIMM without DAX support
* Virtio Block
As parameters used for cloud-hypervisor have an overlap with the ones
provided by the NVDIMM case, let's take advantage of that.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's bump the Cloud Hypervisor version to 5343e09e7b8db, as that brings
a few fixes we're interested in, such as:
* hypervisor, vmm: Handle TDX hypercalls with INVALID_OPERAND
- https://github.com/cloud-hypervisor/cloud-hypervisor/pull/3723
- This is needed for the TDX support on the cloud hypervisor driver,
which is part of this very same series.
* openapi: Update the PciBdf types
- https://github.com/cloud-hypervisor/cloud-hypervisor/pull/3748
- This is needed due to a change in a DeviceNode field, which would
cause a marshalling / demarshalling error when running with a
version of cloud-hypervisor that includes the TDX fixes mentioned
above.
* scripts: dev_cli: Don't quote $features_build
* scripts: dev_cli: Add --features option
- https://github.com/cloud-hypervisor/cloud-hypervisor/pull/3773
- This is needed due to changes in the scripts used to build Cloud
Hypervisor, which are used as part of Kata Containers CIs and
github actions.
Due to this change, we're also adapting the build scripts as part
of this very same commit.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
in TestHandleHugepages. On s390x, hugepage sizes must be set at boot, so
test with any that are present (default is 1M).
Depends-on: github.com/kata-containers/kata-containers#3770
Fixes: #3763
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
We introduced collection of sandboxes metadata from the CRI that will be
attached to the sandbox metrics: this will allow to immediately match
sandboxes metrics with CRI workloads.
Rename the symbols from *Kube* to *CRI* as the metadata will be there
every time pods are created through CRI, also if kubernetes is not
installed (e.g., 'crictl runp').
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
To resourcecontrol, and make it consistent with the fact that cgroups
are a Linux implementation of the ResourceController interface.
Fixes: #3601
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
We call it a ResourceController, and we make it not so Linux specific.
Now the Linux implementations is the cgroups one.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
We now rely on fs events only to update the sandbox cache. This is not
true anyway for sandboxes already present at kata-monitor startup: we
just retrieve the list and add them in the cache only when we get their
CRI metadata. If CRI metadata is not available we will never add them to
the sandbox cache.
Fix this by immediately adding the sandboxes we find at startup time to
the sandbox cache.
Fixes: #3705
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Since kata-monitor now:
- relies on fs events *only* to update the sandbox cache
- adds CRI meta-data as labels (CRI pod name, namespace and uid)
it deserves a version bump.
Note that while we could let kata-monitor match the runtime version,
kata-monitor will usually work flawlessy with different kata shim
releases: so it makes sense to keep kata-monitor version separated.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
The Developer-Guide.md build a custom kata agent with `x86_64-unknown-linux-musl`.
The `musl` should be changed by the system arch. The system arch is aarch64,
ppc64le and s390x, the musl should be changed. When the arch is ppc64le or s390x,
the musl should be replaced by the gnu.
Fixes: #3731
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
CRI-O start shim process without setting TTRPC_ADDRESS,
that the forwarding events goroutine will get errors.
For CRI-O runtime, we can log the events to log file.
Fixes: #3733
Signed-off-by: bin <bin@hyper.sh>
This PR updates the contributing documentation link to the
one that is using kata 2.0
Fixes#3740
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The kata-deploy Dockerfile is based on CentOS 7, which has no s390x
support. Add an `IMAGE` argument to specify the registry, which still
defaults to CentOS, but e.g. ClefOS can be selected instead.
Other x86_64 assumptions are also removed. Other general simplicifations
are made.
This does not address the more general issue of #3723 -- what we're
doing here does not seem to be working with systemd >= something between
235-237.
Fixes: #3722
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
When using kata-deploy, no `containerd-shim-kata-v2` binary is deployed,
but we do deploy a `kata` runtime class, which seems very much
incosistent.
As the default configuration for kata-containers points to QEMU, let's
also use kata with QEMU as the default shim-v2 binary.
Fixes: #3228, #3734
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As kata with qemu has supported lazyload, so this pr aims to
bring lazyload ability to kata with clh.
Fixes#3654
Signed-off-by: luodaowen.backend <luodaowen.backend@bytedance.com>
The name of SYS_SUPPORTS_HUGETLBFS has been changed to
ARCH_SUPPORTS_HUGETLBFS which is being selected on default
by another kernel config.
More info- 855f9a8e87
Change applicable from v5.13.
Fixes: #3720
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
`tools/packaging/scripts/apply_patches.sh` uses `git apply $patch`, but
this will not apply to subdirectories. If one wanted to apply with
`git apply`, they'd have to run it with `--directory=...`
_relative to the Git tree's root_ (absolute will not work!). I suggest
we just use `patch`, which will do what we expected `git apply` would
do.
`patch` is also added to build containers that require it.
Fixes: #3690
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Let's take advantage of the fact that we've bumped to our kernel version
ot the 5.15 LTS and enable SGX by default, as it's present there.
Fixes: #3692
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's stop building the experimental kernel as, currently, we have
all the needed contents as part of the vanilla kernel.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There's no need to build an experimental kernel for x86_64 as all the
bits which were part of the experimental one (SGX only, really) are now
part of the vanilla one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the container runtime, we're never inspecting, adding or configuring
host networking endpoints.
Make sure we're always do that by wrapping addSingleEndpoint calls into
the pod network namespace.
Fixes#3661
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
This PR updates the limitations document by removing the docker
references belonged to kata 1.x and add as a limitation the
docker and podman support for kata 2.0
Fixes#3709
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Keep all the OS agnostic bits in the hypervisor.go and
hypervisor_ARCH.go files.
Fixes#3614
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Some of them (e.g. QEMU) can run on other OSes (e.g. Darwin) but the
current virtcontainers implementation is Linux specific.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Even though it's still actually defined as the QEMU upper bound,
it's now abstracted away through govmm.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Right now we're getting the info for the Cloud Hypervisor repo and
version, but we don't do anything with them, as those are not passed
down to the build script.
Morever, the build script itself gets the info from exactly the same
place when those are not passed, making those redundant.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Right now TDx support on Cloud Hypervisor is gated behind a "--features
tdx" flag. However, having TDx support enabled should not and does not
impact on the general usability of cloud-hypervisor.
As sooner than later we'll need kata-deploy binaries to be tested on a
CI that's TDx capable, for the confidential containers effort, let's
take the bullet and already enable it by default.
By the way, touching kata-deploy-binaries.sh as it's ensure the change
will be used in the following workflows:
* kata-deploy-push
* kata-deploy-test
* release
Fixes: #3688
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Various improvements to the top-level README file:
- Moved the following sections from the runtime's README to the
top-level README:
- License
- Platform support / Hardware requirements
- Added the following sections to the top-level README:
- Configuration
- Hypervisors
- Improved formatting of the Documentation section in the top-level
README.
- Removed some unused named links from the top-level README.
Also improvements to the runtime README:
- Removed confusing mention of the old 1.x runtime name.
- Clarify the binary name for the 2.x runtime and the utility program.
> **Note:**
>
> We cannot currently link to the AMD website as that site's
> configuration causes the CI static checks to fail. See
> https://github.com/kata-containers/tests/issues/4401Fixes: #3557.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Mount hugepage directories and configure the requested number of hugepages
dynamically by writing to sysfs files
Port from:
78b307b5bdFixes: #3342
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: bin <bin@hyper.sh>
We're downloading the released cloud-hypervisor binary from GitHub, but
we should also ensure we set the binary as executable.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Current hook process is handled by just calling
unwrap() on it, sometime it will cause panic.
By handling all Result type and check the error can
avoid panic.
Fixes: #3649
Signed-off-by: bin <bin@hyper.sh>
Envs contain null-byte will cause running hooks to panic,
this commit will filter envs and only pass valid envs to hooks.
Fixes: #3667
Signed-off-by: bin <bin@hyper.sh>
The OCI spec is very specific about it:
"The prestart hooks MUST be executed in the runtime namespace."
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
That allows us to amend those annotations with information that could be
used when running those hooks.
For example nerdctl will use those annotations to resolve the networking
namespace path in where to run the CNI plugin, i.e. the created pod
networking namespace.
Fixes#3629
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Update the `kata-manager.sh` README to recommend users view the
available options before running the script.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Added CLI options to the `kata-manager.sh` script to:
- Force installation
- Disable cleanup (retain downloaded files)
- Only install Kata (don't consider containerd).
> **Note:**
>
> This change introduces a subtle behaviour difference:
>
> - Previously, the script would error if containerd was already installed.
>
> - Now, the script will detect the existing installation and skip
> trying to install containerd.
>
> This new behaviour makes more sense for most users but if you wish
> to use the old behaviour, you (now) need to run the script specifying
> the `-f` (force) option.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
`kata-manager.sh` improvements for containerd:
- Fixed containerd default branch (which is now `main`).
- Only install service file if it doesn't already exist.
- Enable the containerd service to ensure it can be started.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
For consistency with the rest of the script force the creation of a
symbolic link for containerd in `kata-manager.sh`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Actually make use of the `requested_version` parameter in
`kata-manager.sh` and added a comment.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fix bug introduced inadvertently on #3330 which fixes the Kata
installation, but unfortunately breaks installing containerd.
The new approach is to check that the download URL matches a
project-specific regular expression.
Also improves the architecture test to handle the containerd
architecture name (`amd64` rather than `x86_64`).
Fixes: #3674.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The static tar archive published on GitHub (now) contains `./` which is
being being flagged as an "unknown path" and resulting in the
`kata-manager.sh` script failing.
Partially fixes: #3674.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR removes the docker run and shared memory segment from the
limitations document as for kata 2.0 we do not support docker
and this is not longer valid.
Fixes#3676
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Let's allow passing down a build flag to cargo, when building Cloud
Hypervisor.
By doing this we allow calling this script with:
```
extra_build_flags="--features tdx" ./build-static-clh.sh
```
Fixes: #3671
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The current code will always pull the release binaries in case the
version requested by Kata Containers matches with a released version.
This, however, has a limitation of preventing users / CIs to build
cloud-hypervisor from source for a reason or another, such as passing a
specific build flag to cloud-hypervisor.
This is a pre-req to solving
https://github.com/kata-containers/kata-containers/issues/3671.
While here, a small changes were needed in order to improve readability
and debugability of why we're building something from the sources rather
than simply downloading and using a pre-built binary.
Fixes: #3672
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
German Maglione, one of the current virtio-fs developers, has brought to
our attention that using "announce-submounts" could help us to prevent
inode number collisions.
This feature was introduced a year ago or so by Hanna Reitz as part of
the 08dce386e77eb9ab044cb118e5391dc9ae11c5a8, and as we already mandate
QEMU >= 6.1.0, let's take advantage of that.
Fixes: #3507
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
When building with `ARCH=x86_64`, the previous `Makefile` will use it
without checking and cause:
Makefile:319: *** "ERROR: No hypervisors known for architecture x86_64 (looked for: acrn firecracker qemu cloud-hypervisor)". Stop.
This commit fix the above issue by checking `ARCH` no matter where it
is assigned.
Fixes: #3444
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Yu Li <liyu.yukiteru@bytedance.com>
The distro constraint parses os release files, which may not contain
distro version(VERSION_ID field), for example rolling release distributions
like Debian testing, archlinux.
These distro constraints are not used anyway, so removing them instead
of fixing the complex version detection.
Fixes: #1864
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Let's update cloud-hypervisor to a version that exposes the TDx support
via the OpenAPI's auto-generated code.
Fixes: #3663
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
to cover a Red Hat (adjacent) rootfs with great cross-platform compatibility
and a workable release cadence. The previous CentOS & Fedora workflows are
simplified.
Also remove unnecessary `/usr/share` files as on Ubuntu and mark Alpine
as unuspported on ppc64le (due to musl, for a while already).
Fixes: #3340
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
We install Rust in the build containers, but we also install Rust in
`rootfs.sh` if it is missing. It makes sense to install Rust in the build
containers so it does not have to be installed every time, but for that check
to work on non-login shells, we should source `.cargo/env` before running it.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Change the variables `mountTypeFieldIdx := 8`, `mntDestIdx := 4` and `netNsMountType := "nsfs"` to const.
And unify the variable naming style, modify `mntDestIdx` to `mountDestIdx`.
Fixes: #3646
Signed-off-by: yaoyinnan <yaoyinnan@foxmail.com>
Add support for building TDX kernel from github.com/intel/tdx
To build a guest kernel that supports Intel TDx run:
```
./build-kernel.sh -s -x tdx -d setup
./build-kernel.sh -s -x tdx -d install
```
fixes#3650
Signed-off-by: Julio Montes <julio.montes@intel.com>
Pulling image is the most time-consuming step in the container lifecycle. This PR
introduse nydus to kata container, it can lazily pull image when container start. So it
can speed up kata container create and start.
Fixes#2724
Signed-off-by: luodaowen.backend <luodaowen.backend@bytedance.com>
Relative links within this repository allow for easier navigation to
the corresponding file / directory in the current commit / for the
selected version.
Link text was slightly changed / fixed in
- docs/Unit-Test-Advice.md
- docs/how-to/how-to-run-docker-with-kata.md
Fixes#3045
Signed-off-by: Daniel Höxtermann <daniel@hxtm.dev>
In commit 78dff468bf1 we introduced logic to rewrite PCIDEVICE_ environment
variables for the container so that they contain correct addresses for the
Kata VM rather than for the host. Unfortunately, we never actually invoked
the function to do this.
It turns out we need to do this not only at container creation time, but
also for environment variables supplied to processes exec-ed into the
container after creation (e.g. with crictl exec). Add calls to make both
those updates.
fixes#3634
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
add_devices() generates a mapping of host to guest PCI addresses which is
used to update some environment variables for the workload. Currently it
just does this locally, but it turns out we're going to need the same map
again in order to correct environment variables for processes exec-ed into
the existing container.
Move the map to the sandbox structure so we can keep it around for those
later uses.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function updates PCIDEVICE_ environment variables (such as those
supplied by the Kubernetes SR-IOV plugin) in the OCI spec to be correct
for the Kata VM, rather than for the host.
We neglected to actually call this function, however, and it turns out that
when we do, we need to do things slightly different. We actually need to
adjust envionment variables both in the OCI spec when creating a container
and also in the variables supplied for exec-ing a new process within an
existing container.
Adjust the function so that it can be used for both these cases.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We don't need to call NewNetwork() twice, and we can have the VM factory
case return immediatly. That makes the code more readable.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Move the netlink dependent code into network_linux.go.
Other OSes will have to provide the same functions.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
And only have AddEndpoints/RemoveEndpoints for all cases (single
endpoint vs all of them, hotplug or not).
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
We are converting the Network structure into an interface, so that
different host OSes can have different networking implementations for
Kata.
One step into that direction is to rename all the Network structure
fields and methods to something that is less Linux networking namespace
specific. This will make the Network interface naming consistent.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
We are replacing the NetworkingNamespace structure with the Network
one, so we should have the hypervisor interface switching to it as well.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Remove unused parameters.
Reduce the number of parameters by deriving some of them (e.g. a
networking config) from their outer structure (e.g. a Sandbox
reference).
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Endpoints creations, attachement and hotplug are bound to the networking
namespace described through the Network structure.
Making them Network methods is natural and simplifies the code.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
For simplicity sake, there should only be one networking structure per
sandbox, as opposed to two (Network and NetworkingNamespace) currently.
This commit start expanding the Network structure in order to eventually
make it the single representation of a virtcontainers sandbox
networking.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Runtime now accepts both `1` and `Y` as valid values for
kvm_amd module parameter kvm_amd.sev.
Fixes#3273
Signed-off-by: Pierre Kohler <pierre.kohler@cysec.systems>
Update qemu version of snap for arm to 6.1.0 thus the arch specific qemu
version for arm needs clean up.
Fixes: #3627
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This reverts commit 7a879164bd, as it's
been proved that re-triggering the checks at every single change is more
painful than having to close / re-open a PR in case we ever use the
`force-skip-ci` label again.
Fixes: #2804
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The build root container is switched from CentOS 8 to Stream 8 as
the former reached EOL.
Fixes#3605
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Since we are using this to exercise any changes to osbuilder or
packaging scripts, let's make sure that we only run the test in that
case.
Similarly, don't run for every single push. Just run this workflow for
pull requests.
Fixes: #3594
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
On s390x, skip adding a virtio-rng device. The on-chip CPACF provides
entropy instead. For Confidential Containers, when using Secure
Execution, entropy attacks on virtio-rng are mitigated.
Fixes: #3598
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
firmware can be split into FIRMWARE_VARS.fd (UEFI variables as
configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI
variables can be customized per each user while UEFI code is kept same.
fixes#3583
Signed-off-by: Julio Montes <julio.montes@intel.com>
Since we are already checking that only an admin is triggering the job,
let's go ahead and make sure we are testing against the PR itself. This
will ensure that we are exercising changes to kata-deploy tooling, which
is important for this test.
While at it, cleanup and simplify some of the tarball creation.
Fixes: #3586
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This PR removes the images belonged to the Zun documentation at
the use cases directory.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR removes the zun documentation use case with kata containers mainly
because is not longer valid as it is using as a reference docker with
clear containers 2.0 which are not longer being supported and it is also
using docker to test kata with openstack zun and docker is also not supported.
Fixes#3581
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
critools v1.23.0 has been released a few days ago. As we're already
bumping kubernetes, and CRI-O, let's also update critools.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As done for kubernetes, CRI-O should also be bumped to its 1.23 release
so those are in sync.
Fixes: #3481
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
- virtcontainers: Enable initrd for Cloud Hypervisor
- versions: update Rust to 1.58.1
- Sandbox sizing feature
- kata-deploy: Fix the tag replacement logic
- docs: Update networking details in the architecture doc
- Fix and re-enable s390x GoVMM tests
- runtime: fix handling container spec's memory limit
- ci: Pass function arguments in static-checks.sh
- docs: Remove docker run and sysctl limitation
- runtime: update runc and image-spec dependencies
- agent: resolve unused variables in tests
- Upgrade to Cloud Hypervisor v21.0
- runtime: rectify passing empty options to -ldflags
- osbuilder: Remove libseccomp from Dockerfile
- agent: fix the issue of creating new namespaces for agent
- docs: Remove kata-pkgsync reference
- docs: Redirect glossary to the wiki
- workflows: Use base instead of head ref for kata-deploy-test
- govmm: Use it from our own repo
- tools: Fix groupname if it differs from username
- workflows: Fix typo in kata-deploy-push action
- release: Escape backticks in Libseccomp Notices
- packaging: Remove kata-pkgsync tool
- govmm: Bring the project in
- version: bump to kubernetes 1.23
- vendor: update govmm
- workflows: Ensure force-skip-ci skips all actions
- runtime: -Wl,--s390-pgste for s390x
- workflows: Use the correct branch ref on test kata-deploy
- update apiVersion
- scripts: Use shebang /usr/bin/env bash
- packaging: Make kernel config accessible to guest
- docs: fix a typo in host-cgroups.md doc
- qemu: add support for SGX
- experimentally enable the vcpu-hotplug for arm in qemu side
- Remove all the non-tested rootfs
- docs: Remove ccloudvm reference
- runtime: Provide protection for shared data
- kata-deploy: validate conf file can be created
- runtime: it should rollback when failed in Sandbox AddInterface
- libs: add some generated files to .gitignore
- runtime: close span before return from function in case of error
- packaging: Remove ccloudvm instructions and script
- docs: Default machine type is q35 meanwhile
- CI: Revert "CI: Switch to a mirror as gnu.org is down"
- agent: fix the broken protobuf generation code
- packaging: Remove obs packages testing for kata 2.0
- runtime: Remove docker comments for kata 2.0 configuration.tomls
- docs: fix agent proto file path
- qemu: update readonly flag for block devices
- qemu: only set wait parameter for server mode socket based char device
- qemu: Fix 32 bit int overflow in test file
- qemu: Add support for legacy serial device
- qemu: Remove -realtime in favor of -overcommit
- Add clean shutdown support
- govmm/qemu: Let IO/memory reservations be specified for bridge devices
- QMP: Add ExecuteBlockdevAddWithDriverCache
- qemu: Fix iommu_platform for CCW
- qemu: Add credentials to qemu Cmd
- Don't use deprecated 'props' argument to QMP 'object-add'
- Use 'host_device' driver for blockdev backends
- add support for "sandbox" feature to qemu
- qemu: support read-only nvdimm
- Support golang 1.16
- qemu: Consistent parameter building
- qemu: Allow hot-plugging memory devices on PCI bridges
- qemu: Add support for PEF
- qemu: Add support for Secure Execution
- qemu: VhostUserDevice CCW device numbers
- qmp: remove chatty log
- Fix qemu commandline issue with empty romfile
- qemu: add support for tdx-guest object
- qemu: Append memory backend for non-DIMM setups
- qemu: add support for device loaders
- qemu: support QEMU 6
- qmp: Add ro argument for block-device hotplug funcs
- qemu: add arm64 to support list of dimm
- qemu: enable "-pflash"
- qemu: add pvpanic and dump guest memory support
- Add serial ID to blk device
- Make fw_cfg a slice
- contributors: remove CONTRIBUTORS.md file
- misc: Update for new GitHub organisation name
- qemu: add fw_cfg flag to config
- Add qom-get function
- typo fix
- Add support for hot-plugging IBM Adjunct Processor (AP) devices
- github: enable github actions
- travis: Run coveralls after success
- qemu: add iommu_platform knob for qemuParams
- qemu: Add NoReboot config Knob for qemuParams
- Add multidevs option to fsdev
- qemu/qmp: use boolean type for the vhost
- qemu: add IOMMU Device
- Enable Numa support for Power (ppc64le) architecture
- qemu: Add max_ports option to virtio-serial device
- Add rt clock definition for rtc clock in qemu
- qemu: Add microvm machine type support
- qemu: add pmem flag to memory-backend-file
- Refactor code to support multiple virtio transports at runtime
- qemu: Don't set ".cache-size=" when CacheSize is 0
- qemu: Add pcie-root-port device support.
- qmp: Add ExecMemdevAdd and ExecQomSet API
- qmp: add ExecutePCIVhostUserDevAdd and ExecuteChardevDel to hotplug vhost-user device
- s390x: add s390x travis support
- virtio-blk: Add support for share-rw flag
- s390x: dimm not supported
- improve qemu interaction
- qmp: support command 'query-qmp-schema'
- qmp: add checks for the CPU toplogy
- qemu: support x86 SMP die
- Support x-pci-vendor-id and x-pci-device-id pass to qemu
- Support for virtio-blk-ccw
- Allow sharing of memory backend file
- qemu: add migration incoming defer support
- qmp: add virtio-blk multiqueue
- qemu: fix the issue of wrong driver for VirtioBlock
- qemu: use MiB instead of Gib for virtio-fs cache size
- qemu/qmp: re-implement mainLoop
- qemu/qmp: fix readLoop() reuse scanner.Bytes() underlying array problem
- govmm: add VhostUserFS vhost-user device type
- qmp: Conditionally pass threadID and socketID when CPU device add
- Fix travis
- qmp: Add nvdimm support
- qemu: Allow disable-modern option from QMP
- qmp: Output error detail when execute QMP command failed
- Run tests for the s390x build
- Contributors: Add Clare Chen to CONTRIBUTORS.md
- Verify govmm builds on s390x
- Contributors: Add my name
- qemu: Add s390x support
- Update file headers , CONTRIBUTING.md and add CONTRIBUTORS.md
- qmp: fix mem-path properties for hotplug memory.
- qemu: change Context ID for Vsock to uint64
- qemu/qmp: preparation for s390x support
- qemu/qmp: add new function ExecuteBlockdevAddWithCache
- qemu: add support for pidfile option
- qemu: Fix virtio-net-pci QMP command
- qemu: Add support for romfile option
- Update guidelines on security issue reporting
- qemu: Add virtio-balloon device suppport.
- qemu: Show full path to qemu binary at launch time
- qemu: Fix the support of PCIe bridge
- qmp: add ExecuteQueryMigration
- qemu: skip setting system memory if it is set via dimm device
- qmp: add "query-cpus" support
- qemu/qmp: add vfio mediated device support on root bus
- qemu/image: Reduce permissions of .iso creation dir
- qemu/qmp: nic can works without vhost
- qemu: Add rng device .
- qemu/qmp: support query-memory-devices qmp command.
- govmm: modify govmm to be compatible with qemu 2.8
- qemu/qmp: support hotplug a nic whose qdisc is mq
- qmp: Remind users that you must first call ExecuteQMPCapabilities()
- qemu/qmp: Add netdev_add with chardev support
- Add some negative test cases
- qemu: Use the supplied context.Context for launching
- disk: Add --share-rw option for hotplugging disks
- qemu/qmp: add vfio mediated device support
- qemu: Do not try and generate invalid RTC parameters
- qemu/qmp: add addr and bus to hotplug vsock devices
- qemu/qmp: add function for hotplug network by fds
- qemu/qmp: implement functions to hotplug chardevs and serial ports
- qemu: add vhostfd and disable-modern to vsock hotplug
- Add two additional static analysis tools to the travis builds
- qemu/qmp: implement function for hotplug network
- qemu: add vhostfd and disable-modern to vhost-vsock-pci
- qemu/qmp: implement function to hotplug vsock-pci
- Add APIs to enable vm templating
- qemu: Add qemu parameter for PCI address for a bridge.
- Add ability to associate a SCSI controller device with an iothread
- qemu: add initrd support
- qemu: add DisableModern to SCSIController
- qemu: add extra options for the machine type
- scsi: Add function to send device_add qmp command for a scsi device
- Compute coverage statistics for unit tests in Travis builds
- scsi: Add a scsi controller device
- qemu: Add VSOCK support
- Vhost-user: add block device support
- qemu: Add maxcpus attribute to -smp
- Add badges to the README.md file
- Enable Travis builds
- qemu: introduce vhost-user handling
bcce1a19 versions: update Rust to 1.58.1
7c956e0d virtcontainers: Enable initrd for Cloud Hypervisor
aa3fae13 kata-deploy: Fix the tag replacement logic
8cde5413 runtime: introduce static sandbox resource management
13eb1f81 docs: describe vCPU handling when hotplug is unavailable
c3e97a0a config: updates to configuration clh, fc toml template
75ae5361 docs: Update networking details in the architecture doc
fc0e0951 runtime: fix handling container spec's memory limit
7af40fbc docs: Remove docker run, sysctl and docker daemon limitations
17211979 ci: Pass function arguments in static-checks.sh
5643c6dc runtime: update runc and image-spec dependencies
2f37165f govmm: Unite VirtioNet tests
4a428fd1 govmm: readonly=on in s390x blkdev test
79ecebb2 govmm: TestAppendPCIBridgeDevice et al. on !s390x
dc285ab1 govmm: Remove unnecessary comma in iommu_platform
d23f2eb0 govmm: Revert "govmm: s390x: Skip broken tests"
f52ce302 runtime: rectify passing empty options to -ldflags
2d799cbf virtcontainers: clh: Re-generate the client code
7e15e99d versions: Upgrade to Cloud Hypervisor v21.0
9c2f1de1 docs: Remove kata-pkgsync reference
df6ae1e7 osbuilder: Remove libseccomp from Dockerfile
0338fc65 docs: Redirect glossary to the wiki
3924470c workflows: Use base instead of head ref for kata-deploy-test
5ce9011a govmm: s390x: Skip broken tests
8bcaed0b govmm: Adapt license headers to kata-containers
6dd65779 govmm: Ignore govet checks, at least for now
de678a3a govmm: Remove non-relevant top files
ec6655af govmm: Use govmm from our own pkg
8cc088b5 packaging: Remove kata-pkgsync tool
a8b66de5 release: Escape backticks in Libseccomp Notices
c3785f66 workflows: Fix typo in kata-deploy-push action
f4a4c3c7 version: bump to kubernetes 1.23
49223e67 runtime: remove enable_swap option
7a879164 workflows: Ensure a label change re-triggers the actions
d87ab14f workflows: Ensure force-skip-ci skips all actions
5285ac2b runtime: -Wl,--s390-pgste for s390x
fc646434 workflows: Use the correct branch ref on test kata-deploy
e347694f tools: Fix groupname if it differs from username
41e0c414 vendor: update govmm
a5829a29 docs: fix a typo in host-cgroups.md doc
92773170 agent: resolve unused variables in tests
8939b0f8 qemu: add support for SGX
2d0ec00a Qemu: Enable the vcpu-hotplug for arm
e22a4e2a packaging: Make kernel config accessible to guest
adffd3f8 scripts: Use shebang /usr/bin/env bash
e4b7a12b qat: Add Debian to the distro examples
6979d5be osbuilder: Remove gentoo rootfs-builder
22c1a093 osbuilder: Remove suse rootfs-builder
85dd5873 osbuilder: Remove fedora rootfs-builder
06fae29f osbuilder: Remove centos rootfs-builder
01005c5a docs: Remove ccloudvm reference
878ab93c runtime: Provide protection for shared data
ac7acbf8 kata-deploy: validate conf file can be created
7e2bc4d7 packaging: Remove ccloudvm instructions and script
85f5ae19 runtime: close span before return from function in case of error
106df33f libs: add some generated files to .gitignore
b133a236 runtime: it should rollback when failed in Sandbox AddInterface
7f546748 CI: Revert "CI: Switch to a mirror as gnu.org is down"
c486c2ca agent: fix the broken protobuf generation code
f6cdf464 docs: Default machine type is q35 meanwhile
b48322d4 packaging: Remove obs packages testing for kata 2.0
ad16d75c runtime: Remove docker comments for kata 2.0 configuration.tomls
905e124b docs: fix agent proto file path
ea1a1738 agent: fix the issue of creating new namespaces for agent
b17f0739 qemu: update readonly flag for block devices
b5b9de1d kata-deploy: Update API Version of RuntimeClass to v1
f971801b qemu: only set wait parameter for server mode socket based char device
82cc01d2 qemu: Fix 32 bit int overflow in test file
1d1a2313 qemu: Add support for legacy serial device
9a2bbeda qemu: Remove -realtime in favor of -overcommit
fe83c208 qemu: Add support for --no-shutdown Knob
1ed52714 qmp: wait for POWERDOWN event in ExecuteSystemPowerdown()
de039da2 govmm/qemu: Let IO/memory reservations be specified for bridge devices
5c7998db QMP: Add ExecuteBlockdevAddWithDriverCache
3a9a6749 qemu: Add credentials to qemu Cmd
d27256f8 qmp: Don't use deprecated 'props' field for object-add
d8cdf9aa qemu: Drop support for versions older than 5.0
18352c36 qemu: Fix iommu_platform for vhost user CCW
1b021929 Use 'host_device' driver for blockdev backends
9518675e add support for "sandbox" feature to qemu
335fa816 qemu: fix golangci-lint errors
61b63787 .github/workflows: reimplement github actions CI
9d6e7970 go: support go modules
0d21263a qemu: support read-only nvdimm
ff34d283 qemu: Consistent parameter building
0e19ffb6 qemu: Allow hot-plugging memory devices on PCI bridges
c135681d qemu: Add support for PEF
03b55ea5 qemu: Add support for Secure Execution
7a367dc0 qemu: Simplify (Object).Valid()
a6cec2d3 qemu: add support for SevGuest object
abd3c7ea qemu: VhostUserDevice CCW device numbers
3eaeda7f qemu: Refactor vhostuserDev.QemuParams
511cf58b Fix qemu commandline issue with empty romfile
b3eac95b qmp: remove frequent, chatty log
31418940 qemu: add support for tdx-guest object
4b136f3f qemu: Append memory backend for non-DIMM setups
6213dea4 qemu: support QEMU 6
0d47025d qemu: add support for device loaders
e2eb549f qmp: Add ro argument for block-device hotplug funcs
0592c825 qemu: add arm64 to support list of dimm
2079c15c qemu: enable "-pflash"
b8cd7059 qmp: add dump-guest-memory support
d7836877 qemu: add pvpanic device to get GUEST_PANICKED event
43d774d2 Add serial to blk device
8cb8b24c Make fw_cfg a slice
cb0d3391 contributors: remove CONTRIBUTORS.md file
29ba5a90 qemu: add fw_cfg flag to config
9f309c2a misc: Update for new GitHub organisation name
3d46d08a Add qom-get function
39c372a2 Add support for hot-plugging IBM VFIO-AP devices
f5bdd53c travis: disable amd64 jobs
1af1c0d7 github: enable github actions
4831c6e0 travis: Run coveralls after success
cf0f05d2 qemu: add iommu_platform knob for qemuParams
6645baf2 qemu: Add NoReboot config Knob for qemuParams
abca6f3c Add multidevs option to fsdev
cc538766 qemu/qmp: use boolean type for the vhost
e57e86e2 qemu: add IOMMU Device
b2aa0225 Enable Numa support for Power (ppc64le) architecture
29529a5d Add rt clock definition for rtc clock in qemu
0e98b613 qemu: Add max_ports option to virtio-serial device
787c86b7 qemu: Add microvm machine type support
5378725f qemu: add pmem flag to memory-backend-file
3700c55d qemu: add block device readonly support
88a25a2d Refactor code to support multiple virtio transports at runtime
2ee53b00 qemu: Don't set ".cache-size=" when CacheSize is 0
f1252f6e qemu: Add pcie-root-port device support.
6667f4e9 qmp_test: Add TestExecMemdevAdd and TestExecQomSet
201fd0ae qmp: Add ExecMemdevAdd and ExecQomSet API
e04be2cc qmp: add ExecutePCIVhostUserDevAdd API
13aeba09 qmp: support command 'chardev-remove'
6d6b2d88 s390x: add s390x travis support
175ac499 typo fix
cb9f640b virtio-blk: Add support for share-rw flag
9463486d s390x: dimm not supported
164bd8cd test/fmt: drop extra newlines
73555a40 qmp: add query-status API
234e0edf qemu: fix memory prealloc handling
30bfcaaa qemu: add debug logfile
79e0d533 qmp: support command 'query-qmp-schema'
68cdf64f test: add cpu topology tests
e0cf9d5c qmp: add checks for the CPU toplogy
a5c11908 qemu: support x86 SMP die
8fd28e23 Support x-pci-vendor-id and x-pci-device-id pass to qemu
713d0d94 s390x: add virtio-blk-ccw type
65cc343f test: add devno in the tests for s390x
9cf98da0 s390x: add devno support
0c900f59 Allow sharing of memory backend file
f695ddf8 qemu: add migration incoming defer support
f0f18dd0 qmp: add virtio-blk multiqueue
7d3deea4 qemu: Add a virtio-blk-pci device driver support
058cda06 qemu: use MiB instead of Gib for virtio-fs cache size
694a7b1c qemu/qmp: re-implement mainLoop
5712b119 qemu/qmp: fix readLoop() reuse scanner.Bytes() underlying array problem
3c84b1da govmm: add VhostUserFS vhost-user device type
4692f6b9 qmp: Conditionally pass threadID and socketID when CPU device add
1f51b438 Update the versions of Go used to build GoVMM
ad310f9f Fix staticcheck S1023
932fdc7f Fix staticcheck S1023
cb2ce933 Fix staticcheck S1008
f0172cd2 Fix staticcheck (S1002)
5f2e630b Fix staticcheck (S1025)
4beea513 Fix staticcheck (ST1005) errors
97fc3435 contributors: add my name
c891f5f8 qmp: Add nvdimm support
f9b31c0f qemu: Allow disable-modern option from QMP
d6173077 Run tests for the s390x build
b36b5a8f Contributors: Add Clare Chen to CONTRIBUTORS.md
b41939c6 Contributors: Add my name
dab4cf1d qmp: Add tests
5ea6da14 Verify govmm builds on s390x
ee75813a contributors: add my name
c80fc3b1 qemu: Add s390x support
ca477a18 Update source file headers
e68e0056 Update the CONTRIBUTING.md
2b7db547 Add the CONTRIBUTORS.md file
b3b765cb qemu: test Valid for Vsock for Context ID
3becff5f qemu: change of ContextID from uint32 to uint64
f30fd135 qmp: Output error detail when execute QMP command failed
7da6a4c7 qmp: fix mem-path properties for hotplug memory.
e4892e33 qemu/qmp: preparation for s390x support
110d2fa0 qemu/qmp: add new function ExecuteBlockdevAddWithCache
a0b0c86e qmp_test: Change QMP version from 2.6 to 2.9
10c36a13 qemu: add support for pidfile option
9c819db5 qemu: Fix virtio-net-pci QMP command
7fdfc6a4 qemu: Add support for romfile option
e74de3c7 Update guidelines on security issue reporting
ec83abe6 qemu: Add virtio-balloon device suppport.
46970781 qemu: Show full path to qemu binary at launch time
ef725050 qemu: Fix the support of PCIe bridge
56f645ea qmp: add ExecuteQueryMigration
a429677a govmm: fix memory prealloc
1130aab8 qmp: add "query-cpus" support
de5d2788 qemu/qmp: add vfio mediated device support on root bus
de00d7a6 qemu/image: Reduce permissions of .iso creation dir
1a1fee75 qemu/qmp: nic can works without vhost
6c3d84ea qemu: Add virtio RNG device.
b16291cf qemu/qmp: support query-memory-devices qmp command.
ce070d11 govmm: modify govmm to be compatible with qemu 2.8
0286ff9e qemu/qmp: support hotplug a nic whose qdisc is mq
8515ae48 qmp: Remind users that you must first call ExecuteQMPCapabilities()
21504d31 qemu/qmp: Add netdev_add with chardev support
ed34f616 Add some negative test cases for qmp.go
17cacc72 Add negative test cases for qemu.go
2706a07b qemu: Use the supplied context.Context for launching
e46092e0 qemu: Do not try and generate invalid RTC parameters
fcaf61dc qemu/qmp: add vfio mediated device support
4461c459 disk: Add --share-rw option for hotplugging disks
68519998 qemu/qmp: add addr and bus to hotplug vsock devices
10efa841 qemu/qmp: add function for hotplug network by fds
80ed88ed qemu/qmp: implement function to hotplug serial ports
ca46f21f qemu/qmp: implement function to hotplug character devices
03f1a1c3 qemu/qmp: implement getfd
84b212f1 qemu: add vhostfd and disable-modern to vsock hotplug
12dfa872 qemu/qmp: implement function for hotplug network
3830b441 qemu: add vhostfd and disable-modern to vhost-vsock-pci
f700a97b qemu/qmp: implement function to hotplug vsock-pci
4ca232ec qmp_test: Fix Warning and Error level logs
430e72c6 qemu,qmp: Enable gas security checker
ffc06e6b qemu,qmp: Add staticcheck to travis and fix errors
54caf781 qmp: add hotplug memory
e66a9b48 qemu: add appendMemoryKnobs helper
8aeca153 qmp: add migrate set arguments
a03d4968 qmp: add set migration capabilities
0ace4176 qemu: allow to set migration incoming
723bc5f3 qemu: allow to create a stopped guest
283d7df9 qemu: add file backed memory device support
30aeacb8 qemu: Add qemu parameter for PCI address for a bridge.
9130f375 scsi: Allow scsi controller to associate with an IO thread.
a54de183 iothread: Add ability to configure iothreads
0c0ec8f3 qemu: add initrd support
68f30718 qemu: add DisableModern to SCSIController
693d9548 qemu: add options for the machine type
3273aafd scsi: Add function to send device_add qmp command for a scsi device
6d198b8a Compute coverage statistics for unit tests in Travis builds
3a31da32 scsi: Add a scsi controller device
5316779d qemu: Add VSOCK support
f5655366 vhost-user: add blk device support
e9e27673 vhost-user: updating comments for accuracy, rename device field
8fe57236 qemu: Add maxcpus attribute to -smp
3baa7765 Add badges to the README.md file
d74e3b66 Fix errcheck failures in the unit tests
db60e32f Enable Travis builds
9cb47fc0 Add .gitignore file.
a8aaf534 Add project documentation
57aafb56 Remove all references to and dependencies on ciao
27709fce Move files to the qemu folder
48feb29f qemu: introduce vhost-user handling
b8ddd244 qemu: Add function to list hotpluggable CPUs
8c428ed7 qemu: Add function to hotplug CPUs
24b14059 qemu: Add functions to process QMP response
e39da6ca qmp: Add support for hot plugging VFIO devices on PCI(E) bridges
bc030d13 qemu: Add a SysProcAttr parameter to CreateCloudInitISO
11977072 qemu: Add a SysProcAttr parameter to LaunchCustomQemu
b639da45 qemu: Add function to hotplug vfio device
7e5614b8 Networking: Add vhost fd support
14316ce0 qemu/qmp: Implement function to hot plug PCI devices
83485dc9 qemu: Implement Bridge struct
cfa8a995 Networking: Add support for handling macvtap interfaces
83126d3e bios: add support for custom bios
3da2ef9d QEMU: Knobs: Huge Page Support: Add support for huge pages
9bfa7927 vfio: Add ability to pass VFIO devices to qemu
a70ffd19 Build: Fix the build after repo move.
0c206170 Knobs: Modify the behaviour of the Mlock knob.
ddee41d5 QEMU: Enable realtime options
4ecb9de5 qemu: Add support for memory pre-allocation
1fbe6c5d qmp: Update block device deletion for newer versions of qemu
e74aeef1 qemu: Add disable-modern option for virtio devices
8d617ff5 qemu: Update virtio-net-pci command line
25a2dc8f qemu: Update blockdev-add qmp command to support newer qemu versions
d4f77103 misc: Remove some of the code flagged by unused linter
a1600dc1 misc: Remove unused fields identified by structcheck
58a835e6 misc: Remove unused variables identified by varcheck
d48b5b5f qemu: Add PCI option to the NetDevice
a84228ae qemu: Document how cancelling works.
1e7202a5 qemu: Fix spelling error in qmp_test.go
c6f33453 qemu: Fix command cancelling.
a8a798b0 qemu, ciao-launcher: Move ConfigDrive ISO creation code to qemu
30cf1163 Add missing bus parameter for a CharDevice
2aa5f5a3 qemu: Add support for serial port addition
6fe338d6 qemu: Support creating multiple QMP sockets
992b861e qemu: Add the daemonize qemu option to the Knobs structure
997cb233 qemu: Remove dead code
e555f565 qemu: Add support for socket based consoles
eae8fae0 qemu: Fix security model typo
db067857 qemu: Make Config's FDs field private
12f6ebe3 qemu: Embed the qemu parameters into the Config structure
e193a77b qemu: Add support for block devices
3908185c qemu: Add MACVTAP support
6d7dfa04 qemu: Get rid of the Driver structure
cc9cb33a qemu: Add QMPSocket specific type
2d736d71 qemu: Add RTC specific types
e543c338 qemu: Probe each qemu device with a driver
eda8607c qemu: Add netdev options to the Device structure
4780e237 qemu: Add multi-queue and vhost definitions to NetDevice
137e7c72 qemu: Add a NetDevice slice to the Config structure
c0e2aaca qemu: Add one unit test for the Config strings
5ba8ef79 qemu: Add QMP socket unit tests
7b2f7eb5 qemu: Add Memory and SMP unit tests
2ea9b9a3 qemu: Add a Kernel unit test
8e495f6e qemu: Add a Knobs unit test
8aeb3d45 qemu: Add an Object unit test
38e041dc qemu: Add Device unit tests
54d32c24 qemu: Add parameters adding unit tests
ebfa382d qemu: Add a Knobs field to the Config structure
fe1bdcd2 qemu: Remove the extra parameters field from the Config structure
15bce61a qemu: Group all machine configurations into one structure
d94b5af8 qemu: Add a VGA parameter field to the Config structure
4892d041 qemu: Add a Global parameter field to the Config structure
612a5a9e qemu: Add a RTC field to the Config structure
c63ec096 qemu: Add a SMP field to the Config structure
7cf386a8 qemu: Add a Memory field to the Config structure
b198bc67 qemu: Add a UUID field to the Config structure
6239e846 qemu: Add a Character Devices slice field to the Config structure
73e2d53c qemu: Add a Filesystem Devices slice field to the Config structure
518ba627 qemu: Add a Kernel field to the Config structure
b973bc59 qemu: Add an Object slice field to the Config structure
8744dfe8 qemu: Add a Device slice field to the Config structure
5458de70 qemu: Add a QMP socket field to the Config structure
17118270 qemu: Add qemu's name to the Config structure
37a1f500 qemu: Add configuration structure to simplify LaunchQemu
5ccbaf2b ciao-launcher, qemu: Upgrade to new context package.
f5720198 qemu: Use null QMP logger when the logger parameter is nil
7d4199a4 qemu: Fix ineffassign error
7f50a415 qemu: Fix a silly bug in LaunchQemu
fc6bf8cf qemu: Add package documentation
306f54a9 ciao-launcher, qemu: Move launchQemu to qemu
344aa22b qemu: Add the qemu package
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
The commit message of a revert commit usually generated by
`git revert`, we should consider this as legal.
Consider the commit as the merge commit if the subject
starts with 'Reject "'
Follow the pr kata-containers/tests/#3938, the suttle diffrence
is we skip all commit checks for revert commit including fixes checking
and subsystem checking. Because the commit was reverted must have passed
the check so the revert-commit should have the Fixes and Subsystem.
Fixes: #3568Fixes: kata-containers/tests#3934
Signed-off-by: Tim Zhang <tim@hyper.sh>
When building a non-stable release, the tag is **always** "latest¨,
instead of the version. The same magic done for setting the correct
tags up should be done for replacing the tag on the kata-deploy and
kata-cleanup yaml files, as part of the kata-deploy test.
Fixes: #3559
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There are software and hardware architectures which do not support
dynamically adjusting the CPU and memory resources associated with a
sandbox. For these, today, they rely on "default CPU" and "default
memory" configuration options for the runtime, either set by annotation
or by the configuration toml on disk.
In the case of a single container (launched by ctr, or something like
"docker run"), we could allow for sizing the VM correctly, since all of
the information is already available to us at creation time.
In the sandbox / pod container case, it is possible for the upper layer
container runtime (ie, containerd or crio) could send a specific
annotation indicating the total workload resource requirements
associated with the sandbox creation request.
In the case of sizing information not being provided, we will follow
same behavior as today: start the VM with (just) the default CPU/memory.
If this information is provided, we'll track this as Workload specific
resources, and track default sizing information as Base resources. We
will update the hypervisor configuration to utilize Base+Workload
resources, thus starting the VM with the appropriate amount of CPU and
memory.
In this scenario (we start the VM with the "right" amount of
CPU/Memory), we do not want to update the VM resources when containers
are added, or adjusted in size.
This functionality is introduced behind a configuration flag,
`static_sandbox_resource_mgmt`. This is defaulted to false for all
configurations except Firecracker, which is set to true.
This'll greatly improve UX for folks who are utilizing
Kata with a VMM or hardware architecture that doesn't support hotplug.
Note, users will still be unable to do in place vertical pod autoscaling
or other dynamic container/pod sizing with this enabled.
Fixes: #3264
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Describe the static_sandbox_resource_mgmt flag, and how this applies to
configurations that do not utilize hotplug.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add the POD metadata we get from the container manager to the metrics by
adding more labels.
Fixes: #3551
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Kata-monitor detects started and terminated kata pods by monitoring the
vc/sbs fs (this makes sense since we will have to access that path to
access the sockets there to get the metrics from the shim).
While kata-monitor updates its sandbox cache based on the sbs fs events,
it will schedule also a sync with the container manager via the CRI in
order to sync the list of sandboxes there.
The container manager will be the ultimate source of truth, so we will
stick with the response from the container manager, removing the
sandboxes not reported from the container manager.
May happen anyway that when we check the container manager, the new kata
pod is not reported yet, and we will remove it from the kata-monitor pod
cache. If we don't get any new kata pod added or removed, we will not
check with the container manager again, missing reporting metrics about
that kata pod.
Let's stick with the sbs fs as the source of truth: we will update the
cache just following what happens on the sbs fs.
At this point we may have also decided to drop the container manager
connection... better instead to keep it in order to get the kube pod
metadata from it, i.e., the kube UID, Name and Namespace associated with
the sandbox.
Every time we get a new sandbox from the sbs fs we will try to retrieve the
pod metadata associated with it.
Right now we just attach the container manager sandbox id as a label to
the exposed metrics, making hard to link the metrics to the running pod
in the kubernetes cluster.
With kubernetes pod metadata we will be able to add them as labels to map
explicitly the metrics to the kubernetes workloads.
Fixes: #3550
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
We currently WARN about unexpected fs events, which includes CHMOD
operations (which should be actually expected...).
Just ignore all the fs events we don't care about without any warn.
We dump all the events with debug log in any case.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Improve debug log formatting of the sandbox cache update process.
Move raw and tracing logs from the DEBUG to the TRACE log level.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Updated the doc to clarify certain networking details and
external links to some of the networking terms used.
Fixes#3308
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The OCI container spec specifies a limit of -1 signifies
unlimited memory. Update the sandbox memory calculator
to reflect this part of the spec.
Fixes: #3512
Signed-off-by: Braden Rayhorn <bradenrayhorn@fastmail.com>
This PR removes the docker run and sysctl limitation reference
for kata 2.0 as well as docker daemon limitation as currently
for kata we are not supporting docker and this reference belonged
to kata 1.0
Fixes#3545
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
1. The hook.args[0] is the hook binary name which shouldn't be included
in the Command.args.
2. Add new unit tests
Fixes: #2610
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
no explicit PCI test, just switch path depending on architecture
(CCW for s390x, PCI for others). Also fixes an unknown variable error.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
When no options are passed to -ldflags, it passes
incorrect values(in this case, $BUILDFLAGS) to it.
Fix passing empty values by passing $KATA_LDFLAGS
in quotes.
Fixes: #3521
Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
Now that kata-pkgsync has been removed, this PR removes the reference
in the documentation.
Fixes#3513
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Remove the libseccomp package from Dockerfile of `alpine` and `clearlinux`
because the libseccomp library is installed by the `ci/install_libseccomp.sh`
script when building the kata-agent.
Fixes: #3508
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Weekly check(at 23:00 every Sunday) whether the docs url is ALIVE, so that
we can find the failed url in time
Fixes#815
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
Although I've done tests on my own fork using `head_ref` and those
worked, it seems those only worked as the PR was coming from exactly the
same repository as the target one.
Let's switch to base_ref, instead, which we for sure have as part of our
repo.
The downside of this is that we run the test with the last merged PR,
rather than with the "to-be-approved" PR, but that's a limitation we've
always had.
Fixes: #3482
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
For now a bunch of tests are simply not working.
Let's skip them all, and re-enable them once
kata-containers/kata-containers/issues/3500 gets fixed.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Both projects follow the same license, Apache-2.0, but the header saying
that comes from govmm is different from the one expected for the tests
present on the kata-containers repo.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
govet checks have been ignored on govmm repo, but those are enabled on
kata-containers one. So, in order to avoid failing our CIs let's just
keep ignoring the checks for the govmm structs and have an issue opened
for fixing it whenever someone has cycles to do it.
The important bit here is, we're not making anything worse that it
already is. :-)
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
govmm, from now on, should follow the same guidelines from contributing,
copying, and etc as kata-containers does.
The go.mod is not needed anymore as the project lives inside the
runtime.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's stop using govmm from kata-containers/govmm and let's start using
it from our own repo.
Fixes: #3495
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR removes the kata-pkgsync tool that is mainly used for OBS
packages, currently for kata 2.0 we do not have OBS packages and
this tool is not being used for kata 2.0
Fixes#3493
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Escape (with backslash) backticks (`) to prevent them from being
evaluated by the shell.
Fixes: #3487
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Current latest release is 1.23.1. Let's update to this version for our
integration testing.
Fixes: #3477
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
`enable_swap` option was added long time ago to add
`-realtime mlock=off` to the QEMU's command line.
Kata now supports QEMU 6, `-realtime` option has been deprecated and
`mlock=on` is causing unexpected behaviors in kata.
This patch removes support for `enable_swap`, `-realtime` and `mlock=`
since they are causing bugs in kata.
Signed-off-by: Julio Montes <julio.montes@intel.com>
This is needed in order to ensure that, for instance, if `force-skip-ci`
label is either added or removed later, the jobs related to the actions
will be restarted and accordingly checked.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Before this change it was only applied to the static-checks, but if
we're already taking the extreme path of skipping the CI, we better
ensure we skip all the actions and not just a few of them.
Fixes: #3471
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The action used for testing kata-deploy is entirely based on the action
used to build the kata-deploy tarball, but while the latter is able to
use the correct branch, the former always uses `main`.
This happens as the `issue_comment`, from GitHub actions, passed the
"default branch" as the GITHUB_REF.
As we're not the first ones to face such a issue, I've decided to take
one of the approaches suggested at one of the checkout's issues,
https://github.com/actions/checkout/issues/331, and take advantage of a
new action provided by the community, which will get the PR where the
comment was made, give us that ref, and that then can be used with the
checkout action, resulting on what we originally wanted.
Fixes: #3443
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The script `tools/packaging/static-build/qemu/build-base-qemu.sh`
previously failed on systems where the user's groupname differs from the
username
Fixes: #3461
Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
bring SGX support and other fixes
shortlog:
8939b0f qemu: add support for SGX
b17f073 qemu: update readonly flag for block devices
f971801 qemu: only set wait parameter for server mode socket based
char device
82cc01d qemu: Fix 32 bit int overflow in test file
1d1a231 qemu: Add support for legacy serial device
9a2bbed qemu: Remove -realtime in favor of -overcommit
fe83c20 qemu: Add support for --no-shutdown Knob
1ed5271 qmp: wait for POWERDOWN event in ExecuteSystemPowerdown()
fixes#3080
Signed-off-by: Julio Montes <julio.montes@intel.com>
Provide the `/proc/config.gz` file in guest kernels that allow the guest
to determine the kernel configuration used to build the running kernel.
Note that since `gunzip` expects to rename the gzip'ed file it operates
on, to use this feature you need to run something like the following in
the container environment:
```bash
# cat /proc/config.gz|gunzip -c
```
Fixes: #3445.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Debian is a supported rootfs that uses systemd as init, thus, it should
be mentioned in the QAT README document.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the gentoo rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain this rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2144
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the suse rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenver we have someone willing to maintain this rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2145
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the fedora rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain the rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2143
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the centos rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain the rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2140
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR removes the ccloudvm reference at the README document as the
setup of scripts of ccloudvm were removed.
Fixes#3448
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR removes ccloudvm for kata 2.0, ccloudvm was used in kata 1.x
and we are not longer using it for kata 2.0.
Fixes#3427
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Generated protocols files should not be inclued in Git repo.
And also add Cargo.lock in oci/protocols directory to .gitignore.
Fixes: #3422
Signed-off-by: bin <bin@hyper.sh>
When Sandbox AddInterface() is called, it may fail after endpoint.HotAttach,
we'd better rollback and call save() in the end.
Fixes: #3419
Signed-off-by: yangfeiyu <yangfeiyu20102011@163.com>
This reverts commit 321995b7df.
Now that gnu.org is back online, we don't need to use a mirror.
Fixes: #3313.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
After the protocols are moved to upper libs (PR3355),
the runtime protocol generation is broken. This fixes it.
Fixes: #3414
Signed-off-by: Feng Wang <feng.wang@databricks.com>
This PR removes the scripts and the dockerfiles that were used in kata 1.x
to test the different kata components for different distributions in OBS.
Currently for kata 2.0 we are not generating packages in OBS so these scripts
are not longer being used.
Fixes#3404
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This PR removes the reference of how to use disable_new_netns
configuration with docker as for kata 2.0 we are not supporting docker
and this information was used for kata 1.x
Fixes#3400
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- kata-deploy: fix tar command in dockerfile
- vendor: update to containerd v1.6.0-beta.4
- versions: Upgrade to Cloud Hypervisor v20.2
- vc: remove swagger binary
- agent: Refactor command line parsing to use a framework
- move the oci and protocols crates from agent to upper libs
- docs: Remove word duplication
- osbuilder: Restore Debian as a rootfs
- runtime: fix a typo in kata-collect-data.sh
- agent: return detail error message for RPC calls from shim
- use-cases: clarify SPDK vhost-user-nvme target status in using-spdk-v…
- Delint dockerfiles
- Makefile: update `make go-test` call
- docs: add how-to on DinD in Kata
- agent: Ignore unknown seccomp system calls
- agent: mount: Remove unneeded mount_point local variable
- docs: Fix outdated links
- docs: Fix kernel configs README spelling errors
- security: Update rust crate versions
- kata-manager: Retrieve static tarball
- osbuilder: avoid to copy versions.txt which already deprecated
- qemu: Disable libudev for QEMU 5.2 and newer
- osbuilder: Add protoc to the alpine container
- docs: Clarify where to run agent API generation commands
- packaging/qemu: partial git clone
- docs: Fix arch doc formatting
- CI: Switch to a mirror as gnu.org is down
- Split architecture doc into separate files
- docs: Update the stable branch strategy
- tracing: Add span name to logging error
- docs: Update code PR advice document
- agent: Add config file option to cli
- update container type handling
- docs: Update architecture document
- runtime: update golang to 1.16 and remove ioutil package
- kata-deploy: Deal with empty containerd conf file
- src: reorg source code directory
- osbuilder: show usage if no options/arguments specified
- Upgrade to Cloud Hypervisor v20.1
- image_build: add help info for '-f' option and 'BLOCK_SIZE' env.
- osbuilder: be runtime consistent with podman build
- osbuilder: Revert to using apk.static for Alpine
- runtime/template: Handling new attributes for hypervisor config
- docs: fix check-markdown test
- runtime: correct span name for stopSandbox function
- runtime: only call stopVirtiofsd when shared_fs is virtio-fs
- snap: read initrd and image distros from version.yaml
- versions: Use Ubuntu initrd for non-musl archs
- packaging: Fix missing commit message in building kata-runtime
- virtcontainers: clh: Upgrade to openapi-generator v5.3.0
- agent: user container ID as watchable storage key for hashmap
- runtime: enable vhost-net for rootless hypervisor
- packaging: add help information for '-f' option in install_go.sh
- Cleanup some unused variables, definitions
- Upgrade to Cloud Hypervisor v20.0
- docs: Update limitation document regarding docker swarm
- runtime: Enable FUSE_DAX kernel config for DAX
- agent: copy empty directories for watchable-bind mounts
- runtime: Update comments for virtcontainers to use kata 2.0
- Update rust crate versions
- osbuilder: Remove debian as a rootfs
e2c1e65e kata-deploy: fix tar command in dockerfile
615224e9 agent: move the protocols to upper libs
330e3dcc agent: move the oci crate to upper libs
7b03d78f vendor: update to containerd v1.6.0-beta.4
1f581a04 versions: Upgrade to Cloud Hypervisor v20.2
623d8f08 docs: Remove word duplication
1c4edb96 agent: Refactor arg parsing to use clap
3093f93a osbuilder: Restore Debian as a rootfs
073a3459 use-cases: clarify vhost-user-nvme status in using-spdk-vhost-user
2254fa86 runtime: fix a typo in kata-collect-data.sh
2d0f9d2d vc: remove swagger binary
cf91307c agent: return detail error message for rpc calls from shim
137e217b docs: Fix outdated k8s link
55bac67a docs: Fix kernel configs README spelling errors
205420d2 docs: Replicate branch rename on runtime-spec
91abebf9 agent: mount: Remove unneeded mount_point local variable
b1f4e945 security: Update rust crate versions
d79268ac tools/packaging: add copyright to kata-monitor's Dockerfile
428cf0a6 packaging: delint tests dockerfiles
1ea9b703 packaging: delint kata-deploy dockerfiles
3669e1b6 ci/openshift-ci: delint dockerfiles
aeb2b673 osbuilder: delint dockerfiles
bc120289 packaging: delint kata-monitor dockerfiles
bc71dd58 packaging: delint static-build dockerfiles
99ef52a3 osbuilder: Add protoc to the alpine container
c2578cd9 docs: Clarify where to run agent API generation commands
321995b7 CI: Switch to a mirror as gnu.org is down
fb1989b2 docs: Fix arch doc formatting
2938bb7f packaging/qemu: Use QEMU script to update submodules
5d49ccd6 packaging/qemu: Use partial git clone
87a219a1 docs: Update the stable branch strategy
d1bc409d osbuilder: avoid to copy versions.txt which already deprecated
1653dd4a tracing: Add span name to logging error
12c8e41c qemu: Disable libudev for QEMU 5.2 and newer
233015a6 docs: Split guest assets details out of arch doc
db411c23 docs: Split k8s info out of arch doc
7ac619b2 docs: Split networking out of arch doc
5df0cb64 docs: Split storage out of arch doc
7229b7a6 docs: Split background and example out of arch doc
283d7d52 docs: Split history out of arch doc
6f9efb40 docs: Move arch doc to separate directory
02608e13 docs: Update code PR advice document
cb5c948a kata-manager: Retrieve static tarball
51bf9807 docs: Update architecture document
f3a97e94 docs: add how-to on Docker in Kata
7a989a83 runtime: api-test: fixup
52f79aef utils: update container type handling
5b002f3c docs: change io/ioutil to io/os packages
03546f75 runtime: change io/ioutil to io/os packages
24a530ce versions: bump minimum golang version to 1.16.10
7c4263b3 src: reorg source directories
1a34fbcd agent: Add config file option to cli
bbfb10e1 versions: Upgrade to Cloud Hypervisor v20.1
84571506 kata-deploy: Deal with empty containerd conf file
3f7cf7ae osbuilder: show usage if no options/arguments specified
2ebaaac7 osbuilder: be runtime consistent also with podman build
f3103696 docs: fix check-markdown test
2204ecac versions: Upgrade Alpine, using minor version
dfd0732f osbuilder: Revert to using apk.static for Alpine
6b3e4c21 image_build: add help info for '-f' option and 'BLOCK_SIZE' env.
b92babf9 runtime/template: Handling new attributes for hypervisor config
40bd34ca runtime: only call stopVirtiofsd when shared_fs is virtio-fs
33f343ee runtime: correct span name for stopSandbox function
d7cc952c versions: Use Ubuntu initrd for non-musl archs
ff929fc0 snap: read initrd and image distros from version.yaml
8fae2631 packaging: Fix missing commit message in building kata-runtime
99530026 virtcontainers: clh: Upgrade to openapi-generator v5.3.0
b3bcb7b2 runtime: enable vhost-net for rootless hypervisor
7cb7b9d5 agent: remove unused field in mount handling
f6ae1582 agent: drop unused fields from network
4756a04b virtcontainers: clh: Re-generate the client code
0bf4d257 versions: Upgrade to Cloud Hypervisor v20.0
647082b2 docs: Update limitation document regarding docker swarm
39b35d00 agent: user container ID as watchable storage key for hashmap
1e6f58e5 packaging: add help information for '-f' option in install_go.sh
2af95bc5 agent: create directories for watchable-bind mounts
6105e3ee runtime: enable FUSE_DAX kernel config for DAX
591d4af1 runtime: Update comments for virtcontainers to use kata 2.0
923e098d osbuilder: Remove debian as a rootfs
afb96c00 agent: Wrap remaining nix errors with anyhow
aba572e0 rustjail: Wrap remaining nix errors with anyhow
30d60078 uevent: Fix clippy issue in test code
4a2be13c agent: Upgrade nix version for security fix
256d5008 agent: Update crate versions
13257986 agent-ctl: Update rust lockfile
4ebdd424 forwarder: Update rust lockfile
6007322d agent: Fixed invalid error message
7b356151 agent: Log unknown seccomp system calls
7304e52a Makefile: update `make go-test` call
c66b5668 agent: Ignore unknown seccomp system calls
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
move the protocols to upper libs thus it can
be shared between agent and other rust runtime.
Depends-on: github.com/kata-containers/tests#4306
Fixes: #3348
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Move the oci crate to upper libs thus it can be
shared between agent and other rust runtimes.
Fixes: #3348
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Update our containerd vendoring. In particular, we're interested in
grabbing the updated annotation definitions for defining sandbox sizing.
- go get github.com/containerd/containerd@v1.6.0-beta.4
- edit go.mod to remove containerd v1.5.8 replacement directive
- go mod vendor
- go mod tidy
Fixes: #3276
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This is a bug release from Cloud Hypervisor addressing the following
issues: 1) Don't error out when setting up the SIGWINCH handler (for
console resize) when this fails due to older kernel; 2) Seccomp rules
were refined to remove syscalls that are now unused; 3) Fix reboot on
older host kernels when SIGWINCH handler was not initialised; 4) Fix
virtio-vsock blocking issue.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v20.2Fixes: #3383
Signed-off-by: Bo Chen <chen.bo@intel.com>
Restore Debian as a rootfs.
1. revert of #3154, but some change
2. update debian version to 10.11
3. update `libstdc++-6-dev` to `libstdc++-8-dev`
4. changes discarded in QAT are not restored
Fixes: #3372
Signed-off-by: zhaojizhuang <571130360@qq.com>
SPDK vhost-user-nvme target is removed from SPDK 21.07 release since
upstreamed QEMU version does not support. Fixes this usage.
Fixes#3371
Signed-off-by: Ziye Yang <ziye.yang@intel.com>
The tokio's spawn will only create an future async task
instead of a new real thread, thus executing unshare to
create a new namespace in tokio's async task would make
the agent process to join in the new created namespace,
which isn't expected.
Thus, we'd better to to the unshare in a real thread to
prevent moving the agent process into a new namespace.
Fixes: #3369
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
For calls from shim to agent, the return error will be processed like this:
match self.do_start_container(req).await {
Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e.to_string())),
Ok(_) => Ok(Empty::new()),
}
The e.to_string() return only a part of the error(for example set by context()),
this may lead lack of information.
The `format!("{:?}", err)` will return more info.
Fixes: #3353
Signed-off-by: bin <bin@hyper.sh>
We already have a `mount_path` local Path variable which holds the mount
point.
Use it instead of creating a new `mount_point` variable with identical
type and content.
Fixes: #3332
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
The kata-monitor's Dockerfile was added by Eric Ernst on commit 2f1cb7995f
but for some reason the static checker did not catch the file misses the copyright statement
at the time it was added. But it is now complaining about it. So this assign the copyright to
him to make the static-checker happy.
Fixes#3329
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
It seems the lack of protoc in the alpine containers is causing issues
with some of our CIs, such as the VFIO one.
Fixes: #3323
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Make it clear when reading the table in the agent's "Change the agent
API" documentation that the commands in the "Generation method" column
should be run in the agent repo.
Fixes: #3317.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
All CI jobs are failing as www.gnu.org is down, so switch to a mirror
for the time being.
Fixes: #3314.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
PR #3298 failed to move the named link for the debug console to the
`guest-assets.md` meaning the debug console cells in the "User
accessible" column in the table in the "Root filesystem image" section
do not work as a link.
Fixes: #3311.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Currently QEMU's submodules are git cloned but there is the scripts/git-submodule.sh
which is meant for that. Let's use that script.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The static build of QEMU takes a good amount of time on cloning the
source tree because we do a full git clone. In order to speed up that
operation this changed the Dockerfile so that it is carried out a
partial clone by using --depth=1 argument.
Fixes#3291
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
On the last architecture committee meeting, the one held on December
14th 2021, we reached the agreement that minor releases will be cut once
every 16 weeks (instead of 12), and that patch releases will be cut
every 4 weeks (instead of 3)
Fixes: #3298
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Currently the versions.txt in rootfs-builder dir is already removed,
so avoid to copy it in list of helper files.
Fixes: #3267
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
Add span name to logging error to help with debugging when the context
is not set before the span is created.
Fixes#3289
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Commit 112ea25859 disabled libudev for static builds because it was
breaking snap. It turns out that the only users of libudev in QEMU are
qemu-pr-helper and USB. Kata already disables USB and doesn't use
qemu-pr-helper. Disable libudev for all builds if QEMU supports it, i.e.
version 5.2 or newer.
Fixes#3078
Signed-off-by: Greg Kurz <groug@kaod.org>
Move the guest assets details out of the architecture doc and into a
separate file.
Fixes: #3246.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the Kubernetes information out of the architecture doc and into a
separate file.
Partially fixes: #3246.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the networking details out of the architecture doc and into a
separate file.
Partially fixes: #3246.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the background and example command details out of the architecture
doc and into separate files.
Partially fixes: #3246.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the historical details out of the architecture doc
and into a separate file.
Partially fixes: #3246.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the architecture document into a new `docs/design/architecture/` directory
in preparation for splitting it into more manageable pieces.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Allow using `expect()` for `Mutex.lock()` because it is almost
unrecoverable if failed in the lock acquisition
Fixes: #3285
Signed-off-by: Zack <zmlcc@linux.alibaba.com>
In `utils/kata-manager.sh`, we download the first asset listed for the
release, which used to be the static x86_64 tarball. If that happened to
not match the system architecture, we would abort. Besides that logic
being invalid for !x86_64 (despite not distributing other tarballs at
the moment), the first asset listed is also not the static tarball any
more, it is the vendored source tarball. Retrieve all _static_ tarballs
and select the appropriate one depending on architecture.
Fixes: #3254
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Refresh the content and formatting of the architecture document.
Out of scope of these changes:
- Diagram updates.
- Updates to the Networking section.
Fixes: #3190.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
not clear why this was commented out before -- ensure that we set
approprate annotation on the sandbox container's annotations to indicate
this is a sandbox.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Today we assume that if the CRI/upper layer doesn't provide a container
type annotation, it should be treated as a sandbox. Up to this point, a
sandbox with a pause container in CRI context and a single container
(ala ctr run) are treated the same.
For VM sizing and container constraining, it'll be useful to know if
this is a sandbox or if this is a single container.
In updating this, we cleanup the type handling tests and we update the
containerd annotations vendoring.
Fixes: #2926
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Change io/ioutil to io/os packages because io/ioutil package
is deprecated from 1.16:
TempDir => os.MkdirTemp
Details: https://go.dev/doc/go1.16#ioutilFixes: #3265
Signed-off-by: bin <bin@hyper.sh>
since qemu 6.0, readonly flag for block devices must be enable or
disable with `on` or `off` respectively.
Signed-off-by: Julio Montes <julio.montes@intel.com>
According to https://endoflife.date/go golang 1.11.10 is not supported
anymore, 1.16.10 is the minimum supported version.
Fixes: #3265
Signed-off-by: bin <bin@hyper.sh>
This is a bug release from Cloud Hypervisor addressing the following
issues: 1) Networking performance regression with virtio-net; 2) Limit
file descriptors sent in vfio-user support; 3) Fully advertise PCI MMIO
config regions in ACPI tables; 4) Set the TSS and KVM identity maps so
they don't overlap with firmware RAM; 5) Correctly update the DeviceTree
on restore.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v20.1Fixes: #3262
Signed-off-by: Bo Chen <chen.bo@intel.com>
As containerd can properly run without having a existent
`/etc/containerd/config.toml` file (it'd run using the default
cobnfiguration), let's explicitly create the file in those cases.
This will avoid issues on ammending runtime classes to a non-existent
file.
Fixes: #3229
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Tested-by: Jakob Naucke <jakob.naucke@ibm.com>
Now if no options/arguments specified, the shell scripts will return an error:
ERROR: Invalid rootfs directory: ''
This commit will show usage if no options/arguments specified.
Fixes: #3256
Signed-off-by: bin <bin@hyper.sh>
Use the same runtime used for podman run also for the podman build cmd
Additionally remove "docker" from the docker_run_args variable
Fixes: #3239
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Unit-Test-Advice.md was moved to kata-containers repo but URLs pointing
to that document were not updated. This patch updates these URLs.
Depends-on: github.com/kata-containers/tests#4273
fixes#3240
Signed-off-by: Julio Montes <julio.montes@intel.com>
- Upgrade Alpine guest rootfs to 3.15
- Specify a minor version rather than patch level as the Alpine
repositories use that.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
#2399 partially reverted #418, missing on returning to bootstrapping a
rootfs with `apk.static` instead of copying the entire root, which can
result in drastically larger (more than 10x) images. Revert this as well
(requires some updates to URL building).
Fixes: #3216
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The help information of '-f' option is missing, and same issue
with 'BLOCK_SIZE' env variables, fix it in usage() function.
Fixes: #3231
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
Some new attributes are added to hypervisor config:
- VMStorePath
- RunStorePath
- SharedPath
These attributes should be handled in two places:
- reset when check the new hypervisor's config is suitable
to the base config.
- copy from new hypervisor's config when create new VM
Fixes: #3193
Signed-off-by: bin <bin@hyper.sh>
ppc64le & s390x have no (well supported) musl target for Rust,
therefore, the agent must use glibc and cannot use Alpine. Specify
Ubuntu as the distribution to be used for initrd.
Fixes: #3212
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
vhost-net is disabled in the rootless kata runtime feature, which has been abandoned since kata 2.0.
I reused the rootless flag for nonroot hypervisor and would like to enable vhost-net.
Fixes#3182
Signed-off-by: Feng Wang <feng.wang@databricks.com>
This PR removes the information about docker swarm and docker compose
as currently for kata 2.0 we have not support for docker swarm and docker
compose and the links and references that the document is referring are
currently not part of kata 1.0
Fixes#3174
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
In function `update_target`, if the updated source is a directory,
we should create the corresponding directory.
Fixes: #3140
Signed-off-by: bin <bin@hyper.sh>
This PR updates the comments in the configuration.toml to point to
the current kata containers repository instead of the kata 1.x.
Fixes#3163
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Currently we do not have debian as part of the kata CI as we
do not have a mantainer, this PR removes debian as a supported
rootfs in order to have only the distros that we are supporting
and mantainining.
Fixes#3153
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Wrap `nix` `Error`'s in an `anyhow` error for consistency with the way
`rustjail` handles errors.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Replace `Result` values that use a "bare" `nix` `Error` like this:
```rust
return Err(nix::Error::EINVAL.into());
```
... to the following which wraps the nix` error in an `anyhow` call for
consistency with the other errors returned by `rustjail`:
```rust
return Err(anyhow!(nix::Error::EINVAL));
```
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Remove a bare `return` from a test function. This looks wrong but isn't
because the callers are all tests that just wait for a state change
caused by this test function.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Running `cargo audit` showed that the `nix` package for the agent and
the `rustjail` and `vsock-exporter` local crates need to be updated to
resolve rust security issue
[RUSTSEC-2021-0119](https://rustsec.org/advisories/RUSTSEC-2021-0119).
Hence, bumped `nix` to the latest version (which required changes to
work with the new, simpler `errno` handling).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Run `cargo update` to update to the latest crate dependency versions.
The agent is an application so this includes expanding the partially
specified semvers to full semver values for the following crates,
which makes those crates consistent with the other agent dependencies:
- `futures`
- `regex`
- `scan_fmt`
- `tokio`
Fixes: #3124.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Remove the format specifier in the `"failed to get VFIO group"` error
returned by `vfio_device_handler()`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
- osbuilder: fix missing cpio package when building rootfs-initrd image
- osbuilder: add coreutils to guest rootfs
- workflows: only allow org members to run `/test_kata_deploy`
- agent: use temp directory for test containers
- tools/osbuilder: build QAT kernel in fedora 34
- agent: refactor find_process function and add test cases
- Hypervisor cleanup, refactoring
- agent: clear cargo test warnings
- docs: Add a code PR advice document
- tools: Automatically revert kata-deploy changes
- runtime: delete netmon
- agent: Remove some unwrap and expect calls
- agent: fixed the `make optimize` bug
- docs: make kata-deploy more visible
- workflows: Add back the checks for running test-kata-deploy
- kata-deploy: Ensure we test HEAD with `/test_kata_deploy`
- docs: update using-SPDK-vhostuser-and-kata.md
- Update k8s SR-IOV plugin environment variables to work properly with Kata
- watchers: don't dereference symlinks when copying files
- kata-deploy: Add back stable & latest tags
- agent: fix the issue of missing create a new session for container
- runtime: Update containerd to 1.5.8
- qemu: fix snap build on ppc64le
- virtcontainers: fix failing template test on ppc64le
- agent: Update README
- Remove cruft, do some simple non-functional cleanup in the runtime
- macvlan: drop bridged part of name
- clh: Fix race condition that prevent start pods
- Update CRI-O documentation
- cgroups: Fix systemd cgroup support
- runtime: merge virtcontainers/pkg/types into virtcontainers/types
- workflows: Remove non-used main.yaml
- agent/src: improve unit test coverage for src/namespace.rs
- doc: update kata metrics documentation
- runtime: delete not used codes
- versions: bump golang to 1.17.x
- release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
- agent-ctl: Allow API specification in JSON format
- virtcontainers: Lint protection types
- agent: check environment variables if empty or invalid
- runtime: Revert "runtime: use containerd package instead of cri-containerd"
- rustjail: Fix created time of container
- agent: Remove dynamic tracing APIs
- kernel: add VFIO kernel dependencies for ppc64le
- logging: Always run crate tests
8ee67aae osbuilder: fix missing cpio package when building rootfs-initrd image
f59d3ff6 osbuilder: add coreutils to guest rootfs
5e7c1a29 workflows: only allow org members to run `/test_kata_deploy`
857501d8 tools/osbuilder: build QAT kernel in fedora 34
a32e02a1 agent: use temp directory as root of test containers
f0734f52 docs: Remove extraneous whitespace
aff32756 docs: Add a code PR advice document
d41c375c docs: Add more advice to the UT advice doc
baf4f76d docs: More detail on running tests as different users
fcf45b0c docs: Use more idiomatic rust string check
9fed7d0b docs: Mention anyhow for error handling in UT doc
318b3f18 docs: No present continuous in UT advice doc
e8bb6b26 docs: Correct repo name usage
c1111a1d docs: Use leading caps for lang names in UT advice doc
597b239e docs: Remove TOC in UT advice doc
cf360fad docs: Move unit test advice doc from tests repo
bc955814 docs: Move doc requirements section higher
6a0b7165 agent: refactor find_process function and add test cases
5ba2f52c tools: Quote functions arguments in the update repos script
5dbd752f tools: Remove the check for the VERSION file
85eb743f tools: Make hub usage slightly less fragile
76540dbd tools: Automatically revert kata-deploy changes
36d73c96 tools: Do the kata-deploy changes on its own commit
c8e22daf tools: Use vars for the registry in the update repo script
ac958a30 tools: Use vars for the yaml files used in the update repo script
edca8292 tools: Rewrite the logic around kata-deploy changes
31f6c2c2 tools: Update comments about the kata-deploy yaml changes
75bb3401 shimv2/service: fix defer funtions never run with os.Exit()
bd3217da agent: Remove redundant returns
adab6434 agent: Remove some unwrap and expect calls
351cef7b agent: Remove unwrap from verify_cid()
a7d1c70c agent: Improve baremount
09abcd4d agent-ctl: Remove some unwrap and expect calls
35db75ba agent-ctl: Remove redundant returns
46e45958 agent-ctl: Simplify main
c7349d0b agent-ctl: Simplify error handling
ddc68131 runtime: delete netmon
705687dc docs: Add kata-deploy as part of the install docs
acece849 docs: Use the default notation for "Note" on install README
143fb278 kata-deploy: Use the default notation for "Note"
45d76407 kata-deploy: Don't mention arch specific binaries in the README
0c6c0735 agent: fixed the `make optimize` bug
a7c08aa4 workflows: Add back the checks for running test-kata-deploy
ce0693d6 agent: clear cargo test warnings
ce92cadc vc: hypervisor: remove setSandbox
2227c46c vc: hypervisor: use our own logger
4c2883f7 vc: hypervisor: remove dependency on persist API
34f23de5 vc: hypervisor: Remove need to get shared address from sandbox
c28e5a78 acrn: remove dependency on sandbox, persistapi datatypes
a0e0e186 hypervisors: introduce pkg to unbreak vc/persist dependency
b5dfcf26 watcher: tests: ensure there is 20ms delay between fs writes
78dff468 agent/device: Adjust PCIDEVICE_* container environment variables for VM
4530e7df agent/device: Use simpler structure in update_spec_devices()
b6062278 agent/device: Correct misleading comment on test case
89ff7000 agent/device: Remove unnecessary check for empty container_path
c855a312 agent/device: Make DevIndex local to update_spec_devices()
084538d3 agent/device: Change update_spec_device to handle multiple devices at once
d6a3ebc4 agent/device: Obtain guest major/minor numbers when creating DevNumUpdate
f4982130 agent/device: Check for conflicting device updates
f10e8c81 agent/device: Batch changes to the OCI specification
46a4020e agent/device: Types to represent update for a device in the OCI spec
e7beed54 agent/device: Remove unneeded clone() from several device handlers
2029eeeb agent/device: Improve update_spec_device() final_path handling
57541315 agent/device: Correct misleading parameter name in update_spec_device()
0c51da3d agent/device: Correct misleading error message in update_spec_device()
94b7936f agent/device: Use nix::sys::stat::{major,minor} instead of libc::*
296e76f8 watchers: handle symlinked directories, dir removal
2b6dfe41 watchers: don't dereference symlinks when copying files
3c9ae7fb kata-deploy: Ensure we test HEAD with `/test_kata_deploy`
0380b9bd runtime: Update containerd to 1.5.8
112ea258 qemu: fix snap build by disabling libudev
d5a18173 virtcontainers: fix failing template test on ppc64le
6955d144 kata-deploy: Add back stable & latest tags
bbaf57ad agent: fix the issue of missing create a new session for container
46fd5069 docs: update using-SPDK-vhostuser-and-kata.md
7e6f2b8d vc-utils: don't export unused function
860f3088 virtcontainers: move oci, uuid packages top level
8acb3a32 virtcontainers: remove unused package nsenter
4788cb82 vc-network: remove unused functions
b6ebddd7 oci: remove unused function GetContainerType
599bc0c2 agent: Update README
1e7cb4bc macvlan: drop bridged part of name
55412044 monitor: Fix monitor race condition doing hypervisor.check()
eb11d053 cri-o: Update deployment documentation
92e3a140 cri-o: Update links for the CRI-O github page
0a19340a cri-o: Remove outdated documentation
a3b3c85e workflows: Remove non-used main.yaml
09f7962f runtime: merge virtcontainers/pkg/types into virtcontainers/types
6acedc25 runtime: delete not used codes
395638c4 versions: bump golang to 1.17.x
570915a8 docs: update kata 2.0 metrics documentation
bcf181b7 cgroups: Fix systemd cgroup support
34307235 release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
6339fdd1 docs: update kata metrics architecture image
57bb7ffa agent: check environment variables if empty or invalid
8ab90e10 agent-ctl: Allow API specification in JSON format
eacfcdec runtime: Revert "runtime: use containerd package instead of cri-containerd"
e7856ff1 rustjail: Fix created time of container
b7b89905 virtcontainers: Lint protection types
7566b736 kernel: add VFIO kernel dependencies for ppc64le
87f67606 agent: Remove dynamic tracing APIs
b09dd7a8 docs: Fix typo
d47484e7 logging: Always run crate tests
5c9c0b6e build: Fix default target
b34ed403 cgroups: pass vhost-vsock device to cgroup
7362e1e8 runtime: remove prefix when cgroups are managed by systemd
1b1790fd agent/src: improve unit test coverage for src/namespace.rs
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
So that the debug console is more useful. In the meantime, remove
iptables as it is not used by kata-agent any more.
Fixes: #3138
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Let's take advantage of the "is-organization-member" action and only
allow members who are part of the `kata-containers` organization to
trigger `/test_kata_deploy`.
One caveat with this approach is that for the user to be considered as
part of an organization, they **must** have their "Organization
Visibility" configured as Public (and I think the default is Private).
This was found out and suggested by @jcvenegas!
Fixes: #3130
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kernel compiled in fedora 35 (latest) is not working, following error
is reported:
```
qemu-system-x86_64: Error loading uncompressed kernel without PVH ELF
Note
```
Build QAT kernel in fedora 34 container to fix it
fixes#3135
Signed-off-by: Julio Montes <julio.montes@intel.com>
Some tests in sandbox.rs need root user to run, because they need create
directories under /run/agent directories, actually this is a limit
that shouldn't be there. By using a temp directory for test containers
will not need run tests as root user.
Fixes: #3122
Signed-off-by: bin <bin@hyper.sh>
Kata agent logs unknown system calls given by seccomp profiles
in advance before the log file descriptor closes.
Fixes: #2957
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Rather than comparing a string to a literal in the rust example,
use `.is_empty()` as that approach is more idiomatic and preferred.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add a comment stating that `anyhow` and `thiserror` should be used in
real rust code, rather than the unwieldy default `Result` handling
shown in the example.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Change some headings to avoid using the present continuous tense which
should not be used for headings.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Use a capital letter when referring to Golang and Rust (and remove
unnecessary backticks for Rust).
> **Note:**
>
> We continue refer to "Go" as "Golang" since it's a common alias,
> but, crucially, familiarity with this name makes searching for
> information using this term possible: "Go" is too generic a word.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Unit tests necessarily need to be maintained with the code they test so
it makes sense to keep the Unit Test Advice document into the main repo
since that is where the majority of unit tests reside.
Note: The
[`Unit-Test-Advice.md` file](https://github.com/kata-containers/tests/blob/main/Unit-Test-Advice.md)
was copied from the `tests` repo when it's `HEAD` was
38855f1f40.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move the documentation requirements document link up so that it appears
immediately below the "How to Contribute" section.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
`grep`ing by a specific output, in a specific language, is quite fragile
and could easily break `hub`. For now, let's work this around following
James' suggestion of setting `LC_ALL=C LANG=C` when calling `hub`.
> **Note**: I don't think we should invest much time on fixing `hub`
> usage, as it'll be soon replaced by `gh`, see:
> https://github.com/kata-containers/kata-containers/issues/3083
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
When branching the "stable-x.y" branch, we need to do some quite
specific changes to kata-deploy / kata-cleanup files, such as:
* changing the tags from "latest" to "stable-x.y".
* removing the kata-deploy / kata-cleanup stable files.
However, after the branching is done, we need to get the `main` repo to
its original state, with the kata-deploy / kata-cleanup using the
"latest" tag, and with the stable files present there, and this commit
ensures that, during the release process, a new PR is automatically
created with these changes.
Fixes: #3069
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Rather than doing the kata-deploy changes as part of the release bump
commit, let's split those on its own changes, as it will both make the
life of the reviewer less confusing and also allows us to start
preparing the field for a possible automated revert of these changes,
whenever it becomes needed.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Similarly to what was done for the yaml files, let's use a var for
representing the registry where our images will be pushed to and avoid
repetition and too long lines.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of always writing the full path of some files, let's just create
some vars and avoid both repetition (which is quite error prone) and too
long lines (which makes the file not so easy to read).
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We can simplify the code a little bit, as at least now we group common
operationr together. Hopefully this will improve the maintainability
and the readability of the code.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The comments were mentioning kata-deploy-base files while it really
should mention kata-deploy-stable files.
While here, I've also added a missing '"' to one of the tags.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
os.Exit() will terminate program immediately, the defer functions
won't be executed, so we add defer functions again before os.Exit().
Refer to https://pkg.go.dev/os#ExitFixes: #3059
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
Replace some `unwrap()` and `expect()` calls with code to return the
error to the caller.
Fixes: #3011.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Improved the `verify_cid()` function that validates container ID's by
removing the need for an `unwrap()`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Change `baremount()` to accept `Path` values rather than string values
since:
- `Path` is more natural given the function deals with paths.
- This minimises the caller having to convert between string and `Path`
types, which simplifies the surrounding code.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Although the binary name of the shipped binary is `qemu-system-x86_64`,
and we only ship kata-deploy for `x86_64`, we better leaving the
architecture specific name out of our README file.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The unrecognized option: 'deny-warnings' args caused `make optimize` failed.
Fixed the Makefile of the agent project, make sure the `make optimize` command
execute correctly. This PR modify the rustc args from '--deny-warnings' to
'--deny warnings'.
Fixes: #3104
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Commit 3c9ae7f made /test_kata_deploy run
against HEAD, but it also mistakenly removed all the checks that ensure
/test_kata_deploy only runs when explicitly called.
Mea culpa on this, and let's add the tests back.
Fixes: #3101
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Function parameters in test config is not used. This
commit will add under score before variable name
in test config.
Fixes: #3091
Signed-off-by: bin <bin@hyper.sh>
1. use ci/go-test.sh to replace the direct call to go test
2. fix data race test
3. install hook whether it is root or not
Fixes#1494
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
This'll end up moving to hypervisors pkg, but let's stop using virtLog,
instead introduce hvLogger.
Fixes: #2884
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Today the hypervisor code in vc relies on persist pkg for two things:
1. To get the VM/run store path on the host filesystem,
2. For type definition of the Load/Save functions of the hypervisor
interface.
For (1), we can simply remove the store interface from the hypervisor
config and replace it with just the path, since this is all we really
need. When we create a NewHypervisor structure, outside of the
hypervisor, we can populate this path.
For (2), rather than have the persist pkg define the structure, let's
let the hypervisor code (soon to be pkg) define the structure. persist
API already needs to call into hypervisor anyway; let's allow us to
define the structure.
We'll probably want to look at following similar pattern for other parts
of vc that we want to make independent of the persist API.
In doing this, we started an initial hypervisors pkg, to hold these
types (avoid a circular dependency between virtcontainers and persist
pkg). Next step will be to remove all other dependencies and move the
hypervisor specific code into this pkg, and out of virtcontaienrs.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Today, acrn relies on sandbox level information, as well as a store
provided by common parts of the hypervisor. As we cleanup the
abstractions within our runtime, we need to ensure that there aren't
cross dependencies between the sandbox, the persistence logic and the
hypervisor.
Ensure that ACRN still compiles, but remove the setSandbox usage as
well as persist driver setup.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
We noticed s390x test failures on several of the watcher unit tests.
Discovered that on s390 in particular, if we update a file in quick
sucecssion, the time stampe on the file would not be unique between the
writes. Through testing, we observe that a 20 millisecond delay is very
reliable for being able to observe the timestamp update. Let's ensure we
have this delay between writes for our tests so our tests are more
reliable.
In "the real world" we'll be polling for changes every 2 seconds, and
frequency of filesystem updates will be on order of minutes and days,
rather that microseconds.
Fixes: #2946
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
The k8s SR-IOV plugin, when it assigns a VFIO device to a container, adds
an variable of the form PCIDEVICE_<identifier> to the container's
environment, so that the payload knows which device is which. The contents
of the variable gives the PCI address of the device to use.
Kata allows VFIO devices to be passed in to a Kata container, however it
runs within a VM which has a different PCI topology. In order for the
payload to find the right device, the environment variables therefore need
to be converted to list the guest PCI addresses instead of the host PCI
addresses.
fixes#2897
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_devices() takes a bunch of updates for the device entries in
the OCI spec and applies them, adjusting things in both the linux.devices
and linux.resources.devices sections of the spec.
It's important that each entry in the spec only be updated once. Currently
we ensure this by first creating an index of where the entries are, then
consulting that as we apply each update, so that earlier updates don't
cause us to incorrectly detect an entry as being relevant to a later
update. This method works, but it's quite awkward.
This inverts the loop structure in update_spec_devices() to make this
clearer. Instead of stepping through each update and finding the relevant
entries in the spec to change, we step through each entry in the spec and
find the relevant update. This makes it structurally clear that we're only
updating each entry once.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We have a test case commented as testing the case where linux.devices is
empty in the OCI spec. While it's true that linux.devices is empth in this
example, the reason it fails isn't specifically because it's empty but
because it doesn't contain a device for the update we're trying to apply.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_devices() explicitly checks for being called with an empty
container path and fails. We have a unit test to verify this behaviour.
But while an empty container_path probably does mean something has gone
wrong elsewhere, that's also true of any number of other bad paths. Having
an empty string here doesn't prevent what we're doing in this function
making sense - we can compare it to the strings in the OCI spec perfectly
well (though more likely we simply won't find it there).
So, there's no real reason to check this one particular odd case.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The DevIndex data structure keeps track of devices in the OCI
specification. We used to carry it around to quite a lot of
functions, but it's now used only within update_spec_devices(). That
means we can simplify things a bit by just open coding the maps we
need, rather than declaring a special type.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_device() adjusts the OCI spec for device differences
between the host and guest. It is called repeatedly for each device
we need to alter. These calls are now all in a single loop in
add_devices(), so it makes more sense to move the loop into a renamed
update_spec_devices() and process all the fixups in one call.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the DevNumUpdate structure is created with a path to a
device node in the VM, which is then used by update_spec_device().
However the only piece of information that update_spec_device()
actually needs is the VM side major and minor numbers for the device.
We can determine those when we create the DevNumUpdate structure.
This means we detect errors earlier and as a bonus we don't need to
make a copy of the vm path string.
Since that change requires updating 2 of the log statements, we take the
opportunity to update all the log statements to structured style.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For each device in the OCI spec we need to update it to reflect the guest
rather than the host. We do this with additional device information
provided by the runtime. There should only be one update for each device
though, if there are multiple, something has gone horribly wrong.
Detect and report this situation, for safety.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
As we process container devices in the agent, we repeatedly call
update_spec_device() to adjust the OCI spec as necessary for differences
between the host and the VM. This means that for the whole of a pretty
complex call graph, the spec is in a partially-updated state - neither
fully as it was on the host, not fully as it will be for the container
within the VM.
Worse, it's not discernable from the contents itself which parts of the
spec have already been updated and which have not. We used to have real
bugs because of this, until the DevIndex structure was introduced, but that
means a whole, fairly complex, parallel data structure needs to be passed
around this call graph just to keep track of the state we're in.
Start simplifying this by having the device handler functions not directly
update the spec, but instead return an update structure describing the
change they need. Once all the devices are added, add_devices() will
process all the updates as a batch.
Note that collecting the updates in a HashMap, rather than a simple Vec
doesn't make a lot of sense in the current code, but will reduce churn
in future changes which make use of it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently update_spec_device() takes parameters 'vm_path' and 'final_path'
to give it the information it needs to update a single device in the OCI
spec for the guest. This bundles these parameters into a single structure
type describing the updates to a single device. This doesn't accomplish
much immediately, but will allow a number of further cleanups.
At the same time we change the representation of vm_path from a Unicode
string to a std::path::Path, which is a bit more natural since we are
performing file operations on it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
virtio_blk_device_handler(), virtio_blk_ccw_device_handler() and
virtio_scsi_device_handler() all take a clone of their 'device' parameter.
They appear to do this in order to get a mutable copy in which they can
update the vm_path field.
However, the copy is dropped at the end of the function, so the only thing
that's used in it is the vm_path field passed to update_spec_device()
afterwards.
We can avoid the clone by just using a local variable for the vm_path.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_device() takes a 'final_path' parameter which gives the
name the device should be given in the "inner" OCI spec. We need this
for VFIO devices where the name the payload sees needs to match the
VM's IOMMU groups. However, in all other cases (for now, and maybe
forever), this is the same as the original 'container_path' given in
the input OCI spec. To make this clearer and simplify callers, make
this parameter an Option, and only update the device name if it is
non-None.
Additionally, update_spec_device() needs to call to_string() on
update_path to get an owned version. Rust convention[0] is to let the
caller decide whether it should copy, or just give an existing owned
version to the function. Change from &str to String to allow that; it
doesn't buy us anything right now, but will make some things a little
nicer in future.
[0] https://rust-lang.github.io/api-guidelines/flexibility.html?highlight=clone#caller-decides-where-to-copy-and-place-data-c-caller-control
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_device() takes a 'host_path' parameter which it uses to locate
the device to correct in the OCI spec. Although this will usually be the
path of the device on the host, it doesn't have to be - a traditional
runtime like runc would create a device node of that name in the container
with the given (host) major and minor numbers. To clarify that, rename it
to 'container_path'.
We also update the block comment to explain the distinctions more
carefully. Finally we update some variable names in tests to match.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This error is returned if we have information for a device from the
runtime, but a matching device does not appear in the OCI spec. However,
the name for the device we print is the name from the VM, rather than the
name from the container which is what we actually expect in the spec.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_devices() includes an unsafe block, in order to call the libc
functions to get the major and minor numbers from a device ID. However,
the nix crate already has a safe wrapper for this function, which we use in
other places in the file.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
- Even a directory could be a symlink - check for this. This is very
common when using configmaps/secrets
- Add unit test to better mimic a configmap, configmap update
- We would never remove directories before. Let's ensure that these are
added to the watched_list, and verify in unit tests
- Update unit tests which exercise maximum number of files per entry. There's a change
in behavior now that we consider directories/symlinks watchable as well.
For these tests, it means we support one less file in a watchable mount.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
The current implementation just copies the file, dereferencing any
simlinks in the process. This results in symlinks no being preserved,
and a change in layout relative to the mount that we are making
watchable.
What we want is something like "cp -d"
This isn't available in a crate, so let's go ahead and introduce a copy
function which will create a symlink with same relative path if the
source file is a symlink. Regular files are handled with the standard
fs::copy.
Introduce a unit test to verify symlinks are now handled appropriately.
Fixes: #2950
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Is the past few releases we ended up hitting issues that could be easily
avoided if `/test_kata_deploy` would use HEAD instead of a specific
tarball.
By the end of the day, we want to ensure kata-deploy works, but before
we cut a release we also want to ensure that the binaries used in that
release are in a good shape. If we don't do that we end up either
having to roll a release back, or to cut a second release in a really
short time (and that's time consuming).
Note: there's code duplication here that could and should be avoided,b
but I sincerely would prefer treating it in a different PR.
Fixes: #3001
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
While building snap, static qemu is considered. Disable libudev
as it doesn't have static libraries on most of the distros of all
archs.
Fixes: #3002
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
If a file/directory doesn't exist, os.Stat() returns an
error. Assert the returned value with os.IsNotExist() to
prevent it from failing.
Fixes: #2920
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
stable-2.3 was the first time we branched the repo since
43a72d76e2 was merged. One bit that I
didn't notice while working on this, regardless of being warned by
@amshinde (sorry!), was that the change would happen on `main` branch,
rather than on the branched `stable-2.3` one.
In my mind, the workflow was:
* we branch.
* we do the changes, including removing the files.
* we tag a release.
However, the workflow actually is:
* we do the changes, including removing the files.
* we branch.
* we tag a release.
A better way to deal with this has to be figured out before 2.4.0 is
out, but for now let's just re-add the files back.
Fixes: #3067
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Now the `wait` is passed to qmp command, even at non-server mode. This
will cause qemu return this error:
'wait' option is incompatible with socket in client connect mode
Fixes: #205
Signed-off-by: bin liu <liubin0329@gmail.com>
When the container didn't had a tty console, it would be in a same
process group with the kata-agent, which wasn't expected. Thus,
create a new session for the container process.
Fixes: #3063
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Many of these functions are just used on one place throughout the rest
of the code base. If we create hypervisor package, newtork package, etc, we may want to
parse this out.
Fixes: #3049
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This will be useful at runtime level; no need for oci or uuid to be subpkg of
virtcontainers.
While at it, ensure we run gofmt on the changed files.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Update the agent README by removing the historical details about the
conversion from golang to rust which (occurred at the start of Kata 2.x
development) and replacing it with information that developers and
testers should find more useful.
Fixes: #3056.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The fact that we need to "bridge" the endpoint is a bit irrelevant. To
be consistent with the rest of the endpoints, let's just call this
"macvlan"
Fixes: #3050
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
The thread monitor will check if the agent and the VMM are alive every
second in a blocking thread. The Cloud hypervisor API server is
single-threaded, if the monitor does a `check()`, while a slow request
is still in progress, the monitor check() method will timeout. The
monitor thread will stop all the shim-v2 execution.
This commit modifies the monitor thread to make it check the status of
the hypervisor after 5 seconds. Additionally, the `check()` method from
cloud-hypervisor will use the method `clh.isClhRunning(timeout)` with a
10 seconds timeout. The monitor function does no timeout, so even if
`hypervisor.check()` takes more 10 seconds, the isClhRunning method
handles errors doing a VmmPing and retry in case of errors until the
timeout is reached.
Reduce the time to the next check to 5 should not affect any functionality,
but it will reduce the overhead polling the hypervisor.
Fixes: #2777
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
CRI-O deployment documentation was quite outdated, giving info from the
`1.x` era. Let's update this to reflect what we currently have.
Fixes: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The links are either pointing to the not-used-anymore `master` branch,
or to the kubernetes-incubator page.
Let's always point to the CRI-O github page, using the `main`branch.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Although the documentation removed is correct, it's not relevant to the
current supported versions of CRI-O.
Related: #2498
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The main.yaml workflow was created and used only on 1.x. We inherited
it, but we didn't remove it after deprecating the 1.x repos.
While here, let's also update the reference to the `main.yaml` file,
and point to `release.yaml` (the file that's actually used for 2.x).
Fixes: #3033
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There are two types packages under virtcontainers, and the
virtcontainers/pkg/types has a few codes, merging them into
one can make it easy for outstanding and using types package.
Fixes: #3031
Signed-off-by: bin <bin@hyper.sh>
According to https://endoflife.date/go golang 1.15 is not supported
anymore. Let's remove it from out tests, add 1.17.x, and bump the
newest version known to work when building kata to 1.17.3.
Fixes: #3016
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We now support any container engine CRI compliant in kata-monitor.
Update documentation to reflect it.
Fixes: #980
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
As github.com/containerd/cgroups doesn't support scope
units which are essential in some cases lets create
the cgroups manually and load it trough the cgroups
api
This is currently done only when there's single sandbox
cgroup (sandbox_cgroup_only=true), otherwise we set it
as static cgroup path as it used to be (until a proper
soultion for overhead cgroup under systemd will be
suggested)
Fixes: #2868
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
We need to explicitly call `${GOPATH}/bin/yq` that is installed by
`ci/install_yq.sh`.
Fixes: #3014
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
We now support any CRI container engine in kata-monitor, notably CRI-O.
Add both containerd and CRI-O in the kata metrics architecture image.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Update the `agent-ctl` tool to allow API fields to be specified in JSON
format, either directly on the command-line, or via a file URI.
This feature is made possible by enabling `serde` support in the agent
`protocols` crate. Careful use of the `serde` macros allows the
`agent-ctl` tool to accept _partially_ specified API objects in JSON
format; fields that are not specified are set to the default value for
their respective types.
`build.rs` changes based on work by Fupan.
Fixes: #2978.
Contributions-by: Fupan Li <lifupan@gmail.com>
Contributions-by: Bin Liu <bin@hyper.sh>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This reverts commit 76f16fd1a7 to bring
back cri-containerd crioptions parsing so that kata works with older
containerd versions like v1.3.9 and v1.4.6.
Fixes: #2999
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Protection types like tdxProtection or seProtection were marked nolint,
remove this. As a side effect, ARM needs dummy tests for these.
Fixes: #2801
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
If Kata agent cannot resolve the system calls given by seccomp profiles,
the agent ignores the system calls and continues to run without an error.
Fixes: #2957
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
- runtime# make sure the "Shutdown" trace span have a correct end
- tracing: Accept multiple dynamic tags
- logging: Enable agent debug output for release builds
- agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
- runtime: Enhancement for Makefile
- osbuilder: build image-builder image from Fedora 34
- agent: refactor process IO processing
- agent-ctl: Update for Hybrid VSOCK
- docs: Fix outdated links
- ci/install_libseccomp: Fix libseccomp build and misc improvement
- virtcontainers: simplify read-only mount handling
- runtime: add fast-test to let test exit on error
- test: Fix random failure for TestIoCopy
- cli: Show available guest protection in env output
- Update k8s, critools, and CRI-O to their 1.22 release
- package: assign proper value to redefined_string in build-kernel.sh
- agent: Make wording of error message match CRI-O test suite
- docs: Moving from EOT to EOF
- virtcontainers: api: update the functions in the api.md docs
- release: Upload libseccomp sources with notice to release page
- virtcontainers: check that both initrd and image are not set
- agent: Fix the configuration sample file
- runtime: set tags for trace span
- agent-ctl: Implement Linux OCI spec handling
- runtime: Remove comments about unsupported features in config for clh
- tools/packaging: Add options for VFIO to guest kernel
- agent/runtime: Add seccomp feature
- ci: test-kata-deploy: Get rid of slash-command-action action
- This is to bump the OOT QAT 1.7 driver version to the latest version.…
- forwarder: Drop privileges when using hybrid VSOCK
- packaging/static-build: s390x fixes
- agent-ctl: improve the oci_to_grpc code
- agent: do not return error but print it if task wait failed
- virtcontainers: delete duplicated notify in watchHypervisor function
- agent: Handle uevent remove actions
- enable unit test on arm
- rustjail: Consistent coding style of LinuxDevice type
- cli: Fix outdated kata-runtime bash completion
- Allow VFIO devices to be used as VFIO devices in the container
- Expose top level hypervisor methods -
- Upgrade to Cloud Hypervisor v19.0
- docs: use-cases: Update Intel SGX use case
- virtcontainers: clh: Enable the `seccomp` feature
- runtime: delete cri containerd plugin from versions.yaml
- docs: Write tracing documentation
- runtime: delete useless src/runtime/cli/exit.go
- snap: add cloud-hypervisor and experimental kernel
- osbuilder: Call detect_rust_version() right before install_rust.sh
- docs: Updating Developer Guide re qemu-img
- versions: Add libseccomp and gperf version
- Enable agent tracing for hybrid VSOCK hypervisors
- runtime: optimize test code
- runtime: use containerd package instead of cri-containerd
- runtime: update sandbox root dir cleanup behavior in rootless hypervisor
- utils: kata-manager: Update kata-manager.sh for new containerd config
- osbuilder: Re-enable building the agent in Docker
- agent: Do not fail when trying to adding existing routes
- tracing: Fix typo in "package" tag name
- kata-deploy: add .dockerignore file
- runtime: change name in config settings back to "kata"
- tracing: Remove trace mode and trace type
09d5d88 runtime: tracing: Change method for adding tags
bcf3e82 logging: Enable agent debug output for release builds
a239a38 osbuilder: build image-builder image from Fedora 34
375ad2b runtime: Enhancement for Makefile
b468dc5 agent: Use dup3 system call in unit tests of seccomp
1aaa059 agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
1e331f7 agent: refactor process IO processing
9d3ec58 runtime: make sure the "Shutdown" trace span have a correct end
3f21af9 runtime: add fast-test to let test exit on error
9b270d7 ci/install_libseccomp: use a temporary work directory
98b4406 ci/install_libseccomp: Fix fail when DESTDIR is set
338ac87 virtcontainers: api: update the functions in the api.md docs
23496f9 release: Upload libseccomp sources with notice to release page
e610fc8 runtime: Remove comments about unsupported features in config for clh
7e40195 agent-ctl: Add stub for AddSwap API
82de838 agent-ctl: Update for Hybrid VSOCK
d1bcf10 forwarder: Remove quotes from socket path in doc
e66d047 virtcontainers: simplify read-only mount handling
bdf4824 tools/packaging: Add options for VFIO to guest kernel
c509a20 agent-ctl: Implement Linux OCI spec handling
42add7f agent: Disable seccomp feature on aarch64 temporarily
5dfedc2 docs: Add explanation about seccomp
45e7c2c static-checks: Add step for installing libseccomp
a3647e3 osbuilder: Set up libseccomp library
3be50ad agent: Add support for Seccomp
4280415 agent: Fix the configuration sample file
b0bc71f ci: test-kata-deploy: Get rid of slash-command-action action
309dae6 virtcontainers: check that both initrd and image are not set
a10cfff forwarder: Fix changing log level
6abccb9 forwarder: Drop privileges when using hybrid VSOCK
bf00b8d agent-ctl: improve the oci_to_grpc code
b67fa9e forwarder: Make explicit root check
e377578 forwarder: Fix docs socket path
5f30633 virtcontainers: delete duplicated notify in watchHypervisor function
5f5eca6 agent: do not return error but print it if task wait failed
d2a7b6f packaging/static-build: s390x fixes
6cc8000 cli: Show available guest protection in env output
2063b13 virtcontainers: Add func AvailableGuestProtections
a13e2f7 agent: Handle uevent remove actions
34273da runtime/device: Allow VFIO devices to be presented to guest as VFIO devices
68696e0 runtime: Add parameter to constrainGRPCSpec to control VFIO handling
d9e2e9e runtime: Rename constraintGRPCSpec to improve grammar
57ab408 runtime: Introduce "vfio_mode" config variable and annotation
730b9c4 agent/device: Create device nodes for VFIO devices
175f9b0 rustjail: Allow container devices in subdirectories
9891efc rustjail: Correct sanity checks on device path
d6b62c0 rustjail: Change mknod_dev() and bind_dev() to take relative device path
2680c0b rustjail: Provide useful context on device node creation errors
42b92b2 agent/device: Allow container devname to differ from the host
827a41f agent/device: Refactor update_spec_device_list()
8ceadcc agent/device: Sanity check guest IOMMU groups
ff59db7 agent/device: Add function to get IOMMU group for a PCI device
13b06a3 agent/device: Rebind VFIO devices to VFIO driver inside guest
e22bd78 agent/device: Add helper function for binding a guest device to a driver
b40eedc rustjail: Consistent coding style of LinuxDevice type
57c0f93 agent: fix race condition when test watcher
1a96b8b template: disable template unit test on arm
43b13a4 runtime: DefaultMaxVCPUs should not greater than defaultMaxQemuVCPUs
c59c367 runtime: current vcpu number should be limited
fa92251 runtime: kernel version with '+' as suffix panic in parse
52268d0 hypervisor: Expose the hypervisor itself
a72bed5 hypervisor: update tests based on createSandbox->CreateVM change
f434bcb hypervisor: createSandbox is CreateVM
76f1ce9 hypervisor: startSandbox is StartVM
fd24a69 hypervisor: waitSandbox is waitVM
a6385c8 hypervisor: stopSandbox is StopVM
f989078 hypervisor: resumeSandbox is ResumeVM
73b4f27 hypervisor: saveSandbox is SaveVM
7308610 hypervisor: pauseSandbox is nothing but PauseVM
8f78e1c hypervisor: The SandboxConsole is the VM's console
4d47aee hypervisor: Export generic interface methods
6baf258 hypervisor: Minimal exports of generic hypervisor internal fields
37fa453 osbuilder: Update QAT driver in Dockerfile
8030b6c virtcontainers: clh: Re-generate the client code
8296754 versions: Upgrade to Cloud Hypervisor v19.0
2b13944 docs: Fix outdated links
4f75ccb docs: use-cases: Update Intel SGX use case
4f018b5 runtime: delete useless src/runtime/cli/exit.go
7a80aeb docs: Moving from EOT to EOF
09a5e03 docs: Write tracing documentation
b625f62 runtime: delete cri containerd plugin from versions.yaml
24fff57 snap: make curl commands consistent
2b9f79c snap: add cloud-hypervisor and experimental kernel
273a1a9 runtime: optimize test code
76f16fd runtime: use containerd package instead of cri-containerd
6d55b1b docs: use containerd to replace cri-containerd
ed02bc9 packaging: add containerd to versions.yaml
50da26d osbuilder: Call detect_rust_version() right before install_rust.sh
b4fadc9 docs: Updating Developer Guide re qemu-img
b8e69ce versions: Add libseccomp and gperf version
17a8c5c runtime: Fix random failure for TestIoCopy
f34f67d osbuilder: Specify version when installing Rust
135a080 osbuilder: Pass CI env to container agent build
eb5dd76 osbuilder: Re-enable building the agent in Docker
bcffa26 tracing: Fix typo in "package" tag name
e61f5e2 runtime: Show socket path in kata-env output
5b3a349 trace-forwarder: Support Hybrid VSOCK
e42bc05 kata-deploy: add .dockerignore file
321be0f tracing: Remove trace mode and trace type
7d0b616 agent: Do not fail when trying to adding existing routes
3f95469 runtime: logging: Add variable for syslog tag
adc9e0b runtime: fix two bugs in rootless hypervisor
51cbe14 runtime: Add option "disable_seccomp" to config hypervisor.clh
98b7350 virtcontainers: clh: Enable the `seccomp` feature
46720c6 runtime: set tags for trace span
d789b42 package: assign proper value to redefined_string
4d7ddff utils: kata-manager: Update kata-manager.sh for new containerd config
f5172d1 cli: Fix outdated kata-runtime bash completion
d45c86d versions: Update CRI-O to its 1.22 release
c4a6426 versions: Update k8s & critools to v1.22
881b996 agent: Make wording of error message match CRI-O test suite
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
- Add support for legacy serial device
- Additionally add support for the file backend for chardev
Legacy serial plus char backend file will allow us to support
capture early boot messages.
Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Upgrade from v0.20.0 to v1.0.0, first stable release.
Git log
4bfa0034 Release prep v1.0.0-RC3 (2218)
c7ae470a Refactor SDK span creation and implementation (2213)
db317fce Verify and update OTLP trace exporter documentation (2053)
04de34a2 Update the website getting started docs (2203)
a7b9d021 Rename metric instruments to match feature-freeze API specification (2202)
1f527a52 Update trace API config creation functions (2212)
361a2096 Fix RC2 header in changelog (2215)
e209ee75 chore(exporter/zipkin): improves logging on invalid collector. (2191)
c0c5ef65 Fix typos in resource.go. (2201)
abf6afe0 Update otel example guide (2210)
3b05ba02 Bump actions/setup-go from 2.1.3 to 2.1.4 (2206)
bcd7ff7b Bump codecov/codecov-action from 2.0.2 to 2.0.3 (2205)
c912b179 Print JSON objects to stdout without a wrapping array (2196)
add511c1 Make WithoutTimestamps work (2195)
85c27e01 Bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 in /internal/tools (2199)
bf6500b3 Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /exporters/otlp/otlptrace (2184)
9392af96 Bump google.golang.org/grpc in /exporters/otlp/otlptrace/otlptracegrpc (2185)
c95694dc Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /example/otel-collector (2183)
0528fa66 Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /exporters/otlp/otlpmetric (2186)
3a26ed21 Deprecate the oteltest package (2188)
c885435f Website: support GH page links to canonical src (2189)
6da20a27 Add cross-module test coverage (2182)
dfc866bd Support capturing stack trace (2163)
41588fea Deprecate the attribute.Any function (2181)
4e8d667f Support a single Resource per MeterProvider in the SDK (2120)
a8bb0bf8 Make the tracetest.SpanRecorder concurrent safe (2178)
87d09df3 Deprecate Array attribute in favor of *Slice types (2162)
df384a9a Move InstrumentKind into the new metric/sdkapi package (2091)
1cb5cdca Unify the OTLP attribute transform (2170)
a882ee37 Clarify the attribute package documentation and order/grouping (2168)
5d25c4d2 Add support for int32 in attribute.Any (2169)
2b0e139e Refactor attributes benchmark tests (2167)
4c7470d9 Bump google.golang.org/grpc from 1.39.0 to 1.39.1 in /exporters/otlp/otlptrace (2176)
990c534a Bump google.golang.org/grpc in /example/otel-collector (2172)
b45c9d31 Bump google.golang.org/grpc from 1.39.0 to 1.39.1 in /exporters/otlp/otlpmetric (2174)
a3d4ff5c Deprecated the bridge/opencensus/utils package (2166)
b1d1d529 Move OC bridge integration tests to own mod (2165)
89a9489c Add OC bridge internal unit tests (2164)
56c743ba Allow global ErrorHandler to be set multiple times (2160)
d18c135f Add OpenCensus bridge internal package (2146)
fcf945a4 Just a little typo fix in code documentation. (2159)
59a82eba Update version.go (2157)
21d4686f Add ErrorHandlerFunc to simplify creating ErrorHandlers (2149)
23cb9396 Remove `internal/semconv-gen` (2155)
39acab32 Fix code sample in otel.GetTraceProvider (2147)
2b1bb29e Update OpenCensus bridge docs with limitations (2145)
fd7c327b Fix Jaeger exporter agent port default value and docs (2131)
b8561785 fix(2138): add guard to constructOTResources to return an empty resource (2139)
11f62640 Add a SpanRecorder to the sdk/trace/tracetest (2132)
fd9de7ec rename assertsocketbuffersize.go to *_test (2136)
a6b4d90c nit doc fix (2135)
79398418 pre-release v1.0.0-RC2 (2133)
2501e0fd Use semconv.SchemaURL in STDOUT exporter example (2134)
ef03dbc9 Bump codecov/codecov-action from 1 to 2.0.2 (2129)
bbe6ca40 Deprecate oteltest.Harness for removal (2123)
7a624ac2 Deprecated the oteltest.TraceStateFromKeyValues function (2122)
ece1879f Removed dropped link's attributes field from API package (2118)
03902d98 Rename sdk/trace/tracetest test.go -> exporter.go (2128)
cb607b0a Unify OTLP exporter retry logic (2095)
abe22437 API: create new linked span from current context (2115)
db81d4aa Update internal/global/trace testing (2111)
7f10ef72 Remove propagation testing types from oteltest (2116)
25d739b0 Remove resource.WithBuiltinDetectors() which has not been maintained (2097)
d57c5a56 Remove several metrics test helpers (2105)
49359495 Simplify trace_context tests (2108)
56d42011 Simplify trace context benchmark test (2109)
63dfe64a Correct status transform in OTLP exporter (2102)
9b1a5f70 Performance improvement: avoid creating multiple same read-only objects (2104)
ab78dbd0 Update release URL (2106)
647af3a0 Pre release experimental metrics v0.22.0 (2101)
0a562337 Fixed OS type value for DragonFly BSD (2092)
62c21ffb Bump golang.org/x/tools from 0.1.4 to 0.1.5 in /internal/tools (2096)
4a3da55a Ensure sample code in website_docs getting started page works (2094)
d3063a3d Update otel.Meter to global.Meter in Getting Started Document.(2087) (2093)
00a1ec5f Add documentation guidelines and improve Jaeger exporter readme (2082)
12f737c7 oteltest: ensure valid SpanContext created for span started WithNewRoot (2073)
484258eb OS description attribute detector (1840)
d8c9a955 Bump google.golang.org/grpc from 1.38.0 to 1.39.0 in /example/otel-collector (2054)
4ffdf034 Add @pellard as an Approver (2047)
1a74b399 Bump google.golang.org/protobuf from 1.26.0 to 1.27.0 in /exporters/otlp/otlpmetric (2040)
57c2e8fb Bump golang.org/x/tools from 0.1.3 to 0.1.4 in /internal/tools (2036)
7cff31a9 Bump google.golang.org/protobuf from 1.26.0 to 1.27.0 in /exporters/otlp/otlptrace (2035)
9e8f523d when using WithNewRoot, don't use the parent context for sampling (2032)
62af6c70 semconv-gen: fix capitalization at word boundaries, add stability/deprecation indicators (2033)
0bceed7e Fix docs on otel-collector example (2034)
6428cd69 Update doc.go (2030)
311a6396 fix documentation for trace.Status (2029)
16f83ce6 export ToZipkinSpanModels for use outside this library (2027)
d5d4c87f Add HTTP metrics exporter for OTLP (2022)
d6e8f60f Bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 in /internal/tools (2023)
51dbe3cb Remove deprecated exporters (2020)
257ef7fc Update project status in README (2017)
ced177b7 Pre-release 1.0.0-RC1 (2013)
694c9a41 Interface stability documentation (2012)
39fe8092 Add span.TracerProvider() (2009)
d020e1a2 Add more tests for go.opentelemetry.io/otel/trace package. (2004)
6d4a38f1 replace WithSyncer with WithBatcher in opencensus example (2007)
c30cd1d0 Split stdout exporter into stdouttrace and stdoutmetric (2005)
80ca2b1e otlp: mark unix endpoints to work without transport security (2001)
65140985 Update codecov ignore (2006)
3be9813d Deprecate the exporters in the "trace" and "metric" sub-directories (1993)
377f7ce4 remove WithTrace* options from otlptrace exporters (1997)
b33edaa5 OTLP metrics gRPC exporter (1991)
64b640cc Remove old OTLP exporter (1990)
7728a521 Remove dependency on metrics packages (1988)
135ac4b6 Moved internal/tools duplicated findRepoRoot function to common package (1978)
cdf67ddf Update semantic conventions to v1.4.0, move to versioned package (1987)
4883cb11 Refactor exporter creation functions (1985)
87cc1e1f Test BatchSpanProcessor export timeout directly (1982)
7ffe2845 Added inputPath validation to semconv-gen (1986)
a113856a Add caveat about installing opencensus bridge (1983)
741cb9a3 Fix generator.go call typo in RELEASING.md (1977)
7a0cee7b Replaces golint by revive and fix newly reported linter issues (1946)
46d9687a Add Schema URL support to Resource (1938)
0827aa62 Use mock server as jaeger agent listener. (1930)
20886012 Bugfix jaeger exporter test panic (1973)
4bf6150f Add baggage implementation based on the W3C and OpenTelemetry specification (1967)
bbe2b8a3 Bump github.com/itchyny/gojq from 0.12.3 to 0.12.4 in /internal/tools (1971)
4949bf05 Bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 in /exporters/otlp/otlptrace (1972)
015b4c17 Bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 in /exporters/otlp (1970)
13eb12ac Bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 in /exporters/metric/prometheus (1974)
2371bb0a add otlp trace http exporter (1963)
a75ade4e sdk/resource: honor OTEL_SERVICE_NAME in fromEnv resource detector (1969)
aed45802 Bump go.opentelemetry.io/proto/otlp from 0.8.0 to 0.9.0 in /exporters/otlp/otlptrace (1959)
c4ebae6a Bump go.opentelemetry.io/proto/otlp (1960)
b1d2be3b Bump google.golang.org/grpc from 1.37.1 to 1.38.0 in /exporters/otlp/otlptrace (1958)
f6daea5e Generate semantic conventions according to specification latest tagged version (1933)
435a63b3 Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (1954)
6c46af66 Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 in /exporters/trace/jaeger (1953)
4d294853 Bump actions/cache from 2.1.5 to 2.1.6 (1952)
dfe2b6f1 OTLP trace gRPC exporter (1922)
5a8f7ff7 Bump go.opentelemetry.io/proto/otlp from 0.8.0 to 0.9.0 in /exporters/otlp (1943)
bd935866 Add schema URL support to Tracer (1889)
c1f460e0 Update API configs. (1921)
270cc603 Small fixes on some Span method's documentation headers (1950)
8603b902 Fix typo in doc (1949)
acbb1882 Bump google.golang.org/grpc from 1.37.1 to 1.38.0 in /exporters/otlp (1942)
b1621501 Add codecov badge (1940)
ea1434c3 Fix some golint issues (1947)
0eeb8f87 Refactor Tracestate (1931)
d3b12808 Add Passthrough example (1912)
f06cace6 Add @MadVikingGod as a project Approver (1923)
ab5facb3 Bump github.com/golangci/golangci-lint in /internal/tools (1925)
d23cc61b Refactor configs (1882)
6324adaa Add tracer option argument to global Tracer function (1902)
035fc650 Do not include authentication information in the http.url attribute (1919)
d8ac212c Fix sporadic test failure in otlp exporter http driver (1906)
a3df00f4 Create .gitattributes (1920)
fb88e926 Bump google.golang.org/grpc from 1.37.0 to 1.37.1 in /exporters/otlp (1914)
1982dc46 Bump google.golang.org/grpc in /example/prom-collector (1915)
1759c630 Bump github.com/golangci/golangci-lint in /internal/tools (1916)
7342aa47 Bump google.golang.org/grpc in /example/otel-collector (1913)
21c16418 Add support for scheme in OTEL_EXPORTER_OTLP_ENDPOINT (1886)
5cb62636 Semantic Convention generation tooling (1891)
6219221f Move the unit package to the metric module (1903)
63e0ecfc Implement global default non-recording span (1901)
b6d5442f Remove the Tracer method from the Span API (1900)
ae85fab3 Document functional options (1899)
cabf0c07 Fix default Jaeger collector endpoint (1898)
1e3fa3a3 Bump go.opentelemetry.io/proto/otlp from 0.7.0 to 0.8.0 in /exporters/otlp (1872)
696af787 Bump github.com/benbjohnson/clock from 1.0.3 to 1.1.0 in /sdk/metric (1532)
97eea6c3 Fix some golint issues (1894)
79d9852e fix container port mismatch issue (1895)
d20e7228 CI builds validate against last two versions of Go, dropping 1.14 and adding 1.16 (1865)
cbcd4b1a Redefine ExportSpans of SpanExporter with ReadOnlySpan (1873)
c99d5e99 Split large jaeger span batch to admire the udp packet size limit (1853)
42a84509 Unembed SpanContext (1877)
b7d02db1 Add Status type to SDK (1874)
f90d0d93 Update README (1876)
a1349944 Update resource.go (1871)
f40cad5e Add markdown link check configuration and action (1869)
9bc28f6b Fix existing markdown lint issues (1866)
08f4c270 Add documentation for tracer.Start() (1864)
2bd4840c remove Set.Encoded(Encoder) enconding cache (1855)
7674eebf Removed different types of Detectors for Resources. (1810)
f92a6d83 Implement retry policy for the OTLP/gRPC exporter (1832)
ec75390f Fix BSP context done tests (1863)
8e55f10a Move the Event type from the API to the SDK (1846)
e399d355 drop failed to exporter batches and return error when forcing flush a span processor (1860)
f6a9279a Honor context deadline or cancellation in SimpleSpanProcessor.Shutdown (1856)
aeef8e00 Add markdown lint GitHub action (1849)
d4c8ffad Replace spaces to tabs in Go code snippets (1854)
cb097250 fixed typo (1857)
392a44fa Refine configuration design docs (1841)
62cd933d Handle Resource env error when non-nil (1851)
24a91628 Document the SSP is not for production use (1844)
ec26ac23 Update RELEASING.md (1843)
8eb0bb99 Fix golint issue caused by typo (1847)
ca130e54 Markdownlint (1842)
1144a83d Small typo fixes to existing CHANGELOG entries (1839)
e6086958 Update website_docs to v0.20.0 (1838)
0f4e454c Change NewSplitDriver paramater and initialization (1798)
92551d39 Prerelease v1.0.0 (2250)
61839133 zipkin: remove no-op WithSDKOptions (2248)
568e7556 Set Schema URL when exporting traces to OTLP (2242)
ec26b556 Fix RC tags in docs (2239)
767ce26c Bump github.com/itchyny/gojq from 0.12.4 to 0.12.5 in /internal/tools (2216)
fe7058da adding NewNoopMeterProvider to follow trace api (2237)
c338a5ef Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 in /internal/tools (2236)
ef126f5c Remove deprecated Array from attribute package (2235)
360d1302 Add tests for nil *Resource (2227)
9e7812d1 Remove the deprecated oteltest package (2234)
486afd34 Remove the deprecated bridge/opencensus/utils pkg (2233)
eaacfaa8 Fix slice-valued attributes when used as map keys (2223)
df2bdbba Fix the import comments of otelpconfig (2224)
7aae2a02 otlptrace: Document supported environment variables (2222)
Fixes#2591
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Update OpenTelemetry from v0.15.0 to v0.20.0.
Git log
02d8bdd5 Release v0.20.0 (1837)
aa66fe75 OS and Process resource detectors (1788)
7374d679 Fix Links documents (1835)
856f5b84 Add feature request issue template (1831)
0fdc3d78 Remove bundler from Jaeger exporter (1830)
738ef11e Fix flaky global ErrorHandler delegation test (1829)
e43d9c00 Update Default Value for Jaeger Exporter Endpoint (1824)
0032bd64 Fix default merging of resource attributes from environment variable (1785)
96c5e4ba Add SpanProcessor example for Span annotation on start (1733)
543c8144 Remove the WithSDKOptions from the Jaeger exporter (1825)
66389ad6 Update function docs in sdk.go (1826)
70bc9eb3 Adds support for timeout on the otlp/gRPC exporter (1821)
081cc61d Update Jaeger exporter convenience functions (1822)
1b9f16d3 Remove the WithDisabled option from Jaeger exporter (1806)
6867faa0 Bump actions/cache from v2.1.4 to v2.1.5 (1818)
a2bf04dc Build context pipeline in Jaeger upload process (1809)
2de86f23 Remove locking from Jaeger exporter shutdown/export (1807)
4f9fec29 Add ExportSpans benchmark to Jaeger exporter (1805)
d9566abe Fix OTLP testing flake: signal connection from mock collector (1816)
a2cecb6e add support for env var configuration to otlp/gRPC (1811)
d616df61 Fix flaky OTLP exporter reconnect test (1814)
b09df84a Changes stdout to expose the `*sdktrace.TracerProvider` (1800)
04890608 Remove options field from Jaeger exporter (1808)
6db20e00 Remove the abandoned Process struct in Jaeger exporter (1804)
086abf34 docs: use test example to document prometheus.InstallNewPipeline (1796)
d0cea04b Bump google.golang.org/api from 0.43.0 to 0.44.0 in /exporters/trace/jaeger (1792)
99c477fe Fixed typo for default service name in Jaeger Exporter (1797)
95fd8f50 Bump google.golang.org/grpc from 1.36.1 to 1.37.0 in /exporters/otlp (1791)
9b251644 Zipkin Exporter: Use default resouce's serviceName as default serivce name (1777) (1786)
4d141e47 Add k8s.node.name and k8s.node.uid to semconv (1789)
5c99a34c Fix golint issue caused by incorrect comment (1795)
c5d006c0 Update Jaeger environment variables (1752)
58432808 add NewExportPipeline and InstallNewPipeline for otlp (1373)
7d8e6bd7 Zipkin Exporter: Adjust span transformation to comply with the spec (1688)
2817c091 Merge sdk/export/trace into sdk/trace (1778)
c61e654c Refactor prometheus exporter tests to match file headers as well (1470)
23422c56 Remove process config for Jaeger exporter (1776)
0d49b592 Add test to check bsp ignores `OnEnd` and `ForceFlush` post Shutdown` (1772)
e9aaa04b Record links/events attribute drops independently (1771)
5bbfc22c Make ExportSpans for Jaeger Exporter honor deadline (1773)
0786fe32 Add Bug report issue templates (1775)
3c7facee Add `ExportTimeout` option to batch span processor (1755)
c6b92d5b Make TraceFlags spec-compliant (1770)
ee687ca5 Bump github.com/itchyny/gojq from 0.12.2 to 0.12.3 in /internal/tools (1774)
52a24774 add support for configuring tls certs via env var to otlp/HTTP (1769)
35cfbc7e Update precedence of event name in Jaeger exporter (1768)
33699d24 Adds semantic conventions for exceptions (1492)
928e3c38 Modify ForceFlush to abort after timeout/cancellation (1757)
3947cab4 Fix testCollectorEndpoint typo and add tag assertions in jaeger_test (1753)
ecc635dc add website docs (1747)
07a8d195 Fix Jaeger span status reporting and unify tag keys (1761)
4fa35c90 add partial support for env var config to otlp/HTTP (1758)
bf180d0f improve OTLP/gRPC connection errors (1737)
d575865b Fix span IsRecording when not sampling (1750)
20c93b01 Update SamplingParameters (1749)
97501a3f Update SpanSnapshot to use parent SpanContext (1748)
604b05cb Store current Span instead of local and remote SpanContext in context.Context (1731)
c61f4b6d Set @lizthegrey to emeritus status (1745)
b1342fec Bump github.com/golangci/golangci-lint in /internal/tools (1743)
54e1bd19 Bump google.golang.org/api from 0.41.0 to 0.43.0 in /exporters/trace/jaeger (1741)
4d25b6a2 Bump github.com/prometheus/client_golang from 1.9.0 to 1.10.0 in /exporters/metric/prometheus (1740)
0a47b66f Bump google.golang.org/grpc from 1.36.0 to 1.36.1 in /exporters/otlp (1739)
26f006b8 Reinstate @paivagustavo as an Approver (1734)
382c7ced Remove hasRemoteParent field from SDK span (1728)
862a5a68 Remove setting error status while recording error with Span from oteltest package (1729)
6defcfdf Remove links on NewRoot spans (1726)
a9b2f851 upgrade thrift to v0.14.1 in jaeger exporter (1712)
5a6a854d Bump google.golang.org/protobuf from 1.25.0 to 1.26.0 in /exporters/otlp (1724)
23486213 Migrate to using go.opentelemetry.io/proto/otlp (1713)
5d559b40 Remove makeSamplingDecision func (1711)
e24702da Update the TraceContext.Extract docs (1720)
9d4eb1f6 Update dates in CHANGELOG.md for 2021 releases (1723)
2b4fa968 Release v0.19.0 (1710)
4beb7041 sdk/trace: removing ApplyConfig and Config (1693)
1d42be16 Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (1702)
860d5d86 Add flag to determine whether SpanContext is remote (1701)
0fe65e6b Comply with OpenTelemetry attributes specification (1703)
88884351 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (1700)
345f264a breaking(zipkin): removes servicName from zipkin exporter. (1697)
62cbf0f2 Populate Jaeger's Span.Process from Resource (1673)
28eaaa9a Add a test to prove the Tracer is safe for concurrent calls (1665)
8b1be11a Rename resource pkg label vars and methods (1692)
a1539d44 OpenCensus metric exporter bridge (1444)
77aa218d Fix issue #1490, apply same logic as in the SDK (1687)
9d3416cc Fix synchronization issues in global trace delegate implementation (1686)
58f69f09 Span status from HTTP code: Do not set status message if it can be inferred (1681)
9c305bde Flush metric events prior to shutdown in OTLP example (1678)
66b1135a Fix CHANGELOG (1680)
90bd4ab5 Update employer information for maintainers (1683)
36841913 Remove WithRecord() option from trace.SpanOption when starting a span (1660)
65c7de20 Remove trace prefix from NoOp src files. (1679)
e88a091a Make SpanContext Immutable (1573)
d75e2680 Avoid overriding configuration of tracer provider (1633)
2b4d5ac3 Bump github.com/golangci/golangci-lint in /internal/tools (1671)
150b868d Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (1667)
76aa924e Fix the examples target info messaging (1676)
a3aa9fda Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (1672)
a5edd79e Removed setting error status while recording err as span event (1663)
e9814758 chore(zipkin): improves zipkin example to not to depend on timeouts. (1566)
3dc91f2d Add ForceFlush method to TracerProvider (1608)
bd0bba43 exporter: swap pusher for exporter (1656)
56904859 Update the SimpleSpanProcessor (1612)
a7f7abac SpanStatus description set only when status code is set to Error (1662)
05252f40 Jaeger Exporter: Fix minor mapping discrepancies (1626)
238e7c61 Add non-empty string check for attribute keys (1659)
e9b9aca8 Add tests for propagation of Sampler Tracestate changes (1655)
875a2583 Add docs on when reviews should be cleared (1556)
7153ef2d Add HTTP/JSON to the otlp exporter (1586)
62e2a0f7 Unexport the simple and batch SpanProcessors (1638)
992837f1 Add TracerProvider tests to oteltest harness (1607)
bb4c297e Pre release v0.18.0 (1635)
712c3dcc Fix makefile ci target and coverage test packages (1634)
841d2a58 Rename local var new to not collide with builtin (1610)
13938ab5 Update SpanProcessor docs (1611)
e25503a0 Add compatibility tests to CI (1567)
1519d959 Use reasonable interval in sdktrace.WithBatchTimeout (1621)
7d4496e0 Pass metric labels when transforming to gaugeArray (1570)
6d4a5e0d Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp (1619)
a93393a0 Bump google.golang.org/grpc in /example/prom-collector (1620)
e499ca86 Fix validation for tracestate with vendor and add tests (1581)
43886e52 Make timestamps sequential in lastvalue agg check (1579)
37688ef6 revent end-users from implementing some interfaces (1575)
85e696d2 Updating documentation with an working example for creating NewExporter (1513)
562eb28b Unify the Added sections of the unreleased changes (1580)
c4cf1aff Fix Windows build of Jaeger tests (1577)
4a163bea Fix stdout TestStdoutTimestamp failure with sleep (1572)
bd4701eb Stagger timestamps in exact aggregator tests (1569)
b94cd4b2 add code attributes to semconv package (1558)
78c06cef Update docs from gitter to slack for communication (1554)
1307c911 Remove vendor exclude from license-check (1552)
5d2636e5 Bump github.com/golangci/golangci-lint in /internal/tools (1565)
d7aff473 Vendor Thrift dependency (1551)
298c5a14 Update span limits to conform with OpenTelemetry specification (1535)
ecf65d79 Rename otel/label -> otel/attribute (1541)
1b5b6621 Remove resampling on span.SetName (1545)
8da52996 fix: grpc reconnection (1521)
3bce9c97 Add Keys() method to propagation.TextMapCarrier (1544)
0b1a1c72 Make oteltest.SpanRecorder into a concrete type (1542)
7d0e3e52 SDK span no modification after ended (1543)
7de3b58c Remove extra labels types (1314)
73194e44 Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger (1536)
8fae0a64 Create resource.Default() with required attributes/default values (1507)
76f93422 Release v0.17.0 (1534)
9b242bc4 Organize API into Go modules based on stability and dependencies (1528)
e50a1c8c Bump actions/cache from v2 to v2.1.4 (1518)
a6aa7f00 Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger (1517)
38efc875 Code Improvement - Error strings should not be capitalized (1488)
6b340501 Update default branch name (1505)
b39fd052 nit: Fix comment to be up-to-date (1510)
186c2953 Fix golint error of package comment form (1487)
9308d662 Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger (1506)
1952d7b6 Reverse order of attribute precedence when merging two Resources (1501)
ad7b4715 Remove build flags for runtime/trace support (1498)
4bf4b690 Remove inaccurate and unnecessary import comment (1481)
7e19eb6a Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger (1504)
c6a4406a Bump github.com/golangci/golangci-lint in /internal/tools (1503)
9524ac09 Update workflows to include main branch as trigger (1497)
c066f15e Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools (1478)
894e0240 Bump github.com/golangci/golangci-lint in /internal/tools (1477)
71ffba39 Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp (1471)
515809a8 Bump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools (1472)
3e96ad1e gitignore: remove unused example path (1474)
c5622777 Histogram aggregator functional options (1434)
0df8cd62 Rename Makefile.proto to avoid interpretation as proto file (1468)
979ff51f Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (1453)
1df8b3b8 Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp (1456)
4c30a90a Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk (1455)
5a9f8f6e Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout (1454)
7786f34c Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin (1457)
4352a7a6 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp (1460)
6990b3b3 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus (1461)
7af40d22 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger (1463)
f16f1892 Bump google.golang.org/grpc in /example/otel-collector (1465)
fe363be3 Move Span Event to API (1452)
43922240 Bump google.golang.org/grpc in /example/prom-collector (1466)
0aadfb27 Prepare release v0.16.0 (1464)
207587b6 Metric histogram aggregator: Swap in SynchronizedMove to avoid allocations (1435)
c29c6fd1 Shutdown underlying span exporter while shutting down BatchSpanProcessor (1443)
dfece3d2 Combine the Push and Pull metric controllers (1378)
74deeddd Handle tracestate in TraceContext propagator (1447)
49f699d6 Remove Quantile aggregation, DDSketch aggregator; add Exact timestamps (1412)
9c949411 Rename internal/testing to internal/internaltest (1449)
8d809814 Move gRPC driver to a subpackage and add an HTTP driver (1420)
9332af1b Bump github.com/golangci/golangci-lint in /internal/tools (1445)
5ed96e92 Update exporters/otlp Readme.md (1441)
bc9cb5e3 Switch CircleCI badge to GitHub Actions (1440)
716ad082 Remove CircleCI config (1439)
0682db1e Adding Security Workflows to GitHub Actions (2/2): gosec workflow (1429)
11f732b8 Adding Security Workflows to GitHub Actions (1/2): codeql workflow (1428)
40f1c003 Add Tracestate into the SamplingResult struct (1432)
db06c8d1 Flush metric events before shutdown in collector example (1438)
f6f458e1 Fix golint issue caused by typo in trace.go (1436)
fe9d1f7e Use uint64 Count consistently in metric aggregation (1430)
3a337d0b Bump github.com/golangci/golangci-lint in /internal/tools (1433)
1e4c8321 cleanup: drop the removed examples in gitignore (1427)
5c9221cf Unify endpoint API that related to OTel exporter (1401)
045c3ffe Build scripts: Replace mapfile with read loop for old bash versions (1425)
2def8c3d Add Versioning Documentation (1388)
6bcd1085 Bump github.com/itchyny/gojq from 0.11.2 to 0.12.0 in /internal/tools (1424)
38e76efe Add a split protocol driver for otlp exporter (1418)
439cd313 Add TraceState to SpanContext in API (1340)
35215264 Split connection management away from exporter (1369)
add9d933 Bump github.com/prometheus/client_golang from 1.8.0 to 1.9.0 in /exporters/metric/prometheus (1414)
93d426a1 Add @dashpole as a project Approver (1410)
6fe20ef3 Fix small typo (1409)
b22d0d70 Mention the getting started guide (1406)
3fb80fb2 Fix duplicate checkout action in GitHub workflow (1407)
2051927b Correct CI workflow syntax (1403)
f11a86f7 Fix typo in comment (1402)
bdf87a78 Migrate CircleCI ci.yml workflow to GitHub Actions (1382)
4e59dd1f Bump google.golang.org/grpc from 1.32.0 to 1.34.0 in /example/otel-collector (1400)
83513f70 Bump google.golang.org/api from 0.32.0 to 0.36.0 in /exporters/trace/jaeger (1398)
a354fc41 Bump github.com/prometheus/client_golang from 1.7.1 to 1.8.0 in /exporters/metric/prometheus (1397)
3528e42c Bump google.golang.org/grpc from 1.32.0 to 1.34.0 in /exporters/otlp (1396)
af114baf Call otel.Handle with non-nil errors (1384)
c3c4273e Add RO/RW span interfaces (1360)
Fixes#2591
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Ensure the tests in the local `logging` crate are run for all consumers
of it.
Additionally, add a new test which checks that output is generated by a
range of different log level `slog` macros. This is designed to ensure
debug level output is always available for the consumers of the
`logging` crate.
Fixes: #2969.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
In later versions of OpenTelemetry label.Any() is deprecated. Create
addTag() to handle type assertions of values. Change AddTag() to
variadic function that accepts multiple keys and values.
Fixes#2547
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Fixed the top-level build which was broken: the kata deploy
Makefile was being sourced, but it was defining the first target, which
became the default.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Raise the `slog` maximum log level feature for release code from `info`
to `debug` by changing the `slog` maximum level features in the shared
`logging` crate. This allows the consumers of the `logging` crate (the
agent, the `trace-forwarder` and the `agent-ctl` tool) to produce debug
output when their debug options are enabled. Currently, those options
will essentially be a NOP (unless using a debug version of the code).
Testing showed that setting the `slog` maximum level features in the
rust manifest files for the consumers of the `logging` crate has no
impact: those values are ignored, so they have been removed and replaced
with a comment stating the levels are set in the `logging` crate.
Fixes: #2966.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Currently the image-builder image is built from `fedora:latest` and
this is error-prone as any update of the base image can lead to
breakage. Instead let's create the image from Fedora 34, which is the
last known version to build fine.
Fixes#2960
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
There are some issues with Makefile for runtime:
- default target can't be used as a dependent of other targets.
- empty target `check`
And also add two targets for locally development/tests.
- lint: run golangci-lint
- pre-commit: run lint and test
Fixes: #2942
Signed-off-by: bin <bin@hyper.sh>
Use `dup3` system call instead of `dup2` in unit tests of seccomp
because `dup2` is obsolete on aarch64.
Fixes: #2939
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
We only added span.End() in the main process of the shim2 Shutdown method.
The "Shutdown" span would keep alive, when the containers number is not 0.
This PR make sure the "Shutdown" trace span have a correct end.
Fixes: #2930
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Add -failfast option to let test exit on error, but -failfast option
can't cross package, so there is a for loop used to test on all packages
in src/runtime, and the parallel number is set to 1, this may lead test
to be slow.
Fixes: #1997
Signed-off-by: bin <bin@hyper.sh>
It is safer to download the tarballs and work on a temporary directory
which can be proper cleaned up when the script finishes.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
If DESTDIR is set on the environment then gperf will be installed
in an unexpected directory, resulting on the libseccomp's configure
not being able to find it. To avoid that issue this changed the
ci/install_libseccomp.sh so that PREFIX and DESTDIR are unset
inside the script.
Fixes#2932
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Virtcontainers API document functions weren't sync with the codes Sandbox and VCImpl.
And we have two functions named `CreateSandbox` functions, diff by one parameter,
very confused. So this pr sync the codes to api documents.
Fixes: #2928
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
The `kata-agent` binaries inside the Kata Containers images provided
with release are statically linked with the GNU LGPL-2.1 licensed
libseccomp library by default.
Therefore, we attach the complete source code of the libseccomp
to the release page in order to comply with the LGPL-2.1 (6(a)).
In addition, we add the description about the libseccomp license
to the release page.
Fixes: #2922
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Cloud hypervisor is only supporting virtio-blk, this PR removes comments
that make a wrong reference of other features that are not supported
by clh.
Fixes#2924
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Allow the `agent-ctl` tool to connect to a Hybrid VSOCK hypervisor such
as Cloud Hypervisor or Firecracker.
Fixes: #2914.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the trace forwarder README to remove the quotes around the socket
path, which makes manipulating that path easier.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Current handling of read-only mounts is a little tricky.
However, a clearer solution can be used here:
1. make a private ro bind mount at privateDest to the mount source
2. make a bind mount at mountDest to the mount created in step 1
3. umount the private bind mount created in step 1
One important aspect is that the mount in step 2 is duplicated from
the one we created in step 1. So the MS_RDONLY flag is properly
preserved in all mounts created in the propagtion.
Fixes: #2205
Depends-on: github.com/kata-containers/tests#4106
Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
Pull #2795 recently added support for a closer-to-OCI behaviour for
VFIO devices, in which they appear to the container as VFIO devices,
rather than being interpreted by the guest kernel. However, in order
to use this, the Kata guest kernel needs to include the VFIO PCI
driver, along with dependencies like the Intel IOMMU driver.
The kernel as built by the scripts within Kata don't currently include
those, so this patch adds them.
fixes#2913
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
- convert linux field from oci spec to grpc spec
- include all the fields below linux oci spec
Fixes: #2715
Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
In order to pass CI test of aarch64, it is necessary to run
`ci/install_libseccomp.sh` before ruuning unit tests in
`jenkins_job_build.sh`.
However, `ci/install_libseccomp.sh` is not available
until PR #1788 including this commit is merged in the mainline.
Therefore, we disable seccomp feature on aarch64 temporarily.
After #1788 lands and CI is fixed, this commit will be reverted.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This adds explanation about how to enable seccomp in the kata-runtime and
build the kata-agent with seccomp capability.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This adds a step for installing libseccomp because the kata-agent
supports seccomp feature.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
The osbuilder needs to set up libseccomp library to build the kata-agent
because the kata-agent supports seccomp currently.
The library is built from the sources to create a static library for musl libc.
In addition, environment variables for the libseccomp crate are set to
link the library statically.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
The kata-agent supports seccomp feature based on the OCI runtime specification.
This seccomp capability in the kata-agent is enabled by default.
However, it is not enforced by default: users need to enable that by setting
`disable_guest_seccomp` to `false` in the main configuration file.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
All endpoint names share the `Request` suffix.
Also, the current list is based on functions, not requests.
Fixes#2916
Reported-by: Jakob Naucke <jakob.naucke@ibm.com>
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
There is a problem with slash-command-action which is on absence of a slash command
the job fails (instead of simply ignore, i.e., skip). This is documented on
https://github.com/xt0rted/slash-command-action/issues/124. There is a workaround
also documented on that issue, but here instead let's get rid of the action.
In this new implementation all comments sent to the pull request are parsed, if any
starts with "/test_kata-deploy" then the job is triggered.
Fixes#2836
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This changed valid() in hypervisor to check the case where both
initrd and image path are set; in this case it returns an error.
Fixes#1868
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Fix `-l <log-level>` for the trace forwarder which didn't work
previously as it lacked the magic Cargo configuration.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Hybrid VSOCK requires `root` privileges to access the sandbox-specific
host-side AF_UNIX socket created by the hypervisor (CLH or FC). However,
once the socket has been bound, privileges can be dropped, allowing the
forwarder to run as user `nobody`.
Fixes: #2905.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The oci_to_grpc function just handles part of oci fields,
and others are not copied from oci spec to grpc spec,
such as process.env, process.capabilities, mounts and so on.
Try to implement more handlings to convert thoses fields.
Fixes#2686
Signed-off-by: Lei Li <cdlleili@cn.ibm.com>
Rather than generating a potentially misleading error message if the
socket bind fails, perform an explicit check for `root` for Hybrid
VSOCK.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Updated the trace forwarder README to ensure the real socket path is
created, not the template socket path returned by `kata-runtime env`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
- Install OpenSSL for key generation in kernel build
- Do not install libpmem
- Do not exclude `*/share/*/*.img` files in QEMU tarball since among
them are boot loader files critical for IPLing.
Fixes: #2895
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Show available guest protections in the
`kata-runtime env` output. Also bump the formatVersion.
Fixes: #1982
Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
Add functions to return guestProtection as a string slice, which
can be then used in `kata-runtime env` output.
Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
uevents with action=remove was ignored causing the agent to reuse stale
data in the device map. This patch adds handling of such uevents.
Fixes#2405
Signed-off-by: Haitao Li <lihaitao@gmail.com>
On a conventional (e.g. runc) container, passing in a VFIO group device,
/dev/vfio/NN, will result in the same VFIO group device being available
within the container.
With Kata, however, the VFIO device will be bound to the guest kernel's
driver (if it has one), possibly appearing as some other device (or a
network interface) within the guest.
This add a new `vfio_mode` option to alter this. If set to "vfio" it will
instruct the agent to remap VFIO devices to the VFIO driver within the
guest as well, meaning they will appear as VFIO devices within the
container.
Unlike a runc container, the VFIO devices will have different names to the
host, since the names correspond to the IOMMU groups of the guest and those
can't be remapped with namespaces.
For now we keep 'guest-kernel' as the value in the default configuration
files, to maintain current Kata behaviour. In future we should change this
to 'vfio' as the default. That will make Kata's default behaviour more
closely resemble OCI specified behaviour.
fixes#693
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently constrainGRPCSpec always removes VFIO devices from the OCI
container spec which will be used for the inner container. For
upcoming support for VFIO devices in DPDK usecases we'll need to not
do that.
As a preliminary to that, add an extra parameter to the function to
control whether or not it will remove the VFIO devices from the spec.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
"constraint" is a noun, "constrain" is the associated verb, which makes
more sense in this context.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In order to support DPDK workloads, we need to change the way VFIO devices
will be handled in Kata containers. However, the current method, although
it is not remotely OCI compliant has real uses. Therefore, introduce a new
runtime configuration field "vfio_mode" to control how VFIO devices will be
presented to the container.
We also add a new sandbox annotation -
io.katacontainers.config.runtime.vfio_mode - to override this on a
per-sandbox basis.
For now, the only allowed value is "guest-kernel" which refers to the
current behaviour where VFIO devices added to the container will be bound
to whatever driver in the VM kernel claims them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add and adjust the vfio devices in the inner container spec so that
rustjail will create device nodes for them.
In order to do that, we also need to make sure the VFIO device node is
ready within the guest VM first. That may take (slightly) longer than
just the underlying PCI device(s) being ready, because vfio-pci needs
to initialize. So, add a helper function that will wait for a
specific VFIO device node to be ready, using the existing uevent
listening mechanism. It also returns the device node name for the
device (though in practice it will always /dev/vfio/NN where NN is the
group number).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Many device nodes go directly under /dev, however some are conventionally
placed in subdirectories under /dev. For example /dev/vfio/vfio or
/dev/pts/ptmx.
Currently, attempting to pass such a device into a Kata container will fail
because mknod() will get an ENOENT because the parent directory is missing
(or an equivalent error for bind_dev()).
Correct that by making subdirectories as necessary in create_devices().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For each user supplied device, create_devices() checks that the given path
actually is in /dev, by checking that its path starts with /dev and does
not contain "..".
However, this has subtle errors because it's interpreting the path as a raw
string without considering separators. It will accept the path /devfoo
which it should not, while it will not accept the valid (though weird)
paths /dev/... and /dev/a..b.
Correct this by using std::path::Path methods designed for the purpose.
Having done this, it's trivial to also generate the relative path that
mknod_dev() or bind_dev() will need, so do that at the same time.
We also move this logic into a helper function so that we can add some unit
tests for it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Both these functions take the absolute path from LinuxDevice and drop the
leading '/' to make a relative path. They do that with a simple
&dev.path[1..]. That can be technically incorrect in some edge cases such
as a path with redundant /s like "//dev//sda".
To handle cases like that, have the explicit relative path passed into
these functions. For now we calculate it in the same buggy way, but we'll
fix that shortly.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
create_devices() within the rustjail module is responsible for creating
device nodes within the (inner) containers. Errors that occur here will
be propagated up, but are likely to be low level failures of mknod() - e.g.
ENOENT or EACCESS - which won't be very useful without context when
reported all the way up to the runtime without the context of what we were
trying to do.
Add some anyhow context information giving the details of the device we
were trying to create when it failed.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, update_spec_device() assumes that the proper device path in the
(inner) container is the same as the device path specified in the outer OCI
spec on the host.
Usually that's correct. However for VFIO group devices we actually need
the container to see the VM's device path, since it's normal to correlate
that with IOMMU group information from sysfs which will be different in the
guest and which we can't namespace away.
So, add an extra "final_path" parameter to update_spec_device() to allow
callers to chose the device path that should be used for the inner
container. All current callers pass the same thing as container_path, but
that will change in future.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
update_spec_device_list() is used to update the container configuration to
change device major/minor numbers configured by the Kata client based on
host details to values suitable for the sandbox VM, which may differ. It
takes a 'device' object, but the only things it actually uses from there
are container_path and vm_path.
Refactor this as update_spec_device(), taking the host and guest paths to
the device as explicit parameters. This makes the function more
self-contained and will enable some future extensions.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Each VFIO device passed into the guest could represent a whole IOMMU group
of devices on the host. Since these devices aren't DMA isolated from each
other, they must appear as the same IOMMU group in the guest as well.
The VMM should enforce that for us, but double check it, since things can't
work otherwise. This also means we determine the guest IOMMU group for the
VFIO device, which we'll be needing later.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For upcoming VFIO extensions we'll need to work with the IOMMU groups of
VFIO devices. This helps us towards that by adding pci_iommu_group() to
retrieve the IOMMU group (if any) of a given PCI device.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
VFIO devices can be added to a Kata container and they will be passed
through to the sandbox guest. However, inside the guest those devices
will bind to a native guest driver, so they will no longer appear as VFIO
devices within the guest. This behaviour differs from runc or other
conventional container runtimes.
This code allows the agent to match the behaviour of other runtimes,
if instructed to by kata-runtime. VFIO devices it's informed about
with the "vfio" type instead of the existing "vfio-gk" type will be
rebound to the vfio-pci driver within the guest.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For better VFIO support, we're going to need to take control of which guest
driver controls specific guest devices. To assist with that, add the
pci_driver_override() function to force a specific guest device to be
bound to a specific guest driver.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use `"c".to_string` in the device type of `dev/full`
in order to consistent with the coding style of other devices
Fixes: #2890
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
create_tmpfs won't pass as the race condition in watcher umount. quote
James's words here:
1. Rust runs all tests in parallel.
2. Mounts are a process-wide, not a per-thread resource.
The only test that calls watcher.mount() is create_tmpfs().
However, other tests create BindWatcher objects.
3. BindWatcher's drop() implementation calls self.cleanup(),
which calls unmount for the mountpoint create_tmpfs() asserts.
4. The other tests are calling unmount whenever a BindWatcher goes
out of scope.
To avoid that issue, let the tests using BindWatcher in watcher and
sandbox.rs run sequentially.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
DefaultMaxVCPUs may be larger than the defaultMaxQemuVCPUs that should
be checked and avoided.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
The physical current vcpu number should not be used directly as the
largest vcpu number is limited to defaultMaxQemuVCPUs.
Here, a new helper is introduced in pkg/katautils/config.go to get
current vcpu number.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
The current kernel version parse lib can't process suffix '+', as the
modified kernel version will add '+' as suffix, thus panic will occur.
For example, if the current kernel version is "5.14.0-rc4+", test
TestHostNetworkingRequested will panic:
--- FAIL: TestHostNetworkingRequested (0.00s)
panic: &{DistroName:ubuntu DistroVersion:18.04
KernelVersion:5.11.0-rc3+ Issue: Passed:[] Failed:[] Debug:true
ActualEUID:0}: failed to check test constraints: error: Build meta data
is empty
Here, remove the suffix '+' in kernel version fix helper.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Last of a series of commits to export the top level
hypervisor generic methods.
s/createSandbox/CreateVM
Fixes#2880
Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Export commonly used hypervisor fields and utility functions.
These need to be exposed to allow the hypervisor to be consumed
externally.
Note: This does not change the hypervisor interface definition.
Those changes will be separate commits.
Signed-off-by: Manohar Castelino <mcastelino@apple.com>
This is to bump the OOT QAT 1.7 driver version to the
latest version. I dida test on my QAT enabled system and
everything functioned as expected.
Fixes: #2877
Signed-off-by: Eric Adams <eric.adams@intel.com>
Highlights from the Cloud Hypervisor release v19.0: 1) Improved PTY
handling for serial and virtio-console; 2) PCI boot time optimisations;
3) Improved TDX support; 4) Live migration enhancements (support with
virtio-mem and virtio-balloon); 5) virtio-mem support with vfio-user; 6)
AArch64 for virtio-iommu; 7) Various bug fixes for live-migration and
VFIO passthrough.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v19.0Fixes: #2871
Signed-off-by: Bo Chen <chen.bo@intel.com>
The upstream kernel SGX support has changed drastically since
the initial version of the Intel SGX use case doc was written.
The updated use case documents how to easily setup SGX with
Kata Containers running in a Kubernetes cluster.
Fixes: #2811
Depends-on: github.com/kata-containers/tests#4079
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Co-authored-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR includes these optimize changes:
- Remove the dependency on the container engine.
The old code uses runc to generate config.json and
Docker to export rootfs, that will be heavy and need
additional dependency.
Using a fixed config for busybox image can avoid
the heavy processing above.
- Moved duplicate code to pkg/katatestutils package
Fixes: #2752
Signed-off-by: bin <bin@hyper.sh>
cri-containerd project has been merged into containerd repo, and
we should not reference it any more in code and docs.
This commit will use containerd package instead of cri-containerd
package.
Fixes: #2791
Signed-off-by: bin <bin@hyper.sh>
This commit will add containerd to versions.yaml.
Please at now there are both containerd and cri-containerd
in the versions.yaml.
After updating of kata-containers/tests repo, the cri-containerd
should be removed.
Fixes: #2791
Signed-off-by: bin <bin@hyper.sh>
When building with dracut method the build_rootfs_distro() is not called, in turn
detect_rust_version() isn't either, so the install_rust.sh script is gave a null
rust version. This changed the script to call detect_rust_version() right before
install_rust.sh.
Related to commit: f34f67d610Fixes#2862
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Add `libseccomp` and `gperf` version information to support
for seccomp feature in Kata agent: #1788.
Fixes: #2858
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
When running the TestIoCopy test, on some occasions, the test
runs too quick, and closes the stdin pipe before the ioCopy()
routine start to read from it. This causes a SIGSEGV error.
To fix this issue, I am adding additional read/write tests before
closing the pipes. As the read operation waits for the writer to
be done, this actually synchronizes the threads and make sure
the final tests (with closed pipes) works as expected.
Fixes: #2042
Signed-off-by: Julien Ropé <jrope@redhat.com>
and update the script in `ci/` accordingly.
When only parts of the Kata Containers repositories are checked out
(e.g. when building with Snap) and no Rust version is provided in
calling `install_rust.sh`, the scripts will attempt to clone the
appropriate repos to read the version, which will fail because the
directories already exist. Since we have read the version already, we
can just specify it.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The agent build inside a Docker or Podman container has been re-enabled,
but we have since introduced the `$CI` environment variable. Pass it to
avoid checking out the tests repo to main when there is a dependency.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
or Podman. This is a partial revert of
76c18aa345. The rationale behind that
commit was the fact that the agent could not be built on Alpine, and
then this capability was removed altogether. The issue in Alpine has
since been resolved (see
https://github.com/kata-containers/osbuilder/issues/386). At the same
time, this ensures being able to run a glibc agent on hosts with distros
more recent than the osbuilder distro used (i.e. as of now, when you
build the agent on the host, and its glibc is newer than the one used in
the guest, the agent may encounter unresolved symbols).
Fixes#2398
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The tracing tags for api.go contain `"packages"` as a tag name,
whereas all other tags contain `"package"`.
Fixes: #2847
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Display a pseudo path to the sandbox socket in the output of
`kata-runtime env` for those hypervisors that use Hybrid VSOCK.
The path is not a real path since the command does not create a sandbox.
The output includes a `{ID}` tag which would be replaced with the real
sandbox ID (name) when the sandbox was created.
This feature is only useful for agent tracing with the trace forwarder
where the configured hypervisor uses Hybrid VSOCK.
Note that the features required a new `setConfig()` method to be added
to the `hypervisor` interface. This isn't normally needed as the
specified hypervisor configuration passed to `setConfig()` is also
passed to `createSandbox()`. However the new call is required by
`kata-runtime env` to display the correct socket path for Firecracker.
The new method isn't wholly redundant for the main code path though as
it's now used by each hypervisor's `createSandbox()` call.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add support for Hybrid VSOCK. Unlike standard vsock (`vsock(7)`), under
hybrid VSOCK, the hypervisor creates a "master" *UNIX* socket on the
host. For guest-initiated VSOCK connections (such as the Kata agent uses
for agent tracing), the hypervisor will then attempt to open a VSOCK
port-specific variant of the socket which it expects a server to be
listening on. Running the trace forwarder with the new `--socket-path`
option and passing it the Hypervisor specific master UNIX socket path,
the trace forwarder will listen on the VSOCK port-specific socket path
to handle Kata agent traces.
For further details and examples, see the README or run the
trace forwarder with `--help`.
Fixes: #2786.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
.dockerignore file is similar to .gitignore and serves the purpose to
simply ignore paths in the build context.
For now, let me just use it to fix the following problem:
```
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz .
error checking context: 'no permission to read from
'(...)/local-build/build/firecracker/builddir/firecracker/(...)/crc64-1.0.0/.gitignore''.
```
Fixes: #2845
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Adding a route that already exists should not be a reason for the agent to fail
booting and thus preventing the sandbox to start.
Fixes#2712
Signed-off-by: zhaojizhuang <571130360@qq.com>
- kata-monitor: add index page
- clh: Refine the usage of guest console and kernel parameters with Cloud Hypervisor
- agent: exec should inherit container process capabilities
- GitHubActions: fix invalid format of require-pr-porting-labels.yaml
- agent: flush root span before process finish
- Extend PCI submodules to represent non-zero functions and addresses
- packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
- runtime: don't start shim management server in tests
- qemu: use GitLab repos instead of qemu.org
- runtime: optimize code for managing temp users for rootless mode
- Agent configuration file and API restriction
- Delete file virtcontainers-setup.sh
- vendor: Update containerd to v1.5.7
- runtime: Optimize func noNeedForOutput and add test cases
- runtime: Fix !x86 static checks
- #2676: fixing centos gpg key url for ppc64le
- Pass the host route IP family to the guest
- cmd: get return value for setCPUtype
- packaging: Configure QEMU with --enable-pie
- clh: Enable guest userland output
- cmd: Fix mismatched types in testModuleData
- runtime: update .gitignore to ignore monitor_address file
- runtime: fix the make check-go-static command error
- virtcontainers: clean up useless code
- Remove forced PCI rescans from agent
- kernel: Enable SGX in experimental kernel.
- runtime: fix nil reference in cleanup rootless user
- qemu: prepare to upgrade qemu version to 6.1.0 for arm
- kata-monitor (minor) improvements
- virtcontainers: Fix incorrect scripts path
- runtime: clear virtcontainers cgroup duplicated function
- Kata monitor: cache improvements
- virtiofs: fix error report in TestVirtiofsdStart when go test running
176dee6f agent: exec should inherit container process capabilities
7b2bfd4e virtcontainers: clh: Use 'quiet' as the default kernel parameter
3e24e46c virtcontainers: clh: Turn-off serial and virtio-console by default
2d7b65e8 agent: flush root span before process finish
5c77cc2c runtime: don't start shim management server in tests
72044180 agent/device: Return PCI address from wait_for_pci_device()
e50b05d9 agent/pci: Add type to represent PCI addresses
8528157b agent/pci: Extend Slot type to represent PCI function as well
bf8f582c runtime: optimize code for managing temp users for rootless mode
a9c2a4ba GitHubActions: fix invalid format of require-pr-porting-labels.yaml
c4236cb2 packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
08360c98 agent: Add an agent configutation file example
8a4e69d2 agent: rpc: Return UNIMPLEMENTED for not allowed endpoints
0ea2e3af agent: config: Allow for building the configuration from a file
63539dc9 agent: config: Add allowed endpoints
a953fea3 agent: config: Simplify configuration creation
b888edc2 agent: config: Implement Default
7eac2ec7 protection: add confidential compute frame for arm
8acfc154 check: fix typecheck failure in qemu_arm64_test.go
5b02d54e virtcontainers: fix lint failure on ppc64le
ff9728f0 virtcontainers: nolint guestProtection
5c138c8f runtime: Fix field alignment on s390x
191d0016 vendor: Update containerd to v1.5.7
f7f6bd01 kata-monitor: add index page
a44cde7e agent: netlink: Use the grpc IP family field when updating the route
71ce6cfe runtime: Pass the route IP family to the agent
99450bd1 agent: protos: Add a Family field to the Route payload
f85fe702 runtime: vendor: Bump the netlink package dependency
e439cec7 cmd: fix field alignment on ppc64le
e5159ea7 cmd: get return value for setCPUtype
2ce8d426 clh: Suppress hypervisor output to make guest output visible
cd1064b1 packaging: Configure QEMU with --enable-pie
762922a5 runtime: delete func ConstraintsToVCPUs
4f485430 runtime: delete virtcontainers-setup.sh
80f6b977 osbuilder: fixing centos gpg key url for ppc64le
bb99bfb4 runtime: fix the make check-go-static command error
870771d7 runtime: update .gitignore to ignore monitor_address file
18bff584 runtime: Optimize func noNeedForOutput and add test cases
e5fe53f0 runtime: fix nil reference in cleanup rootless user
2304a596 runtime: set the sandbox storage path static
315295e0 runtime: rename GetSanboxesStoragePath() --> GetSandboxesStoragePath()
13e65f2e cmd: Fix mismatched types in testModuleData
da42cbc0 actions: Build experimental kernel on kata-deploy push action
dffc5092 kernel: Enable SGX in experimental kernel.
ff6a677d kernel-build: Enable multiple config types.
90046964 experimental-kernel: bump 5.13.10
1fbb7304 build: kata-deploy kernel experimental
907459c1 agent/device: Don't force PCI rescans
75f426dd agent: Simplify do_add_swap()
aad1a873 runtime/device: Give the agent information about VFIO devices
ebd7b618 runtime: Don't repeat GetDeviceByID between appendDevices() and append*()
ad45c52f runtime/device: Record guest PCI path for VFIO devices
5c2af3e3 runtime/device: Refactor hotplugVFIODevice() to have common exit path
8bc71105 agent/device: Add device type for VFIO devices
f7a27075 agent: Move driver type constants into device.rs
5b1eb08b agent/uevent: Improve logging of wait_for_uevent()
cf36fd87 runtime: Fix some leftover go fmt errors
6d94957a kernel: reduce alignment size of memory hotplug to 128M
48090f62 qemu: disable plug on arm64 when pie is added
57e3712d virtiofs: fix error report in TestVirtiofsdStart when go test running
8b0bc1f4 kata-monitor: bump version to 0.2.0
bfb556d5 kata-monitor: refresh kata sandbox list on fs events
0e854f3b kata-monitor: improve detection of kata workloads
80463b44 qemu: use GitLab repos instead of qemu.org
3b0c4bf9 runtime: clear virtcontainers cgroup duplicated function
afad910d kata-monitor: add getSandboxFS()
e38686f7 runtime: add GetSandboxesStoragePath()
245a12bb kata-monitor: improve sandbox caching
fc067d61 kata-monitor: warn when unable to retrive the lower level runtime
53ec4df9 kata-monitor: minor fixes
47516988 virtcontainers: Fix incorrect scripts path
814cea96 virtcontainers: clean up useless code
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The 'quiet' kernel parameter can avoid guest kernel logs while booting,
which can reduce boot time.
Fix: #2820
Signed-off-by: Bo Chen <chen.bo@intel.com>
We will need to have console output from the guest only for debugging
purposes. As a result, we can turn-off both the serial and
virtio-console devices by default for better boot time.
Fixes: #2820
Signed-off-by: Bo Chen <chen.bo@intel.com>
Variables in rust will be dropped at the end of the function.
In function real_main the trace will be shut down by `tracer::end_tracing()`,
but at this time the root span is in an active state, so this root span
will not be sent to the trace collector.
This can be fixed by dropping the root span manually.
Fixes: #2812
Signed-off-by: bin <bin@hyper.sh>
The variable for 'name' in config-settings.go.in was previously
hardcoded as "kata". In e7c42fb it was changed to the runtime name,
which is "kata-runtime". Add a variable to specify a syslog identifier
for consistency for tests and documentation that use it.
Fixes#2806
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Update the sandbox dir clean up logic to be more appropriate
Add different seeds for randInt() method
Fixes#2770
Signed-off-by: Feng Wang <feng.wang@databricks.com>
This patch adds an option "disable_seccomp" to the config
hypervisor.clh, from which users can disable the `seccomp`
feature from Cloud Hypervisor when needed (for debugging purposes).
Fixes: #2782
Signed-off-by: Bo Chen <chen.bo@intel.com>
This patch enables the `seccomp` feature from Cloud Hypervisor which
provides fine-grained allowed syscalls for each of its worker
threads. It brings important security benefits, while would increase
memory footprint.
Fixes: #2782
Signed-off-by: Bo Chen <chen.bo@intel.com>
Shim management server is running in a go routine, in test mode
this will cause the directory where the listen socket
file(/run/vc/sbs/777-77-77777777/shim-monitor.sock) in leak
after the tests finished.
Fixes: #2805
Signed-off-by: bin <bin@hyper.sh>
wait_for_pci_device() waits for the PCI device at the given path to become
ready, but it doesn't currently give you any meaningful handle on that
device.
Change the signature, so that it returns the PCI address of the device.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a new pci::Address type which represents a guest PCI address in
DDDD:BB:SS.F form.
fixes#2745
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
pci::Slot represents a PCI slot. However, in all cases where we use it, we
actually care about addressing a specific PCI function. So, at the moment
we can only refer to function 0 in each slot.
Replace pci::Slot with pci::SlotFn to represent both the slot and function.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit does two chagnes:
- move code for managing temp users to rootless.go.
- use common function in qemu.go when shutdown the VM.
Fixes: #2759
Signed-off-by: bin <bin@hyper.sh>
The yaml file has an indent issue from line 15.
And the branches filter should be under pull_request_target but
not the pull_request trigger.
Also actions/checkout@v2 does not need the token parameter.
Fixes: #2798
Signed-off-by: bin <bin@hyper.sh>
The guest kernel configuration suggested for Kata, and which is used by the
CI didn't include CONFIG_PCI_MMCONFIG. That's kind of weird, MMCONFIG is
the modern normal way of handling configuration cycles.
In addition, due to a complex set of interactions through the ACPI code,
disabling MMCONFIG means that SHPC hotplug doesn't work: the driver is
included in the guest kernel, but will fail to probe on PCI to PCI bridges,
meaning it won't actually be activated.
Enable MMCONFIG so that we suggest and testa more typical guest kernel
configuration.
fixes#2288
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
From the endpoints string described through the configuration file, we
build a hash set of allowed enpoints. If a configuration files does not
include an endpoints section, we assume all endpoints are not allowed.
If there is no configuration file, then all endpoints are allowed.
Then for every ttrpc request, we check if the name of the endpoint is
part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED.
Fixes: #1837
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry,
then we will try to override the default confiuguration values with the
ones we parse from a TOML file at <path>.
As the configuration file overrides the default values, we need to go
through a simplified builder that convert a set of Option<> fields into
the actual AgentConfig structure.
Fixes: #1837
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
They will define the list of endpoints that an agent supports.
They're empty and non actionable for now.
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
A single constructor setting default value is a typical pattern for a
Default implementation.
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Even CCA, which is the confidential compute archtecture, has not been
ready, add a empty implementation to avoid static check error.
Fixes: #2789
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Suggested-by: Fabiano Fidêncio <fidencio@redhat.com>
Exclude from lint checking for it is ultimately only used in
architecture-specific code.
Fixes: #2273
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Bump containerd to v1.5.7 in order to bring in a fix for CVE-2021-41103,
"insufficiently restricted permissions ons plugins directories
(https://github.com/advisories/GHSA-c2h3-6mxw-7mvq)".
dependabot found a potential security vulnerability and raised a PR to
fix it. However, dependabot does not properly follows nor understands
the needed of our CIs (mainly related to formatting the PR and whatnot),
thus I'm re-raising it.
Fixes: #2796
Supersedes: #2787
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Not all routes have either a gateway or a destination IP.
Interface routes, where the source, destination and gateway are undefined,
will default to IP v4 with the current is_ipv6() check even when they
are v6 routes.
We use the provided gRPC Route.Family field instead. This field is built
from the host netlink messages, and is a reliable way of finding out
a route's IP family.
Fixes: #2768
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Our check for the IP family is working as long as we have either a
gateway or a destination IP. Some routes are missing both.
The RT netlink messages provide the IP family information for each
route, so we can carry that piece of information up to the guest. That
will allow for a more reliable route IP family determination.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
We need to be able to get the IP family from the netlink route meesages,
and the Route.Family field only got recently added to the netlink
package.
The update generates static check warnings about the call for
nethandler.Delete() being deprecated in favor of a Close() call instead.
So we include the s/Delete()/Close()/ change as part of this PR.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
Reduce the cloud-hypervisor log level from `Debug` to `Info` when hypervisor
debug is enabled. This is required since `Debug` level:
- Is overkill for debugging hypervisor failures.
- Effectively hides the output from the guest kernel and userland: CLH
generates so much output that the output from the guest gets "lost in
the noise" (experiments show that for each full CLH debug message, at most
1 _byte_ of guest output is displayed).
Fixes: #2726.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
We explicitely set the Postion Independant Executlable (PIE) options
in the extra CFLAGS and LDFLAGS that are passed to the QEMU configure
script for all archs. This means that these options are used pretty
much everywhere, including when building the sample plugins under the
test directory. These cannot be linked with -pie and break the build,
as experienced recently on ARM (see PR #2732).
This only broke on ARM because other archs are configured with
--disable-tcg : this disables plugins which are built by default
otherwise.
The --enable-pie option is all that is needed. The QEMU build system
knows which binaries should be created as PIE, e.g. the important
bits like QEMU and virtiofsd, and which ones should not, e.g. the
sample plugins that aren't used in production.
Rely on --enable-pie only, for all archs. This allows to drop the
workaround that was put in place in PR #2732.
Fixes: #2757
Signed-off-by: Greg Kurz <groug@kaod.org>
The centos ppc64le gpg key at mirror.centos.org doesn't exist (link rot?).
Replacing it with url from CentOS/sig-core-AltArch on github.
Fixes: #2676
Signed-off-by: Aaron Simmons <paleozogt@gmail.com>
modify the make script of the check-go-static, changing the `./cli` path to `./cmd/kata-runtime`
Fixes: #2765
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Run tests sometimes generate pkg/containerd-shim-v2/monitor_address,
and `git status` will treat it as a new file.
Package containerd-shim-v2 has moved to pkg/containerd-shim-v2,
the monitor_address in .gitignore should be updated too.
Fixes: #2762
Signed-off-by: bin <bin@hyper.sh>
It seems the client (crio) can send multiple requests to stop the Kata VM,
resulting a nil reference if the uid has already been cleaned up by a different thread.
Fixes#2743
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Since we now have "unix://" kind of socket returned by the
SocketAddress() function, there is no more need to build the sandbox
storage path dynamically to keep OS compatibility.
Fixes: #2738
Suggested-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Rectify the values of testModuleData with the correct
types in TestCCCheckCLiFunction in kata-check_(!x86)_test.go
Fixes: #2735
Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
Optional build types are common for early adoption.
Lets add a flag to build and optional config.
e.g.
kernel-build.sh -b experimental
In the future instead of add more flags just add a new build type.
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
The agent initiates a PCI rescan from two places. One is triggered
for each virtio-blk PCI device, and one is triggered unconditionally
when we start a new container.
The PCI bus rescan code was added long time ago in Clear Containers due to
lack of ACPI support in QEMU 2.9 + q35. Since Kata routinely plugs devices
under a PCIe-to-PCI bridge, that left SHPC as the only available hotplug
mechanism.
However, while Kata was using SHPC on the qemu side, it wasn't actually
using it on the guest side. Due to a quirk of our guest kernel
configuration, the SHPC driver never bound to the bridge, and *no* hotplug
was working at all. To work around that, Kata was forcing the rescan
manually, which would discover the new device. That was very fragile (we
were arguably relying on a kernel bug). Even if we were using SHPC
propertly, it includes a mandatory 5s delay during plug operations
(designed for physical cards and human operators), which makes it
unsuitable quick start up.
Worse, the forced PCI rescans could race with either SHPC or PCIe native
hotplug sequences, causing several problems. In some cases this could put
the device into an entirely broken state where it wouldn't respond to
config space accesses at all.
Since pull request #2323 was merged, we have instead used ACPI hotplug
which is both fast, and more solid in terms of semantics and races. So,
the forced PCI rescans are no longer necessary. Remove them all.
fixes#683
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
do_add_swap() has some mildly complex code to translate the PCI path of
a virtio-blk device (where the swap will reside) into a /dev path. However,
the device module already has get_virtio_blk_pci_device_name() which does
exactly that. The existing code has some further advantages: it uses
more precise matching of the sysfs paths, and if necessary it will wait for
the device to be added to the guest.
While we're there, remove an unnecessary 'as u8' from the PCI path
construction: pci::Path::new() already accepts anything which implements
TryInfo<u8>, which u32 certainly does.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We send information about several kinds of devices to the agent so
that it can apply specific handling. We don't currently do this with
VFIO devices. However we need to do that so that the agent can
properly wait for VFIO devices to be ready (previously it did that
using a PCI rescan which may not be reliable and has some very bad
side effects).
This patch collates and sends the relevant information.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Both appendBlockDevice and appendVhostUserBlkDevice start by using
GetDeviceByID to lookup the api.Device object corresponding to their
ContainerDevice object. However their common caller, appendDevices() has
already done this.
This changes it so the looked up api.Device is passed to the individual
append*Device() functions. This slightly reduces duplicated work, but more
importantly it makes it clearer that append*Device() don't need to check
for a nil result from GetDeviceByID, since the caller has already done
that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For several device types which correspond to a PCI device in the guest
we record the device's PCI path in the guest. We don't currently do
that for VFIO devices, but we're going to need to for better handling
of SR-IOV devices.
To accomplish this, we have to determine the guest PCI path from the
information the VMM gives us:
For qemu, we query the slot of the device and its bridge from QMP.
For cloud-hypervisor, the device add interface gives us a guest PCI
address. In fact this represents a design error in the clh API -
there's no way it can really know the guest PCI address in general.
It works in this case, because clh doesn't use PCI bridges, so the
device will always be on the root bus. Based on that, the PCI path is
simply the device's slot number.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
hotplugVFIODevice() has several different paths depending if we're
plugging into a root port or a PCIE<->PCI bridge and if we're using a
regular or mediated VFIO device.
We're going to want some common code on the successful exit path here,
so refactor the function to allow that without duplication.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, VFIO devices attached to a Kata container aren't described to
the agent at all. We essentially just hope they're ready by the time
we've entered the container proper, which is usually the case because of
the PCI rescan - but that causes other problems.
This adds a new device type to the agent representing VFIO devices. The
agent will use its existing uevent watching mechanisms to wait for the
associated guest PCI device to appear before proceeding.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the constants giving the names for each device/driver type in
the protocol are in mount.rs, and used in device.rs. Since these constants
are inherently related to, well, devices, it makes more sense to put them
in device.rs and use them from mount.rs.
This will become even more so with planned extensions which will add some
device types that will not be used in mount.rs at all.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
A few "go fmt" errors appear to have crept it. Clean them up with
"go fmt ./..." in the src/runtime directory.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
After 5.11-rc4, memory hotplug alignment size is reduced to 128M for 4K
page.
It works better for memory hotplug and nvdimm plug in kata on arm.
without this patch, memory hotplug will fail for the current memory
hotplug alignment is 1G but the nvdimm size align with 128M in kata.
After port it here, we can avoid a fix in qemu side.
Note: if you change the page size to other size than 4K, memory hotplug
will has no effect.
Fixes: #2707
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
For qemu 6.1.0 build on arm64, compile error occurs when "-pie" is added
to ldflag.
tests/plugins/empty.c won't be linked as a sysmbol is missing.
I consider there maybe a bug.
Before figure it out, we should disable plugins for qemu 6.1.0 on arm64.
Fixes: #2707
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
There's a typo in the file that should receive the output of `cargo
vendor`. We should use forward the output to `.cargo/config` instead of
`.cargo/vendor`.
This was introduced by 21c8511630.
Fixes: #2729
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
While releasing kata-containers 2.3.0-alpha1 we've hit some issues as
the tags attribution is done incorrectly. We want an array of tags to
iterate over, but the currently code is just lost is the parenthesis.
This issue was introduced in a156288c1f.
Fixes: #2725
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
- virtiofs: Create shared directory with 0700 mode, not 0750
- watcher: ensure we create target mount point for storage
- packaging: fix qemu build on ppc64le
- runtime: tracing: Use root context to stop tracing
- Replace SHPC with ACPI PCI hotplug for Kata guests
- kata-deploy: Also provide "stable" & "latest" tags
- runtime: tracing: Fix logger passed in newContainer
- virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
- sandbox: Allow the device to be accessed,such as /dev/null and /dev/u…
- qemu: add v5.1.0 dir under tag_patches
- threat-model: Add missing threat-model document
- docs: documentation for running non-root VMM
- workflows,release: Upload the vendored cargo code
- runtime: run the QEMU VMM process with a non-root user
- runtime: update .gitignore file cleare the vc shim config
- runtime: fix empty cgroup path validation error
- ci: Call agent shutdown test only in the correspondent CI_JOB
- runtime: Remove outdated TestStoreContainer
- runtime: refactor commandline code directory
- virtcontainers: update VC HypervisorConfig API add three lost fields
- virtcontainers: add unit tests for container.go
- runtime: clh: Enable hugepages support
- agent: Simplify mount point creation
- versions: Allow newer Rust versions
- runtime/qemu: Move from query-cpus to query-cpus-fast
- Update Kata to use qemu-6.1
- Host cgroups improvements and simplifications
- Add doc for guest swap
- versions: Upgrade to Cloud Hypervisor v18.0
- runtime: Fix README link
- qemu: remove default config for arm64.
- sandbox: Add device permissions such as /dev/null to cgroup
- virtcontainers: fc: parse vcpuID correctly
- kata-tarball: Build and test fixes
- test: enable running tests under root user
- osbuilder: Change to "=" operator to make script more portable
- makefile: Fix error exit status code
- osbuilder: fix inconsistent calculation of fs size
- virtcontainers: Remove NewStoreFeature
- snap: Test variable instead of executing "branch"
- license: drop redundent license files
- Fix swap fail insert fail issue
272771dc watcher: ensure we create target mount point for storage
439e5ac3 packaging: fix qemu build on ppc64le
8bbcb06a qemu: Disable SHPC hotplug
cc4983ee runtime: Remove unused qemuArchBase.appendBridges definition
e248de46 vendor: Update govmm
0ca8c272 qemu: add v5.1.0 dir under tag_patches
3bdcfaa6 kata-deploy: Add more info about the stable tag
41c590fa kata-deploy: Improve README
debf3c9f kata-deploy: Remove qemu-virtiofs runtime class
43a72d76 release: update the kata-deploy yaml files accordingly
ea9b2f9c kata-deploy: Add "stable" info to the README
e5411056 kata-deploy: Update the README
9acf4e5d kata-deploy: Add `stable` yaml files
a86babe0 kata-deploy: Point to the `latest` release
a156288c workflows: Add "stable" & "latest" tags to kata-deploy
305afc8b docs: documentation for running non-root VMM
1fe080fd threat-model: Add missing threat-model document
21c85116 workflows,release: Upload the vendored cargo code
9a6d56f1 runtime: fix empty cgroup path validation error
90e63887 ci: Call agent shutdown test only in the correspondent CI_JOB
48fb1d92 virtiofs: Create shared directory with 0700 mode, not 0750
077b77c1 runtime: tracing: Fix logger passed in newContainer
39cd05e0 runtime: tracing: Use root context to stop tracing
1cfe5930 runtime: Run QEMU using a non-root user/group
fd983738 runtime: update .gitignore file cleare the vc shim config
067c44d0 runtime: fix UT build failure
9353cd77 runtime: Remove outdated TestStoreContainer
9a311a2b docs: fix invalid kernel dax doc url
e7c42fbc runtime: unify generated config
4f7cc186 runtime: refactor commandline code directory
9d3cd984 agent/mount: Remove unused ensure_destination_exists()
64aa5623 agent: Correct mount point creation
08d7aebc agent/mount: Split out regular file case from ensure_destination_exists()
9fa3beff agent: Remove unnecessary BareMount structure
49282854 agent: Simplify BareMount::mount by using nix::mount::mount
d00decc9 runtime: clh: Enable hugepages support
64bb803f runtime/qemu: Move from query-cpus to query-cpus-fast
25ac3524 versions: Allow newer Rust versions
851d5f86 tests: Correct heading in static checks test
4b7e4a4c runtime: Vendoring update
8d9d6e6a docs: Host cgroups documentation update
9bed2ade virtcontainers: Convert to the new cgroups package API
b42ed393 virtcontainers: cgroups: Add a containerd API based cgroups package
f17752b0 virtcontainers: container: Do not create and manage container host cgroups
dc7e9bce virtcontainers: sandbox: Host cgroups partitioning
f811026c virtcontainers: Unconditionally create the sandbox cgroup manager
a6066404 virtcontainers: update VC HypervisorConfig API add three lost fields
bb18cd47 virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
58e77a3c sandbox: Allow the device to be accessed,such as /dev/null and /dev/urandom
d67a414b src/runtime/README.md: Fix URL of Licence
13b8bb0c runtime: Fix README link
25670d30 packaging/qemu: Update qemu-exerimental version to v6.1.0
041a513f versions: Update qemu to v6.1.0
62baa48e virtcontainers: fc: parse vcpuID correctly
81de2d47 packaging: Correct error message in apply_patches.sh
f785ff0b virtcontainers: clh: Revert the workaround incorrect default values
0e0e59dc virtcontainers: clh: Re-generate the client code
f0b53314 versions: Upgrade to Cloud Hypervisor v18.0
11652136 actions: test make kata-tarball
626d659f actions: kata-deploy on PRs and use makefile
78d99f51 kata-deploy: Make verbose single builds
59486b85 kata-deploy: Add tarball suffix to makefile targets
96e1246b makefile: Include kata-deploy targets
74d645cd how-to: Add how-to-setup-swap-devices-in-guest-kernel.md
d865c809 virtcontainers: add unit tests for container.go
71f915c6 sandbox: Add device permissions such as /dev/null to cgroup
2174fee4 docs: Add swap annotations introduction
2abc450a test: enable running tests under root user
924a68d0 osbuilder: Change to "=" operator to make script more portable
1fff9be7 qemu: remove default config for arm64.
e2a9e78c virtcontainers: Remove NewStoreFeature
bfcee911 osbuilder: fix inconsistent calculation of fs size
4996f9b7 snap: Test variable instead of executing "branch"
256c3b27 license: drop redundent license files
bcc9fa3b hotplugAddBlockDevice: Use ExecuteBlockdevAddWithDriverCache with swap
bd85da04 vendor: Update vendor/github.com/kata-containers/govmm
d422789f makefile: Fix error exit status code
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
We would only create the target when updating files. We need to make
sure that we create the target if the source is a directory. Without
this, we'll fail to start a container that utilizes an empty configmap,
for example.
Add unit tests for this.
Fixes: #2638
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
We now support any container engine CRI compliant. Let's bump the
kata-monitor version to 0.2.0.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
This commit stops the container engine polling in favor of
the kata sandbox storage path monitoring.
The pod cache list is now refreshed based on fs events and synced with
the container engine only when needed.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
When the container engine is different than containerd or CRI-O we
lack proper detection of kata workloads and consider all the pods as
kata ones.
Instead of querying the container engine for the lower level runtime
used in each pod, check if a directory matching the pod exists in
the virtualcontainers sandboxes storage path.
This provides a container engine independent way to check for kata pods.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Since the qemu upgrade to v6.1.0, the build fails
with a linking issue. Adding --disable-tcg to fix
it.
Fixes: #2710
Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
Under certain circumstances[0] Kata will attempt to use SHPC hotplug
for PCI devices on the guest. In fact we explicitly enable SHPC on
our PCI to PCI bridges, regardless of the qemu default.
SHPC was designed a long, long time ago for physical hotplugging and
works very poorly for a virtual environment. In particular it has a
mandatory 5s delay to allow a (real, human) operator to back out the
operation if they press a button by mistake. This alone makes it
unusable for a fast start up application like Kata.
Worse, the agent forces a PCI rescan during startup. That will race
with the SHPC hotplug operation causing the device to go into a bad
state where config space can't be accessed from the guest at all.
The only reason we've sort of gotten away with this is that our
default guest kernel configuration triggers what's arguably a kernel
bug effectively disabling SHPC. That makes the agent rescan the only
reason we see the new device.
Now that we require a qemu >=6.1, which includes ACPI PCI hotplug on
the q35 machine, we can explicitly disable SHPC in all cases. It's
nothing but trouble.
fixes#2174
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
qemuArchBase.appendBridges is never actually used, because the bare
qemuArchBase type is itself never used (outside of unit tests). Instead
*all* the subclasses of qemuArchBase override appendBridges() to call
the very similar, but not identical genericAppendBridges. So, we can
remove the qemuArchBase.appendBridges implementation.
Furthermore, all those subclasses override appendBridges() in exactly
the same way, and so we can remove *those* definitions and replace the
base class qemuArchBase appendBridges() with that version, calling
genericAppendBridges().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
A related dir is needed when apply qemu patch using script. As qemu 5.1
is used for arm, a dir of "v5.1.0" is needed under tag_patches.
Fixes: #2696
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
as `-realtime` has been removed in QEMU 6. `-overcommit` has been
supported since at least QEMU 3.1.
Fixes: #189
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
There are `DeviceToDeviceCgroup` and `deviceToDeviceCgroup` two functions,
creating a `specs.LinuxDeviceCgroup` object. We clear the new function `deviceToDeviceCgroup`.
Fixes: #2694
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Let's make it as clear as possible for the user that if they go for a
tagged version of kata-deploy, eg, 2.2.1, they'll have the kata runtime
2.2.1 deployed on their cluster.
Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's add more instructions in the README in order to make clear to the
reader what they can do to check whether kata-deploy is ready, or
whether they have to wait till proceeding with the next instruction.
Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's only one QEMU runtime class deployed as part of kata-deploy, and
that includes virtiofs support (which is the default for quite some time
already). Knowing this, let's just remove the `qemu-virtiofs` runtime
class definition.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's teach our `update-repository-version.sh` script to properly update
the kata-deploy tags on both kata-deploy and kata-cleanup yaml files.
The 3 scenarios that we're dealing with, based on which branch we're
targetting, are:
```
1) [main] ------> [main] NO-OP
"alpha0" "alpha1"
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "latest" | "latest" |
-----------------+----------------+----------------+
kata-deploy-base | "stable | "stable" |
-----------------+----------------+----------------+
2) [main] ------> [stable] Update kata-deploy and
"alpha2" "rc0" get rid of kata-deploy-base
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "latest" | "rc0" |
-----------------+----------------+----------------+
kata-deploy-base | "stable" | REMOVED |
-----------------+----------------+----------------+
3) [stable] ------> [stable] Update kata-deploy
"x.y.z" "x.y.(z+1)"
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "x.y.z" | "x.y.(z+1)" |
-----------------+----------------+----------------+
kata-deploy-base | NON-EXISTENT | NON-EXISTENT |
-----------------+----------------+----------------+
```
And we can easily cover those 3 cases only with the information about
the "${target_branch}" and the "${new_version}", where:
* case 1) if "${target_branch}" is "main" *and* "${new_version}"
contains "alpha", do nothing
* case 2) if "${target_branch}" is "main" *and* "${new_version}"
contains "rc":
* change the kata-deploy & kata-cleanup tags from "latest" to
"${new_version}".
* delete the kata-deploy-stable & kata-cleanup-stable files.
* case 3) if the "${target_branch}" contains "stable":
* change the kata-deploy & kata-cleanup tags from "${current_version}"
to "${new_version}".
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Similar to the instructions we have for the "latest" images, let's also
add instructions about the "stable" images.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's just point to our repo URLs rather than assume users using
kata-deploy will have our repo cloned.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This is **not** the nicest patch of my career, and I know it adds code
duplication. However, I've decided to take this approach in order to
have easier / better instructions for users who're consuming
kata-deploy.
Having both stable & latest yaml on `main` will let us point to just one
place, without having to update the instructions.
I know, would be better to have those generated from a .in file,
wouldn't it? For sure, but then we'd lose the ability to just point to
those files from kata-deploy pages (either on dockerhub or quay.io).
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Instead of point to a specific release number, let's point to the
`latest` tag on the main branch.
There's still some work needed in order to point to the `stable` tag on
the stable-x.y branches, as this is something that should be done
automagically as part of the release process.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When releasing a tarball, let's *also* add the "stable" & "latest" tags
to the kata-deploy image.
The "stable" tag refers to any official release, while the "latest" tag
refers to any pre-release / release candidate.
Fixes: #2302
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This was added in the 1.x repo and is missing in the 2.x repo.
Copying over the document from 1.x.
This is a starting point and focuses on the devices / interfaces
with the virtual machine, and ultimately to the container itself.
We then discuss how these devices/interfaces vary by VMM/hypervisor.
The threat model drawing is created via gdocs, located here:
https://docs.google.com/drawings/d/1dPi9DG9bcCUXlayxrR2OUa1miEZXewtW7YCt4r_VDmA/edit?usp=sharing
For Kata 2.x, the block named as `kata-runtime` has been changed to
`kata-shim`.
Fixes: #2340
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
As part of the release, let's also upload a tarball with the vendored
cargo code. By doing this we allow distros, which usually don't have
access to the internet while performing the builds, to just add the
vendored code as a second source, making the life of the downstream
maintainers slightly easier*.
Fixes: #1203
*: The current workflow requires the downstream maintainer to download
the tarball, unpack it, run `cargo vendor`, create the tarball, etc.
Although this doesn't look like a ridiculous amount of work, it's better
if we can have it in an automated fashion.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The agent shutdown test should only run on the CI JOB of CRI_CONTAINERD_K8S_MINIMAL
which is the only one where testing tracing is being enabled, however, this
test is being triggered in multiple CI jobs where it should not run. This PR
fixes that issue.
Fixes#2683
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
A discussion on the Linux kernel mailing list [1] exposed that virtiofsd makes a
core assumption that the file systems being shared are not accessible by any
non-privileged user. We currently create the `shared` directory in the sandbox
with the default `0750` permissions, which gives read and directory traversal
access to the group. There is no real good reason for a non-root user to access
the shared directory, and this is potentially dangerous.
Fixes: #2589
[1]: https://lore.kernel.org/linux-fsdevel/YTI+k29AoeGdX13Q@redhat.com/
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Retrieve the absolute sandbox storage path. We will soon need this to
monitor the creation/deletion of new kata sandboxes.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
The storage path we use to collect the sandbox files is defined in the
virtcontainers/persist/fs package.
We create the runtime socket in that storage path, by hardcoding the
full path in the SocketAddress() function in the runtime package.
This commit splits the hardcoded path by the socket address path so that
the runtime package will be able to provide the storage path to all the
components that may need it.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
In order to retrieve the list of sandboxes, we poll the container engine
every 15 seconds via the CRI. Once we have the list we have to inspect
each pod to find out the kata ones.
This commit extend the sandbox cache to keep track of all the pods,
marking the kata ones, so that during the next polling only the new
sandboxes should be inspected to figure out which ones are using the
kata runtime.
Fixes: #2563
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
this is an unexpected event (likely a change in how containerd/cri-o
record the lower level runtime in the pod) and should be more visible:
raise the log level to "warning".
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Change logger in Trace call in newContainer from sandbox.Logger() to
nil. Passing nil will cause an error to be logged by kataTraceLogger
instead of the sandbox logger, which will avoid having the log message
report it as part of the sandbox subsystem when it is part of the
container subsystem.
The kataTraceLogger will not log it as related to the container
subsystem, but since the container logger has not been created at this
point, and we already use the kataTraceLogger in other instances where a
subsystem's logger has not been created yet, this PR makes the call
consistent with other code.
Fixes#2665
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Call StopTracing with s.rootCtx, which is the root context for tracing,
instead of s.ctx, which is parent to a subset of trace spans.
Fixes#2661
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
A random generated user/group is used to start QEMU VMM process.
The /dev/kvm group owner is also added to the QEMU process to grant it access.
Fixes#2444
Signed-off-by: Feng Wang <feng.wang@databricks.com>
Add support for --no-shutdown Knob. This allows us to
shutdown the VM without quitting QEMU.
Note: Also fix the comment around --no-reboot to be
more accurate.
Signed-off-by: Manohar Castelino <mcastelino@apple.com>
ExecuteSystemPowerdown issues `system_powerdown` and waits
for `SHUTDOWN`. The event emitted is `POWERDOWN` per spec.
Without this we get an error even though the VM has shutdown
gracefully.
Per QEMU spec:
```
POWERDOWN (Event)
Emitted when the virtual machine is powered down through the power
control system, such as via ACPI.
Since
0.12
Example
<- { "event": "POWERDOWN",
"timestamp": { "seconds": 1267040730, "microseconds": 682951 } }
SHUTDOWN (Event)
Emitted when the virtual machine has shut down, indicating that qemu is
about to exit.
Arguments
guest: boolean
If true, the shutdown was triggered by a guest request (such as a
guest-initiated ACPI shutdown request or other hardware-specific action)
rather than a host request (such as sending qemu a SIGINT). (since 2.10)
reason: ShutdownCause
The ShutdownCause which resulted in the SHUTDOWN. (since 4.0)
Note
If the command-line option “-no-shutdown” has been specified, qemu will
not exit, and a STOP event will eventually follow the SHUTDOWN event
Since
0.12
Example
<- { "event": "SHUTDOWN", "data": { "guest": true },
"timestamp": { "seconds": 1267040730, "microseconds": 682951 } }
```
Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Due to #2332 being merged after running tests for #2604, and the latter
being merged now, a test for the now removed `storeContainer` was added.
Remove it.
Fixes: #2652
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
And use a released version instead of the master branch so that it no
longer gets invalidated.
Depends-on: github.com/kata-containers/kata-containers#2645
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The only remaining callers of ensure_destination_exists() are in its own
unit tests. So, just remove it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
mount_storage() first makes sure the mount point for the storage volume
exists. It uses fs::create_dir_all() in the case of 9p or virtiofs volumes
otherwise ensure_destination_exists(). But.. ensure_destination_exists()
boils down to an fs::create_dir_all() in most cases anyway. The only case
it doesn't is for a bind fstype, where it creates a file instead of a
directory. But, that's not correct anyway because we need to create either
a file or a directory depending on the source of the bind mount, which
ensure_destination_exists() doesn't know.
The 9p/virtiofs paths also check if the mountpoint exists before calling
fs::create_dir_all(), which is unnecessary (fs::create_dir_all already
handles that case).
mount_storage() does have the information to know what we need to create,
so have it explicitly call ensure_destination_file_exists() for the bind
mount to a non-directory case, and fs::create_dir_all() in all other cases.
fixes#2390
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
ensure_destination_exists() can create either a directory or a regular file
depending on the arguments. This patch extracts the regular file specific
option into its own helper: ensure_destination_file_exists(). This:
- Avoids doing some steps in the directory case (they're already handled
by create_dir_all())
- Enables some further future cleanups
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
struct Baremount contains the information necessary to make a new mount.
As a datastructure, however, it's pointless, since every user just
constructs it, immediately calls the BareMount::mount() method then
discards the structure.
Simplify the code by making this a direct function call baremount().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
BareMount::mount does some complicated marshalling and uses unsafe code to
call into the mount(2) system call. However, we're already using the nix
crate which provides a more Rust-like wrapper for mount(2). We're even
already using nix::mount::umount and nix::mount::MsFlags from the same
module.
In the same way, we can replace the direct usage of libc::umount() with
nix::mount::umount() in one of the tests.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds the configuration option that allows to use hugepages
with Cloud Hypervisor guests.
Fixes: #2648
Signed-off-by: Bo Chen <chen.bo@intel.com>
We recently updated to using qemu-6.1 (from qemu 5.2). Unfortunately one
breaking change in qemu 6.0 wasn't caught by the CI.
The query-cpus QMP command has been removed, replaced by query-cpus-fast
(which has been available since qemu 2.12). govmm already had support for
query-cpus-fast, we just weren't using it, so the change is quite easy.
fixes#2643
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Rust 1.47.0 which is the latest we note as tested in versions.yaml is now
getting fairly old - many current distros have newer versions (e.g.
Rust 1.54.0 in Fedora 34). Bring this more up to date.
Note that this is only updating the 'newest-version', not the minimum
required version.
The new version changes the name of the 'clippy::unknown_clipp_lints'
option to simply 'unknown_lints' so we need to change that as well to avoid
warnings.
fixes#2633
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The github static checks action has a section heading called "Building
rust". It doesn't actually build rust, though, just installs it with
rustup. Correct the misleading message.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The new API is based on containerd's cgroups package.
With that conversion we can simpligy the virtcontainers sandbox code and
also uniformize our cgroups external API dependency. We now only depend
on containerd/cgroups for everything cgroups related.
Depends-on: github.com/kata-containers/tests#3805
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Eventually, we will convert the virtcontainers and the whole Kata
runtime code base to only rely on that package.
This will make Kata only depends on the simpler containerd cgroups API.
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
The only process we are adding there is the container host one, and
there is no such thing anymore.
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
This is a simplification of the host cgroup handling by partitioning the
host cgroups into 2: A sandbox cgroup and an overhead cgroup.
The sandbox cgroup is always created and initialized. The overhead
cgroup is only available when sandbox_cgroup_only is unset, and is
unconstrained on all controllers. The goal of having an overhead cgroup
is to be more flexible on how we manage a pod overhead. Having such
cgroup will allow for setting a fixed overhead per pod, for a subset of
controllers, while at the same time not having the pod being accounted
for those resources.
When sandbox_cgroup_only is not set, we move all non vCPU threads
to the overhead cgroup and let them run unconstrained. When it is set,
all pod related processes and threads will run in the sandbox cgroup.
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Regardless of the sandbox_cgroup_only setting, we create the sandbox
cgroup manager and set the sandbox cgroup path at the same time.
Without doing this, the hypervisor constraint routine is mostly a NOP as
the sandbox state cgroup path is not initialized.
Fixes#2184
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Sync the virtcontainers api.md document, add `ConfidentialGuest` `EntropySourceList` `GuestSwap` three
fields to the HypervisorConfig API.
Fixes#2625
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
sync the virtcontainers api.md document, add SandboxBindMounts field to the SandboxConfig API.
And update the order of the SandboxConfig API fields.
Fixes#2621
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
If the device has no permission, such as /dev/null, /dev/urandom,
it needs to be added into cgroup.
Fixes: #2615
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
This brings it back into line with the normal qemu version. We refer to
v6.1.0 by full SHA in versions.yaml, rather than the tag, so that
apply_patches.sh sees it as different and applies the virtiofs DAX patches
which is what the experimental version is actually about having.
The virtiofs DAX patches themselves are updated to the version from
https://gitlab.com/virtio-fs/qemu, virtio-fs-dev branch as of commit
3620cb0a.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We need qemu-6.1 for ACPI PCI hotplug support for the q35 machine. At the
moment qemu will use SHPC hotplug under the PCIe to PCI bridge on q35.
SHPC is too slow to use for our purposes (it requires a 5s delay).
Update the qemu version to v6.1.0. This leaves the experimental version
*older* than the normal version, but we'll fix that up later.
We also need to tweak the snapcraft.yaml, since the location for configs
has changed in the new qemu version.
fixes#1691
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In getThreadIDs(), the cpuID variable is derived from a string that
already contains a whitespace. As a result, strings.SplitAfter returns
the cpuID with a leading space. This makes any go variant of string to int
fail (strconv.ParseInt() in our case). This patch makes sure that the
leading space character is removed so the string passed to
strconv.ParseInt() is "CPUID" and not " CPUID".
This has been caused by a change in the naming scheme of vcpu threads
for Firecracker after v0.19.1.
Fixes: #2592
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
If the script doesn't find a patches directory it expects, it gives an
error saying to create a dummy 'no_patches' file if you really don't want
any patches applied for that version.
But actual practice in the tree is to call the dummy file 'no_patches.txt'
rather than simply 'no_patches'. Correct the message to match existing
practice.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Highlights from the Cloud Hypervisor release v18.0: 1) Experimental User
Device (vfio-user) support; 2) Migration support for vhost-user devices;
3) VHDX disk image support; 4) Device pass through on MSHV hypervisor;
5) AArch64 for support virtio-mem; 6) Live migration on MSHV hypervisor;
7) AArch64 CPU topology support; 8) Power button support on AArch64; 9)
Various bug fixes on PTY, TTY, signal handling, and live-migration on
AArch64.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v18.0Fixes: #2543
Signed-off-by: Bo Chen <chen.bo@intel.com>
make kata-tarball is the main way to
build a kata in a single host. Lets
test it to make sure it works on every PR.
Fixes: #2416
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
- Run kata-deploy tarball generation action on every PR.
- Use kata-deploy makefile targets.
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
If a binary tarball for a single component is done,
the logs will be shown in stdout.
e.g.
make kernel-tarball
To build all a the same time still store logs in files.
make kata-tarball
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
Now that local-build kata-deploy makefile is inlucded in toplevel
makefile, lets use the suffix `-tarball` to avoid name collitions
and identify the tarball releted targets.
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
Use kata-deploy targets from toplevel.
This will help if want to build and
reinstall just one single kata component.
Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
Add how-to-setup-swap-devices-in-guest-kernel.md to how-to to introduce
how to setup swap device in guest kernel.
Fixes: #2326
Signed-off-by: Hui Zhu <teawater@antfin.com>
adds the default devices for unix such as /dev/null, /dev/urandom to
the container's resource cgroup spec
Fixes: #2539
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
This adds fields to BridgeDevice struct to allow qemu's io-reserve,
mem-reserve and pref64-reserve properties to be set for PCI bridges.
This is needed for Kata's upcoming change to ACPI hotplug.
fixes#200
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
zsh doesn't support "==" as equal comparison operator, so
replace "==" with "=" to make the script more portable
Fixes: #2584
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
The current default config in qemu for arm64 doesn't suit for qemu
version 5.1+, so remove them here.
Fixes: #2595
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This patch fixes inconsistent calculations of the rootfs size.
For `du` and `df`, `-B 1MB` is different from `-BM`. The
former is the power of 1000, and the latter is the power of
1024. So comparing them doesn't make sense. The bug may result
in a larger image than needed.
Fixes: #2560
Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
In snapcraft.yaml we have a case statement on $(branch) - that is on the
output of executing a command "branch". From the selections it appears
that what it actually wants is to simply select on the contents of the
$branch variable, which should be ${branch} instead.
fixes#2558
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There is no need to keep multiple copies of the license file in
different directory. We can just use the top level one for the project.
Fixes: #2553
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Use ExecuteBlockdevAddWithDriverCache with swap in
hotplugAddBlockDevice to handle swap file cannot work OK with
ExecuteBlockdevAddWithCache issue.
Fixes: #2548
Signed-off-by: Hui Zhu <teawater@antfin.com>
- tracing: Change runtime tracing tags to vars
- shimv2: add logging to shimv2 api calls
- drop qemu-lite support
- runtime: delete types or const that no longer needed
- runtime: Optimize the way slice created
- virtcontainers: simplify tests
- virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
- build_image: Fix error soft link about initrd.img
- ci: Temporarily skip agent shutdown test on s390x
- Fix version parsing for firecracker version 0.25 and over
- Osbuilder fixes
- docs: update the GoDoc url from runtime project to kata-containers/sr…
- docs: update `how-to` README file for Firecracker config
- ci/openshift-ci: Pull centos from registry.centos.org
- docs: update containerd CRI plugin url
2250360b docs: remove mentioning of qemu-lite
a9de761d runtime: drop qemu-lite support
8ae3edbc runtime: fix default hypervisor path
0c7789fa runtime: Add container field to logs
72e3538e shimv2: add information to method comment
8dadca9c shimv2: add logging to shimv2 api calls
a99fcc3a virtcontainers: simplify tests
39ffd8ee runtime: delete types or const that no longer needed
ff37f5c7 runtime: Optimize the way slice created
8f0f949a tracing: Move dynamically added attributes to Trace()
932ee41b virtcontainers: clh: Workaround incorrect default values
bff38e4f virtcontainers: clh: Fix the unit test
d967d3cb virtcontainers: clh: Use constructors to ensure proper default value
87de26bd tracing: Modify Trace() to accept multiple tag maps
8058e972 tracing: Change runtime tracing tags to vars
a6a2e525 virtcontainers: clh: Migrate to use the updated client APIs
9de1129b osbuilder: Fix rootfs-builder when running in VMs
65a1e131 osbuilder: Allow running the tool several times
a4214738 osbuilder: Fix Makefile
b8717f35 ci: Temporarily skip agent shutdown test on s390x
938981be build_image: Fix error soft link about initrd.img
2304f935 docs: update the GoDoc url from kata 1.x to 2.x
2a614577 docs: update `how-to` README file for Firecracker config
486baba7 docs: update containerd CRI plugin url
46eb07e1 virtcontainers: clh: Re-generate the client code
80fba4d6 virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
8594f80c ci/openshift-ci: Pull centos from registry.centos.org
87bbae1b fc: fix version parsing for fc >= 0.25
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
ExecuteBlockdevAddWithDriverCache has three one parameter driver
than ExecuteBlockdevAddWithCache.
Parameter driver can set the driver of block device.
Fixes: #198
Signed-off-by: Hui Zhu <teawater@antfin.com>
Where possible, move attributes added with AddTag() to Trace() call to
reduce the amount of code used for tracing.
Fixes#2512
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Two default values defined in the 'cloud-hypervisor.yaml' have typo, and this
patch manually overwrites them with the correct value as a workaround
before the corresponding fix is landed to Cloud Hypervisor upstream.
Signed-off-by: Bo Chen <chen.bo@intel.com>
With the updated openapi-generator, the client code now handles optional
attributes correctly, and ensures to assign the right default
values. This patch enables to use those constructors to make sure the
proper default values being used.
Signed-off-by: Bo Chen <chen.bo@intel.com>
The general Trace() function accepts one map as a set of tags. Modify it
to accept multiple sets of tags so that additional ones can be added at
Trace() and not as a subsequent call.
Additionally, we should not iterate over the maps unless tracing tracing
is enabled.
Fixes#2512
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Tracing tags are stored inconsistently throughout the runtime. Change
all instances of tracing tags to variables.
Fixes#2512
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
The client code (and APIs) for Cloud Hypervisor has been changed
dramatically due to the upgrade to `openapi-generator` v5.2.1. This
patch migrate the Cloud Hypervisor driver in the kata-runtime to use
those updated APIs.
The main change from the client code is that it now uses "pointer" type
to represent "optional" attributes from the input openapi specification
file.
Signed-off-by: Bo Chen <chen.bo@intel.com>
The script runs apt sync at some point which scans all possible fds
in order to close them. The operation is incredibly slow on VMs
and may lead to build timeouts.
Fix it by limiting the container runtime fds to a sane limit.
Fixes: #2510
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Once the ${ROOTFS_DIR} is created, the tool can't run the second
time since the directory is populated and the debootstrap tool
will fail.
Fix by deleting the contents of ${ROOTFS_DIR} if the directory exists.
Note that running make clean will also allow the re-run, it
is only an optimization for some cases the build fails in the middle.
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Let the DISTRO variable to be set from outside,
allowing "sudo -E DISTRO=<ANY> make clean" to delete the correct files.
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
the katatestutils GoDoc url stilled using the kata 1.x branch url. This PR fixed the
url from kata-containers/runtime/pkg/katatestutils to
kata-containers/kata-containers/src/runtime/pkg/katatestutils
Fixes: #2500
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
Remove the `Kata Containers with Firecracker` additional configuration steps.
From kata 2.x, the config of `firecracker` is same to `qemu` and `cloud-hypervisor`.
Fixes: #2492
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
update cri plugin source path to containerd pkg in the
how-to-use-k8s-with-cri-containerd-and-kata.md file. The cri project was moved to containerd project pkg directory.
Fixes: #2490
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
To improve the quality and correctness of the auto-generated code, this
patch upgrade the `openapi-generator` to its latest stable release
v5.2.1.
Fixes: #2487
Signed-off-by: Bo Chen <chen.bo@intel.com>
In order to avoid hit the pull requests limit of docker.io, this changed the
openshift-ci/images/Dockerfile.buildroot dockerfile to pull the centos image
from registry.centos.org.
Fixes#1636
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Generate `config-generated.go` file under src/runtime/cli/containerd-shim-kata-v2 before excuting test or coverage.
Fixes#2479
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
- use CRI in kata-monitor
- config: Enable jailer by default when using firecracker
- workflows: Actually push the release to quay.io
- docs: update general wording for installation documentation
- Cleanup kernel packaging
- tracing: Return context in runHooks() span creation
- osbuilder: Document no Alpine support on s390x
- osbuilder: Upgrade Ubuntu guest to 20.04
- agent: watcher / inotify stability fixes
- enable snap build for arm64
- agent: Fix cargo 1.54 clippy warning
- osbuilder: Drop Go agent support
- kernel: PTP_KVM support for arm/arm64 in Kata
- docs: update the docs project url from kata 1.x to 2.x
- clh: correct cloud-hypervisor installation on non-x86
- virtcontainers: fc: properly remove jailed block device
- CI: Call agent shutdown test
- kata deploy: always update the base image
- docs: Remove kata-proxy and invalid script reference
- workflows: Actually login to quay.io
- kata-deploy: Update our content to use / point to quay.io/kata-containers rather than katadocker
- agent: Create the process CWD when it does not exist
- Update Kata to allow it to use Qemu 6.1
- osbuilder/dracut: Add missing libraries
- osbuilder: pass env OS_VERSION
- tools: shorten directory path
- virtcontainers: clh: Do not use the default HTTP client
- docs: update kata deploy README doc to add cloud-hypervisor test command
- Container: Add initConfigResourcesMemory and call it in newContainer
- qemu/arm: remove nvdimm/"ReadOnly" option on arm64
- Fix issue container start fail if io.katacontainers.container.resource.swap_in_bytes and memory_limit_in_bytes are not set
- docs: Add tracing proposals doc
- docs: Remove table of contents
- static-checks: Check for the `force-skip-ci` label on each step
- docs: update the kata release url in the kata deploy document
- kata-deploy: Allow build kata-deploy tarball from HEAD
- mod: unify runc and containerd dependencies
- how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
- ci: Run static checks when PRs are updated
- docs: update url for log parser in how-to-import-kata-logs-with-fluen…
- versions: Upgrade to Cloud Hypervisor v17.0
- snap: Substitute image configuration with initrd
- docs: Update url for log parser in Developer guide
- mount: fix the issue of missing check file exists
- build(deps): bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /src/runtime
- docs: Update experimental documentation
- snap: do not export agent version
- Upgrade runc to 1.0.1
- runtime: read-only NVDIMM
- osbuilder/scripts: add support to yq version 4 and above
- osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
- monitor: mv the monitor socket into sbs directory
- fix govet fieldalignment
- docs: added a glossary to support SEO tactics
- ci: expand $CI to nothing
- Add swap support
- snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
- agent: clear MsFlags if the option has clear flag set
- snap: Remove QEMU before clone
- docs: fix minikube installation guide runtimeclasses error
- docs: fixed kata-deploy path for kata logs with fluentd doc
- agent/agent-ctl: update tokio to 1.8.1
- ci: set -o nounset
- static-checks: Add a make target to run static-checks locally
- virtiofsd: fix the issue of missing stop virtiofsd
- docs: Update containerd configuration format
- osbuilder: Skip installing golang for building rootfs
- agent-ctl: Use a common Makefile style like other components
- vsock-exporter: switch to tokio runtime
- config: Fix description for OCI hooks
- shimv2: fix the issue of kata-runtime exec failed
7a5ffd4a config: Enable jailer by default when using firecracker
2cb7b513 docs: update general wording for installation documentation
76f4588f workflows: Actually push the release to quay.io
b980c62f packaging/kernel: Update kernel build doc
99e9a6ad packaging/kernel: Update versions.yaml kernel urls
c23ffef4 packaging/kernel: Remove old Jenkins pipeline
9586d482 tracing: Return context in runHooks() span creation
6a6dee7c osbuilder: Document no Alpine support on s390x
71f304ce agent: watcher: cleanup mount if needed when container is removed
f1a505db agent: Temporarily allow unknown linters
961aaff0 agent: watcher: fixes to make more robust
7effbdeb osbuilder: Upgrade Ubuntu guest to 20.04
99ab91df docs: update the docs project url from kata 1.x to 2.x
4fe23b19 kernel: PTP_KVM support for arm/arm64 in Kata
f981fc64 clh: correct cloud-hypervisor installation
f87cee9d kata-deploy: Rely directly on a centos:7 image
6871aeaa snap: enable snap build for arm64
15e0a3c8 kata-deploy: Remove unneeded yum cached files
d01aebeb kata-deploy: Ensure the system is up-to-date
77160e59 workflows: Actually login to quay.io
b9e03a1c docs: update the image repository to quay.io
f47cad3d tools: Update the image repository to quay.io
9fa1febf workflows: Also push the image to quay.io
233b53c0 agent: Fix cargo 1.54 clippy warning
2d8386ea kata-monitor: add few unit tests
8714a350 kata-monitor: make code to identify kata pods simpler
68a6f011 kata-monitor: drop the runtime info from the sandbox cache
97dcc5f7 kata-monitor: drop getMonitorAddress()
0b03d97d vendor: update vendors for kata-monitor
c2f03e89 kata-monitor: talk to the container engine via the CRI
c867d1e0 osbuilder: Drop Go agent support
1d25d7d4 docs: Remove kata-proxy and binaries reference
64dd35ba virtcontainers: fc: properly remove jailed block device
b8133a18 osbuilder/dracut: Add missing libraries
831c2fee packaging: Remove reference to sheepdog driver
2e28b714 packaging: Drop support for qemu < 5.0
d5f85698 vendor: Update govmm
31650956 runtime/qemu: Use explicit "on" for kernel_irqchip parameter
a72b0811 osbuilder: pass env OS_VERSION
d007bb85 kata-deploy: shorten directory path
e6408fe6 Container: Add initConfigResourcesMemory and call it in newContainer
49083bfa agent: Create the process CWD when it does not exist
ee90affc newContainer: Initialize c.config.Resources.Memory if it is nil
767a41ce updateResources: Log result after calculateSandboxMemory
760ec4e5 virtcontainers: clh: Do not use the default HTTP client
3fe6695b static-checks: Check for the `force-skip-ci` label on each step
7df56301 CI: Call agent shutdown test
57b696a5 docs: Removed mention of 1.x
4f0726bc docs: Remove table of contents
f186c5e2 docs: Fix invalid URLs
7c610a6f docs: Fix shell code
80afba15 docs: update kata deploy README doc to add cloud-hypervisor test command
5a0d3c4f docs: update the kata release url in the kata deploy document
9514dda5 mod: unity containerd dependency
6ffe37b9 mod: unify runc dependency
5b514177 docs: Add tracing proposals doc
b53e8405 how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
5957bc7d ci: Run static checks when PRs are updated
81e6bf6f kata-deploy: Split shimv2 build in a separate container.
d46ae324 kernel: build: Add container build
b789a935 actions: release: Use new kata-deploy scripts.
85987c6d kata-deploy: Add Makefile
b9d2eea3 kata-deploy: Add script to merge kata tarballs.
4895747f Rootfs: Add curl to alpine rootfs builder.
fc90bb53 Actions: Add new workflow to create static tarballs
bbb06c49 actions: Remove scripts from actions directory.
2f9859ab build: Reuse firecracker directory on builds.
3533a5b6 Packaging: stop using GOPATH for yq.
0c5ded4b kata-deploy: build kata only with docker in host
2ec31093 docs: update url for log parser in how-to-import-kata-logs-with-fluentd.md
cc0bb9ae versions: Upgrade to Cloud Hypervisor v17.0
8e9ffe6f snap: Substitute image configuration with initrd
8b15eafa docs: Update url for log parser in Developer guide
77604de8 qemu/arm: remove nvdimm/"ReadOnly" option on arm64
4fbae549 docs: Update experimental documentation
07f7ad9d build(deps): bump github.com/containerd/containerd in /src/runtime
9c0b8a7f snap: do not export agent version
3727caf7 versions: Update runc to 1.0.1
116c29c8 cgroups: manager's Set() now takes Resources as its parameter
c0f801c0 rootless: RunningInUserNS() is now part of userns namespace
b5293c52 runtime: update runc dependency to 1.0.1
2859600a runtime: virtcontainers: make rootfs image read-only
8befb1f3 kata-deploy: Refactor builder options.
7125f5d8 image-builder: Allow build image and initrd independently.
0f8c0dbc osbuilder/scripts: add support to yq version 4 and above
070590fb vendor: update govmm
b4c45df8 runtime: tools/packaging/cmd/kata-pkgsync: fix govet fieldalignment
aec53090 runtime: virtcontainers/utils: fix govet fieldalignment
1e4f7faa runtime: virtcontainers/types: fix govet fieldalignment
bb9495c0 runtime: virtcontainers/pkg: fix govet fieldalignment
80ab91ac runtime: virtcontainers/persist: fix govet fieldalignment
54bdd018 runtime: virtcontainers/factory: fix govet fieldalignment
dd58de36 runtime: virtcontainers/device: fix govet fieldalignment
47d95dc1 runtime: virtcontainers: fix govet fieldalignment
8ca7a7c5 runtime: netmon: fix govet fieldalignment
31de8eb7 runtime: pkg: fix govet fieldalignment
2b80091e runtime: containerd-shim-v2: fix govet fieldalignment
0dc59df6 runtime: cli: fix govet fieldalignment
c1042523 ci: expand $CI to nothing
add480ed monitor: mv the monitor socket into sbs directory
f7c6f170 docs: added a glossary to support SEO tactics
a8649acf snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
38826194 osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
c5fdc0db docs: fix minikube installation guide runtimeclasses error
f2ef25c6 docs: fixed kata-deploy path for kata logs with fluentd doc
cb6b7667 runtime: Add option "enable_guest_swap" to config hypervisor.qemu
a733f537 runtime: newContainer: Handle the annotations of SWAP
2c835b60 ContainerConfig: Set ocispec.Annotations to containerConfig.Annotations
243d4b86 runtime: Sandbox: Add addSwap and removeSwap
e1b91986 runtime: Update golang proto code for AddSwap
4f066db8 agent: agent.proto: Add AddSwap
4f23b8cd ci: set -o nounset
35cbc93d agent: clear MsFlags if the option has clear flag set
ff87da72 config: Fix description for OCI hooks
8e0daf67 shimv2: fix the issue of kata-runtime exec failed
b12b21f3 osbuilder: Skip installing golang for building rootfs
558f1be6 snap: Remove QEMU before clone
5371b921 mount: fix the issue of missing check file exists
27b299b2 agent-ctl: Use a common Makefile style like other components
05084699 agent-ctl: bump to latest tokio
acf69328 agent: update tokio to 1.8.1
dcd29867 static-checks: Call the static-checks make target
afd97850 makefile: Add static-checks target
34828df9 virtiofsd: fix the issue of missing stop virtiofsd
73d3798c vsock-exporter: switch to tokio runtime
7960689e tracing: replace SimpleSpanProcessor with BatchSpanProcessor
e887b39e docs: Update containerd configuration format
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Now that we have enabled CI tests for jailed firecracker and we have
fixed the issue with removing the block storage device #2387, we
should leverage the full power of firecracker and enable jailer by
default.
Fixes: #2455
Signed-off-by: Jack Rieck <jack.rieck@sendgrid.com>
Remove duplicated information, reduce text separation, and rewrite notes
to be more clear and concise.
Fixes: #2449
Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
As quay.io is becoming our de-facto image registry, let's actually push
the kata-deploy release to it. This commit should've been part of
9fa1febfd9 but ended up slipping out.
Fixes: #2306
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The call to Trace() in runHooks() should return a context so that
subsequent calls to runHook() produce properly ordered trace spans.
Fixes#2423
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
As kubernetes version has been bumped to 1.22, let's bump the CRI-O
version accordingly.
Related: #2434
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's test our `main` branch against the latest version of k8s. In
order to do the bump, let's also update critools version accordingly.
Depends-on: github.com/kata-containers/tests#3818
Fixes: #2433
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Alpine used to work as guest under 1.x, but because there is no musl
target for Rust on s390x, Alpine will not work for 2.x. Document this.
Fixes: #2436
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
inotify/watchable-mount changes...
- Allow up to 16 files. It isn't that uncommon to have 3 files in a secret.
In Kubernetes, this results in 9 files in the mount (the presented files,
which are symlinks to the latest files, which are symlinks to actual files
which are in a seperate hidden directoy on the mount). Bumping from eight to 16 will
help ensure we can support "most" secret/tokens, and is still a pretty
small number to scan...
- Now we will only replace the watched storage with a bindmount if we observe
that there are too many files or if its too large. Since the scanning/updating is racy,
we should expect that we'll occassionally run into errors (ie, a file
deleted between scan / update). Rather than stopping and making a bind
mount, continue updating, as the changes will be updated the next time
check is called for that entry (every 2 seconds today).
To facilitate the 'oversized' handling, we create specific errors for too large
or too many files, and handle these specific errors when scanning the storage entry.
- When handling an oversided mount, do not remove the prior files -- we'll just
overwrite them with the bindmount. This'll help avoid the files
disappearing from the user, avoid racy cleanup and simplifies the flow.
Similarly, only mark it as a non-watched storage device after the
bindmount is created successfully.
- When creating bind mount, make sure destination exists. If we hadn't
had a successful scan before, this wouldn't exist and the mount would
fail. Update logic and unit test to cover this.
- In several spots, we were returning when there was an error (both in
scan and update). For update case, let's just log an warning and continue;
since the scan/update is racy, we should expect that we'll have
transient errors which should resolve the next time the watcher runs.
Fixes: #2402
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
- no need to create `/usr/lib/systemd/systemd` link any more
- install `chrony` as extra package and install extra packages in chroot
rather than `debootstrap`, because `chrony` provides `time-daemon`,
which under 20.04 is provided by `systemd-timesyncd`, which is
required by `systemd`, and `debootstrap`'s conflict resolvement can't
handle this, but `apt`'s can.
Fixes: #2147
Depends-on: github.com/kata-containers/tests#3636
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
changed the document project url in the using-vpp-and-kata.md and
runtime experimental README.md files.
Fixes: #2418
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
This work patched the 4.19, 5.4 and 5.10 kernels, and now ptp_kvm can work
correctly when the host and guest use different kernel versions..
Fixes: #2123
Signed-off-by: Damon Kwok <damon-kwok@outlook.com>
Currently, there is cloud hypervisor binary released only for x86, thus
we must build from source code when install cloud hypervisor on arm64.
Fixes: #2410
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Instead of relying on a centos/docker image, present only on dockerhub,
let's rely on the centos:7 image from the centos registry, and apply
the same modifications applied when generating the centos/systemd image.
The main reason for doing this is avoiding to update an image from 3
years ago, making the delta of the packages updated smaller.
If you're curious why we keep using CentOS 7 though, the reason is
because CentOS 8, and UBI images have a different systemd configuration
that works quite well when mounting the image using podman, but systemd
can't connect dbus when running on environments like AKS or even
minikube. So, in order to be as compatible as possible, let's keep
using the CentOS 7 image for now, at least till we find a suitable
substitute for that.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
snap build for arm64 fail for a long time, here we enable it.
the changes:
1. correct the variable of "branch"
2. add v5.1.0 under tag_patchs
Fixes: #2194
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Let's just remove the cached failes as those are not needed for anything
we do when using this image.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In order to avoid providing an image with security issues, let's ensure
we run `yum update` as part of our image build process. This is needed
as even with the latest CentOS images there may be fix provided by some
CVE that's already part of the updates but not yet part of the image.
In our case, it's even more needed as the `centos/systemd` image has not
been updated for 3 years or so and those are the vulnerabilities found
in the current images:
https://quay.io/repository/kata-containers/kata-deploy?tab=tagsFixes: #2303
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
9fa1febfd9 added the support to also push
the image to quay.io. However, we didn't try explicitly pass quay.io as
the registry server, causing then to login to fail.
Fixes: #2306
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
just search for the "kata" substring in the runtime value and log at
info level when the runtime name/type is not found.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
We keep the container engine info in the sandbox cache map, as the value
associated to the pod id (the key). Since we used that in
getMonitorAddress() only (which is gone) we can avoid storing that
information. Let's drop it.
Keep the map structure and the [put,delete]IfExists functions as we may
want to move to an event based cache update process sooner or later, and
we will need those.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
since the shim socket path is statically defined in the containerd-shimv2
code, we don't need to retrieve the socket name from the filesystem:
construct the socket name using the containerd-shimv2 code.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
kata-monitor switched from containerd client to CRI. Update the
dependencies and vendored code.
go mod tidy
go mod vendor
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
kata-monitor uses containerd client to retrieve information from the
container engine. This makes kata-monitor work with the containerd
container engine only.
Bin Liu (bin <bin@hyper.sh>) worked on a kata-monitor version able
to talk to any container engine leveraging the standard CRI[1].
Here, the original work of Bin Lui has been adapted on the current
kata-monitor to make it container engine independent.
[1] https://github.com/liubin/kata-containers/tree/fix/1030-use-cri-in-kata-monitorFixes: #1030
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
With Kata 1.x EOL, the Go agent is no more. So, remove support for it from
the osbuilder scripts. This removes the RUST_AGENT variable, treating it
as always true.
fixes#2396
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Kata-proxy is not longer used in kata 2.x, this PR removes the
reference as well to an script that is not longer existing.
Fixes#2391
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
When running a firecracker instance jailed, block devices
are not removed correctly, as the jailerRoot path is not
stripped from the PATCH command sent to the FC API.
This patch differentiates the jailed case from the non-jailed
one and allows the firecracker instance to be properly
terminated.
Fixes#2387
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
When the guest is built using dracut and the agent uses glibc (esp.
ppc64le/s390x), libraries might be missing. In my case, it was
`libutil.so`, but more can be added easily. Add a script to configure
`install_items` for dracut w.r.t. `ldd` of the agent.
Fixes: #2384
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The CRI-O integration test suite has two tests that fail because they search for
"not found" in the error message, but we emit "is not exist".
Change the error message to match the expectations of the test suite.
Fixes: #2036
Reported-by: Julien Ropé <jrope@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The QEMU sheepdog driver was deprecated in 5.2.0 and removed entirely in
6.1. Explicitly disabling, therefore is unnecessary from 5.2.0 and will
give an error from 6.1.
fixes#2337
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We only test qemu 5.2 in the CI (5.1 for ARM), and I believe we already
have some subtle dependencies that will stop things working on older qemu
versions.
We just updated govmm to a version that explicitly only works with qemu 5.0
and later, so we can drop stale checks for older qemu versions. More
specifically that means we can drop patches for older qemu versions, and
remove checks for older qemu versions from configure-hypervisor.sh.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Update to commit 3c64244cbb, in particular to get these fixes which
are needed to work with qemu-6.0 and later:
https://github.com/kata-containers/govmm/pull/192https://github.com/kata-containers/govmm/pull/194
Git log
d27256f (qmp: Don't use deprecated 'props' field for object-add, 2021-08-03)
d8cdf9a (qemu: Drop support for versions older than 5.0, 2021-08-03)
1b02192 (Use 'host_device' driver for blockdev backends, 2021-07-29)
9518675 (add support for "sandbox" feature to qemu, 2021-07-20)
335fa81 (qemu: fix golangci-lint errors, 2021-07-21)
61b6378 (.github/workflows: reimplement github actions CI, 2021-07-21)
9d6e797 (go: support go modules, 2021-07-21)
0d21263 (qemu: support read-only nvdimm, 2021-07-21)
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Kata uses the 'kernel_irqchip' machine option to qemu. By default it
uses it in what qemu calls the "short-form boolean" with no parameter.
That style was deprecated by qemu between 5.2 and 6.0 (commit
ccd3b3b8112b) and effectively removed entirely between 6.0 and 6.1
(commit d8fb7d0969d5).
Update ourselves for newer qemus by using an explicit
"kernel_irqchip=on".
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use of the 'props' argument to 'object-add' has been deprecated since QEMU
5.0 (commit 5f07c4d60d09) in favor of flattening the properties directly
into the 'object-add' arguments. Support for 'props' is removed entirely
in qemu 6.0 (commit 50243407457a).
fixes#193
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Kata requires version 5.2 (or 5.1 on ARM) anyway. Simplify code by
dropping support for older versions. In any case explicit checks against
version number aren't necessarily reliable for patched qemu versions.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With lines like
0a2e2c6038/tools/osbuilder/rootfs-builder/fedora/config.sh (L8)
we imply that one can set another OS_VERSION and it will get picked up.
This is not the case when building inside Docker/Podman because the
variable is not passed to the container, which can lead to confusion.
Forward this env.
Fixes: #2378
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
long file paths are difficult to read, this change adds a new readonly variable to shorten the full file path of the static build folder files.
Fixes: #2354
Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
The swappiness is not right if just set
io.katacontainers.container.resource.swappiness:
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
name: busybox-killed-vmm
annotations:
io.katacontainers.container.resource.swappiness: "100"
image:
image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
crictl exec $cid cat /sys/fs/cgroup/memory/memory.swappiness
60
The cause of this issue is there are two elements store the resources
infomation. They are c.config.Resources for calculateSandboxMemory and
c.GetPatchedOCISpec() for agent.
This add initConfigResourcesMemory to Container and call it in
newContainer to handle the issue.
Fixes: #2372
Signed-off-by: Hui Zhu <teawater@antfin.com>
Although the OCI specification does not explictly requires that, we
should create the process CWD if it does not exist, before chdir'ing
to it. Without that fizx, the kata-agent fails to create a container
and returns a grpc error when it's trying to change the containerd
working directory to an non existing folder.
runc, the OCI runtime reference implementation, also creates the process
CWD when it's not part of the container rootfs.
Fixes#2374
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When enabling tracing with Cloud Hypervisor, we end up establishing 2
connections to 2 different HTTP servers: The Cloud Hypervisor API one
that runs over a UNIX socket and the Jaeger endpoint running over UDP.
Both connections use the default HTTP golang client instance, and thus
share the same transport layer. As the Cloud Hypervisor implementation
sets it up to be over a Unix socket, the jaeger uploader ends up going
through that transport as well, and sending its spans to the Cloud
Hypervisor API server.
We fix that by giving the Cloud Hypervisor implementation its own HTTP
client instance and we avoid sharing it with anything else in the shim.
Fixes#2364
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
This is not the most beautiful solution, but when do the check on every
single step we ensure the test at least started, and consequently will
succeed.
Without this the tests wouldn't even start, making any PR using the
`force-skip-ci` label not mergeable.
Fixes: #2362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Run the agent shutdown test as part of CI testing code in this repo.
Fixes: #1808.
Depends-on:github.com/kata-containers/tests#3495
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
All users should be running 2.x releases so remove the legacy details
since it's arguably confusing to have two sets of details.
Reworked the components listed in the main README so that rather than
being sorted alphabetically, they are now sorted in semi-order of
importance and split into two tables to make the point more clearly.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Removed all TOCs now that GitHub auto-generates them.
Also updated the documentation requirements doc removing the requirement
to add a TOC.
Fixes: #2022.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kata deploy README document only contains Firecracker and Qemu. This PR adds
cloud-hypervisor test command to the README.md file.
Fixes: #2357
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
The old ones are carrying CVEs, do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since the old ones are carrying CVEs. Do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Fixes: #2338
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Create a document summarising the tracing design proposals
from PR #1937.
Fixes: #2061.
Signed-off-by: bin <bin@hyper.sh>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
ExecuteBlockdevAdd() and ExecuteBlockdevAddWithCache() both appear to be
intended to create block devices in the guest which backend onto a block
device in the host. That seems to be the way that Kata always uses it.
However blockdevAddBaseArgs(), used by both those functions always uses the
"file" driver, which is only intended for use with regular file backends.
Use of the "file" driver for host block devices was deprecated in qemu-3.0,
and has been removed entirely in qemu-6.0 (commit 8d17adf34f5). We should
be using the "host_device" driver instead.
fixes#191
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Looking at the changes that could cause the static-checks not to run
when a PR is updated I think 7db8a85a1f
could be the one that introduced such a regression.
Let's (try to) fix this by enforcing the workflow to run also when the
PR has been "edited" and "synchronized".
Fixes: #2343
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add makefile to document possible options to run.
e.g
Default: Create a kata tarball, it will build assets concurrently.
```
$ make
```
Create a tarball build for cloud-hypervisor.
```
$ make cloud-hypervisor
```
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
If alpine image is created inside a container,
it does not get any golang version data. It will try
to get it by installing yq. To install yq curl is used.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Tarballs are generated on push and merge events.
push: Allows get a tarball from the PR and use locally.
merge: After a PR is merged we have a quick way to get latest
kata-tarball.
The tarball can be downloaded from github page only.
Fixes: #1710
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
kata-deploy buider now reuses the build directory, this
makes faster rebuilds. Update firecracker builder to
not fail if is called twice.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Use the yq installed in the env. Needed
to build kata from docker. The container builder
has not an initial Go env.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Add script to build kata using docker.
Allow build kata-deploy binaries using docker.
kata-deploy-binaries-in-docker.sh is a wrapper of
kata-deploy-binaries.sh it will call kata-deploy-binaries.sh in a
container with all the dependencies installed.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
rather than removing the other line because configuration only contains
the image line ever more and this is how we already do it in tests.
Fixes: #2330
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This PR updates the proper url for log parser for kata 2.x for
the Developer Guide document.
Fixes#2328
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
There is a new "ReadOnly" option added to nvdimm device in qemu
and now added to kata. However, qemu used for arm64 is a little
old and has no this feature. Here we remove this feature for arm.
Fixes: #2320
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This PR updates the experimental documentation with the proper reference
to kata 2.x
Fixes#2317
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This causes the repository to be checked out to a version tag, which is
inconsistent with how we build runtime, and reverts us to a buggy
`snap/snapcraft.yaml`.
Fixes: #2313
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Let's ensure the runc version installed and used for running our tests
matches the vendored version.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Pior our bump to runc 1.0.1 the manager's Set() would take a Config as
its parameter. Now it takes the Resources directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Previously part of the "system" namespace, the RunningInUserNS() has
been moved to the "userns" namespace.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Dependabot brought to us attention that we were still vendoring the runc
code which was affected by CVE-2021-30465.
Although the vulnerability doesn't seem to affect kata-containers, we
better keep our dependencies up-to-date anyways. With this in mind,
let's bump our runc dependency to the latest release.
Fixes: #2309
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Improve security by making rootfs image read-only, nobody
will be able to modify it from the guest.
fixes#1916
Signed-off-by: Julio Montes <julio.montes@intel.com>
Update the govmm code in order to support "sandbox" feature on qemu,
which can introduce another protect layer on the host,
to make the secure container more secure.
Fixes: #185
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
Update kata-deploy-binaries.sh cli options.
Add options to allow ask build a tarball for a specific asset.
It will help developers build a specific component and update
a kata-deploy installation. Also build each asset independetly
can help to create cache tarballs per asset in the future.
e.g. Build a tarball with shimv2.
```
./kata-deploy-binaries.sh --build=shim-v2
```
Additionally, the script path is moved to a new directory
as not only will work for releases.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
yq changed syntax in an incompatible way starting from version 4 and
above. Deal with that.
Fixes: #2297
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Bring read-only nvdimm support
Shortlog:
335fa81 qemu: fix golangci-lint errors
61b6378 .github/workflows: reimplement github actions CI
9d6e797 go: support go modules
0d21263 qemu: support read-only nvdimm
ff34d28 qemu: Consistent parameter building
Signed-off-by: Julio Montes <julio.montes@intel.com>
* Remove golang 1.13 and 1.14, add golang 1.16
* gometalinter has been deprecated, use golangci-lint instead
Signed-off-by: Julio Montes <julio.montes@intel.com>
Append `readonly=on` to a `memory-backend-file` object and
`unarmed=on` to a `nvdimm` device when `ReadOnly` is set to `true`
Signed-off-by: Julio Montes <julio.montes@intel.com>
PR #2252 put `set -o nounset` in `ci/lib.sh`. It turns out that this
won't work when `$CI` is unset (it is always set in CI). Expand `$CI` to
nothing.
Fixes: #2283
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Since the monitor socket used the unix socket path file,
which needed to be cleaned after the pod terminated,
thus put it into the sandbox data directory, and it
would be cleaned up once the sandbox termianted.
Fixes: #2269
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
This commit is a result of Assisted PR Process for PR #1515. It
deviates from it in that the original commits were not retained as the
original commit structure was unnecessarily complex - the same commit
was added to two parallel branches which were then merged, producing the
same result in the end as any of the original two non-merge commits.
Also, a squash was requested by an original PR review.
Other changes to the original PR were changing capitalisation of the word
"Kubelet" in Glossary.md to placate spell checker and fixing link names and
syntax.
The original commit message follows:
The terms added are: Kata Containers, container software, container
runtime interface, virtual machine software, container virtualization,
container security solutions, serverless containers, pod containers,
virtual machine monitor, private cloud, infrastructure architecture,
public cloud, and auto scaling.
Fixes: #1509
Signed-off-by: Helena Spease <helena@openstack.org>
Signed-off-by: Pavel Mores <pmores@redhat.com>
fixed arm qemu patches dir in snap part. Clear the old `packaging/obs-packaging` path.
Fixes: #2279
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
the kata-deploy project scripts were changed, but minikube installation guide doc still use old yaml script.
fix guide doc use the new yaml script of runtimeClasses.
Fixes: #2276
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
The kata-deploy project path has changed from kata v2. fixed kata-deploy path in the document how-to-import-kata-logs-with-fluentd.md.
The correct path is `$GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy`
Fixes: #2273
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
This commit add option "enable_guest_swap" to config hypervisor.qemu.
It will enable swap in the guest. Default false.
When enable_guest_swap is enabled, insert a raw file to the guest as the
swap device if the swappiness of a container (set by annotation
"io.katacontainers.container.resource.swappiness") is bigger than 0.
The size of the swap device should be
swap_in_bytes (set by annotation
"io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
If swap_in_bytes and memory_limit_in_bytes is not set, the size should be
default_memory.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
This commit add code to handle the annotations
"io.katacontainers.container.resource.swappiness" and
"io.katacontainers.container.resource.swap_in_bytes".
It will set the value of "io.katacontainers.resource.swappiness" to
c.config.Resources.Memory.Swappiness and set the value of
"io.katacontainers.resource.swap_in_bytes" to
c.config.Resources.Memory.Swap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
ocispec.Annotations is dropped in ContainerConfig.
This commit let it to be set to containerConfig.Annotations in
ContainerConfig.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
addSwap will create a swap file, hotplug it to hypervisor as a special
block device and let agent to setup it in the guest kernel.
removeSwap will remove the swap file.
Just QEMU support addSwap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
Add new fuction AddSwap. When agent get AddSwap, it will get the device
name from PCIPath and set the device as the swap device.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
'FLAGS' hash map has bool to indicate if the flag should be cleared or
not. But in parse_mount_flags_and_options() we set the flag even 'clear'
is true. This results in a 'rw' mount being mounted as 'MS_RDONLY'.
Fixes: #2262
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
Seems that at least some versions of container, when using ConifgPath,
still rely on the runtime options and its APIs from the not in use
anymore github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1.
The fact backward compat breaks when moving from the old to the new
runtime options, which happened as part of f60641a6e6d, strongly feels
like a containerd bug. Regardless, we can easily work this around on
our side without much hassle.
Just by importing old runtime options the unmarshalling doesn't break
anymore and we can easily check whether getting the options fails or not
and fallback to the old way if it does.
Fixes: #2258
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Always join by ",", do not put commas in the parameter slices. Always
use the variable name `deviceParams`.
Fixes: #180
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Commit 32c9ae1388 upgrade the
containerd vendor, which used the socket path to replace
the abstract socket address for socket listen and dial, and
there's an bug in containerd's abstract socket dialing.
Thus we should replace our monitor and exec socket server
with the socket path to fix this issue.
Fixes: #2238
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Building rootfs does not depend on golang, delete intalling
golang may save build time.
And there is only rust agent now, the code for golang agent should
be deleted too.
Fixes: #2170
Signed-off-by: bin <bin@hyper.sh>
If you snap in an environment where you previously snapped,
`git clone`ing QEMU will fail. Remove the checkout directory.
Fixes: #2249
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
It's better to check whether the destination file exists
before creating them, if it had been existed, then return
directly.
Fixes: #2247
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Update to latest tokio to address RUSTSEC-2021-0072:
Task dropped in wrong thread when aborting `LocalSet` task
Update the toml to specify just 1.x for the tokio version.
Fixes: #2165
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
While doing the release we've faced the following issue:
```
Dockerfile for action: '/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile'.
/usr/bin/docker build -t 8a33c1:c0625fe487ce5e4c8217747bef28861f -f "/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile" "/home/runner/work/kata-containers/kata-containers/packaging/kata-deploy/action"
Sending build context to Docker daemon 15.87kB
Step 1/12 : FROM microsoft/azure-cli:latest
pull access denied for microsoft/azure-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```
Carlos pointed out that the image has gone awry and that we could use
mcr.microsoft.com/azure-cli instead.
Fixes: #2240
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Instead of calling the ci/static-checks.sh script directly, it was changed the
workflow to call `make static-checks`. And because the `static-checks` target
depends on build, the build step in the workflow is not longer needed.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Added the 'static-checks' make target to allow developers to easily run
the static checks locally.
Fixes#2206
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
- runtime: Register defer function at early stage
- Ensure the go vendored code is up-to-date and that we actually can call `cargo vendor` on every pull-request
- ci: add golang 1.16 to the CI
- Update outdated comments and do some minor reworks
- snap: Build initrd on ppc64le & s390x
- ci: static checks: use defined target_branch
- trace-forwarder: Add option rustflags, target, build-type for the make
- CI: Honour force-skip-ci label
- qemu: stop the virtiofsd specifically
- tracing: Consolidate tracing into a new katatrace package
- runtime: return error if clh's binary doesn't have a normal stat
- osbuilder: Fix the order of checking the distro config directory
- agent: Fix to parsing of /proc/self/mountinfo
- runtime: Fix lint issues
- snap: Miscellaneous s390x fixes
- runtime: Use CC=gcc on all RPM-based s390x
- s390x: Enable virtio-blk-ccw
- forwarder: Add dump only option
- shimv2: fix the issue of leaking the hypervisor processes
- runtime: Remove the version check for cloud hypervisor
- agent: fix wrong regular exp to fetch guest-cid
- runtime: refact virtcontainers/pkg/oci
- agent: enhance tests of execute_hook
- agent: Cleanup config
- Pass span context from runtime to agent to get a full trace #1968
- agent: update netlink libraries
- shimv2: update containerd vendor
- runtime: Format golang proto code
- agent: delete some lint attributes
- docs: Fix url in virtiofs documentation
- tools: agent-ctl: Fix build failure
- cargo: Use latest nix crate for all Rust code bases
- virtcontainers: Don't fail memory hotplug
- Add "watchable-mounts" concept to allow for inotify support of specific types of mounts.
- tracing: Make runHooks() span creation return context
- kernel: Add Secure Execution guest
- packaging: Support Podman in QEMU build
- Update qat version
- docs: Set LIBC=gnu for s390x too
- shimv2: fix the issue of leaking wait goroutines
- runtime: report finish time in containers stats
- docs: Fix typos in Developer Guide
- docs: Update urls for Documentation Requirements document
- runtime: update default machine type to q35
- docs: fix brackets usage error for developer guide
- Remove the pc machine
- runtime: do not hot-remove PMEM devices
- docs: Update kata-deploy urls for installation document
- docs: Update url for installation guides
- agent: Add some mount options and sort the options alphabetically
- runtime: using detail propertites instead of function name in log field
- qemu: Add nvdimm read-only file support
- ci: snap: Fetch history to all branches and tags
- memory_offset must be larger than 32 bit
- containerd-shim-v2: Skip TestIoCopy unit test
- ppc64le: Adding test for appendProtectionDevice
- agent: Update rust version for tokio
- Upgrade mio to v0.7.13 to fix epoll_fd leak problem
- osbuilder: fix log message that is not error but seems like an error
- docs: Update url for breaking compatibility
- docs: Remove docker support with kata 2.x and sysctls
- docs: Update README for runtime documentation
- Support SEV
- test: Add a unit test for ioCopy()
- versions: Upgrade to cloud-hypervisor v16.0
e3860691 static-checks: Restrict static checks to go 1.15 and 1.16
f4fbf723 runtime: Update vendored code
a20074d4 static-checks: Check the vendored code
ac8f972e build: Add `make vendor`
f9643d83 agent-ctl: Add `make vendor`
5e69b498 trace-forwarder: Add `make vendor`
a104f132 agent: Add `make vendor`
579b3f34 runtime: Add `make vendor`
930ca55d runtime: Add `make handle_vendor`
39546a10 runtime: delete not used functions
d0bc148f runtime: Register defer function at early stage
350acb2d virtcontainers: refactoring code for error handling in sandbox
858f39ef virtcontainers: update wrong comments for code
e0a19f6a virtcontainers: update API documentation
8d6dd2ad snap: support golang 1.16.x
a48dc93f versions: update newest golang version
37996791 ci: add 1.16 to the list of golang versions to test
6999dcca trace-forwarder: Add option rustflags, target, build-type for the make
7db8a85a CI: Honour force-skip-ci label
007a6561 snap: Build initrd on ppc64le & s390x
9b8cc458 ci: static checks: use defined target_branch
9081bee2 runtime: return error if clh's binary has not a normal stat
b10e3e22 tracing: Consolidate tracing into a new katatrace package
88e70759 osbuilder: Fix the order of checking the distro config directory
1ab72518 agent: Fix to parsing of /proc/self/mountinfo
8f76626f qemu: stop the virtiofsd specifically
da3de3c2 shim-v2: Fix `gosimple` issue on utils_test.go
305fb054 virtcontainers: Fix `gosimple` issue on client.go
89cf168c virtcontainers: Ignore a staticcheck error on cpuset.go
2cc9006c snap: Miscellaneous s390x fixes
28b2c629 runtime: Use CC=gcc on SUSE s390x too
cfd690b6 virtcontainers: Use virtio-blk-ccw on s390x
8758ce26 agent: Enable virtio-blk-ccw
a33d6bae forwarder: Add dump only option
4c809a53 shimv2: fix the issue of leaking the hypervisor processes
d08603be runtime: Remove the version check for cloud hypervisor
2c943012 agent: fix wrong regular exp to fetch guest-cid
e6b1766f agent: Cleanup config
55c5c871 agent: enhance tests of execute_hook
bd595124 runtime: add spans and attributes for agent/mount
65d2fb5d agent: remove instrument attribute for some simple functions
cfb8139f agent: add more instruments for RPC calls
ae46e7bf runtime: pass span context to agent in ttRPC client
66dd8719 runtime: refact virtcontainers/pkg/oci
d671f789 agent: fix the issue of convert OCI spec to RPC spec
f607641a shimv2: fix the issue bring by updating containerd vendor
79e632bc version: update the cri-containerd to v1.5.2
32c9ae13 shimv2: update containerd vendor
aa264f91 agent: update netlink libraries
34bdddbe docs: Fix url in virtiofs documentation
3e8a07c4 tools: agent-ctl: Fix build failure
f6294226 cargo: Use latest nix crate for all Rust code bases
064dfb16 runtime: Add "watchable-mounts" concept for inotify support
3f0f1ceb docs: inotify: add initial documentation
6a93e5d5 agent: Initial watchable-bind implementation
57c0cee0 runtime: Cleanup mountSharedDirMounts, shareFile parameters
772c117d kernel: Add Secure Execution guest
f35ba94d packaging: Support Podman in QEMU build
8310a3d7 virtcontainers: Don't fail memory hotplug
ecd13ec4 docs: Update QAT docs with newer driver version
a822cdf6 osbuilder: Update QAT driver version
6a1a051c runtime: report finish time in containers stats
fe0085ca docs: Set LIBC=gnu for s390x too
08984b6e docs: Update urls for Documentation Requirements document
b3623a2c shimv2: fix the issue of leaking wait goroutines
2322f935 runtime: update default machine type to q35
11f9a914 docs: fix brackets usage error for developer guide
1316fa53 docs: Fix typos in Developer Guide
ac6b9c53 runtime: Hot-plug virtio-mem device on PCI bridge
789a5954 virtcontainers: Remove the pc machine
caf5760c runtime: Update golang proto code
bd20701f docs: Update kata-deploy urls for installation document
a9aa36ce docs: Update url for installation guides
ecdd137c runtime: do not hot-remove PMEM devices
000049b6 agent: delete some lint attributes
3f39df0d qemu: Add nvdimm read-only file support
23d31d5a ci: snap: Fetch history to all branches and tags
2022c64f runtime: using detail propertites instead of function name in log field
361bee91 runtime/virtcontrainers: fix alignment structures
6be8bf5c docs: update annotations documentation
7834f412 virtcontainers: change memory_offset to uint64
bd27f7ba agent: Sort PROPAGATION and OPTIONS alphabetically to scan easily
ad06eb90 containerd-shim-v2: Skip TestIoCopy unit test
ea9bb8e9 ppc64le: Adding test for appendProtectionDevice
799cb272 agent: Upgrade mio to v0.7.13 to fix epoll_fd leak problem
45fd58d1 osbuilder: fix log message that is not error but seems like an error
2fb176dd docs: Update url for breaking compatibility
601e2b65 docs: Remove docker support with kata 2.x and sysctls
be316945 virtcontainers: Fix TestQemuAmd64AppendProtectionDevice()
240aae96 docs: Update README for runtime documentation
8825bb29 agent: Update rust version for tokio
cabddcc7 tracing: Make runHooks() span creation return context
e544779c agent: Add some mount options
85c40001 versions: Upgrade to cloud-hypervisor v16.0
b26d5b1d virtcontainers: Support SEV
81c6e4ca runtime/vendor: add github.com/intel-go/cpuid
a918c46f test: Add a unit test for ioCopy()
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Make the vsock-exporter async totally using tokio runtime.
And delay the timing of the connection to trace-forwarder so that
it is easy to reconnect when the connection was broken.
Fixes: #2234
Signed-off-by: Tim Zhang <tim@hyper.sh>
Seems that we get different results when running it with go 1.13.
Instead of figuring out why it doesn't work as expected with an EOL
version of go, let's just not run the tests on go versions that are
already dead.
https://endoflife.date/go
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's ensure we always have the go vendored code up-to-date and that the
rust vendor does actually work.
Fixes: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add a top-level `vendor` entry, which will help us when adding the
vendor check as part of the static checks.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's add this target so we can actually enforce, as part of the static
checks (which will be added in a follow-up commit), that our vendored go
code is up-to-date.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This will help us to ensure that we always update the vendored code when
needed. Right now we've been lacking behind and we tend to realise
something change during the next mandatory update, which is not exactly
optimal.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Use a defined error variable replade inplace error, and shortcut
for handling errors returned from function calls.
Fixes: #2187
Signed-off-by: bin <bin@hyper.sh>
instead of image, does not require privileged containers since `losetup`
is not used and is thus more portable for various build environments.
Fixes: #2218
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
`containerd` has adopted a new configuration style. Update the example configuration to reflect the change.
Fixes: #2180
Signed-off-by: Yujia Qiao <qiaoyujia@bytedance.com>
When checking clh's binary path if valid, return error even
though the error is not a IsNotExist error.
And add errors to log filed when errors occurred.
Fixes: #2208
Signed-off-by: bin <bin@hyper.sh>
Removes custom trace functions defined across the repo and creates
a single trace function in a new katatrace package. Also moves
span tag management into this package and provides a function to
dynamically add a tag at runtime, such as a container id, etc.
Fixes#1162
Signed-off-by: Benjamin Porter <bporter816@gmail.com>
get_mounts() parses /proc/self/mountinfo in order to get the mountpoints
for various cgroup filesystems. One of the entries in mountinfo is the
"device" for each filesystem, but for virtual filesystems like /proc, /sys
and cgroups, the device entry is arbitrary. Depending on the exact rootfs
setup, it can end up being "-".
This breaks get_mounts() because it uses " - " as a separator. There
really is a " - " separator in mountinfo, but in this case the device entry
shows up as a second one. Fix this, by changing a split to a splitn, which
will effectively only consider the first " - " in the line.
While we're there, make the warning message more useful, by having it
actually show which line it wasn't able to parse.
fixes#2182
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We'd better stop the virtiofsd specifically after stop qemu,
instead of depending on the qemu's termination to notify virtiofsd
to exit.
Fixes: #2211
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
For some reason our static check started to get opinionated about code
that's been there for ages.
One of the suggestions is to improve:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/containerd-shim-v2
utils_test.go:76:36: S1039: unnecessary use of fmt.Sprintf (gosimple)
testDir, err = ioutil.TempDir("", fmt.Sprintf("shimV2-"))
```
And that's what this PR is about.
Fixes: #2204
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
For some reason our static check started to get opinionated about code
that's been there for ages.
One of the suggestions is to improve:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/client
client.go:431:2: S1017: should replace this `if` statement with an unconditional `strings.TrimPrefix` (gosimple)
if strings.HasPrefix(sock, "mock:") {
```
And that's what this PR is about.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
First of all, cpuset.go just comes from kubernetes and we shouldn't be
doing much with this file apart from updating it every now and then
(but that's material for another PR).
Right now, due to some change on the static checks we use as part of our
CI, we started getting issues as:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/cpuset
cpuset.go:60:2: SA4005: ineffective assignment to field Builder.done (staticcheck)
b.done = true
```
For those, let's just ignore the lint and move on.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
- Ported from https://github.com/kata-containers/tests/pull/3612:
Install protobuf-compiler for agent build on ppc64le & s390x
- Fixes in image target for ppc64le & s390x
- Install image instead of initrd since it's preferred
- Use Ubuntu as base since Alpine requires a musl agent (cannot be
built on ppc64le & s390x because there is no such Rust target)
- Ported from
https://github.com/kata-containers/kata-containers/pull/1265:
Fix vmlinux install path
- Install libseccomp-dev on all architectures, not just x86_64
Fixes: #2192
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Added a `--dump-only` option which disables forwarding of trace spans.
This essentially makes the forwarder a NOP but can be useful for testing
purposes.
Fixes: #2132.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Since we only send an shutdown qmp command to qemu when do
stopSandbox, and didn't wait until qemu process's exit, thus
we'd better to make sure it had exited when shimv2 terminated.
Thus here to do the last cleanup of the hypervisor.
Fixes: #2198
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
It looks like the version check for cloud hypervisor (clh) was added
initially when clh was actively evolving its API. We no longer need the
version check as clh API has been fairly stable for its recent releases.
Fixes: #1991
Signed-off-by: Bo Chen <chen.bo@intel.com>
Fix the incorrect regular expression to fetch the guest context ID.
In " [^,][^,]* ", [^,]* will match to the next ",",
which is after "socket", so finally got incorrect result.
Use egrep -o "guest-cid=[0-9]*" instead.
Fixes: #2124
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
This commit clean up config parsing and testing code to make it a bit more easy to maintain.
- Adds `with_context` from anyhow to include the underlying error. This helps to understand what exactly went wrong.
- Uses ensure and bail as a shorter alternative for `if` checks.
- TestData in test_parse_cmdline is now implements Default to reduce boilerplate code
- Remove `make_err` as it doesn’t make any sense.
Fixes: #2177
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Use which to find the full path of exe before run execute_hook
to avoid error: 'No such file or directory'
Fixes: #2172
Signed-off-by: Tim Zhang <tim@hyper.sh>
For some simple functions that only process memory data(list/hashmap),
they don't need to be instrumented.
And sometime they may generate non-parent spans, if they are called from
daemon-style "threads".
Fixes: #1968
Signed-off-by: bin <bin@hyper.sh>
Pass span context through ttRPC metadata, that
agent can get parent from the context to create
new sub-spans.
Fixes: #1968
Signed-off-by: bin <bin@hyper.sh>
Use common functions wrapping logic of getting values
from annotations, parsing bool/uint32/uint64 and setting
to struct fields.
Fixes: #2082
Signed-off-by: bin <bin@hyper.sh>
Since the rpc spec used an interface to represen the ErrnoRet,
thus the transform function of OCItoGRPC should take care of
this case.
Depends-on: github.com/kata-containers/tests#3629
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Fix the mismatch bring by the upgrading of vendor of containerd,
cgroup and runtime spec.
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Since the latest containerd's shimv2 had changed the socket
from abstract unix socket to path unix socket, thus we'd
better to update the vendor to match with the latest containerd.
containerd from v1.3.9, v1.4.3 and v1.5.0 used the path unix socket
instead of abstract socket, thus kata wouldn's support the
containerd's version older than them.
Fixes: #1441
short logs:
15d9703d6 Remove ARM64 releases from release notes
5d2e8e86d Revert "Release artifacts for Linux ARM64"
7942ae68b Revert "Specify seccomp target arch for CC"
3187b6dc8 tests: Adds consumed memory stats test
969ec8949 Specify seccomp target arch for CC
c19b7b64d RELEASES.md: recommend alternatives for deprecated
features
8a62aa1c3 Deprecate built-in aufs snapshotter
4e7915f80 CI: allow Go 1.13 for Docker/Moby compatibility
8e589e873 Vagrantfile: update to Fedora 34
5847340a7 tests: Refactors container image usage
9f43eade6 Prepare v1.5.0-rc.3 release notes
4c7b960cb prow needs some additional setup for docker buildx
2e4c1d4b7 Use the multi-arch version of the test images
4e00c4b65 integration tests needs lsof
177273680 Add script to build test images
1b5d59dfe Add multi-arch support for test images
78e529727 add integration tests
2b0e6cdd4 Separate jobs for build and test for openlab/arm64
cdd075853 Release artifacts for Linux ARM64
efcb18742 Add unit tests for PID NamespaceMode_TARGET validation
b48f27df6 Support PID NamespaceMode_TARGET
909660ea9 process: use the unbuffered channel as the done signal
0f332dadd Update cgroups for regenerated protos
391b123a5 adds quiet option for ref
ab1654d0e Fix PushHandler cannot push image that contains duplicated
blobs
00f8d32ef add not found debug out for check cmd; update usage
55734b1c5 Prepare 1.5.0-rc.2 release notes
3ef337ae3 Update containerd vendors to tags
fbe1e140f Update Go to 1.16.3
c1d1edbad gha: use sudo -E in some places to prevent dropping
env-vars
7966a6652 Cleanup code
5d79d3adb go.mod: update kubernetes to v1.20.6
1c03c377e go.mod: github.com/containerd/fifo v1.0.0
12a2a2108 go.mod: github.com/google/uuid v1.2.0
3292ea586 pkg/seccomp: use sync.Once to speed up IsEnabled
00b5c99b1 pkg/seccomp: simplify IsEnabled, update doc
6dd29c25f go.mod: github.com/containerd/aufs
330a2a809 go.mod: github.com/containerd/zfs
34780d67a runtime/shim: check the namespace flag first
c3dde8c4b freebsd: add zfs to the default plugins
b431fe4fc freebsd: don't run shim delete in deleted dir
1f4192daf freebsd: exclude v1 runtimes
cb1580937 metadata: improve deleting a non-empty namespace's error
message
5bf84034d Remove junit test result processor
b83d04f91 Add variable names to runtime's interface definitions
993b86399 Add shim start opts
9e576b889 Optimize backoff
5c02688b5 converter: use OpenWriter helper function
fcf3b275f Add lock for ListPids
fdb76f55d Fix backword-compatibility issue of non-versioned config
file
d21fe4625 adds log for each failed host and status not found on host
8a4cbabc6 Reimport windows layers when comitting snapshots
2de38a926 fix(windows): create debug npipe failure
41fc516a2 docs/rootless.md: recommend "easy way" over "hard way"
864a3322b go.mod: github.com/containerd/go-cni v1.0.2
ee34caccb go.mod: github.com/Microsoft/go-winio v0.4.17
d478676d3 go.mod: github.com/containerd/imgcrypt v1.1.1
1dd45d51c go.mod: github.com/containerd/typeurl v1.0.2
abd4be07a fix the 404 url
978ebbef6 Prepare 1.5.0-rc.1 release
ce116d4c5 go.mod: github.com/containerd/imgcrypt
v1.1.1-0.20210412181126-0bed51b9522c
0550c3233 containerd-stress: add snapshotter option for stress test
to use
8a04bd052 address recent runtimes config confusion
c4778fe1b go.mod: github.com/containernetworking/plugins v0.9.1
5ce35ac39 devmapper: log pool status when mkfs fails
75097b8ca hcsshim seems to have been updated
9ad087947 Switch all our tests to version 2
e96d2a5d9 Revert "remove two very old no longer used runtime
options"
14f357b90 CI: update crun to 0.19
294331060 go.mod: github.com/containerd/console v1.0.2
bb6c0c2de Add more bolt utils
0ad8c0a16 Decouple shim start from task creation
c7504987e Implement windowsDiff.Compare via hcsshim/pkg/ociwclayer
a64a76846 Replace inline applyWindowsLayer using hcsshim
149fa366f Don't tease the logger with a %-less format string
b399e2ef6 Don't lose Compare failure if aborting diff upload fails
36bf3f0e8 go.mod: github.com/Microsoft/hcsshim v0.8.16
8e1a8ecd8 Prepare v1.5.0-rc.0
45df696bf Fix return event publishing error
4bc8f692f optimize cri redirect logs
9bc8d63c9 cri/server: use containerd/oci instead of
libcontainer/devices
dd16b006e merge in the move to the new options type
9144ce967 shows our runc.v2 default options in the containerd
default config
3d20fa930 fix TestSetOOMScoreBoundaries
4d4117415 Change CRI config runtime options type
21ebeef74 integration: use busybox:1.32.0 since latest is
unavailable
f9bcf4a8a add section link
d4be6aa8f rm mirror defaults; doc registry deprecations
7bb73da6b runtime/v2/shim: remove unused SetScore() and remove
sys.OOMScoreMaxKillable
91e7d21ee sys: add AdjustOOMScore() utility
44240116a sys: add boundary checks to SetOOMScore()
ace1912bb sys: use assert for error checks in OOM tests
6e7271522 sys: add missing pre-condition checks in tests
badd60d3f sys: un-export runningPrivileged(), remove
runningUnprivileged()
21a175860 go.mod github.com/klauspost/compress v1.11.13
58c5fd09e re-enable cri test
da998c81e move to gcr.io/k8s-staging-cri-tools test images
8ba8533bd pkg/cri/opts.WithoutRunMount -> oci.WithoutRunMount
92ea98eda cri-cni-release: add imgcrypt binaries (v1.1.0)
4c1fa5719 remotes/docker: Only return "already exists" on push when
the upload was successful
0186a329e remove two very old no longer used runtime options
58a07754a Temporarily disable cri-tools critest
7ae0a60fb Add OCI ref.name to unique key in remotes handler
5ada2f74a Keep host order as defined in TOML file
d9ff8ebef support multi-arch images for windows via ctr
af1e2af72 ci: upload junit formatted test results
6866b36ab Add workaround to keep docker hosts structs private
c54d92c79 image: use generic decompressor for calculating DiffID
1faca349e integration/client: rename package to "client"
6fc9e4500 synchronize replace rules in integration/client go.mod
with main go.mod
9e19a2984 Fix hosts test on Windows
3f406d4af Cleanup vendor
d56b49c13 Rewrite Docker hosts parser
e1f51ba73 Use os.File#Seek() to get the size of a block device
ddd4298a1 Migrate current TOML code to github.com/pelletier/go-toml
499c2f7d4 Vendor github.com/pelletier/go-toml
61c749036 integration/util: remove dependency on k8s.io/klog/v2
d9765f7bf Extend default timeout for nested VM integration run
5e94745f2 ctr: add --user for task exec
f8c2f0475 remotes/ctr: allow to limit max concurrent uploads like
downloads
4674ad7be Ignore some tests on darwin
55450e773 Run unit tests on CI for MacOS
311e326a1 Add CI job to cross compile all the things
10a498c7c Update go-winio to fix compile error on armv7
1a9c6f557 Revendor zfs to to fix integer overflow
1fd3d12f9 `go mod tidy` the client integration test module
da7d96ba3 Clean up WCOW layers after tests in the correct order
9ad87b9ba adds critools-version
72b7f4bab task: allow checkpoint on pause state
e4b9b1038 Make CRI registry docs more clear
ec4d7736d Increase timeout for linux integration tests
eb7c7c71e Fix oom tests on non Linux
708299ca4 Move RunningInUserNS() to its own package
0886ceaea Fix reference ordering in CRI image store
bf9db47e8 add caller info to the testHook
305b42583 use happy-eyeballs for port-forwarding
22ef69d77 Support HTTP debug in ctr
01765d097 night ci fix: add packages for ubuntu 20.04
8cdc1f13b go.mod: github.com/containerd/zfs
v0.0.0-20210322090317-0e92c2247fb7
30e1e66e5 runtime/v2: Fix defer cleanup
33776ada0 Use specific image for user namespaces tests
7704fe72d Specifically mention "mkfs.ext4" on the error from the
command
1410220d8 Fix error log when copy file
fe787efa2 Fix error log when kill shim
8d8c15ca5 contentproxy: ensure grpc stream is closed on commit
6e343f25e Switch test image to a non rate-limited manifest list
9fdc96c09 runtime/v2: add comment for checkCopyShimLogError
24602e7a9 change default runtime for containerd-stress app
8731888ec Re-enable CRIU tests by not using overlayfs snapshotter
b520428b5 Fix CRIU
4e76bcf06 gofmt -s -w all the things
569023fd5 go.mod: github.com/containerd/nri
v0.0.0-20210316161719-dbaa18c31c14
0e1f59e89 go.mod: github.com/containerd/zfs
v0.0.0-20210315114300-dde8f0fda960
ffff68866 upgrade pause image to 3.5 for non-root
88d3881e1 go.mod: github.com/containerd/fifo
v0.0.0-20210316144830-115abcc95a1d
a22c43fa4 go.mod: github.com/containerd/aufs
v0.0.0-20210316121734-20793ff83c97
f6f861736 go.mod: github.com/containerd/btrfs
v0.0.0-20210316141732-918d888fb676
460b35236 go.mod: kubernetes v1.20.4
5e484c961 runtime/v2/runc: fix the defer cleanup of the NewContainer
e6086d9c0 Prepare release notes for v1.5.0-beta.4
34b7a5f09 Update mailmap
ba8f9845e move overlay-checks to an overlayutils package
7776e5ef2 Support adding devices by dir
d895118c7 runtime/v2/runc: fix leaking socket path
a76cefd12 plugin status should be skip, not error
766e7953a Change dgst to digest in debug
4e8b2f309 rootfs: fix the error handling of the createInitLayer
d3ad7f390 cmd/ctr: use e.g. in the command usage
231bbdc37 cmd/ctr: fix export command
ecb881e5e add imgcrypt stream processors to the default config
ac2726e12 cmd/containerd: deduplicate config*.go
9a7ca39cb defaults: add DefaultConfigDir
8f863afd3 Use net.IP.IsLoopback() to match loopback addresses
eabd9b98b runtime: ignore file-already-closed error if dead shim
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Our dependencies already bring several versions of nix, we should avoid
adding even more fragementation.
Fixes#2114
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
To workaround virtiofs' lack of inotify support, we'll special case
particular mounts which are typically watched, and pass on information
to the agent so it can ensure that the mount presented to the container
is indeed watchable (see applicable agent commit).
This commit will:
- identify watchable mounts based on file count and mount source
- create a watchable-bind storage object for these mounts to
communicate intent to the agent
- update the OCI spec to take the updated watchable mount source into account
Unit tests added and updated for the newly introduced
functionality/functions.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
We're introducing a workaround for enabling users to utilize inotify on
mounts that are backed by virtiofs. Let's add some documentation on how
this work.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add support for watchable-bind storage driver. When watchable-bind storage
is present, the agent will create a watchable path in a tmpfs, and poll the
watchable-bind source to keep this new mount-point up to date.
This poll will allow the agent to present the mount-point to the
container, allowing for inotify usage by the container workload.
If a mount becomes too large, either in file count or in overall size,
we want to stop treating it as watchable, and instead just treat as a
bindmount. This'll help avoid DoS by growing tmpfs too large, as well
as limiting time spent scanning files. If a watchable-bind grows beyond
8 files (arbitrary sane number for certs/secrets) or 1MB (limit on ConfigMap size),
we treat it as a normal bind.
Fixes: #1879
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
agent: watcher: SandboxStorages check loop cleanup
There's no reason to pass the paths; they can be
determined when they are actually used.
Let's make the return values more comparable to the other mount handling
functions (we'll add storage object in future commit), and pass the mount maps as
function parameters.
...No functional changes here...
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add `CONFIG_PROTECTED_VIRTUALIZATION_GUEST=y` to s390's guest kernel
config, which enables running with a secure image (as generated by
s390-tools' `genprotimg`).
Fixes: #2106
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Use Podman instead of Docker when $USE_PODMAN is set. This enables
running with Podman, e.g. to import images for CRI-O.
Fixes: #2067
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Architectures that do not support memory hotplugging will fail when
memory limits are set because that amount is hotplugged. Issue a warning
instead. The long-term solution is virtio-mem.
Fixes: #1412
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The Developer Guide instructs to install the agent from
`${ARCH}-unknown-linux-${LIBC}`, where `$LIBC` is set to `gnu` for
ppc64le (because Rust has no musl target there). The same is true for
s390x. Also set this for s390x.
Fixes: #2092
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
After create an container/exec successfully, containerd
would wait it immediately, and if start it failed, there
is no chance to send value to exitCh, thus the wait goroutine
would blocked for ever and had no chance to exit.
Fixes: #2087
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Fixed 3 errors which misused the bracket to substitute parameter for initrd-img creation at the developer guide.
Fixes: #2079
Signed-off-by: focus-zhaos <zhaos@nbjl.nankai.edu.cn>
- Adding missing `$` symbols to 3 references to `sandbox_id` variable
- Adding missing `'` symbol to QEMU-related `socat` command
Fixes#2075
Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
Currently the virtio-mem device is hotplugged on the root bus.
This doesn't work for PCIe machines like q35.
Hotplug the virtio-mem device into the pci bridge instead.
Fixes#1953
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Keeping around two different x86 machines has no added value
and require more tests and maintenance. Prefer the q35 machine
since it has more features and drop the pc machine.
Fixes#1953
Depends-on: github.com/kata-containers/tests#3586
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Currently virtio-mem-pci devices can be hotplugged only on the root bus.
This doesn't work for PCIe machines like q35.
Extend the API to optionally support hotplugging on PCI bridges.
Fixes: #176
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
We should update golang proto files.
These changes are updated using libprotoc v3.6.1.
Fixes: #2064
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This PR updates the proper url for kata-deploy scripts at the
minikube installation.
Fixes#2072
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
For QEMU 5.0.0 it is applied the patches/5.0.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
to fix an issue with the use of read-only files as backend memory of nvdimm devices. When Kata Containers bumped
to QEMU 5.2.0 that patch was left behind by mistake. In meanwhile a proper feature ("nvdimm: read-only file support")
was proposed and merged upstream (see https://mail.gnu.org/archive/html/qemu-devel/2021-01/msg00258.html).
This contain the backport of the commit 8360ebeb4f4a from QEMU master which should be applied on QEMU 5.2.0
so that feature is available to Kata Containers.
Fixes#2011
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The snap/snapcraft.yaml set AGENT_VERSION to the current VERSION. The osbuilder script
will try to checkout the AGENT_VERSION tag. Let's ensure that all tags and branches
are fetched by the github's checkout action so the tag checkout does not fail.
Fixes#2052
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
To print the correct value of kernel parameters, the log field
value should not be a function name. And for that qemuArchBase
doesn't contain debug flag, so the log contains debug/non-debug
parameters.
Fixes: #2048
Signed-off-by: bin <bin@hyper.sh>
`memory_offset` is used to increase the maximum amount of memory
supported in a VM, this offset is equal to the NVDIMM/PMEM device that
is hot added, in real use case workloads such devices are bigger than
4G, which is the current limit (uint32).
fixes#2006
Signed-off-by: Julio Montes <julio.montes@intel.com>
It's hard to visually scan over the list currently.
Therefore, we should sort the list alphabetically to scan easily.
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Currently in kata 2.x, we do not have docker support, this PR removes
the docker documentation with sysctls.
Fixes#2029
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Since SEV support has been added, an implementation mistake was also
added to TestQemuAmd64AppendProtectionDevice.
appendProtectionDevice() will, as it name says, append the protection
device to whatever was there previously. So, when SEV was added, we
broke the comparison done for TDX as we didn't append the expected
output for TDX with what we already had for SEV.
This should be enough to get the tests passing.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This PR removes old links that were used in kata 1.x but not
longer valid for kata 2.x
Fixes#2019
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- Update CC=gcc setting for Fedora s390x
- osbuilder: Streamline s390x CMake & musl handling
- runtime: remove the call to storeSandbox at the end of createSandboxFromConfig
- virtcontainers: Add support for Secure Execution
- agent: Conform to the latest nix version (0.21.0)
- docs: Update the stable branch strategy to what was proposed in our ML
- runtime: add more traces for network
- tools/packaging: clone meson and dependencies before building QEMU
- runtime: remove covertool from cli test
- factory: Use lazy unmount
- docs: Fix Release Process document
- Add sandbox and container ID to trace spans
- agent: Fix fd leak caused by netlink
- metrics: Add virtiofsd exporter
- versions: Update kubernetes to 1.21.1
- tracing: Add basic VSOCK tracing
- agent: Upgrade tokio-vsock to fix fd leak of vsock socket
- runtime: fix some comments and logs
- runtime: Add support for PEF
- cleanup TODOs in runtime
- tracing: Make runtime span attributes more consistent
- virtiofsd: refactor qemu.go to use code in virtiofsd.go
- runtime: remove unused doc.go
- cgroup: fix the issue of set mem.limit and mem.swap
- agent: re-enable the standard SIGPIPE behavior
- virtiofsd: Fix file descriptors leak and return correct PID
- runtime: and cgroup and SandboxCgroupOnly check for check sub-command
- kernel: add ppc64le fragments
- docs: Use --ignore-preflight-errors=all flag
- agent: fix start container failed when dropping all capabilities
- agent: Remove unnecessary underscore(_) variables
- docs: Add instructions for getting QEMU source
- qemu: align before memory hotplug on arm64
- workflows: release kata 2.x snap through the stable channel
- Sandbox bindmount cleanup
- docs: Update add customer agent command
- agent: Stop relying in the unmaintained prctl crate
- how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
- docs: Add document for memory hotplug on arm64
- github: Run require porting labels only at main
- kernel: add confidential guest build option
- rustjail: separated the propagation flags from mount flags
- runtime: improve sandbox cleanup logic
- docs: add note for connecting debug console for old versions
- image_build: align image size to 128M for arm64
- agent: avoid reaping the exit signal of execute_hook in the reaper
- agent: move the dependency tempfile to the dev-dependencies section
- docs: Document test repository changes when creating a stable branch
- docs: Remove horizontal ruler markers that disable spell checks
- docs/Developer-Guide: Add instructions to apply QEMU patches
- runtime: make dialing timeout configurable
- Get sandbox metrics cli
- Support TDx
- packaging/kata-cleanup: add k3s containerd volume
- osbuilder: Upgrade alpine version to 3.13.5
- Monitor cleanup
- Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
- agent: delete code which is no longer used
- cli: delete tracing code for kata-runtime binary
- docs: add per-Pod Kata configurations for `enable_pprof`
- Fix issue of virtio-mem
- Set fixed NOFILE limit value for kata-agent
- ci/install_yq.sh: install_yq: Check version before return
- runtime: use s.ctx instead ctx for checking cancellation
- runtime: fix some comments
a1247bc0 agent: Conform to the latest nix version (0.21.0)
3130e66d runtime: remove storeSandbox at the end of createSandboxFromConfig
7593ebf9 runtime: Use CC=gcc on Fedora s390x
a484d6db osbuilder: Streamline s390x CMake & musl handling
da2d9ab8 osbuilder: Remove CC=gcc for Fedora s390x
c0c05c73 virtcontainers: Add support for Secure Execution
78f21710 virtcontainers/s390x: Put consts into one block
784025bb runtime: add more traces for network
9ec9bbba tools/packaging: clone meson and dependencies before building QEMU
9158ec68 docs: Fix Release Process document
9e3349c1 agent: Fix fd leak caused by netlink
3d0e0b27 tracing: Add network model to span
8ca02072 tracing: Add sandbox and container ID to trace spans
a9a0eccf tracing: Add basic VSOCK tracing
2234b730 metrics: Add virtiofsd exporter
9bf781d7 agent: Upgrade tokio-vsock to fix fd leak of vsock socket
b68334a1 runtime: fix some comments and logs
1f5b229b runtime: remove FIXME in SandboxState about CgroupPath
fee0004a runtime: remove TODO about hot add memory in qemu.go
2e29ef9c runtime: remove TODO comment from StatusContainer
72cd8f5e virtiofsd: refactor qemu.go to use code in virtiofsd.go
0b22c48d runtime: remove unused doc.go
30f4834c cgroup: fix the issue of set mem.limit and mem.swap
0ae364c8 agent: re-enable the standard SIGPIPE behavior
05a46fed tracing: Make runtime span attributes more consistent
727bfc45 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
b25ad1ab tracing: Make trace-forwarder async
45f02227 tracing: Add trace points
773deca2 virtiofsd: Fix file descriptors leak and return correct PID
37a426b4 runtime: Add support for PEF
fe670c5d docs: Use --ignore-preflight-errors=all flag
5b5047bd docs: Add instructions for getting QEMU source
3e4ebe10 agent: fix start container failed when dropping all capabilities
9a43d76d workflows: release kata 2.x snap through the stable channel
7f1030d3 sandbox-bindmount: persist mount information
089a7484 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
f65acc20 docs: Update add customer agent command
20a382c1 agent: Remove unnecessary underscore(_) variables
4b88532c docs: Don't use Docker as an example of a container manager
4142e424 docs: Don't mention 1.x components as part of the stable branch strategy
a0af2bd7 docs: Use stable-2.x / 2.x.y as example in the branch strategy document
a5e1f66a docs: Maintain only one stable branch per major release
419773b8 docs: Emphasize behaviour changes may be a reason for a major bump
54a75008 docs: Refer to `main` branch in the stable branch strategy document
7dde0b5d kernel: add ppc64le fragments
84906181 kernel: skip fragments for ppc64le
9676b86b kernel: move CONFIG_RANDOMIZE_BASE
bd0cde40 factory: Use lazy unmount
f52468be agent/agent-ctl: Replace prctl crate by the capctl one
d289b1d6 agent-ctl: Perform a `cargo update`
bc36b7b4 qemu: align before memory hotplug on arm64
8aefc793 agent: Perform a `cargo update`
785be0bb how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
f8a16c17 kernel: add confidential guest build option
a65f11ea docs: Add document for memory hotplug on arm64
1b607056 runtime: remove covertool from cli test
fc42dc07 github: Run require porting labels only at main
dbef2b29 versions: Update kubernetes to 1.21.1
35151f17 runtime: sandbox delete should succeed after verifying sandbox state
e5fe572f rustjail: separated the propagation flags from mount flags
ffbb4d9b docs: add note for connecting debug console for old versions
a5bb383c agent: avoid reaping the exit signal of execute_hook in the reaper
ce7a5ba2 agent: move the dependency tempfile to the dev-dependencies section
e24e9462 docs/Developer-Guide: Add instructions to apply QEMU patches
850cf8cd docs: Document test repository changes when creating a stable branch
8068a469 kata-runtime: add `metrics` command
37873061 kata-monitor: export get stats for sandbox
01b56d6c runtime: make dialing timeout configurable
e8038718 osbuilder: Upgrade alpine version to 3.13.5
3caed6f8 runtime: shim: dedup client, socket addr code
4bc006c8 runtime: Short the shim-monitor path
5fdf617e docs: Fix spell-check errors found after new text is discovered
42425456 docs: Remove horizontal ruler markers that disable spell checks
3883e4e2 kernel: configs: Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
4f61f4b4 virtcontainers: Support TDX
0affe886 virtcontainers: define confidential guest framework
539afba0 runtime: define config options to enable confidential computing
79831faf runtime: use s.ctx instead ctx for checking cancellation
f6d5fbf9 runtime: fix some comments
9381e5f3 packaging/kata-cleanup: add k3s containerd volume
7f7c3fc8 qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
c9053ea3 qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
a188577e agent: Set fixed NOFILE limit value for kata-agent
88cf3db6 runtime: implement CPUFlags function
2b0d5b25 image_build: align image size to 128M for arm64
d601ae34 agent: delete not used comments
6038da19 agent: delete rustjail/src/configs directory
84ee8aa8 agent: delete not used functions
d8896157 ci/install_yq.sh: install_yq: Check version before return
95e54e3f docs: add per-Pod Kata configurations for enable_pprof
13c23fec cli: delete tracing code for kata-runtime binary
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The call to Trace() in runHooks() does not return a context; fix this so
that the subsequent calls to runHook() produces a properly ordered trace
span.
Fixes#2001
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add the following mount options to catch up with the runtime spec
- silent
- loud
- (no)acl
- (no)iversion
- (no)lazytime
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This PR removes the travis reference as we currently for kata 2.0,
travis is not being supported.
Fixes#1994
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
We need to fix some agent's code to conform to the latest nix crate
to be able to use new features of the nix.
Fixes: #1987
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Remove storeSandbox() at the end of createSandboxFromConfig(),
because this callchain createSandboxFromConfig -> createContainers
has already calls storeSandbox().
This can improve the startup speed of the container,
even just for a little.
Fixes: #1980
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
- Merge codepath in lib.sh with ppc64le -- do not install CMake
- Like ppc64le, do not install musl rather than just not using it
Fixes: #1975
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Secure Execution is a confidential computing technology on s390x (IBM Z
& LinuxONE). Enable the correspondent virtualization technology in QEMU
(where it is referred to as "Protected Virtualization").
- Introduce enableProtection and appendProtectionDevice functions for
QEMU s390x.
- Introduce CheckCmdline to check for "prot_virt=1" being present on the
kernel command line.
- Introduce CPUFacilities and avilableGuestProtection for hypervisor
s390x to check for CPU support.
Fixes: #1771
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Previously, all consts were in single lines in
virtcontainers/qemu_s390x.go. Put them into a const block.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
In some distros (Ubuntu 18 and 20) it's not possible to clone meson
and QEMU dependencies from https://git.qemu.org due to problems with
its certificates, let's pull these dependencies from github before
building QEMU.
fixes#1965
Signed-off-by: Julio Montes <julio.montes@intel.com>
This PR updates the correct url for github actions as well as it
corrects a misspelling.
Fixes#1960
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Trace spans erroneously set the network model to default in all cases.
Add function to return network model string and use it to set attribute
in spans.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add sandbox, container, and hypervisor IDs to trace spans. Note that
some spans in sandbox.go are created with a trace() call from api.go.
These spans have additional attributes set after span creation to
overwrite the api attributes.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Implement an openTelemetry custom exporter that sends trace spans to a
VSOCK socket. A VSOCK-to-span converter (such as the Kata trace
forwarder) needs to be running on the host to allow systems like Jaeger
to capture the trace spans.
By default, tracing is not enabled (meaning a NOP tracer is used). To
activate tracing, set the `agent.kata.enable_tracing=true` in the
configuration file.
The type of tracing this change introduces is "static isolated"
tracing. See [1] for further details.
> **Note:**
>
> This change only provides the foundational changes for agent
> tracing work. The feature is _not_ yet complete since it does
> not yet show the correct trace hierarchy.
Fixes: #60.
[1] - https://github.com/kata-containers/agent/blob/master/TRACING.md
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Export proc stats for virtiofsd.
This commit only adds for hypervisors that have support for it.
- qemu
- cloud-hypervisor
Fixes: #1926
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.
Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
CloudHypervisor is using virtiofsd.go to manage virtiofsd process,
but qemu has its code in qemu.go. This commit let qemu to re-use
code in virtiofsd.go to reduce code and improve maintenanceability.
Fixes: #1933
Signed-off-by: bin <bin@hyper.sh>
When update memory limit, we should adapt the write sequence
for memory and swap memory, so it won't fail because
the new value and the old value don't fit kernel's
validation.
Fixes: #1917
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
The Rust standard library had suppressed the default SIGPIPE
behavior, see https://github.com/rust-lang/rust/pull/13158.
Since the parent's signal handler would be inherited by it's child
process, thus we should re-enable the standard SIGPIPE behavior as a
workaround.
Fixes: #1887
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Span attributes (tags) are not consistent in runtime tracing, so
designate and use core attributes such source, package, subsystem, and
type as span metadata for more understandable output.
Use WithAttributes() during span creation to reduce calls to
SetAttributes().
Modify Trace() in katautils to accept slice of attributes so multiple
functions using different attributes can use it.
Fixes#1852
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
In kata-runtime check sub-command, checks cgroups and SandboxCgroupOnly
to show message if the SandboxCgroupOnly is not set to true
and cgroup v2 is used.
Fixes: #1927
Signed-off-by: bin <bin@hyper.sh>
Use the tracing crate to create automatic trace spans for the _majority_
of top-level modules.
Note that not all functions in the top-level modules can be traced:
- Some functions cannot be traced due to the requirement that all
function parameters implement the `Debug` trait. In some cases (such
as `netlink.rs`), objects are being passed that are defined in
different crates and which do not implement `Debug`.
- Some functions may never return (`signal.rs`).
- Some functions are inlined.
- Some functions are very simple getter/setter functions.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit will fix two problems:
- Virtiofsd process ID returned to the caller will always be 0,
the pid var is never being assigned a value.
- Socket listen fd may leak in case of failure of starting virtiofsd process.
This is a port of be9ca0d58bFixes: #1931
Signed-off-by: bin <bin@hyper.sh>
Protected Execution Facility(PEF) is the confidential computing
technology on ppc64le. This PR adds the support for it in Kata.
Also re-vendor govmm for the latest changes.
Fixes: #1881
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
The --skip-preflight-checks flag has been deprecated in the Kubernetes v1.9
and removed from Kubernetes v1.12.
We should use --ignore-preflight-errors=all flag instead of --skip-preflight-checks.
Fixes: #1919
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Update the developer guide to add instructions of how to get the
correct version of the QEMU source and sets your_qemu_directory
variable, so that follow on steps are easier for a new joiner to the
community to understand
Fixes#1907
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.
fixes#1913
Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.
Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.
With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.
Fixes#1896
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.
Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.
Fixes: #1895
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Update the developer guide to correct the
command that adds a customer kata-agent to the rootfs image
putting it in /usr/bin/kata-agent rather than /bin/kata-agent
Fixes#1904
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Let's slightly rewrite the text to ensure users of 2.x that never had
contact with kata-containers 1.x would be able to understand the
sentences.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This is a proposal that was sent to the ML and can be accessed via
http://lists.katacontainers.io/pipermail/kata-dev/2021-May/001894.html
Shortly, the proposal is to maintain only one stable branch per major
active release.
This will help the developers and the CI maintainers, to spend more time
on what's coming, rather on backporting and debugging issues with old
releases; while still providing one stable branch that downstream
companies can rely on.
Hopefully, with this we'll be able to lower the maintainance burden and
spend more time on getting things rock solid / move forward in a faster
pace with the project.
Fixes: #1876
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The current wording is good, but we could emphasize better that changes
on behaviour from a previous release by simply making the text bold
rather than italic.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
As there's no active `master` branch as part of kata-containers 2.x,
let's avoid referring to it, and let's referr to the `main` branch
instead.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This config is not selected for ppc64le. It is
only supported on PPC32 for now. Moved it to
respective arch base.conf.
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
Adding the support for Protected Execution Facility(PEF) is
which is the confidential computing technology on ppc64le.
Fixes: #174
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
Secure Execution, also known as Protected Virtualization in QEMU, is a
confidential computing technology for s390x (IBM Z & LinuxONE). Allow
the respective object.
Fixes: #172
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
we can have the following case,
1. start kata container with factory feature, this need kata-runtime
config to enable factory and use initrd as base image.
2. start a kata container.
3. cd /root; cd /run/vc/vm/template dir, this will make
/run/vc/vm/template to be in used.
4. destroy vm template with kata-runtime factory destroy , and check
the template mountpoint.
we can see the template mountpoints will add everytime we repeat the above steps .
[root@centos1 template]# mount |grep template
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
Fixes: #938
Signed-off-by: Shukui Yang <keloyangsk@gmail.com>
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.
When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.
Fixes: #1844
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When hotplug memory on arm64 in kata, kernel will shout:
[ 0.396551] Block size [0x40000000] unaligned hotplug range: start 0xc8000000, size 0x40000000
[ 0.396556] acpi PNP0C80:01: add_memory failed
[ 0.396834] acpi PNP0C80:01: acpi_memory_enable_device() error
[ 0.396948] acpi PNP0C80:01: Enumeration failure
It means that kernel will check if the memory range to be hotplugged
align with 1G before plug the memory. So we should twist the qemu to
make sure the memory range align with 1G to pass the kernel check.
Fixes: #1841
Signed-off-by: Yuanzhe Liu <yuanzheliu09@gmail.com>
After some enablement work, memory hotplug can be used on arm64.
Here we offer a document to instruct user to enable it.
Fixes: #1854
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
covertool has no active since 2018 and is not compatible with go1.16
../vendor/github.com/dlespiau/covertool/pkg/cover/cover.go:76:29: cannot use f (type dummyTestDeps) as type testing.testDeps in argument to testing.MainStart:
dummyTestDeps does not implement testing.testDeps (missing SetPanicOnExit0 method)
Fixes: #1862
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Since the propagation flags couldn't be combinted with the
standard mount flags, and they should be used with the remount,
thus it's better to split them from the standard mount flags.
Fixes: #1699
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Following the fix for #1713, adding a unit test for ioCopy() that
verifies that data is properly copied from source to destination
whatever the order in which the pipes are closed.
Fixes#1831
Signed-off-by: Julien Ropé <jrope@redhat.com>
Occasionally patches are necessary to build QEMU with the kata containers
configuration. This changed the developer guide to make it clear it is
recommended to apply the patches; and tell how.
Fixes#1807
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
When we create a new stable branch, it is good practice to ensure that the test
repository points to that stable branch, to make sure that it is not impacted by
later changes to the CI made on the stable branch.
Fixes: #1823
Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
For easier debug, let's add subcommand to kata-runtime for gathering
metrics associated with a given sandbox.
kata-runtime metrics --sandbox-id foobar
Fixes: #1815
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Gathering stats for a given sandbox is pretty useful; let's export a
function from katamonitor pkg to do this.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
(1) Add an accessor function, SocketAddress, to the shim-v2 code for
determining the shim's abstract domain socket address, given the sandbox
ID.
(2) In kata monitor, create a function, BuildShimClient, for obtaining the appropriate
http.Client for communicating with the shim's monitoring endpoint.
(3) Update the kata CLI and kata-monitor code to make use of these.
(4) Migrate some kata monitor methods to be functions, in order to ease
future reuse.
(5) drop unused namespace from functions where it is no longer needed.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Instead of having something like
"/containerd-shim/$namespace/$sandboxID/shim-monitor.sock", let's change
the approach to:
* create the file in a more neutral location "/run/vc", instead of
"/containerd-shim";
* drop the namespace, as the sandboxID should be unique;
* remove ".sock" from the socket name.
This will result on a name that looks like:
"/run/vc/$sandboxID/shim-monitor"
Fixes: #497
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The spell-checker scripts has some bugs that caused large chunks of texts to not
be spell checked at all (see #1793). The previous commit worked around this bug,
which exposed another bug:
The following source text:
are discussions about using VM save and restore to
give [`criu`](https://github.com/checkpoint-restore/criu)-like
functionality, which might provide a solution
yields the surprising error below:
WARNING: Word 'givelike': did you mean one of the following?: give like, give-like, wavelike
Apparently, an extra space is removed, which is another issue with the
spell-checking script. This case is somewhat contrived because of the URL link,
so for now, I decided for a creative rewriting, inserting the word "a" knowing
that "alike" is a valid word ;-)
Fixes: #1793
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
There is a bug in the CI script checking spelling that causes it
to skip any text that follows a horizontal ruler.
(https://github.com/kata-containers/tests/issues/3448)
Solution: replace one horizontal ruler marker with another that
does not trip the spell-checking script.
Fixes: #1793
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Define the structure and functions needed to support confidential
guests, this commit doesn't add support for any specific technology,
support for TDX, SEV, PEF and others will be added in following
commits.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Define config options to enable or disable confidential computing and
its features, for example:
* Image service offloading
* Image decryption keys
Signed-off-by: Julio Montes <julio.montes@intel.com>
This commint include two types of fixes for comments
in src/runtime/containerd-shim-v2/start.go.
- Update comment for calling of watchOOMEvents.
- Comments without heading spaces.
Fixes: #1750
Signed-off-by: bin <bin@hyper.sh>
kata-deploy cleanup expects to find containerd configuration
in /etc/containerd/config.toml. In case of k3s mount the k3s
containerd config as a volume.
Fixes#1801
Signed-off-by: Orestis Lagkas Nikolos <olagkasn@nubificus.co.uk>
Got:
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: Add 189759MB virtio-mem-pci fail QMP command
failed: backend memory size must be multiple of 0x200000: unknown
This commit let sizeMB be multiple of 2Mib to fix the issue.
Fixes: #1796
Signed-off-by: Hui Zhu <teawater@antfin.com>
Some applications may fail if NOFILE limit is set to unlimited.
Although in some environments this value is explicitly overridden,
lets set it to a more sane value in case it doesn't.
Fixes#1715
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
`CPUFlags` returns a map with all the CPU flags, these CPU flags
may help us to identiry whether a system support confidential computing
or not.
Signed-off-by: Julio Montes <julio.montes@intel.com>
There is an inconformity between qemu and kernel of memory alignment
check in memory hotplug. Both of qemu and kernel will do the start
address alignment check in memory hotplug. But it's 2M in qemu
while 128M in kernel. It leads to an issue when memory hotplug.
Currently, the kata image is a nvdimm device, which will plug into the VM as
a dimm. If another dimm is pluged, it will reside on top of that nvdimm.
So, the start address of the second dimm may not pass the alginment
check in kernel if the nvdimm size doesn't align with 128M.
There are 3 ways to address this issue I think:
1. fix the alignment size in kernel according to qemu. I think people
in linux kernel community will not accept it.
2. do alignment check in qemu and force the start address of hotplug
in alignment with 128M, which means there maybe holes between memory blocks.
3. obey the rule in user end, which means fix it in kata.
I think the second one is the best, but I can't do that for some reason.
Thus, the last one is the choice here.
Fixes: #1769
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
- Update kata-deploy to use CRI-O drop-in files
- Update dependencies versions
- fix build kernel shell error when setup with `-f`
- virtcontainers: Fix virtio-fs on s390x
- Runtimeclass updates
- versions: Upgrade to cloud-hypervisor v15.0
- clh: return error if apiSocketPath failed
- runtime: fix dropped error
- agent: Update seccomp configuration for errnoRet and flags
- Fix the issue that sandbox size is not right after update
- docs: Document limitation regarding subpaths
- qemu: kill virtiofsd if failure to start VMM
- runtime/virtcontainers: Fix typo on qmp error msg
- cli: delete not used files
- runtime: delete not used function parameter builtIn
- add io.katacontainers.config.hypervisor.virtio_fs_extra_args handling
- Entropy source annotation
- runtime: Fix stdout/stderr output from container being truncated
- fix the issue of missing set fsGroup for EphemeralStorage
- qemu: Fix assertion failure on shutdown
- Assorted clippy fixes for Rust agent
- agent: use channel instead of pipe(2) to send exit signal of process
- Improve agent shutdown handling
- Enable virtio-fs on s390x
- block: Generate PCI path for virtio-blk devices on clh
- runtime: Disable trace for healthcheck
- agent/rustjail: Fix accidental damage from tokio conversion
- cli: Use genericGetExpectedHostDetails on s390x
- runtime/tests: Change "moo FAILURE" message
- Update the information about the release process
- remove ProcessListContainer API
2047f26f kata-deploy: Adapt CRI-O config to use drop-in files
8de2f914 kata-deploy: Rely on CRIO default's values for manage_ns_lifecycle
ea9936e0 versions: Bump runc to v1.0.0-rc93
9c333b2c versions: Bump CRI-O version to 1.21.x
e33f207b versions: Bump critools version to 1.21.0
8e5df723 versions: Bump kubernetes version to 1.21.0
d15f84c9 versions: Remove Docker entry
516f4ec0 versions: Remove OpenShift entry
be101ac1 versions: Remove CRI-O meta dependencies
1ca6bedf versions: Upgrade to cloud-hypervisor v15.0
906c0df4 kata-deploy: don't update worker pool nodes
3ee61776 virtcontainers: Enable virtio-fs on s390x
8385ff95 runtime: Re-vendor GoVMM
adba4532 virtcontainers: Revert "virtcontainers: Allow s390x appendVhostUserDevice"
ede078bc kata-deploy: aks-test: bump kubernetes/containerd
484af12b kata-deploy: update to handle new runtimeclass path
05c224c3 runtimeclass: add nodeSelector
ee7de8ab tools: fix build kernel shell error
7d5a4252 docs: Document limitation regarding subpaths
36776408 runtime/virtcontainers: Fix typo on qmp error msg
12a65d23 runtimeclass: drop stale runtimeclass definitions
0787ea80 cgroupsCreate: not set resources to c.config.Resources
831224aa Sandbox: Fix ContainerConfig ptr in CreateContainer and createContainers
a57c8ab1 qemu: kill virtiofsd if failure to start VMM
ff2b9e54 cli: delete not used files
0d0a520d clh: return error if apiSocketPath failed
fc6bb01a runtime: fix dropped error
30ff6ee8 runtime: handle io.katacontainers.config.hypervisor.virtio_fs_extra_args
677f0d99 runtime: delete not used function parameter builtIn
dcb9f403 config: Protect annotation for entropy_source
f4c26aad agent: fix the issue of missing set fsGroup for EphemeralStorage
628d55bf kata-agent: fix the issue of fsGroup missing
0405beb2 agent: Remove unused Default implementation for NamespaceType
7b83b7ec agent/uevent: Better initialize Uevent in test
b0190a40 agent: Use vec![] macro rather than init-then-push
1c43245e agent/device: Remove unneeded Result<> wrappers from uev matchers
e41cdb8b agent: Use str::is_empty() method in config::get_string_value()
2377c097 agent: Use CamelCase for NamespaceType values
75eca6d5 agent/rustjail: Clean up error path in execute_hook()s async task
6ce1e56d agent/rustjail: Remove an unnecessary PathBuf
3c4485ec agent/rustjail: Clean up some static definitions with vec! macro
eaec5a6c agent/oci: Change name case to make clippy happy
3f5fdae0 agent/rustjail: (trivial) Clean up comment on process_grpc_to_oci()
210f39a4 agent/rustjail: Simplify renaming imports
d4a54137 runtime: Fix stdout/stderr output from container being truncated
8ecf8e5c agent: use channel instead of pipe to send exit signal of process
81c5ff12 agent: Update seccomp configuration for errnoRet and flags
8a33bd4c qemu: Fix assertion failure on shutdown
7f609113 virtcontainers: Allow s390x appendVhostUserDevice
67ac4f45 runtime: update GoVMM for memory backend support
6577b01a agent/rustjail: Fix accidental damage from tokio conversion
de2631e7 utils: Make WaitLocalProcess safer
9256e590 shutdown: Don't sever console watcher too early
51ab8700 utils: Improve WaitLocalProcess
507ef636 utils: Add waitLocalProcess function
1d5098de agent/block: Generate PCI path for virtio-blk devices on clh
e7c97f0f runtime/tests: Change "moo FAILURE" message
8bc53498 docs: Simplify the repo bumping section
8a47b05a docs: Mention that an app token should be used with hub
d434c2e9 docs: OBS account is not require anymore
543f9da3 runtime: Disable trace for healthcheck
421439c6 API: remove ProcessListContainer/ListProcesses
1366f0fb cli: Use genericGetExpectedHostDetails on s390x
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
By using drop-in file it simplifies the deployment and maintenance of
the CRI-O configurations by a lot, and all versions of CRI-O that should
be used together with the currently supported versions of kubenertes
support the drop-in configuration file.
Depends-on: github.com/kata-containers/kata-containers#1689
Fixes#1781
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
manage_ns_lifecycle (previously known as manage_network_ns_lifecycle)
has its default value as `true` for all CRI-O versions that should be
used with the kubernetes versions that are still supported / didn't
reach their EOL.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In file src/agent/rustjail/src/validator.rs,
these two functions are not used:
- get_namespace_path
- check_host_ns
Fixes: #1783
Signed-off-by: bin <bin@hyper.sh>
For CRI-O, let's rely on the "release-1.21" branch, as this is the
branch getting backports for the 1.21.x cycle.
Relying on the branch avoids our needs to keep bumping it every now and
then.
Fixes: #1688
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested between Kata Containers and OpenShift are already being done via
the OpenShift CI. This entry is only related to the OpenShift 3.x,
which is not tested anymore via our CI in any possible way.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
CRI-O meta dependencies (crictl and openshift) are a left over from the
OCP 3.x era. Currently we don't need those as we have Kata Containers
onboard with the OpenShift CI, and we don't test OCP 3.x in any way
nowadays.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Quotes from the cloud-hypervisor release v15.0:
This release is the first in a new version numbering scheme to represent that
we believe Cloud Hypervisor is maturing and entering a period of stability.
With this new release we are beginning our new stability guarantees.
Other highlights from the latest release include: 1) Network device rate
limiting; 2) Support for runtime control of `virtio-net` guest offload;
3) `--api-socket` supports file descriptor parameter; 4) Bug fixes on
`virtio-pmem`, PCI BARs alignment, `virtio-net`, etc.; 5) Deprecation of
the "LinuxBoot" protocol for ELF and bzImage in the coming release.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v15.0
Note: The client code of cloud-hypervisor's OpenAPI is automatically
generated by `openapi-generator` [1-2]. As the API changes do not
impact usages in Kata, no additional changes in kata's runtime are
needed to work with the current version of cloud-hypervisor.
[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.mdFixes: #1779
Signed-off-by: Bo Chen <chen.bo@intel.com>
Our cluster's life is shorter than time it takes to update nodes; for
better stability of the kata-deploy test, let's not update the nodes.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Allow and configure vhost-user-fs devices (virtio-fs) on s390x. As a
consequence, appendVhostUserDevice now takes a context, which affects
its signature for other architectures.
Fixes: #1753
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This reverts commit 7f60911333.
Patch allowed other vhost user devices besides FS not supported on s390x
and failed to attach a CCW device number, which results in the
inavailability to use more devices after vhost-user-fs-ccw.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
To ensure we run on nodes which have Kata installed, let's add the
nodeSelector to the runtimeclass definition, and have it match the label
that we applied during installation of the kata artifacts.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Build kernel shell setup with -f, don't find patches directory path,
because patches_path is none, so fix this error.
Fixes: #1768
Signed-off-by: zyt312074545 <zyt312074545@hotmail.com>
Add CCW (s390x) device numbers to VhostUserDevices, as is with other
device types. Add them to VhostUserFS devices (the only type currently
supported on s390x) when building QEMU parameters.
Fixes: #170
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
by splitting out the respective functionality to QemuNetParams,
QemuSCSIParams, QemuBlkParams, and QemuFSParams. This allows adding
functionality to these functions without going beyond the cyclomatic
complexity of 15 mandated by the lint checks.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
- 1.13/1.14 are very old now; let's drop
- move from k8s-1.18 to just runtimeclasses directoy
- update docs to reflect the new reality
Fixes: #1425
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
cgroupsCreate will just keep the CPU resources infomation but not the
others.
Set it to c.config.Resources will clean most of resources of the
container.
This commit remove it to handle the issue.
Fixes: #1758
Signed-off-by: Hui Zhu <teawater@antfin.com>
The pointer that send to newContainer in CreateContainer and
createContainers is not the pointer that point to the address in
s.config.Containers.
This commit fix this issue.
Fixes: #1758
Signed-off-by: Hui Zhu <teawater@antfin.com>
If the QEMU VMM fails to launch, we currently fail to kill virtiofsd,
resulting in leftover processes running on the host. Let's make sure we
kill these, and explicitly cleanup the virtiofs socket on the
filesystem.
Ideally we'll migrate QEMU to utilize the same virtiofsd interface that
CLH uses, but let's fix this bug as a first step.
Fixes: #1755
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Now enabling enable_pprof for individual pods is supported,
but not documented.
This commit will add per-Pod Kata configurations for `enable_pprof`
in file `docs/how-to/how-to-set-sandbox-config-kata.md`
Fixes: #1744
Signed-off-by: bin <bin@hyper.sh>
Users can specify extra arguments for virtiofsd in a pod spec using the
io.katacontainers.config.hypervisor.virtio_fs_extra_args annontation.
However, this annotation was ignored so far by the runtime. This commit
fixes the issue by processing the annotation value (if present) and
translating it to the corresponding hypervisor configuration item.
Fixes#1523
Signed-off-by: Pavel Mores <pmores@redhat.com>
Parametr builtIn is not used in function updateRuntimeConfigAgent,
delete it from updateRuntimeConfigAgent and LoadConfiguration
function signature.
Fixes: #1731
Signed-off-by: bin <bin@hyper.sh>
It would be undesirable to be given an annotation like "/dev/null".
Filter out bad annotation values.
Fixes: #1043
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
For k8s emptyDir volume, a specific fsGroup would
be set for it, thus guest should get this fsGroup
from runtime and set it properly on the EphemeralStorage
volume in guest.
Fixes: #1580
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
For k8s emptyDir volume, a specific fsGroup would
be set for it, thus runtime should pass this fsGroup
for EphemeralStorage to guest and set it properly on
the emptyDir volume in guest.
Fixes: #1580
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Currently, if romfile field is empty, the commandline will
shows like below:
-device driver=virtio-net-pci,...,mq=on,vectors=4,romfile=
This does not make sense, just remove this field in commandline
Add unittest support.
Signed-off-by: Michael Qiu <qiudayu@huayun.com>
Currently we implement the Default trait for NamespaceType. It doesn't
really make sense to have a default for this type though - you really need
to know what type of namespace you're setting. In fact the Default
implementation is never used, so we can just drop it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We had some code that initialized a Uevent to the default value, then set
specific fields to various values. This can be accomplished inside the one
initialized using the ..Default::default() syntax. Making this change
stops clippy from complaining.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We have one place where we create an empty vector then immediately push
something into it. We can do this in one step using the vec![] macro,
which stops clippy complaining.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The various type implementing the UeventMatcher trait have new() methods
which return a Result<>, however none of them can actually fail. This is
a leftover from their development where some versions could fail to
initialize. Remove the unneccessary wrappers to silence clippy.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently these are in all-caps, to match typical capitalization of IPC,
UTS and PID in the world at large. However, this violates Rust's
capitalization conventions and makes clippy complain.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Clippy (in Rust 1.51 at least) has some complaints about this closure
inside execute_hook() because it uses explicit returns in some places
where it doesn't need them, because they're the last expression in the
function.
That isn't necessarily obvious from a glance, but we can make clippy happy
and also make things a little clearer: first we replace a somewhat verbose
'match' using Option::ok_or_else(), then rearrange the remaining code to
put all the error path first with an explicit return then the "happy" path
as the stright line exit with an implicit return.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
PathBuf is an owned, mutable Path. We don't need those properties in
get_value_from_cgroup() so we can use a Path instead. This may be slightly
safer, and definitely stops clippy (version 1.51 at least) from
complaining.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
DEFAULT_ALLOWED_DEVICES and DEFAULT_DEVICES are essentially global
constant lists. They're implemented as a lazy_static! initialized Vec
values.
The code to initialize them creates an empty Vec then pushes values
onto it. We can simplify this a bit by using the vec! macro. This
might be slightly more efficient, and it definitely stops recent
clippy versions (e.g. 1.51) from complaining about it.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Recent versions of clippy (e.g. in Rust 1.51) complain about a number
of names in the oci crate, which don't obey Rust's normal CamelCasing
conventions.
It's pretty clear that these don't obey the usual rules because they
are attempting to preserve conventional casing of existing acronyms
they incorporate ("VM", "POSIX", etc.). However, it's been my
experience that matching the case and name conventions of your
environs is more important than matching case with external norms.
Therefore, this patch changes all the identifiers in the oci crate to
match Rust conventions. Their users in the rustjail crate are updated
to match.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This comment appears to be connected specifically with this function, but
has some other items separating it for no particular reason. It also has
a typo. Correct both.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Functions in rustjail deal with both the local oci module's data structure
and the protocol::oci module's data structure. Since these both cover the
OCI container config they are quite similar and have many identically named
types.
To avoid conflicts, we import many things from those modules with altered
names. However the names we use oci* and grpc* don't fit the normal Rust
capitalization convention for types.
However by renaming the import of the 'protocols::oci' module itself to
'grpc', we can actually get rid of the many renames by just qualifying at
each use site with only a very small increase in verbosity. As a bonus
this gets rid of multiple 'use' items scattered through the file.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Do not close the tty as part of the stdout redirection routine.
The close is already happening a couple lines below, after all routines
have finished.
Fixes#1713
Signed-off-by: Julien Ropé <jrope@redhat.com>
The situation is not a IPC scene, pipe(2) is too heavy.
We have tokio::sync::watch::channel after tokio has been introduced.
The channel has better performance and easy to use.
Fixes: #1721
Signed-off-by: Tim Zhang <tim@hyper.sh>
Update:
- Make the type of errnoRet in oci.proto oneof
- Update seccomp_grpc_to_oci that can set errnoRet as EPREM if the
value is empty.
- Update the oci.pb.go based on the above fixes
- Add seccomp errnoRet and flags option to configs in rustjail
Fixes: #1719
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Occassional coredumps and OOMs observed on shutdown path due to improper
BH handling during aio cleanup in QEMU. Thankfully this has been fixed
in upstream already -- let's carry this patch.
Fixes: #1717
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Remove the prohibition of vhost-user devices on s390x, which are by now
supported (e.g. vhost-user-fs-ccw). As a consequence,
appendVhostUserDevice no longer needs an error in its signature.
This enables virtio-fs support on s390x.
Fixes: #1469
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Update GoVMM to get memory backend support for non-DIMM setups. This is
necessary for virtio-fs on s390x.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
register_memory_event_v2() includes a closure spawned as an async task
with tokio. At the end of that closure, there's a test for a closed fd
exiting if so. But this is right at the end of the closure when it was
about to exit anyway, so this does nothing.
This code was originally an explicit thread, converted to a tokio task
by 332fa4c "agent: switch to async runtime". It looks like there was an
error during conversion, where this logic was accidentally moved out of the
while loop above, where it makes a lot more sense.
Put it back into the loop.
fixes#1702
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Rather than relying on the system clock, use a channel timeout to avoid
problems if the system time changed.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fixed logic used to handle static agent tracing.
For a standard (untraced) hypervisor shutdown, the runtime kills the VM
process once the workload has finished. But if static agent tracing is
enabled, the agent running inside the VM is responsible for the
shutdown. The existing code handled this scenario but did not wait for
the hypervisor process to end. The outcome of this being that the
console watcher thread was killed too early.
Although not a problem for an untraced system, if static agent tracing
was enabled, the logs from the hypervisor would be truncated, missing the
crucial final stages of the agents shutdown sequence.
The fix necessitated adding a new parameter to the `stopSandbox()` API,
which if true requests the runtime hypervisor logic simply to wait for
the hypervisor process to exit rather than killing it.
Fixes: #1696.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Previously, the hypervisors were sending a signal and then checking to
see if the process had died by sending the magic null signal (`0`). However,
that doesn't work as it was written: the logic was assuming sending the
null signal to a process that was dead would return `ESRCH`, but it
doesn't: you first need to you `wait(2)` for the process before sending
that signal. This means that previously, all affected hypervisors would
appear to take `timeout` seconds to end, even though they had _already_
finished.
Now, the hypervisors true end time will be seen as we wait for the
processes before sending the null signal to ensure the process has
finished.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Refactored some of the hypervisors to remove the duplicated code used to
trigger a shutdown.
Also added some unit tests.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Currently runtime and agent special case virtio-blk devices under clh,
ostensibly because the PCI address information is not available in that
case.
In fact, cloud-hypervisor's VmAddDiskPut API does return a PciDeviceInfo,
which includes a PCI address. That API is broken, because PCI addressing
depends on guest (firmware or OS) actions that the hypervisor won't know
about. clh only gets away with this because it only uses a single PCI root
and never uses PCI bridges, in which case the guest addresses are
accurately predictable: they always have domain and bus zero.
Until https://github.com/kata-containers/kata-containers/pull/1190, Kata
couldn't handle PCI addressing unless there was exactly one bridge, which
might be why this was actually special-cased for clh.
With #1190 merged, we can handle more general PCI paths, and we can derive
a trivial (one element) PCI path from the information that the clh API
gives us. We can use that to remove this special case.
fixes#1431
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Change the "moo FAILURE" message shown in a couple of the unit tests to
"moo message". This means that searching for unrelated failures in the
test output by looking for "FAIL" won't show these messages as false
positives any more.
fixes#1683
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Instead of giving too many options, let's just mention the script and
rely on it entirely for the release.
This helps to simplify the document and have one well stablished
process.
Fixes: #1680
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
During the 2.1.0-alpha2 / 2.0.3 release, I had a hard time trying to
perform anything related to hub as the app token should be used instead
of the user password. Thankfully Carlos pointed me out to that
direction, but it'd be good to have it explicitly documented.
Fixes: #1680
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since we stopped building kata-containers packages as part of our
release process, there's no need to have an OBS account to be able to do
the release.
Fixes: #1680
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
With tracing enabled, grpc health check generates a large number of
spans which creates too much data for tasks running longer than a few
minutes. To solve this, remove span creation from kata agent check() and
sendReq() where the majority of the spans come from. Leave contexts in
functions for subsequent calls that create spans.
Fixes#1395
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
- release: Do not git add kata-{deploy,cleanup}.yaml for the tests repo
- kata-deploy: add runtimeclass that includes pod overhead
- release: automatically bump the version of the kata-deploy images
- Refine uevent matching conditions
- docs: update dev-guide to include fixes from 1.x
- virtcontainers: replace newStore by store in Sandbox struct
- agent: log the mount point if it is already mounted
- tools/agent-ctl: Update Cargo.lock
- agent: Rework the debug console
- oci: Update seccomp configuration
- kernel: update experimental kernel to 5.10.x
- kata-deploy: Fix `test-kata.sh` and do some small cleanups / improvements in the kata-deploy script
- github: Fix slash-command-action usage
- rustjail: fix the issue of missing default home env
- Make uevent watching mechanism more flexible
- ci/openshift-ci: Prepare to build on CentOS 8
- docs: update configuration for passing annotations in conatinerd
- Revert "github: Remove kata-deploy-test action"
- runtime: increase dial timeout
- qemu experimental: Move to latest tree on virtio-fs-dev (qemu 6.0 + DAX patches).
- github: Remove kata-deploy-test action
- agent: s390x statfs constants
- kernel: upgrade kernel to 5.10.x for arm64.
- Don't do anything in Pipestream::shutdown
- Fix fsgroup
- agent: Remove many "panic message is not string literal" warnings
- osbuilder: Update QAT Dockerfile with new QAT driver version
- osbuilder: update dockerfiles to utilize IMAGE_REGISTRY
- Only keep one VERSION file
- Dechat deruntime
- runtime: Format auto-generated client code for cloud-hypervisor API
- runtime: use concrete KataAgentConfig instead of interface type
- versions: Update cloud-hypervisor to release v0.14.1
- runtime: import runtime/v2/runc/options to decode request from Docker
- virtcontainers/fc: Upgrade Firecracker to v0.23.1
- docs: Remove ubuntu installation guide
- docs: Update snap install guide
- docs: update how-to-use-k8s-with-cri-containerd-and-kata.md
- Update install docs for Fedora and CentOS
- action: fix missing qemu tag
- Remove installation guides for SLE and openSUSE
- kernel: Enable OVERLAY_FS_{METACOPY,XINO_AUTO}
- versions: kernel 5.10.x
- virtcontainers: Fix missing contexts in s390x
- runtime: makefile allow override DAX value
11897248 release: Do not git add kata-{deploy,cleanup}.yaml for the tests repo
2b5f79d6 release: automatically bump the version of the kata-deploy images
8682d6b7 docs: update dev-guide to include fixes from 1.x
f444adb5 kata-cleanup: Explicitly add tag to the container image
12582c2f kata-deploy: add runtimeclass that includes pod overhead
d75fe956 virtcontainers: replace newStore by store in Sandbox struct
342eb765 tools/agent-ctl: Update Cargo.lock
24b0703f agent: fix test for the debug console
79033257 agent: async the debug console
8ea2ce9a agent/device: Remove legacy uevent matching
5d007743 agent/device: Refine uevent matching for pmem devices
9017e110 agent: start to rework the debug console
a59e07c1 agent/define: Refine uevent matching for virtio-scsi devices
484a3647 agent/device: Rework uevent handling for virtio-blk devices
7873b7a1 github: Fix slash-command-action usage
eda8da1e github: Revert "github: Remove kata-deploy-test action"
a938d903 rustjail: fix the issue of missing default home env
b0e4618e docs: update configuration for passing annotations in conatinerd
d43098ec kata-deploy: Adapt regex for testing kata-deploy
107ceca6 kernel: update experimental kernel to 5.10.x
ca4dccf9 release: Get rid of "master"
c2197cbf release: Use sudo to install hub
49eec920 agent: log the tag and mount point if it is already mounted
16f732fc ci/lib: Use git to clone the tests repository
9281e567 ci/openshift-ci: Add build root dockerfile
1cce9300 github: Remove kata-deploy-test action
0828f9ba agent/uevent: Introduce wait_for_uevent() helper
16ed55e4 agent/device: Use consistent matching for past and future uevents
4b16681d agent/uevent: Put matcher object rather than "device address" in watch list
b8b32248 agent/uevent: Consolidate event matching logic
d2caff6c agent: Re-organize uevent processing
55ed2ddd agent: Store uevent watchers in Vec rather than HashMap
91e0ef5c agent/uevent: Report whole Uevents to device watchers
36420054 agent: Store whole Uevent in map, rather than just /dev name
06162025 agent/device: Move GLOBAL_DEVICE_WATCHER into Sandbox
11ae32e3 agent/device: Fix path matching for PCI devices
4f608804 agent/device: Update test_get_device_name()
ee6a590d agent: add test test_pipestream_shutdown
4a2d4370 agent: don't do anything in Pipestream::shutdown
e3e670c5 agent/device: Forward port test for get_device_name() from Kata 1.x
ed08980f agent: Remove many "panic message is not string literal" warnings
f365bdb7 versions: qemu-experimental: 6.0~rc 470dd6
6491b9d7 qemu: Add support to build static qemu for dev tree
13653e7b runtime: increase dial timeout
935460e5 osbuilder: update dockerfiles to utilize IMAGE_REGISTRY
010d57f4 osbuilder: Update QAT Dockerfile with new QAT driver version
adb866ad kata-deploy: Adapt to the correct tag name
60adc7f0 VERSION: Use the correct form
a4c125a8 trace: move gRPC requests from debug to trace
50fff977 trace: move trace span chatter to trace rather than info
28bd8c11 kernel: upgrade kernel to 5.10.x for arm64.
6fe48329 runtime: use concrete KataAgentConfig instead of interface type
64939425 mount: fix the issue of missing set fsGroup
88e58a4f agent: fix the issue of missing pass fsGroup
572aff53 build: Only keep one VERSION file
0c38d9ec runtime: Fix the format of the client code of cloud-hypervisor APIs
52cacf88 runtime: Format auto-generated client code for cloud-hypervisor API
84b62dc3 versions: Update cloud-hypervisor to release v0.14.1
4a38ff41 docs: Update snap install guide
ede1ab86 docs: Remove ubuntu installation guide
6255cc19 virtcontainers/fc: Upgrade Firecracker to v0.23.1
2c47277c docs: update how-to-use-k8s-with-cri-containerd-and-kata.md
317f55f8 docs: Update minimum version for Fedora
1ce29fc9 docs: Update CentOS install docs
3f90561b docs: Update Fedora install docs
8a1c6c3f action: fix missing qemu tag
a9ff9c87 docs: Remove openSUSE installation guide
2888ceb0 docs: Remove SLE installation guide
09d454ac runtime: import runtime/v2/runc/options to decode request from Docker
0b502d15 runtime: makefile allow override DAX value
a65519b9 versions: keep using kernel 5.4.x for ARM
31ced01e virtcontainers: Fix missing contexts in s390x
52a276fb agent: Fix type for PROC_SUPER_MAGIC on s390x
5b7c8b7d agent: Update cgroups-rs to 0.2.5
c035cdb3 versions: kernel 5.10.x
660b0473 oci: Update seccomp configuration
8c1e0d30 kernel: Enable OVERLAY_FS_{METACOPY,XINO_AUTO}
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's teach `update-repository-version.sh` to automatically bump the
version of the kata-deploy images to be used within that release, when
running against the `kata-containers` repo.
Fixes: #1665
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This addresses a few gaps with respect to fixes in 1.x docs:
- Cleanup QEMU information in order to drop references to qemu-lite
- Make sure we include directions for debug console in case of QEMU
Fixes: #574
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
The property name make newcomers confused when reading code.
Since in Kata Containers 2.0 there will only be one type of store,
so it's safe to replace it by `store` simply.
Fixes: #1660
Signed-off-by: bin <bin@hyper.sh>
While performing a `make` in the top directory of the project, I've
noticed that agent-ctl's Cargo.lock file was not up-to-date.
Fixes: #1655
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
DevAddrMatcher existed purely as a transitional step as we refined the
uevent matching logic for each of the different device types we care about.
We've now done that, so it can be removed along with several related
pieces.
fixes#1628
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use the new uevent matching infrastructure to refine the matching for pmem
devices to something more pinned down to that device type. While we're
there, fix a few anciliary problems with get_pmem_device_name():
- The name is poor - the *input* to this function is the expected device
name, so the result isn't helpful, except that it needs to wait for the
device to be ready in the guest. Change it to wait_for_pmem_device() and
explicitly check that the returned device name matches the one expected.
- Remove an incorrect comment in nvdimm_storage_handler() (the only caller)
which appears to have been copied from the virtio-blk path, but then
become stale.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Current get_scsi_device_name() uses the legacy uevent matching which
isn't very precise. This refines it to use a specific matcher
implementation. While we're at it:
- No longer insist on the SCSI controller being under the PCI root.
It generally will be, but there's no particular reason to require
it.
The matcher still has a problem in that it won't work sensibly if
there are multiple SCSI busses in the guest. Fixing that requires
changes on the runtime side as well, though, so it's beyond scope for
this change.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There are some problems with get_pci_device_name():
1) It's misnamed: in fact it is only used for handling virtio-blk PCI
devices. It's also only correct for virtio-blk devices, the event
matching doesn't locate the "raw" PCI device, but rather the block
device created by virtio-blk as a child of the PCI device itself.
2) The uevent matching is imprecise. As all things using the legacy
DevAddrMatcher, it matches on a bunch of conditions used across several
different device types, not all of which make sense for virtio-blk pci
devices specifically.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
`/test-kata-deploy` command does **not** work, and the output returned
is:
```
Error: Comment didn't contain a valid slash command
```
So, why does this happen?
This is the regex used: `^\/([\w]+)\b *(.*)?$`, being the important part
of the command "\/([\w]+)\b", with the rest being arguments to it.
Okay, `\w` is the key here, as `\w` means: a-z, A-Z, 0-9, including the
_.
Our command is `/test-kata-deploy`, and `-` is not present as part of
`\w`. Knowing this we need to update the command to something like:
`/test_kata_deploy`
Fixes: #1645
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This partially reverts commit 1cce930071.
As mentioned in #1635, the malformed yaml wouldn't allow us to actually
test changes that were supposed to be test by this action.
So, this is now reverted and adapted accordingly.
Main differences from what we had before:
* As it tests kata-deploy itself, not the statically built binaries,
let's just use the binaries from 2.0.0 release;
* Adapt download and deploy location to the
`kata-containers/kata-containers` repo, as the original action was
based on 1.x repos;
Fixes: #1640
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
first get the "HOME" env from "/etc/passwd", if
there's no corresponding uid entry in /etc/passwd,
then set "/" as the home env.
Fixes: #1643
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
On commit 60f6315 we've started adding the specific version of the image
to be used, in order to ensure people using our content from a tarball
would be relying on the correct image.
However, later on, @bergwolf figured out it had some undesired side
effects, such as
https://github.com/kata-containers/kata-containers/runs/2235812941?check_suite_focus=true
What happens there is that the regular expression used to point the
image to a testing one doesn't take into consideration the $VERSION, and
that breaks the deployment.
Depends-on: github.com/kata-containers/kata-containers#1641
Fixes: #1632
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Relevant changes for experimental :
42d3e2d04 virtiofs: calculate number of scatter-gather elements accurately
413daa1a3 fuse: connection remove fix
bf109c640 fuse: implement crossmounts
1866d779d fuse: Allow fuse_fill_super_common() for submounts
fcee216be fuse: split fuse_mount off of fuse_conn
8f622e949 fuse: drop fuse_conn parameter where possible
24754db27 fuse: store fuse_conn in fuse_req
c6ff213fe fuse: add submount support to <uapi/linux/fuse.h>
d78092e49 fuse: fix page dereference after free
9a752d18c virtiofs: add logic to free up a memory range
d0cfb9dcb virtiofs: maintain a list of busy elements
6ae330cad virtiofs: serialize truncate/punch_hole and dax fault path
9483e7d58 virtiofs: define dax address space operations
2a9a609a0 virtiofs: add DAX mmap support
c2d0ad00d virtiofs: implement dax read/write operations
ceec02d43 virtiofs: introduce setupmapping/removemapping commands
fd1a1dc6f virtiofs: implement FUSE_INIT map_alignment field
45f2348ec virtiofs: keep a list of free dax memory ranges
1dd539577 virtiofs: add a mount option to enable dax
22f3787e9 virtiofs: set up virtio_fs dax_device
f4fd4ae35 virtiofs: get rid of no_mount_options
b43b7e81e virtiofs: provide a helper function for virtqueue initialization
Fixes: #1639
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
This doesn't make much difference for the automated process we have in
place, but makes a whole lot of difference for those trying to have the
binaries deployed locally.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
On commit 17e9a2cff5 it was introduced a guard for the case the mount point is already
mounted. Instead of log only the mount tag ("kataShared") with this change it will print
both tag and mount point path.
Fixes: #1398
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
On clone_tests_repo() use git instead of `go get` to clone and/or
update the tests repository.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This adds the dockerfile which is used by the OpenShift CI operator to build
the build root image. It is installed git as it is required by the operator
to clone repositories. The sudo package is also installed because many scripts
relies on the command but it is not installed by tests/.ci/setup_env_centos.sh.
Fixes#1636
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Currently the action is not running because it's broken, and it was
broken by 50fea9f.
Sadly, I cannot just test a fix on a PR as every single time we end up
triggering what's currently on main, rather than triggering the content
of the PR itself.
With this in mind, let me just remove the file and re-add it as part of
a new PR and, hopefully, have it tested in this way.
Sorry for the breakage, by the way.
Fixes: #1634
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
get_device_name() contains logic to wait for a specific uevent, then
extract the /dev node name from it. In future we're going to want similar
logic to wait on uevents, but using different match criteria, or getting
different information out.
To simplify this, add a wait_for_uevent() helper in the uevent module,
which takes an explicit UeventMatcher object and returns the whole uevent
found.
To make testing easier, we also extract the cut down uevent watcher from
test_get_device_name() into a new spawn_test_watcher() helper. Its used
for both test_get_device_name() and a new test_wait_for_uevent() amd will
be useful for more tests in future.
fixes#1484
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
get_device_name() looks at kernel uevents to work out the device name for
a given PCI (usually) address. However, when we call it we can't know if
the uevent we're interested in has already happened (in which case it will
have been recorded in Sandbox::uevent_map) or yet to come, in which case
we need to register to watch it.
However, we currently match differently against past and future events.
For past events we simply look for a sysfs path including the address, but
for future events we use a complex bit of logic in the is_match() closure.
Change it to use the exact same matching logic in both cases.
fixes#1397
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, Sandbox::uevent_watchers lists uevents to watch for by a
"device address" string. This is not very clearly defined, and is
matched against events with a rather complex closure created in
Uevent::process_add().
That closure makes a bunch of fragile assumptions about what sort of
events we could ever be interested in. In some ways it is too
restrictive (requires everything to be a block device), but in others
is not restrictive enough (allows things matching NVDIMM paths, even
if we're looking for a PCI block device).
To allow the clients more precise control over uevent matching, we
define a new UeventMatcher trait with a method to match uevents. We
then have the atchers list include UeventMatcher trait objects which
are used directly by Uevent::process_add(), instead of constructing
our match directly from dev_addr.
For now we don't actually change the matching function, or even use
multiple different trait implementations, but we'll refine that in
future.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The event matching logic in Uevent::process_add() is split into two parts.
The first checks if we care about the event at all, the second checks
whether the event is relevant to a particular watcher.
However, we're going to be adding more types of watchers in future, which
will make the global filter too restrictive. Fold the two bits of logic
together into a per-watcher filter function.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Uevent::process() is a bit oddly organized. It treats the onlining of
hotplugged memory as the "default" case, although that's quite specific,
while treating the handling of hotplugged block devices more like a special
case, although that's pretty close to being very general.
Furthermore splitting Uevent::is_block_add_event() from
Uevent::handle_block_add_event() doesn't make a lot of sense, since their
logic is intimately related to each other.
Alter the code to be a bit more sensible: first split on the "action" type
since that's the most fundamental difference, then handle the memory
onlining special case, then the block device add (which will become a lot
more general in future changes).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Sandbox:dev_watcher is a HashMap from a "device address" to a channel used
to notify get_device_name() that a suitable uevent has been found.
However, "device address" isn't well defined, having somewhat different
meanings for different device/event types. We never actually look up this
HashMap by key, except to remove entries.
Not looking up by key suggests that a map is not the appropriate data
structure here. Furthermore, HashMap imposes limitations on the types
which will prevent some future extensions we want.
So, replace the HashMap with a Vec<Option<>>. We need the Option<> so that
we can remove entries by index (removing them from the Vec completely would
hange the indices of other entries, possibly breaking concurrent work.
This does mean that the vector will keep growing as we watch for different
events during startup. However, we don't expect the number of device
events we watch for during a run to be very large, so that shouldn't be
a problem. We can optimize this later if it becomes a problem.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, when Uevent::handle_block_add_event() receives an event matching
a registered watcher, it reports the /dev node name from the event back
to the watcher.
This changes it to report the entire uevent, not just the /dev node name.
This will allow various future extensions. It also makes the client side
of the uevent watching - get_device_name() - more consistent between its
two paths: finding a past uevent in Sandbox::uevent_map() or waiting for
a new uevent via a watcher.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Sandbox::pci_device_map contains a mapping from sysfs paths to /dev entries
which is used by get_device_name() to look up the right /dev node. But,
the map only supplies the answer if the uevent for the device has already
been received, otherwise get_device_name() has to wait for it.
However the matching for already-received and yet-to-come uevents isn't
quite the same which makes the whole system fragile.
In order to make sure the matching for both cases is identical, we need the
already-received side to store the whole uevent to match against, not just
the sysfs path and device name.
So, rename pci_device_map to uevent_map and store the whole uevent there
verbatim.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In Kata 1.x, both the sysToDevMap and the deviceWatchers are in the sandbox
structure. For some reason in Kata 2.x, the device watchers have moved to
a separate global variable, GLOBAL_DEVICE_WATCHER.
This is a bad idea: apart from introducing an extra global variable
unnecessarily, it means that Sandbox::pci_device_map and
GLOBAL_DEVICE_WATCHER are protected by separate mutexes. Since the
information in these two structures has to be kept in sync with each other,
it makes much more sense to keep them both under the same single Sandbox
mutex.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For the case of virtio-blk PCI devices, when matching uevents we create
a pci_p temporary. However, we build it incorrectly: the dev_addr values
we use for PCI devices are a relative sysfs paths from the PCI root to the
device in question *including an initial /*. But when we construct pci_p
we add an extra /, meaning the resulting path will *not* match properly.
AFAICT the only reason we got away with this is because in practice the
virtio-blk devices where discovered by the kernel before we looked for them
meaning the loosed matching in get_device_name() was used, rather than the
pci_p logic in handle_block_add_event().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The current test_get_device_name(), ported from Kata 1.x doesn't really
reflect how the function is used in practice. The example path appears
to be for a virtio-blk device, but it's an s390 specific variant, not a
PCI device. The s390 form isn't actually supported by any of the existing
users of get_device_name().
Change it to a plausible virtio-blk-pci style path to better test how
get_device_name() will actually be used in practice.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The only right way to shutdown pipe is drop it
Otherwise PipeStream will conflict with its twins
Because they both have the same fd, and both registered.
Fixes: #1614
Signed-off-by: Tim Zhang <tim@hyper.sh>
Kata 1.x had a testcase for the equivalent getDeviceName function in Go,
this adapts it to Rust and adds it to Kata 2.x.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Rust 1.51 appears to have added a new warning in anticipation of Rust 2021,
which requires the format string for panic!()s (including via the various
assert!() macros) to be a string literal. This triggers quite a few times
in the agent code. This patch fixes them.
fixes#1626
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Update static build scripts to allow build qemu dev tree.
When qemu starts the process for a new version the patch number
from the qemu version is more than 50. Add logic to detect it
and not apply patches fro the base branch.
For example:
Qemu 5.2.50 means the beginning for 6.0 development. After detect a
development version, patches for 5.2.x will not be applied.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
On some setups, starting multiple kata pods (qemu) simultaneously on the same node
might cause kata VMs booting time to increase and the pods to fail with:
Failed to check if grpc server is working: rpc error: code = DeadlineExceeded desc = timed
out connecting to vsock 1358662990:1024: unknown
Increasing default dialing timeout to 30s should cover most cases.
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Fixes: #1543
While we introduced IMAGE_REGISTRY, we didn't actually update the
corresponding Dockerfiles to utilize it. Let's add
Fixes: #1622
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
This fixes the QAT driver version and provides a check early in the
building process to make sure the driver exists. It also provides
hints to users on how to fix themselves if the driver changes again.
Fixes: #1618
Signed-off-by: Eric Adams <eric.adams@intel.com>
Following what's been done in the past for 1.x repos, the version should
be 2.1.0-alpha1 (instead of 2.1-alpha1).
Fixes: #1617
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In Kata, we are getting a *lot* of logs at runtime from QMP, in particular `read from QMP: xxxx`
Ideally we'd set this to only be visible for trace, but I did not see this working when adding a
V(7) check around these prints. To avoid filling journal with info that isn't useful, let's drop.
Fixes: #165
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
There are many requests to the agent that happen with relatively
high frequency when a workload is running (checkRequest, as an example).
Let's move from Debug to Trace to avoid bombarding journal.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
In kernel 5.10.x on arm64 side, When CONFIG_RANDOM_BASE is enabled,
physical base address can be a negative number. It may lead to bug
when a PA is taken as a unsigned number in comparison, as PA is
calculated based on the physical base address. The bug has been fixed
latest code by commit ee7febce051945be2 in memory hotplug zone. We can
eliminate the bug in an easy way by casting the PA as a signed value in
the current code base to avoid lots of backport.
Depends-on: github.com/kata-containers/tests#3388
Fixes: #1596
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
For k8s emptyDir volume, a specific fsGroup would
be set for it, thus guest should get this fsGroup
from runtime and set it properly on the emptyDir volume
in guest.
Fixes: #1580
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
For k8s emptyDir volume, a specific fsGroup would
be set for it, thus runtime should pass this fsGroup
to guest and set it properly on the emptyDir volume
in guest.
Fixes: #1580
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Instead of having different VERSION files spread accross the project,
let's always use the one in the topsrcdir and remove all the others,
keeping only a synlink to the topsrcdir one.
Fixes: #1579
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This patch extends the current process of generating client code for
cloud-hypervisor API with an additional step, `go-fmt`, which will remove
the generated `client/go.mod` file and format all auto-generated code.
Fixes: #1606
Signed-off-by: Bo Chen <chen.bo@intel.com>
Highlights for cloud-hypervisor version 0.14.0 include: 1) Structured
event monitoring; 2) MSHV improvements; 3) Improved aarch64 platform; 4)
Updated hotplug documentation; 6) PTY control for serial and
virtio-console; 7) Block device rate limiting; 8) Plan to deprecate the
support of "LinuxBoot" protocol and support PVH protocol only.
Highlights for cloud-hypervisor version 0.13.0 include: 1) Wider VFIO
device support; 2) Improve huge page support; 3) MACvTAP support; 4) VHD
disk image support; 5) Improved Virtio device threading; 6) Clean
shutdown support via synthetic power button.
Details can be found:
https://github.com/cloud-hypervisor/cloud-hypervisor/releases
Note: The client code of cloud-hypervisor's OpenAPI is automatically
generated by `openapi-generator` [1-2]. As the API changes do not
impact usages in Kata, no additional changes in kata's runtime are
needed to work with the latest version of cloud-hypervisor.
[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.mdFixes: #1591
Signed-off-by: Bo Chen <chen.bo@intel.com>
As this repo is specific to the kata-containers 2.x, let's stop
mentioning / referring to the 1.x here, including how to setup and use
the snap package for 1.x.
Fixes: #1601
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The installation guide points to 1.x packages from OBS. For 2.x we
decided to stop building packages on OBS in favour of advertising
kata-deploy.
Apart from this, Ubuntu itself doesn't provide packages for
kata-containers.
Fixes: #1588
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This patch upgrades Firecracker version from v0.21.1 to v0.23.1
* Generate swagger models for v0.23.1 (from firecracker.yaml)
* Change uint64 types in TokenBucket object according to rate-limiter
implementation (introduced in commit #cfeb966)
* Update Firecracker Logger/Metrics to support the new API
* Update payload in fc.vmRunning to support the new API
* Add Metrics type to fcConfig
Fixes: #1518
Signed-off-by: Orestis Lagkas Nikolos <olagkasn@nubificus.co.uk>
Update how-to-use-k8s-with-cri-containerd-and-kata.md to fit the latest
Kubernetes way.
And also changed CNI plugin from flannel to bridge, that will be easy to run.
Fixes: #1325
Signed-off-by: bin <bin@hyper.sh>
There are two changes here. There first one being relying on the
`centos-release-advanced-virtualization` package instead providing the
content of the repo ourselves; and the second one being installing
`kata-containers` (2.x) instead of the `kata-runtime` one (1.x).
Fixes: #1583
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The package to be installed on Fedora is `kata-containers` instead of
`kata-runtime`. The difference being `kata-runtime` is the 1.x package,
while `kata-containers` is the 2.x one.
Fixes: #1582
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The content of the openSUSE installation guide is related to the 1.x
packages, as openSUSE doesn't provide katacontainers 2.x packages.
Fixes: #1585
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The content of the SLE installation guide is related to the 1.x
packages, as SUSE doesn't provide katacontainers 2.x packages.
Fixes: #1586
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Shimv2 protocol CreateTaskRequest.Options has a type of *google_protobuf.Any.
If the call is from Docker, to decode the request,
the proto types(github.com/containerd/containerd/runtime/v2/runc/options)
should be imported.
Fixes: #1576
Signed-off-by: bin <bin@hyper.sh>
- test: install mock hook binary before test
- cgroups: fix the issue of get wrong online cpus
- build: remove unused variables from Makefile
- container: on cleanup, rm container directory for mounts path
- runtime: add support for QEMU 6
- agent: Enable clean shutdown
- runtime: fix virtiofsd RO volume sharing
- runtime: update virtcontainers API documentation
- runtime: Fix trace span ordering and static checks
- fix runtime UTs and enable static check
- kata-deploy: Use the correct tag for 2.1-alpha1 release
- ci: fix virtiofs-experimental build
- Verify container ID
- rustjail: rework execute_hook
- agent: Allow server address to be specified on kernel command-line
- agent: disconnect rpc get_oom_event when destroy_sandbox.
- docs: Update QAT instructions to work with Kata 2.0 repos
- agent: Update Cargo.lock for earlier dependency change
- osbuiler: fixing USE_DOCKER for ppc64le
- agent: Fix unused import warning in unit tests
- [forwardport] Fixup systemd cgroup handling
- runtime: Fix ordering of trace spans
- runtime: add support for readonly sandbox bindmounts
- Bump to QEMU 5.2.0 - respin
- runtime: return hypervisor Pid in TaskExit event
- agent: makefile: Add codecov target
- Bump to QEMU 5.2.0
- exec: ensure sup groups are added to agent request
- rustjail: fix the issue of home_dir function
- osbuilder: Port QAT Dockerfile to 2.0 repo
- agent-ctl: Unbreak build
- rustjail: fix the issue of bind mount device file from guest
- musl/arm64: decompression before use the tarball.
- osbuilder/arm64: build musl toolchain from source code if needed
- runtime: Fix missing 'name' field on containerd-shim-v2 logs
- agent: don't error of virtiofs share is already mounted
- shimv2: return the hypervisor's pid as the container pid
- runtime: check if error loading runtime config
- agent: fix clippy for rustc 1.5
- agent: Upgrade tokio to 1.2.0
- rustjail: fix blkio conversion
- agent: Agent invokes OCI hooks with wrong PID
- kata-deploy: stop mentioning qemu-virtiofsd, as the default qemu supports virtiofsd already (plus some cleanups)
- agent: Stop receive message from Receiver if got None
- Remove "Docker" & "[kata] runtime" references from the release scripts & process documentation
- kata-deploy: Ensure CRI-O uses shimv2 & the "vm" runtime type
- makefile: agent: Add self documented help
- runtime: connect guest debug console bypass kata-monitor
- Clean up PCI path handling
- runtime: Create tracer later in shimv2
- Agent: OCI hooks return malformed json
- osbuilder: Allow image registry to be customizable
- docs: Update licensing strategy to use kata 2.0 repository
- runtime: clh-config: add runtime hooks to the clh toml
- Fix Snap CI
- runtime: cpuset: when creating container, don't pass cpuset details
- agent: Remove bogus check from list_interfaces() unit test
- cli: Add aliases for `kata-` options
- github: Only run kata-deploy-test on pull-requests
- docs: Fix the installation directory of virtiofsd
- osbuilder: Fix USE_DOCKER on s390x
- Add katacontainers end-to-end arch image
- Build for glibc on s390x
- packaging: Fix vmlinux kernel install on s390x
- ci: Upgrade to yq 3.4.1
- kernel: Don't fail if "experimental" dir doesn't exist
- kata-deploy: Remove kata-deploy-docker.sh
- runtime: migrate from opentracing to opentelemetry
- rustjail: use rlimit crate
- rustjail: get all capabilities dynamically
- agent: README update to install protoc for ppc64le
- qemu: Add security fixes for CVE-2020-35517
- Fix lints and remove allow attributes which silence these warnings
- arm64: enable acpi for qemu/virt.
- osbuilder: Enforcing LIBC=gnu to rootfs build for ppc64le
- Fix async problems
- kata-monitor: set buildmode to exe to avoid build failing
- osbuilder: add description for how to use DISTRO variable
- kata-monitor: allow for building for alpine
- shimv2: log a warning and continue on post-stop hook failure
- kernel: Updates to kernel config for ppc64le
- agent: add secure_join to prevent softlink escape
- rustjail: fix the issue of container's cgroup root path
- osbuilder: remove traces of cmake
- versions: Update cloud-hypervisor to release v0.12.0
- clh: Use vanilla kernel.
- osbuilder: miscelaneous fixes/improvements
- branch: change 2.0-dev to main
- snap: Don't release Kata Alpha/RC in snap store
- Migrate to rtnetlink
- agent: Add underscore for constants
- github: Update ubuntu version to 20.04
- agent: implement NVDIMM/PMEM block driver
- rustjail: fix the issue of missing destroy contaienr cgroups
- agent: switch to async runtime
9a4e866 container: on cleanup, rm container directory for mounts path
48e5e4f test: install mock hook binary before test
1d44881 uevent: Add shutdown channel for task
d8d5b4c signal: Move to a new module
011f7d7 logging: Rework for shutdown
7d5f88c agent: Enable clean shutdown
dcb39c6 main: Create logger task
2cf2897 main: Use task list for stopping tasks
039df1d main: Refactor main logic into new async function
2a648fa logging: Use guard to make threaded logging safe
38f0d8d config: Fix assert_error testing macro
3f46e63 cgroups: fix the issue of getting wrong online cpus
e349244 runtime: fix virtiofsd RO volume sharing
532ff7c runtime: update virtcontainers API documentation
6fcfea8 runtime: Fix static check errors
f3ebbb1 runtime: Fix trace span ordering
5a3ee7d snap: Use qemu.version to build snap
0f78a5d kernel: rename exeperimental kernel symlink.
f791052 qemu: Build experimental qemu.
1555bfd runtime: add support for QEMU 6
fc0f93a actions: enable unit tests in PR check
74192d1 runtime: fix static check errors
a2dee1f runtime: fix vm factory UT failure
076bc50 agent-ctl: update Cargo.lock
0153f76 runtime: gofmt code
60f6315 kata-deploy: Use the correct tag for 2.1-alpha1 release
b0e51e5 qemu: Improve cache build
bc587da qemu: Add suffix for qemu binaries.
5493517 qemu: add CACHE_TIMEOUT
98d01ce qemu: Apply patches for specific versions.
190f813 runtime/katautils: PFlash should be initialized
b2ec5a4 runtime: fix cleanupSandboxBindMounts panic
9b689ea runtime/cli: fix TestMainBeforeSubCommandsLoadConfigurationFail failure
8e71c4f runtime: fix missing context argument in mocked sandbox APIs
8ff62be runtime: fix vcmock build failure
0e4b28e rustjail: rework execute_hook
a09e58f packaging: Use local file for assets.
451b45f agent: Make use of test consts for error messages
8c4d334 agent: disconnect rpc get_oom_event when destroy_sandbox.
07cfa4c qemu: patches: Fail if not patches directory
e221c45 versions: Update qemu database
5abdd2a qemu: move 5.0.0 patches to its own dir.
259c179 docs: Update QAT instructions to work with Kata 2.0 repos
34e7d5e agent: Validate CID
b265870 runtime: Validate CID
12e9f7f runtime: Add missing test mock function
ea51c17 agent: Allow server address to be specified on kernel command-line
4bf84b4 runtime: Add contexts to calls in unit tests
9e4932a runtime: use root span for shimv2 tracing
6b0dc60 runtime: Fix ordering of trace spans
3a77e4e build: remove unused variables from Makefile
d7cb3df cgroups: Add systemd detection when creating cgroup manager
f659871 cgroups: remove unused SystemdCgroup variable and accessor/mutators
b0e966c agent: Fix unused import warning in unit tests
d5a9d56 agent: Update Cargo.lock for earlier dependency change
0f7950f packaging: configure QEMU with -O2
224c50f snap: Package virtiofsd and fix path
f0d4985 exec: ensure sup groups are added to agent request
b034458 runtime: return hypervisor Pid in TaskExit event
81607e3 rustjail: fix the issue of home_dir function
c258ea2 agent-ctl: Function parameter cleanup
fcd45de agent-ctl: Unbreak build
efe625d build: Remove whitespace
48ed8f3 runtime: add support for readonly sandbox bindmounts
7ae349c agent: makefile: Add codecov target
f580d33 musl/arm64: decompression before use the tarball.
2da058e osbuild: build musl toolchain from source if needed
6417067 osbuilder: Port QAT Dockerfile to 2.0 repo
85601cd snap: Update for QEMU 5.2.0
88cef33 versions: update QEMU to 5.2.0
21bdaaf runtime: Fix missing 'name' field on containerd-shim-v2 logs
74a893f packaging: Refactor version comparisons on configure-hypervisor.sh
34dc861 rustjail: fix the issue of bind mount device file from guest
0f70983 runtime: check if error loading runtime config
6f72076 agent: fix clippy for rustc 1.5
4a21472 agent: Fix test
02079db agent: upgrade tokio to 1.0
a42dc74 agent: Agent invokes OCI hooks with wrong PID
17e9a2c agent: don't error of virtiofs share is already mounted
947913f agent/protocols: Remove cargo:rerun-if-changed in build.rs
bc0ac52 shimv2: return the hypervisor's pid as the container pid
10ed3da release: Rename runtime-release-notes to release-notes
f5dab6a release: We're not compatible with Docker.
2c8ea0a kata-deploy: Add copyright to the kata-deploy's Dockerfile
4e494e3 packaging: Remove NEMU mentions
f21c54a kata-deploy: QEMU, for 2.x, already includes virtiofs
657bd78 kata-deploy: Get rid of references to the docker script
dcea086 rustjail: fix blkio conversion
bc34cbb agent: Stop receive message from Receiver if got None
01481d6 kata-deploy: Ensure CRI-O uses the VM runtime type
d1c7173 kata-deploy: Move the containerd workarounds to their own functions
5013634 kata-deploy: Stop shipping kata-{clh,fc,qemu,qemu-virtiofs} binaries
2270f19 kata-deploy: Update README to reflect the current distributed artifacts
a494c4d makefile: agent: Add self documented help
72cb928 vhost-user-blk: Use PciPath type for vhost user devices
74f5b5f runtime/block: Use PciPath type through block code
32b40f5 runtime/network: Use PciPath type through network handling
87c5823 agent/device: Add unit test for pcipath_to_sysfs()
066ce7a agent/device: Pass root bus sysfs path to pcipath_to_sysfs()
fda48a9 agent/device: Use pci::Path type, name things consistently
c12b86d agent/device: Generalize PCI path resolution to any number of bridges
3715c57 agent/device: Rename and clarify semantics of get_pci_device_address()
7e92831 protocols: Update PCI path names / terminology in agent protocol def
8e5fd8e runtime: Introduce PciSlot and PciPath types
7464d05 agent: PCI path type
b22259a agent: PCI slot type
8c2f9e6 gitignore: Ignore *~ editor backup files
b412e15 osbuilder: Port QAT Dockerfile to 2.0 repo
5096103 osbuiler: fixing USE_DOCKER for ppc64le
a44b272 runtime: Create tracer later in shimv2
49bdbac osbuilder: Allow image registry to be customizable
fdc573d docs: Update licensing strategy to use kata 2.0 repository
2e2749a runtime: clh-config: add runtime hooks to the clh toml
ef72926 ci: snap: run snap CI on every pull request
919d512 snap: fix kernel setup
d054841 ci: snap: build targets that not need sudo first
a115338 ci: snap: define proxy variables
df14d38 Agent: OCI hooks return malformed json
3721351 runtime: cpuset: when creating container, don't pass cpuset details
c9c7c12 agent: Remove bogus check from list_interfaces() unit test
cb6d2f3 osbuilder: alphabetize fields
056d742 docs: Update documentation with new prefixless config options
fdcde79 cli: use new prefixless config options in tools scripts
02ee8b0 cli: Add aliases for kata- options
c6bc43b docs: Fix broken link to fluentbit.io docs
20b27a1 docs: Fix the installation directory of virtiofsd
11fe6a3 osbuilder: Fix USE_DOCKER on s390x
10f1c30 kata-runtime: use filepath.Join() to compose file path
f4ae9c8 docs: Update Developer-Guide.md
9963428 docs: update document for using debug console
44cde6e runtime: connect guest debug console bypass kata-monitor
3406502 runtime: add jaeger configuration items
fbab262 kernel: Don't fail if "experimental" dir doesn't exist
e1dce3a rustjail: use rlimit crate
8045104 ci: Upgrade to yq 3.4.1
3d3e4dc packaging: Fix vmlinux kernel install on s390x
a252d86 rustjail: get all capabilities dynamically
62cbaf4 kata-deploy: Remove kata-deploy-docker.sh
50fea9f github: Only run kata-deploy-test on pull-requests
b548114 qemu: Add security fixes for CVE-2020-35517
11680ef agent: README update to install protoc for ppc64le
f16ab49 agent: fix non_camel_case_types lint and stop hiding the warning
8ffe4d6 agent: fix unused_parens lint and stop hiding the warning
f70ca69 agent: remove #![allow(unused_unsafe)]
e28bf7a agent: fix dead_code lint
05da23a agent: fix non_snake_case lint and remove ![allow(non_snake_case)]
afb4197 osbuilder: Build for glibc on s390x
a1cedc5 agent: Build for glibc on s390x
9f237aa docs: add katacontainers end-to-end arch image
254b98d rustjail: fix unit test test_process
b25575b agent: remove crate signal-hook which are no longer used
b1880b3 rustjail: remove unnecessary #[async_trait]
83e9414 rustjail: add unittest test_execute_hook
d204100 rustjail: close stdin in execute_hook after it was sent
bb08131 rustjail: fix fork/child in execute_hook
17df9b1 runtime: migrate from opentracing to opentelemetry
71aeb92 osbuilder: updates for feedback
8e2b19a osbuilder: add description for how to use DISTRO variable
b6c2a60 kata-monitor: set buildmode to exe to avoid build failing
9f7a7a4 osbuilder: Enforcing LIBC=gnu to rootfs build for ppc64le
a88b896 kernel: Updates to kernel config for ppc64le
b7a1f75 arm64: enable acpi for qemu/virt.
448771f rustjail: fix the issue of container's cgroup root path
fd39f0f osbuilder: Add "Agent init" on terms glossary
e111093 agent: add secure_join to prevent softlink escape
1273e48 osbuilder: Fix urls to repositories
ba9fa49 osbuilder: Use Fedora and CentOS registries
c2d14cd versions: Update cloud-hypervisor to release v0.12.0
0e57393 shimv2: log a warning and continue on post-start hook failure
e7043fe shimv2: log a warning and continue on post-stop hook failure
3718df6 osbuilder: Remove leftover pieces related to cmake
d1bf829 kernel: ACPI: Always build evged for stable kernel
6f3d591 clh: Use vanilla kernel.
fd5592d branch: change 2.0-dev to main
2b880d2 snap: Don't release Kata Alpha/RC in snap store
14a63cc agent: Add underscore for constants
fa93831 agent: Address linter and tests
96762ab agent: Remove old netlink crate
0ea8243 github: Update ubuntu version to 20.04
33367be agent: Integrate netlink
23f3aef agent: Implement new netlink module
12551de agent: implement NVDIMM/PMEM block driver
6abb1be rustjail: fix the issue of missing destroy contaienr cgroups
fe67f57 agent: set edition = "2018" in .rustfmt.toml to fix rustfmt about async fn
df68771 agent-ctl: Update ttrpc to 0.4.14 for agent-ctl
37e285b agent: Make debug console async
f3bd439 agent: fix tests for async functions
9f79ddb agent: use tokio Notify instead of epoll to fix#1160332fa4c agent: switch to async runtime
5561755 agent: Initial switch to async runtime
2f1cb79 kata-monitor: allow for building for alpine
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
ARM CI fails with new kernel. Lets use 5.4.x until
fixed.
Depends-on: github.com/kata-containers/tests#3363
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
A wrong path was being used for container directory when
virtiofs is utilized. This resulted in a warning message in
logs when a container is killed, or completes:
level=warning msg="Could not remove container share dir"
Without proper removal, they'd later be cleaned up when the shared
path is removed as part of stopping the sandbox.
Fixes: #1559
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
getExpectedHostDetails did not offload any work to
genericGetExpectedHostDetails on s390x. By using that function, much
redundant code can be saved. This also resolves 2 issues with the
previous version:
- The number of CPUs was not calculated.
- vcUtils.SupportsVsocks() still used the Kata v1 signature.
Fixes: #1564
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
#1389 has added a context for many signatures to improve trace spans.
Functions specific to s390x lack this. Add context where required. This
affects some common code signatures, since some functions that do not
require context on other architectures do require it on s390x.
Also remove an unnecessary import in test_qemu_s390x.go.
Fixes: #1562
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
statfs f_types are long on most architectures, but not on s390x, where
they are uint. Following the fix in rust-lang/libc at
https://github.com/rust-lang/libc/pull/1999, the custom defined
PROC_SUPER_MAGIC must be updated in a similar way.
Fixes: #1204
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
`make test` depends mock hook in virtcontainers directory,
before test, install it first.
And also run test as normal user and root in GitHub actions.
Fixes: #1554
Signed-off-by: bin <bin@hyper.sh>
Some architectures and setups do not support DIMM/NUMA. However, they
can still use memory backends, provided a memory backend of the same ID
is specified under -machine. This was introduced in QEMU 5.0. Enable
this functionality in appendMemoryKnobs.
Fixes: #160
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Move the signal handling code into a new module and refactor into the
main handler and a new SIGCHLD handling function to make the code
simpler and easier to understand.
Also added a unit test for shutdown.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Make changes to logger thread to allow the logger to be replaced with
a NOP logger (required for agent shutdown).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The agent doesn't normally shutdown: it doesn't need to be as it is
killed *after* the workload has finished. However, a clean and ordered
shutdown sequence is required to support agent tracing, since all trace
spans need to be completed to ensure a valid trace transaction.
Enable a controlled shutdown by allowing the main threads (tasks) to be
stopped.
To allow this to happen, each thread is now passed a shutdown channel
which it must listen to asynchronously, and shut down the thread if
activity is detected on that channel.
Since some threads are created for I/O and since the standard `io::copy`
cannot be stopped, added a new `interruptable_io_copier()` function
which shares the same semantics as `io::copy()`, but which is also
passed a shutdown channel to allow asynchronous I/O operations to be
stopped cleanly.
Fixes: #1531.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Encapsulate the logic for handling the task that displays logger output
into a new function to simplify the code and remove another anonymous
async block.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Maintain a list of tasks and wait on them all before main returns.
This is preparatory work for the agent shutdown: all tasks that are
started need to be added to the list. This aggregation makes it easier
to identify what needs to stop before the agent can exit cleanly.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Move most of the main logic into a separate async function. This makes
the code clearer and avoids the anonymous async block.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Return a guard variable from `create_logger()` which the caller can
implicitly drop to guarantee that all threads started by the async log
drain are stopped.
This fixes a long-standing bug [1] whereby the agent could panic with
the following error, generated by the `slog` logging crate:
```
slog::Fuse Drain: Custom { kind: Other, error: "serde serialization error: Bad file descriptor (os error 9)" }
```
[1] - See https://github.com/kata-containers/kata-containers/issues/171.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fixed the `assert_error!()` test macro so that it correctly handles the
scenario where the test expects an error, but the actual result was `Ok`
(no error).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
It's better to get the online cpus from
"/sys/devices/system/cpu/online" instead of from
cpuset cgroup, cause there would be an latency
between one cpu online and present in the root
cpuset cgroup.
Fixes: #1536
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Right now we rely heavily on mount propagation to share host
files/directories to the guest. However, because virtiofsd
pivots and moves itself to a separate mount namespace, the remount
mount is not present in virtiofsd's mount. And it causes guest to be
able to write to the host RO volume.
To fix it, create a private RO mount and then move it to the host mounts
dir so that it will be present readonly in the host-guest shared dir.
Fixes: #1552
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Linux 5.10.x is the new LTS branch, move
kata to a more recent kernel branch.
Fixes: #1288
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Split qemu script to build qemu experimental using
same dockerfile.
Fixes: #1421
Depends-on: github.com/kata-containers/tests#3255
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
It turns out we have managed to break the static checker in many
difference places with the absence of static checker in github action.
Let's fix them while enabling static checker in github actions...
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Let's ensure we use the appropriate tag for the release, even before it
was actually created.
Fixes: #1493
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add arguments and files as needed, if only of them
changes the build will start from the change and
not from scratch.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Add docker ARG to provide a date to invalid cache, if the date changes
the image will be rebuild. This is required to keep build dependencies
with security fixes, but still take advantage of build qemu faster using
docker cache.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Today we apply patches per base branch. Having
two qemu versions in a similar base version can make
can have problems if one of the trees already has a patch.
If a patch is needed only for one specific tag/commit
add only the patch to that version.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
newQemuHypervisorConfig() sets it to an empty slice. We have to set the
same in the test config otherwise it is nil and reflect DeepEqual would
fail.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/vcmock
virtcontainers/pkg/vcmock/container.go:19:10: cannot use c.MockSandbox
(type *Sandbox) as type virtcontainers.VCSandbox in return argument:
*Sandbox does not implement virtcontainers.VCSandbox (missing
GetHypervisorPid method)
github.com/kata-containers/kata-containers/src/runtime/pkg/katautils
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When kata used multiple repositories, versions file was
downloaded. This is not needed anymore as the file is part
of the same repository.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Make use of the `const` values for error messages that were previously
only used for the unit tests. This guarantees consistency.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fail if not patches directory is found. Help to prevent
build a new qemu version with missing patches.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Only use 'version' key to build qemu..
The version could be used as any valid target:
branch, tag or commit.
Using different keys to build is confusing.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Some patches has conflicts with old experimental kernel. Move patches to its own specific version.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
This fixes the guide to work with the Kata 2.0 repos and provide more
details on how to verify with ctr and kubernetes.
Fixes: #1362
Signed-off-by: Adams, Eric <eric.adams@intel.com>
Validate the container ID as we cannot / should not rely on the
container manager / runtime to do this.
Fixes: #1520.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Validate the container ID as we cannot rely on the container manager
doing this.
Fixes: #1520.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
To make debugging and testing easier, allow the ttRPC server address to
be specified via `/proc/cmdline` as `agent.server_addr=`.
Fixes: #1516.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Modify calls in unit tests to use context since many functions were
updated to accept local context to fix trace span ordering.
Fixes#1355
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add rootCtx to service struct in shimv2 to use as parent of spans
created in shimv2 for a more organized trace ouput.
Fixes#1355
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
A significant number of trace calls did not use a parent context that
would create proper span ordering in trace output. Add local context to
functions for use in trace calls to facilitate proper span ordering.
Additionally, change whether trace function returns context in some
functions in virtcontainers and use existing context rather than
background context in bindMount() so that span exists as a child of a
parent span.
Fixes#1355
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Some variable are initialized in the Makefile, but never used.
Removing them to clean up the Makefile.
Fixes: #1003
Signed-off-by: Julien Ropé <jrope@redhat.com>
Commit 81607e34 updated src/agent/rustjail/Cargo.toml, to remove an
unneeded dependency. That causes cargo to update src/agent/Cargo.lock
on each build. However, the change to Cargo.lock wasn't checked in
meaning anyone working on the agent code will get bogus diffs with every
build. Check in the missing file to fix this.
fixes#1505
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the the configure-hypervisor.sh doesn't set any optimization flag when
compiling QEMU >= 5.2.0 since the configure script will implicitly set -O2 on Ubuntu. But
on other environments, for example CentOS 7, it won't be set any optimization and this
results on the compiler warn:
# warning _FORTIFY_SOURCE requires compiling with optimization (-O)
To avoid this inconsistent behavior across different build environments, let's explicitly
set the -O2 flag.
Reported-by: Eric Ernst <eric.g.ernst@gmail.com>
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This contain to fixes for the virtiofsd on snap:
* removed the "-/usr/libexec" so that virtiofsd is copied to prime
* The configuration.toml expects virtiofsd in /usr/libexec/kata-qemu so it should be passed "kata-qemu"
to configure_hypervisor.sh script and it wil configure to install the executable onto the right directory.
Fixes#1238
Depends-on: github.com/kata-containers/kata-containers#1349
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Extra groups were not being handled when exec'ing. Ensure
that these are handled.
Before this, running a pod with:
```
...snippet...
securityContext:
fsGroup: 266
runAsGroup: 51020
runAsUser: 264
```
And then exec'ing would not supply the fsGroup:
```
$ kubectl exec -it kata-bb -- sh -c id
uid=264 gid=51020
```
Fixes: #1500
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Since the crate dirs::home_dir function depends on the
libc's api: getpwuid_r, but this api function wouldn't
be static linked on glibc, thus we'd better to figure
out an alternative way to get the home dir from /etc/passwd.
For much more info about this glibc's issue, please see:
https://sourceware.org/bugzilla/show_bug.cgi?id=19341.
This commit read and parse the "/etc/passwd" directly and
fetch the corresponding uid's home dir.
Fixes: #675
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Remove unused function parameters from the following types:
- `AgentCmdFp`: Removed the config parameter and made
the context parameter the first (à la golang).
- `BuiltinCmdFp`: Removed the config and options parameters.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The recent switch to an async rust agent broke the `agent-ctl` tool.
However, we didn't notice because that isn't being built by the CI.
Fix the breakage by passing a ttRPC context to all ttRPC API calls and
also build the tool as part of the static checks CI.
Fixes: #1471.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
If specified, sandbox_bind_mounts identifies host paths to be
mounted (ro) into the sandboxes shared path. This is only valid
if filesystem sharing is utilized.
The provided path(s) will be bindmounted (ro) into the shared fs directory on
the host, and thus mapped into the guest. If defaults are utilized,
these mounts should be available in the guest at
`/var/run/kata-containers/shared/containers/sandbox-mounts`
These will not be exposed to the container workloads, and are only
added for potential guest-services to consume (example: expose certs
into the guest that are available on the host).
Fixes: #1464
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Add target to run codecov report locally.
Useful to identify what are the missing lines
to be covered by unit test.
Fixes: #1487
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Currently, musl toolchain installation on arm64 is just downloading from
a website. It's unsafe in case the website corrupts. So build musl
toolchain from source if it can't be downloaded.
Fixes: #1481
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Update the Intel QAT Dockerfile to work with the 2.0 repos, fix some
bugs with building Debian/Ubuntu rootfs, and update the latest QAT
driver. Updated copyright.
Fixes: #1419
Signed-off-by: Adams, Eric <eric.adams@intel.com>
QEMU 5.2.0 needs ninja-build package installed on the build environment.
The default-configs were copied to $QEMU_SRC/default-configs but that does
take any effect, so instead it is now copied to $QEMU_SRC/default-configs/devices
and the configs for i386 were updated.
Also it had to change some arguments being passed to configure as Meson was failing
due inconsistent paths:
./meson.build:1:0: ERROR: The value of the 'libdir' option is '/usr/lib/qemu' which must be a subdir of the prefix '/snap/kata-containers/current/usr'.
Note that if you pass a relative path, it is assumed to be a subdir of prefix.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This change the version of QEMU used in the tests and CI.
The scripts/configure-hypervisor.sh was changed so that:
- Passing the `--enable-virtiofsd` flag
- Do not compiling with -O3 to avoid the warning:
Program python3 found: YES (/usr/bin/python3)
../meson.build:104: WARNING: Consider using the built-in optimization level instead of using "-O3".
../meson.build:108: WARNING: Consider using the built-in optimization level instead of using "-O3".
The qemu.blacklist files was changed so that new and uneeded firmware files are removed from the
final tarball. Except for qboot.rom which is new but kept, since it can be used with microvm
machine type (in case we want to enable microvm in the future).
The patches which are applied on QEMU sources:
- 0001-virtiofsd-Allow-to-build-it-without-the-tools.patch
(Build fix for Meson - allows passing `--disable-tools --enable-virtiofsd`)
- 0002-virtiofsd-extract-lo_do_open-from-lo_open.patch
0003-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch
0004-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch
0005-virtiofsd-Add-_llseek-to-the-seccomp-whitelist.patch
0006-virtiofsd-Add-restart_syscall-to-the-seccomp-whiteli.patch
(Security fixes for virtiofsd)
- 0007-9p-removing-coroutines-of-9p-to-increase-the-I-O-per.patch
(Performance improvement for 9p driver)
- 0008-hw-s390x-fix-build-for-virtio-9p-ccw.patch
(Build fix for virtio-9p-ccw machine type)
Fixes: #1238
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Each Kata Containers application should generate log records with a specified
structure. Currently on containerd-shim-v2's logs, the required 'name' field
is missing. This changed its logger to append the application name on each
and every emitted entries.
Fixes#1479
Related-to: github.com/kata-containers/tests/issues/3260
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The scripts/configure-hypervisor.sh split the QEMU and GCC version
in major and minor versions then use those values on shell conditionals
to compare versions. This is error prone, so instead this change the script
to use the `sort -V -C ` command for version comparisons.
Fixes: #1349
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
When do pass guest device files to container, the source
file wouldn't be a regular file, but we also need to create
a corresponding destination file to bind mount source file
to it. Thus it's better to check whether the source file
was a directory instead of regular file.
Fixes: #1477
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Looks like we inadvertantly removed the check on the loadRuntimeConfig
error return value. Adding back...
Fixes: #1474
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Agent sends -1 PID when invoking OCI hooks.
OCI state struct is initialized before obtaining PID, so this PR moves
`oci_state` call down, right after we get the id.
Fixes: #1458
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Port kata-containers/agent#883 to the Rust Agent.
In the event that the virtiofs device is already mounted at the
requested destination, don't error out. We'll check before attempting to
mount to see if the destination is already a mount point. If so, skip
doing the mount in the agent.
This facilitates mounting the sharedfs automatically in the guest before
the agent service starts.
Signed-off-by: Eric Ernst eric.g.ernst@gmail.comFixes: #1398
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Since the kata's hypervisor process is in the network namespace,
which is close to container's process, and some host metrics
such as cadvisor can use this pid to access the network namespace
to get some network metrics. Thus this commit replace the shim's
pid with the hypervisor's pid.
Fixes: #1451
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
There's no runtime repo anymore, let's avoid making a reference to it,
which may end up confusing people reading the Release-Process file.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
All the work done on this file, apart from merging the 2.x repo, and now
removing unused lines, comes from Intel.
The reason it's being added is to silent a complaint from the static
checker.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no more NEMU, for some time already. Considering this, let's
just remove any mention to it as part of our project.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There's no reason to ship qemu & qemu-virtiofs when the former already
includes vitiofs support (and that's the default for 2.x deployments).
In case we will enable experimental qemu DAX support, we should add a
new target, a "qemu-experimental" target, as Carlos has been working on.
Fixes: #1424
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The docker script has been removed as part of
62cbaf4de4, but references to it were left
behind in the artifact-list.sh, release/kata-deploy-binaries.sh, and
kata-deploy/Dockerfile.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
If the container has exited, the sender in notifier watching OOM events
will be dropped after the loop exited, and recv() from the according
receiver will get None.
This will lead two problems for get_oom_event rpc all from agent:
- return an wrong OOM event.
- continuously return OOM events.
Fixes: #1369
Signed-off-by: bin <bin@hyper.sh>
For Kata Containers 2.x, CRI-O should always be using the
`containerd-shim-kata-v2` binary, and always be configured to use the
"vm" runtime type, developed specifically for the shimv2, instead of the
default "oci" runtime type.
I've taken the liberty to try to simplify the CRI-O script and make it
less error prone. In the future, we can start dropping a configuration
file to /etc/crio/crio.conf.d and just removing it as part of the
cleanup, but that's for the future.
Fixes: #1357
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Factoring those pieces of code to their own functions allows us to
easily re-use them when creating & cleaning up the CRI-O configuration
files, as CRI-O is also affected by the issues that are still opened.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Our list was based on what we used to ship for Kata Containers 1.x, not
even taking into account the shimv2 binary.
Let's update it in order to reflect better what we currently distribute.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
VhostUserDeviceAttrs::PCIAddr didn't actually store a PCI address
(DDDD:BB:DD.F), but rather a PCI path. Use the PciPath type and
rename things to make that clearer.
TestHandleBlockVolume previously used the bizarre value "0001:01"
which is neither a PCI address nor a PCI path for this value. Change
it to a valid PCI path - it appears the actual value didn't matter for
that test, as long as it was consistent.
Forward port of
3596058c67fixes#1040
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
BlockDrive::PCIAddr doesn't actually store a PCI address
(DDDD:BB:DD.F) but a PCI path. Use the PciPath type and rename things
to make that clearer.
TestHandleBlockVolume() previously used a bizarre value "0002:01" for
the "PCI address" which was neither an actual PCI address, nor a PCI
path. Update it to use a PCI path - the actual value appears not to
matter in this test, as long as its consistent throughout.
Forward port of
64751f377bfixes#1040
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The "PCI address" returned by Endpoint::PciPath() isn't actually a PCI
address (DDDD:BB:DD.F), but rather a PCI path. Rename and use the
PciPath type to clean this up and the various parts of the network
code connected to it.
Forward port of
3e589713cffixes#1040
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently pcipath_to_sysfs() generates the path to the root bus node in
sysfs via create_pci_root_bus_path(). This is inconvenient for testing,
though, so instead make it take this as a parameter and generate the path
in the (single) caller. As a bonus this will make life a bit easier when
we want to support machines with multiple PCI roots.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
pcipath_to_sysfs takes a PCI path, with a particular format. A number of
places implicitly need strings in that format, many of them repeat the
description. To make things safer and briefer use the pci::Path type for
the purpose more widely, and just describe the string formatting of it at
the type definition.
Then, update variable names and comments throughout to call things in
this format "PCI path", rather than "PCI identifier", which is vague,
or "PCI address" which is just plain wrong. Likewise we change names and
comments which incorrectly refer to sysfs paths as a "PCI address".
This changes the grpc proto definitions, but because it's just
changing the name of a field without changing the field number, it
shouldn't change the actual protocol.
A loose forward port of
da4bc1d184
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently pcipath_to_sysfs(), which translates PCI paths into sysfs paths
accepts only pci paths with exactly 2 components; which represents PCI
devices separated from the root bus by exactly one PCI to PCI bridge (which
could be a virtual P2P bridge, such as a PCI-E root port).
There are cases we might reasonably want to support which have devices
either plugged directly into the root bus (zero bridges), or under
multiple layers of P2P bridge (a PCI-E switch would require at least 2
layers).
So, generalize pcipath_to_sysfs to support any number of components in the
PCI path. We also make it use the new type for PCI paths internally rather
than plain strings.
This is a loose forward port of
9804b1e55dfixes#1040
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
get_pci_device_address() has pretty confusing semantics. Both its input
and output are in other parts of the code described as a "PCI address", but
neither is *actually* a PCI address (in the standard DDDD:BB:DD.F format).
What it's really about is resolving a "PCI path" - that is way to locate a
PCI device by using it's slot number and the slot number of the bridge
leading to it - into a sysfs path.
Rename the function, and change a bunch of variable names to make those
semantics clearer.
Forward port of
https://github.com/kata-containers/agent/pull/855/commits/0eb612f06484
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Now that we have types to represent PCI paths on both the agent and
runtime sides, we can update the protocol definitionto use clearer
terminology.
Note that this doesn't actually change the agent protocol, because it just
renames a field without changing its field ID or type.
While we're there fix a trivial rustfmt error in
src/agent/protocols/build.rs
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This is a dedicated data type for representing PCI paths, that is, PCI
devices described by the slot numbers of the bridges we need to reach
them.
There are a number of places that uses strings with that structure for
things. The plan is to use this data type to consolidate their
handling. These are essentially Go equivalents of the pci::Slot and
pci::Path types introduced in the Rust agent.
Forward port of
185b3ab044
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Introduce a Rust type to represent a "PCI path" - that is a way of
locating a PCI device from a given root by listing the slots of all
the bridges leading to it and finally the slot of the device itself.
It's implemented as a vector of the previously added pci::Slot type,
and includes the necessary validation and conversions to/from strings.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a Rust type for representing a PCI slot on a single bus. This is
essentially just an integer from 0..31 (inclusive), but includes the
code for converting from integers with appropriate validation and
formatting back to a string.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Update the Intel QAT Dockerfile to work with the 2.0 repos, fix some
bugs with building Debian/Ubuntu rootfs, and update the latest QAT
driver. Updated copyright.
Fixes: #1419
Signed-off-by: Adams, Eric <eric.adams@intel.com>
For building rootfs with docker, glibc based rust target should be installed on ppc64le.
Additionally, protobuf-compiler would be required on ppc64le as it is not present by default.
Fixes: #1417
Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
Remove loading of configuration from New() because we do not know the
correct configuration file for the runtime until Create() and so that it
is not loaded more than once. Start tracer in create() so that it is
created after the runtime config is loaded in its original location.
Fixes#1411
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Give the user chance to specify their own registry in event the default
provided are not accessible, desirable.
Fixes: #1393
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
This PR updates the licensing strategy document to use the proper
tests repository for kata 2.0
Fixes#1413
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Today hooks are only described in the QEMU toml. This shouldn't be VMM
specific -- let's make sure these are advertised for Cloud Hypervisor as
well.
Fixes: #1401
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
kernel setup fails when `yes "n"` is used and `make oldconfig` doesn't
read anything from STDIN, `yes "n"` was added in the past as a
workaround to fix incomplete kernel configs.
Enable `build-kernel.sh` debug.
Signed-off-by: Julio Montes <julio.montes@intel.com>
`sudo` is required to build the image, once the image has been built
the permission of some directories may change, let's build first the
targerts that not need `sudo`
Signed-off-by: Julio Montes <julio.montes@intel.com>
This PR fixes wrong serialization of OCI state object.
OCI hooks end up with a JSON string with double quotes in `state` field.
This happens because of confusion `Debug` and `Display` traits. Debug trait
returns a string representation with double quotes.
Ideally we should not use Debug as a part of serialization process, so a bit
more safer fix would be to move container states to `oci` crate and simply
disallow wrong values in that field.
`ContainerState` in go spec: https://github.com/opencontainers/runtime-spec/blob/master/specs-go/state.go#L4Fixes: #1404
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Today we only clear out the cpuset details when doing an update call on
existing container/pods. This works in the case of Kubernetes, but not
in the case where we are explicitly setting the cpuset details at boot
time. For example, if you are running a single container via docker ala:
docker run --cpuset-cpus 0-3 -it alpine sh
What would happen is the cpuset info would be passed in with the
container spec for create container request to the agent. At that point
in time, there'd only be the defualt number of CPUs available in the
guest (1), so you'd be left with cpusets set to 0. Next, we'd hotplug
the vCPUs, providing 0-4 CPUs in the guest, but the cpuset would never
be updated, leaving the application tied to CPU 0.
Ouch.
Until the day we support cpusets in the guest, let's make sure that we
start off clearing the cpuset fields.
Fixes: #1405
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Seccomp configuration should be updated to prepare for the future seccomp support based on the latest OCI specification.
Add:
- flags which is used with seccomp(2) in struct LinuxSeccomp
- errnoRet which is errno return code in struct LinuxSyscall
- some new seccomp actions and an architecture
Fixes: #1391
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
The unit test for list_interfaces() checks that the hardware address
returned for each interface has non-zero length. However, that need not be
the case. Point-to-point devices, such as ppp, or tun devices in certain
configurations may not have a hardware address, which is represented as
a zero length address here.
This happens on my machine with a tun0 device created by OpenVPN.
fixes#1377
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Remove the old config options from the documentation and replace them
with the new form (without the redundant `kata-` prefix).
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
Update all tools/packaging scripts to prefer the new options over the
old ones (e.g. `--config` instead of `--kata-config`).
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
Remove `kata-` prefix from options `kata-config` and
`kata-show-default-config-paths`.
Fixes#1011
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
* CONFIG_OVERLAY_FS_METACOPY is needed to have reasonable performance
for chmod and similar calls;
* CONFIG_OVERLAY_FS_XINO_AUTO is recommended for POSIX compliance.
Fixes: #1075
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
- Install the required protobuf-compiler on Ubuntu
- Install correct libc Rust target (glibc on s390x)
- Do not skip Rust installation on s390x
Fixes: #1266
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Add description for difference of namespace in containerd and Kuberenetes.
Co-authored-by: Eric Ernst <eric.g.ernst@gmail.com>
Signed-off-by: bin <bin@hyper.sh>
add configuration items in Kata Containers
configuration file to let users specify jaeger
collector address, and user/password.
Signed-off-by: bin <bin@hyper.sh>
This directory has been automatically removed as there's no files inside
it, as part of d3c9862059
Let's improve the logic in the scripts to avoid failing in case the
"experimental" dir is not present.
Fixes: #1328
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The current implementation of rustjail uses the specific setrlimit.
This patch uses rlimit crate for maintainability.
Fixes: #1372
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Installing the built uncompressed vmlinux kernel will not work on s390x,
QEMU will complain:
Linux kernel boot failure: An attempt to boot a vmlinux ELF image
failed.
This image does not contain all parts necessary for starting up. Use
bzImage or arch/s390/boot/compressed/vmlinux instead.
Hence, use that kernel image on s390x.
Fixes: #1264
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Kata Containers 2.x is not supported outside of the kubernetes world.
With this in mind, let's remove leftovers from the 1.x deployments &
documentation.
Fixes: #1356
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
We're currently running kata-deploy-test for every issue opened, for
every comment in the issue. Issues, themselves, shouldn't be triggering
those as they can't cause any code change.
With this in mind, let's restrict ourselves to run those on
pull-requests only.
Fixes: #1341
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add a bit to the agent README about installing protoc manually for Power (ppc64le)
Fixes: #1068
Signed-off-by: Christy Norman <christy@linux.vnet.ibm.com>
Since there is no Rust target for musl on s390x, builds on s390x should use
glibc. This commit removes the "Cannot build Rust agent on s390x" restriction
in rootfs.sh and only installs musl in the build environment when it is
required.
Fixes: #1262
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Since there is no Rust target for musl on s390x, builds on s390x should
use glibc. This commit makes glibc the default on s390x as per the agent
Makefile.
Fixes: #1262
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Added a Katacontainers e2e flow figure, the figure can be used in many places or simply just as a reference.
It contains pieces from Kata 1.x and Kata 2.0 (e.g., kata-monitor).
The figures are produced via excalidraw.com, also in the commit is the
source .excalidraw which can be used to modify the figure if needed.
Fixes#1185
Signed-off-by: Adel Zaalouk <azaalouk@redhat.com>
test_process has a assertion that waitpid(-1) will fail
because there is no child process in most cases.
But if there is any child process forked by other unit test,
the test test_process will fail.
Because waitpid(-1) will wait for any child process including the
process created by other unit tests.
Signed-off-by: Tim Zhang <tim@hyper.sh>
This commit includes two changes:
- migrate from opentracing to opentelemetry
- add jaeger configuration items
Fixes: #1351
Signed-off-by: bin <bin@hyper.sh>
CGO_ENABLED=0 and -buildmode=pie are not compatible and may lead build failing in some OS.
Specify buildmode=exe to overwrite the value set in BUILDFLAGS
Fixes: #1343
Signed-off-by: bin <bin@hyper.sh>
acpi is enabled for kata 1.x, port and rebase code for 2.x
including:
runtime: enable pflash;
agent: add acpi support for pci bus path;
packaging: enable CONFIG_RTC_DRV_EFI;
Fixes: #1317
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
We should create the container's cgroup under the system's
cgroup default path such as "/sys/fs/cgroup/<sub system>",
instead of under the kata-agnet's process's cgroup path,
which would under the systemd's cgroup such as
"/sys/fs/cgroup/systemd/system.slice/kata-agent.service"
Fixes: #1319
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Include on the terms glossary some words about the agent init as
later on README its explain how the agent can be switched between
systemd and init.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This patch fixed the security issue if the container images has
unsafe symlink to the container rootfs and hackers can be exploit
this symlink to hack the guest system. e.g. make directory or files
on guest.
CVE-2015-3629
Fixes: #1219
Signed-off-by: Qingyuan Hou <qingyuan.hou@linux.alibaba.com>
Changed the user-visible urls to point to the right Kata Containers
files/repositories.
Fixes#234
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
To avoid hitting quota limit on docker.io, this changes the Fedora
and CentOS dockerfiles to pull the image from the projects registries.
Fixes#1324
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Highlights for cloud-hypervisor version v0.12.0 include: removal of
`vhost-user-net` and `vhost-user-block` self spawning, migration of
`vhost-user-fs` backend, ARM64 enhancements with full support of
`--watchdog` for rebooting, and enhanced `info` HTTP API to include the
details of devices used by the VM including VFIO devices.
Fixes: #1315
Signed-off-by: Bo Chen <chen.bo@intel.com>
According to runtime-spec:
The poststart hooks MUST be invoked by the runtime. If any poststart
hook fails, the runtime MUST log a warning, but the remaining hooks
and lifecycle continue as if the hook had succeeded
Fixes: #1252
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
According to runtime-spec:
The poststop hooks MUST be invoked by the runtime. If any
poststop hook fails, the runtime MUST log a warning, but
the remaining hooks and lifecycle continue as if the hook
had succeeded.
Fixes: #1252
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
The osbuilder scripts include a bunch of code for installing cmake, even
though cmake is never invoked. versions.yaml claims it's needed to build
grpc-rs, but that doesn't appear to be in our dependency graph.
Presumably, we used to need this, but don't any more. So, remove all cmake
references.
Fixes#1309
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Qemu config alredy use vanilla kernel build for virtiofs.
Lets make cosisntent the usage of kernel.
Depends-on: github.com/kata-containers/tests#3172
Fixes: #1302
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Stable and candidate snapcraft's channels are used to release Kata
Containers 1.x and 2.x respectively. Alpha and RC releases shouldn't
be pushed to the snap store because there are not enough channels
for all the releases of Kata Containers 1.x and 2.x.
fixes#1303
Signed-off-by: Julio Montes <julio.montes@intel.com>
This PR updates the ubuntu version from 18.04 to 20.04 that will be
used for the github actions.
Fixes#1295
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This patch integrates new netlink module routines with the agent (mainly
replaces calls to old netlink module with the new one).
Fixes: #1294
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This PR adds new netlink module (based on `rtnetlink` crate), so we don’t have to
write a low level code to interact with netlink sockets, but use a high level API.
As a side effect, `rtnetlink` crate got full IPv6 support, so it fixes#1171Fixes: #1294
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Support pmem-csi[1] k8s pluging, unlike SCSI and virtio devices,
NVDIMM/PMEM devices support DAX, improving IO Read and Write
operations.
fixes#1289
Signed-off-by: Julio Montes <julio.montes@intel.com>
[1]: https://github.com/intel/pmem-csi
Got:
find . -type f -name "*.rs" | egrep -v "target/|grpc-rs/|protocols/" | xargs rustfmt --check
error[E0670]: `async fn` is not permitted in the 2015 edition
This commit fixes this issue.
Signed-off-by: Tim Zhang <tim@hyper.sh>
There were still issues. Tested in fork, verified environment variable
passing works as before now.
Fixes: #1273
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
- snap: Fix yq error in build
- storage: cleanup and support read only block dev hotplug
- rootfs: Don't fallthrough in the docker_extra_args() switch
- github: Add github actions
- shimv2: Avoid double removing of container from sandbox
- Agent: return error on trying to persist a pid namespace and minor improvements
- rustjail: allow network sysctls
- rustjail: fix the issue of sync read
- rustjail: fix the issue of bind mount /dev
- qemu: no state to save if QEMU isn't running
- packaging/qemu: Build and package completely inside the container
- agent: upgrade cgroups to 0.2.0
- agent: Simplify .or_else() to .or()
- Fix error reporting in listInterfaces() and listRoutes()
- improve rustjail validator
- Add void "install" targets for both "trace-forwarder" and "agent-ctl"
- [forwardport] Add support for Gentoo
- oci: fix a typo in "addtionalGids"
- Don't update cpusets if no CPUs changed closes#1172
- rootfs: reduce size of debian image
- runtime: Allow to overwrite DESTDIR
- snap: fix snap release channel
- Don't leak fd when reseeding rng
- Fixes for make generate-protocols
- docs: Fix docs in docs/architecture.md
- docs: Update the Cloud Hypervisor description in virtualization.md
- agent: exit from exec hangs if background process is present
- [forwardport] install: Improve snap documentation
- handle vcpus properly utilized in the guest
- docs: fix the custom agent binary file path for creating initrd image
- shimv2: handle ctx passed by containerd
- runtime: clh: Enforce to call 'cleanupVM' for 'stopSandbox'
- agent: Adjust OOM Score to avoid agent being killed.
- [forward port] cli: make check subcommand more tolerant to failures
- docs: add link to VMT on top level README
- rustjail: fork a new child process to change the pid ns
- rustjail: remove the network ns validation against container
- snap: update apps section
- runtime: don't wait the second shim process in shim start
- agent: create pci root Bus Path for arm64
- agent: enable lto flag for Cargo to get better optimized code
- virtcontainers: revert CleanupContainer from PR 1079
- docs: Create hypervisor summary document
- Add hyperlink and fix typo
- versions: Use CRI-O v1.18.4-4-g6dee3891e
- runtime: change configuration key name from EnablePprof to enable_pprof
- runtime: delete sandboxlist.go and sandboxlist_test.go
- versions: Use release-1.18 (commit ee9128444bec10)
- runtime: clh: disable virtiofs DAX when FS cache size is 0
- release: Fix release candidate to major version upgrade check
- runtime: sleep 1 second after GetOOMEvent failed
- Agent: README updates for build on ppc64le
- runtime: clean/refactor code
- Forward port annotation doc
- versions: Update cloud-hypervisor to release v0.11.0
- docs: Add instructions for enabling VM templating
- Revert "version: revert back to crio 1.8.3"
- Dump guest memory when kernel panic for QEMU
- clh: Consolidate the code path for device unplug
- agent: Log ttrpc messages
- annotations: Improve asset annotation handling
- runtime: readonly volume should be bind mounted readonly on the host
- docs: Fix incorrect docs in config file
- CI: Fix incorrect URL
- docs: Update top-level README
- versions: Update crio version
- runtime: cloud-hypervisor: reduce memory footprint
- agent: Improve unit test coverage for src/sandbox.rs
- rustjail: fix the issue of create thread failed causing current thread panic
- Improve unit test coverage for rustjail/container.rs
- agent: Update build instructions
- cli: Provide aliases for kata-* subcommands and options
- runtime: Restore QEMUVIRTIOFSPATH variable in Makefile
- Use apply_patches.sh in qemu and kernel scripts
- clean up agent proto files
- agent: fixes the permissions of PID 1's STDIO
- Feature/1004 add version for kata monitor
- agent: Generate proto files programmatically
- runtime: Fix firecracker config
- docs: remove the 1.x version description about shim and proxy
- arm64: correct bridge type for QEMUVIRT
- snap: add GH actions jobs to release the snap package
- agent: clear clippy warnings
- agent: simplify ttrpc error construction
- Replace @RUNTIME_NAME@ with the target in generated files
- 2.0 update doc for hypervisor related information
- virtcontainers: Append max_ports to virtio-serial device
- snap: install libseccomp-dev
- runtime: set virtio-fs as default fs sharing method
- VirtioFS: backports & default settings to improve performance
- tools: Make agent-ctl support more APIs
- Validate runtime annotations
- kernel: update to 5.4.71
- config: make virtio-fs part of standard kernel
- agent: Optimize error handling
- versions: Update Kubernetes, containerd, cri-o and cri-tools
- agent: fix crashers if API requests empty
- rustjail: add length check for uid_mappings in rootless euid mapping
- kata-monitor: use regexp to check if runtime is kata containers
- docs: update the build kata containers kernel document
- cgroup and cpuset fixes from 1.x
- docs: Update upgrading guide
- agent: fix panic on malformed device resource in container update
- Forward port device conflict fixes from Kata 1 / Go agent
- docs: Add containerd install guide
- agent: simplify codes
- agent: fix errorneous parsing for guest block size
- agent: use macro to simplify parse_cmdline function in config.rs
- fix arm CI
- packaging: fix missing cloud_hypervisor_repo
- docs: Add crictl example json files
- ci: snap: add event filtering
- agent: do not follow link when mounting container proc and sysfs
- agent-ctl: include cargo lock updates
- agent: set init process non-dumpable
- runtime: Clear the VCMock 1.x API Methods from 2.0
- virtiofs: Disable DAX
- docs: Update docs for enabling agent debug console
- Remove compilation warnings
- osbuilder: Create target directory for agent
- versions: add plugins section
- snap: specify python version
- packaging: fix image build script
- Main packaging fixups
- clh: Support VFIO device unplug
- ci: add github action to test the snap
- docs: update networking description
- docs: update dev guide for agent build
- rust-agent: Update README
- docs: update architecture.md
- runtime: add support for SGX
- version: upgrade qemu version to v5.1.0 for arm64
- agent: Fix OCI Windows network shared container name typo
- github: Remove issue template and use central one
- docs: fix broken links
- Packaging: release notes script using error kernel path urls
- rust-agent: Replaces improper use of match for non-constant patterns
- devices: fix go test warning in manager_test.go
- action: Allow long lines if non-alphabetic
- Indicates never return function and remove unreachable code
- agent: propagate the internal detail errors to users
- Update Installation Guide to better reflect the current state of the project
- ci: fix clone_tests_repo function
- agent: Set LIBC=gnu for ppc64le arch by default
- fc: integrate Firecracker's metrics
- Fix to qemu experimental and improvements
- ci: resurrect travis static checkers
- agent: fix UT failures due to chdir
- agent: Only allow proc mount if it is procfs
- kata 2.0: add debug console service
- runtime: Call s.newStore.Destroy if globalSandboxList.addSandbox
- shimv2: add a comment in checkAndMount()
- osbuilder: specify default toolchain verion in rust-init
- runtime: Update CLH client pkg to version v0.10.0
- agent/oci: Don't use deprecated Error::description() method
- runtime: Fix linter errors in release files
- packaging: Build from source if the clh release binary is missing
- runtime: add podman configuration to data collection script
- ci: use Travis cache to reduce build time
- agent: update cgroups crate
- docs: Update the reference path of kata-deploy in the packaging
- runtime: make kata-check check for newer release
- how-to: add privileged_without_host_devices to containerd guide
- agent: Unit tests for rustjail/mount.rs
- docs: Fix the kata-pkgsync tool's docs script path
- Fix developer guide
- fix guest panic when running agent as init
- packaging: update version file url for kata 2.0 in Makefile
- Fix release notes
789fd7c1 blk-dev: hotplug readonly if applicable
12777b26 volumes: cleanup / minor refactoring
fbc1d123 vendor: revendor govmm
6cc1920c snap: Fix yq error in build
b329a74f rootfs: Fix indentation inside a switch
8879f9a0 rootfs: apparmor=unconfined is needed for non Red Hat host OSes
bbeebcdb rootfs: Always add SYS_ADMIN, CHROOT, and MKNOD caps to docker cmdline
90ec2fa8 rootfs: Don't fallthrough in the docker_extra_args() switch
ebd9fcc2 actions: Run static checks before make agent
0d3736d5 rustjail: fix the issue of sync read
0dc02f6d rustjail: fix the issue of bind mount /dev
894fa42a rustjail: allow network sysctls
d4cd2554 agent: Avoid container stats panic caused by cgroup controller non-exist
157e055f agent: upgrade crate cgroups to 0.2.0
e3ec1d50 agent: Simplify .or_else() to .or()
14e7042c agent: Clean up commented use declarations
5fe5b321 agent: Fix temp prefix on Namespace::test_setup_persistent_ns
3a891d4e agent: Return error on trying to persist a pid namespace
5c464018 shimv2: Avoid double removing of container from sandbox
b366af93 jail: add more test cases for validator
d38a5d3f jail/validator: introduce helpers to reduce duplicated code
76ad3213 jail/validator: avoid unwrap() for safety
51fd624f rustjail: add more context info for errors
9321e1b2 oci: fix two incompatible issues with OCI spec
406a91ff agent: consume ttrpc crate from crates.io
9a7bcccc qemu: no state to save if QEMU isn't running
6181570c oci: fix a typo in "addtionalGids"
a5372e00 github: Add github actions
4af5beda agent/sandbox: Don't update cpuset when ncpus = 0
e004616b runtime/network: Fix error reporting in listRoutes()
1ae8e81a runtime/network: Correct error reporting in listInterfaces()
a19263e5 agent/protocols: Remove unneeded import from oci.proto
a19cf28c agent/protocols: Remove some unnecessary include directives from protoc
2b452090 agent/protocols: Remove some unneeded dependencies for protocol generation
b36c9ea3 docs: Fix docs in docs/architecture.md
3db1c805 agent: Don't leak fd when reseeding rng
8ac93f65 rootfs-builder: add support for gentoo
9897238f rootfs: reduce size of debian image
d47122e9 docs: Update the Cloud Hypervisor description in virtualization.md
10e9bfc6 runtime: Allow to overwrite DESTDIR
f740032c packaging/qemu: Delete the temporary container
e5c710e8 packaging/qemu: Build and package completely in the container
4c3377de packaging/qemu: Add QEMU_DESTDIR argument to dockerfiles
faed2369 rootfs-builder: add functions to run before and after the container
8e5603e6 snap: fix snap release channel
8f538935 install: Improve snap documentation
1ca415d8 agent: exit from exec hangs if background process is present
a00f7c34 docs: fix the custom agent binary file path for creating initrd image
0155fe12 shimv2: handle ctx passed by containerd
a793b8d9 agent: update cpuset of container path
705182d0 agent: ignore updating cpuset error when update cgroups
647331ac runtime: clh: Enforce to call 'cleanupVM' for 'stopSandbox'
e684a541 docs: add link to VMT on top level README
68f66c51 agent-ctl: Add void "install" target
5e407758 trace-forwarder: Add void "install" target
70f198d7 cli: check modules and permissions before loading a module
cb684cf8 cli: don't fail if rate limit is exceeded
9216f2ad rustjail: fork a new child process to change the pid ns
3b08376c rustjail: remove the network ns validation against container
c388ec5b runtime: don't wait the second shim process in shim start
d6acc4c0 agent: enable lto flag for Cargo to get better optimized code
13a8e4e3 snap: update apps section
fdbf7d32 virtcontainers: revert CleanupContainer from PR 1079
91a390f0 docs: Create hypervisor summary document
3eeb25a1 docs: Tidied up virtualisation summary table
8ec3cf08 docs: Adding hyperlink to virtio-net in kata documentation 2.0
b5b67db8 docs: Fixing typo in virtualization.md file
4d46d0f0 versions: Use CRI-O v1.18.4-4-g6dee3891e
53b5d063 agent: Adjust OOM Score to avoid agent being killed.
14a21c3a runtime: change configuration key name from EnablePprof to enable_pprof
4e3a8c01 runtime: remove global sandbox variable
29020394 runtime: delete sandboxlist.go and sandboxlist_test.go
9b88a96b versions: Use release-1.18 (commit ee9128444bec10)
36f65ce1 runtime: clh: update cloud-hypervisor
e1396f04 runtime: clh: disable virtiofs DAX when FS cache size is 0
8f38265b release: Fix release candidate to major version upgrade check
2e0bf40a tests: Ensure semver build metadata is ignored
4024a827 release: Make error format string consistent
cb0e6094 runtime: sleep 1 second after GetOOMEvent failed
4c78814b docs: Fix pre-existing spelling mistakes caught by the CI
6c083d94 docs: Add a link to document describing how to use annotations
d67921a2 docs: Document restricted annotations
1fc7b764 docs: Repair inconsistencies between 2.0 and 1.x
21801a11 versions: Revert "version: revert back to crio 1.8.3"
b8414045 runtime: remove nsenter
e3510be8 runtime: use one line if statement to check if err is nil for qemu.go
378308e2 docs: Add instructions for enabling VM templating
92c1c4c6 versions: Update cloud-hypervisor to release v0.11.0
8907a339 agent: Only show ttrpc logs for trace log level
21cd7ad1 agent: Log ttrpc messages
286eebf0 agent: Add env var to set log level
b9c6db4b agent: Add env var tests
705e9955 agent: Add env var comment
5ced96e9 hypervisor: Remove unused methods
e82c9dae annotations: Improve asset annotation handling
0f26f1cd annotations: Add missing hypervisor control annotation
76064e3e asset: Formatting, grammar and whitespace
40418f6d runtime: add geust memory dump
ff13bde3 version: revert back to crio 1.8.3
6c2fc233 agent: create pci root Bus Path for arm64
a958eaa8 runtime: mount shared mountpoint readonly
125e21ce runtime: readonly mounts should be readonly bindmount on the host
5f0abc20 CI: Fix incorrect URL
b6f8a1d5 docs: Fix incorrect docs in config file
93d79625 clh: Consolidate the code path for device unplug
18a22459 Agent: README updates for build on ppc64le
655f2649 Agent: README updates for build on ppc64le
62c7e094 docs: Remove credits
679df0fb docs: Update top-level README
dfe364f8 Agent: README updates for build on ppc64le
77b50969 runtime: cloud-hypervisor: reduce memory footprint
2e1a8f0a agent: Improve unit test coverage for src/sandbox.rs
87848e87 versions: Update crio version
172d015e rustjail: fix the issue of create thread failed causing thread panic
9e93463b agent/rustjail: improve unit test coverage for rustjail/container.rs
ad4f7b86 agent/rustjail: make mount and umount2 public
926a6186 agent/rustjail: fix typo
8130d9b2 agent/rustjail: don't use unwrap in container::oci_state
5d111071 rustjail: add mock implementation for cgroup manager
e3eff0eb agent: Update build instructions
0896ce80 agent: update proto file copyright
6e9ca457 agent: generate proto files properly
837343f0 agent-ctl: update cargo.lock
b3166618 runtime: remove the unused proto files
54e23c83 agent: move gogo.proto out of the github.com namespance
583e6ed3 agent: types.pb.go is not regenerated
bb19fcb9 docs: Update documentation with new subcommand forms
d2fe7091 cli: Use new subcommand forms in kata-manager script
4d9ab0cd cli: Support new subcommand forms in bash completion
c5d355e1 cli: Remove `kata-` prefix from env and check subcommands
f134b4a3 agent: Update build instructions
9e9988df agent/protocols: Move agent.proto out of the mock folder of agent
e90aa7b4 agent: fixes the permissions of PID 1's STDIO
b9b281e7 packaging: Use apply-patches.sh in build-kernel.sh
163e6104 packaging: Make qemu/apply_patches.sh common
d4cf3057 packaging: qemu/apply_patches.sh should sort the patches
5b065eb5 runtime: change govmm package
9cb41507 agent/protocols: Fix copyright header checking
0d58d919 agent/protocols: Stop generate agent proto files in the shellscript
7559382b agent/protocols: Ignore generated files and remove these files from repo
fdc33fb7 agent/protocols: Generate proto files programmatically
f1c3bf6b runtime: let kata-collect-data.sh collect kata-monitor info
993a8da3 kata-monitor: add version subcommand
4ee78120 runtime: Restore QEMUVIRTIOFSPATH variable in Makefile
df4ce9fa ci: add `cargo clippy` for agent
2e138788 agent: clear match_like_matches_macro/vec_resize_to_zero warnings
227edfdc agent: clear module_inception/type_complexity warnings
698d25b7 agent: clear redundant_field_names clippy warning
4dd9bd7a agent: clear clippy `len_zero` warnings
bf7dec5c agent: clear clippy warnings
56f867ee rustjail: clear clippy warnings
16757ad4 oci: clear clippy warnings
f32f49bd logging: clear clippy warnings
5b079a3b snap: add GH actions jobs to release the snap package
2738b18b runtime: Fix firecracker config
e5d4259a runtime: Simplify make variables for clh
9eab3015 arm64: correct bridge type for QEMUVIRT
b88aac04 docs: Update how-to Readme with hypervisor information.
d6464117 docs: Update Readme to remove hypervisor information
b4f9fb51 docs: Remove docs for nemu
96a4ed7d Makefile: Replace @RUNTIME_NAME@ with the target in generated files
7159fc2e agent: simplify ttrpc error construction
0f894986 snap: install libseccomp-dev
9a351509 package: drop qemu-virtiofs shim
6ed669a1 packaging: install virtiofsd for normal qemu build as well
da79b4be virtcontainers: Append max_ports to virtio-serial device
bcf48530 runtime: enable virtiofs by default
e2221d34 tools: Improve agent-ctl README
2d1f2c7b kernel: update to 5.4.71
d3c98620 config: make virtio-fs part of standard kernel
edf02af1 tools: Make agent-ctl support more APIs
56201803 tools: Remove commented out code in agent-ctl
9bac4ee6 tools: Log request in agent-ctl tool if debug enabled
68821f08 tools: Rename agent-ctl command to GetGuestDetails
8553f062 tools: Fix comment in agent-ctl
6ba294a1 agent: remove `unwrap()` for `e.as_errno()`
e77482fe agent: Use `?` instead of `match` when the error returns directly
1b7ed328 kata-monitor: use regexp to check if runtime is kata containers
47ff2fb9 agent: use anyhow `context` to attach context to `Error` instead of `match`
2f690a2b agent: remove useless match
1d8def66 agent: Use `ok_or_else` instead of match for Option -> Result
84953066 agent: Fix crasher if AddARPNeighbors request empty
3d084c7d agent: Fix crasher if UpdateRoutes request empty
5615e5a7 agent: Fix crasher if UpdateInterface request empty
0dce817e agent: replace `match Result` with `or_else`
7bf4073d agent: replace unnecessary `match Result` with `map_err`
7f9e5913 agent: replace check! with map_err for readability
09aca49e agent: remove `check!` in child process because we cant' see logs.
a18899f1 agent: refactor namespace::setup to optimize error handling
a3c64e5c agent: replace `if let Err` with `or_else`
6ffa8283 agent: replace `if let Err` with `map_err`
863f918a rustjail: add length check for uid_mappings in rootless euid mapping
720eab78 versions: Update Kubernetes, containerd, cri-o and cri-tools
c5771be2 annotations: Correct unit tests to validate new protections
398d7918 annotations: Split addHypervisorOverrides to reduce complexity
b2b3bc7a annotations: Add unit test for checkPathIsInGlobs
6f52179c annotations: Add unit test for regexpContains function
966bd573 makefile: Add missing generated vars to `USER_VARS`
be6ee255 makefile: Improve names of config entries for annotation checks
b1194274 annotations: Give better names to local variabes in search functions
b5db114a annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
d65a7d10 config: Add better comments in the template files
7c6aede5 config: Whitelist hypervisor annotations by name
f047fced config: Use glob instead of regexp to match paths in annotations
11b9c90c annotations: Fix typo in comment
c16cdcb2 config: Add makefile variables for path lists
4e89b885 config: Protect file_mem_backend against annotation attacks
aae9656d config: Protect vhost_user_store_path against annotation attacks
55881653 config: Add security warning on configuration examples
b21a829c config: Protect ctlpath from annotation attack
27b6620b config: Protect jailer_path annotation
07669017 config: Add examples for path_list configuration
2d431c61 annotations: Simplify negative logic
2ca9ca89 config: Add hypervisor path override through annotations
2e093dfd config: Fix typo in function name
bf13ff0a config: Protect virtio_fs_daemon annotation
8c75de19 config: Add 'List' alternates for hypervisor configuration paths
fc6468ef agent: fix panic on malformed device resource in container update
d8a8fe47 cpuset: don't set cpuset.mems in the guest
88cd7128 sandbox: consider cpusets if quota is not enforced
77a463e5 cpuset: support setting mems for sandbox
2d690536 cpuset: add cpuset pkg
1a9515a9 runtime: Pass `--thread-pool-size=1` to virtiofsd
1c528cd1 packaging: Apply virtiofs performance related fixes to 5.x
5b520003 docs: Update upgrading guide
0e0564a5 docs: update the build kata containers kernel document
ae6b8ec7 agent/device: Check type as well as major:minor when looking up devices
859301b0 agent/device: Index all devices in spec before updating them
2477c355 agent/device: Forward port update_spec_device_list() unit test
08d80c1a agent/device: update_spec_device_list() should error if dev not found
12cc0ee1 sandbox: don't constrain cpus, mem only cpuset, devices
b6cf68a9 cgroups: add ability to update CPUSet
b812d4f7 virtcontainers: add method for calculating cpuset for sandbox
f63f7405 agent: fix errorneous parsing for guest block size
43d70a32 docs: Add containerd install guide
11c1ab8b agent: use ok_or/map_err instead of match
6b9f9915 rustjail: use Iterator to manipulate vector elements
a7251651 docs: remove the 1.x version description about shim and proxy
dc1442c3 rustjail: delete codes commented out
aa04111d rustjail: delete unused test code
eae685dc agent: use chain of Result to avoid early return
5e3d1fb6 agent: add blank lines between methods
980e48ca agent: delete unused field in agentService
52b821fa agent: use no-named closure to reduce codes
82e94501 packaging: fix cloud-hypervisor binary path
b1f95e8d agent: use a local fn to reduce duplicated codes
154a356a packaging: apply qemu v5.1 stable fixes
c781a808 agent: fix aarch64 build
906b3844 agent: update not accurate comments
78318c18 packaging: fix missing cloud_hypervisor_repo
b7309943 agent: use macro to simplify parse_cmdline function in config.rs
9834a766 docs: add namespace key to pod/container config files
37e7de72 ci: snap: add event filtering
9a02e6eb docs: Add crictl example json files
b7147eda agent: do not follow link when mounting container proc and sysfs
15b71563 agent: set init process non-dumpable
00ad3fd3 agent-ctl: include cargo lock updates
8cd62d7b versions: add plugins section
c4472481 virtiofs: Disable DAX
3e56de81 snap: specify python version
e3cdc89b osbuilder: Create target directory for agent
7cad865d packaging: fix image build script
0e898c6b rust-agent: Treat warnings as error
0e4baaab rust-agent: Identify unused results in tests
5b2b5652 rust-agent: Log returned errors rather than ignore them
d617caf1 rust-agent: Remove unused imports
ee739c5d rust-agent: Report errors to caller if possible
d5b492a1 rust-agent: Ignore write errors while writing to the logs
c635c46a rust-agent: Remove unused code that has undefined behavior
ec24f688 rust-agent: Remove 'mut' where not needed
c8f406d4 rust-agent: Remove uses of deprecated functions
f832d8a6 rust-agent: Remove or rename unused parameters
5a1d3311 rust-agent: Remove or rename unused variables
27efe291 rust-agent: Remove unused functions
d76ece0c rust-agent: Remove useless braces
3682812e rust-agent: Remove unused macros
483209bf actions: add kata deploy test
07930024 packaging: cleaning, updating based on new filepaths
f0f205cd packaging: remove obs-packaging
4b1753c5 packaging: pull versions, build-image out from obs dir
3f6cd4d5 packaging: Revert "packaging: Stop providing OBS packages"
c33ee54a clh: Support VFIO device unplug
1f4dfa31 clh: Remove unnecessary VmmPing
cc80ae0a versions: cloud-hypervisor: Bump to version 6d30fe05
0fec7a4d docs: Change kata_tap0 to tap0_kata
3394a6a5 docs: update networking description
2e83f405 dev-guide: update kata-agent install details
ffea705a docs: Update docs for enabling agent debug console
777f3981 docs: update dev guide for agent build
aa8eefd8 ci: add github action to test the snap
ea1cb37b versions: cloud-hypervisor: bump version
0ebffdf2 runtime: cloud-hypervisor: tag openapi-generator-cli container
e51a1ea3 docs: use-cases: Add Intel SGX use case
7d638231 runtime/vendor: add k8s.io/apimachinery/pkg/api/resource
6df165c1 runtime: add support for SGX
a5b3e1cd docs: drop docker installation guide
6c4300c6 docs: fix static check errors in docs/install/README.md
59224a76 docs: update architecture.md
a89deb3e rust-agent: Update README
80c52834 github: Remove issue template and use central one
0ccbca3b agent: Fix OCI Windows network shared container name typo
a6221a74 qemu: upgrade qemu version to 5.1.0 for arm64.
f30b86f1 Packaging: release notes script using error kernel path urls
a7faeaac docs: fix broken links
4501c25a agent: propagate the internal detail errors to users
1984e635 ci: fix clone_tests_repo function
02c1a59f agent: Set LIBC=gnu for ppc64le arch by default
7019e72c agent: remove unreachable code
942999ed agent: Change do_exec return type to ! because it will never return
757dfa70 fc: integrate Firecracker's metrics
b03d958e gitignore: ignore agent service file
64b4f698 agent: fix UT failures due to chdir
85d22301 runtime: fix TestNewConsole UT failure
e90e9a2c travis: skip static checker for ppc64
5611283e runtime: fix golint errors
daf2a54d agent: fix cargo fmt
c05c4ba5 ci: always checkout 2.0-dev of test repository
1569b3b3 docs: fix static check errors
df3119b6 runtime: fix make check
484a595f runtime: add enable_debug_console configuration item for agent
febdf8f6 runtime: add debug console service
07d339c7 devices: fix go test warning in manager_test.go
a4afe3af rust-agent: Replaces improper use of match for non-constant patterns
acaa806c agent: Only allow proc mount if it is procfs
ca501e54 osbuilder: specify default toolchain verion in rust-init.
03517327 action: Allow long lines if non-alphabetic
33513fb4 rustjail: make the mount error info much more clear
45b0b4ed agent/oci: Don't use deprecated Error::description() method
a34478ff runtime: Update cloud-hypervisor client pkg to version v0.10.0
ce675075 static-build/qemu-virtiofs: Refactor apply virtiofs patches
512b38cf packaging/qemu: Add common code to apply patches
edce2712 static-build/qemu-virtiofs: Fix to apply QEMU patches
86a864b8 packaging: Build from source if the clh release binary is missing
33585a8e runtime: Fix linter errors in release files
e3a0f9b3 ci: use export command to export envs instead of env config item
36ce7018 agent: update cgroups crate
3523167d runtime: Call s.newStore.Destroy if globalSandboxList.addSandbox
9e5a4b8b ci: use Travis cache to reduce build time
52984b67 docs: Update the reference path of kata-deploy in the packaging
eae21591 runtime: add podman configuration to data collection script
d1277848 how-to: add privileged_without_host_devices to containerd guide
98c4d11b docs: fix k8s containerd howto links
f107b12b docs: fix up developer guide for 2.0
9f2f5201 docs: Fix the kata-pkgsync tool's docs script path
96f8769a travis: enable RUST_BACKTRACE
cda7acf7 agent/rustjail: add more unit tests
98cc979a agent/rustjail: remove makedev function
b99fefad agent/rustjail: add unit tests for ms_move_rootfs and mask_path
d79fad2d agent/rustjail: implement functions to chroot
25c91afb agent/rustjail: add unit test for pivot_rootfs
7cf0fd95 agent/rustjail: implement functions to pivot_root
672da4d0 agent/rustjail: add unit test for mount_cgroups
ab61cf7f agent/rustjail: add unit test for init_rootfs
0a0714c9 agent/rustjail/mount: don't use unwrap
3dc9452b agent/rustjail: add tempfile crate as depedency
d756f52c rustjail: implement functions to mount and umount files
a02d1787 gitignore: ignore agent version.rs
b518ddea agent: fix agent panic running as init
1a77f69e runtime: make kata-check check for newer release
61181b9f packaging: use local version file for kata 2.0 in Makefile
e1c6aa27 docs: fix release process doc
1acfba4d packaging: fix release notes
1839dfd9 runtime: Clear the VCMock 1.x API Methods from 2.0
7225460a shimv2: add a comment in checkAndMount()
22ca2da6 packaging: Stop providing OBS packages
afa88c1b install: Add contacts to the distribution packages
3955cc89 install: Update information about Community Packages
218f77d7 install: Update SUSE information
2a0e76a8 install: Update openSUSE information
691f1364 install: Update RHEL information
270fc4b2 install: Update Fedora information
492b4e90 install: Update CentOS information
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
yq major releases are not backward compatible, install the same
major version used in the CI to avoid conflics building the kata
components.
We should update yq when the CI updates it, not before.
fixes#1232
Signed-off-by: Julio Montes <julio.montes@intel.com>
This reverts commit 6cc1920c37.
Instead of updating the syntax of yq, let's use yq 3.x, otherwise
yq must be updated in the CI and the syntax updated in all the
tools (osbuilder, packging).
Signed-off-by: Julio Montes <julio.montes@intel.com>
The snap build pulls the latest release of `yq`, but `yq` version 4
changed the CLI syntax for reading a YAML file.
Update the snap config file to use the new `yq` v4 syntax.
Fixes: #1232.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit includes minimal changes in order to switch to Tokio:
- Update protocol crate to generate async server code
- Adds async entry point to the Agent
- Updates agent services signatures in rpc.rs
Fixes: #1209
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This is not needed for Fedora, RHEL, and CentOS, but it is required when
using any other host OS. Having --security-opt apparmor=unconfined used
unconditionally is a no go as it'd break podman.
The reason this was only added when building for SUSE (as target distro)
was because debian and ubuntu condition would fall-through the switch to
the suse case (which makes me think that the fall-through was not
accidental).
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Falling through the switch cases in docker_extra_args() looks like a
typo and causes issues when building with podman, as `--security-opt
apparmor=unconfinded" shouldn't be passed if Apparmor is no enable on
the system.
Fixes: #1241
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Run static checks prior to building the agent.Checks
fail if run after since the compilation process
produces new rust code.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
It should check the read count and return an
error if read count didn't match the expected
number.
Fixes: #1233
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
In case the container rootfs's /dev was overrided
by binding mount from another directory, then there's
no need to create the default devices nodes and symlinks
in /dev.
Fixes: #692
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Return SingularPtrField::none() instead of panic when getting stats
from cgroup failed caused by cgroup controller missing.
Signed-off-by: Tim Zhang <tim@hyper.sh>
Fixes: #1224
35ecd6f (origin/change-name, change-name) Update readme
eb6577e Change package name to cgroups-rs
8f6a7e0 Merge pull request #19 from Tim-Zhang/0.2.0
9baa065 (origin/0.2.0, 0.2.0) release: v0.2.0
e160df0 Make read_i64_from private and merge read_str_from to its caller
e1e05d3 Make new_with_relative_paths=new and load_with_relative_paths=new in v2
a89f4a0 Support set notify_on_release & release_agent
61a0957 Fix set_swappiness in cgroup v2
0592045 Ignore kmem in cgroup v2
c254fff Update readme
438d774 Fix test
42ee1ba Make Cgroup can be stored in struct
b6bb5ae docs: Hide Re-exports
d2882b1 Print cause when println!("{}")
abcb5ed Add more logs for create_dir error in controller.create
1f188be Detect subsystems and get root from /proc/self/mountinfo
fbd7164 Fix warnings in tests
f342254 Remove Box wrap of Cgroup.hire
cd998f3 Do not place cgroup under relative path read from cgroup by default
1ac76b6 Make function find_v1_mount pub
121f78d Expose deletion error
0f76570 Avoid exception caused by cgroup writeback feature
10650e2 Update tests to adapt new type of fields in resource
567cdb4 Use Option as resource fields, remove the update switch: update_values
0c18b08 Support customized attributes for CpuController and MemController
ca610bb add add_task_by_tgid
Signed-off-by: Tim Zhang <tim@hyper.sh>
get_bool_value() in src/agent/src/config.rs includes a Result::or_else()
call with a trivial closure which can be replaced by a Result::or. This
removes a clippy warning.
fixes#1201
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Wrong prefix on the created temp directory on the test_setup_persistent_ns
for uts namesmpace type test.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
An pid namespace cannot be persisted, so add a check-and-error on
Namespace::setup() for handling that case.
Fixes#1220
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
RemoveContainerRequest results in calling to deleteContainer, according
to spec calling to RemoveContainer is idempotent and "must not return
an error if the container has already been removed", hence, don't
return error if the error reports that the container is not found.
Fixes: #836
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
The first incompatible issue is caused by a typo, "swapiness" should
be "swappiness". The second incompatible issue is caused by a serde
format. The struct LinuxBlockIODevice is introduced for convenience,
but it also changes serialized data, so "#[serde(flatten)]" should
be used for compatibility with OCI spec.
Fixes: #1211
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
On pod delete, we were looking to read files that we had just deleted. In particular,
stopSandbox for QEMU was called (we cleanup up vmpath), and then QEMU's
save function was called, which immediately checks for the PID file.
Let's only update the persist store for QEMU if QEMU is actually
running. This'll avoid Error messages being displayed when we are
stopping and deleting a sandbox:
```
level=error msg="Could not read qemu pid file"
```
I reviewed CLH, and it looks like it is already taking appropriate
action, so no changes needed.
Ideally we won't spend much time saving state to persist.json unless
there's an actual error during stop/delete/shutdown path, as the persist will
also be removed after the pod is removed. We may want to optimize this,
as currently we are doing a persist store when deleting each container
(after the sandbox is stopped, VM is killed), and when we stop the sandbox.
This'll require more rework... tracked in:
https://github.com/kata-containers/kata-containers/issues/1181Fixes: #1179
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
When receiving an OnlineCpuMemory RPC, if the number of CPUs to be
made available is 0, then updating the cpusets is a redundant operation.
Fixes: #1172
Signed-off-by: Maruth Goyal <maruthgoyal@gmail.com>
If the upcast from resultingRoutes to *grpc.IRoutes fails, we return
(nil, err), but previous code ensures that err is nil at that point, so we
return no error.
fixes#1206
Forward port of
0ffaeeb5d8
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If the upcast from resultingInterfaces to *grpc.Interfaces fails, we
return (nil, err), but previous code ensures that err is nil at that
point, so we return no error.
Forward port of
b86e904c2dfixes#1206
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
oci.proto imports "google/protobuf/wrappers.proto", but doesn't appear to
use it, which causes a warning from protoc when we compile it. Remove the
import to fix the warning.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The generate_go_sources() function in update-generate-proto.sh adds a
number of include directives to the protoc command line. Some of these
don't appear to be necessary to correctly compile the agent's protocol
files, so remove them.
Amongst other things were directives pointing at the old Kata1 runtime and
agent repositories. Those ones could be actively harmful by causing odd
dependencies of the Kata2 build on the Kata1 repositories.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
src/agent/protocols/hack/update-generated-proto.sh checks for the presence
of protoc-gen-rust and ttrpc_rust_plugin, but it doesn't actually need
them. Those tools are needed to generate Rust code from the gRPC proto
files, but that's already handled in src/agent/protocols/build.rs using
Cargo for dependency management.
This script is only needed for the Go code, for which the other tools are
sufficient.
fixes#1198
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This PR wraps fd raw descriptor with File, so it'll be properly closed once exited.
Fixes: #1192
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Improve Kata Containers memory footprint by reducing debian
image size.
Without this change:
Debian image -> 256MB
With this change:
Debian image -> 128MB
Note: this change *will not* impact ubuntu image.
fixes#1188
Signed-off-by: Julio Montes <julio.montes@intel.com>
The current description on the Cloud Hypervisor support in Kata
containers were introduced back to kata 1.10 and are out-dated.
Depends-on: github.com/kata-containers/tests#3106
Fixes: #1167
Signed-off-by: Bo Chen <chen.bo@intel.com>
On runtime/Makefile the value of DESTDIR is set to "/", unless one
pass that variable as an argument to `make`. This change will
allow its overwrite if DESTDIR is exported in the environment as
well.
Fixes#1182
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
It is used a temporary container to pull the QEMU tarball out
of the build image, but this container is never deleted. This
will ensure it gets deleted after its execution.
Fixes#1168
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Currently QEMU is built inside the container, its tarball pulled to
the host, files removed then packaged again. Instead, let's run all
those steps inside the container and the resulting tarball will
be the final version. For that end, it is introduced the
qemu-build-post.sh script which will remove the uneeded files and
create the tarball.
The patterns for directories on qemu.blacklist had to be changed
to work properly with `find -path`.
Fixes#1168
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The dockerfiles used to build qemu and qemu-virtiofs have the QEMU destination
path hardcoded, which in turn is also on the build scripts. This refactor
the dockerfiles to add the QEMU_DESTDIR argument, which value is passed by the scripts.
Fixes#1168
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Define `before_starting_container` and `after_stopping_container`
functions, these functions run before and after the container that
builds the rootfs respectively.
Signed-off-by: Julio Montes <julio.montes@intel.com>
According to the new snap document
`docs/install/snap-installation-guide.md`, Kata Containers 2.x should
be available in the snapcraft `candidate` channel.
fixes#1174
Signed-off-by: Julio Montes <julio.montes@intel.com>
Improve snap documentation, document how to install
kata 1.x and 2.x, how to configure them and their integration
with container engines.
fixes#1138
Signed-off-by: Julio Montes <julio.montes@intel.com>
This is the Rust porting of https://github.com/kata-containers/agent/pull/371
`read_stdout`/`read_stderr` is blocking rpc calls, if exec process
exited, these calls is on blocking state for reading on process's
term master fd, and can't get a chance to break the wait.
In this PR, `read_stdout`/`read_stderr` will not read directly from
a term master of a process, instead, it will first have to get
an fd to read from newly added `epoller.poll()`. `epoller.poll()` may returns:
- the term master fd of exec process, if the process is running.
- a fd(piped fd) will return EOF when reading to indicate that th process is exited.
Fixes: #1160
Signed-off-by: bin liu <bin@hyper.sh>
Add trace calls to shimv2 that create spans for functions in service.go.
Tracing starts in New(), which is forked twice and is followed by either
StartShim() or Create().
Tracing cannot start without the value for Trace enabled from the
runtime config so load the config in New(), which results in it being
loaded every time New() is called in addition to where it is originally
loaded after Create().
Fixes#903
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
fix the custom agent binary file path for creating an initrd image in
the Developer-Guide.md file.
Fixes: #919
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Sometimes shim process cannot be shutdown because of container list
is not empty. This container list is written in shim service, while
creating container. We find that if containerd cancel its Create
Container Request due to timeout, but runtime didn't handle it properly
and continue creating action, then this container cannot be deleted at
all. So we should make sure the ctx passed to Create Service rpc call
is effective.
Fixes#1088
Signed-off-by: Yves Chan <shanks.cyp@gmail.com>
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
After cpu hot-plugged is available, cpuset for containers will be written into
cgroup files recursively, the paths should include container's cgroup path, and up
to root path of cgroup filesystem.
Fixes: #1156, #1159
Signed-off-by: bin liu <bin@hyper.sh>
The result of `cpuset_controller.set_cpus(&cpu.cpus)` is unwrapped,
this will lead creating container to fail if cpuset is set.
The sandbox's `CreateContainer` sequence is:
c, err := newContainer(s, &contConfig)
err = c.create()
c.sandbox.agent.createContainer(c.sandbox, c) (1)
err = s.updateResources()
oldCPUs, newCPUs, err := s.hypervisor.resizeVCPUs(sandboxVCPUs) (2)
cpuset only avaiable after `s.hypervisor.resizeVCPUs` has been called at (2),
and then cpuset is written to cgourps file.
Fixes: #1159
Signed-off-by: bin liu <bin@hyper.sh>
We should always cleanup the vm directory when doing `stopSandbox`,
while we are skipping the cleanup process on some error code paths when
using cloud-hypervisor driver.
Fixes: #1098
Signed-off-by: Bo Chen <chen.bo@intel.com>
- add a reference Dockerfile to tools
- update kata-monitor build to:
1) utilize the kata buildflags, which were dropped before
2) disable CGO, so we have option for building in alpine
From root of the repository, example build:
$ docker build -f tools/packaging/kata-monitor/Dockerfile -t kata-monitor .
Fixes: #1135
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
The VMT process is well documented, but users would need to land on
community repo to find it. Let's make it easier to identify the correct
way to disclose vulnerabilities.
Fixes: #1136
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Otherwise `make install` run from the top directory would just fail as
the target is not defined.
Fixes: #1149
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Otherwise `make install` run from the top directory would just fail as
the target is not defined.
Fixes: #1149
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Before loading a module, the check subcommand should check if the
current user can load it.
fixes#3085
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't fail if rate limit is exceeded since this is a
limitation/restriction of Github not a problem in the host.
Print a warning when the rate limit is exceeded.
For more information about Github's rate limit, see
https://developer.github.com/v3/#rate-limiting
Signed-off-by: Julio Montes <julio.montes@intel.com>
The main process do unshare pid namespace, the process
couldn't spawn new thread, in order to avoid this issue,
fork a new child process and do the pid namespace unshare
in the new temporary process.
Fixes: #1140
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Since kata containers shared the network ns with
the guest system, thus there's no need to do the
network ns check.
Fixes: #1047
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
In first shim v2 startup(with `start` command-line option), it will start
the second shim v2 process running as ttrpc server, there is no needs to
wait the second process, because the current shim v2 process will exit immediately.
Fixes: #1127
Signed-off-by: bin liu <bin@hyper.sh>
Add `kata-runtime` and `kata-collect-data.sh` commands to the apps
section, these two command will be accessible through the commands
`kata-containers.runtime` and `kata-containers.collect-data`
respectively.
Henceforth the snap command for `containerd-shim-kata-v2` will be
`kata-containers.shim`
fixes#1122
Signed-off-by: Julio Montes <julio.montes@intel.com>
In PR 1079, CleanupContainer's parameter of sandboxID is changed to VCSandbox, but at cleanup,
there is no VCSandbox is constructed, we should load it from disk by loadSandboxConfig() in
persist.go. This commit reverts parts of #1079Fixes: #1119
Signed-off-by: bin liu <bin@hyper.sh>
Split some of the core hypervisor details out of the virtualisation
document and present in a simpler fashion for new users.
Fixes: #1063.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
- Removed the `QEMU-virtio-fs` entry from the virtualization doc since
support is now available upstream and the QEMU virtio-fs-specific
configuration file has been removed.
- Removed NEMU as this is no longer used.
- Sorted the remaining rows.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Referring virtio-net mentioning in the kata virtualization
documentation to the virtio-networking blog series published
and explaining how it works.
Fixes#612
Signed-off-by: Ariel Adam <aadam@redhat.com>
Changing "implementor" to "implementer"
Fixes: #612
Signed-off-by: Ariel Adam <aadam@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This (unreleased) version of CRI-O brings in the possibility of enabling
the `k8s-oom.bats` test.
Depends-on: github.com/kata-containers/tests#3060
Fixes: #1116
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Under stress, the agent can be OOM-killed, which exists the sandbox.
One possible hard-to-diagnose manifestation is a virtiofsd crash.
Fixes: #1111
Reported-by: Qian Cai <caiqian@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Key name in configuration file is in snake case but not camel case.
And the key is processed as `enable_pprof` in code, the configuration
template file should replace `EnablePprof` it by `enable_pprof`
Fixes: #1109
Signed-off-by: bin liu <bin@hyper.sh>
Remove global sandbox variable, and save *Sandbox to hypervisor struct.
For some needs, hypervisor may need to use methods from Sandbox.
Signed-off-by: bin liu <bin@hyper.sh>
Let's update CRI-O version to the commit which introduced the fix for
the "k8s-copy-file" tests.
Depends-on: github.com/kata-containers/tests#3042
Fixes: #1080
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Update cloud-hypervisor to commit 2706319.
Fixes a limitation in OpenAPITools/openapi-generator tool,
it's impossible to send go zero types, like false and 0 to
cloud-hypervisor because `omitempty` is added if a field is not
required.
See cloud-hypervisor/cloud-hypervisor#1961 for more information
Signed-off-by: Julio Montes <julio.montes@intel.com>
Guest consumes 120Mb more of memory when DAX is enabled and the default
FS cache size (8G) is used. Disable dax when it is not required
reducing guest's memory footprint.
Without this patch:
```
7fdea4000000-7fdee4000000 rw-s 18850589 /memfd:ch_ram (deleted)
Size: 1048576 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Rss: 187876 kB
```
With this patch:
```
7fa970000000-7fa9b0000000 rw-s 612001 /memfd:ch_ram (deleted)
Size: 1048576 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Rss: 57308 kB
Pss: 56722 kB
```
fixes#1100
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fix `kata-runtime kata-check`'s network version check which was failing
when the user was running a release candidate build and the latest
release was a major one, two examples of the error being:
- `BUG: unhandled scenario: current version: 1.12.0-rc0, latest version: 1.12.0`
- `BUG: unhandled scenario: current version: 2.0.0-rc0, latest version: 2.0.0`
Fixes: #1104.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
According to the Semantic Versioning specification, build metadata must
be ignored for version comparisions, so add some explicit tests for this
scenario to `TestGetNewReleaseType()`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
In some cases, for example agent crashed and not marked dead yet, the GetOOMEvent
will return errors like `connection reset by peer` or `ttrpc: closed`. Do a sleep
with 1 second (agent check interval) and let agent health check to do the check.
Fixes: #991
Signed-off-by: bin liu <bin@hyper.sh>
The documentation contains existing spelling mistakes that are caught by the CI
and prevent checking in. The errors include:
INFO: Spell checking file 'docs/how-to/how-to-load-kernel-modules-with-kata.md'
WARNING: Word 'configurated': did you mean one of the following?: configuration, reconfigured, Confederate, confederate
WARNING: Word 'cri': did you mean one of the following?: cir, crib, chi, cry, Fri, crier
ERROR: Spell check failed for file: 'docs/how-to/how-to-load-kernel-modules-with-kata.md'
INFO: spell check failed for document docs/how-to/how-to-load-kernel-modules-with-kata.md
INFO: Spell checking file 'docs/how-to/how-to-set-sandbox-config-kata.md'
INFO: Spell check successful for file: 'docs/how-to/how-to-set-sandbox-config-kata.md'
ERROR: spell check failed, See https://github.com/kata-containers/documentation/blob/master/Documentation-Requirements.md#spelling for more information.
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The documentation `how-to/how-to-set-sandbox-config-kata.md` contains a number
of differences relative to the 1.x variant, which do not seem to correspond to
missing features in the actual code.
Fixes: #1046
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This reverts commit ff13bde3c1, which
moved back CRI-O to v1.18.3.
The was, IMHO, a little bit premature. We want to know exactly what are
the issues on v1.18.4, solve those, and be prepared for a v1.18.5 bump
(or even a bump to a specific commit, if needed).
Just for the sake of the completeness, v1.18.4 caused a regression on
"k8s-copy-file" tests, which is tracked on CRI-O side as
https://github.com/cri-o/cri-o/issues/4353.
Fixes: #1080
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Use `if err := q.qmpSetup(); err != nil` to reduce code and make it easy
to read. And remove checking err if last function call also return an error,
return the function call directly.
Fixes: #1081
Signed-off-by: bin liu <bin@hyper.sh>
Kata 2.0 uses virtio-fs as the shared_fs by default,
bug VM templating cannot be used with virtio-fs.
Fixes: #1091
Signed-off-by: AIsland <yuchunyu01@inspur.com>
The release v0.11.0 of cloud-hypervisor features the following changes:
1) Improved Linux Boot Time, 2) `SIGTERM/SIGINT` Interrupt Signal,
Handling 3) Default Log Level Changed, 4) `io_uring` support by default
for `virtio-block` (on host kernel version 5.8+), 5) Windows Guest
Support, 6) New `--balloon` Parameter Added, 7) Experimental
`virtio-watchdog` Support, 8) Bug fixes.
Fixes: #1089
Signed-off-by: Bo Chen <chen.bo@intel.com>
Only display the `ttrpc` crate log output when full logging
(trace level) is enabled.
This is a slight abuse of log levels but provides developers and testers
what they need whilst also keeping the logs relatively quiet for the
default info log level (the `ttrpc` crate logging is a bit "chatty").
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The `ttrpc` crate uses the `log` crate for logging. But the agent uses
the `slog` crate. This means that currently, all `ttrpc` log messages
are being discarded.
Use the `slog-stdlog` create to redirect `log` crate logging calls into
`slog` so they are visible in the agents log output.
Fixes: #978.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add support for a `KATA_AGENT_LOG_LEVEL` environment variable for testing.
This is the equivalent to the `agent.log=` kernel command line option.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Make `asset.go` the arbiter of asset annotations by removing all asset
annotations lists from other parts of the codebase.
This makes the code simpler, easier to maintain, and more robust.
Specifically, the previous behaviour was inconsistent as the following
ways:
- `createAssets()` in `sandbox.go` was not handling the following asset
annotations:
- firmware:
- `io.katacontainers.config.hypervisor.firmware`
- `io.katacontainers.config.hypervisor.firmware_hash`
- hypervisor:
- `io.katacontainers.config.hypervisor.path`
- `io.katacontainers.config.hypervisor.hypervisor_hash`
- hypervisor control binary:
- `io.katacontainers.config.hypervisor.ctlpath`
- `io.katacontainers.config.hypervisor.hypervisorctl_hash`
- jailer:
- `io.katacontainers.config.hypervisor.jailer_path`
- `io.katacontainers.config.hypervisor.jailer_hash`
- `addAssetAnnotations()` in the `oci` package was not handling the
following asset annotations:
- hypervisor:
- `io.katacontainers.config.hypervisor.path`
- `io.katacontainers.config.hypervisor.hypervisor_hash`
- hypervisor control binary:
- `io.katacontainers.config.hypervisor.ctlpath`
- `io.katacontainers.config.hypervisor.hypervisorctl_hash`
- jailer:
- `io.katacontainers.config.hypervisor.jailer_path`
- `io.katacontainers.config.hypervisor.jailer_hash`
This change fixes the bug where specifying a custom hypervisor path via an
asset annotation was having no effect.
Fixes: #1085.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add missing annotation definitions for a hypervisor control binary:
- `io.katacontainers.config.hypervisor.ctlpath`
- `io.katacontainers.config.hypervisor.hypervisorctl_hash`
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
When guest panic, dump guest kernel memory to host filesystem.
And also includes:
- hypervisor config
- hypervisor version
- and state of sandbox
Fixes: #1012
Signed-off-by: bin liu <bin@hyper.sh>
bindmount remount events are not propagated through mount subtrees,
so we have to remount the shared dir mountpoint directly.
E.g.,
```
mkdir -p source dest foo source/foo
mount -o bind --make-shared source dest
mount -o bind foo source/foo
echo bind mount rw
mount | grep foo
echo remount ro
mount -o remount,bind,ro source/foo
mount | grep foo
```
would result in:
```
bind mount rw
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (rw,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
remount ro
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (ro,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
```
The reason is that bind mount creats new mount structs and attaches them to different mount subtrees.
However, MS_REMOUNT only looks for existing mount structs to modify and does not try to propagate the
change to mount structs in other subtrees.
Fixes: #1061
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Correct the link in the GitHub action commit message check showing users how to format all commits.
Fixes: #1053
Signed-off-by: AIsland <yuchunyu01@inspur.com>
Correct the default configuration of [hypervisor.qemu] shared_fs in configuration-qemu.toml to virtio-fs in kata 2.0.
Fixes: #1054
Signed-off-by: AIsland <yuchunyu01@inspur.com>
In cloud-hypervisor, it provides a single unified way of unplugging
devices, e.g. the `/vm.RemoveDevice` HTTP API. Taking advantage of this
API, we can simplify our implementation of `hotplugRemoveDevice` in
`clh.go`, where we can consolidate similar code paths for different
device unplug (e.g. no need to implement `hotplugRemoveBlockDevice` and
`hotplugRemoveVfioDevice` separately). We will only need to retrieve the
right `deviceID` based on the type of devices, and use the single
unified HTTP API for device unplug.
Fixes: #1076
Signed-off-by: Bo Chen <chen.bo@intel.com>
Cloud-hypervisor supports DAX, let's enable it to reduce its memory
footprint.
Before this patch:
**19.96M**
```
20448kB -- [/usr/share/kata-containers/kata.img]
```
With this patch:
**10.83M**
```
11100kB -- [/usr/share/kata-containers/kata.img]
```
fixes#1056
Signed-off-by: Julio Montes <julio.montes@intel.com>
It's should catch the failed error of spawning a new thread, otherwise,
it would cause the current thread panic.
Fixes: #1034
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Only root is able to create and manipulate cgroups, this mock
implementation of a cgroup manager can used in unit testing.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fix the instructions explaining how to build the agent from source now that make needs to be run to auto-generate some source files.
Fixes: #889.
Signed-off-by: LiYa'nan <oliverliyn@gmail.com>
Remove the old subcommands from the documentation and replace them with
the new form (without the redundant `kata-` prefix).
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
Update the `kata-manager` script to call the new subcommand forms
without `kata-` prefix.
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
Provide the subcommands `kata-env` and `kata-check` as `env` and `check`
respectively.
Fixes#1011
Signed-off-by: Daniel Knittl-Frank <knittl89+git@googlemail.com>
fixup! cli: Add aliases to kata-env and kata-check commands
Fix the instructions explaining how to build the agent from source now that make needs to be run to auto-generate some source files.
Fixes: #889
Signed-off-by: LiYa'nan <oliverliyn@gmail.com>
Because the repos have been merged and the agent repo will be removed in the future,
we do not need mock the file structure any more.
Signed-off-by: Tim Zhang <tim@hyper.sh>
Fix the permissions of PID 1's STDIO within the container to
the specified user.
The ownership needs to match because it is created outside of the
container and needs to be localized.
Fixes: #1022
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Calls apply-patches.sh in kernel/build-kernel.sh to apply the
kernel patches.
Fixes#1014
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Moved the qemu/apply_patches.sh to the common scripts directory and
refactor it so that it can be used as a generic and consistent way
to apply patches.
Fixes#1014
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Changed apply_patches.sh script so that patches are sorted before
they be applied.
Fixes#1014
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
To run `cargo clippy`, this commit includes changes:
- add a new Makefile target to run `cargo clippy`
- move `make`/`make check` to last step to let a fast retrun if `fmt`/`clippy` failed
Fixes: #951
Signed-off-by: bin liu <bin@hyper.sh>
To clear these two warnings, this commit did changes:
- add `#![allow(clippy::module_inception)]` to target files
- use type alias for tuple of `(MessageHeader, Vec<u8>)`
Signed-off-by: bin liu <bin@hyper.sh>
add `#![allow(clippy::redundant_field_names)]` can skip check
`protocols` package, and fix redundant_field_names in other
packages.
Signed-off-by: bin liu <bin@hyper.sh>
Use Github actions to build and release the snap package automatically
when a new tag is pushed.
fixes#1006
Signed-off-by: Julio Montes <julio.montes@intel.com>
The build was setting a `FCVALIDPATHS` variable for firecracker, but
that was never being used. Conversely, the firecracker configuration
template was expecting a `FCVALIDHYPERVISORPATHS`, but that variable was
never being set.
Resolve by only setting the `FCVALIDHYPERVISORPATHS` variable to ensure
the generated firecracker config is valid once again.
Fixes: #1001.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Simplify definition of the `CLHVALIDHYPERVISORPATHS` build variable to
use the already defined `CLHPATH`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
While we have setup guides for firecracker and ACRN, as these
need additional configuration, it may confuse users looking
at this guide to find mentions of just these 2 hypervisors.
Call out all the hypervisors supported with Kata here.
Fixes#996
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
In commit 966bd57 for PR #902, the makefile was changed to automate
the replacement of user variables. However, one variable was treated
specially in the original `sed` replacements, namely `RUNTIME_NAME`
which was replaced by `$(TARGET)`.
This commit adds the `RUNTIME_NAME` variable to the makefile in order
to ensure that the replacement works correctly.
Fixes: #993
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Listening to the events channel from QEMU and a guest
panic event issued, then we can get the event and do some
work for the special event.
Fixes: #152
Signed-off-by: bin liu <bin@hyper.sh>
For experimental-virtiofs, we use it to test virtiofs with DAX. Let's
rename its virtiofsd to virtiofsd-dax.
Depends-on: github.com/kata-containers/tests#2951
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Allow API consumers to change the maximum number of ports in the
virtio-serial devices, setting a lower number of ports can improve the
boot time and reduce the attack surface.
Before this patch on arm64:
[ 0.028664] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[ 0.055031] printk: console [hvc0] enabled
After this patch on arm64:
[ 0.028484] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[ 0.031370] printk: console [hvc0] enabled
Fixes: #2676
Signed-off-by: Jia He <justin.he@arm.com>
We've been shipping it for a long time. It's time to make it default
replacing the old obsolet 9pfs.
Fixes: #935
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Basic virtio-fs support has made it upstream in the Linux kernel, as
well as in QEMU and Cloud Hypervisor. Let's go ahead and add it to the
standard configuration.
Since the device driver / DAX handling is still in progress for
upstream, we will want to still build a seperate experimental kernel for
those who are comfortable trading off bleeding edge stability/kernel
updates for improved FIO numbers.
Fixes: #963
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Added new `agent-ctl` commands to allow the following agent API calls to
be made:
- `AddARPNeighborsRequest`
- `CloseStdinRequest`
- `CopyFileRequest`
- `GetMetricsRequest`
- `GetOOMEventRequest`
- `MemHotplugByProbeRequest`
- `OnlineCPUMemRequest`
- `ReadStreamRequest`
- `ReseedRandomDevRequest`
- `SetGuestDateTimeRequest`
- `TtyWinResizeRequest`
- `UpdateContainerRequest`
- `WriteStreamRequest`
Fixes: #969.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Use `{:?}` to print `e.as_errno()` instead of using `{}`
to print `e.as_errno().unwrap().desc()`.
Avoid panic only caused by error's content.
Signed-off-by: Tim Zhang <tim@hyper.sh>
To support a few common configurations for Kata, including:
- `io.containerd.kata.v2`
- `io.containerd.kata-qemu.v2`
- `io.containerd.kata-clh.v2`
`kata-monintor` changes to use regexp instead of direct string comparison.
Fixes: #957
Signed-off-by: bin liu <bin@hyper.sh>
Check if the ARP neighbours specified in the `AddARPNeighbors` API is
set before using it to avoid crashing the agent.
Fixes: #955.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Check if the routes specified in the `UpdateRoutes` API is set before
using it to avoid crashing the agent.
Fixes: #949.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Check if the interface specified in the `UpdateInterface` API is set
before using it to avoid crashing the agent.
Fixes: #950.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kubernetes: from 1.17.3 to 1.18.9
CRI-O: from 0eec454168e381e460b3d6de07bf50bfd9b0d082 (1.17) to 1.18.3
Containerd: from 3a4acfbc99aa976849f51a8edd4af20ead51d8d7 (1.3.3) to 1.3.7
cri-tools: from 1.17.0 to 1.18.0
Fixes: #960.
Depends-on: github.com/kata-containers/tests#2958
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add the verification of some basic protections, namely that:
- EnableAnnotations is honored
- Dangerous paths cannot be modified if no match
- Errors are returned when expected
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Warning from gocyclo during make check:
virtcontainers/pkg/oci/utils.go:404:1: cyclomatic complexity 37 of func `addHypervisorConfigOverrides` is high (> 30) (gocyclo)
func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
^
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
There are a few interesting corner cases to consider for this
function.
Fixes: #901
Suggested-by: James O.D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
James O.D Hunt: "But also, regexpContains() and
checkPathIsInGlobList() seem like good candidates for some unit
tests. The "look" obvious, but a few boundary condition tests would be
useful I think (filenames with spaces, backslashes, special
characters, and relative & absolute paths are also an interesting
thought here)."
There aren't that many boundary conditions on a list with regexps,
if you assume the regexp match function itself works. However, the
tests is useful in documenting expectations.
Fixes: #901
Suggested-by: James O.D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This was discovered while checking a massive change in variables.
The root cause for the error is a very long list of manual
replacements, that is best replaced with a $(foreach).
All individual variables in the output configuration files were
checked against the old build using diff.
This is a forward port of a makefile fix included in
PR https://github.com/kata-containers/runtime/issues/3004
for issue https://github.com/kata-containers/runtime/issues/2943Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The entries used to be things like PATH_LIST, which are too generic.
Replace them with more precise name with a distinguishing keyword,
namely VALID. For example valid_hypervisor_paths.
Fixes: #901
Suggested-by: James O.D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
When there is a default value from the code (usually empty) that
differs from a possible suggested value from the distro, then the
wording "default: empty" is confusing.
Fixes: #901
Suggested-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Add a field "enable_annotations" to the runtime configuration that can
be used to whitelist annotations using a list of regular expressions,
which are used to match any part of the base annotation name, i.e. the
part after "io.katacontainers.config.hypervisor."
For example, the following configuraiton will match "virtio_fs_daemon",
"initrd" and "jailer_path", but not "path" nor "firmware":
enable_annotations = [ "virtio.*", "initrd", "_path" ]
The default is an empty list of enabled annotations, which disables
annotations entirely.
If an anontation is rejected, the message is something like:
annotation io.katacontainers.config.hypervisor.virtio_fs_daemon is not enabled
Fixes: #901
Suggested-by: Peng Tao <tao.peng@linux.alibaba.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
When filtering annotations that correspond to paths,
e.g. hypervisor.path, it is better to use a glob syntax than a regexp
syntax, as it is more usual for paths, and prevents classes of matches
that are undesirable in our case, such as matching .. against .*
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
A comment talking about runtime related annotations describes them as
being related to the agent. A similar comment for the agent
annotations is missing.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Add variables to override defaults at build time for the various lists
used to control path annotations.
Fixes: #901
Suggested-by: Fabiano Fidencio <fidencio@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This one could theoretically be used to overwrite data on the host.
It seems somewhat less risky than the earlier ones for a number
of reasons, but worth protecting a little anyway.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Add the following text explaining the risk of using regular
expressions in path lists:
Each member of the list can be a regular expression, but prefer names.
Otherwise, please read and understand the following carefully.
SECURITY WARNING: If you use regular expressions, be mindful that
an attacker could craft an annotation that uses .. to escape the paths
you gave. For example, if your regexp is /bin/qemu.* then if there is
a directory named /bin/qemu.d/, then an attacker can pass an annotation
containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This also adds annotation for ctlpath which were not present
before. It's better to implement the code consistenly right now to make
sure that we don't end up with a leaky implementation tacked on later.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The jailer_path annotation can be used to execute arbitrary code on
the host. Add a jailer_path_list configuration entry providing a list
of regular expressions that can be used to filter annotations that
represent valid file names.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The path_list configuration gives a series of regular expressions that
limit which values are acceptable through annotations in order to
avoid kata launching arbitrary binaries on the host when receiving an
annotation.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
The annotation is provided, so it should be respected.
Furthermore, it is important to implement it with the appropriate
protetions similar to what was done for virtiofsd.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Sending the virtio_fs_daemon annotation can be used to execute
arbitrary code on the host. In order to prevent this, restrict the
values of the annotation to a list provided by the configuration
file.
Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Paths mentioned in the hypervisor configuration can be overriden
using annotations, which is potentially dangerous. For each path,
add a 'List' variant that specifies the list of acceptable values
from annotations.
Bug: https://bugs.launchpad.net/katacontainers.io/+bug/1878234Fixes: #901
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Somehow containerd is sending a malformed device in update API. While it
should not happen, we should not panic either.
Fixes: #946
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Kata doesn't map any numa topologies in the guest. Let's make sure we
clear the Cpuset fields before passing container updates to the
guest.
Note, in the future we may want to have a vCPU to guest CPU mapping and
still include the cpuset.Cpus. Until we have this support, clear this as
well.
Fixes: #932
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
CPUSet cgroup allows for pinning the memory associated with a cpuset to
a given numa node. Similar to cpuset.cpus, we should take cpuset.mems
into account for the sandbox-cgroup that Kata creates.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
CPUSet cgroup allows for pinning the memory associated with a cpuset to
a given numa node. Similar to cpuset.cpus, we should take cpuset.mems
into account for the sandbox-cgroup that Kata creates.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Pulled from 1.18.4 Kubernetes, adding the cpuset pkg for managing
CPUSet calculations on the host. Go mod'ing the original code from
k8s.io/kubernetes was very painful, and this is very static, so let's
just pull in what we need.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Dave Gilbert brough up that passing --thread-pool-size=1 to virtiofsd
may result in a performance improvement especially when using
`cache=none`. While our current default is `cache=auto`, Dave mentioned
that he seems no harm in having it set and he also mentiond that it may
use a lot less stack space on aarch/arm.
Fixes: #943
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Vivek Goyal found out that using "shared" thread pool, instead of
"exclusive" results in better performance.
Knowning that and with the plan to have virtio-fs as the default fs for
the 2.0, let's bring this patch in for both 5.0 and 5.1.
Fixes: #944
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Update the build kata containers kernel document for 2.0 release. Fixed
the 1.x release project paths and urls, using the kata-containers
project file paths and urls.
Fixes: #929
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
To update device resource entries from host to guest, we search for
the right entry by host major:minor numbers, then later update it.
However block and character devices exist in separate major:minor
namespaces so we could have one block and one character device with
matching major:minor and thus incorrectly update both with the details
for whichever device is processed second.
Add a check on device type to prevent this.
Port from the Kata 1 Go agent
https://github.com/kata-containers/agent/commit/27ebdc9d2761Fixes: #703
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The agent needs to update device entries in the OCI spec so that it
has the correct major:minor numbers for the guest, which may differ
from the host.
Entries in the main device list are looked up by device path, but
entries in the device resources list are looked up by (host)
major:minor. This is done one device at a time, updating as we go in
update_spec_device_list().
But since the host and guest have different namespaces, one device
might have the same major:minor as a different device on the host. In
that case we could update one resource entry to the correct guest
values, then mistakenly update it again because it now matches a
different host device.
To avoid this, rather than looking up and updating one by one, we make
all the lookups in advance, creating a map from (host) device path to
the indices in the spec where the device and resource entries can be
found.
Port from the Go agent in Kata 1,
https://github.com/kata-containers/agent/commit/d88d46849130Fixes: #703
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The Kata 1 Go agent included a unit test for updateSpecDeviceList, but no
such unit test exists for the Rust agent's equivalent
update_spec_device_list(). Port the Kata1 test to Rust.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If update_spec_device_list() is given a device that can't be found in the
OCI spec, it currently does nothing, and returns Ok(()). That doesn't
seem like what we'd expect and is not what the Go agent in Kata 1 does.
Change it to return an error in that case, like Kata 1.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow for constraining the cpuset as well as the devices-whitelist . Revert
sandbox constraints for cpu/memory, as they break the K8S use case. Can
re-add behind a non-default flag in the future.
The sandbox CPUSet should be updated every time a container is created,
updated, or removed.
To facilitate this without rewriting the 'non constrained cgroup'
handling, let's add to the Sandbox's cgroupsUpdate function.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
We were assuming base 10 string before, when the block size from sysfs
is actually a hex string. Let's fix that.
Fixes: #908
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Create a containerd installation guide and a new `kata-manager` script
for 2.0 that automated the steps outlined in the guide.
Also cleaned up and improved the installation documentation in various
ways, the most significant being:
- Added legacy install link for 1.x installs.
- Official packages section:
- Removed "Contact" column (since it was empty!)
- Reworded "Versions" column to clarify the versions are a minimum
(to reduce maintenance burden).
- Add a column to show which installation methods receive automatic updates.
- Modified order of installation options in table and document to
de-emphasise automatic installation and promote official packages
and snap more.
- Removed sections no longer relevant for 2.0.
Fixes: #738.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Sometimes `Option.or_or` and `Result.map_err` may be simpler
than match statement. Especially in rpc.rs, there are
many `ctr.get_process` and `sandbox.get_container` which
are using `match`.
Signed-off-by: bin liu <bin@hyper.sh>
Remove the build in shim and proxy desgin description from the
kata-api-design.md file.
Fixes: #912
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
There are some uses/codes/struct fields are commented out, and
may not turn into un-comment these codes, so delete these comments.
Signed-off-by: bin liu <bin@hyper.sh>
Use rust `Result`'s `or_else`/`and_then` can write clean codes.
And can avoid early return by check wether the `Result`
is `Ok` or `Err`.
Signed-off-by: bin liu <bin@hyper.sh>
Qemu v5.1 was released with an affending commit 9b3a35ec82
(virtio: verify that legacy support is not accidentally on).
As a result, it breaks commandline compatiblilities for old qemu
users. Upstream qemu has fixed it but no release has been put out yet.
Let's apply these fixes by hand for now.
Refs: https://www.mail-archive.com/qemu-devel@nongnu.org/msg729556.html
Depends-on: github.com/kata-containers/tests#2945
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
This commit includes:
- update comments that not matched the function name
- file path with doubled slash
Fixes: #922
Signed-off-by: bin liu <bin@hyper.sh>
In function parse_cmdline there are some similar codes, if we want
to add more commandline arguments, the code will grow too long.
Use macro can reduce some codes with the same logic/processing.
Fixes: #914
Signed-off-by: bin liu <bin@hyper.sh>
If no namespace field in config files, CRI-O will failed:
setting pod sandbox name and id: cannot generate pod name without namespace
Signed-off-by: bin liu <bin@hyper.sh>
Run the snap CI on every PR is not needed. Don't run the snap CI
on PRs that don't change the source code (*.go/*.rs), a configuration
file or Makefile.
fixes#896
Signed-off-by: Julio Montes <julio.montes@intel.com>
Remove CONTRIBUTORS.md file since, this repo is now part of the
kata-containers organization, the other repos don't have this file
and we are not willing to maintain (update) it.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Attackers might use it to explore other containers in the same pod.
While it is still safe to allow it, we can just close the race window
like runc does.
Fixes: #885
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
On old kernels (like v4.9), kernel applies CLOECEC in wrong order w.r.t.
dumpable task flags. As a result, we might leak guest file descriptor to
containers. This is a former runc CVE-2016-9962 and still applies to
kata agent. Although Kata container is still valid at protecting the
host, we should not leak extra resources to user containers.
This sets the init processes that join and setup the container's
namespaces as non-dumpable before they setns to the container's pid (or
any other ) namespace.
This settings is automatically reset to the default after the Exec in
the container so that it does not change functionality for the
applications that are running inside, just our init processes.
This prevents parent processes, the pid 1 of the container, to ptrace
the init process before it drops caps and other sets LSMs.
The order during the exec syscall is that the process is set back to
dumpable before O_CLOEXEC are processed.
Refs:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=613cc2b6f272c1a8ad33aefa21cad77af23139f7https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318opencontainers/runc@50a19c6https://nvd.nist.gov/vuln/detail/CVE-2016-9962Fixes: #890
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
`govmm` is now part of the `kata-containers` GitHub organisation, so
update to reflect this.
Fixes: #145.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Simply running `make` would generate some cargo lock updates for
agent-ctl. Let's include them so that we have fixed dependencies.
Fixes: #883
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
plugins sections contains the details of plugins required for
the components or testing.
Add sriov-network-device-plugin url and version that are consumed
by the VFIO test in the tests repository.
fixes#879
Signed-off-by: Julio Montes <julio.montes@intel.com>
virtiofs DAX support is not stable today, there are
a few corner cases to make it default.
Fixes: #862Fixes: #875
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
In order to avoid `unmet dependencies` error in the CI,
the python version must be specified in the yaml.
fixes#877
Signed-off-by: Julio Montes <julio.montes@intel.com>
When building with AGENT_SOURCE_BIN pointing to an already built
kata-agent binary, the target directory needs to be created in the
rootfs tree.
Fixes#873
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
There were a couple of issues with the build-scripts discovered while
doing release:
- Relative paths are error prone. Fix error.
- short_commit_length is used to truncate sha for commits when
appending agent version to resulting files. Before this was
in pkglib.sh, which is otherwise an unused file from when we
supported OBS. Add this define to lib.sh, which is sourced by
the applicable packaging scripts.
There's plenty of room for improvement, but these fixes make the
existing scripts functional again.
Fixes: #871
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Assign unused results to _ in order to silence warnings.
This addresses the following warnings:
warning: unused `std::result::Result` that must be used
--> rustjail/src/mount.rs:1182:16
|
1182 | defer!(unistd::chdir(&olddir););
| ^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/mount.rs:1183:9
|
1183 | unistd::chdir(tempdir.path());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
While in regular code, we want to log possible errors, in test code
it's OK to simply ignore the returned value.
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
In a number of cases, we have functions that return a Result<...>
and where the possible error case is simply ignored. This is a bit
unhealthy.
Add a `check!` macro that allows us to not ignore error values
that we want to log, while not interrupting the flow by returning
them. This is useful for low-level functions such as `signal::kill` or
`unistd::close` where an error is probably significant, but should not
necessarily interrupt the flow of the program (i.e. using `call()?` is
not the right answer.
The check! macro is then used on low-level calls. This addresses the
following warnings from #750:
This addresses the following warning:
warning: unused `std::result::Result` that must be used
--> /home/ddd/go/src/github.com/kata-containers-2.0/src/agent/rustjail/src/container.rs:903:17
|
903 | signal::kill(Pid::from_raw(p.pid), Some(Signal::SIGKILL));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> /home/ddd/go/src/github.com/kata-containers-2.0/src/agent/rustjail/src/container.rs:916:17
|
916 | signal::kill(Pid::from_raw(child.id() as i32), Some(Signal::SIGKILL));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:340:13
|
340 | write_sync(cwfd, SYNC_FAILED, format!("{:?}", e).as_str());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:554:13
|
554 | / write_sync(
555 | | cwfd,
556 | | SYNC_FAILED,
557 | | format!("setgroups failed: {:?}", e).as_str(),
558 | | );
| |______________^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:340:13
|
340 | write_sync(cwfd, SYNC_FAILED, format!("{:?}", e).as_str());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:340:13
|
340 | write_sync(cwfd, SYNC_FAILED, format!("{:?}", e).as_str());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:554:13
|
554 | / write_sync(
555 | | cwfd,
556 | | SYNC_FAILED,
557 | | format!("setgroups failed: {:?}", e).as_str(),
558 | | );
| |______________^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:626:5
|
626 | unistd::close(cfd_log);
| ^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:627:5
|
627 | unistd::close(crfd);
| ^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:628:5
|
628 | unistd::close(cwfd);
| ^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:770:9
|
770 | fcntl::fcntl(pfd_log, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:799:9
|
799 | fcntl::fcntl(prfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:800:9
|
800 | fcntl::fcntl(pwfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:803:13
|
803 | unistd::close(prfd);
| ^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:930:9
|
930 | log_handler.join();
| ^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:803:13
|
803 | unistd::close(prfd);
| ^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:804:13
|
804 | unistd::close(pwfd);
| ^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:842:13
|
842 | sched::setns(old_pid_ns, CloneFlags::CLONE_NEWPID);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/container.rs:843:13
|
843 | unistd::close(old_pid_ns);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
Fixes: #844Fixes: #750
Suggested-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Various recently added error-causing calls
This addresses the following warning:
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:93:9
|
93 | cg.add_task(CgroupPid::from(pid as u64));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_must_use)]` on by default
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:196:17
|
196 | freezer_controller.thaw();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:199:17
|
199 | freezer_controller.freeze();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:365:9
|
365 | cpuset_controller.set_cpus(&cpu.cpus);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:369:9
|
369 | cpuset_controller.set_mems(&cpu.mems);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:381:13
|
381 | cpu_controller.set_shares(shares);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:385:5
|
385 | cpu_controller.set_cfs_quota_and_period(cpu.quota, cpu.period);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
warning: unused `std::result::Result` that must be used
--> rustjail/src/cgroups/fs/mod.rs:1061:13
|
1061 | cpuset_controller.set_cpus(cpuset_cpus);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: this `Result` may be an `Err` variant, which should be handled
The specific case of cpu_controller.set_cfs_quota_and_period is
addressed in a way that changes the logic following a suggestion by
Liu Bin, who had just added the code.
Fixes: #750
Suggested-by: Liu Bin <bin@hyper.sh>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
When we are writing to the logs and there is an error doing so, there
is not much we can do. Chances are that a panic would make things
worse. So let it go through.
warning: unused `std::result::Result` that must be used
--> rustjail/src/sync.rs:26:9
|
26 | write_count(lfd, log_str.as_bytes(), log_str.len());
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
::: rustjail/src/container.rs:339:13
|
339 | log_child!(cfd_log, "child exit: {:?}", e);
| ------------------------------------------- in this macro invocation
|
= note: this `Result` may be an `Err` variant, which should be handled
= note: this warning originates in a macro (in Nightly builds, run with -Z macro-backtrace for more info)
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Some functions have undefined behavior and are not actually used.
This addresses the following warning:
warning: the type `oci::User` does not permit zero-initialization
--> rustjail/src/lib.rs:99:18
|
99 | unsafe { MaybeUninit::zeroed().assume_init() }
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| |
| this code causes undefined behavior when executed
| help: use `MaybeUninit<T>` instead, and only call `assume_init` after initialization is done
|
= note: `#[warn(invalid_value)]` on by default
note: `std::ptr::Unique<u32>` must be non-null (in this struct field)
warning: the type `protocols::oci::Process` does not permit zero-initialization
--> rustjail/src/lib.rs:146:14
|
146 | unsafe { MaybeUninit::zeroed().assume_init() }
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| |
| this code causes undefined behavior when executed
| help: use `MaybeUninit<T>` instead, and only call `assume_init` after initialization is done
|
note: `std::ptr::Unique<std::string::String>` must be non-null (in this struct field)
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Addresses the following warning (and a few similar ones):
warning: variable does not need to be mutable
--> rustjail/src/container.rs:369:9
|
369 | let mut oci_process: oci::Process = serde_json::from_str(process_str)?;
| ----^^^^^^^^^^^
| |
| help: remove this `mut`
|
= note: `#[warn(unused_mut)]` on by default
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This addresses the following:
warning: use of deprecated item 'std::error::Error::description': use the Display impl or to_string()
--> rustjail/src/container.rs:1598:31
|
1598 | ... e.description(),
| ^^^^^^^^^^^
|
= note: `#[warn(deprecated)]` on by default
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Parameters that are never used were removed.
Parameters that are unused, but necessary because of some common
interface were renamed with a _ prefix.
In one case, consume the parameter by adding an info! call, and fix a
minor typo in a message in the same function.
This addresses the following warning:
warning: unused variable: `child`
--> rustjail/src/container.rs:1128:5
|
1128 | child: &mut Child,
| ^^^^^ help: if this is intentional, prefix it with an underscore: `_child`
warning: unused variable: `logger`
--> rustjail/src/container.rs:1049:22
|
1049 | fn update_namespaces(logger: &Logger, spec: &mut Spec, init_pid: RawFd) -> Result<()> {
| ^^^^^^ help: if this is intentional, prefix it with an underscore: `_logger`
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Remove variables that are simply not used.
Rename as _ variables where only initialization matters.
This addresses the following warnings:
warning: unused variable: `writer`
--> src/main.rs:130:9
|
130 | let writer = unsafe { File::from_raw_fd(wfd) };
| ^^^^^^ help: if this is intentional, prefix it with an underscore: `_writer`
|
= note: `#[warn(unused_variables)]` on by default
warning: unused variable: `ctx`
--> src/rpc.rs:782:9
|
782 | ctx: &ttrpc::TtrpcContext,
| ^^^ help: if this is intentional, prefix it with an underscore: `_ctx`
warning: unused variable: `ctx`
--> src/rpc.rs:808:9
|
808 | ctx: &ttrpc::TtrpcContext,
| ^^^ help: if this is intentional, prefix it with an underscore: `_ctx`
warning: unused variable: `dns_list`
--> src/rpc.rs:1152:16
|
1152 | Ok(dns_list) => {
| ^^^^^^^^ help: if this is intentional, prefix it with an underscore: `_dns_list`
warning: value assigned to `child_stdin` is never read
--> rustjail/src/container.rs:807:13
|
807 | let mut child_stdin = std::process::Stdio::null();
| ^^^^^^^^^^^^^^^
|
= note: `#[warn(unused_assignments)]` on by default
= help: maybe it is overwritten before being read?
warning: value assigned to `child_stdout` is never read
--> rustjail/src/container.rs:808:13
|
808 | let mut child_stdout = std::process::Stdio::null();
| ^^^^^^^^^^^^^^^^
|
= help: maybe it is overwritten before being read?
warning: value assigned to `child_stderr` is never read
--> rustjail/src/container.rs:809:13
|
809 | let mut child_stderr = std::process::Stdio::null();
| ^^^^^^^^^^^^^^^^
|
= help: maybe it is overwritten before being read?
warning: value assigned to `stdin` is never read
--> rustjail/src/container.rs:810:13
|
810 | let mut stdin = -1;
| ^^^^^^^^^
|
= help: maybe it is overwritten before being read?
warning: value assigned to `stdout` is never read
--> rustjail/src/container.rs:811:13
|
811 | let mut stdout = -1;
| ^^^^^^^^^^
|
= help: maybe it is overwritten before being read?
warning: value assigned to `stderr` is never read
--> rustjail/src/container.rs:812:13
|
812 | let mut stderr = -1;
| ^^^^^^^^^^
|
= help: maybe it is overwritten before being read?
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This addresses the following warning:
warning: unnecessary braces around assigned value
--> src/rpc.rs:1411:26
|
1411 | detail.init_daemon = { unistd::getpid() == Pid::from_raw(1) };
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: remove these braces
|
= note: `#[warn(unused_braces)]` on by default
Fixes: #750
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Pull over kata-deploy-test from the 1.x packaging repository. This is
intended to be used for testing any changes to the kata-deploy
scripting, and does not exercise any new source code changes.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
This reverts commit c0ea910273.
Two scripts are still required for release and testing, which should
have never been under obs-packaging dir in the first place. Let's
revert, move the scripts / update references to it, and then we can
remove the remaining obs-packaging/ tooling.
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
We can rely on the error handling of the actual HTTP API calls to catch
errors, and don't need to call VmmPing explicitly in advance.
Signed-off-by: Bo Chen <chen.bo@intel.com>
The cloud-hypervisor commit `6d30fe05` introduced a fix on its API for
VFIO device hotplug (`VmAddDevice`), which is required for supporting
VFIO unplug through openAPI calls in kata.
Signed-off-by: Bo Chen <chen.bo@intel.com>
First, most people don't care about CNM. Move that out of main doc.
Second, tc-filter is the default. Let's add a bit more background on
our usage of tc-filter (and clarify why we use this instead of macvtap).
Fixes#797
Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
The systemd method of adding a debug console is not really
user friendly. Since we have added a much more straightforward
method to enable agent debug console, update developer guide to
reflect this.
Fixes#834
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add github action to test that the snap package was generated
correctly, this CI don't test the snap, it just build it.
fixes#838
Signed-off-by: Julio Montes <julio.montes@intel.com>
Tag openapi-generator-cli container to v4.3.1 that is the latest
stable, this way we can have reproducible builds and the same
generated code in all the systems
Signed-off-by: Julio Montes <julio.montes@intel.com>
k8s.io/apimachinery/pkg/api/resource is a memory quantities parser,
we use it to parse the SGX EPC size defined by the `sgx.intel.com/epc`
annotation
Signed-off-by: Julio Montes <julio.montes@intel.com>
Support the `sgx.intel.com/epc` annotation that is defined by the intel
k8s plugin. This annotation enables SGX. Hardware-based isolation and
memory encryption.
For example, use `sgx.intel.com/epc = "64Mi"` to create a container
with 1 EPC section with pre-allocated memory.
At the time of writing this patch, SGX patches have not landed on the
linux kernel project.
The following github kernel fork contains all the SGX patches for the
host and guest: https://github.com/intel/kvm-sgxfixes#483
Signed-off-by: Julio Montes <julio.montes@intel.com>
We have removed cli support and that means dockder support is dropped
for now. Also it doesn't make sense to have so many duplications on each
distribution as we can simply refer to the official docker guide on how
to install docker.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
rust agent does not use grpc as submodule for a while, update README
to reflect the change.
Fixes: #196
Signed-off-by: Yang Bo <bo@hyper.sh>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Now, the qemu version used in arm is so old. As some new features have merged
in current qemu, so it's time to upgrade it. As obs-packaging has been removed,
I put the qemu patch under qemu/patch/5.1.x.
As vxfs has been Deprecated in qemu-5.1, it will be no longer exist in
configuration-hyperversior.sh when qemu version larger than 5.0.
Fixes: #816
Signed-off-by: Edmond AK Dantes <edmond.dantes.ak47@outlook.com>
2.0 Packaging runtime-release-notes.sh script is using 1.x Packaging
kernel urls. Fix these urls to 2.0 branch Packaging urls.
Fixes: #829
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Some sections and files were removed in a previous commit,
remove all reference to such sections and files to fix the
check-markdown test.
fixes#826
Signed-off-by: Julio Montes <julio.montes@intel.com>
We should not checkout to 2.0-dev branch in the clone_tests_repo
function when running in Jenkins CI as it discards changes from
tests repo.
Fixes: #818.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The code in the end of init_child is unreachable and need to be removed.
The code after do_exec is unreachable and need to be removed.
Signed-off-by: Tim Zhang <tim@hyper.sh>
Firecracker expose metrics through fifo file
and using a JSON format. This PR will parse the
Firecracker's metrics and convert to Prometheus metrics.
Fixes: #472
Signed-off-by: bin liu <bin@hyper.sh>
Current working directory is a process level resource. We cannot call
chdir in parallel from multiple threads, which would cause cwd confusion
and result in UT failures.
The agent code itself is correct that chdir is only called from spawned
child init process. Well, there is one exception that it is also called
in do_create_container() but it is safe to assume that containers are
never created in parallel (at least for now).
Fixes: #782
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Somehow we are not running static checks for a long time.
And that ended up with a lot for errors.
* Ensure debug options are valid is dropped
* fix snap links
* drop extra CONTRIBUTING.md
* reference kata-pkgsync
* move CODEOWNERS to proper place
* remove extra CODE_OF_CONDUCT.md.
* fix spell checker error on Developer-Guide.md
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Set enable_debug_console=true in Kata's congiguration file,
runtime will pass `agent.debug_console`
and `agent.debug_console_vport=1026` to agent.
Fixes: #245
Signed-off-by: bin liu <bin@hyper.sh>
Create "class" and "config" file in temporary device BDF dir,
and remove dir created by ioutil.TempDir() when test finished.
fixes: #746
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
The code used `match` as a switch with variable patterns `ev_fd` and
`cf_fd`, but the way Rust interprets the code is that the first
pattern matches all values. The code does not perform as expected.
This addresses the following warning:
warning: unreachable pattern
--> rustjail/src/cgroups/notifier.rs:114:21
|
107 | ev_fd => {
| ----- matches any value
...
114 | cg_fd => {
| ^^^^^ unreachable pattern
|
= note: `#[warn(unreachable_patterns)]` on by default
Fixes: #750Fixes: #793
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This only allows some whitelists files bind mounted under proc
and prevent other malicious mount to procfs.
Fixes: #807
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Overly long commit lines are annoying. But sometimes,
we need to be able to force the use of long lines
(for example to reference a URL).
Ironically, I can't refer to the URL that explains this
because of ... the long line check! Hence:
```sh
$ cat <<EOT | tr -d '\n'; echo
See: https://github.com/kata-containers/tests/tree/master/
cmd/checkcommits#handling-long-lines
EOT
```
Maximum body length updated to 150 bytes for parity with:
https://github.com/kata-containers/tests/pull/2848Fixes: #687.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The latest release of cloud-hypervisor v0.10.0 contains the following
updates: 1) `virtio-block` Support for Multiple Descriptors; 2) Memory
Zones; 3) `Seccomp` Sandbox Improvements; 4) Preliminary KVM HyperV
Emulation Control; 5) various bug fixes and refactoring.
Note that this patch updates the client code of clh's HTTP API in kata,
while the 'versions.yaml' file was updated in an earlier PR.
Fixes: #789
Signed-off-by: Bo Chen <chen.bo@intel.com>
In static-build/qemu-virtiofs/Dockerfile the code which
applies the virtiofs specific patches is spread in several
RUN instructions. Refactor this code so that it runs in a
single RUN and produce a single overlay image.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The qemu and qemu-virtiofs Dockerfile files repeat the code to apply
patches based on QEMU stable branch being built. Instead, this adds
a common script (qemu/apply_patches.sh) and make it called by the
respective Dockerfile files.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Fix a bug on qemu-virtiofs Dockerfile which end up not applying
the QEMU patches.
Fixes#786
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This patch add fall-back code path that builds cloud-hypervisor static
binary from source, when the downloading of cloud-hypervisor binary is
failing. This is useful when we experience network issues, and also
useful for upgrading clh to non-released version.
Together with the changes in the tests repo
(https://github.com/kata-containers/tests/pull/2862), the Jenkins config
file is also updated with new Execute shell script for the clh CI in the
kata-containers repo. Those two changes fix the regression on clh CI
here. Please check details in the issue below.
Fixes: #781
Fixes: https://github.com/kata-containers/tests/issues/2858
Signed-off-by: Bo Chen <chen.bo@intel.com>
This PR includes these changes:
- use Rust installed by Travis
- install x86_64-unknown-linux-musl
- install rustfmt
- use Travis cache
- delete ci/install_vc.sh
Fixes: #748
Signed-off-by: bin liu <bin@hyper.sh>
Use the relative path of kata-deploy to replace the 1.x packaging url in
the kata-deploy/README.md file. Fixed the path issue, producted by
creating new branch.
Fixes: #777
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Be more verbose about podman configuration in the output of the data
collection script: get the system configuration as seen by podman and
dump the configuration files when present.
Fixes: #243
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
1. Until we restore docker/moby support, we should use crictl as
developer example.
2. Most of the hyperlinks should point to kata-containers repository.
3. There is no more standalone mode.
Fixes: #767
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Fix the kata-pkgsync tool's docs, change the download path of the
packaging tool in 2.0 release.
Fixes: #773
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Add unit tests for finish_root, read_only_path and mknod_dev
increasing code coverage of mount.rs
fixes#284
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use conditional compilation (#[cfg]) to change chroot behaviour
at compilation time. For example, such function will just return
`Ok(())` when the unit tests are being compiled, otherwise real
chroot operation is performed.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use conditional compilation (#[cfg]) to change pivot_root behaviour
at compilation time. For example, such function will just return
`Ok(())` when the unit tests are being compiled, otherwise real
pivot_root operation is performed.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't use unwrap in `init_rootfs` instead return an Error, this way
we can write unit tests that don't panic.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add tempfile crate as depedency, it will be used in the following
commits to create temporary directories for unit testing.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use conditional compilation (#[cfg]) to change mount and umount
behaviours at compilation time. For example, such functions will just
return `Ok(())` when the unit tests are being compiled, otherwise real
mount and umount operations are performed.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Update `kata-check` to see if there is a newer version available for
download. Useful for users installing static packages (without a package
manager).
Fixes: #734.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
We should just download the official static build binary instead of
trying to build on our own.
Fixes: #760
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
- agent: add cgroup v2 support
- runtime: Don't use hard-coded crio config
- Generate version file with more information in it.
- ci: replace spaces by tabs as indent
- fix issues with short life time container/exec processes
- action: Add issue to project and move to "In progress" on linked PR
- virtiofsd: fix typo in test code
- agent: setup DNS for guest
- ci: run agent test under root user
- docs: update sandbox apis doc for kata 2.0-dev
- rustjail: fix the issue of invalid cgroup_parent path
- osbuilder: update usage of RUST_AGENT variable
- agent: add retry between doing CPU hotplug and make it online.
- kernel: update to the latest LTS kernel 5.4.60
- osbuilder: fix rootfs build on ppc64le
- kernel: Enabling PTP clock support in kernel
- rootfs-builder: fix unbootable dracut-based initramfs on Fedora
- [fwport-2.0] osbuilder/image-builder: disable reflink
- virtcontainers: Add unit test for utils/compare.go
- reimplement error handling: use anyhow
- docs: update yaml file link for prometheus deployment
- docs: Update the doc for minikube installing kata
- trivial: Fix spelling of "privilege"
- [port] image-builder: disable reflink
- runtime: qemu: reduce boot time and memory footprint
- snap for kata 2.0
- runtime: Fix typo in hotplugVFIODevice()
- drivers: Correct isPCIeDevice logic
- docs: Add documentation for VFIO-AP passthrough
- [fwport-2.0] qemu: update build dependencies to support QEMU 5
- kata-deploy: add ACRN runtime to Docker configuration
- runtime: Add support for VFIO-AP pass-through
- agent: update Cargo files authors
- packaging: adjustment for 2.0 branch
- Fix epthemeral mount issue
- clh: Disable the 'seccomp' option temporarily
- Subject: [PATCH] qemu: add annotations for iommu_platform for s390x v…
- Foward-port :virtiofs: Update virtiofs docs
- Forward-port kata deploy conf
- initrd: Increase Alpine Version to 3.12
- [forward port]: osbuilder: Update yq
- tools: Add Unix socket support to agentl-ctl
- agent: Add target optimize for Makefile
- server: Allow address to be specified
- rustjail: default permission of device node should be 666
- packaging: Add VFIO-AP fragment for s390x
- console: Fix crash if debug console disabled
- agent: support guest hooks
- virtcontainers: Add to utils unit tests
- sandbox: Disconnect from agent after VM shutdown
- runtime: Re-vendor GoVMM for hotplugging IBM Adjunct Processor (AP) devices over VFIO
- clh: Port cloud-hypervisor related changes from kata-runtime
- docs: remove outdated dependencies from agent docs
- [forward-port] packaging: s390x kernel config fragments
- action: Fix subsystem check
- osbuilder : ppc64le support for rust agent based rootfs/initrd image
- packaging: add usage instructions for -a (arch_target) option
- rustjail: add the "HOME" env for process
- rustjail: fix the issue of missing set propagation for bind mount
- agent: add unit tests for rustjail/process.rs
- ci: Update experimental kernel tag to enable CLH CI
- virtcontainers: fix outdated example code in api document
- agent: setup the "lo" interface run agent as init
- Fix commit-message-check and do some updates about github actions
- virtcontainers: cleanup codes, delete not used APIs
- Use github action to do Fixes/Length/Subsystem check for commit message
- docs: Remove installation of proxy
- virtcontainers: Add unit test for types/container.go
- shimv2: fix the issue of close IO stream
- docs: Update contributions section in limitations document kata 2.0
- Fix fd leakage in execute_hook
- Kata 2.0-dev port of #2867 (NoReboot Knob)
- qemu: remove multidev in fsdev parameter on arm64
- Makefile: add CLHCMD in arm64-options.mk
- runtime: change un-structured log to structured log
- virtcontainers: Add function to capabilities test
- virtcontainers: Expand unit test coverage for asset
615ffb93 agent: Generate version file with more adequate information in it.
f13ca94e agent: Fix setting of version
c823b4cd agent: Make build remove generated files on clean
357d7885 ci: replace spaces by tabs as indent
22876b2d agent: allow multiple wait on the same process
295f5100 runtime: Don't use hard-coded crio config
6487044f shimv2: trust cached status when deleting containers
325a4f86 shimv2: do not kill a stopped exec process
d7c77b69 runtime: write oom file to notify CRI-O tha OOM occurred
15065e44 agent: add cgroup v2 support
2ce97ec6 virtiofsd: fix typo in test code
b081f26a action: Add issue to project and move to "In progress" on linked PR
6520320f agent: setup DNS for guest
90e0dc88 ci: run agent test under root user
c133a456 rustjail: fix the issue of invalid cgroup_parent path
20a084ae docs: update sandbox apis doc for kata 2.0-dev
d86e7467 agent: add retry between doing CPU hotplug and make it online.
ebd3f316 osbuilder: fix rootfs build on ppc64le
2dfb8bc5 rootfs-builder: fix unbootable dracut-based initramfs on Fedora
2019f00e docs: update yaml file link for prometheus deployment
0be02a8f runtime: qemu: reduce boot time and memory footprint
8b07bc2c agent: fix unit tests - remove rustjail::errors
6c96d666 agent: update Cargo toml and lock
46d7b9b8 agent/rustjail: remove rustjail::errors
fbb79739 agent: Use anyhow for error handling
33759af5 agent: Add anyhow dependency
c192446a agent/rustjail: Use anyhow for error handling
2e3e2ce1 agent/rustjail/capabilities: Use anyhow for error handling
6a4c9b14 agent/rustjail/cgroups: Use anyhow for error handling
359286a8 agent/rustjail: Add anyhow dependency
dd60e56f trivial: Fix spelling of "privilege"
cb999375 runtime: Fix typo in hotplugVFIODevice()
0d198f93 virtcontainers: Add unit test for utils/compare.go
1de9bc0f snap: reimplement snapcraft.yaml to support kata 2.0
85642c32 snap: move snapcraft.yaml to the right place
92dfa463 drivers: Correct isPCIeDevice logic
b4748280 kernel: Remove arm patches for ptp
82efd2f2 kernel: Enabling PTP clock support in kernel
8666e01e qemu/default-configs: update default-config for QEMU 5
2d12da8e qemu: update default-configs
cf3ac9f7 docs: Add documentation for VFIO-AP passthrough
11e8a494 docs: update the docs for minikube installing kata
517dda02 kernel: update to the latest LTS kernel 5.4.60
ae98ea45 obs-packaging: fix wait for obs
f5b71d34 qemu: update build dependencies to support QEMU 5
fcd29a28 osbuilder/image-builder: disable reflink
dae6c7d9 osbuilder: update usage of RUST_AGENT variable
1236e224 runtime: Add support for VFIO-AP pass-through
65970d38 osbuilder: install-yq should not print on success
c624fa74 osbuilder: install musl for aarch64
b24f2cb9 gitignore: ignore vscode directory
cf1b72d6 osbuilder: install rust before sourcing cargo env
7b5ab586 packaging: fix kata-deploy yaml path
76c18aa3 osbuilder: fix alpine agent build
5216815d packaging: make build-kernel.sh work for 2.0
aa3fb4db packaging: make kata-deploy work for 2.0
86a6e0b3 packaging: fix build image scripts
ceebd06b release: add 2.0 release actions
dadab1fe osbuilder: build rust agent by default
1bd58259 packaging: tag releases on kata-containers repo
f56f68bf obs-packaging: adjust for building on kata-containers repo
60245a83 agent: update Cargo files authors
544219d9 mount: fix the issue of epthemeral storage handler
fd8f3ee9 mount: add much more error info using chain_err
10b1deb2 tools: Add Unix socket support to agentl-ctl
f5598a1b Subject: [PATCH] qemu: add annotations for iommu_platform
f879acd6 scripts: Foward port osbuilder scripts to update yq
7be95b15 tools: Simplify error handling in agent-ctl
5b0e6f37 kata-deploy: add ACRN runtime to Docker configuration
adf9ecc5 initrd: Increase Alpine Version to 3.12
32b86a8d agent: Add target optimize for Makefile
26506d83 virtiofs: Update virtiofs docs
bee17d1c kata-deploy: Add containerd configuration to support kata annotations.
219f93ff kata-deploy: Add default privileged_without_host_devices
4b62fc16 clh: Disable the 'seccomp' option temporarily
f7ff6d32 image-builder: disable reflink
0a9b8e0a rustjail: default permission of device node should be 666
81644003 server: Allow address to be specified
bb30759e agent: add guest hooks UT
095ebb8c agent: fix OCI hook handling
03a4d107 agent: support guest hooks
e7bfeb41 agent: construct container bundle in tmpfs location
2ee40027 packaging: Add VFIO-AP fragment for s390x
4c30b255 runtime: Re-vendor GoVMM for VFIO-AP support
282bff9f sandbox: Disconnect from agent after VM shutdown
9f1a3d15 kernel: add s390x fragment
f1350616 kernel: config CONFIG_GENERIC_MSI_IRQ_DOMAIN
b67325c3 kernel: add missing configs
454dd854 kernel: config CONFIG_ PARAVIRT
62b45064 kernel: config CONFIG_NO_HZ_FULL
6dca74ba kernel: moved acpi hotplug config
7c85decc kernel: config CONFIG_PCI_MSI_IRQ_DOMAIN
efe51b29 kernel: fragment for pmem
08d046d9 kernel: config CONFIG_HAVE_NET_DSA
7b49fa12 kernel: fragments not supported on s390x
ccfb73cb agent/agent-ctl: update Cargo.lock
fd13c93c virtcontainers: Add msg to existing utils unit tests
c3fc09b9 virtcontainers: Add to utils unit tests
96582556 docs: remove outdated dependencies from agent docs
d12f920b console: Fix crash if debug console disabled
572de288 sandbox: Remove unnecessary thread
d5fbba3b main: Remove commented out and redundant code
1b2fe4a5 agent: Refactor main function
bac79eee main: Display config in announce
e2952b53 main: Simplify version handling
cfa35a90 action: Fix subsystem check
39b53f44 clh: enable build using Podman
04b156f6 qemu-virtiofs: Update to qemu 5.0 + virtiofs + dax
3ec05a9f clh: Add support to unplug block devices
45e32e1b clh: Set 'Id' explicitly while hotplugging block device
895959d0 clh: Provide cpu topology to API
31594387 clh: opeanapi: update api for cloud hypervisor
89836cd3 versions: cloud-hypervisor 0.9.0
8d5a60ac versions: Update qemu-virtiofs to 5.0
76a64667 clh: Remove the use of deprecated '--memory file=' parameter
bfd78104 packaging: add usage instructions for -a (arch_target) option
ecaa1f9e clh: Enable versions and kernel tag to enable CLH CI for kata 2.0
64b06944 ppc64le: Support for rust agent based rootfs
2511cabb virtcontainers: fix outdated example code in api document
5c7f0016 rustjail: add the "HOME" env for process
58dfd503 rustjail: fix the issue of missing set propagation for bind mount
e79c5727 agent: setup the "lo" interface run agent as init
d0a45637 agent: add unit tests for rustjail/process.rs
2889af77 actions: Run subject-line-length check even if the previous checks failed
9f0fef5a actions: Add commit-body-missing check
d81af48a actions: Do not limit the length of single word in commit body
8c46a41b actions: Fix subsystem checking in github-action
2466ac73 actions: Fix 'Fixes checking' problem by update dependent action
e7d3ba12 virtcontainers: cleanup codes, delete not used APIs
998a6343 docs: Remove installation of proxy
c305911d actions: Use github action to do Fixes/Length/Subsystem check
bd78ccaf shimv2: fix the issue of close IO stream
06834931 agent: Fix fd leaks in execute_hook
b03cd1bf docs: Update contributions section in limitations document kata 2.0
c15ef219 qemu: Set govmmQemu NoReboot config Knob
57269262 qemu: Add test for qemuConfig Knobs
5010e3a3 vendor: update govmm
61d133f9 runtime: change un-structured log to structured log
f24ad25d virtcontainers: Add unit test for types/container.go
1637e9d3 qemu: remove multidev in qemu/fsdev parameter on arm64
b61c9ca2 Makefile: add CLHCMD in arm64-options.mk
e1a79e69 virtcontainers: Add function to capabilities test
d1d5c69b virtcontainers: Expand unit test coverage for asset
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Clear the 1.x branch api methods in the 2.0. Keep the same methods to
the VC interface, like the VCImpl struct.
Fixes: #751
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
The version.rs file is now generated to contain up-to-date information
from the makefile, including git commit and the full binary path.
The makefile has also been modified to make it easier to add changes
in generated files based on makefile variables.
Fixes: #740
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Fix the bug where the version string generated by the `Makefile` was not
being passed to the agent, resulting in a "unknown" version.
Fixes: #725.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Until a container is deleted, agent should allow runtime to wait for
a process in parallel, as being supported by the go agent.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Same as containers, it is possible for an exec process to stop so
quickly that containerd may send a parallel Kill request. We should
just return success in such case.
Fixes: #716
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
In checkAndMount(), it is not clear why we check IsBlockDevice() and if
DisableBlockDeviceUse == false and then only return "false, nil" instead
of "false, err". Adding a comment to make it a bit more readable.
Fixes: #732
Signed-off-by: Qian Cai <cai@redhat.com>
Let's add a new column to the Official packages table, and let the
maintainers of the official distro packages to jump in and add their
names there.
This will help us to ping & redirect to the right people possible issues
that are reported against the official packages.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Kata Containers will stop distributing the community packages in favour
of kata-deploy.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Following up a conversation with Ralf Haferkamp, we can safely drop the
instructions for using Kata Containers on SLES 12 SP3 in favour of using
the official builds provided for SLE 15 SP1, and SLE 15 SP2.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's update the openSUSE Installation Guide to reflect the current
information on how to install kata packages provided by the distro
itself.
The official packages are present on Leap 15.2 and Tumbleweed, and can
be just installed. Leap 15.1 is slightly different, as the .repo file
has to be added before the packages can be installed.
Leap 15.0 has been removed as it already reached its EOL.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Although the community packages are present for RHEL, everything about
them is extremely unsupported on the Red Hat side.
Knowing this, we'd be better to simply not mentioned those and, if users
really want to try kata-containers on RHEL, they can simply follow the
CentOS installation guide.
In the future, if the Fedora packages make their way to RHEL, we can add
the information here. However, if we're recommending something
unsupported we'd be better recommending kata-deploy instead.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's update the Fedora Installation Guide to reflect the current
information on how to install kata packages provided by the distro
itself.
These are official packages and we, as Fedora members, recommend using
kata-containers on Fedora 32 and onwards, as from this version
everything works out-of-the-box. Also, Fedora 31 will reach its EOL as
soon as Fedora 33 is out, which should happen on October.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's update the CentOS Installation Guide to reflect the current
information on how to install kata packages provided by the
Virtualiation Special Interest Group.
These are not official CentOS packages, as those are not coming from Red
Hat Enterprise Linux. These are the same packages we have on Fedora and
we have decided to keep them up-to-date and sync'ed on both Fedora and
CentOS, so people can give Kata Containers a try also on CentOS.
The nature of these packages makes me think that those are "as official
as they can be", so that's the reason I've decided to add the
instructions to the "official" table.
Together with the change in the Installation Guide, let's also update
the README and reflect the fact we **strongly recommend** using CentOS
8, with the packages provided by the Virtualization Special Interest
Group, instead of using the CentOS 7 with packages built on OBS.
Fixes: #623
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
A PR now needs *two* labels to be applied before it can be merged.
One label must be a backport label from the list below and the other
a forward port label:
- backport labels:
`needs-backport`, `no-backport-needed`, `backport`.
- forward-port labels:
`needs-forward-port`, `no-forward-port-needed`, `forward-port`.
This is to make the maintainer think carefully before merging a PR
and hopefully maximise efficient porting.
Related: https://github.com/kata-containers/kata-containers/issues/634Fixes: #639.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The cgroup_parent path is expected to be absolute path,
add an '/' prefix to the passed cgroup_parent path to make
sure it's an absolute path.
Fixes: #336
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Sync the api from the runtime codes to the documentation. Remove and add
some apis in the kata-api-design.md doc. And new table for Sandbox
Monitor APIs.
Fixes: #701
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Sometimes runtime will fail in onlining CPU process,
because when the runtime calls to QMP
`device_add`, QEMU doesn't allocate all vCPUs inmediatelly.
Fixes: #665
Signed-off-by: bin liu <bin@hyper.sh>
The linux kernel feature RANDOMIZE_BASE improved the security and at
the same time increased the memory footprint of a kata container,
this feature was enabled in kata-containers/packaging#1006.
In order to mitigate this increase in memory consumption, we can
boot container using the uncompressed kernel.
Reduce boot time by ~5%
Reduce KSM memory footprint by ~14%
Reduce noKSM memory footprint by ~27%
fixes#669
Signed-off-by: Julio Montes <julio.montes@intel.com>
`rustjail::erros` was removed in a previous commit, hence some external crates
like `error_chain` are no longger required, update Cargo.toml and Cargo.lock
to reflect these changes.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't use `rustjail::errors` for error handling, since it's not
thread safe and there are better alternatives like `anyhow`.
`anyhow` attaches context to help the person troubleshooting
the error understand where things went wrong, for example:
Current error messages:
```
No such file or directory (os error 2)
```
With `anyhow`:
```
Error: Failed to read config.json
Caused by:
No such file or directory (os error 2)
```
fixes#641
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use `.to_string` to wrap up `caps::errors::Error`s since they are not
thread safe, otherwise `cargo build` will fail with the following error:
```
doesn't satisfy `caps::errors::Error: std::marker::Sync`
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
Return `anyhow::Result` from all the functions in this directory.
Add function `io_error_kind_eq` to compare an `anyhow::Error` with an
`io::Error`, this function downcast the `anyhow::Error`.
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications.
Signed-off-by: Julio Montes <julio.montes@intel.com>
I noticed the spelling mistake while reviewing another change and
doing a "grep" for "privilege" that turned up nothing.
Fixes: #671
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
In order to use a build systemd like launchpad, the snapcraft.yaml file
must be in the root directory of the project or under the `snap`
directory, that way launchpad detects that this project can be build
using the `snapcraft` command
Signed-off-by: Julio Montes <julio.montes@intel.com>
Currently, isPCIeDevice() attempts to determine if a (host) device is
PCI-Express capable by looking up its link speed via the PCI slots
information in sysfs. This is a) complicated and b) wrong. PCI-e
devices don't have to have slots information, so this frequently fails.
Instead determine if devices are PCI-e by checking for the presence of
PCIe extended configuration space by looking at the size of the "config"
file in sysfs.
Forward ported from 6bf93b23 in the Kata 1.x runtime repository.
Fixes: #611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
These patches are causing compilation issues while building on x86.
Remove these while we fix the issue.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Disable the following IPMI configs, since they are not needed
for kata containers and fixes the snap job in launchpad
CONFIG_PCI_IPMI_KCS
CONFIG_PCI_IPMI_BT
CONFIG_IPMI_SSIF
fixes#581
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add guide on how to pass a VFIO-AP device, such as Crypto Express cards
on IBM Z mainframes, to a Kata container. Like the documentation for
VFIO-PCI, this was put in the virtcontainers README.
Fixes: #658
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
The command for intalling kata in minikube still keeping the old path of
the packaging project from the 1.x branch. This commit changed the path
of the packaging's files to 2.0-dev branch.
Fixes: #619
Signed-off-by: Ychau Wang <wangyongchao.bj@inspur.com>
Reimplement the loop that waits for OBS. Look for the packages
that are still building, not for the repos.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add the following packages as build dependencies to build QEMU
5 in OBS and launchpad (snap)
* libselinux1
* libffi
* libmount
* libblkid
* python3
fixes#1075
Signed-off-by: Julio Montes <julio.montes@intel.com>
Disable reflink when using DAX. Reflink is a xfs feature that cannot be
used together with DAX.
fixes#577
Signed-off-by: Julio Montes <julio.montes@intel.com>
Recognise when a device to be hot-plugged is an IBM Adjunct Processor
(AP) device and execute VFIO AP hot-plug accordingly. Includes unittest
for recognising and uses CCW for addDeviceToBridge in hotplugVFIODevice
if appropriate.
Fixes: #491
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Co-authored-by: Julio Montes <julio.montes@intel.com>
Reviewed-by: Alice Frosi <afrosi@redhat.com>
Since we always build musl kata-agent, there is no need to build
it inside a musl container. We can just build on the host and then
copy the binary to the target rootfs.
There are still a lot to clean up and it should be made so for ALL
target distros instead of just alpine. But this is at least working
for alpine first.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We do not need to clone packaging repository, nor apply
virtio_vsock as virtio-fs-dev has already included that fix.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Anyone can collaborate in the Kata Containers project, so instead of
adding her/his name and email to the Cargo.toml files, use
`The Kata Containers community` as name and
`kata-dev@lists.katacontainers.io` as email.
fixes#643
Signed-off-by: Julio Montes <julio.montes@intel.com>
For ephemeral storage handler, it should return an
empty string instead of the mount destination.
Fixes: #635
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Rather than specifying the VSOCK address as two CLI options
(`--vsock-cid` and `--vsock-port`), allow the agent's ttRPC server
address to be specified to the `agent-ctl` tool using a single URI
`--server-address` CLI option. Since the ttrpc crate supports VSOCK and
UNIX schemes, this allows the tool to be run inside the VM by specifying
a UNIX address.
Fixes: #549.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
for s390x virtio devices
Add iommu_platform annotations for qemu for ccw,
other supported devices can also make use of that.
Fixes#603
Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
Don't format the error string before passing to the `anyhow!()` macro
since it can format strings itself.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add an ACRN runtime ('kata-acrn') to the Docker configuration
('/etc/docker/daemon.json').
Fixes: #579
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Update this document to get rid of any nemu mentions.
Added comment to mention that number of containers that can be
launched may be limited by the size of `/dev/shm`.
Fixes#572
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
In case of containerd, not all annotations are passed down to the OCI
layer. We need to configure "pod_annotations" field for a runtime class.
This field is a list of annotations that can be passed by Kata as OCI
annotations. Add this as default configuration with kata-deploy.
Fixes: #594
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
For privieleged containers, all host devices are passed to
container. We have done work in crio and containerd to define a
scope of privileged in Kata to prevent this from happening.
Add this as the default as this falls under a best practice to follow
with Kata.
Note that if this flag has been already defined, then this change
does not override it.
Fixes#582
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
We kept observing instabilities from CLH CI jobs periodically (kata
1.x). To separate the random failures caused by `seccomp` from other
failures, this patch disables the 'seccomp' option from clh in kata for
now. We will bring this option back after completing the 'seccomp'
filter lists based on Kata's CI workload. Details are tracked in the
following two issues:
https://github.com/kata-containers/runtime/issues/2899 and
https://github.com/kata-containers/runtime/issues/2901
We are facing the similar challenge to stabilize CI jobs related to
cloud-hypervisor in Kata 2.0. We are disabling the `seccomp` option here
for the same reason. Related issue:
https://github.com/kata-containers/tests/issues/2813Fixes: #614
Signed-off-by: Bo Chen <chen.bo@intel.com>
Disable reflink when using DAX. Reflink is a xfs feature that cannot be
used together with DAX.
fixes kata-containers/osbuilder#456
fixes#577
Signed-off-by: Julio Montes <julio.montes@intel.com>
Allow the default (VSOCK) ttRPC server address to be changed using a new
`KATA_AGENT_SERVER_ADDR` environment variable (for testing and
debugging).
Fixes: #552.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Scan guest hooks upon creating new sandbox and append
them to guest OCI spec before running containers.
Fixes: #485
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add vfio-ap.conf to the s390 kernel config fragments, which includes
the necessary flags for passing an IBM Adjunct Processor (AP) device
over VFIO.
Fixes: #567
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Reviewed-by: alicefr <afrosi@redhat.com>
This is a re-vendor of intel/govmm, with support for hot-plugging IBM
Adjunct Processor (AP) devices over VFIO. This is necessary for
enabling AP device pass-through in Kata (see #491).
39c372a Add support for hot-plugging IBM VFIO-AP devices
f5bdd53 travis: disable amd64 jobs
1af1c0d github: enable github actions
4831c6e travis: Run coveralls after success
cf0f05d qemu: add iommu_platform knob for qemuParams
175ac49 typo fix
Fixes: #565
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
When a one-shot pod dies in CRI-O, the shimv2 process isn't killed until
the pod is actually deleted, even though the VM is shut down. In this
case, the shim appears to busyloop when attempting to talk to the (now
dead) agent via VSOCK. To address this, we disconnect from the agent
after the VM is shut down.
This is especially catastrophic for one-shot pods that may persist for
hours or days, but it also applies to any shimv2 pod where Kata is
configured to use VSOCK for communication.
See github.com/kata-containers/runtime#2719 for details.
Fixes#2719
Signed-off-by: Evan Foster <efoster@adobe.com>
Moved CONFIG_GENERIC_MSI_IRQ_DOMAIN in arch base.conf.
The config is not selected for s390x
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Some kernel configs need additional dependencies:
- CONFIG_NO_HZ depends on
CONFIG_GENERIC_CLOCKEVENTS
- CONFIG_CGROUP_PERF depends on
CONFIG_PERF_EVENTS
CONFIG_HAVE_PERF_EVENTS
- CONFIG_BLK_DEV_LOOP depends on
CONFIG_BLK_DEV
CONFIG_BLOCK
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Moved CONFIG_ PARAVIRT to each arch base.conf.
CONFIG_ PARAVIRT only defined in x86, arm64, arm in arch/$arch/Kconfig.
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Moved CONFIG_NO_HZ_FULL config to each arch base.conf.
The config CONFIG_NO_HZ_FULL depends on CONFIG_HAVE_CONTEXT_TRACKING.
See https://github.com/torvalds/linux/blob/
a811c1fa0a02c062555b54651065899437bacdbe/kernel/time/Kconfig#L96
The context tracking is not supported on s390x yet.
See https://github.com/torvalds/linux/blob/
a811c1fa0a02c062555b54651065899437bacdbe/Documentation/features/time/
context-tracking/arch-support.txt#L27
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Moved:
---
CONFIG_HOTPLUG_PCI_ACPI=y
CONFIG_PNPACPI=y
---
from hotplug to acpi.
In this way, it is possible to skip these config if the acpi feature is
not supported.
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
The option CONFIG_VIRTIO_PMEM is not supported on s390x.
It requires nvdimm support.
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Add !s390x tag to skip these group of fragments for s390x.
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Expand unit tests for virtcontainers/utils/utils.go to include testing
CleanupFds, CPU calculations, ID string creation, and memory alignment
functions.
Fixes#490
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
The logic for the debug console meant that if the debug console was
_disabled_, the agent was guaranteed to crash on function exit due to
the unsafe code block. Fixed by simplifying the code to use the standard
`Option` idiom for optional values.
Fixes: #554.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Don't create a thread to wait for the ttRPC server to end - it isn't
required as the operation should be blocked on.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Print a simple version string rather than delaying the output
to display a structured version string. The structured output
is potentially more useful but:
- This output is not consistent with other components.
- Delaying the output makes `--version` unusable in some
environments (since a lot of setup is called before the
version string can be output).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
\h is not a valid metacharacter in javascript which is used in
github-action.
Use \s\t to replace it.
Fixes: #551
Signed-off-by: Tim Zhang <tim@hyper.sh>
[ Port from packaging commit 4e1b5729f47d5f67902e1344521bc5b121673046 ]
Build clh with Podman, allow build the vmm in the Podman CI
Virtiofs qemu has to be build as this is requried by clh.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from packaging commit cbe53bdb14e303830fa9f2d5a7f3c9161a32f033 ]
Update build scripts for qemu-virtiofs.
- virtiofs-0.3 patches are not needed
- Sync build on how vanilla qemu is built
- Apply patches for virtiofsd if any (none today)
- Apply patches that are used for the qemu vanilla
- Apply patches in order
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 44b58e4151d1fc7debed41274b65c37233a437e3 ]
This patch enables kata+clh to unplug block devices, which is required
to pass cri-o integration tests.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 03fb9c50c180d3359178c30e06f1122df312ae76 ]
To support unplug block device, we need to set the 'Id' explicitly while
hotplugging devices with cloud-hypervisor HTTP API.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 39897867bc89667daaafdd141367ec4a5fdc9247 ]
API now requires cpu topology.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 40f49312a4881c904a1cbdace04c4c697bd2d429 ]
Update api geneated by openapi.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 0dcbbd8dc113878c2aa8c78b5300e4853a7e64be ]
Highlights for cloud-hypervisor version 0.9.0 include:
virtiofs updates to new dax implementation based in qemu 5.0
Fixed random issues caused due to seccomp filters
io_uring Based Block Device Support
If the io_uring feature is enabled and the host kernel supports it then io_uring will be used for block devices. This results a very significant performance improvement.
Block and Network Device Statistics
Statistics for activity of the virtio network and block devices is now exposed through a new vm.counters HTTP API entry point. These take the form of simple counters which can be used to observe the activity of the VM.
HTTP API Responses
The HTTP API for adding devices now responds with the name that was assigned to the device as well the PCI BDF.
CPU Topology
A topology parameter has been added to --cpus which allows the configuration of the guest CPU topology allowing the user to specify the numbers of sockets, packages per socket, cores per package and threads per core.
Release Build Optimization
Our release build is now built with LTO (Link Time Optimization) which results in a ~20% reduction in the binary size.
Hypervisor Abstraction
A new abstraction has been introduced, in the form of a hypervisor crate so as to enable the support of additional hypervisors beyond KVM.
Snapshot/Restore Improvements
Multiple improvements have been made to the VM snapshot/restore support that was added in the last release. This includes persisting more vCPU state and in particular preserving the guest paravirtualized clock in order to avoid vCPU hangs inside the guest when running with multiple vCPUs.
Virtio Memory Ballooning Support
A virtio-balloon device has been added, controlled through the resize control, which allows the reclamation of host memory by resizing a memory balloon inside the guest.
Enhancements to ARM64 Support
The ARM64 support introduced in the last release has been further enhanced with support for using PCI for exposing devices into the guest as well as multiple bug fixes. It also now supports using an initramfs when booting.
Intel SGX Support
The guest can now use Intel SGX if the host supports it. Details can be found in the dedicated SGX documentation.
Seccomp Sandbox Improvements
The most frequently used virtio devices are now isolated with their own seccomp filters. It is also now possible to pass --seccomp=log which result in the logging of requests that would have otherwise been denied to further aid development.
Notable Bug Fixes
Our virtio-vsock implementation has been resynced with the implementation from Firecracker and includes multiple bug fixes.
CPU hotplug has been fixed so that it is now possible to add, remove, and re-add vCPUs (#1338)
A workaround is now in place for when KVM reports MSRs available MSRs that are in fact unreadable preventing snapshot/restore from working correctly (#1543).
virtio-mmio based devices are now more widely tested (#275).
Multiple issues have been fixed with virtio device configuration (#1217)
Console input was wrongly consumed by both virtio-console and the serial. (#1521)
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit d803f077c6fd26e4d020643eda415ea315f47e0c ]
Update to qemu 5.0.x with support for virtiofs + dax.
Fixes: #461
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Bo Chen <chen.bo@intel.com>
[ Port from runtime commit 30b40f5505fd46d23b89eb5fb38301d2f7454f35 ]
Along with the release of cloud-hypervisor v0.8.0, this option has been
deprecated. clh now enforces to use the alternative controls,
e.g. "shared" and "hugepages", which can infer the backing file
paths. Also, we don't use "hugepages" in kata, so we are fine now as the
"shared" control is already enabled.
Fixes: #461
Signed-off-by: Bo Chen <chen.bo@intel.com>
Add usage instructions for -a option in script and README,
currently supported architecture are aarch64/ppc64le/s390x/x86_64.
Fixes: #534
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
This PR updates the versions for the virtiofs kernel branch and
as there is a tag based in kernel 5.6 move patches to uses the tag name.
This PR is needed to enable CLH CI for kata 2.0. This PR is backporting
kata-containers/runtime#2843 and kata-containers/packaging#1098.
Fixes#532
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Add ExecuteAPVFIOMediatedDeviceAdd to qmp.go, which executes a hotplug
for an IBM Adjunct processor (AP) VFIO device (see also
https://www.kernel.org/doc/html/latest/s390/vfio-ap.html )
Also includes the respective unittest and adds the VfioAP DeviceDriver
constant to qemu.go.
Pushing again due to incidental CI failure
Fixes: #133
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Reviewed-by: alicefr <afrosi@redhat.com>
For building rust agent on ppc64le, the rust toolchain is built using
the LIBC implementation - gnu instead of musl.
Fixes: #481
Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
Some type declarations were changed. The example code here is outdated
according to the example_pod_run_test.go under virtcontainers directory.
And add the imports to make where the types from clear.
Fixes: #507
Signed-off-by: Li Ning <lining_yewu@cmss.chinamobile.com>
Use github actions to run unit tests.
Github actions service looks more stable and reliable than travis.
fixes#136
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fix the following error:
```
Bad response status from coveralls: 422
{"message":"service_job_id (717167073) must be unique for Travis Jobs
not supplying a Coveralls Repo Token","error":true}
The command "$GOPATH/bin/goveralls -v -service=travis-ci" exited with 1.
```
fixes#135
Signed-off-by: Julio Montes <julio.montes@intel.com>
When creating a container process/exec process, it should set the
"HOME" env for this process by getting from /etc/passwd.
Fixes: #498
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When do bind mount for container's volumes, the propagation
flags should be mount/set after bind mount.
Fixes: #530
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
If the line comprises of only a single word,
it may be something like a URL (it's certainly very unlikely to be a
normal word if the default lengths are being used), so length
checks won't be applied to it.
Signed-off-by: Tim Zhang <tim@hyper.sh>
The Fixes checking should pass as long as one of the commits of
pull-request pass the check.
update depdent github-action commit-message-checker-with-regex to v0.3.1
shortlog:
d6d9770 commit-message-checker-with-regex: Add input one_pass_all_pass
Fixes: #519
Signed-off-by: Tim Zhang <tim@hyper.sh>
This PR removes the installation of proxy in the Developer Guide as it
does not exist on kata 2.0
Fixes#502
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The commit checks does not need to wait for CI dependencies to be
installed, It's a waste of time. we need show errors ASAP.
And we should display as many problems as possible at once
Fixes: #487
Signed-off-by: Tim Zhang <tim@hyper.sh>
It should wait until the stdin io copy
termianted to close the process's io stream,
otherwise, it would miss forwarding some contents
to process stdin.
Fixes: #439
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
This PR updates the contributions sections for the limitations document
for kata 2.0 that instead using the previous runtime repository as example,
it will use the new one.
Fixes#476
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The Kata architecture does not support rebooting VMs (the lifecycle
being start/exec/kill) and if a VM is killed (e.g. using sysrq-trigger),
the VM does not exit fully and other layers do not notice the state change.
Set the NoReboot config Knob so that govmmQemu.LaunchQemu() runs QEMU
with the --no-reboot command-line option.
Fixes: #2866
Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Add unit tests for types/container.go. Tests were adapted from
sandbox_test.go since ContainerState is a sandbox state structure and
the transition tests are the same.
Fixes#451
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
As the current qemu of arm64 is so old, the new multidev parameter
in 9pfsdev is not supported on arm64, so disabled it temporarily.
Fixes:#466
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
The new alpha release brings in following changes:
1f8e4f67 docs: Update travis and go report card url
db93a163 runtime: remove mock shim
e5910c9b sandbox: Stop and clean up containers that fail to create
1283febd ci: checkout TRAVIS_BRANCH
d7f75dce docs: remove shim/proxy topics and fix docs links
0b3cbee8 virtcontainers: Add additional unit tests for sandbox
c0720179 package: enable cloud-hypervisor for arm64
07a307b4 virtcontainers: Remove duplicate unit tests
d914f018 virtcontainers: Move unit tests for types/sandbox.go
33b1865e actions: Pin to a particular sha for actions
8564c99e actions: Add github actions to perform DCO check
c5081624 actions: Add action to perform WIP check for pull requests
7bbb9e81 rootfs-builder: Don't modify /sbin/init on the build host
3d467505 device: Ease device access for rootfs device to allow node creation
f554cdec virtcontainers: Add to bridges unit test
1d7d944f fc: refactor --daemonize option
7f3e8959 console-watcher: use console watcher to monitor guest console outputs
1099a288 kata 2.0: delete use_vsock option and proxy abstraction
73bf9329 cgroup: fix the issue of crashed when meet unsupported cgroup
ab7afae6 docs: Clarifying minimum version of containerd for annotations
5b15e9ef runtime: consolidate types definition
c6e4d092 agent: sandbox shared pid namespace support
afcf269c rustjail: fix the issue of missing join pid namespace
f3da6900 docs: add link to CRI Configuration for pods
4291eb17 runtime: add monitor_address to .gitignore
1c56abb7 runtime: virtcontainers: vhost-user-blk/scsi are block device nodes
bbf85170 runtime: add pprof interface for shim
0790ca49 runtime: add pod overhead metrics
ae83c96d Modifie to proper CPU architecture name for ppc64le.
f404f4d9 Modified Makefile to pick up correct architecture name for ppc64le.
cdbba6ac agent: Make LIBC configurable
2afbfcab virtcontainers: print a warning when the device to append is not supported
919fc4cd virtcontainer/cgroup: create cgroup manager after creating the network
a134c2e0 virtcontainers/network: Change signature of Enpoint Attach method
9a9721c2 drivers: change BindDevicetoVFIO signature
66219d16 device: support vfio cold plug
3eb694c5 device: add ColdPlug flag
3cf8b470 runtime: delete Stateful from SandboxConfig
069505e2 runtime: delete unused sub-commands.
a0a96db2 runtime: handle unimplemented RPC call by NotFound status code
bd8f03a5 runtime: remove agent abstraction
41c04648 runtime: fix wrong issue links
83b23665 config: there is no need to check vhost-vosck for FC
d96b3063 docs: add metrics design documents for Kata 2.0
b28b850a versions: Revert "versions: update QEMU to 5.0.0"
5ff53037 tools: fix branch and runime repo
24ea3f01 virtcontainers: GetOOMEvent should have no timeout
1b75daa0 runtime: add new command to collect metrics from Kata containers
5200ac06 runtime: remove old store
186fed2a runtime: add implementation of GetMetrics
0c4c69de agent: add GetMetrics implementation
9fd3e48c agent: add new pb message GetMetrics
9c501f3d agent: device: Allow "VmPath" to be used when adding block devices
15af20b6 versions: update QEMU to 5.0.0
a06d01e1 versions: specify rust version
7ae4376b clh: vsock: Use the updated VsockConfig
d8a333b9 versions: Move to cloud-hypervisor v0.8.0
9177d3a3 virtiofsd: Use cache=auto
d66f2192 cli: Fix kata-env output on Power
94fdec4e clh: Allow add virtiofs args and cache options from config
653df674 kata_agent: Add unit tests
6da49a04 clh: Clear the "PCIAddr" field while blk device hotplug
2d6c0731 kata_agent: Pass "VirtPath" with "PCIAddr" of blk devices to agent
56ae2099 kata_agent: Allow to use "VirtPath" as volume source for blk devices
bdd386ba qemu: Fix rtc parameter is not set to qemu
51a6d60a qemu: Remove PMU feature for Power (ppc64le) platform
3ece4130 runtime: clean up shim abstraction
3a17e7aa qemu: Remove pmu limitation in nested virtualization of amd/ppc64le
06571f03 build: Add "pmu=off" to default cpu_features option
115dfa19 annotations: add cpu_features
fa9d619e qemu: add cpu_features option
520295b9 network: Detect and add static ARP entries
117ce4ac clh: remove slow boot debug flags from kernel cmdline
70137962 clh: Remove vsock log port in kernel cmdline
fd5d1394 clh: Improve hypervisor logging
21f83348 clh: Set 'virtio-blk' as the default block device driver
8b5eed70 clh: Enable disk block device hotplug support
883af9c7 agent: set hostname when running as init
899b75f2 agent: fix the issue of missing found right shell
2a8650ba agent-ctl: add Cargo.lock
a8430b37 gitignore: ignore more files
be9ca0d5 qemu: Don't leak file descriptors in case of error
60606647 virtiofsd: Improve logging
7e250f29 shim: exit out of oom polling if unimplemented
9f8d1baa virtcontainers: tests fix, nit fix
d3b3e8be virtcontainers: x86: Support microvm machine type
19833936 virtcontainers: add support for getOOMEvent agent endpoint to sandbox
7c205be2 virtcontainers: add support for getOOMEvent agent endpoint to sandbox
380f07ec proto: update agent protocol
dbc1c30d versions: Remove golangci-lint and gometalinter entries
6e7dd435 qemu: arm64: Set defaultGICVersion to 3 to limit the max vCPU number
93d1f7b4 versions: Misc changes to descriptions
17b3021b qemu: arm64: Don't detect gic version by /proc/interrupts
4cda90ab dax: enable dax on arm64
7a440254 Makefile: add trace-forwarder/agent-ctl missing targets
61e011e8 vc: Version support check is ineffective in createSandbox
ebfbca03 osbuilder: use newest golang
0fd1eb59 Makefile: add default rule
3f8d4b68 trace-forwarder: add Cargo.lock
b68d4e45 shimv2: Removing function as no longer used
f570a2cd shimv2 : Remove workaround for sharedPidNs
b2cc403e build: Improve top-level Makefile
f2a19966 agent: Rename check rule to test
ea1d799f qemu: Only one element of qemuPaths map is relevant
5dffffd4 qemu: Remove useless table from qemuArchBase
97a02131 qemu: Detect and fail a bad machine type earlier
d6e7a58a qemu: Clarify test with bad machine type
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add additional test cases that cover more asset types and functions to
increase unit test coverage.
Fixes#424
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
This PR fixes travis and go report carl url for the runtime README for kata
2.0
Fixes#432
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Use 'remap' behaviour to deal with multiple devices being shared with
a 9p export.
Fixes the following warning:
```
9p: Multiple devices detected in same VirtFS export, which might lead to file
ID collisions and severe misbehaviours on guest!
You should either use a separate export for each device shared from host or
use virtfs option 'multidevs=remap'!
```
fixes#378
Signed-off-by: Julio Montes <julio.montes@intel.com>
New features that can improve/impact in kata containers:
x86:
VMX features can be enabled/disabled via the "-cpu" flag.
When nested virtualization is enabled with an option like
"-cpu Haswell,+vmx", the set of VMX features will also be constrained to
what was available on the corresponding CPU model.
New "microvm" machine type that has virtio-mmio instead of PCI, and no ACPI
support (so no hotplug too). The new machine type is meant as a baseline
for performance optimizations of QEMU, firmware and guests. While inspired
by Firecracker it is not entirely compatible with it (for example it does
not have Firecracker's userspace IP stack and MicroVM Metadata Service).
Reduce memory footprint when booting uncompressed kernels.
ARM:
We now correctly support more than 256 CPUs when using KVM
The virt board now supports memory hotplugging, when used with a UEFI
guest BIOS and ACPI.
virtio-iommu is now supported with machvirt.
The Cortex-M7 CPU is now supported.
s390:
Using KVM now explicitly requires a host kernel version of at least 3.15
(which includes the 'flic' KVM device). This had been broken since QEMU
2.10 already.
ppc64le:
pseries machine type, now consumes less host resources when running a KVM
guest with XIVE (with a recent enough host kernel). This allows running
more concurrent guests with KVM accelerated XIVE.
NVDIMMs with file backend is now supported and SLOF updated to work with
iommu_platform=on for virtio devices.
Signed-off-by: Julio Montes <julio.montes@intel.com>
The Kata architecture does not support rebooting VMs (the lifecycle
being start/exec/kill) and if a VM is killed (e.g. using sysrq-trigger),
the VM does not exit fully and other layers do not notice the state change.
Kata needs a way to tell QEMU to run with the '--no-reboot' option
so that the guest VM exits and does not attempt to reboot.
Add a NoReboot boolean Knob so when Knobs.NoReboot is set, the '--no-reboot'
command-line option will be passed to QEMU on startup.
Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
A container that is created and added to a sandbox can still fail
the final creation steps. In this case, the container must be stopped
and have its resources cleaned up to prevent leaking sandbox mounts.
Forward port of https://github.com/kata-containers/runtime/pull/2826Fixes#2816
Signed-off-by: Evan Foster <efoster@adobe.com>
Add tests for state change, empty string failures for Volumes and
Sockets. Change two function names to accurately reflect tests.
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Now, cloud-hypervisor is capable to work on arm64. it's time to
enable it in kata for arm64.
as cloud-hypervisor can only use virtio-fs, a new patch should be
applied to kernel for virtiofs and some config should be removed
temporarily.
Fixes: #446
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Remove tests from virtcontainers/sandbox_test.go which were moved to
virtcontainers/types/sandbox_test.go.
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Move unit tests that were in virtcontainers/sandbox_test.go relating
to Socket, Volume, and SandboxState to types/sandbox_test.go.
Change testSandboxStateTransition function to use SandboxState only
instead of Sandbox from virtcontainers/sandbox.go.
Fixes#435
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Since actions can access the github token, lets use a
particular version of sha rather than using master.
Fixes: #437
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
(cherry picked from commit 57b64f35e0)
Action performs a check to verify PR raised has commits
that are signed-off.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
(cherry picked from commit 1b157e5015)
Use github actions for performing WIP checks on PRs.
The action checks for keywords in subject line
as well labels.
Fixes: #437
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
(cherry picked from commit 0d96145c29)
multidevs specifies how to deal with multiple devices being shared with a 9p
export. `multidevs=remap` fixes the following warning:
```
9p: Multiple devices detected in same VirtFS export, which might lead to file
ID collisions and severe misbehaviours on guest!
You should either use a separate export for each device shared from host or
use virtfs option 'multidevs=remap'!
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't modify /sbin/init on the build host when using command `AGENT_INIT="yes" ./rootfs.sh centos` to build rootfs.
Fixes: #430
Signed-off-by: liangxianlong <liang.xianlong@zte.com.cn>
For docker in docker scenario, the nested container created
has entry "b *:* m" in the list of devices it is allowed to access
under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list.
This entry was causing issues while starting a nested container
as we were denying "m" access to the rootfs block devices.
With this change we add back "m" access, the container would be
allowed to create a device node for the rootfs device but will
not have read-write access to the created device node.
This fixes the docker in docker use case while still making sure
the container is not allowed read/write access to the rootfs.
Note, this could also be fixed by simply skipping {"Type : "b"}
while creating the device cgroup with libcontainer.
But this seems to be undocumented behaviour at this point,
hence refrained from taking this approach.
Fixes#426
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add function that creates new bridges to increase unit test coverage
for virtcontainers/types/bridges. Also adds test for address formats.
Fixes#422
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Import new console watcher to monitor guest console outputs, and will be
only effective when we turn on enable_debug option.
Guest console outputs may include guest kernel debug info, agent debug info,
etc.
Fixes: #389
Signed-off-by: Penny Zheng penny.zheng@arm.com
With kata containers moving to 2.0, (hybrid-)vsock will be the only
way to directly communicate between host and agent.
And kata-proxy as additional component to handle the multiplexing on
serial port is also no longer needed.
Cleaning up related unit tests, and also add another mock socket type
`MockHybridVSock` to deal with ttrpc-based hybrid-vsock mock server.
Fixes: #389
Signed-off-by: Penny Zheng penny.zheng@arm.com
Using pod annotations requires a minimum version of v1.3.0 of containerd
to pass annotations down to kata. This is already somewhat mentioned in
the corresponding how-to, however, it can be mis-read as the minimum
version of kata-containers instead of containerd. This can cause
extended and futile troubleshooting on older distributions such as
Ubuntu 16.04 which ship a version of 1.2.x of containerd. This patch
attempts to clarify this.
Fixes: #690
Signed-off-by: Georg Kunz <georg.kunz@est.tech>
We do not need the vc types translation for network data structures.
Just use the protocol buffer definitions.
Fixes: #415
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add support shareProcessNamespace.
BTW, this commit only support shared pid namespace by
sharing the infrastructure pause container's pid namespace
with other containers, instead of creating a new pid
namespace different from pause container.
Fixes: #342
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When checking if a device is an emulated vhost-user-blk or
vhost-user-scsi one, we should not only check for their major number but
also their device node type. They must be block devices.
Fixes: #401
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Makefile is determining the architecture by running uname command
which gives ppc64le as output. But rust toolchain target is available
with the name powerpc64le for ppc64le arch. So this change took care of that.
Signed-off-by: Abhishek Dasgupta <abdasgupta@in.ibm.com>
Currently the default LIBC used to build the agent is "musl". However,
"musl" is not preset in a big portion of the distros *and* "gnu" libc
just works as expected.
Knowing that, let's add the option to the one building the project to
simply do `make LIBC=gnu` instead of expected the person to go through
the Makefile and replace musl by gnu there.
Fixes: #369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Print a warning message when the device to append to a QEMU VM is not
supported. This change is just to improve debuggability.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Create the cgroup manager once the network has been created, this way the
list of device will include the network VFIO devices attached to the sandbox,
when the physical enpoint is the network driver.
fixes#2774
Signed-off-by: Julio Montes <julio.montes@intel.com>
In order to use the device manager and receiver from the network enpoints,
the signature of the Attach method must change to revice a Sandbox instead of
a Hypervisor, this way devices can be added through the device manager API.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Depending on ColdPlug flag, cold or hot plug vfio devices. The VFIO device
won't be hot removed when such flag is false
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add ColdPlug flag to DeviceInfo and DeviceState to identify whether a device
must be or was cold plugged
Signed-off-by: Julio Montes <julio.montes@intel.com>
For now, agent return status of NotFound when calling getOOMEvents, runtime should handle it correctly.
Fixes: #393
Signed-off-by: bin liu <bin@hyper.sh>
Since the FC used the hybrid vsock, there's no need
to check whether the vhost vsock suported by host.
Fixes: #387
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
This reverts commit 15af20b6da.
kubernetes test are failing randomly with QEMU 5.0.0, let's go back to
QEMU 4.1.1 and debug the failures with QEMU 5
Depends-on: github.com/kata-containers/tests#2701
fixes#379
Signed-off-by: Julio Montes <julio.montes@intel.com>
Kata 2.0 lives in `github.com/kata-containers/kata-containers`, so all scripts
should point to it.
Currently the branch for Kata 2.0 is 2.0-dev not master, then the branch envar
must be used instead of hardcoding `master` as default branch.
Signed-off-by: Julio Montes <julio.montes@intel.com>
When the "PCIAddr" (BDF information) is available, we allow to use the
predicted "VmPath" (from kata-runtime) to locate the block device in the
agent. This is a special code path for supporting block-device/volume
passthrough w/ cloud-hypervisor when the BDF information is not
available (as of clh v0.8.0).
This is mainly porting the changes from kata-agent PR https://github.com/kata-containers/agent/pull/790,
as the related changes from kata-runtime is ported to kata 2.0 earlier
this week (https://github.com/kata-containers/kata-containers/pull/362).
Note that the upstream clh recently added the support of returning BDF
information for hotplugged devices. We will consolidate/remove this
special code path for the next upgrade of clh version in kata.
Fixes: #248
Signed-off-by: Bo Chen <chen.bo@intel.com>
New features that can improve/impact in kata containers:
x86:
VMX features can be enabled/disabled via the "-cpu" flag.
When nested virtualization is enabled with an option like
"-cpu Haswell,+vmx", the set of VMX features will also be constrained to
what was available on the corresponding CPU model.
New "microvm" machine type that has virtio-mmio instead of PCI, and no ACPI
support (so no hotplug too). The new machine type is meant as a baseline
for performance optimizations of QEMU, firmware and guests. While inspired
by Firecracker it is not entirely compatible with it (for example it does
not have Firecracker's userspace IP stack and MicroVM Metadata Service).
Reduce memory footprint when booting uncompressed kernels.
ARM:
We now correctly support more than 256 CPUs when using KVM
The virt board now supports memory hotplugging, when used with a UEFI
guest BIOS and ACPI.
virtio-iommu is now supported with machvirt.
The Cortex-M7 CPU is now supported.
s390:
Using KVM now explicitly requires a host kernel version of at least 3.15
(which includes the 'flic' KVM device). This had been broken since QEMU
2.10 already.
ppc64le:
pseries machine type, now consumes less host resources when running a KVM
guest with XIVE (with a recent enough host kernel). This allows running
more concurrent guests with KVM accelerated XIVE.
NVDIMMs with file backend is now supported and SLOF updated to work with
iommu_platform=on for virtio devices.
Depends-on: github.com/kata-containers/tests#2694
fixes#372
Signed-off-by: Julio Montes <julio.montes@intel.com>
[ port runtime commit 364435a6a18bfbb1277512431040bf085554ffdf ]
The new release of clh v0.8.0 updated the 'VsockConfig' of its HTTP API,
which requires changes on our clh driver.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 17d265af6fc1f0913545bfa64e3e1a497f3e44c0 ]
Major new functionalities added in clh v0.8.0 include Experimental
Snapshot and Restore Support, Experimental ARM64 Support, 5-level guest
paging support, etc. Also, there are quite some bug fixings and CLI/API
changes for cleanup. More details can be found in the release note:
https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v0.8.0.
Changes:
52b83969 build, release-notes: Document 0.8.0 release
776f8fc5 build: Update Cargo.lock
3f18f93f docs: Add a guide for testing on AArch64
97a1e5e1 vmm: Exit VMM event loop after guest shutdown for AArch64
5cd1730b vmm: Configure VM on AArch64
917219fa vmm: Enable VCPU for AArch64
b5f1c912 vmm: Enable memory manager for AArch64
eeeb45bb vmm: Enable device manager for AArch64
e9488846 vm-allocator: Enable vm-allocator for AArch64
5343b0ac net_util: Fix usage of deprecated mac_address method
bf37ebdc arch: x86_64: Add 5th level of paging when needed
abd6204d source: Fix file permissions
02ac1820 scripts: Ensure musl-gcc is used by musl build
cc85d896 tests: Extend test_*_reboot with checks on fd leaking
2ae547cf build(deps): bump vmm-sys-util from 0.6.0 to 0.6.1
f3556279 build(deps): bump serde_json from 1.0.54 to 1.0.55
dc034eb3 scripts: Only use musl for the Rust components
176d6716 build: Run musl builds in parallel to glibc builds
083189e5 build(deps): bump vcpkg from 0.2.9 to 0.2.10
2334b521 build(deps): bump syn from 1.0.30 to 1.0.31
99c99c24 build(deps): bump serde_json from 1.0.53 to 1.0.54
96a5e22b resources: kernel: Enable 5 levels of page table
653087d7 vmm: Reduce MMIO address space by 4KiB
5f0b6201 arch: x86_64: Enable CR4 LA57 feature
09fd3259 build: Use fork of vm-memory with less performance impact
5f9e079a device: Add AArch64 RTC PL031 implementation
625bab69 vmm: api: Allow to delete non-booted VMs
313883f6 remove duplicated structure InitrdConfig
afe60808 build(deps): bump synstructure from 0.12.3 to 0.12.4
aa79a92c tests: Add integration test for unprivileged network
9b71ba20 vmm, vm-virtio: Stop always autogenerating a host MAC address
1f8b6fa9 net_util: Allow retrieving the MAC address from the TAP device
929d70bc net_util: Only try and enable the TAP device if it not already enabled
eda9bfc7 vhost_user_fs: Replace the '--sock' parameter with '--socket'
a8cdf2f0 tests,vm-virtio,vmm: Use 'socket' for all CLI/API parameters
90e7accf ch-remote: Show response body from error
e436bbf3 build: Install libfdt in github cross-build workflow
2d13751d aarch64: Porting fdt related files from Firecracker
5a18dd36 aarch64: Porting AArch64 register implementation from Firecracker
d605fda3 aarch64: Porting GIC source files from Firecracker
ce624a6d aarch64: Add memory layout for AArch64
c7d44b88 build(deps): bump quote from 1.0.6 to 1.0.7
7c91dfae build(deps): bump proc-macro-nested from 0.1.4 to 0.1.5
17c16e5c build(deps): bump pin-project from 0.4.19 to 0.4.20
a2398742 build(deps): bump arc-swap from 0.4.6 to 0.4.7
b31fe72e build(deps): bump openssl-sys from 0.9.57 to 0.9.58
96497004 build(deps): bump dirs-sys from 0.3.4 to 0.3.5
eabf43fb Revert "tests: Extend test_*_reboot with checks on fd leaking"
7dc4e913 tests: Extend test_*_reboot with checks on fd leaking
601d898f build(deps): bump pin-project from 0.4.17 to 0.4.19
6ff107af vm-device: Switch to use get_host_address_range in vfio-ioctls
3336e801 vfio: Switch to the vfio-ioctls crate ch branch
d24aa72d vfio: Rename to vfio-ioctls
53ce5298 vfio: Move the PCI implementation to the PCI crate
8f7dc735 vmm: Move Vcpu::configure() to arch crate
969e5e0b vmm: Split configure_system() from load_kernel() for x86_64
20cf21cd vmm: Change booting process to cover AArch64 requirements
61aa4615 vhost_user_net: Implement VIRTIO_RING_F_EVENT_IDX
a4d377a0 vm-virtio: net: Implement VIRTIO_RING_F_EVENT_IDX
f0697073 vm-virtio: net: Handle lost interrupts on restore
a5596020 vm-virtio: Add some info! level debugging interrupt generation
cc51fdb8 vhost_user_net: Use NetQueuePair from vm-virtio
fcc62efc vm-virtio: net: Prepare NetQueuePair for use in vhost-user-net
2dbd1186 vm-virtio: net: Split network handling
237cb184 vm-virtio: net: Add further missing error reporting
36d072e6 vm-virtio: Add error propagation for TAP listener (un)registration
3151b5d8 vm-virtio: net: Refactor to support code reuse
22be88d3 build(deps): bump vfio-bindings from `887b3cf` to `f08cbcb`
6121f462 build(deps): bump vfio-bindings from `46ef9d4` to `887b3cf`
b731e63a build(deps): bump ryu from 1.0.4 to 1.0.5
d2d5ccb1 build(deps): bump proc-macro2 from 1.0.17 to 1.0.18
a1b9131b build(deps): bump syn from 1.0.29 to 1.0.30
2571b279 build(deps): bump vcpkg from 0.2.8 to 0.2.9
57f477ef build(deps): bump syn from 1.0.28 to 1.0.29
8a08ea46 build(deps): bump serde_derive from 1.0.110 to 1.0.111
b8ae30d4 build(deps): bump serde from 1.0.110 to 1.0.111
0a0fb246 build(deps): bump syn from 1.0.27 to 1.0.28
bc2921b2 build(deps): bump regex from 1.3.8 to 1.3.9
917ad530 build(deps): bump regex from 1.3.7 to 1.3.8
aac87196 build(deps): bump vm-memory from 0.2.0 to 0.2.1
4c2e6054 build: Update to latest version of container
c471ae94 Dockerfile: Update to latest Rust toolchain: 1.43.0
c31ad72e build: Address issues found by 1.43.0 clippy
fbd1a6c5 vmm: api: Return complete error responses in handle_http_request()
0728bece vmm: seccomp: Ensure that umask() can be reprogrammed
3497eeff main: Set the umask to 0077
c1d15de7 build(deps): bump syn from 1.0.25 to 1.0.27
a4bb96d4 build(deps): bump libc from 0.2.70 to 0.2.71
bfd52ad8 build(deps): bump linux-loader from `bd01b6d` to `1af92d2`
8f1f9d9e devices: Implement InterruptController on AArch64
b32d3025 devices: Refactor IOAPIC to cover other architectures
d5884180 build(deps): bump syn from 1.0.24 to 1.0.25
83c18de5 build(deps): bump proc-macro-hack from 0.5.15 to 0.5.16
7708b95e build(deps): bump syn from 1.0.23 to 1.0.24
749f2f03 build(deps): bump proc-macro2 from 1.0.15 to 1.0.17
c98d6fd0 build(deps): bump openssl-sys from 0.9.56 to 0.9.57
a9ca493b build(deps): bump proc-macro2 from 1.0.14 to 1.0.15
974c7138 build(deps): bump thiserror from 1.0.18 to 1.0.19
321c479b build(deps): bump proc-macro2 from 1.0.13 to 1.0.14
4f5c8be3 build: Added a workflow to cross-build targetting AArch64
1befae87 build: Fixed build errors and warnings on AArch64
0090ec2d build: Updated development utilities for AArch64
af8292b6 vmm, config, vhost_user_blk: remove "wce" parameter
9101bdd7 vm-virtio: block: Ensure backing file consistency
dc66eee8 vhost_user_block: Ensure backing file consistency
10db2131 vm-virtio: block: Add "writeback" control to Request
b94d9a30 vhost_user_backend: Allow backends to know features that can be used
9d88ba7a vhost_user_block: Use VirtioBlockConfig from vm-virtio
1fac2632 vm-virtio: Use config name as per spec
077a5c36 build(deps): bump syn from 1.0.22 to 1.0.23
a813b57f vm-virtio, vhost_user_{fs,block,backend}: Move EVENT_IDX handling
8ae7a38d build: Use same virtio-bindings version
3947809c vm-virtio: block: Ensure that VIRTIO_BLK_T_FLUSH requests actually sync
ca6edafb build(deps): bump cc from 1.0.53 to 1.0.54
a7f236b8 ci: Extend snapshot/restore to validate virtio-vsock
f442c62b vm-virtio: Implement Snapshottable trait for Vsock
f9759988 ci: Extend snapshot/restore test with virtio-iommu
646d33fe vm-virtio: Set queue fields explicitely during restore
02cbea54 vm-virtio: Implement Snapshottable trait for Iommu
4f89cb05 build(deps): bump linux-loader from `43d1c51` to `bd01b6d`
14db7b0a build(deps): bump addr2line from 0.12.0 to 0.12.1
9f2eddd9 ci: Fix test_serial_off
7c3e19c6 vhost_user_backend, vmm: Close leaked file descriptors
35782bd9 vm-virtio: Close file descriptors created by epoll::create()
039accc1 vhost_user_net, vm-virtio: Interrupt guest when TX queue is updated
c8a081e4 build(deps): bump pin-project from 0.4.16 to 0.4.17
b80a7d01 build(deps): bump vmm-sys-util from 0.5.0 to 0.6.0
e6fd6d63 vhost_user_block: Implement VIRTIO_BLK_F_FLUSH
95e3edda build(deps): bump quote from 1.0.5 to 1.0.6
d760010c build(deps): bump ppv-lite86 from 0.2.6 to 0.2.8
0cde08a7 build(deps): bump hermit-abi from 0.1.12 to 0.1.13
3adfe3fb build(deps): bump syn from 1.0.21 to 1.0.22
85aadd15 build(deps): bump proc-macro2 from 1.0.12 to 1.0.13
c764c212 build(deps): bump thiserror from 1.0.17 to 1.0.18
4366dd92 vm-virtio: block: Add support for VIRTIO_RING_F_EVENT_IDX
5a55fc07 vhost_user_fs: Fix seccomp filter for musl
391508f0 tests: Add tests checking for host MAC address setting
1b8b5ac1 vhost-user_net, vm-virtio, vmm: Permit host MAC address setting
11049401 vmm: seccomp: Add ioctl() commands interface hardware address
59e1361f net_util: tap: Add support for setting tap MAC address
68fc4329 vmm: Update seccomp filters with clock_nanosleep
badf8261 build(deps): bump anyhow from 1.0.30 to 1.0.31
7b10f732 build(deps): bump cc from 1.0.52 to 1.0.53
4120a7de vhost_user_fs: Add seccomp
6aa29bdb vmm: api: Use a common handler for data actions too
0fe223f0 vmm: api: Extend VmAction to reduce code duplication
6ec605a7 vmm: api: Refactor generic action handler
c652625b vmm: api: Add a default implementation for simple PUT requests
a3e8bea0 vmm: api: Move HttpError enum to http module
6aab0a54 vhost_user_fs: Implement support for optional sandboxing
c4bf383f vhost_user_*: Create a vhost::Listener in advance
fa844865 vhost_user_fs: Allow callers to provide a fd for /proc/self/fd
831cff3f vhost_user_fs: Use a fd for /proc/self/fd instead of /proc
ba4ec7fc ci: Extend snapshot_restore_test with hotplug
9e165c2c ci: Enable snapshot/restore integration test
c566f1f0 build(deps): bump once_cell from 1.3.1 to 1.4.0
7ffde295 build(deps): bump backtrace from 0.3.47 to 0.3.48
e9c2dbc8 build(deps): bump anyhow from 1.0.29 to 1.0.30
9ccc7daa build, vmm: Update to latest kvm-ioctls
80aa0a75 tests: Test unplugging virtio-fs
88ec93d0 vmm: config: Add missing "id" from FsConfig parsing
0f89f5ec build(deps): bump anyhow from 1.0.28 to 1.0.29
ab3d374a build(deps): bump syn from 1.0.20 to 1.0.21
35b8992e build(deps): bump thiserror from 1.0.16 to 1.0.17
3415b11d build(deps): bump quote from 1.0.4 to 1.0.5
6989bf05 build(deps): bump backtrace from 0.3.46 to 0.3.47
2991fd2a build(deps): bump libc from 0.2.69 to 0.2.70
c37da600 vmm: Update DeviceTree upon PCI BAR reprogramming
d0ae9d7c vmm: Share the DeviceTree across threads
5e9d2545 vmm: Store and restore virtio-pci BAR resources
02bd50f6 vm-virtio: Add helper to set the configuration BAR value
8a826ae2 vmm: Store and restore virtio-pci device on right PCI slot
98dac352 vmm: Add optional PCI b/d/f to each DeviceNode
1e0ebb76 pci: Allow specific PCI b/d/f to be reserved
e577b64a build(deps): bump syn from 1.0.19 to 1.0.20
36bffff2 tests: Expand the test_large_memory() test to cover lots of vCPUs
b9ba81c3 arch, vmm: Don't build mptable when using ACPI
16ac24d8 tests: Only test "noacpi" test when we don't build with ACPI
bb8d19bb arch: Check RSDP address does not go past memory
1c44e917 build(deps): bump clap from 2.33.0 to 2.33.1
4cd2eccf build(deps): bump signal-hook from 0.1.14 to 0.1.15
308b790c vm-virtio: Implement Snapshottable trait for VirtioPciDevice
6d594286 vm-virtio: Implement Snapshottable trait for VirtioPciCommonConfig
e1701f11 pci: Implement Snapshottable trait for PciConfiguration
376db311 pci: Implement Snapshottable trait for MsixConfig
52ac3779 tests: Remove network interface from test_memory_overhead
b57eeb96 vhost_user_block: Add "queue_size" to --block-backend
5016fcf8 vhost_user_block: Use config::OptionParser to simplify block backend parsing
592de97f vhost_user_net: Use config::OptionParser to simplify net backend parsing
f3f398eb vhost_user_block: Consolidate the vhost-user-block backend syntax
3220292d vhost_user_net: Consolidate the vhost-user-net backend syntax
0d2be3b6 build(deps): bump serde from 1.0.107 to 1.0.110
9d8754c6 build(deps): bump pin-project from 0.4.13 to 0.4.16
9bac13de build(deps): bump serde_json from 1.0.52 to 1.0.53
e8d4a13e build(deps): bump serde_derive from 1.0.107 to 1.0.110
d8f181c5 build(deps): bump futures from 0.3.4 to 0.3.5
1e44ac51 build(deps): bump serde_derive from 1.0.106 to 1.0.107
c197bd6f build(deps): bump serde from 1.0.106 to 1.0.107
475040b2 vm-virtio: Correctly reset the virtqueues
d809f2fe vm-virtio: Add virtio reset() support to MmioDevice
0d720cc3 bin: ch-remote: Ensure ch-remote supports syntax it advertises
74d88c4c build(deps): bump openssl-sys from 0.9.55 to 0.9.56
9adc32a0 tests: Print out details for smaps in test_memory_overhead
250f825f tests: Check that requesting tap name for virtio-net succeeds
006da040 tests: Check tap name provided is used for vhost_user_net tests
54b3329f tests: Add tests that use (non-existing) named tap
6fde2d18 build: Strip the binaries before using/releasing them
a4d23c3c build(deps): bump syn from 1.0.18 to 1.0.19
12e00c0f vmm: cpu: Retry sending signals if necessary
31bde4f5 vmm: Unpark the DeviceManager threads in shutdown
801e72ac vmm: cpu: Unpause vCPU threads
91a4a258 vmm: cpu: When coming out of the pause event check for a kill signal
cd60de8f Revert "vmm: vm: Unpark the threads before shutdown when the current state is paused"
797cd13d build(deps): bump vec_map from 0.8.1 to 0.8.2
f6a71bec vmm: Add unit tests for DeviceTree
64e01684 vmm: Create new module device_tree
3b77be90 vmm: Add device_node!() macro to improve code readability
83ec716e vmm: Create breadth-first search iterator for the DeviceTree
b91ab1e3 vmm: Remove the list of migratable devices
1be70372 vmm: Don't use migratable_devices for restore
bc608439 vmm: Add migratable field to the DeviceNode
7fec020f vmm: Create a dedicated DeviceTree structure
14b379de vmm: Add an identifier field to DeviceNode structure
0805d458 vmm: Add support for multiple children per DeviceNode
daaeba51 vmm: Change Node into DeviceNode
5c7df03e vmm: Store and restore virtio-pmem resources
2e6895d9 vmm: Store and restore virtio-fs resources
987f8215 vmm: Store and restore virtio-mmio resources
9cb1e1cc vmm: Perform MMIO allocation from virtio-mmio device creation
adf29706 vmm: Create devices in different path if restoring the VM
d39f91de vmm: Reorganize DeviceManager creation
89c2a586 vmm: Restore devices following the device tree
52c80cfc vmm: Snapshot and restore DeviceManager state
5b408eec vmm: Create a device tree
a6fde0bb vm-device: Define a Resource
b8841d7a tests: Validate vsock functionality works across a reboot
fec97e05 vm-virtio, vmm: Delete unix socket on shutdown
5109f914 vmm: config: Reject attempts to use VFIO or IOMMU without PCI
cb220ae1 tests: Add some debugging to test_memory_overhead
eb3d9d15 build(deps): bump ssh2 from 0.8.0 to 0.8.1
59b73034 build(deps): bump failure from 0.1.7 to 0.1.8
dd0791d7 build(deps): bump pnet from 0.25.0 to 0.26.0
7660a104 build(deps): bump failure_derive from 0.1.7 to 0.1.8
327d67fa virtio-mem: Return reize error in MemEpollHandler.run
bc318b64 build(deps): bump proc-macro2 from 1.0.10 to 1.0.12
5571c6af build(deps): bump signal-hook from 0.1.13 to 0.1.14
af3d0802 build(deps): bump pnet_macros from 0.25.0 to 0.26.0
678855e8 build(deps): bump term_size from 0.3.1 to 0.3.2
2a16ce7e build(deps): bump quote from 1.0.3 to 1.0.4
99e3a150 build(deps): bump backtrace-sys from 0.1.36 to 0.1.37
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 4645d3e6ef2e99dae1f2b3a7bfded6fc304d3023 ]
Today for virtiofsd kata sets by default `cache=always`. This option is
useful for performance but if the shared files are modified from the
host changes are not updated in the guest as virtiofsd uses cached value
all time.
This patch changes to `cache=auto` to fix consistency issues. The option
can still be set to always if it is wanted by the user.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 9ac39116b08148de8e66abfca2e5407bc153af87 ]
kata-env output always shows "VMContainerCapable=false" on Power.
This patch fixes the same.
Signed-off-by: bpradipt@in.ibm.com
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit e5a3211c74e20e9878fd0f5d1c80a3c4354eabd1 ]
Today some options for virtiofsd could improve compatibility
for example xattrs for dnf or cache=auto for file consistency
for changes in the host. Allow users can enabled as requiered.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 6be76fcd07a3d74ca5521af2feaf966dd6f2c344 ]
This patch adds the unit test for 'handleDeviceBlockVolume()'.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 5b96e01f1ba3b0458539c1c920d0c1aab7d5968e ]
We explicitly set "PCIAddr" to NULL, so that the "VirtPath" field can be
used by the agent to create the container.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 50c1dce137bb3d608daa931c01e4941ed5fdb6cc ]
In case the "PCIAddr" of block devices is not available (e.g.
cloud-hypervisor), we also pass the "VirtPath" to the agent for adding
block devices to the container.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit aea29b64b66f75049cb045f9e41dff2becdbebdc ]
When the "PCIAddr" of block device is not available (e.g. cloud-hypervisor), we
allow to use the "VirtPath" as the volume source for creating containers.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 379f19f7ccd71ebe938d9d6fe3cfe5f05f4f02bf ]
Add default value for Clock, otherwise rtc parameter will be dropped
by Valid function. "host" is the default value in qemu for rtc clock.
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 6b32472c2138536ea7e859360498f175601d9ec9 ]
The bug got introduced in 06571f0
Signed-off-by: bpradipt@in.ibm.com
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 18662e16687453185ff4cf99b495a34e3ea9935f ]
It's up to the user enable/disable pmu. After previous commit, the default
pmu option has been set to off.
This patch removes the hard limitation and unit test codes.
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 41a06d4961f51af4ec4799aaee202c744584f31e ]
The user sometimes doesn't care about pmu usage(e.g. perf tool profiling).
But pmu will cost significant overhead on boot time and virtualization
context switch. E.g. on arm64, if guest pmu is enabled, kvm should save
and restore all PMU registers when guest/host switching.
for dmesg comparision:
Before:
[ 0.007620] bus: 'platform': driver_probe_device: matched device pmu with driver armv8-pmu
[ 0.007622] bus: 'platform': really_probe: probing driver armv8-pmu with device pmu
[ 0.036282] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[ 0.036285] driver: 'armv8-pmu': driver_bound: bound to device 'pmu'
[ 0.036295] bus: 'platform': really_probe: bound device pmu to driver armv8-pmu
After:
[ 0.007935] bus: 'platform': driver_probe_device: matched device alarmtimer with driver alarmtimer
[ 0.007937] bus: 'platform': really_probe: probing driver alarmtimer with device alarmtimer
[ 0.007940] driver: 'alarmtimer': driver_bound: bound to device 'alarmtimer'
[ 0.007944] bus: 'platform': really_probe: bound device alarmtimer to driver alarmtimer
Because s390 doest support "pmu=off", keep the default CPUFEATURES to be ""
instead of "pmu=off".
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit f03c17d107999fd68da87d98ab3e242ac7843051 ]
So that users can use annotations to set it.
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 0100af18a2afdd6dfcc95129ec6237ba4915b3e5 ]
To control whether guest can enable/disable some CPU features. E.g. pmu=off,
vmx=off. As discussed in the thread [1], the best approach is to let users
specify them. How about adding a new option in the configuration file.
Currently this patch only supports this option in qemu,no other vmm.
[1] https://github.com/kata-containers/runtime/pull/2559#issuecomment-603998256
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 67d3e2c5c5d11738c0c0ff46b1228909a6c81ab0 ]
Some network plugins add static arp entries in the network namespace.
Scan namespace for static entries and pass these on to the
agent to be added within the guest.
If the grpc api is not implemented by the agent due to a older running
agent, check for this and do not error out to maintain
backward compatibility.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 6c517548429da06d33172c8e135dc9b9a297175d ]
The systemd debug and kernel init call debug flags make slow the boot.
The flags are not really related with the hypervisor and
can be added if needed using extra kernel command line options.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 160e3a7c98043a52032b15cc8f6e32a91b032258 ]
Cloud hypervisor logs console via stdout. Using console logs help
to get not only agent logs but early boot kernel logs.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit e1ee00d16ed621594a92ce0456eb048362962ff0 ]
Use systemd-cat to collect hypervisor output. The `systemd-cat` program
will open a journal fd and call `cat(1)` to redirect all the output to
the fd. This requires an extra binary to read from hypervisor stdout
(that has combined stdin, stderr and serial terminal). But because it is
cat the overhead is minimal and only is started on Kata debug mode.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 5e5527204c03036f1d1a6b3122c1e0c3e1d1ba94 ]
The block device driver defaults to 'virtio-scsi' when it is not set in
the hypervisor configuration file, while cloud-hypervisor supports only
'virtio-blk' for its block devices.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit c5f97b24d7a1eaac216f144b2c5429feb3451553 ]
With this patch, the container image can be shared from host with guest
as a block device when the 'devicemapper' is used as the storage driver
for docker. Note: The 'block_device_driver="virtio-blk"' entry is
required in the hypervisor config file to work properly.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
It should iter the shells to find the existing shell
command instead of return an error directly when it
meet an absent shell command.
Fixes: #354
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
[ port from runtime commit 7b269ff7aa2d62fe12593ff7040798e6c9bd5d65 ]
If we take one of the error paths from setupVirtiofsd() after
opening the fd variable, the fd.Close() function is not called.
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 882a82393305a4b11a77744b5fc77b98e42d15b9 ]
Send virtiofsd logs to syslog in the same way that qemu implementation
does. This requires not to wait for messages from virtiofsd stdout. This
takes the qemu implementation approach. Give the socket fd to virtiofsd.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 86f581068eb9dc4b6862c7415cdc912e111177dd ]
This exits out of polling for OOM events if the getOOMEvent
method is unimplemented.
Signed-off-by: Alex Price <aprice@atlassian.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit b4833a48c81132e5a6b1c25a764cd0ebbdc6afff ]
fix tests and nit
Signed-off-by: Alex Price <aprice@atlassian.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 6aff077901021d9a0075c446dfe281b2487e1487 ]
With the addition of support to govmm for multiple transports (intel/govmm#111)
and microvm (intel/govmm#121) we can now enable support for the 'microvm'
machine type in kata-runtime.
Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 86686b56a2bf7f6dd62f620278ae289564da51d0 ]
This adds support for the getOOMEvent agent endpoint to retrieve OOM
events from the agent.
Signed-off-by: Alex Price <aprice@atlassian.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit 86686b56a2bf7f6dd62f620278ae289564da51d0 ]
This adds support for the getOOMEvent agent endpoint to retrieve OOM
events from the agent.
Signed-off-by: Alex Price <aprice@atlassian.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit ee985a608015d81772901c1d9999190495fc9a0a ]
After removing dectect of host gic version, we need to limit the max vCPU
in different cases.
Given that in most cases, Kata is running on gicv3 host, set it as default
value. If the user really want to run Kata on gicv2 host, he/she need to
set default_maxvcpus in toml file to 8 instead of 0.
In summary, If the user uses host gicv3 gicv4, everything is fine
If the user uses host gicv2, set default_maxvcpus=8
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime commit c4b5922df2 ]
Most of the description fields have capitalized text,
some of those that don't are then converted on this
change.
Fixed spelling of 'required'.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime repository commit 4d4a153af5cb145215cb6e6e386eac2bcb8c3e32 ]
Commit b4385901da ("qemu/arm64: Detect host GIC version to configure guest
GIC") reads /proc/interrupts to detect the host gic version.
But on a ThunderX2 host with 224 cpus, the /proc/interrupts is ~762K bytes.
Hence it will costs ~900K bytes memory overhead.
From the go tool pprof results:
flat flat% sum% cum cum%
976.89kB 100% 100% 976.89kB 100% github.com/kata-containers/runtime/virtcontainers.getHostGICVersion
Although the allocated memory will be freed, seems it worthy removing that
for speed up the runtime.
As per [1], there is no perfect way to detect the gic version on host.
At qemu side, if we use "gic-version=host", qemu will automatically detect
the verion by kvm ioctl. So we'd better let qemu determine the gic version.
If the user really want to start vm with gic-verion=2, he/she can set it
in machine_accelerators option.
[1]https://lists.cs.columbia.edu/pipermail/kvmarm/2014-October/011690.html
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime repository commit e36389e25e ]
After backporting patch series of enabling memory hot remove on aarch64
to v5.4.x, we finally could enable nvdimm/dax on aarch64.
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ port from runtime repository commit 7e47046111 ]
If major version matches max supported major, we continue comparing the minor version.
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Removing code that existed as a workaround for a bug in
how shared process namespaces were handled in the agent.
That has been long fixed in the agent.
With this, sharedPidNs will now work with shimv2.
Fixes#337
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Define a set of functions that support the standard rules (build,
install, test, *etc*). Then simply add new components and tools to the
appropriate variable to support all the standard build semantics.
Fixes#331.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Changed the name of the rule that runs the tests to "test" for
consistency, but retained `check` for backwards compatibility
for now.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The qemuPaths field in qemuArchBase maps from machine type to the default
qemu path. But, by the time we construct it, we already know the machine
type, so that entry ends up being the only one we care about.
So, collapse the map into a single path. As a bonus, the qemuPath()
method can no longer fail.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The supportedQemuMachines array in qemuArchBase has a list of all the
qemu machine types supported for the architecture, with the options
for each. But, the machineType field already tells us which of the
machine types we're actually using, and that's the only entry we
actually care about.
So, drop the table, and just have a single value with the machine type
we're actually using. As a bonus that means the machine() method can
no longer fail, so no longer needs an error return.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently, newQemuArch() doesn't return an error. So, if passed an invalid
machine type, it will return a technically valid, but unusable qemuArch
object, which will probably fail with other errors shortly down the track.
Change this, to more cleanly fail the newQemuArch itself, letting us
detect a bad machine type earlier.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The last stanza of TestQemuAmd64Bridges is rather odd. It tries to create
a qemu instance with a machine type of (QemuQ35 + QemuPC), or in other
words "q35pc", which isn't a thing.
What it's asserting about this is that the returned bridges list is empty
despite asking for bridges, so it looks like what this is really trying to
test is for sane behaviour when given a bad machine type.
So, split this out into a separate test, and make it explicit for clarity.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Implement tc-based tx rate limiter to control network I/O outbound traffic
on VM level for hypervisors which don't support built-in rate limiter.
We take different actions, based on various inter-networking models.
For tcfilters as inter-networking model, we simply apply htb
qdisc discipline on the virtual netpair.
For other inter-networking models, such as macvtap, we resort to ifb,
by redirecting interface ingress traffic to ifb egress, and then apply htb
to ifb egress.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Ingress traffic shaping is very limited, and the htb
qdisc discipline couldn't be applied to interface ingress traffic.
Here, we import a new pseudo network interface, Intermediate Functional Block (ifb).
It is an alternative to tc filters for handling ingress traffic, by
redirecting interface ingress traffic to ifb and treat it as egress traffic there.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As for hypervisors that support built-in rate limiter, like firecracker,
we use this built-in characteristics to implement rate limiter in kata.
kata-defined rate is in bits with scaling factors of 1000, otherwise fc-defined
rate is in bytes with scaling factors of 1024, so need reversion.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Implement tc-based rx rate limiter to control network I/O inbound traffic
on VM level for hypervisors which don't support built-in rate limiter.
In some detail, we use HTB(Hierarchical Token Bucket) qdisc shaping schemes
to control host interface egress traffic.
HTB shapes traffic based on the Token Bucket Filter algorithm, and one
fundamental part of the HTB qdisc is the borrowing mechanism.
Children classes borrow tokens from their parents once they have exceeded rate,
it will continue to attempt to borrow until it reaches ceil. See more details in
https://tldp.org/HOWTO/Traffic-Control-HOWTO/classful-qdiscs.htmlFixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
We use tc-based or built-in rate limiter to shape network I/O traffic
and they all must be tied to one specific interface/endpoint.
In order to tell whether we've ever added rate limiter to this interface/endpoint,
we create get/set func to reveal/store such info.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
We have defined specific config file configuration-fc.toml for firecracker,
including specific features and requirements, but the related unit test
TestNewFirecrackerHypervisor is missing.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As for some hypervisors, like firecracker, they support built-in rate limiter
to control network I/O bandwidth on VMM level. And for some hypervisors, like qemu,
they don't.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Add configuration/annotation about network I/O throttling on VM level.
rx_rate_limiter_max_rate is dedicated to control network inbound
bandwidth per pod.
tx_rate_limiter_max_rate is dedicated to control network outbound
bandwidth per pod.
Fixes: #250
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
The virtiofs daemon may run into errors other than the file
not existing, e.g. the file may not be executable.
Fixes: #2682
Message is now:
virtiofs daemon /usr/local/bin/hello returned with error:
fork/exec /usr/local/bin/virtiofsd: permission denied
instead of
panic: runtime error: invalid memory address or nil
Fixes: #2582
Message is now:
virtiofs daemon /usr/local/bin/hello-not-found returned with error:
fork/exec /usr/local/bin/hello-not-found: no such file or directory
instead of:
virtiofsd path (/usr/local/bin/hello-no-found) does not exist
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The current path is hardcoded as follows:
virtio_fs_daemon = "/path/to/virtiofsd"
Switch to using the value of config.VirtioFSDaemon instead.
Fixes: #2686
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In service#StartShim, there is no applicable error variable which is checked by deferred func because the err variable is redefined.
This PR fixes the error variable.
Fixes#2727
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Call the `pkg/cgroups` package `SetLogger()` function to ensure all its log
records contain all required structured logging fields.
Fixes: #2782
Signed-off-by: Julio Montes <julio.montes@intel.com>
[cherry picked from runtime commit 3c4fe035e8041b44e1f3e06d5247938be9a1db15]
Check if shm mount is backed by empty-dir memory based volume.
If so let the logic to handle epehemeral volumes take care of this
mount, so that shm mount within the container is backed by tmpfs mount
within the the container in the VM.
Fixes: #323
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[cherry picked from runtime commit d0dbd0485d2f4ec3760f6fa1252ded86a7709042]
Call the `device/config` package `SetLogger()` function to ensure all its log
records contain all required structured logging fields.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
[ cherry-picked from runtime commit 13887bf89da9d2d7c215d77ca63129e1813e4c4a ]
Call the `store` packages `SetLogger()` function to ensure all its log
records contain all required structured logging fields.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We need to make sure containers cannot modify host path unless it is explicitly shared to it. Right now we expose an additional top level shared directory to the guest and allow it to be modified. This is less ideal and can be enhanced by following method:
1. create two directories for each sandbox:
-. /run/kata-containers/shared/sandboxes/$sbx_id/mounts/, a directory to hold all host/guest shared mounts
-. /run/kata-containers/shared/sandboxes/$sbx_id/shared/, a host/guest shared directory (9pfs/virtiofs source dir)
2. /run/kata-containers/shared/sandboxes/$sbx_id/mounts/ is bind mounted readonly to /run/kata-containers/shared/sandboxes/$sbx_id/shared/, so guest cannot modify it
3. host-guest shared files/directories are mounted one-level under /run/kata-containers/shared/sandboxes/$sbx_id/mounts/ and thus present to guest at one level under /run/kata-containers/shared/sandboxes/$sbx_id/shared/
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When an x86 sandbox has a vIOMMU (needed for VFIO), it needs the
'kernel_irqchip=split' option or it can't start. fdcd1f3a2 attempts to set
that, but ends up just writing it to a temporary (looks like Go for range
loops pass by value).
Fixes: #2694
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add a configuration option and a Pod Annotation
If activated:
- Add kernel parameters to load iommu
- Add irqchip=split in the kvm options
- Add a vIOMMU to the VM
Fixes#2694
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add a new function appendIOMMU() to the qemuArch interface
and provide an implementation on amd64 architecture.
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The ppc64 specific qemu setup code adds a "pmu=off" parameter to the cpu
model if the nestedRun option is set. But, not only does availability of
the pmu have nothing to do with nesting on POWER, there is no "pmu=" cpu
opton for ppc64 at all.
So, simply remove it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Hard-coded Qemu machine options create challenges when running Kata
with latest Qemu (v5.0) or with latest processor version.
This patch makes it configurable by leveraging the existing machine_accelerators
option in configuration.toml.
This patch fixes#2657 for ppc64le
Signed-off-by: bpradipt@in.ibm.com
The default ppc64le Qemu binary path was specific for Ubuntu.
This patch fixes the default binary path for both Fedora and Ubuntu
Fixes: #2738
Signed-off-by: bpradipt@in.ibm.com
qemu_ppc64le.go applies the "tsc=reliable", "no_timer_check" and
"noreplace-smp" kernel parameters, despite those being x86 specific. So,
just remove them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Let's add information on how to debug shimv2 when using cri-o, similarly
to what already is present with containerd.
Fixes: #672
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Dup a new file descriptor for temporary logger writer,
since this logger would be dropped and it's writer would
be closed out of if definition scope, which would cause
the logger process thread terminated if it used the original
pipe write fd.
Fixes: #318
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
With this change, a container is not longer given access to
the underlying root partition.
This is done by explicitly adding the root partition
to the device cgroup of the container.
Fixes: #317
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
The Qemu version check in unit test case is no longer needed for
Power since we don't support Kata with Qemu version < 4.x.
Fixes: #315
Signed-off-by: bpradipt@in.ibm.com
Improve the output of the data collection script to use lots more folds.
This makes it easier to review the information when viewing the pasted
output in a GitHub issue.
Fixes: #313.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add `start_section()` and `end_section()` functions to the data
collection script to allow new unfoldable sections to be created.
Redefine `show_header()` and `show_footer()` to use the new functions.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Now that the Kata containerd shim v2 can display a version string,
add those details to the data collection script.
Fixes: #309.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
All components should support a `--version` option to allow clear
identification of the version of the component being used.
Note that the build changes are required to allow the shim binary to
access the golang code generated by the build (such as the `version`
variable).
Fixes: #307.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add a new system component, used only when tracing is enabled. The
component listens to the agent over VSOCK, forwarding trace spans
created by the agent in the virtual machine onwards to an OpenTelemetry
collector (such as Jaeger) running on the host.
Fixes: #224.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fix a long-standing bug where the KSM throttler logs would not be
collected by removing the last (unused) parameter to the
`find_system_journal_problems()` function.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The function that checks for legacy packages in the collect script was
missing pipes denoting regex alternation.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Added new functions to convert to/from a log level name (like `debug`)
to/from the equivalent `slog::Level::Debug`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The agent logger is useful and generic enough that it can be used by
other components, so move the agent logging package to below a top level
`pkg` to encourage re-use.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add the following patches for QEMU 5:
* memory-backend-file/nvdimm: support read-only files as memory-backends
* 9p: removing coroutines of 9p to increase the I/O performance
fixes#1064
Signed-off-by: Julio Montes <julio.montes@intel.com>
Clean up all clippy warning.
Also fix a bug in dealing with IFLA_IFNAME attribute.
nlh.addattr_var(IFLA_IFNAME, name.as_ptr() as *const u8, name.len() + 1);
The `name` is a rust String, which doesn't including the trailing '\0',
so name.len() + 1 may cause invalid memory access.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Implment `TryFrom<IPAddress> for RtIPAddr` instead of From<IPAddress>,
so error code could be returned instead of unwrap().
Do the same for `TryFrom<Route> for RtRoute`.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
There are too much unsafe code in the netlink crate, we need to reduce
unsafe code as much as possible. To achieve this, methods are classified
as public interfaces and internal methods.
All public interface of RtnlHandle has been reimplemented as safe code,
only some public helper functions to manipulater Netlink message data
structures are implemented as unsafe code.
The code to parse IPv4/IPv6/MAC addresses has been moved to a dedicated
file named parser.rs.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The scan_fmt crate has dependency on other four crates, and it's trivial
to use std library to implement the same logic. Get rid of scan_fmt to
reduce the dependency chain.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Use features to enable/disable slog and agent handler on demand.
This helps to reduce dependency chains if slog/agent handler is unused.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The netlink crate is a library to communicate with Linux kenrel by using
the netlink socket. It's generic enough to be reused by other clients.
So get rid of dependency on the rustjail crate by:
1) normalize all pub interfaces to return Result<T, nix::Error>,
2) add helpers to reduce duplicated code,
3) move parse_mac() into lib.rs,
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
vhost is a Netdev Tap Option used to configure a host TAP network interface
backend, according to the QMP API documentation the type for such option must
be a boolean. Use boolean type for vhost option to fix the following
error on recent versions of QEMU:
```
Invalid parameter type for 'vhost', expected: boolean
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
qemu contains all device support for all the board qemu supported
on arm. But we use virt machine in most cases, so there are lots
of code in no relationship with virt then never used.
Here, we add a customized config, named arm-softmmu.mak.virt for
virt board. There is around 5M decrease of qemu binary using this
customized config compared with the common config.
arm-softmmu.mak includes and customizes the pci.mak and usb.mak to let
the change in aarch64-softmmu take effect. also arm-softmmu.mak.virt
is base on arm-softmmu.mak.
comparison of qemu binary between using common config and virt config
-rwxr-xr-x 1 root root 64190080 May 28 12:49 qemu-system-aarch64*
-rwxr-xr-x 1 root root 59061584 May 27 18:14 qemu-system-aarch64.virt*
Fixes: #1062
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Update ubuntu version to 20.04, due to the following linkage errors
is not possible to build QEMU 5 on ubuntu 18.04.
```
libmount.a(libmount_la-fs.o): In function `__mnt_fs_set_source_ptr':
(.text+0x9b1): undefined reference to `blkid_parse_tag_string'
libmount.a(libmount_la-tab.o): In function `mnt_table_find_source':
(.text+0x1dbf): undefined reference to `blkid_parse_tag_string'
libmount.a(libmount_la-utils.o): In function `mnt_tag_is_valid':
(.text+0x618): undefined reference to `blkid_parse_tag_string'
libmount.a(libmount_la-cache.o): In function `mnt_free_cache':
(.text+0x834): undefined reference to `blkid_put_cache'
libmount.a(libmount_la-cache.o): In function `mnt_cache_read_tags':
(.text+0xa24): undefined reference to `blkid_new_probe_from_filename'
(.text+0xa3d): undefined reference to `blkid_probe_enable_superblocks'
(.text+0xa4a): undefined reference to `blkid_probe_set_superblocks_flags'
(.text+0xa57): undefined reference to `blkid_probe_enable_partitions'
(.text+0xa64): undefined reference to `blkid_probe_set_partitions_flags'
(.text+0xa6c): undefined reference to `blkid_do_safeprobe'
(.text+0xb32): undefined reference to `blkid_free_probe'
(.text+0xb7c): undefined reference to `blkid_free_probe'
(.text+0xba0): undefined reference to `blkid_probe_lookup_value'
libmount.a(libmount_la-cache.o): In function `mnt_get_fstype':
(.text+0xef0): undefined reference to `blkid_new_probe_from_filename'
(.text+0xf09): undefined reference to `blkid_probe_enable_superblocks'
(.text+0xf16): undefined reference to `blkid_probe_set_superblocks_flags'
(.text+0xf1e): undefined reference to `blkid_do_safeprobe'
(.text+0xf4a): undefined reference to `blkid_free_probe'
(.text+0xf68): undefined reference to `blkid_probe_lookup_value'
libmount.a(libmount_la-cache.o): In function `mnt_resolve_tag':
(.text+0x130b): undefined reference to `blkid_evaluate_tag'
```
fixes#1060
Signed-off-by: Julio Montes <julio.montes@intel.com>
The following options can be provided
Intremap: activates interrupt remapping
DeviceIotlb: enables device IOTLB support for the vIOMMU
CachingMode: enables Cahing Mode
See: https://wiki.qemu.org/Features/VT-d
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
We only documented how to launch minikube/kata with CRI-O. It is
trivial to flip this to containerd, and that also works with kata-deploy,
so document it.
Fixes: #660
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Not all the fragments in common are needed by all the arch. The fragment
can be skipped if the have the tag !arch. For example:
# !s390x
Fixes: #1010
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Cloud hypervisor uses vsock, without this patch CI
for cloud hypervisor is not stable.
Patch information:
```
There was a race condition between bind() and listen() that was hit very
rarely when using Kata Containers and Cloud-Hypervisor. It's been
identified the problem is really coming from the virtio-vsock driver,
which is fixed by those new kernel patches uploaded for each version of
the kernels used by Kata Containers.
```
Update:
Fixed to make it build with kernel 5.6
Fixes#932
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
CRI has a v2 schema that seems to be the default in a lot of
containerd installations. It uses a "long" form for the plugin
id in the TOML config file.
Fixes#881
Signed-off-by: Dave Syer <dsyer@pivotal.io>
Debian 10 has been broken for a while but CI started
to detected recently.
Remove package until find a way to build it.
Fixes: #1052
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This remains the original aarch64-softmmu *explicit* default config. And
borrows the tuned configuration from i386-softmmu except the board specific
ones.
Fixes: #1044
Signed-off-by: Jia He <justin.he@arm.com>
Capstone is a disassembly framework which is not required for Kata.
Disabling it in configure can reduce ~6M bytes on arm64.
-rwxr-xr-x 71977368 May 8 09:32 qemu-system-aarch64.with.capstone*
-rwxr-xr-x 65676640 May 8 09:39 qemu-system-aarch64.without.capstone*
Fixes: #1044
Signed-off-by: Jia He <justin.he@arm.com>
There are three different types for the RTC clock: host, rt and vm.
Add `rt` to the list of RTC clocks.
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
This PR adds the documentation repository for the update-repository-version
verification.
Fixes#1027
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Enable the Travis CI configuration to perform static CI checks
on PRs to this repo.
Fixes: #1031
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Whilst enabling the static CI checks for this repo, it picked up
a spelling mistake. We'll need to fix that before we can enable
the CI.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
QEMU >= 4.0 is able to boot into the uncompressed kernel using the PVH
entry point, but to get this `CONFIG_PVH` must be enabled in the guest
kernel and `pvh.bin` installed in the host.
Booting uncompressed kernels in QEMU 5.0 can reduce the memory footprint,
~17% for KSM and ~15% nonKSM.
fixes#1029
Signed-off-by: Julio Montes <julio.montes@intel.com>
Allow API consumers to change the maximum number of ports in the virtio-serial
devices, setting a lower number of ports can improve the boot time and
reduce the attack surface.
fixes#120
Signed-off-by: Julio Montes <julio.montes@intel.com>
Following on from #111 which added support for multiple virtio transports,
add code to use virtio-mmio as the transport when booting a guest with
the microvm machine type and add a microvm case when checking for
NUMA support. Also add a test case for machine string parsing.
Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Support for passing sandbox annotations to the OCI layer was added
in containerd 1.3.0. Add this to the docs along with configuration
changes needed.
Fixes#653
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This PR updates the current version of the SLES obs packages that are
being generated.
Fixes#651
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The config file created by kernel fragments scheme is quite different
with the old arm64_kata_kvm_5.4.x.
So I will update arm64_kata_kvm_5.4.x for consistency.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Backport Anshuman Khandual's patch series of Enabling memory hot
remove on aarch64(https://patchwork.kernel.org/cover/11419305/)
to v5.4.x.
XONE_DEVICE is dependent on the implementation of memory hot remove.
This patch series has already been merged, and queued for 5.7.
After backporting this series, we could finally enable nvdimm/dax
on arm64.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Add a few arm64-specific configs and classify them into seven new categories
, that is,
1. base architecture-dependent options(base.conf)
It also includes varient-specific features, like CONFIG_ARM64_PMEM is
one ARMv8.2 arichitectural features.
2. crypto-related options(crypto.conf)
ARMv8 adds cryptographic instructions that could significantly improve
performance on tasks such as AES encryption and SHA1 and SHA256 hashing.
3. device tree related options(dt.conf)
The "Open Firmware Device Tree", or simply Device Tree (DT), is a data
structure and language for describing hardware, which is commonly
used in arm architecture.
4. ARM errata workarounds options(errata.conf)
There are many Kconfig entires under "Kernel Features" ->
"ARM errata workarounds via the alternatives framework", which provides
software workarounds to mitigate systems affected by those erratum.
Vendor-specific option will be left to users to decide.
5. pci related options(pci.conf)
a simplified pci host controller for mach-virt.
6. serial devices options(serial.conf)
CONFIG_SERIAL_OF_PLATFORM is used for all 8250 compatible serial ports
that are probed through device tree.
7. rtc related options(rtc.conf)
we don't have KVM’s paravirtualized clock and ptp implementation is
still under experimental mode, so we need rtc on aarch64.
QEMU provides an emulated ARM AMBA PrimeCell PL031 RTC.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Compaction is the only memory management component to form high order
(larger physically contiguous) memory blocks reliably.
The page allocator relies on compaction heavily and the lack of the feature
can lead to unexpected OOM killer invocations for high order memory requests.
We shouldn't disable this option unless there really is a strong reason.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
mmio devices are required in firecracker, and for now, x86_64 and
aarch64 are all supporting kata containers with firecracker.
So, we need to move mmio-related configs to common dir.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There exists a few security-related configs, which are x86-64 specific.
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_RETPOLINE=y
CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE are kinds of tangled on
aarch64, if CONFIG_RANDOMIZE_BASE=y, then CONFIG_RELOCATABLE will be
selected automatically.
CONFIG_RANDOMIZE_BASE will randomize the virtual address at which the
kernel image is loaded, which as a security feature could deter exploit
attempts relying on knowledge of the location of kernel internals.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There exists a few configs about linux guest support or optimization
that are not supported on aarch64.
CONFIG_HYPERVISOR_GUEST is only defined under arch/x86/Kconfig and
unfortunately, CONFIG_KVM_GUEST is not supported on aarch64 for now.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
For now, a few configs as follows in common acpi dir are truly x86-spcecific
or disable by default on arm64.
CONFIG_ACPI_CPU_FREQ_PSS=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP
CONFIG_ACPI_LPIT=y
CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
CONFIG_HAVE_ACPI_APEI_NMI=y
And I also add a few configs which are aarch64-specific.
Like CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y, since ARM64 can run properly
in ACPI hardware reduced mode.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
- release: Tag and fork documentation repo as part of release
- obs: let patch set in order before apply them
- scripts: Disable pie for qemu when static building
- kernel: Enable CONFIG_VIRTIO_PMEM for booting from pmem
- kernel: Fix patch ordering
- tests: Remove performing updates in Fedora dockerfile
- kata-deploy: fix k3s containerd check
- scripts: update configuration script to support QEMU 5.0
- obs: Update SLES version for packaging
- config: enable printk-time for kernel-5.4 for arm64
- actions: change trigger phrase for kata-deploy action
- kernel: enable virtio-fs for arm64.
- add kernel config for gpu
- Optimize the kata qemu binary size
- obs: Remove OpenSUSE Leap 15.0 from obs generation
- pod : optimization Some debian package manager tweaks
d271ee7 obs: let patch set in order before apply them
fbad186 kernel: Enable CONFIG_VIRTIO_PMEM for booting from pmem
652d1fd release: Tag and fork documentation repo as part of release
7e22144 scripts: Disable pie for qemu when static building
93da145 kernel: Fix patch ordering
59f7678 tests: Remove performing updates in Fedora dockerfiles
96f3b99 kata-deploy: fix k3s containerd check
fb42e38 scripts: update configuration script to support QEMU 5.0
9bdc51c obs: Update SLES version for packaging
32986db config: enable printk-time for kernel-5.4 for arm64
9b8f20c kernel: enable virtio-fs for arm64.
12d351d kernel: add usage in readme
1389500 kernel: support force setup
7a17b50 kernel: support bash debug
d248e41 kernel: support build guest kernel for gpu
cbfc7a1 obs: Remove OpenSUSE Leap 15.0 from obs generation
9a6bd12 debian: Install missing ca-certificates package
d527c4f debian: Don't install recommended software
3670074 scripts: Disable a few options to reduce qemu binary size on generic architectures
711eae6 scripts: Set --enable-pie on aarch64 arch
7cdf113 scripts: Relax the version limitation for qemu
0871391 scripts: Remove obsoleted --disable-uuid
878a223 scripts: Disable xen when builing qemu on generic architectures
e92f3db actions: change trigger phrase for kata-deploy action
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The enablement of ptp_kvm for arm is under review, see [1].
So we have to apply private patch to enable it in 5.4 kernel.
ptp_kvm can offer the capability of time sync in kata even there
is no network available and higher precision than time sync
service depend on network.
note:
If you want to use this feature on your arm machine, the host kernel
also need apply this patch. we recommend that your host kernel version
is the 5.4, then you can apply this patch smoothly.
[1] https://patchwork.kernel.org/cover/11372743/Fixes: #997
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
obs ci for linuxcontainer will fail when apply patch set which have
dependency within. so patch set should be made in order before feed
to apply.
Fixes: #1015
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
To support booting from pmem with cloud-hypervisor, we need to enable
the virtio-pmem in our kernel.
Fixes: #1013
Signed-off-by: Bo Chen <chen.bo@intel.com>
Since we want to start tagging and branching this repo,
create a VERSION file starting with the last version released.
Fixes#246
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
We should start maintaining stable branches for the documentation
repo similar to other repos.
Fixes#1007
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
--enable-pie is not compatible with --static option for qemu building.
Without this patch, it will report a configure error during static building:
ERROR: static and pie are mutually incompatible
Fixes: #982
Signed-off-by: Jia He <justin.he@arm.com>
Add containerd and crio versions that support
`privileged_without_host_devices` behaviour.
Fixes#638
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Fix the `build-kernel.sh` script to sort patches correctly. Previously,
it relied on `find(1)` for the ordering. However, `find(1)` does not
guarantee any ordering of files within a directory. Since the ordering
could therefore be "random", it was quite possible for patches to be
applied in the wrong order, resulting in conflicts.
Fixes: #1003.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The default k3s containerRuntimeVersion takes the form of:
containerd://1.3.3-k3s2
The awk was stripping away the k3s portion before checking if it was a
k3s containerd.
fixes#996
Signed-off-by: Brandon Wilson <brandon@coil.com>
By default, SPDK's setup.sh will bind PCI devices to
userspace from kernel. This may confuse beginners.
So add PCI_WHITELIST="none" to blacklist all PCI devices.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Configure parameter "enable_vhost_user_store" is
added as an indicator to enable vhost-user storage
device assignment.
Also notice user hugepage should be enabled for
SPDK vhost target currently.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Sentences for how to do host setup for vhost-user devices
were not clear, so re-edit them.
Fixes: #626
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Currently for our CI, we have SLES 15 SP1, this PR updates the current obs
version to match with our current testing.
Fixes#983
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
We need to update the SLES installation guide, as we have obs packages
for SLES 12 SP4 and not for SLES 12 SP3.
Fixes#620
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
CRI-O config option manage_network_ns_lifecycle is replaced with
manage_ns_lifecycle in 1.17, which determines whether we pin and remove
namespaces and manage their lifecycle. Update docs to reflect both.
Fixes#617
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
This patch add patch file for virtio-fs-v0.3 kernel to enable memory hot
remove to let virtio-fs available on arm64. Also, kernel config file for
virtio-fs-v0.3x for arm64 is offered.
Fixes: #973
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Add option '-f' in build-kernel.sh to force the generation of .config
Signed-off-by: Jimmy Xu <junming.xjm@antfin.com>
n 请为您的变更输入提交说明。以 '#' 开始的行将被忽略,而一个空的提交
- Index the use-case of Intel and Nvidia GPUs
- Fix link to vfio-mediated-device in Intel GPU use-cases
Fixes#616
Signed-off-by: Jimmy Xu <junming.xjm@antfin.com>
This document decsribes how an Nvidia GPU can be used with Kata Containers in Nvidia GPU pass-through mode.
Fixes#616
Signed-off-by: Jimmy Xu <junming.xjm@antfin.com>
Because CI build is
1. Slow and in log it is showing because "apt-utils" not installed
2. to avoid CI build to exits with error without having certificate
Fixes: #970
Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
By default, Ubuntu or Debian based "apt" or "apt-get" system installs recommended but not suggested packages .
By passing "--no-install-recommends" option, the user lets apt-get know not to consider recommended packages as a dependency to install.
This results in smaller downloads and installation of packages .
Refer to blog at [Ubuntu Blog](https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends) .
Fixes: #970
Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
- ci: Provide source directory path for script execution
- kernel: Install uncompressed kernel by Image instead of vmlinux on arm64
- ACPI: Always build evged in for experimental kernel
- obs: Update obs packages for ppc64le
- scripts: enable libpmem only for x86_64
- scripts/qemu: enable libpmem
- release: Remove release docs
- test: Test for kata-containers packages on Fedora 31
- obs: Remove obs packages and testing for ubuntu 19.04 and fedora 29
- kernel: enable BPF to support libcontainer's cgroups V2 implementation
- kata-deploy: improve logic for crio.conf runtime additions
- yq: Use install_yq.sh script from tests repository
f599c8e kernel: Install uncompressed kernel by Image instead of vmlinux on arm64
c3949fd ACPI: Always build evged in for experimental kernel
83a69de scripts: enable libpmem only for x86_64
aad1e0e obs: Update obs packages for ppc64le
c0d45d8 scripts/qemu: enable libpmem
acf5b91 release: Remove release docs
3418d40 build: Enclose source dir for script execution
ac0d569 kernel: enable BPF to support libcontainer's cgroups V2 implementation
d7c2a38 obs: Remove obs packages and testing for ubuntu 19.04 and fedora 29
c8c3e46 test: Test for kata-containers packages on Fedora 31
43ab57f yq: Use install_yq.sh script from tests repository
cd6d364 kata-deploy: improve logic for crio.conf runtime additions
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
It explains the details of current supported annotations.
Fixes: #486Fixes: #294
Depends-on: github.com/kata-containers/tests#2240
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The QAT instructions was broken after moving to a newer 4.19 kernel. Now
that the new 5.4 kernel is out, these instructions fix that.
Fixes#612
Signed-off-by: eric.adams@intel.com
shimv2/containerd logs are placed and formatted differently than for
kata CRI-O. Add some details to the Fluentd parsing document to aid
in parsing those.
Fixes: #610
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
PIE (position-independent executables) does good to security.
For some historical reason(compliation failure), it was disabled. But it
can be supported now on aarch64.
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Currently arm64 kata uses 3.0 qemu version. Hence aarch64 can't use some
--disable configure options between [3.1, 4.0].
Besides, due to upstream qemu bug about --disable-replication, still
enable the replication on aarch64 for qemu 3.0. Please refer to the
commit 3ebb9c4f52 ("migration/colo.c: Fix compilation issue when disable
replication")
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Qemu commit 315d318 uses built-in UUID implementation, hence we can't
disable uuid. This option is for generic arch, not only for aarch64.
Otherwise there is a warning during configure:
configure: --disable-uuid is obsolete, UUID support is always built
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
Previously, it misses to add the --disable-xen for reducing qemu size
on aarch64. This patch add disable-xen on all arches, hence the case
switch is removed.
Fixes#926
Signed-off-by: Jia He <justin.he@arm.com>
vmlinux on arm64
arm64 does not use vmlinux to boot, Image is used instead.
Otherwise, kata can't boot from vmlinux.container
Besides, given that firecracker only supports booting from Image,
don't set vmlinux for firecracker target
Fixes#930
Signed-off-by: Jia He <justin.he@arm.com>
Let's change the kata-deploy github action trigger from:
'/test kata-deploy'
to
'/test-kata-deploy'
which will hopefully reduce the number of false triggers caused when
we issue the 'normal' CI runs that are triggered by other
'/test xxxx' phrases.
Fixes: #971
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
There are two 'debug' settings in the containerd config file that
affect the shimv2 runtime log output. Add the other method to the
existing documentation, and also note that enabling full containerd
debug also affects all of containerd.
The commit also re-generates the TOC, which seems to correct a
few anomolies there.
Fixes: #596
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Fedora versions 28 and 29 has come EOL, we should update the generation
of obs packages but now for Fedora 30.
Fixes#963
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
According to QEMU's nvdimm documentation: When 'pmem' is 'on' and QEMU is
built with libpmem support, QEMU will take necessary operations to guarantee
the persistence of its own writes to the vNVDIMM backend.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Enable libpmem to support PMEM when running under Kubernetes.
see https://github.com/kata-containers/runtime/issues/2262
According to QEMU's nvdimm documentation: When 'pmem' is 'on' and QEMU is
built with libpmem support, QEMU will take necessary operations to guarantee
the persistence of its own writes to the vNVDIMM backend.
fixes#958
Signed-off-by: Julio Montes <julio.montes@intel.com>
Much of the information is from the release docs from packaging repo.
Plan is to maintain all the release information in this repo.
Fixes#600
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Some of the information in this doc has gone stale.
Move the relevant information over to Stable-Branch-Strategy.md.
It is a good idea to not have information dispersed accross
too many docs.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
1. For the git clone operation, 'sh' step in a single line would suffice.
2. Provide directory context using 'dir', this avoids having to provide the
path to the scripts twice, while executing each and every script in that folder.
Signed-off-by: Ramanathan Muthaiah <rus.cahimb@gmail.com>
Document examples of how to import Kata logs with `fluentd`.
Show examples both from the systemd/logfmt method and the
file/JSON method.
Fixes: #601
Depends-on:github.com/kata-containers/tests/pull/2334
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
libcontainer's cgroups V2 implementation requires BPF to run a BPF
program in the container
fixes#955
Signed-off-by: Julio Montes <julio.montes@intel.com>
Now that ubuntu 19.04 and fedora 29 has come EOL, we should remove the generation of
the obs generation and testing for ubuntu 19.04.
Fixes#953
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This will test the kata-containers packages that are available on
Fedora 31 to see that they are working properly.
Fixes#951
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
document what cgroups are supported and what changes are needed in the
configuration file to support them.
fixes#603
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add a section detailing the minimum debug you need to configure in
order to capture the kernel boot messages in the system journal.
Fixes: #593
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
This repo triggers the github action to create release tarballs.
It looks for release tags in other repos. So tag this repo
last to make sure tags have been created on other repos.
Fixes#947
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Removes two (similar) functions that install `yq`. Instead of
having different functions, use the one that we have in the
tests repository.
In addition, removes the `.ci/lib.sh` which only had an additional
`clone_tests_repo` function which was not being used.
Fixes: #939.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
We now make alpha releases before making a release candidate release.
Mention this in the docs.
Fixes#598
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Update release doc to mention that patch releases are not made
every 3 weeks, while minor releases are made every 12 weeks now.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The containerd's debug option will determine whether
the kata's log forared to containerd's log pipe or
not.
Fixes:#596
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Do not check for 'not in final' in spec creation, the logic
to fully validate is longer that just one grep.
Next should:
Use the same script build-kernel.sh to generate spec and validate it.
For now is still safe as CI will run all the build-kernels.sh to verify
the resulting config.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Kernel build for packages got broken after upgrade, this add needed
changes to build again.
Fixes#924
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- Config changes for 5.4 kernel
- kernel: Enable new LTS 5.4.x on ppc64le arch
- lib: yq: explode anchors to get real value of image values
- kernel: use the maximum number of CPUs supported by KVM
- release: use absolute path for kubeconfig
- network: Enable ipv6 config CONFIG_IPV6_MULTIPLE_TABLES
- actions: check for packaging before clone
- release: bump kata-containers repository
- kernel/configs: enable CONFIG_X86_MPPARSE
- obs: Add ubuntu 19.04 testing
- release: tag and branch kata-containers repository
- add workflow for testing kata-deploy
- fixes for qemu 4.2.0
- config: enable printk_time for arm64.
- kernel: Enable new LTS 5.4.3 on AArch64
- FC: ELF format kernel image unsupported with firecracker on AArch64
- kata-static: Add sudo while building cloud hypervisor docker image
- obs: Remove fedora 28 obs packages
- snap: fix how latest stable version is obtained
- qemu: Patch qemu to support image without write access.
- snap: fix snap in launchpad
- kata-deploy: action: take updated yaml paths into account
04386a6 kernel: Enable new LTS 5.4.x on ppc64le arch
ea8b775 lib: yq: explode anchors to get real value of image values
b66fb43 kernel: Remove CONFIG_INET6 options from fragments
17d86c3 kernel: Always apply whitelist
ba68012 kernel: use the maximum number of CPUs supported by KVM
e0a57b6 network: Enable ipv6 config CONFIG_IPV6_MULTIPLE_TABLES
0751072 release: use absolute path for kubeconfig
32f2ff1 actions: check for packaging before clone
0ff7072 release: bump kata-containers repository
a95b359 kernel/configs: enable CONFIG_X86_MPPARSE
b023d8d kata-deploy: use clh instead of cloud-hypervisor
59a34bb static-build: drop NEMU, add CLH
6c9db9b kata-deploy-action: test CLH
f184afc testing: add workflows for testing kata-deploy
c14ded3 obs: Add ubuntu 19.04 testing
3ce2d36 release: tag and branch kata-containers repository
2ef9bbc FC: ELF format kernel image unsupported with firecracker on AArch64
ca6df85 kata-static: Add sudo while building cloud hypervisor docker image
59dc61d kernel: Enable new LTS 5.4.3 on AArch64
34d2c81 obs: Remove fedora 28 obs packages
ce2accc qemu/patches: add patches for qemu 4.2.0
7c13dc3 static-build: update blacklist for qemu 4.2.0
a407c92 config: enable printk_time for arm64.
5877ab7 snap: fix how latest stable version is obtained
43a6e67 snap: overwrite Makefile variables
bfe65e0 kernel: make get_config_version quiet
076cfa9 qemu: Patch qemu to support image without write access.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
There was a race condition between bind() and listen() that was hit very
rarely when using Kata Containers and Cloud-Hypervisor. It's been
identified the problem is really coming from the virtio-vsock driver,
which is fixed by those new kernel patches uploaded for each version of
the kernels used by Kata Containers.
Fixes#932
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Linux has embraced another LTS kernel version v5.4.x.
Update the kernel config for Power as well.
Fixes: #936
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
yq is not exploding anchors anymore and requiere an extra flag.
Add flag to fix CI.
Fixes: #934
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Now crio.conf has some kata entries in by default, but commented
out and without the runtime_path elements to them, our deploy
script gets a little confused and fails to add the kata-qemu
elements to the config.
This is because the grep spots the commented out lines, and tries
to, unsuccessfully, update the matching runtime_path elements, that
don't actually exist.
Improve this by matching only uncommented config lines, so now the
script sees that the runtime is not really configured already, and
instead of trying to edit/update it, will place a entry at the
end of the file.
Fixes: #928
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Dont think these are options are required at all.
Remove them from fragments and whitelist.
Fixes#924
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The whitelist contains options that we dont really care.
Always apply it, irrespective of if we are using an
experimental kernel.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Currently, virtio transports for each device are determined with
architecture dependent build time conditionals. This isn't the ideal
solution, as virtio transports aren't exactly tied to the host's
architecture.
For example, aarch64 VMs do support both PCI and MMIO devices, and
after the recent introduction of the microvm machine type, that's also
the case for x86_64.
This patch extends each device that supports multiple transports with
a VirtioTransport field, so users of the library can manually specify
a transport for each device. To avoid breaking the compatibility, if
VirtioTransport is empty a behavior equivalent to the legacy one is
achieved by checking runtime.GOARCH and Config.Machine.Type.
Keeping support for isVirtioPCI/isVirtioCCW in qmp.go is a bit
tricky. Eventually, the hot-plug API should be extended so callers
must manually specify the transport for the device.
Signed-off-by: Sergio Lopez <slp@redhat.com>
As there's no guarantee that ".cache-size" is a supported QEMU property,
let's not add it to the QEMU command line when the user explicitly set
virtio_fs_cache_size to zero.
By not always setting ".cache-size" property we avoid errors like:
```
$ sudo podman --runtime=/usr/bin/kata-runtime run --security-opt label=disable -it fedora:31 /bin/bash
Error: failed to launch qemu: exit status 1, error messages from qemu log: qemu-kvm: -device vhost-user-fs-pci,chardev=char-88c350403e95d3db,tag=kataShared,cache-size=0M: Property '.cache-size' not found: OCI runtime error
```
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since we don't know how many CPUs can have the host, we should
use the maximum number of CPUs supported by KVM (240).
255 is the maximum number of CPUs supported in the kernel, but the
maximmum number of CPUs recommended by KVM is 240, if more than 240
CPUs are used, next error will be returned by QEMU
```
Number of hotpluggable cpus requested (255) exceeds the
recommended cpus supported by KVM (240)
```
fixes#922fixeskata-containers/runtime#2413
Signed-off-by: Julio Montes <julio.montes@intel.com>
Although CONFIG_IPV6 is enabled, this additional config is
needed so that multiple route tables are used for ipv6.
Without this, the kernel adds routes for "fe80::/64"
with proto kernel in the main table instead of the
local routing table.
This makes the behaviour similar to regular containers.
Fixes#920
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
These instructions cover how to install and setup SPDK
vhost-user target, construct a vhost-user-blk device based
memory, configure the vhost-user-blk device to be available
for kata container, and run kata container with SPDK
vhost-user-blk device via docker.
Fixes: #586
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
If already exit do not clone it, but fetch.
Fetch will keep repository is up-to-date before checkout.
Fixes: #911
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
kata-containers is now part of the release processs.
Lets update the version for that repository.
Fixes: #905
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Firecracker needs CONFIG_X86_MPPARSE to support `vcpu_count`, otherwise the
amount of cpus wil always be 1.
fixes#901
Signed-off-by: Julio Montes <julio.montes@intel.com>
Caller can hotplug vhost-user device via qmp.
The Qemu vhost-user device, like vhost-user-blk-pci and
vhost-user-scsi-pci can be hotplugged by qmp API:
ExecuteCharDevUnixSocketAdd() together with
ExecutePCIVhostUserDevAdd()
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Update start-up guide on setting up kata containers with ACRN hypervisor.
The udpated guide is tested using KBL-NUC and addresses 2 parts,
1. Fixes broken links.
2. Adds a pre-requisite to enable MACVTAP for networking
in the Service OS.
Fixes: #580
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
We still were adding NEMU binaries - remove, and make sure we create a
kata-clh file for kata-deploy binaries.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
1. AKS based action updated to be run from either packaging or remote
repository. We will only clone kata-deploy for yaml/scripts/tests if we
are running the action outside of the packaging repo. If in packaging,
the bits are already included. Misc. cleanup as well.
2. Workflow introduced which leverages the updated AKS action. This will
allow testing of packaging changes to kata-deploy.
The workflow itself uses the following github action: xt0rted/slash-command-action
The workflow will create a kata-deploy container image based off of the latest
release, utilizing the latest released Kata artifacts off of master. It
will then use the AKS kata-deploy GitHub action.
Users with admin access on the repo can trigger this test by:
/test kata-deploy
Fixes: #845
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Now that we have obs packages for ubuntu 19.04, we should add it in the
testing script.
Fixes#884
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Now CI depends on this repository, needed to make work stable
branches starting stable-1.10
Fixes: #894
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The bootloader in firecracker on ARM platform only supports kernel
in Portable Executable(PE) format.
So we need `build-kernel.sh` to provide correct kernel image format
when parameter `hypervisor_target`, `-t`, defined with firecracker.
Fixes: #886
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
If we want to run the build.sh by using a user this is failing by saying
that `failed to dial gRPC: cannot connect to the Docker daemon...
/var/run/docker.sock: connect: permission denied`. This PR fixes that issue.
Fixes#889
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Linux has embraced another LTS kernel version v5.4.x.
If we, AArch64, update stable guest kernel version
to v5.4.x, we could get rid of huge chunkes of backport
patches under patches/4.19.x/.
Except following configs are penny-defined turned on/off,
all the other are sort of `built-in` defined or inherited
from v4.19.x.
1. CONFIG_IO_URING = y
This option enables support for the io_uring interface.
2. CONFIG_RODATA_FULL_DEFAULT_ENABLED = n
Apply read-only attributes of VM areas to the linear
alias of the backing pages as well.
3. CONFIG_ARM64_TAGGED_ADDR_ABI = n
When this option is enabled, user applications can opt in to
a relaxed ABI allow virtual tagged addresses to be passed to
system calls as pointer arguments.
4. CONFIG_ARM64_PTR_AUTH = n
Pointer authentication provides instructions for signing and
authenticating pointers against secret keys, which can be used to
mitigate Return Oriented Programming (ROP) and other attacks.
Fixes: #882
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Fedora 28 has come to end of life status which makes not possible to
retrieve the repositories while performing an update. This PR removes
this distro with this version so we not longer create and test obs packages
for fedora 28.
Fixes#879
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
cri-o now supports running privilged containers without passing devices
from the host to the container.
Fixes#529
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
As no printk time enabled for arm64, printk and dmesg will show
without timestamp.
This patch enables printk_time in kernel for arm64.
Fixes: #875
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Use `sort -V -r` to sort versions and use a regexp to
make sure the tag has the right format, since not all
tags follow Semantic Versioning 2.0.0.
fixes#872
Signed-off-by: Julio Montes <julio.montes@intel.com>
Overwrite Makefile variable `DISTRO` in order to
build rootfs and initrd images with the right distro.
fixes#868
Signed-off-by: Julio Montes <julio.montes@intel.com>
`get_config_version` should not log anything because it's used
by functions that print a string as return value, hence its return value
can be tainted, i.e `get_config_version`.
fixes#867
Signed-off-by: Julio Montes <julio.montes@intel.com>
Modify existing patch to include EACCES condition to account for files
that do not have write access to be used as a memory backend.
With this not-only files on a read-only filesystem, but files without
write access on a read-write filesystem can be used as a memory
backend in qemu.
This will alow the image to be used read-only by a rootless user as
well.
Fixes#870
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Since kustomize was introduced, we need to take into account the new
paths for our kata-deploy yamls.
Fixes: #865
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
This test is not executed at all and it is problematic when
tags are not updated.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
NEW_VERSION may be unbound whereas kata_version should be defined
following manual release process docs and while using github actions.
Use kata_version instead to checkout correct version of patches.
Check if kata_version is not empty before doing so,
as the release may be triggered for master as well.
Fixes#857
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
- release: Fix bug in how version is determined for actions
- kata-deploy: improve debug message, longer cleanup timeout
- v4.19.86: patch update for v4.19.86 on AArch64
- kata-deploy: add k3s support
- ci: Add obs testing for packaging
- kernel: Fix that the help is not printed twice
- obs: Check for broken packages
- kata-deploy: Increase the wait timeout for control plane to come up
- obs: Failed when we have unresolvable packages
- obs: Add fakeroot dependency for ubuntu 19.04
ff20f20 release: Checkout right version of kernel patches
9377c5d release: Fix bug in how version is determined for actions
168709c v4.19.86: patch update for v4.19.86 on AArch64
bbcffc3 kata-deploy: improve debug message, longer cleanup timeout
34ce361 ci: Add obs testing for packaging
0d84085 kernel: Fix that the help is not printed twice
e9bb8e5 kata-deploy: Increase the wait timeout for control plane to come up
37bce87 obs: Check for broken packages
9e716ae kata-deploy: add k3s support
380bd92 kata-deploy: reorganize files to support kustomize
0b9b722 obs: Add fakeroot dependency for ubuntu 19.04
5956065 obs: Failed when we have unresolvable packages
Signed-off-by: katacontainersbot <katacontainersbot@gmail.com>
Improve our virtualization documentation, as well as introduce
the Cloud Hypervisor VMM. This creates a virtualization specific
document, and references this from the primary architecture document.
We are still limited on ACRN documentation: this should be augmented
in a follow on PR.
The PNGs included were grabbed from https://docs.google.com/presentation/d/1ZJg3w3O6F_j3ucQhdbBdj2hZUwg7L7qF347xC07L2_wFixes: #567
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Checkout tag for packaging repo based on env variable NEW_VERSION
or kata_version with kata_version taking precedence.
With this, we checkout to the right version of packaging repo before
applying kernel patches.
Fixes#849
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Althought, we changed the script "gen_versions_txt.sh" to accept a tag
rather than a branch, this change is not sufficient.
This script generates the right version file based on a tag, but
function `get_from_kata_deps` does not use this, and ends up using the
master branch instead. This is because this function looks at an env
variable called $BRANCH and ends up using master branch if the variable
is not defined.
Pass the tag/new version to the build scripts, so that this tag is
passed along to `get_from_kata_dep`.
With this change, the correct version information is consumed by the
build scripts for the various hypervisors and kernel.
Fixes#831
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
we need to do patch update for kernel bump to v4.19.86.
Fixes: #806
Depends-on: github.com/kata-containers/runtime#2185
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
I am seeing tests fail at times waiting for label cleanup. Let's improve
the error message when this fails, and give the control plane a bit more
time, to improve stability of this test.
Fixes: #846
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
This will test that is possible to install the obs packages in different
distributions.
Fixes#621
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
While running the build-kernel.sh script with no arguments, the help is
printed twice. This PR will fix that.
Fixes#433
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Recent runs of setting up aks with github workflows shows that a timeout
of 5m is not always sufficent fot aks control plane to come up.
Increase this from 5m to 10m.
Fixes#839
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
By default, k3s uses an embedded containerd. Reconfiguring this
containerd requires modifying a template config file and restarting the
k3s (master node) or k3s-agent (worker node) systemd service.
Signed-off-by: Brandon Wilson <brandon@coil.com>
It seems that to build ksm-throttler, proxy, runtime and shim OBS packages
for ubuntu 19.04, we need fakeroot in order to have unresolvable OBS packages. This adds that dependency so we can build the packages.
Fixes#776
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
We need to fail when we have unresolvable packages as they are not build
correctly.
Fixes#820
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- kata-static: Add cloud-hypervisor to tarball
- obs: Do not wait on excluded packages
- kata-deploy: add or overwrite runtimes in containerd config
- kata-deploy: add support for Cloud Hypervisor and remove nemu
- qemu-virtiofs: Add one patch to fix libvhost-user
- release: Rename generated artifacts to a particular format
- scripts: Fix static build docker config script
- obs: Disable repo-publishing for CI builds
- release: Fix bug in evaluation kata_version.
- obs: Add ubuntu 19.04
- CI: Fix bump test
- kata-deploy: don't remove pre-existing containerd
- kernel: Enable configuration for fips mode.
- kata-deploy: action: reference kata-containers instead of fork
- snap: make launchpad happy again
dabef60 kata-static: Add cloud-hypervisor to tarball
233dfb6 static: fix qemu-virtiofs build
e4a8c6b obs: Do not wait on excluded packages
c745308 kata-deploy: add or overwrite runtimes in containerd config
c78f10f kata-deploy: remove nemu
5431096 kata-deploy: add support for Cloud Hypervisor
5d8f405 qemu-virtiofs: Add one patch to fix libvhost-user
c6f4313 release: Remove all traces of qemu-lite from packaging
e6c2a53 release: Pass the qemu tarball name as a docker build arg
7895958 release: Rename generated artifacts to a particular format
14558de scripts: Fix static build docker config script
627445e obs: Add ubuntu 19.04
4abfa70 obs: Disable repo-publishing for CI builds
c12c533 kata-deploy: don't remove pre-existing containerd
05a8d4b CI: Fix bump test
853a99c release: Fix bug in evaluation kata_version.
4d129fd kata-deploy: action: reference kata-containers instead of fork
ec95961 kernel: Enable configuration for fips mode.
27c7773 snap: reimplement image part
43a5d14 snap: use adopt-info to set grade and version
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
In case a package in obs is excluded ie no longer being built,
do not wait for it to be built. Wait as long as there are packages
being built or blocked on others to be built.
Fixes#815
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
In order to get both QEMU and Cloud-Hypervisor working with virtio-fs, a
patch needs to be applied in order to fix a libvhost-user bug.
Fixes#810
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Rather than hardcoding the tarball name to be generated in the
Dockerfile, pass this as an argument.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Rename artifacts to format kata-static-{artifact-name}.tar.gz.
These predictable names are intended to be consumed by github
actions in our release process.
Fixes#803
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The existing document hasn't been updated since ~1.4. Updated to remove
references to qemu-lite, added details on Firecracker.
We still need details on ACRN added here as well.
Fixes: #570
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Fix bug in the `kata-configure-docker.sh` script which assumed
`/etc/docker/` existed by default.
Fixes: #800
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The repos of the CI builds are not used anywhere so let's be friendly to
the OBS infrastructure and do not publish them.
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
Bump test fails because Kata version at this moment is alfa and
only bumps from alpha to rc0 are allowed. Just use rc0 as use-case
for all, there is not any other constrain at the moment.
Fixes: #795
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This will allow us to run a VM in fips mode.
The intention is to check if the host is running in fips mode
and then start a container in fips mode as well.
Fixes#787
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
in order to make launchpad happy again, next changes are required:
* Install podman and cni plugings
* Use podman to build the rootfs or initrd image
* Depending on the architecture, build rootfs or initrd image
fixes#678
Signed-off-by: Julio Montes <julio.montes@intel.com>
- release: Fix typos and organization issues
- kata-deploy: fix qemu-virtiofs entry on crio configuration
- Add actions release automation
- tags: Tag all repos with the same kata VERSION
- kata-deploy: Add qemu-virtiofs to containerd configuration
- release: Fixing message information
- kata-deploy: Add qemu-virtiofs wrapper
- doc: Fixes for release.md
- deploy: Skip installing nemu
84e004e kata-deploy: fix qemu-virtiofs entry on crio configuration
d56dec0 release: Fix typos and organization issues
9a7d692 kata-deploy: Add a simple GitHub Action
4eb376b artifact-list: provide script to get items to build
4f89e97 kata-deploy: look for kata artifacts locally
dc8fe05 release: Allow functions to take release versions
6c8df7f release: Call kata-deploy-binaries.sh main only if it not sourced
5307b03 release: Define a default value for destdir
7a932cf release: Create tarballs after every stage
420eb6e qemu-virtiofs: Fix tar naming for qemu with virtiofs support
f2ef841 release: don't checkout packaging from packaging
643ddf9 release: Add option to generate versions based on tag
b8dcb1c tags: Tag all repos with the same kata VERSION
eea8cea kata-deploy: Fix indentation issues.
8234f9a kata-deploy: Add qemu-virtiofs to containerd configuration
aafd329 release: Fixing message information
dab8087 kata-deploy: Add qemu-virtiofs wrapper
7c26509 doc: Fixes for release.md
8eb5cf3 deploy: Skip installing nemu
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
adopt-info is a snapcraft feature that allows us to specify the snap grade and
version at runtime. Depending on the environment the master or the latest
stable branch can be used to build the Kata Containers snap, for the kata
CI and launchpad snap-master branch, the master branch are used, otherwise
the latest stable branch.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use correct key for the kata-qemu-virtiofs runtime class definition
in the crio configuration file.
Fixes: #771.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
For better reading, re-orginize the `release/README.md`
and fix a typo in `runtime-release-notes.sh`.
Fixes: #769.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Create a container based action which will test a Kata artifact tarball
in the kata-deploy daemonset on AKS. This AZ credentials are available
from the callers environment.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
artifact-list.sh is created so a builder can quickly determine which
artifacts may be built within this repository.
I user may get this list, which indicates exactly which functions are
available within ./release/kata-deploy-binaries.sh for building.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
When building the kata-deploy images before, we would look to pull the
latest artifacts from the release URL.
It would be better to allow the user to pull from this URL, or to create
the artifacts locally, and pass the location of this tar.xz to the build
process.
Instead of providing KATA_VER, builders should provide KATA_ARTIFACTS,
which is the filename that is assumed to be located within the docker
build path.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
We want to isupport calling individual functions from the script,
independendent of the actual script being called.
Define a default value for $destdir.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
We ran into issues in the past since we didn't create stable branches
for the packaging repository. We will maintain this appropriately going
forward, so let's go ahead and remove the notion of local versus remote.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Now that all files have a VERSION we
can check if there is a bump for the file.
We can now tag all repos with the same kata version.
As all of them are branched and have a VERSION file.
Fixes: #748
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We need an entry of `kata-qemu-virtiofs` on the
containerd configuration file.
In addition we need to add `kata-qemu-virtiofs` to the
shim list, so that the wrapper is created for shimv2.
Fixes: #760.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add requirement for the user to be added to the docker group.
Observed firecracker failing due to this.
Add fixes for typos and missing spaces.
Fixes#754
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Instead of have special cases, just
bump all, bumps are check and more if are automated.
CI probbly not, but we can skip if necesary.
Fixes: #744
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This is a experimental feature for arm64 as linux kernel has
not enable kvm ptp for arm64.
ptp_kvm need co-work from host and guest, so you need add this
patch both to your guest and host. Host kernel version is better
lower than 5.0 and higher than 4.19.
another version of this patch base on kernel v5.3 is under review in kernel upstream, refer to [1]
to see the full info.
[1] https://lkml.org/lkml/2019/8/29/80Fixes: #692
Signed-off-by: Jianyong Wu jianyong.wu@arm.com
Apply qemu/patches/virtiofsd/0001-add-time-to-seccomp.patch
to be able to build virtiofsd statically.
Fixes: #742.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
time syscall on seccomp is needed to be able to build
virtiofsd successfully.
This patch is currently not availabe upstream, so lets
add it until it becomes available.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Removes `--vsock` flag when building Firecracker since
the flag was removed as vsock is enabled by default.
Also update the path where the binaries are placed.
Fixes: #739.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Since kernel version updated to v4.19.73, kernel config file should
also been updated accorindly.
Fixes: #736
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Running for the first time the kata-deploy script can fail if hub
is not installed it, this will avoid this issue.
Fixes#728
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This will allow to test local changes to the kernel as well it will allow
us to have vmlinuz or vmlinux with virtiofs.
Depends-on: github.com/kata-containers/runtime#2078
Fixes#717
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
x86 has "releases" as the release branch. For
ppc64le, we have "alpha" branch. Update the scripts
for the same.
Fixes: #704
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
Overlay and veth support wasn't included when migrating to fragment
based configs. Re-add to fix DinD use case.
Fixes: #715
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
As per the comments in security.conf, the intention was to
enable STACKPROTECTOR and STACKPROTECTOR_STRONG.
The current config leaves them unset in the final .config
and also prevents other fragments from overriding the setting.
Set both to =y as indicated in the comments.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
This adds the kata deploy for QEMU and kernel with virtio-fs 3.0
Depends-on: github.com/kata-containers/runtime#2052
Fixes#709
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
When we try to run the kata-deploy-binaries.sh script, we have a failure on
the pkglib.sh script that we can not source the versions.txt. In order to
avoid these kind of failures, we introduce to detect if this file exists and
in case that it does not, we fail the script.
Fixes#712
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
kata deploy script setup a new GOPATH to pull
a fresh environment to install kata. This script
was using the local kernel install script and not the
one in the new environment
Fixes: #706
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Document how cgroups are done today and what is expected
for the upcoming SandboxCgroupOnly option.
Prior cgroup documentation are no longer accurate. Removing the cgroup
discussion from the cpu sizing discussion. Updating the
cpu-constraints.md file name to reflect this.
Fixes: #542
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
common/DAX:
- ARCH_ENABLE_MEMORY_HOTPLUG: not needed (auto-selected)
- ARCH_HAS_ZONE_DEVICE: already automatically selected. This is
also removed in future kernels, so let's go ahead and drop.
- RADIX_TREE_MULTIORDER: already autoselected, and dropped in future
kernels
common/net:
- NF_NAT_NEEDED, NF_NAT_PROTO_*: these don't exist in newer kernels, as
they are refactored and unecessary in the upstream kernel. Keep them for
now, but consider dropping if we move to newer LTS. These are part of
whitelist of options we expect to be dropped with newer kernels in our
fragment building.
- NF_NAT_MASQUERADE_IPV4: this is a select, not a tristate. Also, in
the future much of the ipv4/ipv6 nat code is combined, so this config
will not exist in newer kernels. Dropped.
- INET6_XFRM_MODE_* are not needed on newer kernels. While I'm not
confident they are needed today for Kata, we will just note them and add
to whitelist for options we expect to be dropped with newer kernels in
our fragment building.
- MAY_USE_DEVLINK: removed in future kernels, and should not be needed
anyway. Dropped.
x86_64/DAX:
- ARCH_HAS_HMM: should not be needed, and is dropped in future kernels.
Dropped
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
These will be handled directly from virtio-fs gitlab, which is utilized
when experimental support is requested in kernel build.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Experimental kernel is much newer, and many configuration options have
dropped since 4.19. Let's use a whitelist to itemize what we expect to
be dropped in the final config if experimental kernel us utilized.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
This isn't available in the baseline kernel, necessarily. Only
add these config options if an experimental kernel is being used.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Adding option `-e` to support experimental flag. When selected, the
kernel for virtio-fs is utilized instead of standard kernel.org.
This is a bit more hack-ish than I'd prefer, sorry.
Fixes: #700
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Improved the Docker installation instructions by making it clear *which*
of the multiple ways of configuration Docker for Kata is the default,
and that it is not necessary to do anything further if users select the
automatic installation method.
Fixes: #551.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The documentation says hugepages are required for virtio-fs. This
limitation was removed in Kata 1.8 in kata-runtime commit
a41894da18 ("runtime: Enable file based
backend").
Fixes: #544
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
Create a dedicate how-to guide for running Kata with k8s, and link to it
from the original guide location inside the Developer Guide.
Fixes: #333
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This commit adds documentation for privileged containers and the mounting of host devices
when privileged is used. It has instructions for disabling this functionality when using
Containerd and CRI.
Fixes#529
Signed-off-by: Alex Price <aprice@atlassian.com>
Create symlink to patches directory, the list of patches will be
included in the spec and rules files.
Signed-off-by: Julio Montes <julio.montes@intel.com>
- Run depends-on for packaging CI.
- Change were yq is installed
Depends-on: github.com/kata-containers/runtime#1996
Fixes: #683
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
In order to trim the list of devices, default-configs/i386-softmmu.mak must
be copied after having configured QEMU. This change helps to reduce the
attack surface and the QEMU binary size.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Running the container with `ctr` when the image is not present
on the system gives an error.
Fixes#536
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Refresh installation guide README with a clearer structure, and provide
a list of distribution with official Kata packages. This also updates
the openSUSE Leap versions supported to 15 and 15.1.
Fixes: #533
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Upgrade the container before building qemu and nemu in order to install
the latest fixes for the CVEs.
fixes#676
Signed-off-by: Julio Montes <julio.montes@intel.com>
Do not use cache to build the docker images that build static qemu and nemu.
The latest version of the packages must be installed, since they may include
the fixes for theirs CVEs.
Signed-off-by: Julio Montes <julio.montes@intel.com>
In theory the latest ubuntu long term may have less CVE than previous versions,
so let's use it to build the static QEMU.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use the rootfs image by defult since performance is better,
smaller memory footprint and boot time.
fixes#667
Signed-off-by: Julio Montes <julio.montes@intel.com>
Upgrade openSUSE Leap version from 42.3 to the latest 15.1, since 42.3
version is now discontinued.
Fixes: #637
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Memory preallocation is just a property of different memory backends.
We should treat it similar to memory sharing property. Also rename
FileBackedMemShared to MemShared as it is just another memory backend
property that works with different memory backends not just file backed
memory.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Fix `arch` assignment and define `Dockerfile` variable to avoid
usage of unbound variables.
fixes#671
Signed-off-by: Julio Montes <julio.montes@intel.com>
The job to wait for packages are built is failing randomly.
Seems that sometimes the command is not returning and expected
out out and may be mask by the
`while osc pr | grep; done`
This probably can fail at osc pr but because it failed at
osc and not grep we consider is working.
- We check for more states that we consider not ready,
like excluded or blocked.
First query the result, if fail the script will stop,
if not then try to find the string `state=building`.
Additionally, check for failed jobs in the same query to
stop the job earlier.
Fixes: #665
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
OBS fails because of a syntax error in debian.rules
```
/bin/sh: 1: Syntax error: end of file unexpected (expecting "fi")
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use master branch to test the snap in order to detect errors earlier
before releasing the next snap
fixes#663
Signed-off-by: Julio Montes <julio.montes@intel.com>
`kata-fc` does not presently function under `minikube` due to
lack of block based storage. Make that clear in the installation
documents, to help prevent users going through the whole install
process, only to be disappointed when they find ti does not work.
Fixes: #526
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
The upper hyervisor manager application maybe need to wait some
QMP event to control boot sequence, but the event we wanted maybe
not exist in some older version, so we need query all QMP ABI and
check the event is supported or not.
related: kata-containers/runtime#1918
Signed-off-by: Ning Bo <ning.bo9@zte.com.cn>
Support for function isSocketIDSupported, isThreadIDSupported and isDieIDSupported.
The functions check if the cpu driver and the qemu version support the
id parameter.
Fixes: #102
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
In order to improve the security of Kata, nothing should be able to modify
the images. It would be really bad if a malicious container or process
modified them.
fixes#631
Signed-off-by: Julio Montes <julio.montes@intel.com>
use `merge_config.sh` script to generate the final `.config` file if the
`${arch}_kata_kvm_*` file doesn't exist.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Now we are using the fragments, drop the x86_64 4.19 config file
so we default to fragment mode.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Add the framework to build kernel config files from trees
of kernel fragments.
If no fragment directory is found for the requested kernel
version and architecture then revert to looking for a whole
prebuilt kernel config file instead.
Fixes: #234
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Create a script that will be added to the
`kata-static-${version}-${arch}.tar.xz` file and which can be either run
directly by the user to configure Docker, or can be run indirectly by
the `kata-manager` script.
Fixes: #648.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The networking part of the doc talks about the
two ends of the veth pair. One end is in the container
networking namespace and the other one should
be in the host networking namespace. Fix this info.
Fixes: #518
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Add Minikube to the list of 'cloud' providers installation instructions.
Whilst there, order the list alphabetically.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
In the workaround solution of ConfigPath, there is a '$@'
missing in the script, so add it.
Fixes: #515
Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
These instructions cover how to install the out of tree
QAT drivers to the host, build a custom kata kernel and
rootfs, and build a QAT accelerated OpenSSL container
image.
Fixes: #509
Signed-off-by: <eric.adams@intel.com>
Then we can use x-ignore-shared to do migration and drop the
extra patch once we move to qemu 4.1.0 or later.
Fixes: #640
Depends-on: github.com/kata-containers/runtime#1799
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
In QEMU 4.1 the CPU topology for x86 will change to:
`socket > die > core > thread`.
Add `die-id` field to `CPUProperties` and include it in CPU hotplugging
Signed-off-by: Julio Montes <julio.montes@intel.com>
To avoid conflics between kata companents and their versions, all
components should be built using their tagged version.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Setup the kernel by hand is prone to errors.
Use `build-kernel.sh setup` to pull and setup the kata kernel.
fixes#438
Signed-off-by: Julio Montes <julio.montes@intel.com>
osbuilder shares the yq binary with the container that generates the image,
unfortunately the snap version of yq is not a static binary hence it's not
compatible with the alpine container.
Signed-off-by: Julio Montes <julio.montes@intel.com>
since some vendor id like 1ded can not be identified by virtio-pci
driver, so upper level need to pass a specified vendor id to qemu.
the upper level will change unavailable id and pass it to qemu.
Signed-off-by: Ace-Tang <aceapril@126.com>
Add missing kernel configs to avoid `make oldconfig` asks or
takes the default value for the missing configs.
fixes#623
Signed-off-by: Julio Montes <julio.montes@intel.com>
We want to use the same script for both
PRs and new package CD. Depending if CI
is set a release push will be done or
a ci.
Fixes: #617
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
qemu static is using all the patches that we have for qemu,
we only want to apply depending the version.
Fixes: #619
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The image tag opensuse:leap not longer exist
use the the new image format.
Fixes: #615
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The main purpose is that this script will be used to verify
that VERSION among the components are equal before merging the runtime.
Fixes#613
Depends-on: github.com/kata-containers/runtime#1858
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
After a rc0 is created the path to have an stable release starts, after that
any rc0 is to improve stabability and not more features are added. When it is
the projects is considered stable no more rc* are done.
Fixes: #611
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Sometimes get logs could fail, for example
when a tag does not exit, instead of fail
just log the error in the PR.
Fixes: #609
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Packeges uses fuzz 0, lets have the same behavior
in scripts and packages.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- OBS packages are build based on kata head
- The OBS kata branch is created on demand
- TODO: Delete branch when is not needed anymore
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add simple yaml definition to run job in azure pipelines.
- The pipeline should be triggerd with comments when is a PR
Fixes: #480
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We are looking to deprecate qemu-lite. As a first step,
let's go ahead and make qemu-vanilla (4.0) the default VMM.
We should probably rename qemu-vanilla to just qemu in a follow on
PR.
Fixes: #601
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Latest firecracker has moved the generated binaries to a new
location. Update the scripts to use the new location.
Fixes: #599
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
we need to do patch and config update for v4.19.52 on AArch64.
The config file adds a few configs involved with memory hot-plug
support.
Fixes: #591
Depends-on: github.com/kata-containers/runtime#1817
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Add jailer binary to kata-deploy. It allows us to enable jailer
with firecracker.
Fixes: #593
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Use the tag of qemu from `versions.yaml` instead of the
version number if the version does not exist in references
of the repository.
Fixes: #587.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add further advice to the documentation requirements document to make it
easier for the spell checker to accept a document.
Fixes: #501.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Make the CI setup script call the "master" `setup.sh` script (in the
`tests` repo) and update the Travis config accordingly to ensure that
both setup and static checks are run.
Also updated Travis to use Ubuntu 16.04 LTS (Xenial).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Instead of always having `prefix` hardcoded to `/opt/kata`,
change the script to be able to take the value from an
enviroment variable.
Fixes: #589.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Update the developer guide with instructions to
attach to the debug console of a initrd rootfs based
VM.
Fixes: #502
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Hotplugged memory could be backed by a file on the host with sharing
turned on. This change allows qmp to pass that option to a govmm.
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Add `--head` option to use the head of the branch instead of the kata
version to generated the hashes for the packages. With this new option
kata packages can be generated using the latest commit on master.
fixes#566
Signed-off-by: Julio Montes <julio.montes@intel.com>
runtime's `versions.yaml` was updated to support QEMU 4. Update
`gen_versions_txt.sh` to support the latest `versions.yaml`.
Signed-off-by: Julio Montes <julio.montes@intel.com>
The formula is not updated according on
how is done in kata-runtime.
Fixes: #489
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
For RPM packages (but not for DEBs), OBS does not use the release number
provided in the spec file, hence, when specifying a
`Requires: package = version-release` dependency, it's not possible to know
in advance the correct release number until that reuired package
is built.
Note that omitting the release number works for RPM packages but not for DEB.
This fixes/complements e6dac82Fixes: #563
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This package is not installed with systemd in Clear. Add this
as an additional package requirement for debug console to make it
possible to debug.
This package contains utilties like `cat`, `ls`, `echo` etc required
for a useful debug.
Fixes#492
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Recent change to always build tools from the local repository if the
script is run in a CI environment fails during a release build as the
variable ${CI} is not initialized. This fix addresses that issue.
Fixes: #537
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
update yaml, and update README to describe creation of the CRD in
Kubernetes versions < 1.14.
Fixes: #560
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
The runtime package is faling to build due to
compatiblity issues with gcc + golang because
the redhat version provided in OBS old.
Disable temporarily to allow release CI work.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Disable PAM authentication for QEMU 4+: it's a feature used together with VNC
access that's not used in Kata.
See QEMU commit 8953caf for more details on PAM auth.
Fixes: #550
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Update pkgcloud pacakge to add Fedora 30 to the list of distros
supported by to Packagecloud.
Shortlog since last vendoring of github.com/mlafeldt/pkgcloud:
926cf4b Update list of distros (Add Fedora 30)
Fixes: #546
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
When specifying a "Depends: (= VERSION" match in deb packages, the full
"VERSION" needs to be specified, including the trailing release number.
This fixes a regression introduced in: 63413814Fixes: #531
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Correct typos and resolve formatting issues including incorrect heading
levels and missing TOC entries.
Fixes: #541.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Editing systemd unit files to customize Docker for Kata may generate conflicts
with what's specified in /etc/sysconfig/docker, so use that file directly.
Also, libcgroup1 dependency is wrong for newer distros, and should be
pulled automatically for older ones.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
normal users might not have the correct permissions to run
docker without sudo.
In addition, as docker will run with sudo, fix permissions
on the qemu and nemu files.
Fixes: #544.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Creating Kata packages fails
due to "Makefile:58: *** target pattern
contains no '%'. Stop" error. Fix it.
Fixes: #539
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
NEMU releases are build dynamically on a xenial platform and there
aren't any plans on providing packaging for various versions and distros
today. NEMU needs to be built statically as the current default release
to be consumable by Kata. Given we are doing that, it would be nice to
test it in our CI also the same way. This change is to aid with that.
Fixes: #521
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
the versions.yaml file in runtime carries the information on all the
components we use and ship with kata. It would be nice to have the CI
test the newer versions when the file is changed and CI is triggered.
The current code always fetches from the master tree from github and
that does not help to validate version changes before it lands in the
tree.
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
hub tool from github lets you show a particular tag that might exist in
the repostiory. Switching our tag checking logic to use that instead of
listing all tags and grepping for the one we want. For some reason the
existing grep logic always fails to return the right code and always
lands on the portion of the code to generate a new tag.
Fixes: #519
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Created a skeletal set of README for the packaging areas that didn't
have them:
- Jenkins
- OBS
- QEMU
- static build tooling
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
GFM doesn't require corresponding heading hashes at the end of line -
start of lines hashes are adequate.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add missing heading names and a table of contents.
Also, folded the long lines to make them easier to edit and diff.
Fixes#501.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
If a doc contains commands, they should be non-interactive where
possible to allow for the possibility of automating the testing of the
document in the CI.
Fixes#477.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
New documentation is great, but finding it should be easy. Require that
all new docs are referenced by an existing document in the repo.
Fixes#475.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
- Created a how-to README.
- Moved howto links in top-level README to the how-to README.
- Moved svc-mesh how to into the how-to directory.
Fixes#473.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Removed two list entries in the design README that don't have a
corresponding document to link to.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fixed the Debian install guide which was pointing to the Ubuntu Docker
install guide by mistake.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
- Add more motivation, background on filesystem sharing
- simplify configuration, installation by utilizing kata deploy
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
virtio-fs has landed as an experimental feature in kata. This patch
enable the basic how-to for this feature.
Fixes: #468
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Strict dependencies guarantees that an older version of the runtime will
not be installed together with a more recent version of the other kata
packages.
This complements commit e73473f.
Fixes: #508
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
As shpchp used for pci hotplug on arm64 initialized
its bottom half work as a delay work for 5 seconds, pci bus
rescan triggered between up half and bottom half of shpc interrupt
handling will fail. so disable shpc and let bus rescan
to do the device hotplug on arm64.
Fixes: #498
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
We modified the kernel subdir, even thought it was only a doc
change, so we need to bump the config ver to reflect that.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
We don't append fullstops to section titles, and they mess the
ToC up (looks wise). Nuke the one we had in this file.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Note that to use the build script you need to have some prereqs,
including a new enough golang.
Fixes: #478
Reported-by: Rory Savage <rsavage@dispersivegroup.com>
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Change the kata-deploy doc to get rid of code-snippets
and instead include instructions to apply the provided
RuntimeClass yaml according to the k8s version being used.
Fixes#457
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
It's a little complicated to understand the note of the section
Install containerd with cri plugin, that says Just check if the cri plugin has
been disabled in the containerd configuration file but if it's disabled
containerd + the runtime class won't work.
fixes#462
Signed-off-by: Julio Montes <julio.montes@intel.com>
update-repository-version script no longer expects the repository name,
but just the version and the target branch. Modify associated Makefile
and jenkins pipeline files to adapt to that change.
Fixes: #443
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Prior to this, some of the binaries installed by kata were not owned by
root. Any user can write/replace these binaries.
This was happening as tar perserves ownership while creating the
archive.
Change the ownership of all binaries to root.
Fixes#489
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Simplify the bullet list of general requirements in the documentation
requirements document at the same time as making the wording
unambiguous.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The image now is generated using versions file. It is not generated
it will fail.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If the container has had to restart, lack of overwrite here causes a benign error message to appear since the nodes already have `katacontainers.io/kata-runtime=true` label. Having a overwrite here means that we don't get the following error message:
error: 'katacontainers.io/kata-runtime' already has a value (true), and --overwrite is false
Signed-off-by: Bharat Kunwar <b.kunwar@gmail.com>
This patches adds virtio-fs capability to the kata kernel along with
config changes to enable the same on kata by default. The system will
only be exercised when `shared_fs` is set to `virtio-fs` in the kata
configuration file. the default still remains to be 9p
Fixes: #387
Depends-on: github.com/kata-containers/runtime#1016
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Previous tarball uploaded to github has a different hash length
this commit make the regex more flexible in case the commit
length is bigger.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add script to wait until obs finish the process to build.
- check if process failed
Useful for CI job.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
SUSE does not support CONFIG_RETPOLINE.
This has being failing for a while in order
to allow the pipeline pass all the builds
must be successful.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If branch is provided not use master.
When buiding packages the master repository is used
this is bad for stable releases. Use the BRANCH variable
exported in releases.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Simplify the pipeline code by doing all the bumps.
- Instead of get the repo to bump, make the script bump them all
- Do not bump osbuilder and ksm on stable branches.
- Simplify usage for automation.
Fixes: #443
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
When CI (re)create repos, this does not provide ubuntu
updates.
- Ubuntu 16.04 requiere enable more repositories to
get latest gcc and allow build with golang.
- Add support to define multiple repositories
Repositories are comma separated in distros file.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If image is already uploaded to github dont build it again.
This Reduce pipeline time.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Some CI system timeout after some time of not output.
- Remove unused build variable
- remove quiet from image build, to know what is doing.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Reduce pipeline time by not installing golang.
golang is not needed to use osc, it makes slower the image creation.
- remove go dependency from pacakge lib
Remove calls to golang, this will be not not installed in
the docker image.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The conduit project seems to have renamed itself to linkerd so update
the service mesh document to reflect that.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
change short commit length to be the same to OBS.
Now that runtime has a strict depedency version from packages.
Like qemu-lite:
Now:
qemu-lite = 2.11.0+git.87517af
Before:
qemu-lite >= 2.11.0+git.87517af
The rpm fails because the real package version of qemu lite is
2.11.0+git.87517afd72
The commit length comes from the format of OBS '%h'
This change the shortcommit length to be the same to OBS
and runtime dependencies and packages that include git commit
as version use the same format.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Image tarball size is the same as the one defined
in lib, factor out to avoid future errors if is modified.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
When a repository holds more than one kata version
it is difficult to ask dnf or zypper for a kata version
because the version includes a git commit.
This commit removes the sha from the package version.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The runtime requiere the componets that were
build in are release. If other versions is used
it may fail.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If we apply patches directly to qemu package
this will fail unless we use qemu 4.0 (not yet today).
This patch organize qemu patches per version. For following
PRs we should make scripts aware of this and apply the right
set of patches.
Fixes: #475
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
On ppc64le, qemu installed inside a snap image
is qemu-system-ppc64, but referred in config.toml
as qemu-system-ppc64le.
Fixes#467
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Simplify qemu rpm list files using wildcard
this will help to build different qemu versions
without change all the list of files.
- Exclude not needed binaries.
Kata does not use helper binaries, and
4.0 build has a missing qemu-ga by default,
excluding files does not fail if the file exist or not.
Fixes: #464
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Change weird condition to check qemu >=3.1
Add comment explaining the malloc-trim option.
fixes#462
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fix installing docker on Debian by changing the docker install guide to
ensure that only the `kata-containers.conf` systemd service snippet is
created. Previously, both the snippet and the `daemon.json` Docker
config files were being updated because the latter also specified a bash
code block.
Note that the `daemon.json` section is now consistent with the other
install guides - it just displays the JSON code to add rather than
trying to set it.
Also, added missing shell prompts, changed code blocks into shell (but
not bash) code blocks and fixed a few minor grammar and whitespace
issues.
For further details, see:
- https://github.com/kata-containers/documentation/blob/master/Documentation-Requirements.md
- https://github.com/kata-containers/tests/tree/master/cmd/kata-managerFixes#442.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
modify configure-hypervisor.sh to support Qemu 4 and enable `malloc-trim`
for memory optimization.
fixes#459
Signed-off-by: Julio Montes <julio.montes@intel.com>
- Add information about package testing pipelines
- Fix release notes command
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Using only one directory to hold kernel patches lead to
difficult maintenance. Instead use a list of patches per
kernel version.
If patches for a kernel version does not exist, dont fail.
Fixes: #308
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add the yaml for kata RuntimeClasses. It is useful to
include this explicitly, rather than just having it in the docs.
Also, this feature has transitioned from alpha to beta from k8s 1.13
to 1.14. Hence maintain separate yamls for these versions.
Fixes#444
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
All instances of the deprecated `arch` command are now replaced with `uname -m`.
Bumps kernel/kata_config_version to 34.
Fixes: #423
Signed-off-by: Rasmus Moorats <me@neonsea.uk>
Fixes: #429
Add zun-ui plugin for devstack when intergrated with zun.
Depends-on:github.com/kata-containers/tests#1484
Signed-off-by: Lei Xu <xulei@cmss.chinamobile.com>
build, install and test kata containers snap package.
Depends-on: github.com/kata-containers/tests#1454
fixes#428
Signed-off-by: Julio Montes <julio.montes@intel.com>
This patch is update version for [1] as kernel
upgrad to v4.19.
It derives from [2] which has accept by kernel
community after v4.20. Modifacation has been done
to make it be able to enable memory hotplug using
probe method as it originally aims to using acpi.
Also some corresponding configurations in kernel
config are opened.
[1] https://github.com/kata-containers/packaging/
commit/e654dbd8367371c1b34776445a402d3c90f0dc66
[2] https://git.kernel.org/pub/scm/linux/kernel/
git/torvalds/linux.git/commit/
?id=4ab215061554ae2a4b78744a5dd3b3c6639f16a7
Change-Id: I305435f1d7e38d5cfcee22799792d1f4b0f015f8
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Jira: ENTOS-899
QEMU supports finer-grained units than GiB. Change the cache size to
MiB so users have more control over the cache size.
Note that changing the semantics of the CacheSize field is fine because
there are no users of this API yet. kata-runtime will be the first
users and prefers MiB instead of GiB.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Kata OBS repositories provide multiple branch support.
Let define a variable to allow users define kata branch to use.
Fixes: #423
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
In newer versions of QEMU, like 4.0-rc2, QMP events can be thrown even before
the QMP-version response, one example of this behaviour is when a virtio serial
is closed and a VSERPORT_CHANGE event is thrown.
Re-implement mainLoop to check the data received from the VM channel, since
it's not a guarantee that the first data read from the VM channel is the
QMP version.
fixes https://github.com/kata-containers/runtime/issues/1474
Signed-off-by: Julio Montes <julio.montes@intel.com>
To assist in tracking older issues/PRs, let's add a tool for marking
issues and pull requests as being stale after 60 days of inactivity. A
stale issue/PR will be closed after 7 days of being marked stale.
Fixes: #366
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Unless we run kata VM as a hypervisor, we may need
CONFIG_S390_HYPFS_FS and CONFIG_SYS_HYPERVISOR.
CONFIG_S390_VMUR is for z/VM hypvervisor.
Remove CONFIG_ZSWAP and its dependencies to match other arches.
Fixes: #421
Signed-off-by: Tuan Hoang <tmhoang@linux.ibm.com>
api.proto moved, resulting in a broken link. The original link wasn't
very useful in the first place, so simply remove.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Let's keep all design documents in the same logical location. Updating
the file to be called 'cpu-constraints', though we may want to expand to
resource constraints going forward.
Fixes: #417
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
When writing our runtime configs to crio.conf, let's add some
whitespace and comments to make it clearer, and fit in with the
rest of the crio.conf file.
Fixes: #412
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
We no longer use the TrustedSandbox style annotations now we
have moved to the RuntimeClass method of choosing a runtime.
Drop the remaining Trusted items from the examples.
Fixes: #403
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Add a note to the developer guide explaining that the debug console
requires systemd support (hence nominally you cannot use alpine linux
for example as that doesn't use systemd).
Fixes#412.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kata does support privileged flag but within the guest,
so explain how this works in the Limitations docs.
Fixes#362
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Change the debug console systemd job to specify the path to bash as
`/bin/bash`, *not* `/usr/bin/bash`. This unbreaks the debug console for
Ubuntu and Debian and also works for all other distros.
Fixes#410.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Don't force Docker to be kept at version 18.06 (to ensure devicemapper
is available). This feature won't be re-added by Docker and remaining on
an old version of Docker is not good from a security perspective.
Replace the pinning with a note pointing users at an issue which
provides details of alternatives to devicemapper.
Fixes#407.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Former snap configuration snapcraft.toml install qemu-lite for all
platforms, which isn't applicable on aarch64. We need qemu-aarch64
of specific version and extra patches.
Fixes: #399
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Kata supports multiple configuration file locations, so update the dev
guide to tweak config settings in
`/etc/kata-containers/configuration.toml` rather than the pristine
`/usr/share/defaults/kata-containers/configuration.toml` file. The
former is read first meaning the system can be reset to a vanilla Kata
configuration by simply deleting
`/etc/kata-containers/configuration.toml`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The debug console systemd job needs to specify `PrivateDevices=no` to
ensure the job can access the *real* console. Without this, connecting
to the socket does not provide access to the main guest root context.
Fixes#403.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
We use a packagecloud OSS account for package hosting.
As part of the arrangement with packagecloud we need to
credit them and add a link back to https://packagecloud.io
on our website and project README.
This was added to the kata-containers repository's README,
but it is also probably appropriate to add it to the packaging
README as well.
Signed-off-by: Thierry Carrez <thierry@openstack.org>
Update the how-to containerd-kata doc to support runtime option, by which
we can specify kata configure file for different kata runtime.
Fixes:#390
Signed-off-by: fupan <lifupan@gmail.com>
Rather than add the config for kata-qemu and kata-fc unconditionally,
the script now checks if the runtime config exists.
If it exists, then do not chnage the path for the runtime.
The user may have configured this to a specific path for testing
local chnages.
Fixes#374
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Since []byte channel type transfer slice info(include slice underlying array pointer, len, cap)
between channel sender and receiver. scanner.Bytes() function returned slice's underlying array
may point to data that will be overwritten by a subsequent call to Scan(reference from:
https://golang.org/pkg/bufio/#Scanner.Bytes), which may make consecutive scan() call write the
read data into the same underlying array which causes receiver read mixed data,so we need to
copy line to new allocated space and then send to channel receiver to solve this problem.
Fixes: #88
Signed-off-by: jiangpengfei <jiangpengfei9@huawei.com>
to make kata-linux-container package builds reproducible.
See https://reproducible-builds.org/ for why this is good.
Uses -u to be independent of timezone.
Uses LANG=C to not have Day-of-Week and Month names vary.
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
new kernel, new dependencies. Add bison, build-essential and flex as
kernel dependencies
fixes#395
Signed-off-by: Julio Montes <julio.montes@intel.com>
let's open nvdimm-related kernel config parameters on arm64, such as
CONFIG_ACPI_NFIT, etc. and we also need to backport patch
'kvm:arm64:Dynamic IPA and 52bit IPA'(https://patchwork.kernel.org/cover/10616271/)
and related dependency into v4.19.X to fully support nvdimm from guest kernel.
Former patch has already been merged into v4.20.X.
Fixes: #376
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Unfortunately, at present we have no way of testing Kata packages for
Red Hat Enterprise Linux (RHEL) or SUSE Linux Enterprise (SLES).
Add warnings to the RHEL and SLES install guides explaining this and
advising users to exercise caution. Hopefully, we will be able to drop
this warning soon (either when we have the ability to test on RHEL/SLES
or when Kata packages are available in RHEL/SLES).
Fixes#396.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
enable ZONE_DEVICE config to support map pages, pmem_should_map_pages()
function fails if this config is not enabled.
fixes#378
Signed-off-by: Julio Montes <julio.montes@intel.com
Eventually containerd will allow us to provide an argument for a given
runtime handler, but in the meantime, let's use bash to provide
indirection to specify the appropriate configuration file.
Only QEMU is handled until we have a block based snapshotter available.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Add support for the v2-shim integration with containerd. This registers
a runtimeClass named 'kata', utilizing the containerd-shim-kata-v2
binary.
This change adds volume mounts (hopefully temporarily) for
/usr/local/bin, as containerd requires the shim binary be within the
existing path.
Fixes: #323
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Add a CODEOWNERS file so we get auto-review requests from github
for any .md file changes.
Fixes: #394
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
`build-kernel_test.sh` builds the kernel when there are changes
of it in a PR and then runs the whole CI tests. Now we are running
all CI tests on all changes[1] (not only when there is a kernel change).
This is making the CI to run all tests twice when there is a change
in the kernel, so we need to remove the script.
[1] https://github.com/kata-containers/packaging/pull/348Fixes: #380.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
This will add missing config option (DRM_FBDEV_LEAK_PHYS_SMEM) that are
being asked while running the installation script for kata kernel. Also,
this jumps to the current kernel version that is being used at the runtime.
Fixes#372
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Add documentation on how the kernel is tested and how changes could be
introduced.
Fixes: #344
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We do releases based on kata branches lets get a fresh
versions file as the one in the host may be not updated.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add CONFIG_CFS_BANDWIDTH so CPU hotplug feature works on s390x. Note
that CPU hot-unplug does not work yet due to limitations in qemu s390x.
Fixes#360
Signed-off-by: Tuan Hoang <tmhoang@linux.vnet.ibm.com>
run all CI test to increase testing coverage on kernel config changes.
Fixes: #346
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We want to make sure Kata runs on latest stable kernels so that it
benefits from the latest features.
Fixes: #358
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
snap-build scripts were used to cross-build snap images in local environments.
Currently we are using launchpad to build and release the snaps, hence those
old scripts are no more needed.
fixes#350
Signed-off-by: Julio Montes <julio.montes@intel.com>
we add the rough kernel config v4.19.23 for arm64, here we let
'make oldconfig'(setting default) to do the transformation from
v4.14.X to v4.19.X.
Fixes: #337
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
The QEMU vhost-user-fs-pci device provides virtio-fs host<->guest file
system sharing (https://virtio-fs.gitlab.io/). The device is
instantiated like this:
$ qemu -chardev socket,path=/tmp/vhost-fs.sock,id=chr0
-device vhost-user-fs-pci,tag=myfs,chardev=chr0,cache-size=4G,versiontable=/dev/shm/fuse_shared_versions
This patch adds the VhostUserFS DeviceDriver and command-line generation
for this QEMU device.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
kata-deploy inserts 'manage_network_ns_lifecycle' into crio.conf without any
prior checks and if there is a previous entry in the file, this becomes a
duplicate causing crio service restart issues. This patch addresses that
particular scenario.
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Docker 18.09 removed devicemapper support but did not provide an
alternative. This can cause problems for users so update the install
docs to install Docker at version 18.06 (the last version that supports
devicemapper).
This is a temporary solution until either docker provide an alternative
or we find a way to work around the Docker feature being removed.
Note the extra logic required for Fedora since 18.06 is not available
for that release.
Fixes#373.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Document flow to create a release based in the tools
from this repository.
Fixes: #207
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
With the 1.5 release, we made several changes:
-simplification of daemonsets
-introduction of runtimeClass
Update documentation to take this into account.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Before the kata-deploy container image was intended to be
used with only Kubernetes. This commit adds a script for configuring
Kata to run with Docker.
This assumes > release 1.5 of Kata, as Firecracker is being configured
as well as QEMU based Kata. Note, in order for this to work, Docker must
be configured to use a block-based storage driver.
To succeed, it the following directories must be mounted:
- /opt/kata - this is the location that the kata artifacts are stored
- /run/systemd - for reloading the docker service
- /var/run/dbus - for reloading the docker service
- /etc/docker - for updating the docker configuration (daemon.json)
usage: kata-deploy-kata [install | remove]
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Simplify the yaml and combine the prior scripts. The resulting script,
kata-deploy.sh, is used for install and configuration and
removal for CRI-O and containerd. While this could be used standalone
outside of daemonsets, today it will sleep infinity after processing the
request, since it is assumed to be called by a daemon.
By checking the CRI runtime within the script itself, we no longer need
to support many daemonsets for deploy - just a single. Still requires a
seperate cleanup daemonset (for restarting the CRI runtime), and an
RBAC.
Verified with CRI-O -- containerd testing WIP
Throwing this up now for feedback since I do not bash good.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
Use a new GOPATH to build image in order to avoid clashes with user's GOPATH,
otherwise user's kata agent will be used causing problem if that repository is
not up to date.
Signed-off-by: Julio Montes <julio.montes@intel.com>
We have some initial Firecracker/Kata documentaiton, but for now
it lives in the wiki. Link off to it from the top level docs
README to make it more obvious and easier to find.
Fixes: #367
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
New hypervisor configs could be added in the future, add
any possible new config file.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Now there are 2 config paths lets update both to not use
initrd by default.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
For vCPU hotplug to work on ppc64le, we need not
pass threadID and socketID. So conditionally pass
arguments when executing CPU device add.
Fixes: #83
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Use a new GOPATH to build image in order to avoid clashes with user's GOPATH,
otherwise user's kata agent will be used causing problem if that repository is
not up to date.
Signed-off-by: Julio Montes <julio.montes@intel.com>
The .travis file was building GoVMM with some old of date versions of
Go that seem to be incompatible with the latest versions of gometalinter.
This commit updates the .travis file so that we build against 1.10 and
1.11.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Static check was complaining about code that looked like
_ = <-ch
when it wants to see simply
<-ch
There was only one instance of this in govmm and this commit fixes
that instance.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
static check was complaining about code that looked like
if x == "" {
return false
}
return true
when what it wants to see is return x != "". This commit fixes the issue.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
staticcheck was complaining about code that looked like
if x == true {
}
rather than
if x {
}
This commit fixes the issue.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
staticcheck was complaining as there were quite a lot of
fmt.Sprintf("%s",d) in the code where d was either a string or
had string as its underlying type.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
staticcheck was complaining as some of the error messages returned by
govmm began with a capital letter. This commit fixes the issue.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Although the installation instructions specify `apt-get -y ...`, the
installation blocks when trying to install the Kata pages with a message
like this:
```
...
Restart services during package upgrades without asking?
<Yes> <No>
```
Setting `DEBIAN_FRONTEND=noninteractive` avoids this.
Fixes#363.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The snap install doc only told you how to install the kata snap,
and did not then go further to describe how to configure and
intergrate it. Those details are available already over in the
packaging repo, so let's link out to them.
Fixes: #360
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
- update cri-containerd to containerd with cri plugin
- suggest the shimv2 to be the preferred kubernetes integration way.
Signed-off-by: Xu Wang <xu@hyper.sh>
- mentioned shimv2 in the configuration part of manual installation
- reference the link of shim v2 api and the k8s containerd howto
Signed-off-by: Xu Wang <xu@hyper.sh>
The OpenSUSE and SLES install guide for Docker used the --containerd
option. When this option is used on OpenSUSE Leap 15 or SLES 15, the
following error occurs when starting Docker:
Failed to connect to containerd: failed to dial
"/run/containerd/containerd.sock": context deadline exceeded
Removing the --containerd option from the configuration file allows the
Docker daemon to start successfully and a Kata container to be created.
Fixes: #350
Signed-off-by: John L. Jolly <jjolly@suse.com>
As memory hotplug for arm64 by acpi is not ready on qemu, we choose
"probe" instead. You can refer to [1] to get more infomation about
"probe". The process of memory hotplug by "probe" in kata lies below:
firstly, add memory in qemu qmp; secondly, echo the start phyical address
of that memory to /sys/devices/system/memory/probe, which will be done
through kata-agent; thirdly, excute online op, then this newly added
memory is capable to be used.
All functions in this patch will be called after "echo" op. It can be
divided into two parts:
1. create page table for that memory;
2. add that memory to memblock.
In this patch, NUMA must be turned off for not all arm64 machine supports
NUMA.
As the newly added memory should be placed from 2T to 6T which is decided
in qemu and phyical address and virtual address will be one-one mapping
when create pgd for that memory, we must config ARM64_VA_BITS as 48.
Also some configs should be turned on, especially "ARCH_MEMORY_PROBE".
We have tested this patch integrated with another patch which performed
that echo op. It works well when using "-m" in command line when start a
kata-container on aarch64 machine.
This patch derived from Maciej Bielski. You can refer to [2] to get full
infomation about it.
[1] https://www.kernel.org/doc/Documentation/memory-hotplug.txt
[2] https://lkml.org/lkml/2017/11/23/183Fixes: #309
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
In some build systems like launchpad is not possible to run neither
custom commands or hooks, hence build a snap image with `make snap` is
not feasible, to deal with this limitation, the final snapcraft.yaml
is part of the repository and all packages versions are read from versions.yaml
in the runtime repository.
fixes#305
Signed-off-by: Julio Montes <julio.montes@intel.com>
Remove the `network connect` limitation from `Limitations.md` as the limitation has been removed.
Fixes#287.
Signed-off-by: Ayoub Bousselmi <abousselmi@users.noreply.github.com>
Remove the `ps` limitation from `Limitations.md` as the limitation has been removed.
Fixes#342.
Signed-off-by: Ayoub Bousselmi <abousselmi@users.noreply.github.com>
If the runtime repository is already cloned get version from it,
else keep getting from github.
Fixes: #299
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Update the developer guide to include documentation
for the inclusion of seccomp packages in initrd/rootfs
images.
Fixes: #339
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Add a reference to the release rotation wiki, and clarify that
the current stable release schedule is every-other-week.
Fixes: #337
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Fixes#310.
These install instructions are based on the katacontainers repository for Debian. For installation, a newer version of `librbd1` is required. This is available from the `unstable` repo.
Tested only on Debian 9 - Stretch (x86_64).
- tested with `docker-ce=17.12.0~ce-0~debian`
Signed-off-by: zeigerpuppy <zeigerpuppy@users.noreply.github.com>
1.5.0-rc2 packages for linux-container fail for Ubuntu. Let's use 1.4-stable instead of master for now.
Fixes#325
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Since aarch64 need custom QEMU binary and doesn't support OBS
packaging for now, we add this section to lead developers to build
required qemu-system-aarch64 binary.
Fixes: #320
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
We want to make sure Kata runs on latest stable kernels so that it
benefits from the latest features.
For instance, in case of Kata relying on NEMU hypervisor, the recent
kernel patches reworking the way timer calibration is handled are
solving some boot latency issues.
Fixes#287
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Fix version compare when specifying a pre-release version in
versions.txt. This is needed because kata on git uses strict semver,
while kata RPM packages uses ~ in place of - for PATCH version, to
allow RPM version comparison to work properly.
Fixes: #285
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
For supporting nvdimm, we need to update kernel on aarch64 to the
stable version 4.19.8 and backport Suzuki K Poulose's latest
Dynamic IPA and 52bit IPA support patch series
(https://patchwork.kernel.org/cover/10616271/)which has been included
in 4.20-rc3+ to the v4.19.8.
Fixes: #268
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Only create a new docker unit file if no other existing unit files
are detected. Creating a new docker file when not necessary may mask out
existing docker daemon configurations.
Fixes: #300
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
We want to make sure Kata runs on latest stable kernels so that it
benefits from the latest features.
For instance, in case of Kata relying on NEMU hypervisor, the recent
kernel patches reworking the way timer calibration is handled are
solving some boot latency issues.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Remove configs s390_kata_kvm_4.14.x
The patch 0003-serial-forbid-8250-on-s390 is no longer necessary as it
has been upstreamed since version 4.16
The kernel configs have been generated as described in https://github.com/kata-containers/packaging/issues/246
plus the vsock options have been manually enabled:
CONFIG_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS_COMMON=y
Fixes: #280
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Remove modules from default kernel config.
Modules are not used in default kata images.
Lets remove them.
Fixes: #276
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
ExecuteNVDIMMDeviceAdd can add a nvdimm disk to qemu.
Not implement NVDIMM device delete function because qemu doesn't support it.
Signed-off-by: Hui Zhu <teawater@hyper.sh>
For devices that actually support the option disable-modern, this
current commit provides a proper flag to the caller. This will allow
for better support when used in nested environment as virtio-pci
devices should rely on virtio 0.9 instead of 1.0 due to a bug in
KVM.
Fixes#80
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Right golang version is installed before building kata-containers, skip go
version check to avoid including extra build dependencies.
fixes#265
Signed-off-by: Julio Montes <julio.montes@intel.com>
It turns out it is possible to run the unit tests for the s390x build
on travis by renaming the s390x specific files, so that their
inclusion in the build is determined only by tags and not by filename,
and by introducing a new tag s390x_test that we can use to force
their inclusion into a build by using this tag. The .travis file is
then updated to include the line
go test --tags s390x_test ./...
This creates a build on travis that includes the s390x specific
files and runs the unit tests.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit adds a single command to the travis script that checks
that the s390x build works. We can't run the unit tests but at
least we can check that everything builds on this architecture.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Update the kernel package to allow building for multiple architectures with
a single set of sources.
Changes:
- Add kernel configs for all architectures
- Detect at runtime the correct target architecture and kernel
compressed image location. This is done with the script kata-multiarch.sh
Note that debian control files still need to be updated to handle Multi-Arch,
so that they are not tied to the architecture on which
`linux-container/update.sh` is run.
Fixes: #262
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
The PR adds the s390x support. It sets the CCW devices and sets to false
all the devices in the mapping isVirtioPCI. It reimplements the functions
QemuNetdevParam and QemuDeviceParam to print an error message if the vhost-user
devices are used. It introduces a new function ExecuteNetCCWDeviceAdd for qmp
for the CCW devices.
Fixes: #37
Co-authored-by: Yash D Jain <ydjainopensource@gmail.com>
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
This commit updates the headers in the Go source files to adhere
to the new guidelines in the CONTRIBUTING.md file.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
The CONTRIBUTING.md file is updated to provide a template for new
source files and to invite contributors to add themselves to the
CONTRIBUTORS.md file.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This file is a partial list of contributors to the Virtual Machine
Manager for Go project. To see the full list of contributors,
see the revision history in source control.
Contributors who wish to be recognized in this file should add
themselves (or their employer, as appropriate).
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Only get 'QMP command failed' error message now when execute QMP
command by 'executeCommandWithResponse' failed. This patch will
output more error detail.
Signed-off-by: NingBo <ning.bo9@zte.com.cn>
Detect misalignments of versions between the content of versions.txt
file and the version found in the VERSION file in the git branch being
released on OBS.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Introduce the --compare option to compare the content of the local
versions.txt file with the one found at the specified git branch.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This improves the guest kernel build section of Developer-Guide
on arm64.
This also improve the description of sriov use-case.
Fixes: #299
Signed-off-by: Jia He <justin.he@arm.com>
Remove the redundant dh-modaliases package as a build requirement
for deb packages. This allows to build packages for the Debian distro.
Fixes: #249
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This PR prepares for the s390x support. It introduces:
- a generalization of ccw and pci devices. The variables for the pci devices
have been renamed by removing the Pci suffix. They have been moved to the
qemu_arch_base.go
- the mapping isVirtioPCI has been move to qemu_arch_base.go because in
this way a different mapping can be added for other architecture (e.g
s390x)
- the functions QemuNetdevParam and QemuDeviceParam have been moved to
qemu_arch_base.go. In this way, they could be reimplemented for other
architecture for the case VHOSTUSER
- a function disableModern has been introduced to check if the device is
a pci device and then returns the right parameters. In the case of ccw
devices, they don't have the disable-modern flag
- a function mqParameter has been introduced to return the right
parameters for the mq case. The virtio-net-ccw device doesn't have the
vectors flag
- in qemu_arch_base_test.go contains the test and strings that can be
overwritten for other architectures (e.g s390). The devices names and
the flags for the devices can be overwritten.
- the string for the romfile has been replaced by a variable romfile
that could be left empty if the devices doesn't support a romfile as
for the ccw devices for s390.
- clean-up: the disable-modern=on/off options have been changed to
disable-modern=true/false. In the code there was a mixture of on/true
off/false
Fixes: #61
Co-authored-by: Yash D Jain <ydjainopensource@gmail.com>
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
ExecuteBlockdevAddWithCache has two more parameters direct and noFlush
than ExecuteBlockdevAdd.
They are cache-related options for block devices that are described in
https://github.com/qemu/qemu/blob/master/qapi/block-core.json.
direct denotes whether use of O_DIRECT (bypass the host page cache)
is enabled. noFlush denotes whether flush requests for the device are
ignored.
Signed-off-by: Hui Zhu <teawater@hyper.sh>
The s390_kata_kvm_4.14.x configs have been obtained by applying the patch
serial-forbid-8250-on-s390 and the combination:
make defconfig kvmconfig localyesconfig
Fixes: #246
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
The patch 0003-serial-forbid-8250-on-s390.patch fixes a conflict between
the ttysclp0 and serial 8250 console. The patch is already upstream and
it has been introduce in version v4.16-rc1.
However, it is not backported. See https://lore.kernel.org/patchwork/patch/861679/
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Also change TestQMPXBlockdevDel to TestQMPBlockdevDel because QMP verion
2.9 and older use blockdev-del but not x-blockdev-del.
Signed-off-by: Hui Zhu <teawater@hyper.sh>
Add input for -pidfile option of qemu, so that we can get pid of
qemu main process, and apply resource limitations to it.
Fixes#62
Signed-off-by: l00397676 <lujingxiao@huawei.com>
Remove the `!` from the `echo` in the code example in the doc
requirements doc.
The current code is in fact invalid as the shell will try to interpret
the exclamation mark as it is a reserved word. Rather than escaping it
in the example, just remove it.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Skip the golang version check when building the runtime, passing to make
`SKIP_GO_VERSION_CHECK=1`. This check requires yq, that's not packaged
for most distributions and it can't be downloaded at build time on OBS.
It is the responsibility of the package maintainer to verify that the
correct golang version is used.
Fixes: #242
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Remove hardcoded golang version, as it overwrites the value previously
fetched from the runtime/versions.yaml.
NOTE: this has as consequence replacing the golang compiler version from
1.10.2 to 1.11.1 (that is currently the "newest-version" specified on
master).
Fixes: #242
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Usage:
- add more information about what the script does
- support for -h / --help flags
- tagging of error messages with `ERROR: ` prefix
Fixes: #244
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Add the ability to specify a list of projects to process, instead of
processing all projects (default behaviour).
Fixes: #244
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Use /snap/kata-containers/current as prefix on building but /usr on install.
This changes are needed to include all new kata components like netmon in the
final snap.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Without Real time clock the date could not work properly for Arm64.
fixes: #238
Change-Id: I5834a5e90dc648cc9599c50f259d5ae273052a39
Signed-off-by: Wei Chen <wei.chen@arm.com>
Instead of specifying a version for OVMF binary, this patch uses
a tiny script to retrieve the proper URL to download from.
Fixes#289
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Include in the release notes the kubernetes version that
has been tested with the release.
Fixes: #235.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The Intel GPU support has been enabled in kata runtime, but the
guest kernel of kata container lacks the support of Intel GPU,
so this commit enables it as default in guest kernel.
CONFIG_DRM, CONFIG_DRM_I915 and CONFIG_DRM_I915_USERPTR are necessary.
Others are obtained by running command "make menuconfig" and selecting
the following options.
Device Drivers
---> Graphics support
---> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)
Device Drivers
---> Graphics support
---> Intel 8xx/9xx/G3x/G4x/HD Graphics
Fixes#232
Signed-off-by: Zhao Xinda <xinda.zhao@intel.com>
Add new CI tests to ensure that the following installation methods are
also tested:
- "Automatic" method ([`kata-manager`](https://github.com/kata-containers/tests/tree/master/cmd/kata-manager))
- "Scripted" method ([`kata-doc-to-script`](https://github.com/kata-containers/tests/blob/master/.ci/kata-doc-to-script.sh))
**Note:** the "Automatic" method is **not** the same as the existing
`kata-manager` test: the existing test executes the "Manual"
installation method (which runs `kata-manager` to execute the
appropriate distro-specific install guide). However, this new test
executes the `install/installing-with-kata-manager.md` document, which
subsequently calls the `kata-manager` script.
Since the "Automatic" and "Scripted" installation methods are designed
to run "standalone" (without requiring any local git repo clones), the
script which runs these new tests has to take care to ensure the
environment they run in is clean. It does this by using the following
approach:
- Removes any local Kata github repos from the standard `GOPATH`
locations (to ensure the scripts do not inadvertently access local
files) [1].
- Creates a temporary directory containing:
- A copy of *itself*.
- The scripts it generated from the "Automatic" and "Scripted" installation documents.
- Re-exec's itself to run the version in the temporary directory,
passing an option that tells itself to simply execute the scripts in
the specified directory.
- It then runs the scripts in the directory specified.
---
[1] - Since the recursive delete of all local Kata github repos is
potentially dangerous, the test will immediately fail if the standard
`KATA_DEV_MODE` variable is set (since this denotes a developer system)
and will also fail unless the standard `CI` variable is set (denoting
the script is running in a Continuous Integration environment, such as
JenkinsCI.
Fixes#278.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Wrap the function calls in the doc test script in a `main()` function to
simplify future changes.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Split out a function to create a container from
`test_distro_install_guide() in the script used to test install docs.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The script used to test the install docs does not actually use the
golang binary (it only uses the `GOPATH` variables) so remove the
unnecessary call to `go`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Rework the logic in `check_install_docs()` to make the intention
clearer and support adding additional tests.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Rename the `check_install_guides()` function to `check_install_docs()`
and clean up:
- Improve messages.
- Add more braces around variables.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the `kata-doc-to-script` install document to actually execute the
generated scripts, allowing the entire installation to be tested by the CI.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Converted the plain code blocks in
`install/installing-with-kata-doc-to-script.md` to bash code blocks so
that they are executable by... `kata-doc-to-script.sh`.
Also, removed the backslashes to let github render scroll bars for
consistency with other docs.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Use a one-line code block for the installation command, and document the
dry run option.
Fixes: #275
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Improvements to the table in the installation README:
- Fix the invalid link for the "Build from sources" option.
- Add column for "Packaged install" to make it clearer which
options result in a distro-packed install.
- Tweaked the "Suggested for" column to make the use-case options
clearer.
- Added detail for each use-case in a "Description" column.
Fixes#276.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
As discussed in issue #171 IPv6-in-IPv4 tunnel is useless in guest. So we
decide to disable the CONFIG_IPV6_SIT by default for Arm64.
Fixed#230
Signed-off-by: Wei Chen <wei.chen@arm.com>
This patch fixes the wrong behavior of specifying a netdev, MAC
address or PCI address entry when those were empty. Instead, it
does not provide those entries if the content is empty.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
As x86_64 has updated the guest kernel to enable EFI support for NEMU,
because OVMF that is used by NEMU is an EFI firmware. Although the
NEMU is not ready for Arm64, we'd better to enable EFI support in
kernel to keep sync with x86_64.
Fixes#228
Signed-off-by: Wei Chen <wei.chen@arm.com>
Linux-container OBS packaging for ppc64le
fails as the spec file is x86 specific for
kernel build and install process.
Fixes: #224
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
evged is required to make Kata work with NEMU.
Apply the kernel patch when building kernel.
Fixes: #268
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Refactor installation instruction to minimize duplicate content,
to document package source verification process, and to remove
some of the typos.
Fixes: #263
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This commit bumps the default config from 4.14.49 to 4.14.67 first,
and then enables the support for EFI firmware as OVMF used by NEMU
is an EFI firmware.
Fixes#220
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This documentation is a short document explaining how to make Kata
Containers running with the NEMU hypervisor.
Fixes#267
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Any device inheriting from virtio-pci can specify a ROM file. This
option is provisioned by default with "efi-virtio.rom", but most
of the time, firmwares such as OVMF or seabios will already support
what is provided by this ROM file.
In order to reduce the "forced" dependency on such ROM file, govmm
should provide an empty path if the consumer of the library does not
provide one.
This patch reorganizes the list of devices, so that it gets easier to
list which devices inherit from virtio-pci, and then adds the romfile
option to every single device that support this option.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This document decsribes how an Intel GPU can be used with
Kata Containers in GVT-g and GVT-d mode.
An example of an actual workload will be added in the future.
Fixes#260
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add support for virtio-balloon.
- Add test
- Support disable-modern
- Support deflate-on-oom
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The spec-template file looks for x86 specific
files irrespective of the arch on which
packaging is done for.
Fixes: #216
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Add patch to enable evged, the config option cannot be set normally since it
breaks current kata supported machine types.
Fixes: #214
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Rather than show the generic "qemu", log the full path to the
particular qemu binary being used.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
In case the type of bridge is PCIEBridge, which we expect as ending
up using pcie-pci-bridge device from Qemu, the properties chassis_nr
and shpc don't exist.
This commit simply fixes this use case by removing those parameters
from the command line.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Update variables needed by osbuilder.
Also fix query to get the initrd base OS.
Fixes: #210
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
make -f .obs-packaging/Makefile clean fails with
"No such file or directory" even after deleting the
files returned by find. Fix it by using -prune.
Fixes: #203
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
We do not currently support enablement of `selinux` in the
dockerd config. Document that.
Fixes: #252
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
The repository URLs in the installation guides needs to point to the
latest release version.
This impact tests execution too (kata-manager uses this guides as
installation recipes).
Fixes: #255
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This PR is based on #124 but has been reworked and updated to take into
account review feedback and extra cleanups to bring this howto in line
with the latest documentation requirements.
Fixes#127.
Signed-off-by: T. Nichole Williams <tribecca@tribecc.us>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
It is the only repo that requires LIBEXECDIR. Do not set it
for other repos, otherwise the runtime repo will mistakenly install
kata-netmon in a wrong path.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
It fails with:
step 13/16 : RUN make clean
---> Running in 5385ba104ad8
find: '/root/qemu/tests/docker/dockerfiles/debian-alpha-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-hppa-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-m68k-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-mips64-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-powerpc-user-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-riscv64-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-sh4-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-sid.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-sparc64-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/debian-tricore-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/dockerfiles/fedora-i386-cross.docker': No such file or directory
find: '/root/qemu/tests/docker/test-debug': No such file or directory
find: '/root/qemu/tests/docker/test-unit': No such file or directory
Signed-off-by: Peng Tao <bergwolf@gmail.com>
We should make sure ${tag} fully matches otherwise we cannot
differentiate `1.3.0` vs. `1.3.0-rc1`, nor `1.3.0` vs. `11.3.0`.
Fixes: #196
Signed-off-by: Peng Tao <bergwolf@gmail.com>
The kata-runtime spec file, when specifying a `Requires:` version for
qemu-lite and qemu-vanilla, does not include the "+git.<commit hash>"
part.
As a result of this, versions of kata-runtime and qemu installed on a
system using RPM package management may be inconsistent.
Fixes: #193
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
The memory-backend-ram should also be set to a numa node instead of
being inserted as a new device. Otherwise it becomes additional memory
and requires explicit online to be available, instead of just being a
backend of the memory specified by -m option.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
unable to prepare context, unable to evaluate symlinks
in context path when building target test-packaging-tools
on ppc64le.
Fixes: #189
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
"make clean" errors out if snap/snapcraft.yaml file
does not exsist and the recipe for target 'clean'
fails. Avoid this my adding a "-f" option to rm to
have a clean state.
Fixes: #187
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
It is expected that this document will change over time. This
represents an initial starting point as we create and release
our stable branches.
Fixes: #237
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
In addition to supporting hotplug for VFIO mediated device on PCI bridge,
this patch adds hotplug functionality on root bus.
When parameter bus and addr are set to be empty, the system will pick up
an empty slot on root bus.
Signed-off-by: Zhao Xinda <xinda.zhao@intel.com>
The contents of .iso used to bootstrap VMs with cloudinit are
initialised using a precreated, short-lived directory. The
permissions on this directory were too lenient. This commit
restricts access to this directory to the user and his/her group.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
We find for the tarball name with the package name.
If this is a `-rc` tha package versoin will have `~rc`,
lets replace `~` for `-` before get the tarball name.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Replace non-valid character from kata version.
This will make the version compatible with rpmbuild.
Fixes: #179
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Make sure we checkout the new_version tag before grabbing version
information from the runtime repository.
Fixes: #174.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Add script to generate release notes template
for runtime.
Will get the range of changes from two tags.
Get assets information from versions.yaml file.
Fixes: #169
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
When tries to get release number from a new repo, the
specfile wont exist. Dont do grep in this case.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Clean target tries to remove files multiples times.
Limit find max depth to not try to remove files more than once.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Fix image generation.
Instead of use agent code from the host checkout to the
agent source code in a clean GOPATH env.
Make sure that the agent `commit id` is the correct before
push to github or OBS.
Fixes: #166
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We need to update the way CNI is handled which is
mostly how CNM is taken care of. Start of by removing
the incorrect steps documented for CNI.
Fixes#236
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Checkout to a target branch before create a tag.
We dont checkout for repos that does not have stable branches.
We want to do is just push the tags to master branch
since we don't maintain a seperate one.
The repos are:
osbuilder
packaging
ksm-throttler
Fixes: #163
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Lets point to qemu repository instead of kata fork
for qemu-vanilla.
Fixes: #161
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The osbuilder version file wont be the same if
we tag a stable branch. But we still want to tag
the HEAD of osbuilder to do reproducible builds of
a Kata branch.
Fixes: #158
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
When we get changes from one version to a newer this
is empty because we dont get the current version.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We need to create the osc file before enter the container.
If build_all.sh is executed without a container and osc
is intalled osc will ask for setup but in the container
fails do to a missing tty.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
When we genete packages file we want to see
the resulting files. This changes to now
create repos in a tmpdir.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If want to create pkgs based in new branch, this script will create
all the empty repositories in OBS for each kata package.
Then we can point use the rest of scripts to push changes to this new repo.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
pkglib.sh uses BUILD_ARCH and DEB_ARCH which are
by default not set and hence take the value of
x86_64 and amd64 respectively. Make this
architecture specific.
Fixes: #154
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
qemu-lite is required to be packaged only
for amd64 arch. Skip it for all other
architectures.
Fixes: #152
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Currently, since GOARCH is not passed as build-arg
to a Dockerfile, it by default always pick's up amd64
when building it. Also pass it as --env when running it.
Fixes#148
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Fixes#144
Current kata containers can't run with kernel 4.1 built from current x86 config,
it will report error:
```
$ docker run -ti --runtime kata busybox sh
docker: Error response from daemon: oci runtime error: rpc error: code = Internal
desc = Could not run process: container_linux.go:348: starting container process
caused "process_linux.go:402: container init caused \"open /dev/ptmx: no such
file or directory\"".
```
This is caused by bogus devpts mount options. When run container with docker,
docker will assign a default devpts mount for every container which equals to
command below:
```
$ mount -t devpts -o nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5 \
devpts /dev/pts
```
This requires kernel config `CONFIG_DEVPTS_MULTIPLE_INSTANCES=y` to work properly
under kernel-4.1, but this option is already removed from latest kernel.
It's better to add it back for support older kernel than current 4.14.
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
When pcre-tools is installed before build/obs-service-tar_scm
then "build-mkbaselibs-20180629-289.1.noarch.rpm" is installed
as dependency but OBS repo does not have that rpm. So install
"pcre-tools" at the end and dockerfile builds fine on ppc64le.
Fixes: #139
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
govmm has ExecuteBlockdevAdd() function and ExecuteBlockdevDel() function
doesn't compatible with qemu 2.8,because blockdev-add and x-blockdev-del usages
are different between qemu 2.7 and qemu 2.8
Follow the qemu 2.7 and qemu 2.8 qmp-commands.txt documents to modify ExecuteBlockdevAdd()
function and ExecuteBlockdevDel() function to be compatible with qemu 2.8
Signed-off-by: flyflypeng <jiangpengfei9@huawei.com>
The minimum golang version should be defined *once* - in [1]. Since the
developer guide already provides a link to that human-readable file,
remove the hard-coded golang version number to avoid having to maintain
that part of the devguide.
Fixes#232.
[1] - https://github.com/kata-containers/runtime/blob/master/versions.yaml
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
If we hotplug a nic with args mq=on, its qdisc will be mq by default.
This aligns with cold plug nics.
Signed-off-by: Ruidong Cao <caoruidong@huawei.com>
Before calling any other command it is necessary to call
ExecuteQMPCapabilities() otherwise QEMU will not process the subsequent QMP
commands.
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
1.2.0 release changed the tarball file layout for the
Kata artifacts. Adjust scripts accordingly.
Fixes: #142
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
In order to be able to hotplug network devices such as vhost user
net, we need to be able to define a previously declared chardev as
a parameter of this new network device.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
create a use-cases subdirectory and add an initial use case,
booting a kata container which makes use of vpp vhost-user interface.
Fixes: #209
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
The tag_repos.sh script always check master. Now when we want
to know the version of kata we may want to choose a branch to check.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Kata is staring maintain mutiples braches. When we want to
update the project version now we need to have a target branch.
Add argument to choose kata branch we will use to create the PR.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit adds a couple of negative test cases for qmp.go, one
which checks that failed commands return errors and the other
checks that QMPStart exits gracefully when passed an invalid
socket path.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit adds some negative test cases for the append functions
in qemu.go that build up the qemu command line.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Update install documentation guide for fedora to include the
support for fedora 28.
Fixes#218
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Now that this issue has solved kata-containers/packaging#39,
we can remove the workaround for the proxy and the shim.
Fixes#216
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
kata-deploy container image changed format slightly as we've changed
the release tarball. Update to 1.2.0 and make adjustments accordingly.
Fixes: #135
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
We want all the static qemu is intalled in /opt/kata
use PREFIX variable to notify to configure script.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We were using an static prefix let allow the user choose where will be installed.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If the file is not found fail. We use this file
to identify what config we use to build the kernel.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Based ina a branch will query the current
kata version and needed hashes.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Accelerate the build process by not creating image again.
Add DEBUG flag to docker run.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
update scripts are relative to this script go to
it and then try to update.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add script to generate a tarball with kata binaries install kata
whitout pkgs.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
For 1.2.0 we are changing the format of the kata-deploy container image.
To avoid issues, pull an explicit version in our daemonset.
In a follow on PR we'll update the yaml/scripts to 1.2.0 format
Fixes: #135
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
We want to create pacakges based in different branches modify
function to get the yaml version needed to to that.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add long name bash options.
Make xtrace optional when DEBUG variable is set.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This will kill the process when the context is cancelled. As using a nil
context is not permitted it is necessary to substitute with a real
context if it is not initialised in the Config struct.
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
If we can not find a release number in a file this means
it is an new repository. This could happend when upload changes
for a new brach.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Since there have not been any major architecture changes
in Kata Containers since 1.0 release, bump version to latest
1.2.0 release. Also, add another supported machine type
"pseries" for IBM Power Systems. A typo is also fixed in this
commit.
Fixes#210
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
The #usage part of README talks about
cross building snap images for all "supported
architectures" not "supported images".
Also fold the "Usage" part into "Cross-build
snap images" section.
Fixes: #131
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Improve README by pointing to a specific sub-section
in runtime repo that actually talks about the possibility
of having multiple configurations files.
Fixes: #129
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
If no RTC is specified in the config then do not generate any RTC command line
options. RTC command line options are optional for QEMU so make Valid() return
false when presented with the empty version of the RTC struct containing empty
strings.
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Kernel building fails as part of "make snap" as
the kernel config file is renamed from ppc64le_kata_kvm_4.14.x
to powerpc_kata_kvm_4.14.x
Fixes: #127
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
install_yq() has no arch entry for
ppc64le and hence installing yq
fails on Power systems.
Fixes: #124
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
In addition to normal VFIO device, this patch adds VFIO mediated device
as a supplement to do hot plug on PCI(E) bridges.
Signed-off-by: Zhao Xinda <xinda.zhao@intel.com>
Add scripts to cross-build snap images for all supported
architectures using virtual machines
fixes#98
Signed-off-by: Julio Montes <julio.montes@intel.com>
With qemu 2.10, a write lock was added for qcow images that
prevents the same image to be passed more than once.
This can be over-ridden using the --share-rw option which is
desired for raw images.
This solves an issue with running Kata with devicemapper
using the privileged mode as in this case all devices on the host
are passed to the container using the block device associated
with the rootfs, causing it to be passed twice to qemu.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
For machines types based on PCIe like q35, device addr and bus must be specified.
For machines types based on PCI like pc, device addr must be specified and bus
is optional since devices can be hot plugged directly on the root bus.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Implement function to hotplug a network device to QEMU by fds.
Macvtap can only be hotplug by this way.
Signed-off-by: Ruidong Cao <caoruidong@huawei.com>
The kernel config file name prefix changed from
ppc64le to powerpc. This change broke the kernel
build on ppc64le. Fix the kernel build steps
accordingly.
Fixes: #207
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Implement function to hotplug virtio serial ports, the serial ports
are visible in the guest at the directory /dev/virtio-ports.
Signed-off-by: Julio Montes <julio.montes@intel.com>
implement function to hotplug character devices using as backend
unix sockets, binding a character device with a serial port allows
the communnication between processes running in the guest with
processes running in the host.
Signed-off-by: Julio Montes <julio.montes@intel.com>
`getfd` receives a file descriptor via SCM rights and assign it a name,
this command is useful to send file descriptors from the host, and then
hot plug devices that needs file descriptors like vhost-vsock-pci devices.
Signed-off-by: Julio Montes <julio.montes@intel.com>
`vhostfd` is used to specify the vhost-vsock device fd, and it holds
the context ID previously opened.
`disable-modern` is to disable the use of "modern" devices, by using virtio 0.9
instead of virtio 1.0. Particularly, this is useful when running the VM in a
nested environment.
Signed-off-by: Julio Montes <julio.montes@intel.com>
libcontainer limits the memory+swap usage by writing the limit at
/sys/fs/cgroup/memory/docker/$CONTID/memory.memsw.limit_in_bytes, this path
doesn't exist if CONFIG_MEMCG_SWAP and CONFIG_MEMCG_SWAP_ENABLED are not
enabled.
fixes#103
Signed-off-by: Julio Montes <julio.montes@intel.com>
Post Fix#111, the kernel config name is
expected is to be prefixed with powerpc instead
of ppc64le. Just rename the file to suit the scripts.
Fixes: #113
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
Run new script in arm server to build kernel, then find a minor
typo. An extra "/" in the end of default_kernel_config_dir will
cause error:
ERROR: failed to find default config
../src/github.com/kata-containers/packaging/kernel/configs//aarch64_kata_kvm_4.14.x
Signed-off-by: Wei Chen <wei.chen@arm.com>
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
https://github.com/kata-containers/runtime/pull/527 Removed the
hard-coded `initcall_debug` kernel option (as it generates a lot of
kernel output at boot).
Add the `initcall_debug` option to the "Enable full debug" section to
allow users to enable these potentially useful messages when debugging.
Fixes#204.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
shift $((OPTIND-1)) can be unsafe.To prevent unwanted
word-splitting all parameter expansions should be
double-quoted. Use the safe form for the command:
shift "$((OPTIND-1))"
Fixes: #109
Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
The debug console socket path looks to have moved from
the `sbs` dir to the `vm` dir. Update the docs to reflect
this.
Fixes: #202
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
After upgrading the kernel to latest 4.14.x kernel, there are new
kconfig options that need users to select in install-kata-kernel.sh.
the prompt will block the script. We update this config file to give
user a good defined default config.
The new kconfig options are about, “Meltdown” and “Spectre”. So I
selected them to yes by default in this config file:
CONFIG_ARM64_ERRATUM_1024718=y
CONFIG_QCOM_FALKOR_ERRATUM_E1041=y
CONFIG_UNMAP_KERNEL_AT_EL0=y
CONFIG_HARDEN_BRANCH_PREDICTOR=y
CONFIG_ARM64_SSBD=y
Fixed#106
Signed-off-by: Wei Chen <wei.chen@arm.com>
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Build image with agent and osbuilder with master by default.
If want to build a release tag just use -v <version> and
will use that osbuilder and agent tag.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
a few qemu options generated by configure-hypervisor.sh were only
suitable for amd64, leading compilation err in aarch64.
Fixes: #92
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
`vhostfd` is the vhost file descriptor that holds the socket context ID
`disable-modern` prevents qemu from relying on fast MMIO
Signed-off-by: Julio Montes <julio.montes@intel.com>
Make sure kernel config version is validated on test.
Also, increse Kata Kernel config version.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Today we have instructions to build the kernel
but there are a lot of manual steps to get one kernel.
This tries to automate the process to setup a kernel
for kata.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Implement function to hotplug vsocks, vsocks are needed
to communicate processes are running inside the VM
with processes are running on the host.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Now that initial files for kata-deploy have merged, we
have an initial image on dockerhub. s/egernst/katadocker
Fixes: #100
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
A Dockerfile is created and reference daemonsets are also
provided for deploying Kata Containers onto a running Kubernetes
cluster. A few daemonsets are introduced:
1) runtime-labeler: This daemonset will create a label on each node in
the cluster identifying the CRI shim in use. For example,
container-runtime=crio or container-runtime=containerd.
2) crio and containerd kata installer: Assuming either CRIO or
containerd is the CRI runtime on the node (determined based on label
from (1),, either the crio or containerd variant will execute. These daemonsets
will install the VM artifacts and host binaries required for using
Kata Containers. Once installed, it will add a node label kata-runtime=true
and reconfigure either crio or containerd to make use of Kata for untrusted workloads.
As a final step it will restart the CRI shim and kubelet. Upon deletion,
the daemonset will remove the kata binaries and VM artifacts and update
the label to kata-runtime=cleanup.
3) crio and containerd cleanup: Either of these two daemonsets will run,
pending the container-runtime label value and if the node has label
kata-runtime=cleanup. This daemonset simply restarts crio/containerd as
well as kubelet. This was not feasible in a preStepHook, hence the
seperate cleanup step.
An RBAC is created to allow the daemonsets to modify labels on the node.
To deploy kata:
kubectl apply -f kata-rbac.yaml
kubectl apply -f kata-deploy.yaml
To remove kata:
kubectl delete -f kata-deploy.yaml
kubectl apply -f kata-cleanup.yaml
kubectl delete -f kata-cleanup.yaml
kubectl delete -f kata-rbac.yaml
This initial commit is based on contributions by a few folks on
github.com/egernst/kata-deploy
Also-by: Saikrishna Edupuganti <saikrishna.edupuganti@intel.com>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Jon Olson <jonolson@google.com>
Signed-off-by: Ricardo Aravena <raravena@branch.io>
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Add script that will help to bump versions for all the projects.
Fixes: #49
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Journald, by default on some systems, will rate limit log messages,
and in the case of our 'enable full debug', will likely drop some
of our debug.
Document how to identify if this is happening, and how to configure
`systemd-journald` appropriately.
Fixes: #181
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
the yaml file is the recipe to build a snap image
with all Kata Containers components inside.
fixes#81
Signed-off-by: Julio Montes <julio.montes@intel.com>
We populate all the conent of a OBS project.
Lets remove after we checkout to the OBS project.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Packaging scripts search for patches in a directory
called 'patches'. We store the kernel patches in a diferent place
to make easy to mantain them.
Lets do a symlink to allow the automation find the patches.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We dont have commit when we build the pkg.
Lets define the COMMIT variable to kwnow the commit from each project.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
the installation takes a long time without print anything
add verbose to know is doing something.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
On each release we want to know the kernel config what was used.
Lets create a tag ${kata_verson}-kernel-config.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Make sure the osbuilder VERSION file is updated before tag
Also, sort repos alphabetically.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit fixes an issue with the log handlers defined by qmp_test.
The issue was picked up by the latest version of go vet on go tip.
qemu/qmp_test.go:56::error: missing ... in args forwarded to printf-like function (vet)
qemu/qmp_test.go:60::error: missing ... in args forwarded to printf-like function (vet)
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit enables the gas security checker on govmm builds. The
security checker has signalled 4 issues all of which I've checked
and have determined to be non issues. These issues are disabled
by this commit.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit enables staticcheck in the travis builds and fixes the existing
errors detected by staticcheck. There was one type of error repeated in
qemu.go in which the type of some constants was not explicitly specified.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
It is useful when we want to specify migration incoming source.
Supported source are fd and exec right now.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
This commit introduces the instructions to be able to run trendy
service mesh Istio and Conduit with Kata Containers. It provides
a bit of feedback on how they actually work to give the reader a
quick overview. After this introduction, it provides restrictions
and instructions to enable them with Kata Containers.
Fixes#171
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Excised an extraneous definite article in the install README.
How did we miss this in the review phase I wonder?
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add the new Google Compute Engine installation guide to the
installation README, reworking this doc to add in a table of contents
and a new "Cloud services" section.
Fixes#173.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Simplify the installation README by using relative URLs - let github
expand them automatically for readers.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The docker install guides end with a call to `docker run`. However, they
all specify `-ti` which is causing our CI to fail.
Remove the `-ti` so that the command works both under the CI and as
expected for the user.
Fixes#175.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Simplify the CI check that looks for modified install guides to catch
any modified document below `install/`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Build qemu if there is any change in static-build.
Do the same with the rest of projects in this repositoy.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This covers the GCP portion of #130.
Introduces a guide to configuring a VM image with nested virtualization. The
primary focus of the guide is the set of commands required for creating and
managing nested VMX GCE images. For Kata installation itself the guide defers
to the distribution-specific Kata documentation for actually installing Kata.
The upside is that it needn't be updated every time the instructions for a
given distribution change. The downside is that it is not a standalone
artifact.
Fixes: #155.
Signed-off-by: Jon Olson <jonolson@google.com>
Add functions to be used across the repository.
- get kata version deps
- die
- info
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
It allows a caller to use a local file as the memory backend of the
guest, and it also allows the file backed memory device to be set shared
or not.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
This repository is growing is due to different projects are living
here, kernel config and patches, obs scripts, kata-deploy, release tools.
Lets move the obs scripts to its own directory.
Fixes: #75
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
As the Developer-Guide[1] mentioned, the progress of installing
guest kernel images need a default kernel config file. But for
Arm64 architecture, this config file is missing.
In this patch, we provide a default Arm64 kernel config file for
Linux kernel 4.14.x.
Notes:
[1] https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
kernel_arch was being set to amd64 instead of x86_64
on intel. The kernel config file name starts with
x86_64 and hence this needs to be fixed.
Fixes: #158
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
This will add the RHEL installation guide for the OBS packages for
kata runtime.
Fixes#86
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
The install guides assumed that users wanted to install Docker. Since
there are other container managers, split the Docker-specific
instructions into separate documents (with backlinks) and allow the
user to choose between Docker or Kubernetes from the install guides.
Fixes#144.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Ensure the first mention of all the distro names in the install guides:
- Have the required asterisk after the name.
- Have a link to the website.
Also folded the overly long lines.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
We have new CPU constraints docs, now in this repo. Update the
Limitations document to reflect that.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Move all the Zun docs into their own subdir, and add a
Zun reference and link to the top level README index.
Fixes: #131
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Puts the nested virt/bare metal requirement in the top line
of the Install Guide and references the Kata hardware
check.
Signed-off-by: Anne Bertucio <anne@openstack.org>
The design subdir README index was a little slim and
potentially out of date, and was missing hotlinks to
some documents that did exist.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
The top level README.md index for the repository was a bit
slim on entries.
Add all the other docs in this repo to the index, and sort them
alphabetically by symbolic name (which may be slightly different
from the filename itself).
Fixes: #146
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
This commit updates all 3 installation instructions related to
Ubuntu, Fedora and Centos, providing a disclaimer about the k8s
installation. Particularly, it says that those docs are only
explaining how to run Kata Containers with Docker, and that the
user should refer to the developer documentation to read how
to install Kata for k8s.
Fixes#134
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This documentation update purpose is to propose an alternative to the
default Docker usage that was described. The developer wanting to
interact with Kubernetes will have the proper information to start.
Fixes#134
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
A few assumption were made, making the steps not working directly on
a clean system.
Fixes#134
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Moved static tests to CI setup script and added a new CI test to
execute all install guides if any one changes.
Fixes#132.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Updated the `Upgrading.md` document to ensure users remove the Clear
Containers throttler package to avoid conflicts with the Kata Container
equivalent.
Fixes#138.
Signed-off-by: Liu Changcheng <changcheng.liu@intel.com>
Add the version of config and patches we are using in a package.
Kernel version before:
4.14.22-128
Now:
4.14.22.1-128
Fixes: #45
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
In order to track the changes that we add to the kernel, lets
add a kata_config_version file that should be bumped whenever
a change is added to the kernel directory
Fixes#43.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add details to documentation requirements document explaining how we use
and format notes.
Fixes#125.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the install README and the install guides to point to the
upgrading document.
Fixes#119.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add document to describe to to setup kubernetes and "cri" containerd
Fixes: #87
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Now that we have a README for the installation guides, update the
developer guide to refer to that page, to avoid hard-coding links to
(some of) the installation guides.
Fixes#117.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The CentOS install guide was referencing an invalid package
(`dnf-plugins-core`) so update for the yum equivalent.
Fixes#329.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Remove backslash from centos url that was
preventing the $VERSION_ID to take its correct value.
Fixes: #112.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Remove the `bash` tag from the last command in the install guides where
we show the user how to create a container with a busybox shell. This
doesn't change the content of the document but it ensures that all bash
blocks can be run non-interactively (by the `kata-doc-to-script.sh`
script in the tests repo).
Fixes#109.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
cli events is now partly supported.It returns
the stats of a certain container.
OOM notification and Intel RDT stats are not supproted
as what runc does
Fixes: #103
Signed-off-by: Haomin <caihaomin@huawei.com>
Don't append to Kata-specific apt sources file to avoid apt warnings
and make the install idempotent.
Fixes#107.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Change the installation guides so that all commands the user must type
use an explicit bash code block rather than a standard code block.
This adds meaning to the documents and will then allow us to extract
the commands and run them for testing purposes.
Fixes#92.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Provide a pointer to the versions database to allow developers
to see the range of golang versions known to work.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add details of how to install the packaged components to start off with
a working system. This involved splitting out part of the "Assumptions"
section into a new "Initial setup" section.
Fixes#80.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add an appendix explaining how to setup a debug console to login to the
virtual machine for debugging.
Fixes#72.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
You cannot remove an existing rootfs directory without being `root`,
so use `sudo(8)` in the developer guide.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add a document explaining how to upgrade a system:
- Running Clear Containers.
- Already installed with Kata Containers binaries.
Also, include details of assets and how and when the are updated.
Fixes#69, fixes#78.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Allow kernel builds in fedora 28.
Ignore new warnings from gcc 8.
Fixes: #30
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
We can only set disable fno-semantic-interposition if the
gcc used to build qemu is 5.3 or newer.
CentOS provides an older gcc, then we need to not enable this
option if it is the case.
Fixes#32.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add details to the developer guide of how to obtain a backtrace by
sending a `SIGUSR1` signal to the component.
Fixes#70.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add brief details to the developer guide explaining that the
log parser can convert the format of the logs.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit adds the necessary spec files and scripts in order to be able to create
packages in OBS (Open Build System) and locally.
Fixes#15
Signed-off-by: Erick Cardona <erick.cardona.ruiz@intel.com>
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The link to the release checklist in the Releases document was linking
to the parent document, not the separate checklist document.
Fixes#73.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Remove more references to Clear in the images as well as text.
Reworked some sections for grammar/flow.
Immediate next steps:
1. At least the delete/kill command section needs to be cleaned
up/clarified
2. Move CRI-O UML flow example to its own section, or subection of CRI-O
3. Carve up UML diagram for basic docker example case.
4. Add section describing initrd configuration
5. Add section detailing the gRPC protocol
6. Agent section needs cleaning around gRPC description.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
There is still a lot in progress, but sharing a first pass.
To do includes:
-need updated pngs (s/cc/kata)
-'signifcant' cmd section could use (simple) UML
-Need better location, and possible split up the CRI UML example
-need description of CRI-containerd
-Missing API extensions and description
Should likely carve this up into smaller .mds, as no one should read
that much text, and I don't want to get more than 200 review comments.
Contributed to by: Julio Montes, Archana Shinde, Sebastien Boeuf, and
the original CC-3.0 doc.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
If ssh keys are not set ssh clone wont work.
Clone using https and push using ssh.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
- Add tests for release tool tag_repos.sh
- Toplevel makefile
- Add make test target for CI
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Add a document providing an overview of releases along with the
all-important release checklist.
Fixes#32.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add helper script to tag repos.
- Check all repos are in the same version
- Create annotated tags
- Push tags to the repos
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
If kata-runtime is already added as a runtime to
kata-containers.conf then you need not add it again.
Fixes: #49
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
We need to be able to specify the PCI slot for a bridge while
adding it.
Add test to verify bridge is correctly added.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Set the qemu major and minor version variables in the hypervisor
configuration script.
Partially fixes#13.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This enable data-plane for scsi. All drives attached to the
scsi controller will have their IO processed in a single separate
IO thread instead of qemu's main event loop.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
IOthreads also known as x-data-plane allow IO to
be processed in a separate thread rather than the main event
loop. This produces much better IO throughput and latency.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Qemu 2.11 does not support --disable-static flag and
--enable-strip flag, this patch adds a condition
to only use it for qemu 2.7 or older.
Fixes: #11.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Add details on how to disable the `initrd` config option to ensure the
base system as documented is functional.
Fixes#42.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This script will ensure we use a single source of qemu build
options for the Kata Containers project.
Fixes: #7.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
The table of contents showed an incorrect link for building and
installing the runtime.
Fixes#40.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Change the command to enable agent debug slightly so that even if the
config file specifies kernel parameters, the command will successfully
enable the agent debug.
Fixes#38.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
To fulfill the kata design requirements, and based on the disscusion on
Virtcontainers API extentions, runtime API early sketch and runtime API
comparison, this commit added the high level design of the kata runtime
library API.
fixes: #26
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Adding initial kata requirements list, based off of discussion from
kata-containers/runtime issue #31.
Fixes: #18
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
certain machines types need to have options to enable or disable features
For example the machine type virt in certain hosts must have the gic version
(gic-version=3 or gic-version=host) to start without problems
Signed-off-by: Julio Montes <julio.montes@intel.com>
Require an additional approval from a `documentation` team member for
PRs containing documentation changes.
Fixes#4.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
device_add qmp command for scsi devices accepts additional parameters like
scsi-id and lun. Implement function to add scsi devices. Devices
with drivers "scsi-hd", "scsi-cd" and "scsi-disk" are accepted.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Require two approvals from documentation team members before a PR
can land.
The configuration file is the same as those used for the other repos,
except for the approval team name.
Fixes#2.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit enables unit test coverage computation in Travis CI builds.
Going forward, builds that decrease the unit test coverage by more than
1.0% will fail.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
VSOCK sockets are added through a vhost PCI device.
It takes a device ID and a context ID, the latter being
the endpoint value to be reached from the host.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Introduce basic vhost-user-blk-pci support.
In adding this, cleaned up the QemuParams function to use a more
appropriate switch statement. Similarly, cleanup up the Valid() logic.
We still need to look into parameterization of the block parameter
fields as well as introducing multiqueue support for the vhost-user devices.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Some comments were network specific for vhost-user devices, which is
incorect. Fixed these.
Renamed the HWAddress field to be Address, so that it could potentially
be used more generically for non-network based vhost-user types.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
maxcpus is used to specify how many cpus a VM can have.
This attribute must be specified to enable the hotplugging CPUs capability,
otherwise the maximum number of CPU will be defined by the number of CPU
in -smp.
Signed-off-by: Julio Montes <julio.montes@intel.com>
There were some unchecked errors in some of the unit files relating to
the closure and removal of temporary files. As the closure and removal
of these files is not really important to whether the next passes or
fails we ignore the errors.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit adds a .travis file which enables Travis builds for
govmm. The script builds the source and runs the unit tests
and gometalinter enabling
- misspell
- vet
- ineffassign
- gofmt
- gocyclo 15
- golint
- errcheck
- deadcode
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit adds three documents:
- CONTRIBUTING.md ( a files describing how to contribute to the project )`
- COPYING ( the Apache 2.0 license )
- README.md ( a brief description of the project)
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit removes all the references to the ciao project. It also removes
some of the dependencies that the unit tests were pulling in.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Add ability to add a vhostuser device to the
QEMU commandline. We expect two different types of devices
to be connected through a vhostuser socket: SCSI and network.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Some QMP commands like ```query-hotpluggable-cpus``` returns a
response that needs to be processed and returned to the client as
a struct. This patch adds the function ```executeCommandWithResponse```
that returns the response of a QMP command.
Signed-off-by: Julio Montes <julio.montes@intel.com>
This patch adds a new function to hot plug VFIO devices on PCI(E) bridges,
This change allows to hot plug N VFIO devices in Qemu PC and Q35
Signed-off-by: Julio Montes <julio.montes@intel.com>
This change adds an additional parameter to CreateCloudInitISO that
allows users more control over the newly created xorriso process.
They can for instance specify the user under which the new qemu process
should run and which capabilities should be retained in the child
xorriso process.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This change adds an additional parameter to LaunchCustomQemu that
allows users more control over the newly created process. They can
for instance specify the user under which the new qemu process should
run and which capabilities should be retained in the child qemu
process.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
ExecutePCIDeviceAdd is a function that can be used to hot plug
devices directly on pci(e).0 or pci(e) bridges. ExecutePCIDeviceAdd
is PCI specific because unlike ExecuteDeviceAdd, it includes an
extra parameter to specify the device address on its parent bus.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Bridge struct represent pci bridges(pci-bridge) or
pcie bridges(pcie-pci-bridges), bridges can be used to
hot plug devices in pc and q35 machines
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add support for macvtap interfaces. This also brings in support
for generic multiqueue support in virt containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Add support to launch virtual machines where the RAM is
allocated using huge pages. This is useful for running
with a user mode networking stack, and for custom setups
which require high performance and low latency.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
VFIO is meant for exposing exposing direct device access
to the virtual machine.
Add ability to append VFIO devices to qemu command line.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Ciao has recently moved from github.com/01org/ciao to
github.com/ciao-project/ciao. This moves requires us to update our
import paths to build successfully.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
The Mlock knob is unfortunately tied to realtime.
Allow Mlock knob to implicitly enable realtime to get the
desired swapping behavior when swapping is desired.
Note: Realtime as implemented today can only be used to enable
swap, and as such does not really control realtime behaviour.
The knob is redundant but retained here just to ensure that
when more capabilities are added in future QEMU iterations
we can take advantage of the same.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Enable realtime options in QEMU. Also add support to control memory
locking. Turning realtime on with memory locking disabled allows
memory to be swapped out, potentially increasing density of VMs.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Add support for pre-allocating all of the RAM.
This increases the memory footprint of QEMU and should be used
only when needed.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
blockdev-del command has been added in qemu 2.9 to replace
x-blockdev-del command used earlier for deleting block devices.
Update ExecuteXBlockdevDel() to use this updated qmp command.
Rename ExecuteXBlockdevDel to ExecuteBlockdevDel as this no longer
executes x-block-del command for qemu>=2.9.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
For some cases, we have to disable the fast MMIO support, by disabling
virtio 1.0. The reason for this is that we want to be able to nest our
qemu VM inside a VM run by an hypervisor with no support for fast MMIO.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In case of a network device, and specifically virtio-net-pci, we have
to update to what is expected by qemu. In this case, the driver name
should be prefixed with "driver=".
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
With qemu 2.9, the qmp block-dev command was updated from:
{ "execute": "blockdev-add", "arguments": { "options": { ... } } }
to:
{ "execute": "blockdev-add", "arguments": { ... } }
Also, instead of id, blockdev-add now requires a node-name for the
root node(https://wiki.qemu.org/index.php/ChangeLog/2.9)
Store the version information with QMPStart and use that to issue
qmp command for adding block devices in the correct format.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Unfortunately the ununused linter is overzealous with some of the fields
that it things are unused as gophercloud relies on their values. So go
ahead with the most straightforward removals but do not enable unused on
travis builds.
ciao-image/datastore/datastore_test.go:28:5⚠️ var metaDsTables is unused (U1000) (unused)
ciao-controller/api/api_test.go:39:6⚠️ func myHostname is unused (U1000) (unused)
ciao-cli/identity.go:58:3⚠️ field Description is unused (U1000) (unused)
ciao-cli/identity.go:59:3⚠️ field DomainID is unused (U1000) (unused)
ciao-cli/identity.go:60:3⚠️ field Enabled is unused (U1000) (unused)
ciao-cli/identity.go:62:3⚠️ field ParentID is unused (U1000) (unused)
ciao-cli/identity.go:63:3⚠️ field Links is unused (U1000) (unused)
ciao-cli/identity.go:70:3⚠️ field Self is unused (U1000) (unused)
ciao-cli/identity.go:71:3⚠️ field Previous is unused (U1000) (unused)
ciao-cli/identity.go:72:3⚠️ field Next is unused (U1000) (unused)
ciao-cli/identity.go:207:3⚠️ field Next is unused (U1000) (unused)
ciao-cli/identity.go:208:3⚠️ field Previous is unused (U1000) (unused)
ciao-cli/identity.go:209:3⚠️ field Self is unused (U1000) (unused)
ciao-cli/identity.go:213:3⚠️ field Description is unused (U1000) (unused)
ciao-cli/identity.go:214:3⚠️ field DomainID is unused (U1000) (unused)
ciao-cli/identity.go:215:3⚠️ field Enabled is unused (U1000) (unused)
ciao-cli/identity.go:217:3⚠️ field Links is unused (U1000) (unused)
ciao-cli/identity.go:221:3⚠️ field ParentID is unused (U1000) (unused)
ciao-cli/main.go:105:6⚠️ type action is unused (U1000) (unused)
ciao-cli/volume.go:37:6⚠️ type customVolumeExt is unused (U1000) (unused)
ciao-cli/volume.go:39:2⚠️ field customVolumeExt is unused (U1000) (unused)
networking/ciao-cnci-agent/network.go:98:8⚠️ const maxKey is unused (U1000) (unused)
networking/libsnnet/tests/parallel/parallel_test.go:371:6⚠️ func dockerNetList is unused (U1000) (unused)
networking/libsnnet/tests/parallel/parallel_test.go:379:6⚠️ func dockerNetInfo is unused (U1000) (unused)
openstack/compute/api.go:308:2⚠️ const limit is unused (U1000) (unused)
openstack/compute/api.go:309:2⚠️ const marker is unused (U1000) (unused)
openstack/compute/api.go:312:6⚠️ type pager is unused (U1000) (unused)
openstack/compute/api.go:313:2⚠️ func pager.filter is unused (U1000) (unused)
openstack/compute/api.go:314:2⚠️ func pager.nextPage is unused (U1000) (unused)
openstack/compute/api_test.go:34:6⚠️ func myHostname is unused (U1000) (unused)
ciao-controller/api.go:72:2⚠️ const statusFilter is unused (U1000) (unused)
ciao-controller/api.go:75:6⚠️ type pager is unused (U1000) (unused)
ciao-controller/api.go:76:2⚠️ func pager.filter is unused (U1000) (unused)
ciao-controller/api.go:77:2⚠️ func pager.nextPage is unused (U1000) (unused)
ciao-controller/api.go:136:25⚠️ func (*nodePager).filter is unused (U1000) (unused)
ciao-controller/api.go:198:31⚠️ func (*nodeServerPager).filter is unused (U1000) (unused)
ciao-controller/controller_test.go:107:6⚠️ func addTestTenantNoCNCI is unused (U1000) (unused)
ciao-controller/controller_test.go:1104:6⚠️ func startTestWorkload is unused (U1000) (unused)
ciao-controller/controller_test.go:1123:6⚠️ func testStartWorkloadLaunchCNCI is unused (U1000) (unused)
ciao-controller/openstack_compute.go:552:5⚠️ field Links is unused (U1000) (unused)
qemu/qmp_test.go:493:3⚠️ const seconds is unused (U1000) (unused)
qemu/qmp_test.go:494:3⚠️ const microsecondsEv1 is unused (U1000) (unused)
qemu/qmp_test.go:495:3⚠️ const device is unused (U1000) (unused)
qemu/qmp_test.go:496:3⚠️ const path is unused (U1000) (unused)
templateutils/example_test.go:53:3⚠️ field hidden is unused (U1000) (unused)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Add structcheck to the list of linters used on travis runs.
ciao-cli/event.go:109:2⚠️ unused struct field github.com/01org/ciao/ciao-cli.eventDeleteCommand.all (structcheck)
ciao-cli/event.go:110:2⚠️ unused struct field github.com/01org/ciao/ciao-cli.eventDeleteCommand.tenant (structcheck)
ciao-cli/external_ips.go:636:2⚠️ unused struct field github.com/01org/ciao/ciao-cli.poolAddCommand.ips (structcheck)
ciao-cli/node.go:43:2⚠️ unused struct field github.com/01org/ciao/ciao-cli.nodeListCommand.nodeID (structcheck)
ciao-controller/client_wrapper_test.go:29:2⚠️ unused struct field github.com/01org/ciao/ciao-controller.ssntpClientWrapper.ctl (structcheck)
qemu/qmp.go:111:2⚠️ unused struct field github.com/01org/ciao/qemu.qmpResult.data (structcheck)
ssntp/ssntp_test.go:193:2⚠️ unused struct field github.com/01org/ciao/ssntp_test.ssntpClient.evtTracedChannel (structcheck)
ssntp/ssntp_test.go:192:2⚠️ unused struct field github.com/01org/ciao/ssntp_test.ssntpClient.staTracedChannel (structcheck)
ssntp/ssntp_test.go:194:2⚠️ unused struct field github.com/01org/ciao/ssntp_test.ssntpClient.errTracedChannel (structcheck)
ssntp/server.go:75:2⚠️ unused struct field github.com/01org/ciao/ssntp.Server.roleVerify (structcheck)
networking/ciao-cnci-agent/client.go:97:2⚠️ unused struct field github.com/01org/ciao/networking/ciao-cnci-agent.agentClient.netCh (structcheck)
testutil/agent.go:37:2⚠️ unused struct field github.com/01org/ciao/testutil.SsntpTestClient.ticker (structcheck)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
And add varcheck to the list of linters used on travis runs (with an
increased deadline.)
ciao-launcher/qemu_test.go:31:5⚠️ unused variable or constant imageInfoTestGood (varcheck)
ciao-launcher/qemu_test.go:44:5⚠️ unused variable or constant imageInfoTestMissingBytes (varcheck)
ciao-launcher/qemu_test.go:57:5⚠️ unused variable or constant imageInfoTestMissingLine (varcheck)
ciao-launcher/qemu_test.go:69:5⚠️ unused variable or constant imageInfoTooBig (varcheck)
ciao-launcher/qemu_test.go:82:5⚠️ unused variable or constant imageInfoBadBytes (varcheck)
configuration/configuration_test.go:35:7⚠️ unused variable or constant glanceURL (varcheck)
ciao-controller/controller_test.go:1918:5⚠️ unused variable or constant testClients (varcheck)
qemu/qmp_test.go:44:2⚠️ unused variable or constant qmpSuccess (varcheck)
qemu/qmp_test.go:45:2⚠️ unused variable or constant qmpFailure (varcheck)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
The existing NetDevice relies on virtio-net driver, but there is a
useful PCI variant which was not available: virtio-net-pci.
This patch adds this new driver and adds two parameters specific to
this: "bus" and "addr".
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
The code that handles the serialization and cancelling of QMP commands
is a little complex and it took me some time to remember how it actually
works and why it works in this particular way. For this reason I've
added some comments which will hopefully make the next bug fix in this
area a little less painful.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
There was a bug with the cancelling of commands that meant that when
an attempt was made to cancel a command and then to issue a second
command, the first, cancelled command was re-issued. This commit
fixes the issue and adds a new test case to check that cancelling
of commands does indeed work. There was also an issue with the
test harness which meant that tests that issued more than one command
were not actually testing the second and third commands.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Launcher's ConfigDrive ISO creation function, createCloudInitISO has
been moved to the qemu package so that it can be re-used by ciao-down.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
When creating a CharDevice, we need to add a "bus" parameter
so that it can match the serial pci device previously created.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
We add a new device driver, and also a name to the CharDev structure
this is needed for qemu to actually create the serial port on
the guest.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The QMP socket implementation does not support multiple clients sending
and receiving QMP commands. As a consequence we need to be able to
create multiple QMP sockets from the qemu package, so that at least we
can support a fixed number of QMP clients.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
When we get no virtual console to plug into, we may want qemu to create
a socket where we can asynchronously connect to.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
All file descriptors will come from specific devices configurations, so
this patch:
1) Make the Config FDs file private
2) Provide an appendFDs() method for Config, that takes a slice of
os.File pointers and
a) Adds them to the Config private fd slice
b) Return a slice of ints that represent the file descriptors for
these device specific files, as seen by the qemu process.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
It is a private field now, and all append*() routines are now
Config methods instead of private qemu functions.
Since we will have to carry a kernelParams private field as well,
this change will keep all built parameters internal and make things
consistent.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
By adding QemuParams() to the Device interface, we can get rid of the
driver structure and simplify further the appendDevices() routine.
With that implementation we can generate the following qemu parameters:
"-device virtio-9p-pci,fsdev=foo,mount_tag=rootfs -fsdev local,id=foo,path=/bar/foo,security-model=none"
from these single structures:
fsdev := FSDevice{
Driver: Virtio9P
FSDriver: Local,
ID: "foo",
Path: "/bar/foo",
MountTag: "rootfs",
SecurityModel: None,
}
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Instead of open coding the RTC fields, we now have specific types for
it.
We also have a RTC unit test now.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Having separate structures for the qemu driver definitions
and each possible device definitions is confusing and error prone as one
needs to be very careful using matching IDs and names in both
structures.
As the driver parameter can be derived from the device
ones, this patch changes the Device and Driver structures to be linked
together, i.e. each driver needs to have its corresponding device.
For example this allows us to build the following 9pfs qemu parameters:
"-fsdev local,id=foo,path=/bar/foo,security-model=none -device virtio-9p-pci,fsdev=foo,mount_tag=rootfs"
from these structures:
fsdev := FSDevice{
Driver: Local,
ID: "foo",
Path: "/bar/foo",
MountTag: "rootfs",
SecurityModel: None,
}
driver := Driver{
Driver: Virtio9P,
Device: fsdev,
}
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
With the NetDev and MACAddress strings, we can now create networking
device drivers.
We also add a unit test for netdev Device creation.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
We can now specify if we want vhost to be enabled and wich fds we should
use for multiqueue support.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The NetDevice structure represents a network device to be emulated by
qemu.
We also add the corresponding unit test.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The Knobs structure groups all qemu isolated boolean settings.
For now this is -no-user-config, -no-defaults and -nographic.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The extraParams is confusing and can conflict with the rest of the
Config structure definitions.
We remove it and will add new fields to that structure as needed.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Here we group the machine type and acceleration together as they are
defined through the same qemu parameter (-machine).
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The Global string represents the set of default Device driver properties
we want qemu to use. This is mostly useful for automatically created
devices.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The SMP structure defines the amount of virtual CPUs, sockets, and
threads per CPU that is made available to the guest.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The Memory field holds the guest memory configuration.
It is used to define the current and maximum RAM is made available to
the guest and how this amount of RAM is splitted into several slots.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Qemu character devices typically allow for sending traffic from the
guest to the host by emulating a console, a tty, a serial device for
example.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Each Filesystem device should have a corresponding "virtio-9p-pci"
Device driver. They represent a filesystem to be exported through 9pfs.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The Kernel structure holds the guest kernel configuration: its path and
its parameters. This is the kernel qemu will boot the VM from.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The Object slice tells qemu which specific object to create.
Qemu objects can represent memory backend files, random number
generators, TLS credentials, etc...
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
We may need to support a large range of devices in the qemu created VM
and the Device slice allows us to define which drivers are needed.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
QMP sockets are used to send qemu specific commands to the running qemu
process.
The QMPSocket structure allows us to define the socket type we want,
along with its name.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
LaunchQemu() now takes a Config structure that contains some more
descriptive fields than raw qemu parameter strings.
LaunchQemu is now simpler to call and more extensible as supporting more
qemu parameters would mean expanding Config instead of changing the API.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Ciao will use the new standard library context package from now on.
This will allow us to use some of the new standard library functions
such as DialContext.
Partial fix for issue #541
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
Fix ciao/qemu/qmp.go:349:3: ineffectual assignment to ok.
Strictly speaking this is a bug in ineffassign but it's easier
to change the ciao code.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
There's no point in setting cmd.ExtraFiles if the fds array is an
empty slice. This won't do any harm but is essentially a no-op.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
This commit adds some package documentation to the qemu package,
including an overview of the package and an example of its use.
Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
## This repo is part of [Kata Containers](https://katacontainers.io)
For details on how to contribute to the Kata Containers project, please see the main [contributing document](https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md).
For details on how to contribute to the Kata Containers project, please see the main [contributing document](https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md).
which contains a number of sections for various parts of the Kata
Containers system including the [runtime](src/runtime), the
[agent](src/agent) and the [hypervisor](#hypervisors).
## Hypervisors
See the [hypervisors document](docs/hypervisors.md) and the
[Hypervisor specific configuration details](src/runtime/README.md#hypervisor-specific-configuration).
## Community
To learn more about the project, its community and governance, see the
[community repository](https://github.com/kata-containers/community). This is
the first place to go if you wish to contribute to the project.
## Getting help
See the [community](#community) section for ways to contact us.
### Raising issues
Please raise an issue
[in this repository](https://github.com/kata-containers/kata-containers/issues).
> **Note:**
>
> - If an issue affects only a single component, it should be raised in that
> components repository.
> If you are reporting a security issue, please follow the [vulnerability reporting process](https://github.com/kata-containers/community#vulnerability-handling)
## Kata Containers repositories
## Developers
### CI
See the [developer guide](docs/Developer-Guide.md).
The [CI](https://github.com/kata-containers/ci) repository stores the Continuous
Integration (CI) system configuration information.
### Components
### Community
### Main components
The [Community](https://github.com/kata-containers/community) repository is
the first place to go if you want to use or contribute to the project.
The table below lists the core parts of the project:
### Code Repositories
| Component | Type | Description |
|-|-|-|
| [runtime](src/runtime) | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| [agent](src/agent) | core | Management process running inside the virtual machine / POD that sets up the container environment. |
| [documentation](docs) | documentation | Documentation common to all components (such as design and install documentation). |
| [tests](https://github.com/kata-containers/tests) | tests | Excludes unit tests which live with the main code. |
#### Kata Containers-developed components
### Additional components
##### Agent
The table below lists the remaining parts of the project:
The [`kata-agent`](src/agent/README.md) runs inside the
virtual machine and sets up the container environment.
| Component | Type | Description |
|-|-|-|
| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
| [kernel](https://www.kernel.org) | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored [here](tools/packaging/kernel). |
| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
| [`agent-ctl`](src/tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
| [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
| [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |
##### KSM throttler
### Packaging and releases
The [`kata-ksm-throttler`](https://github.com/kata-containers/ksm-throttler)
is an optional utility that monitors containers and deduplicates memory to
maximize container density on a host.
Kata Containers is now
[available natively for most distributions](docs/install/README.md#packaged-installation-methods).
However, packaging scripts and metadata are still used to generate snap and GitHub releases. See
the [components](#components) section for further details.
##### Proxy
## Glossary of Terms
The [`kata-proxy`](https://github.com/kata-containers/proxy) is a process that
runs on the host and co-ordinates access to the agent running inside the
virtual machine.
##### Runtime
The [`kata-runtime`](src/runtime/README.md) is usually
invoked by a container manager and provides high-level verbs to manage
containers.
##### Shim
The [`kata-shim`](https://github.com/kata-containers/shim) is a process that
runs on the host. It acts as though it is the workload (which actually runs
inside the virtual machine). This shim is required to be compliant with the
Jun 29 14:51:17 mymachine systemd-journald[346]: Suppressed 4150 messages from /system.slice/docker.service
```
This message indicates that a number of log messages from the `docker.service` slice were
suppressed. In such a case, you can expect to have incomplete logging information
stored from the Kata Containers components.
#### Disabling `systemd-journald` rate limiting
In order to capture complete logs from the Kata Containers components, you
need to reduce or disable the `systemd-journald` rate limit. Configure
this at the global `systemd-journald` level, and it will apply to all system slices.
To disable `systemd-journald` rate limiting at the global level, edit the file
`/etc/systemd/journald.conf`, and add/uncomment the following lines:
```
RateLimitInterval=0s
RateLimitBurst=0
```
Restart `systemd-journald` for the changes to take effect:
```sh
$ sudo systemctl restart systemd-journald
```
# Create and install rootfs and initrd image
## Build a custom Kata agent - OPTIONAL
> **Note:**
>
> - You should only do this step if you are testing with the latest version of the agent.
The agent is built with a statically linked `musl.` The default `libc` used is `musl`, but on `ppc64le` and `s390x`, `gnu` should be used. To configure this:
```
$ export ARCH=$(uname -m)
$ if [ "$ARCH" = "ppc64le" -o "$ARCH" = "s390x" ]; then export LIBC=gnu; else export LIBC=musl; fi
> - You must ensure that the *default Docker runtime* is `runc` to make use of
> the `USE_DOCKER` variable. If that is not the case, remove the variable
> from the previous command. See [Checking Docker default runtime](#checking-docker-default-runtime).
> - If you do *not* wish to build under Docker, remove the `USE_DOCKER`
> variable in the previous command and ensure the `qemu-img` command is
> available on your system.
> - If `qemu-img` is not installed, you will likely see errors such as `ERROR: File /dev/loop19p1 is not a block device` and `losetup: /tmp/tmp.bHz11oY851: Warning: file is smaller than 512 bytes; the loop device may be useless or invisible for system tools`. These can be mitigated by installing the `qemu-img` command (available in the `qemu-img` package on Fedora or the `qemu-utils` package on Debian).
You can build and install the guest kernel image as shown [here](../tools/packaging/kernel/README.md#build-kata-containers-kernel).
# Install a hypervisor
When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the
`QEMU` VMM is installed automatically. Cloud-Hypervisor and Firecracker VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/README.md).
You may choose to manually build your VMM/hypervisor.
## Build a custom QEMU
Kata Containers makes use of upstream QEMU branch. The exact version
and repository utilized can be found by looking at the [versions file](../versions.yaml).
Find the correct version of QEMU from the versions file:
See the [static-build script for QEMU](../tools/packaging/static-build/qemu/build-static-qemu.sh) for a reference on how to get, setup, configure and build QEMU for Kata.
### Build a custom QEMU for aarch64/arm64 - REQUIRED
> **Note:**
>
> - You should only do this step if you are on aarch64/arm64.
> - You should include [Eric Auger's latest PCDIMM/NVDIMM patches](https://patchwork.kernel.org/cover/10647305/) which are
> under upstream review for supporting NVDIMM on aarch64.
>
You could build the custom `qemu-system-aarch64` as required with the following command:
Kata containers provides two ways to connect to the guest. One is using traditional login service, which needs additional works. In contrast the simple debug console is easy to setup.
### Simple debug console setup
Kata Containers 2.0 supports a shell simulated *console* for quick debug purpose. This approach uses VSOCK to
connect to the shell running inside the guest which the agent starts. This method only requires the guest image to
contain either `/bin/sh` or `/bin/bash`.
#### Enable agent debug console
Enable debug_console_enabled in the `configuration.toml` configuration file:
```
[agent.kata]
debug_console_enabled = true
```
This will pass `agent.debug_console agent.debug_console_vport=1026` to agent as kernel parameters, and sandboxes created using this parameters will start a shell in guest if new connection is accept from VSOCK.
#### Start `kata-monitor` - ONLY NEEDED FOR 2.0.x
For Kata Containers `2.0.x` releases, the `kata-runtime exec` command depends on the`kata-monitor` running, in order to get the sandbox's `vsock` address to connect to. Thus, first start the `kata-monitor` process.
```
$ sudo kata-monitor
```
`kata-monitor` will serve at `localhost:8090` by default.
#### Connect to debug console
Command `kata-runtime exec` is used to connect to the debug console.
`kata-runtime exec` has a command-line option `runtime-namespace`, which is used to specify under which [runtime namespace](https://github.com/containerd/containerd/blob/master/docs/namespaces.md) the particular pod was created. By default, it is set to `k8s.io` and works for containerd when configured
with Kubernetes. For CRI-O, the namespace should set to `default` explicitly. This should not be confused with [Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
For other CRI-runtimes and configurations, you may need to set the namespace utilizing the `runtime-namespace` option.
If you want to access guest OS through a traditional way, see [Traditional debug console setup)](#traditional-debug-console-setup).
### Traditional debug console setup
By default you cannot login to a virtual machine, since this can be sensitive
from a security perspective. Also, allowing logins would require additional
packages in the rootfs, which would increase the size of the image used to
boot the virtual machine.
If you want to login to a virtual machine that hosts your containers, complete
the following steps (using rootfs or initrd image).
> **Note:** The following debug console instructions assume a systemd-based guest
> O/S image. This means you must create a rootfs for a distro that supports systemd.
> Currently, all distros supported by [osbuilder](../tools/osbuilder) support systemd
> except for Alpine Linux.
>
> Look for `INIT_PROCESS=systemd` in the `config.sh` osbuilder rootfs config file
> to verify an osbuilder distro supports systemd for the distro you want to build rootfs for.
> For an example, see the [Clear Linux config.sh file](../tools/osbuilder/rootfs-builder/clearlinux/config.sh).
>
> For a non-systemd-based distro, create an equivalent system
> service using that distro’s init system syntax. Alternatively, you can build a distro
> that contains a shell (e.g. `bash(1)`). In this circumstance it is likely you need to install
> additional packages in the rootfs and add “agent.debug_console” to kernel parameters in the runtime
> config file. This tells the Kata agent to launch the console directly.
>
> Once these steps are taken you can connect to the virtual machine using the [debug console](Developer-Guide.md#connect-to-the-virtual-machine-using-the-debug-console).
#### Create a custom image containing a shell
To login to a virtual machine, you must
[create a custom rootfs](#create-a-rootfs-image) or [custom initrd](#create-an-initrd-image---optional)
containing a shell such as `bash(1)`. For Clear Linux, you will need
an additional `coreutils` package.
For example using CentOS:
```
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder
See [Privileged Kata Containers](how-to/privileged.md) for how to configure some of this behavior.
# Appendices
## The constraints challenge
Applying resource constraints such as cgroup, CPU, memory, and storage to a workload is not always straightforward with a VM based system. A Kata Container runs in an isolated environment inside a virtual machine. This, coupled with the architecture of Kata Containers, offers many more possibilities than are available to traditional Linux containers due to the various layers and contexts.
In some cases it might be necessary to apply the constraints to multiple levels. In other cases, the hardware isolated VM provides equivalent functionality to the the requested constraint.
The following examples outline some of the various areas constraints can be applied:
- Inside the VM
Constrain the guest kernel. This can be achieved by passing particular values through the kernel command line used to boot the guest kernel. Alternatively, sysctl values can be applied at early boot.
- Inside the container
Constrain the container created inside the VM.
- Outside the VM:
- Constrain the hypervisor process by applying host-level constraints.
- Constrain all processes running inside the hypervisor.
This can be achieved by specifying particular hypervisor configuration options.
Note that in some circumstances it might be necessary to apply particular constraints
to more than one of the previous areas to achieve the desired level of isolation and resource control.
* [Installation guides](./install/README.md): Install and run Kata Containers with Docker or Kubernetes
## Tracing
See the [tracing documentation](tracing.md).
## More User Guides
* [Upgrading](Upgrading.md): how to upgrade from [Clear Containers](https://github.com/clearcontainers) and [runV](https://github.com/hyperhq/runv) to [Kata Containers](https://github.com/kata-containers) and how to upgrade an existing Kata Containers system to the latest version.
* [Limitations](Limitations.md): differences and limitations compared with the default [Docker](https://www.docker.com/) runtime,
[`runc`](https://github.com/opencontainers/runc).
### How-to guides
See the [how-to documentation](how-to).
## Kata Use-Cases
* [GPU Passthrough with Kata](./use-cases/GPU-passthrough-and-Kata.md)
* [SR-IOV with Kata](./use-cases/using-SRIOV-and-kata.md)
* [Intel QAT with Kata](./use-cases/using-Intel-QAT-and-kata.md)
* [SPDK vhost-user with Kata](./use-cases/using-SPDK-vhostuser-and-kata.md)
* [Intel SGX with Kata](./use-cases/using-Intel-SGX-and-kata.md)
## Developer Guide
Documents that help to understand and contribute to Kata Containers.
### Design and Implementations
* [Kata Containers Architecture](design/architecture): Architectural overview of Kata Containers
* [Kata Containers E2E Flow](design/end-to-end-flow.md): The entire end-to-end flow of Kata Containers
* [Kata Containers design](./design/README.md): More Kata Containers design documents
* [Kata Containers threat model](./threat-model/threat-model.md): Kata Containers threat model
### How to Contribute
* [Developer Guide](Developer-Guide.md): Setup the Kata Containers developing environments
* [How to contribute to Kata Containers](https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md)
This document lists the tasks required to create a Kata Release.
## Requirements
- [hub](https://github.com/github/hub)
* Using an [application token](https://github.com/settings/tokens) is required for hub.
- GitHub permissions to push tags and create releases in Kata repositories.
- GPG configured to sign git tags. https://help.github.com/articles/generating-a-new-gpg-key/
- You should configure your GitHub to use your ssh keys (to push to branches). See https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/.
* As an alternative, configure hub to push and fork with HTTPS, `git config --global hub.protocol https` (Not tested yet) *
## Release Process
### Bump all Kata repositories
Bump the repositories using a script in the Kata packaging repo, where:
-`BRANCH=<the-branch-you-want-to-bump>`
-`NEW_VERSION=<the-new-kata-version>`
```
$ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
If you create a new stable branch, i.e. if your release changes a major or minor version number (not a patch release), then
you should modify the `tests` repository to point to that newly created stable branch and not the `main` branch.
The objective is that changes in the CI on the main branch will not impact the stable branch.
In the test directory, change references the main branch in:
* `README.md`
* `versions.yaml`
* `cmd/github-labels/labels.yaml.in`
* `cmd/pmemctl/pmemctl.sh`
* `.ci/lib.sh`
* `.ci/static-checks.sh`
See the commits in [the corresponding PR for stable-2.1](https://github.com/kata-containers/tests/pull/3504) for an example of the changes.
### Merge all bump version Pull requests
- The above step will create a GitHub pull request in the Kata projects. Trigger the CI using `/test` command on each bump Pull request.
- Trigger the test-kata-deploy workflow on the kata-containers repository bump Pull request using `/test_kata_deploy` (monitor under the "action" tab).
- Check any failures and fix if needed.
- Work with the Kata approvers to verify that the CI works and the pull requests are merged.
### Tag all Kata repositories
Once all the pull requests to bump versions in all Kata repositories are merged,
tag all the repositories as shown below.
```
$ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
$ git checkout <kata-branch-to-release>
$ git pull
$ ./tag_repos.sh -p -b "$BRANCH" tag
```
### Check Git-hub Actions
We make use of [GitHub actions](https://github.com/features/actions) in this [file](../.github/workflows/release.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-containers` repository.
Check the [actions status page](https://github.com/kata-containers/kata-containers/actions) to verify all steps in the actions workflow have completed successfully. On success, a static tarball containing Kata release artifacts will be uploaded to the [Release page](https://github.com/kata-containers/kata-containers/releases).
### Create release notes
We have a script in place in the packaging repository to create release notes that include a short-log of the commits across Kata components.
Run the script as shown below:
```
$ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
# Note: OLD_VERSION is where the script should start to get changes.
Note, the stable-2.2 branch will still exist with tag 2.2.1, but under current plans it is
not maintained further. The next tag applied to main will be 2.4.0-alpha0. We would then
create a couple of alpha releases gathering features targeted for that particular release (in
this case 2.4.0), followed by a release candidate. The release candidate marks a feature freeze.
A new stable branch is created for the release candidate. Only bug fixes and any security issues
are added to the branch going forward until release 2.4.0 is made.
## Backporting Process
Development that occurs against the main branch and applicable code commits should also be submitted
against the stable branches. Some guidelines for this process follow::
1. Only bug and security fixes which do not introduce inter-component dependencies are
candidates for stable branches. These PRs should be marked with "bug" in GitHub.
2. Once a PR is created against main which meets requirement of (1), a comparable one
should also be submitted against the stable branches. It is the responsibility of the submitter
to apply their pull request against stable, and it is the responsibility of the
reviewers to help identify stable-candidate pull requests.
## Continuous Integration Testing
The test repository is forked to create stable branches from main. Full CI
runs on each stable and main PR using its respective tests repository branch.
### An alternative method for CI testing:
Ideally, the continuous integration infrastructure will run the same test suite on both main
and the stable branches. When tests are modified or new feature tests are introduced, explicit
logic should exist within the testing CI to make sure only applicable tests are executed against
stable and main. While this is not in place currently, it should be considered in the long term.
## Release Management
### Patch releases
Releases are made every four weeks, which include a GitHub release as
well as binary packages. These patch releases are made for both stable branches, and a "release candidate"
for the next `MAJOR` or `MINOR` is created from main. If there are no changes across all the repositories, no
release is created and an announcement is made on the developer mailing list to highlight this.
If a release is being made, each repository is tagged for this release, regardless
of whether changes are introduced. The release schedule can be seen on the
[release rotation wiki page](https://github.com/kata-containers/community/wiki/Release-Team-Rota).
If there is urgent need for a fix, a patch release will be made outside of the planned schedule.
The process followed for making a release can be found at [Release Process](Release-Process.md).
## Minor releases
### Frequency
Minor releases are less frequent in order to provide a more stable baseline for users. They are currently
running on a sixteen weeks cadence. The release schedule can be seen on the
[release rotation wiki page](https://github.com/kata-containers/community/wiki/Release-Team-Rota).
### Compatibility
Kata guarantees compatibility between components that are within one minor release of each other.
This is critical for dependencies which cross between host (shimv2 runtime) and
the guest (hypervisor, rootfs and agent). For example, consider a cluster with a long-running
deployment, workload-never-dies, all on Kata version 2.1.3 components. If the operator updates
the Kata components to the next new minor release (i.e. 2.2.0), we need to guarantee that the 2.2.0
shimv2 runtime still communicates with 2.1.3 agent within workload-never-dies.
Handling live-update is out of the scope of this document. See this [`kata-runtime` issue](https://github.com/kata-containers/runtime/issues/492) for details.
API in terms of the way the container lifecycle is split into
different verbs. Rather than calling the runtime multiple times, the
container manager creates a socket and passes it to the shimv2
runtime. The socket is a bi-directional communication channel that
uses a gRPC based protocol to allow the container manager to send API
calls to the runtime, which returns the result to the container
manager using the same channel.
The shimv2 architecture allows running several containers per VM to
support container engines that require multiple containers running
inside a pod.
With the new architecture [Kubernetes](kubernetes.md) can
launch both Pod and OCI compatible containers with a single
[runtime](#runtime) shim per Pod, rather than `2N+1` shims. No stand
alone `kata-proxy` process is required, even if VSOCK is not
available.
## Workload
The workload is the command the user requested to run in the
container and is specified in the [OCI bundle](background.md#oci-bundle)'s
configuration file.
In our [example](example-command.md), the workload is the `sh(1)` command.
### Workload root filesystem
For details of how the [runtime](#runtime) makes the
[container image](background.md#container-image) chosen by the user available to
the workload process, see the
[Container creation](#container-creation) and [storage](#storage) sections.
Note that the workload is isolated from the [guest VM](#environments) environment by its
surrounding [container environment](#environments). The guest VM
environment where the container runs in is also isolated from the _outer_
[host environment](#environments) where the container manager runs.
## System overview
### Environments
The following terminology is used to describe the different or
environments (or contexts) various processes run in. It is necessary
to study this table closely to make sense of what follows:
| Type | Name | Virtualized | Containerized | rootfs | Rootfs device type | Mount type | Description |
|-|-|-|-|-|-|-|-|
| Host | Host | no `[1]` | no | Host specific | Host specific | Host specific | The environment provided by a standard, physical non virtualized system. |
| VM root | Guest VM | yes | no | rootfs inside the [guest image](guest-assets.md#guest-image) | Hypervisor specific `[2]` | `ext4` | The first (or top) level VM environment created on a host system. |
| VM container root | Container | yes | yes | rootfs type requested by user ([`ubuntu` in the example](example-command.md)) | `kataShared` | [virtio FS](storage.md#virtio-fs) | The first (or top) level container environment created inside the VM. Based on the [OCI bundle](background.md#oci-bundle). |
**Key:**
-`[1]`: For simplicity, this document assumes the host environment
runs on physical hardware.
-`[2]`: See the [DAX](#dax) section.
> **Notes:**
>
> - The word "root" is used to mean _top level_ here in a similar
> manner to the term [rootfs](background.md#root-filesystem).
>
> - The term "first level" prefix used above is important since it implies
> that it is possible to create multi level systems. However, they do
> not form part of a standard Kata Containers environment so will not
> be considered in this document.
The reasons for containerizing the [workload](#workload) inside the VM
are:
- Isolates the workload entirely from the VM environment.
- Provides better isolation between containers in a [pod](kubernetes.md).
- Allows the workload to be managed and monitored through its cgroup
confinement.
### Container creation
The steps below show at a high level how a Kata Containers container is
created using the containerd container manager:
1. The user requests the creation of a container by running a command
like the [example command](example-command.md).
1. The container manager daemon runs a single instance of the Kata
[runtime](#runtime).
1. The Kata runtime loads its [configuration file](#configuration).
1. The container manager calls a set of shimv2 API functions on the runtime.
1. The Kata runtime launches the configured [hypervisor](#hypervisor).
1. The hypervisor creates and starts (_boots_) a VM using the
[guest assets](guest-assets.md#guest-assets):
- The hypervisor [DAX](#dax) shares the
[guest image](guest-assets.md#guest-image)
into the VM to become the VM [rootfs](background.md#root-filesystem) (mounted on a `/dev/pmem*` device),
which is known as the [VM root environment](#environments).
- The hypervisor mounts the [OCI bundle](background.md#oci-bundle), using [virtio FS](storage.md#virtio-fs),
into a container specific directory inside the VM's rootfs.
This container specific directory will become the
[container rootfs](#environments), known as the
[container environment](#environments).
1. The [agent](#agent) is started as part of the VM boot.
1. The runtime calls the agent's `CreateSandbox` API to request the
agent create a container:
1. The agent creates a [container environment](#environments)
in the container specific directory that contains the [container rootfs](#environments).
The container environment hosts the [workload](#workload) in the
[container rootfs](#environments) directory.
1. The agent spawns the workload inside the container environment.
> **Notes:**
>
> - The container environment created by the agent is equivalent to
> script as `root` and looking at the "Image details" section of the
> output.
#### Root filesystem image
The default packaged rootfs image, sometimes referred to as the _mini
O/S_, is a highly optimized container bootstrap system.
If this image type is [configured](README.md#configuration), when the
user runs the [example command](example-command.md):
- The [runtime](README.md#runtime) will launch the configured [hypervisor](README.md#hypervisor).
- The hypervisor will boot the mini-OS image using the [guest kernel](#guest-kernel).
- The kernel will start the init daemon as PID 1 (`systemd`) inside the VM root environment.
-`systemd`, running inside the mini-OS context, will launch the [agent](README.md#agent)
in the root context of the VM.
- The agent will create a new container environment, setting its root
filesystem to that requested by the user (Ubuntu in [the example](example-command.md)).
- The agent will then execute the command (`sh(1)` in [the example](example-command.md))
inside the new container.
The table below summarises the default mini O/S showing the
environments that are created, the services running in those
environments (for all platforms) and the root filesystem used by
each service:
| Process | Environment | systemd service? | rootfs | User accessible | Notes |
|-|-|-|-|-|-|
| systemd | VM root | n/a | [VM guest image](#guest-image)| [debug console][debug-console] | The init daemon, running as PID 1 |
| [Agent](README.md#agent) | VM root | yes | [VM guest image](#guest-image)| [debug console][debug-console] | Runs as a systemd service |
| `chronyd` | VM root | yes | [VM guest image](#guest-image)| [debug console][debug-console] | Used to synchronise the time with the host |
| container workload (`sh(1)` in [the example](example-command.md)) | VM container | no | User specified (Ubuntu in [the example](example-command.md)) | [exec command](README.md#exec-command) | Managed by the agent |
See also the [process overview](README.md#process-overview).
> **Notes:**
>
> - The "User accessible" column shows how an administrator can access
> the environment.
>
> - The container workload is running inside a full container
> environment which itself is running within a VM environment.
>
> - See the [configuration files for the `osbuilder` tool](../../../tools/osbuilder/rootfs-builder)
> for details of the default distribution for platforms other than
> Intel x86_64.
#### Initrd image
The initrd image is a compressed `cpio(1)` archive, created from a
rootfs which is loaded into memory and used as part of the Linux
startup process. During startup, the kernel unpacks it into a special
instance of a `tmpfs` mount that becomes the initial root filesystem.
If this image type is [configured](README.md#configuration), when the user runs
the [example command](example-command.md):
- The [runtime](README.md#runtime) will launch the configured [hypervisor](README.md#hypervisor).
- The hypervisor will boot the mini-OS image using the [guest kernel](#guest-kernel).
- The kernel will start the init daemon as PID 1 (the
[agent](README.md#agent))
inside the VM root environment.
- The [agent](README.md#agent) will create a new container environment, setting its root
filesystem to that requested by the user (`ubuntu` in
[the example](example-command.md)).
- The agent will then execute the command (`sh(1)` in [the example](example-command.md))
inside the new container.
The table below summarises the default mini O/S showing the environments that are created,
the processes running in those environments (for all platforms) and
the root filesystem used by each service:
| Process | Environment | rootfs | User accessible | Notes |
|-|-|-|-|-|
| [Agent](README.md#agent) | VM root | [VM guest image](#guest-image) | [debug console][debug-console] | Runs as the init daemon (PID 1) |
| container workload | VM container | User specified (Ubuntu in this example) | [exec command](README.md#exec-command) | Managed by the agent |
> **Notes:**
>
> - The "User accessible" column shows how an administrator can access
> the environment.
>
> - It is possible to use a standard init daemon such as systemd with
> an initrd image if this is desirable.
See also the [process overview](README.md#process-overview).
| [initrd](#initrd-image) | [Alpine Linux](https://alpinelinux.org) | Kata [agent](README.md#agent) (as no systemd support) | Security hardened and tiny C library |
See also:
- The [osbuilder](../../../tools/osbuilder) tool
This is used to build all default image types.
- The [versions database](../../../versions.yaml)
The `default-image-name` and `default-initrd-name` options specify
Kata implements CRI's API and supports [`ContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L101) and [`ListContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L103) interfaces to expose containers metrics. User can use these interfaces to get basic metrics about containers.
Unlike `runc`, Kata is a VM-based runtime and has a different architecture.
## Limitations of Kata 1.x and target of Kata 2.0
Kata 1.x has a number of limitations related to observability that may be obstacles to running Kata Containers at scale.
In Kata 2.0, the following components will be able to provide more details about the system:
- containerd shim v2 (effectively `kata-runtime`)
- Hypervisor statistics
- Agent process
- Guest OS statistics
> **Note**: In Kata 1.x, the main user-facing component was the runtime (`kata-runtime`). From 1.5, Kata introduced the Kata containerd shim v2 (`containerd-shim-kata-v2`) which is essentially a modified runtime that is loaded by containerd to simplify and improve the way VM-based containers are created and managed.
>
> For Kata 2.0, the main component is the Kata containerd shim v2, although the deprecated `kata-runtime` binary will be maintained for a period of time.
>
> Any mention of the "Kata runtime" in this document should be taken to refer to the Kata containerd shim v2 unless explicitly noted otherwise (for example by referring to it explicitly as the `kata-runtime` binary).
## Metrics architecture
Kata 2.0 metrics strongly depend on [Prometheus](https://prometheus.io/), a graduated project from CNCF.
Kata Containers 2.0 introduces a new Kata component called `kata-monitor` which is used to monitor the Kata components on the host. It's shipped with the Kata runtime to provide an interface to:
- Get metrics
- Get events
At present, `kata-monitor` supports retrieval of metrics only: this is what will be covered in this document.
This is the architecture overview of metrics in Kata Containers 2.0:
For a quick evaluation, you can check out [this how to](../how-to/how-to-set-prometheus-in-k8s.md).
### Kata monitor
The `kata-monitor` management agent should be started on each node where the Kata containers runtime is installed. `kata-monitor` will:
> **Note**: a *node* running Kata containers will be either a single host system or a worker node belonging to a K8s cluster capable of running Kata pods.
- Aggregate sandbox metrics running on the node, adding the `sandbox_id` label to them.
- Expose a new Prometheus target, allowing all node metrics coming from the Kata shim to be collected by Prometheus indirectly. This simplifies the targets count in Prometheus and avoids exposing shim's metrics by `ip:port`.
Only one `kata-monitor` process runs in each node.
`kata-monitor` uses a different communication channel than the one used by the container engine (`containerd`/`CRI-O`) to communicate with the Kata shim. The Kata shim exposes a dedicated socket address reserved to `kata-monitor`.
The shim's metrics socket file is created under the virtcontainers sandboxes directory, i.e. `vc/sbs/${PODID}/shim-monitor.sock`.
> **Note**: If there is no Prometheus server configured, i.e., there are no scrape operations, `kata-monitor` will not collect any metrics.
### Kata runtime
Kata runtime is responsible for:
- Gather metrics about shim process
- Gather metrics about hypervisor process
- Gather metrics about running sandbox
- Get metrics from Kata agent (through `ttrpc`)
### Kata agent
Kata agent is responsible for:
- Gather agent process metrics
- Gather guest OS metrics
In Kata 2.0, the agent adds a new interface:
```protobuf
rpcGetMetrics(GetMetricsRequest)returns(Metrics);
messageGetMetricsRequest{}
messageMetrics{
stringmetrics=1;
}
```
The `metrics` field is Prometheus encoded content. This can avoid defining a fixed structure in protocol buffers.
### Performance and overhead
Metrics should not become a bottleneck for the system or downgrade the performance: they should run with minimal overhead.
Requirements:
* Metrics **MUST** be quick to collect
* Metrics **MUST** be small
* Metrics **MUST** be generated only if there are subscribers to the Kata metrics service
* Metrics **MUST** be stateless
In Kata 2.0, metrics are collected only when needed (pull mode), mainly from the `/proc` filesystem, and consumed by Prometheus. This means that if the Prometheus collector is not running (so no one cares about the metrics) the overhead will be zero.
The metrics service also doesn't hold any metrics in memory.
*Metrics size*: response size of one Prometheus scrape request.
It's easy to estimate the size of one metrics fetch request issued by Prometheus.
The formula to calculate the expected size when no gzip compression is in place is:
9 + (144 - 9) * `number of kata sandboxes`
Prometheus supports `gzip compression`. When enabled, the response size of each request will be smaller:
2 + (10 - 2) * `number of kata sandboxes`
**Example**
We have 10 sandboxes running on a node. The expected size of one metrics fetch request issued by Prometheus against the kata-monitor agent running on that node will be:
9 + (144 - 9) * 10 = **1.35M**
If `gzip compression` is enabled:
2 + (10 - 2) * 10 = **82K**
#### Metrics delay ####
And here is some test data:
- End-to-end (from Prometheus server to `kata-monitor` and `kata-monitor` write response back): **20ms**(avg)
- Agent (RPC all from shim to agent): **3ms**(avg)
Test infrastructure:
- OS: Ubuntu 20.04
- Hardware: Intel(R) Core(TM) i5-8500 CPU @ 3.00GHz, 6 Cores, and 16GB memory.
**Scrape interval**
Prometheus default `scrape_interval` is 1 minute, but it is usually set to 15 seconds. A smaller `scrape_interval` causes more overhead, so users should set it depending on their monitoring needs.
## Metrics list
Here are listed all the metrics supported by Kata 2.0. Some metrics are dependent on the VM guest kernel, so the available ones may differ based on the environment.
Metrics are categorized by the component from/for which the metrics are collected.
> * Labels here do not include the `instance` and `job` labels added by Prometheus.
> * Notes about metrics unit
> * `Kibibytes`, abbreviated `KiB`. 1 `KiB` equals 1024 B.
> * For some metrics (like network devices statistics from file `/proc/net/dev`), unit depends on label( for example `recv_bytes` and `recv_packets` have different units).
> * Most of these metrics are collected from the `/proc` filesystem, so the unit of each metric matches the unit of the relevant `/proc` entry. See the `proc(5)` manual page for further details.
### Metric types
Prometheus offers four core metric types.
- Counter: A counter is a cumulative metric that represents a single monotonically increasing counter whose value can only increase.
- Gauge: A gauge metric represents a single numerical value that can go up and down, typically used for measured values like current memory usage.
- Histogram: A histogram samples observations (usually things like request durations or response sizes) and counts them in configurable buckets.
- Summary: A summary samples observations like histogram, it can calculate configurable quantiles over a sliding time window.
See [Prometheus metric types](https://prometheus.io/docs/concepts/metric_types/) for detailed explanations about these metric types.
### Kata agent metrics
Agent's metrics contains metrics about agent process.
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_agent_io_stat`: <br> Agent process IO stat. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/io`)<ul><li>`cancelled_write_byte`</li><li>`rchar`</li><li>`read_bytes`</li><li>`syscr`</li><li>`syscw`</li><li>`wchar`</li><li>`write_bytes`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_proc_stat`: <br> Agent process stat. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/stat`)<ul><li>`cstime`</li><li>`cutime`</li><li>`stime`</li><li>`utime`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_proc_status`: <br> Agent process status. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/status`)<ul><li>`hugetlbpages`</li><li>`nonvoluntary_ctxt_switches`</li><li>`rssanon`</li><li>`rssfile`</li><li>`rssshmem`</li><li>`vmdata`</li><li>`vmexe`</li><li>`vmhwm`</li><li>`vmlck`</li><li>`vmlib`</li><li>`vmpeak`</li><li>`vmpin`</li><li>`vmpte`</li><li>`vmrss`</li><li>`vmsize`</li><li>`vmstk`</li><li>`vmswap`</li><li>`voluntary_ctxt_switches`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_process_cpu_seconds_total`: <br> Total user and system CPU time spent in seconds. | `COUNTER` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_process_max_fds`: <br> Maximum number of open file descriptors. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_process_open_fds`: <br> Number of open file descriptors. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_process_start_time_seconds`: <br> Start time of the process since `unix` epoch in seconds. | `GAUGE` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_total_rss`: <br> Agent process total `rss` size | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_total_time`: <br> Agent process total time | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_agent_total_vm`: <br> Agent process total `vm` size | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
### Firecracker metrics
Metrics for Firecracker vmm.
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_firecracker_api_server`: <br> Metrics related to the internal API server. | `GAUGE` | | <ul><li>`item`<ul><li>`process_startup_time_cpu_us`</li><li>`process_startup_time_us`</li><li>`sync_response_fails`</li><li>`sync_vmm_send_timeout_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_get_api_requests`: <br> Metrics specific to GET API Requests for counting user triggered actions and/or failures. | `GAUGE` | | <ul><li>`item`<ul><li>`instance_info_count`</li><li>`instance_info_fails`</li><li>`machine_cfg_count`</li><li>`machine_cfg_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_i8042`: <br> Metrics specific to the i8042 device. | `GAUGE` | | <ul><li>`item`<ul><li>`error_count`</li><li>`missed_read_count`</li><li>`missed_write_count`</li><li>`read_count`</li><li>`reset_count`</li><li>`write_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_latencies_us`: <br> Performance metrics related for the moment only to snapshots. | `GAUGE` | | <ul><li>`item`<ul><li>`diff_create_snapshot`</li><li>`full_create_snapshot`</li><li>`load_snapshot`</li><li>`pause_vm`</li><li>`resume_vm`</li><li>`vmm_diff_create_snapshot`</li><li>`vmm_full_create_snapshot`</li><li>`vmm_load_snapshot`</li><li>`vmm_pause_vm`</li><li>`vmm_resume_vm`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_logger`: <br> Metrics for the logging subsystem. | `GAUGE` | | <ul><li>`item`<ul><li>`log_fails`</li><li>`metrics_fails`</li><li>`missed_log_count`</li><li>`missed_metrics_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_mmds`: <br> Metrics for the MMDS functionality. | `GAUGE` | | <ul><li>`item`<ul><li>`connections_created`</li><li>`connections_destroyed`</li><li>`rx_accepted`</li><li>`rx_accepted_err`</li><li>`rx_accepted_unusual`</li><li>`rx_bad_eth`</li><li>`rx_count`</li><li>`tx_bytes`</li><li>`tx_count`</li><li>`tx_errors`</li><li>`tx_frames`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_patch_api_requests`: <br> Metrics specific to PATCH API Requests for counting user triggered actions and/or failures. | `GAUGE` | | <ul><li>`item`<ul><li>`drive_count`</li><li>`drive_fails`</li><li>`machine_cfg_count`</li><li>`machine_cfg_fails`</li><li>`network_count`</li><li>`network_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_put_api_requests`: <br> Metrics specific to PUT API Requests for counting user triggered actions and/or failures. | `GAUGE` | | <ul><li>`item`<ul><li>`actions_count`</li><li>`actions_fails`</li><li>`boot_source_count`</li><li>`boot_source_fails`</li><li>`drive_count`</li><li>`drive_fails`</li><li>`logger_count`</li><li>`logger_fails`</li><li>`machine_cfg_count`</li><li>`machine_cfg_fails`</li><li>`metrics_count`</li><li>`metrics_fails`</li><li>`network_count`</li><li>`network_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_rtc`: <br> Metrics specific to the RTC device. | `GAUGE` | | <ul><li>`item`<ul><li>`error_count`</li><li>`missed_read_count`</li><li>`missed_write_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_seccomp`: <br> Metrics for the seccomp filtering. | `GAUGE` | | <ul><li>`item`<ul><li>`num_faults`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_signals`: <br> Metrics related to signals. | `GAUGE` | | <ul><li>`item`<ul><li>`sigbus`</li><li>`sigsegv`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_uart`: <br> Metrics specific to the UART device. | `GAUGE` | | <ul><li>`item`<ul><li>`error_count`</li><li>`flush_count`</li><li>`missed_read_count`</li><li>`missed_write_count`</li><li>`read_count`</li><li>`write_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vcpu`: <br> Metrics specific to VCPUs' mode of functioning. | `GAUGE` | | <ul><li>`item`<ul><li>`exit_io_in`</li><li>`exit_io_out`</li><li>`exit_mmio_read`</li><li>`exit_mmio_write`</li><li>`failures`</li><li>`filter_cpuid`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vmm`: <br> Metrics specific to the machine manager as a whole. | `GAUGE` | | <ul><li>`item`<ul><li>`device_events`</li><li>`panic_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_guest_cpu_time`: <br> Guest CPU stat. | `GAUGE` | | <ul><li>`cpu` (CPU no. and total for all CPUs)<ul><li>`0` (CPU 0)</li><li>`1` (CPU 1)</li><li>`total` (for all CPUs)</li></ul></li><li>`item` (Kernel/system statistics, from `/proc/stat`)<ul><li>`guest`</li><li>`guest_nice`</li><li>`idle`</li><li>`iowait`</li><li>`irq`</li><li>`nice`</li><li>`softirq`</li><li>`steal`</li><li>`system`</li><li>`user`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_guest_diskstat`: <br> Disks stat in system. | `GAUGE` | | <ul><li>`disk` (disk name)</li><li>`item` (see `/proc/diskstats`)<ul><li>`discards`</li><li>`discards_merged`</li><li>`flushes`</li><li>`in_progress`</li><li>`merged`</li><li>`reads`</li><li>`sectors_discarded`</li><li>`sectors_read`</li><li>`sectors_written`</li><li>`time_discarding`</li><li>`time_flushing`</li><li>`time_in_progress`</li><li>`time_reading`</li><li>`time_writing`</li><li>`weighted_time_in_progress`</li><li>`writes`</li><li>`writes_merged`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_guest_meminfo`: <br> Statistics about memory usage on the system. | `GAUGE` | | <ul><li>`item` (see `/proc/meminfo`)<ul><li>`active`</li><li>`active_anon`</li><li>`active_file`</li><li>`anon_hugepages`</li><li>`anon_pages`</li><li>`bounce`</li><li>`buffers`</li><li>`cached`</li><li>`cma_free`</li><li>`cma_total`</li><li>`commit_limit`</li><li>`committed_as`</li><li>`direct_map_1G`</li><li>`direct_map_2M`</li><li>`direct_map_4M`</li><li>`direct_map_4k`</li><li>`dirty`</li><li>`hardware_corrupted`</li><li>`high_free`</li><li>`high_total`</li><li>`hugepages_free`</li><li>`hugepages_rsvd`</li><li>`hugepages_surp`</li><li>`hugepages_total`</li><li>`hugepagesize`</li><li>`hugetlb`</li><li>`inactive`</li><li>`inactive_anon`</li><li>`inactive_file`</li><li>`k_reclaimable`</li><li>`kernel_stack`</li><li>`low_free`</li><li>`low_total`</li><li>`mapped`</li><li>`mem_available`</li><li>`mem_free`</li><li>`mem_total`</li><li>`mlocked`</li><li>`mmap_copy`</li><li>`nfs_unstable`</li><li>`page_tables`</li><li>`per_cpu`</li><li>`quicklists`</li><li>`s_reclaimable`</li><li>`s_unreclaim`</li><li>`shmem`</li><li>`shmem_hugepages`</li><li>`shmem_pmd_mapped`</li><li>`slab`</li><li>`swap_cached`</li><li>`swap_free`</li><li>`swap_total`</li><li>`unevictable`</li><li>`vmalloc_chunk`</li><li>`vmalloc_total`</li><li>`vmalloc_used`</li><li>`writeback`</li><li>`writeback_tmp`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_guest_netdev_stat`: <br> Guest net devices stats. | `GAUGE` | | <ul><li>`interface` (network device name)</li><li>`item` (see `/proc/net/dev`)<ul><li>`recv_bytes`</li><li>`recv_compressed`</li><li>`recv_drop`</li><li>`recv_errs`</li><li>`recv_fifo`</li><li>`recv_frame`</li><li>`recv_multicast`</li><li>`recv_packets`</li><li>`sent_bytes`</li><li>`sent_carrier`</li><li>`sent_colls`</li><li>`sent_compressed`</li><li>`sent_drop`</li><li>`sent_errs`</li><li>`sent_fifo`</li><li>`sent_packets`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_monitor_go_gc_duration_seconds`: <br> A summary of the pause duration of garbage collection cycles. | `SUMMARY` | `seconds` | | 2.0.0 |
| `kata_monitor_go_goroutines`: <br> Number of goroutines that currently exist. | `GAUGE` | | | 2.0.0 |
| `kata_monitor_go_info`: <br> Information about the Go environment. | `GAUGE` | | <ul><li>`version` (golang version)<ul><li>`go1.13.9` (environment dependent variable)</li></ul></li></ul> | 2.0.0 |
| `kata_monitor_go_memstats_alloc_bytes`: <br> Number of bytes allocated and still in use. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_alloc_bytes_total`: <br> Total number of bytes allocated, even if freed. | `COUNTER` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_buck_hash_sys_bytes`: <br> Number of bytes used by the profiling bucket hash table. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_frees_total`: <br> Total number of frees. | `COUNTER` | | | 2.0.0 |
| `kata_monitor_go_memstats_gc_cpu_fraction`: <br> The fraction of this program's available CPU time used by the GC since the program started. | `GAUGE` | | | 2.0.0 |
| `kata_monitor_go_memstats_gc_sys_bytes`: <br> Number of bytes used for garbage collection system metadata. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_heap_alloc_bytes`: <br> Number of heap bytes allocated and still in use. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_heap_idle_bytes`: <br> Number of heap bytes waiting to be used. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_heap_inuse_bytes`: <br> Number of heap bytes that are in use. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_heap_objects`: <br> Number of allocated objects. | `GAUGE` | | | 2.0.0 |
| `kata_monitor_go_memstats_heap_released_bytes`: <br> Number of heap bytes released to OS. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_heap_sys_bytes`: <br> Number of heap bytes obtained from system. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_last_gc_time_seconds`: <br> Number of seconds since 1970 of last garbage collection. | `GAUGE` | `seconds` | | 2.0.0 |
| `kata_monitor_go_memstats_lookups_total`: <br> Total number of pointer lookups. | `COUNTER` | | | 2.0.0 |
| `kata_monitor_go_memstats_mallocs_total`: <br> Total number of `mallocs`. | `COUNTER` | | | 2.0.0 |
| `kata_monitor_go_memstats_mcache_inuse_bytes`: <br> Number of bytes in use by `mcache` structures. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_mcache_sys_bytes`: <br> Number of bytes used for `mcache` structures obtained from system. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_mspan_inuse_bytes`: <br> Number of bytes in use by `mspan` structures. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_mspan_sys_bytes`: <br> Number of bytes used for `mspan` structures obtained from system. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_next_gc_bytes`: <br> Number of heap bytes when next garbage collection will take place. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_other_sys_bytes`: <br> Number of bytes used for other system allocations. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_stack_inuse_bytes`: <br> Number of bytes in use by the stack allocator. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_stack_sys_bytes`: <br> Number of bytes obtained from system for stack allocator. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_memstats_sys_bytes`: <br> Number of bytes obtained from system. | `GAUGE` | `bytes` | | 2.0.0 |
| `kata_monitor_go_threads`: <br> Number of OS threads created. | `GAUGE` | | | 2.0.0 |
| `kata_monitor_process_cpu_seconds_total`: <br> Total user and system CPU time spent in seconds. | `COUNTER` | `seconds` | | 2.0.0 |
| `kata_monitor_process_max_fds`: <br> Maximum number of open file descriptors. | `GAUGE` | | | 2.0.0 |
| `kata_monitor_process_open_fds`: <br> Number of open file descriptors. | `GAUGE` | | | 2.0.0 |
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_shim_agent_rpc_durations_histogram_milliseconds`: <br> RPC latency distributions. | `HISTOGRAM` | `milliseconds` | <ul><li>`action` (RPC actions of Kata agent)<ul><li>`grpc.CheckRequest`</li><li>`grpc.CloseStdinRequest`</li><li>`grpc.CopyFileRequest`</li><li>`grpc.CreateContainerRequest`</li><li>`grpc.CreateSandboxRequest`</li><li>`grpc.DestroySandboxRequest`</li><li>`grpc.ExecProcessRequest`</li><li>`grpc.GetMetricsRequest`</li><li>`grpc.GuestDetailsRequest`</li><li>`grpc.ListInterfacesRequest`</li><li>`grpc.ListProcessesRequest`</li><li>`grpc.ListRoutesRequest`</li><li>`grpc.MemHotplugByProbeRequest`</li><li>`grpc.OnlineCPUMemRequest`</li><li>`grpc.PauseContainerRequest`</li><li>`grpc.RemoveContainerRequest`</li><li>`grpc.ReseedRandomDevRequest`</li><li>`grpc.ResumeContainerRequest`</li><li>`grpc.SetGuestDateTimeRequest`</li><li>`grpc.SignalProcessRequest`</li><li>`grpc.StartContainerRequest`</li><li>`grpc.StatsContainerRequest`</li><li>`grpc.TtyWinResizeRequest`</li><li>`grpc.UpdateContainerRequest`</li><li>`grpc.UpdateInterfaceRequest`</li><li>`grpc.UpdateRoutesRequest`</li><li>`grpc.WaitProcessRequest`</li><li>`grpc.WriteStreamRequest`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_fds`: <br> Kata containerd shim v2 open FDs. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_gc_duration_seconds`: <br> A summary of the pause duration of garbage collection cycles. | `SUMMARY` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_goroutines`: <br> Number of goroutines that currently exist. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_info`: <br> Information about the Go environment. | `GAUGE` | | <ul><li>`sandbox_id`</li><li>`version` (golang version)<ul><li>`go1.13.9` (environment dependent variable)</li></ul></li></ul> | 2.0.0 |
| `kata_shim_go_memstats_alloc_bytes`: <br> Number of bytes allocated and still in use. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_alloc_bytes_total`: <br> Total number of bytes allocated, even if freed. | `COUNTER` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_buck_hash_sys_bytes`: <br> Number of bytes used by the profiling bucket hash table. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_frees_total`: <br> Total number of frees. | `COUNTER` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_gc_cpu_fraction`: <br> The fraction of this program's available CPU time used by the GC since the program started. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_gc_sys_bytes`: <br> Number of bytes used for garbage collection system metadata. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_alloc_bytes`: <br> Number of heap bytes allocated and still in use. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_idle_bytes`: <br> Number of heap bytes waiting to be used. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_inuse_bytes`: <br> Number of heap bytes that are in use. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_objects`: <br> Number of allocated objects. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_released_bytes`: <br> Number of heap bytes released to OS. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_heap_sys_bytes`: <br> Number of heap bytes obtained from system. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_last_gc_time_seconds`: <br> Number of seconds since 1970 of last garbage collection. | `GAUGE` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_lookups_total`: <br> Total number of pointer lookups. | `COUNTER` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_mallocs_total`: <br> Total number of `mallocs`. | `COUNTER` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_mcache_inuse_bytes`: <br> Number of bytes in use by `mcache` structures. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_mcache_sys_bytes`: <br> Number of bytes used for `mcache` structures obtained from system. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_mspan_inuse_bytes`: <br> Number of bytes in use by `mspan` structures. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_mspan_sys_bytes`: <br> Number of bytes used for `mspan` structures obtained from system. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_next_gc_bytes`: <br> Number of heap bytes when next garbage collection will take place. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_other_sys_bytes`: <br> Number of bytes used for other system allocations. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_stack_inuse_bytes`: <br> Number of bytes in use by the stack allocator. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_stack_sys_bytes`: <br> Number of bytes obtained from system for stack allocator. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_memstats_sys_bytes`: <br> Number of bytes obtained from system. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_threads`: <br> Number of OS threads created. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_io_stat`: <br> Kata containerd shim v2 process IO statistics. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/io`)<ul><li>`cancelledwritebytes`</li><li>`rchar`</li><li>`readbytes`</li><li>`syscr`</li><li>`syscw`</li><li>`wchar`</li><li>`writebytes`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_pod_overhead_cpu`: <br> Kata Pod overhead for CPU resources(percent). | `GAUGE` | percent | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_pod_overhead_memory_in_bytes`: <br> Kata Pod overhead for memory resources(bytes). | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_proc_stat`: <br> Kata containerd shim v2 process statistics. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/stat`)<ul><li>`cstime`</li><li>`cutime`</li><li>`stime`</li><li>`utime`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_proc_status`: <br> Kata containerd shim v2 process status. | `GAUGE` | | <ul><li>`item` (see `/proc/<pid>/status`)<ul><li>`hugetlbpages`</li><li>`nonvoluntary_ctxt_switches`</li><li>`rssanon`</li><li>`rssfile`</li><li>`rssshmem`</li><li>`vmdata`</li><li>`vmexe`</li><li>`vmhwm`</li><li>`vmlck`</li><li>`vmlib`</li><li>`vmpeak`</li><li>`vmpin`</li><li>`vmpmd`</li><li>`vmpte`</li><li>`vmrss`</li><li>`vmsize`</li><li>`vmstk`</li><li>`vmswap`</li><li>`voluntary_ctxt_switches`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_process_cpu_seconds_total`: <br> Total user and system CPU time spent in seconds. | `COUNTER` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_process_max_fds`: <br> Maximum number of open file descriptors. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_process_open_fds`: <br> Number of open file descriptors. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_process_start_time_seconds`: <br> Start time of the process since `unix` epoch in seconds. | `GAUGE` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_process_virtual_memory_max_bytes`: <br> Maximum amount of virtual memory available in bytes. | `GAUGE` | `bytes` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
To fulfill the [Kata design requirements](kata-design-requirements.md), and based on the discussion on [Virtcontainers API extensions](https://docs.google.com/presentation/d/1dbGrD1h9cpuqAPooiEgtiwWDGCYhVPdatq7owsKHDEQ), the Kata runtime library features the following APIs:
- Sandbox based top API
- Storage and network hotplug API
- Plugin frameworks for external proprietary Kata runtime extensions
## Sandbox Based API
### Sandbox Management API
|Name|Description|
|---|---|
|`CreateSandbox(SandboxConfig, Factory)`| Create a sandbox and its containers, base on `SandboxConfig` and `Factory`. Return the `Sandbox` structure, but do not start them.|
### Sandbox Operation API
|Name|Description|
|---|---|
|`sandbox.Delete()`| Shut down the VM in which the sandbox, and destroy the sandbox and remove all persistent metadata.|
|`sandbox.Monitor()`| Return a context handler for caller to monitor sandbox callbacks such as error termination.|
|`sandbox.Release()`| Release a sandbox data structure, close connections to the agent, and quit any goroutines associated with the Sandbox. Mostly used for daemon restart.|
|`sandbox.Start()`| Start a sandbox and the containers making the sandbox.|
|`sandbox.Stats()`| Get the stats of a running sandbox, return a `SandboxStats` structure.|
|`sandbox.Status()`| Get the status of the sandbox and containers, return a `SandboxStatus` structure.|
|`sandbox.Stop(force)`| Stop a sandbox and Destroy the containers in the sandbox. When force is true, ignore guest related stop failures.|
|`sandbox.CreateContainer(contConfig)`| Create new container in the sandbox with the `ContainerConfig` parameter. It will add new container config to `sandbox.config.Containers`.|
|`sandbox.DeleteContainer(containerID)`| Delete a container from the sandbox by `containerID`, return a `Container` structure.|
|`sandbox.EnterContainer(containerID, cmd)`| Run a new process in a container, executing customer's `types.Cmd` command.|
|`sandbox.KillContainer(containerID, signal, all)`| Signal a container in the sandbox by the `containerID`.|
|`sandbox.PauseContainer(containerID)`| Pause a running container in the sandbox by the `containerID`.|
|`sandbox.ProcessListContainer(containerID, options)`| List every process running inside a specific container in the sandbox, return a `ProcessList` structure.|
|`sandbox.ResumeContainer(containerID)`| Resume a paused container in the sandbox by the `containerID`.|
|`sandbox.StartContainer(containerID)`| Start a container in the sandbox by the `containerID`.|
|`sandbox.StatsContainer(containerID)`| Get the stats of a running container, return a `ContainerStats` structure.|
|`sandbox.StatusContainer(containerID)`| Get the status of a container in the sandbox, return a `ContainerStatus` structure.|
|`sandbox.StopContainer(containerID, force)`| Stop a container in the sandbox by the `containerID`.|
|`sandbox.UpdateContainer(containerID, resources)`| Update a running container in the sandbox.|
|`sandbox.WaitProcess(containerID, processID)`| Wait on a process to terminate.|
### Sandbox Hotplug API
|Name|Description|
|---|---|
|`sandbox.AddDevice(info)`| Add new storage device `DeviceInfo` to the sandbox, return a `Device` structure.|
|`sandbox.AddInterface(inf)`| Add new NIC to the sandbox.|
|`sandbox.RemoveInterface(inf)`| Remove a NIC from the sandbox.|
|`sandbox.ListInterfaces()`| List all NICs and their configurations in the sandbox, return a `pbTypes.Interface` list.|
|`sandbox.UpdateRoutes(routes)`| Update the sandbox route table (e.g. for portmapping support), return a `pbTypes.Route` list.|
|`sandbox.ListRoutes()`| List the sandbox route table, return a `pbTypes.Route` list.|
### Sandbox Relay API
|Name|Description|
|---|---|
|`sandbox.WinsizeProcess(containerID, processID, Height, Width)`| Relay TTY resize request to a process.|
|`sandbox.SignalProcess(containerID, processID, signalID, signalALL)`| Relay a signal to a process or all processes in a container.|
|`sandbox.IOStream(containerID, processID)`| Relay a process stdio. Return stdin/stdout/stderr pipes to the process stdin/stdout/stderr streams.|
### Sandbox Monitor API
|Name|Description|
|---|---|
|`sandbox.GetOOMEvent()`| Monitor the OOM events that occur in the sandbox..|
|`sandbox.UpdateRuntimeMetrics()`| Update the `shim/hypervisor` metrics of the running sandbox.|
|`sandbox.GetAgentMetrics()`| Get metrics of the agent and the guest in the running sandbox.|
## Plugin framework for external proprietary Kata runtime extensions
### Hypervisor plugin
TBD.
### Metadata storage plugin
The metadata storage plugin controls where sandbox metadata is saved.
All metadata storage plugins must implement the following API:
|Name|Description|
|---|---|
|`storage.Save(key, value)`| Save a record.|
|`storage.Load(key)`| Load a record.|
|`storage.Delete(key)`| Delete a record.|
Built-in implementations include:
- Filesystem storage
- LevelDB storage
### VM Factory plugin
The VM factory plugin controls how a sandbox factory creates new VMs.
All VM factory plugins must implement following API:
|Name|Description|
|---|---|
|`VMFactory.NewVM(HypervisorConfig)`|Create a new VM based on `HypervisorConfig`.|
Built-in implementations include:
|Name|Description|
|---|---|
|`CreateNew()`| Create brand new VM based on `HypervisorConfig`.|
|`CreateFromTemplate()`| Create new VM from template.|
|`CreateFromCache()`| Create new VM from VM caches.|
In theory, being OCI compatible should be enough. In practice, the Kata Containers runtime
should comply with the latest *stable*`runc` CLI. In particular, it **MUST** implement the
following `runc` commands:
*`create`
*`delete`
*`exec`
*`kill`
*`list`
*`pause`
*`ps`
*`start`
*`state`
*`version`
The Kata Containers runtime **MUST** implement the following command line options:
*`--console-socket`
*`--pid-file`
### [CRI](http://blog.kubernetes.io/2016/12/container-runtime-interface-cri-in-kubernetes.html) and [Kubernetes](https://kubernetes.io) support
The Kata Containers project **MUST** provide two interfaces for CRI shims to manage hardware
virtualization based Kubernetes pods and containers:
- An OCI and `runc` compatible command line interface, as described in the previous section.
This interface is used by implementations such as [`CRI-O`](http://cri-o.io) and [`containerd`](https://github.com/containerd/containerd), for example.
- A hardware virtualization runtime library API for CRI shims to consume and provide a more
CRI native implementation. The [`frakti`](https://github.com/kubernetes/frakti) CRI shim is an example of such a consumer.
### Multiple hardware architectures support
The Kata Containers runtime **MUST NOT** be architecture-specific. It should be able to support
multiple hardware architectures and provide a modular and flexible design for adding support
for additional ones.
### Multiple hypervisor support
The Kata Containers runtime **MUST NOT** be tied to any specific hardware virtualization technology,
hypervisor, or virtual machine monitor implementation.
It should support multiple hypervisors and provide a pluggable and flexible design to add support
for additional ones.
#### Nesting
The Kata Containers runtime **MUST** support nested virtualization environments.
### Networking
* The Kata Containers runtime **MUST** support CNI plugin.
* The Kata Containers runtime **MUST** support both legacy and IPv6 networks.
### I/O
#### Devices direct assignment
In order for containers to directly consume host hardware resources, the Kata Containers runtime
**MUST** provide containers with secure pass through for generic devices such as GPUs, SRIOV,
RDMA, QAT, by leveraging I/O virtualization technologies (IOMMU, interrupt remapping).
#### Acceleration
The Kata Containers runtime **MUST** support accelerated and user-space-based I/O operations
for networking (e.g. DPDK) as well as storage through `vhost-user` sockets.
#### Scalability
The Kata Containers runtime **MUST** support scalable I/O through the SRIOV technology.
### Virtualization overhead reduction
A compelling aspect of containers is their minimal overhead compared to bare metal applications.
A container runtime should keep the overhead to a minimum in order to provide the expected user
experience.
The Kata Containers runtime implementation **SHOULD** be optimized for:
* Minimal workload boot and shutdown times
* Minimal workload memory footprint
* Maximal networking throughput
* Minimal networking latency
### Testing and debugging
#### Continuous Integration
Each Kata Containers runtime pull request **MUST** pass at least the following set of container-related
tests:
* Unit tests: runtime unit tests coverage >75%
* Functional tests: the entire runtime CLI and APIs
* Integration tests: Docker and Kubernetes
#### Debugging
The Kata Containers runtime implementation **MUST** use structured logging in order to namespace
[Research](https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter) shows that time to take for pull operation accounts for 76% of container startup time but only 6.4% of that data is read. So if we can get data on demand (lazy load), it will speed up the container start. [`Nydus`](https://github.com/dragonflyoss/image-service) is a project which build image with new format and can get data on demand when container start.
The following benchmarking result shows the performance improvement compared with the OCI image for the container cold startup elapsed time on containerd. As the OCI image size increases, the container startup time of using `nydus` image remains very short. [Click here](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) to see `nydus` design.
## Proposal - Bring `lazyload` ability to Kata Containers
`Nydusd` is a fuse/`virtiofs` daemon which is provided by `nydus` project and it supports `PassthroughFS` and [RAFS](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) (Registry Acceleration File System) natively, so in Kata Containers, we can use `nydusd` in place of `virtiofsd` and mount `nydus` image to guest in the meanwhile.
The process of creating/starting Kata Containers with `virtiofsd`,
1. When creating sandbox, the Kata Containers Containerd v2 [shim](https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture/README.md#runtime) will launch `virtiofsd` before VM starts and share directories with VM.
2. When creating container, the Kata Containers Containerd v2 shim will mount rootfs to `kataShared`(/run/kata-containers/shared/sandboxes/\<SANDBOX\>/mounts/\<CONTAINER\>/rootfs), so it can be seen at the path `/run/kata-containers/shared/containers/shared/\<CONTAINER\>/rootfs` in the guest and used as container's rootfs.
The process of creating/starting Kata Containers with `nydusd`,
1. When creating sandbox, the Kata Containers Containerd v2 shim will launch `nydusd` daemon before VM starts.
After VM starts, `kata-agent` will mount `virtiofs` at the path `/run/kata-containers/shared` and Kata Containers Containerd v2 shim mount `passthroughfs` filesystem to path `/run/kata-containers/shared/containers` when the VM starts.
```bash
# start nydusd
$ sandbox_id=my-test-sandbox
$ sudo /usr/local/bin/nydusd --log-level info --sock /run/vc/vm/${sandbox_id}/vhost-user-fs.sock --apisock /run/vc/vm/${sandbox_id}/api.sock
```
```bash
# source: the host sharedir which will pass through to guest
-X POST "http://localhost/api/v1/mount?mountpoint=/containers" -H "accept: */*"\
-H "Content-Type: application/json"\
-d '{
"source":"/path/to/sharedir",
"fs_type":"passthrough_fs",
"config":""
}'
```
2. When creating normal container, the Kata Containers Containerd v2 shim send request to `nydusd` to mount `rafs` at the path `/run/kata-containers/shared/rafs/<container_id>/lowerdir` in guest.
The Kata Containers Containerd v2 shim will also bind mount `snapshotdir` which `nydus-snapshotter` assigns to `sharedir`。
So in guest, container rootfs=overlay(`lowerdir=rafs`, `upperdir=snapshotdir/fs`, `workdir=snapshotdir/work`)
> how to transfer the `rafs` info from `nydus-snapshotter` to the Kata Containers Containerd v2 shim?
By default, when creating `OCI` image container, `nydus-snapshotter` will return [`struct` Mount slice](https://github.com/containerd/containerd/blob/main/mount/mount.go#L21) below to containerd and containerd use them to mount rootfs
Then, we can append `rafs` info into `Options`, but if do this, containerd will mount failed, as containerd can not identify `rafs` info. Here, we can refer to [containerd mount helper](https://github.com/containerd/containerd/blob/main/mount/mount_linux.go#L42) and provide a binary called `nydus-overlayfs`. The `Mount` slice which `nydus-snapshotter` returned becomes
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
