ad45107a2 release: Kata Containers 2.2.3
4f73e58d7 packaging/static-build: s390x fixes
45f65a73c agent: Handle uevent remove actions
06d304934 agent: fix race condition when test watcher
0366f6e81 template: disable template unit test on arm
7cb650abc runtime: DefaultMaxVCPUs should not greater than defaultMaxQemuVCPUs
e97cd23bd runtime: current vcpu number should be limited
6b6d81cce runtime: kernel version with '+' as suffix panic in parse
a479eca7d docs: Fix outdated links
b794a3940 virtcontainers: clh: Re-generate the client code
39d95f486 versions: Upgrade to Cloud Hypervisor v19.0
Depends-on: github.com/kata-containers/tests#4155
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
- Install OpenSSL for key generation in kernel build
- Do not install libpmem
- Do not exclude `*/share/*/*.img` files in QEMU tarball since among
them are boot loader files critical for IPLing.
Fixes: #2895
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
uevents with action=remove was ignored causing the agent to reuse stale
data in the device map. This patch adds handling of such uevents.
Fixes#2405
Signed-off-by: Haitao Li <lihaitao@gmail.com>
create_tmpfs won't pass as the race condition in watcher umount. quote
James's words here:
1. Rust runs all tests in parallel.
2. Mounts are a process-wide, not a per-thread resource.
The only test that calls watcher.mount() is create_tmpfs().
However, other tests create BindWatcher objects.
3. BindWatcher's drop() implementation calls self.cleanup(),
which calls unmount for the mountpoint create_tmpfs() asserts.
4. The other tests are calling unmount whenever a BindWatcher goes
out of scope.
To avoid that issue, let the tests using BindWatcher in watcher and
sandbox.rs run sequentially.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
DefaultMaxVCPUs may be larger than the defaultMaxQemuVCPUs that should
be checked and avoided.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
The physical current vcpu number should not be used directly as the
largest vcpu number is limited to defaultMaxQemuVCPUs.
Here, a new helper is introduced in pkg/katautils/config.go to get
current vcpu number.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
The current kernel version parse lib can't process suffix '+', as the
modified kernel version will add '+' as suffix, thus panic will occur.
For example, if the current kernel version is "5.14.0-rc4+", test
TestHostNetworkingRequested will panic:
--- FAIL: TestHostNetworkingRequested (0.00s)
panic: &{DistroName:ubuntu DistroVersion:18.04
KernelVersion:5.11.0-rc3+ Issue: Passed:[] Failed:[] Debug:true
ActualEUID:0}: failed to check test constraints: error: Build meta data
is empty
Here, remove the suffix '+' in kernel version fix helper.
Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Currently the image-builder image is built from `fedora:latest` and
this is error-prone as any update of the base image can lead to
breakage. Instead let's create the image from Fedora 34, which is the
last known version to build fine.
Fixes#2960
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
(cherry picked from commit a239a38f45)
Highlights from the Cloud Hypervisor release v19.0: 1) Improved PTY
handling for serial and virtio-console; 2) PCI boot time optimisations;
3) Improved TDX support; 4) Live migration enhancements (support with
virtio-mem and virtio-balloon); 5) virtio-mem support with vfio-user; 6)
AArch64 for virtio-iommu; 7) Various bug fixes for live-migration and
VFIO passthrough.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v19.0Fixes: #2871
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 8296754e07)
- stable-2.2 | Backport #2821 and #2769
- Backport runtime: Fix !x86 static checks
- stable-2.2 | agent: exec should inherit container process capabilities
- stable-2.2 | vendor: Update containerd to v1.5.7
- stable-2.2 | fc: fix version parsing for fc >= 0.25
- [backport] kata-monitor: cache improvements
eea2c019 virtcontainers: clh: Use 'quiet' as the default kernel parameter
1e798b96 virtcontainers: clh: Turn-off serial and virtio-console by default
53c4492f agent: netlink: Use the grpc IP family field when updating the route
893623df runtime: Pass the route IP family to the agent
503ce9c1 agent: protos: Add a Family field to the Route payload
9932e76f runtime: vendor: Bump the netlink package dependency
0034f40b agent: exec should inherit container process capabilities
1f6b0f65 protection: add confidential compute frame for arm
112e0f63 check: fix typecheck failure in qemu_arm64_test.go
18820e31 virtcontainers: fix lint failure on ppc64le
8fafced9 virtcontainers: nolint guestProtection
9668095a runtime: Fix field alignment on s390x
3e145ea9 vendor: Update containerd to v1.5.7
79e0754a fc: fix version parsing for fc >= 0.25
b8fc1af3 runtime: set the sandbox storage path static
97167ccd runtime: rename GetSanboxesStoragePath() --> GetSandboxesStoragePath()
b0aca51e kata-monitor: bump version to 0.2.0
28873c4d kata-monitor: refresh kata sandbox list on fs events
3525a2ed kata-monitor: improve detection of kata workloads
30d07d44 kata-monitor: add getSandboxFS()
623b1082 runtime: add GetSandboxesStoragePath()
fc1822f0 kata-monitor: improve sandbox caching
ba6ad1c8 kata-monitor: warn when unable to retrive the lower level runtime
22d3df91 kata-monitor: minor fixes
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The 'quiet' kernel parameter can avoid guest kernel logs while booting,
which can reduce boot time.
Fix: #2820
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 7b2bfd4eca)
We will need to have console output from the guest only for debugging
purposes. As a result, we can turn-off both the serial and
virtio-console devices by default for better boot time.
Fixes: #2820
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 3e24e46c70)
Not all routes have either a gateway or a destination IP.
Interface routes, where the source, destination and gateway are undefined,
will default to IP v4 with the current is_ipv6() check even when they
are v6 routes.
We use the provided gRPC Route.Family field instead. This field is built
from the host netlink messages, and is a reliable way of finding out
a route's IP family.
Fixes: #2768
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
(cherry picked from commit a44cde7e8d)
When updating the guest routing table, we should forward the IP family
information up to the guest.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
(cherry picked from commit 71ce6cfe9e)
Our check for the IP family is working as long as we have either a
gateway or a destination IP. Some routes are missing both.
The RT netlink messages provide the IP family information for each
route, so we can carry that piece of information up to the guest. That
will allow for a more reliable route IP family determination.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
(cherry picked from commit 99450bd1f7)
We need to be able to get the IP family from the netlink route meesages,
and the Route.Family field only got recently added to the netlink
package.
The update generates static check warnings about the call for
nethandler.Delete() being deprecated in favor of a Close() call instead.
So we include the s/Delete()/Close()/ change as part of this PR.
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
(cherry picked from commit f85fe70231)
Even CCA, which is the confidential compute archtecture, has not been
ready, add a empty implementation to avoid static check error.
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Suggested-by: Fabiano Fidêncio <fidencio@redhat.com>
Bump containerd to v1.5.7 in order to bring in a fix for CVE-2021-41103,
"insufficiently restricted permissions on plugins directories
(GHSA-c2h3-6mxw-7mvq)".
dependabot found a potential security vulnerability and raised a PR to
fix it. However, dependabot does not properly follows nor understands
the needed of our CIs (mainly related to formatting the PR and whatnot),
thus I'm re-raising it.
Fixes: #2796
Backports: #2797
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since we now have "unix://" kind of socket returned by the
SocketAddress() function, there is no more need to build the sandbox
storage path dynamically to keep OS compatibility.
Fixes: #2738
Suggested-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit 2304a59601)
There's a typo in the file that should receive the output of `cargo
vendor`. We should use forward the output to `.cargo/config` instead of
`.cargo/vendor`.
This was introduced by 21c8511630.
Backports: #2730Fixes: #2729
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a525991c2c)
While releasing kata-containers 2.3.0-alpha1 we've hit some issues as
the tags attribution is done incorrectly. We want an array of tags to
iterate over, but the currently code is just lost is the parenthesis.
This issue was introduced in a156288c1f.
Fixes: #2725
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 39dcbaa672)
- stable-2.2 | watcher: ensure we create target mount point for storage
- stable-2.2 | virtiofs: Create shared directory with 0700 mode, not 0750
- [backport]sandbox: Allow the device to be accessed,such as /dev/null and /dev/u…
- stable-2.2 | kata-deploy: Also provide "stable" & "latest" tags
- stable-2.2 | runtime: tracing: Fix logger passed in newContainer
- stable-2.2 | runtime: tracing: Use root context to stop tracing
- packaging: Backport QEMU's GitLab switch to 5.1.x
- stable-2.2 | workflows,release: Upload the vendored cargo code
- backport: Call agent shutdown test only in the correspondent CI_JOB
- packaging: Backport QEMU's switch to GitLab repos
- stable-2.2 | virtcontainers: fc: parse vcpuID correctly
- shimv2: Backport fixes for #2527
- backport-2.2: remove default config for arm64.
- stable-2.2 | versions: Upgrade to Cloud Hypervisor v18.0
- [backport]sandbox: Add device permissions such as /dev/null to cgroup
- [backport] runtime: Fix README link
- [backport] snap: Test variable instead of executing "branch"
d9b41fc5 watcher: ensure we create target mount point for storage
2b6327ac kata-deploy: Add more info about the stable tag
5256e085 kata-deploy: Improve README
02b46268 kata-deploy: Remove qemu-virtiofs runtime class
1b3058dd release: update the kata-deploy yaml files accordingly
98e2e935 kata-deploy: Add "stable" info to the README
8f25c7da kata-deploy: Update the README
84da2f8d workflows: Add "stable" & "latest" tags to kata-deploy
5c76f1c6 packaging: Backport QEMU's GitLab switch to 5.1.x
ba6fc328 packaging: Backport QEMU's switch to GitLab repos
d5f5da43 workflows,release: Upload the vendored cargo code
017cd3c5 ci: Call agent shutdown test only in the correspondent CI_JOB
2ca867da runtime: Add container field to logs
f4da502c shimv2: add information to method comment
16164241 shimv2: add logging to shimv2 api calls
25c7e118 virtiofs: Create shared directory with 0700 mode, not 0750
4c5bf057 virtcontainers: fc: parse vcpuID correctly
b3e620db runtime: tracing: Fix logger passed in newContainer
98c2ca13 runtime: tracing: Use root context to stop tracing
0481c507 backport-2.2: remove default config for arm64.
56920bc9 sandbox: Allow the device to be accessed,such as /dev/null and /dev/urandom
a1874ccd virtcontainers: clh: Revert the workaround incorrect default values
c2c65050 virtcontainers: clh: Re-generate the client code
7ee43f94 versions: Upgrade to Cloud Hypervisor v18.0
1792a9fe runtime: Fix README link
807cc8a3 sandbox: Add device permissions such as /dev/null to cgroup
5987f3b5 snap: Test variable instead of executing "branch"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
We now support any container engine CRI compliant. Let's bump the
kata-monitor version to 0.2.0.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit 8b0bc1f45e)
This commit stops the container engine polling in favor of
the kata sandbox storage path monitoring.
The pod cache list is now refreshed based on fs events and synced with
the container engine only when needed.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit bfb556d56a)
When the container engine is different than containerd or CRI-O we
lack proper detection of kata workloads and consider all the pods as
kata ones.
Instead of querying the container engine for the lower level runtime
used in each pod, check if a directory matching the pod exists in
the virtualcontainers sandboxes storage path.
This provides a container engine independent way to check for kata pods.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit 0e854f3b80)
Retrieve the absolute sandbox storage path. We will soon need this to
monitor the creation/deletion of new kata sandboxes.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit afad910d0e)
The storage path we use to collect the sandbox files is defined in the
virtcontainers/persist/fs package.
We create the runtime socket in that storage path, by hardcoding the
full path in the SocketAddress() function in the runtime package.
This commit splits the hardcoded path by the socket address path so that
the runtime package will be able to provide the storage path to all the
components that may need it.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit e38686f74d)
In order to retrieve the list of sandboxes, we poll the container engine
every 15 seconds via the CRI. Once we have the list we have to inspect
each pod to find out the kata ones.
This commit extend the sandbox cache to keep track of all the pods,
marking the kata ones, so that during the next polling only the new
sandboxes should be inspected to figure out which ones are using the
kata runtime.
Fixes: #2563
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit 245a12bbb7)
this is an unexpected event (likely a change in how containerd/cri-o
record the lower level runtime in the pod) and should be more visible:
raise the log level to "warning".
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
(cherry picked from commit fc067d61d4)
We would only create the target when updating files. We need to make
sure that we create the target if the source is a directory. Without
this, we'll fail to start a container that utilizes an empty configmap,
for example.
Add unit tests for this.
Fixes: #2638
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Let's make it as clear as possible for the user that if they go for a
tagged version of kata-deploy, eg, 2.2.1, they'll have the kata runtime
2.2.1 deployed on their cluster.
Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 3bdcfaa658)
Let's add more instructions in the README in order to make clear to the
reader what they can do to check whether kata-deploy is ready, or
whether they have to wait till proceeding with the next instruction.
Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 41c590fa0a)
There's only one QEMU runtime class deployed as part of kata-deploy, and
that includes virtiofs support (which is the default for quite some time
already). Knowing this, let's just remove the `qemu-virtiofs` runtime
class definition.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit debf3c9fe9)
Let's teach our `update-repository-version.sh` script to properly update
the kata-deploy tags on both kata-deploy and kata-cleanup yaml files.
The 3 scenarios that we're dealing with, based on which branch we're
targetting, are:
```
1) [main] ------> [main] NO-OP
"alpha0" "alpha1"
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "latest" | "latest" |
-----------------+----------------+----------------+
kata-deploy-base | "stable | "stable" |
-----------------+----------------+----------------+
2) [main] ------> [stable] Update kata-deploy and
"alpha2" "rc0" get rid of kata-deploy-base
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "latest" | "rc0" |
-----------------+----------------+----------------+
kata-deploy-base | "stable" | REMOVED |
-----------------+----------------+----------------+
3) [stable] ------> [stable] Update kata-deploy
"x.y.z" "x.y.(z+1)"
+----------------+----------------+
| from | to |
-----------------+----------------+----------------+
kata-deploy | "x.y.z" | "x.y.(z+1)" |
-----------------+----------------+----------------+
kata-deploy-base | NON-EXISTENT | NON-EXISTENT |
-----------------+----------------+----------------+
```
And we can easily cover those 3 cases only with the information about
the "${target_branch}" and the "${new_version}", where:
* case 1) if "${target_branch}" is "main" *and* "${new_version}"
contains "alpha", do nothing
* case 2) if "${target_branch}" is "main" *and* "${new_version}"
contains "rc":
* change the kata-deploy & kata-cleanup tags from "latest" to
"${new_version}".
* delete the kata-deploy-stable & kata-cleanup-stable files.
* case 3) if the "${target_branch}" contains "stable":
* change the kata-deploy & kata-cleanup tags from "${current_version}"
to "${new_version}".
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 43a72d76e2)
Similar to the instructions we have for the "latest" images, let's also
add instructions about the "stable" images.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit ea9b2f9c92)
Let's just point to our repo URLs rather than assume users using
kata-deploy will have our repo cloned.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit e541105680)
When releasing a tarball, let's *also* add the "stable" & "latest" tags
to the kata-deploy image.
The "stable" tag refers to any official release, while the "latest" tag
refers to any pre-release / release candidate.
Fixes: #2302
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a156288c1f)
This brings #2699 to 5.1.x for ARM. Add a `no_patches.txt` for 5.1.0
which was missing apparently.
Fixes: #2701
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
QEMU's submodule checkout from git.qemu.org can fail. On QEMU 6.x, this
is not a problem because they moved to GitLab. However, we use QEMU 5.2
on stable-2.2, which can be a problem when no cached QEMU is used.
Backport QEMU's switch.
Fixes: #2698
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
As part of the release, let's also upload a tarball with the vendored
cargo code. By doing this we allow distros, which usually don't have
access to the internet while performing the builds, to just add the
vendored code as a second source, making the life of the downstream
maintainers slightly easier*.
Fixes: #1203
Backports: #2573
*: The current workflow requires the downstream maintainer to download
the tarball, unpack it, run `cargo vendor`, create the tarball, etc.
Although this doesn't look like a ridiculous amount of work, it's better
if we can have it in an automated fashion.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 21c8511630)
The agent shutdown test should only run on the CI JOB of CRI_CONTAINERD_K8S_MINIMAL
which is the only one where testing tracing is being enabled, however, this
test is being triggered in multiple CI jobs where it should not run. This PR
fixes that issue.
Fixes#2683
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
add a comment to explicitly mentioned method is a binary call
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Backport from commit 72e3538e36
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
A discussion on the Linux kernel mailing list [1] exposed that virtiofsd makes a
core assumption that the file systems being shared are not accessible by any
non-privileged user. We currently create the `shared` directory in the sandbox
with the default `0750` permissions, which gives read and directory traversal
access to the group. There is no real good reason for a non-root user to access
the shared directory, and this is potentially dangerous.
Fixes: #2589
[1]: https://lore.kernel.org/linux-fsdevel/YTI+k29AoeGdX13Q@redhat.com/
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
In getThreadIDs(), the cpuID variable is derived from a string that
already contains a whitespace. As a result, strings.SplitAfter returns
the cpuID with a leading space. This makes any go variant of string to int
fail (strconv.ParseInt() in our case). This patch makes sure that the
leading space character is removed so the string passed to
strconv.ParseInt() is "CPUID" and not " CPUID".
This has been caused by a change in the naming scheme of vcpu threads
for Firecracker after v0.19.1.
Fixes: #2592
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
Change logger in Trace call in newContainer from sandbox.Logger() to
nil. Passing nil will cause an error to be logged by kataTraceLogger
instead of the sandbox logger, which will avoid having the log message
report it as part of the sandbox subsystem when it is part of the
container subsystem.
The kataTraceLogger will not log it as related to the container
subsystem, but since the container logger has not been created at this
point, and we already use the kataTraceLogger in other instances where a
subsystem's logger has not been created yet, this PR makes the call
consistent with other code.
Backport of #2666Fixes#2667
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Call StopTracing with s.rootCtx, which is the root context for tracing,
instead of s.ctx, which is parent to a subset of trace spans.
Backport of #2662Fixes#2663
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
The current default config in qemu for arm64 doesn't suit for qemu
version 5.1+, so remove them here.
Fixes: #2595
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
If the device has no permission, such as /dev/null, /dev/urandom,
it needs to be added into cgroup.
Fixes: #2615
Backport: #2616
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
Highlights from the Cloud Hypervisor release v18.0: 1) Experimental User
Device (vfio-user) support; 2) Migration support for vhost-user devices;
3) VHDX disk image support; 4) Device pass through on MSHV hypervisor;
5) AArch64 for support virtio-mem; 6) Live migration on MSHV hypervisor;
7) AArch64 CPU topology support; 8) Power button support on AArch64; 9)
Various bug fixes on PTY, TTY, signal handling, and live-migration on
AArch64.
Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v18.0Fixes: #2543
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit f0b5331430)
adds the default devices for unix such as /dev/null, /dev/urandom to
the container's resource cgroup spec
Fixes: #2539
Backports: #2603
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
In snapcraft.yaml we have a case statement on $(branch) - that is on the
output of executing a command "branch". From the selections it appears
that what it actually wants is to simply select on the contents of the
$branch variable, which should be ${branch} instead.
fixes#2558
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
- runtime: drop qemu-lite support
- stable-2.2 | virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
- backport ci: Temporarily skip agent shutdown test on s390x
- backport: build_image: Fix error soft link about initrd.img
dca35c17 docs: remove mentioning of qemu-lite
0bdfdad2 runtime: drop qemu-lite support
60155756 runtime: fix default hypervisor path
ca9e6538 ci: Temporarily skip agent shutdown test on s390x
938b01ae virtcontainers: clh: Workaround incorrect default values
abd708e8 virtcontainers: clh: Fix the unit test
61babd45 virtcontainers: clh: Use constructors to ensure proper default value
59c51f62 virtcontainers: clh: Migrate to use the updated client APIs
c1f260cc virtcontainers: clh: Re-generate the client code
4cd6909f virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
efa2d54e build_image: Fix error soft link about initrd.img
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Two default values defined in the 'cloud-hypervisor.yaml' have typo, and this
patch manually overwrites them with the correct value as a workaround
before the corresponding fix is landed to Cloud Hypervisor upstream.
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 932ee41b3f)
This patch fixes the unit tests over clh.go with the updated client code.
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit bff38e4f4d)
With the updated openapi-generator, the client code now handles optional
attributes correctly, and ensures to assign the right default
values. This patch enables to use those constructors to make sure the
proper default values being used.
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit d967d3cb37)
The client code (and APIs) for Cloud Hypervisor has been changed
dramatically due to the upgrade to `openapi-generator` v5.2.1. This
patch migrate the Cloud Hypervisor driver in the kata-runtime to use
those updated APIs.
The main change from the client code is that it now uses "pointer" type
to represent "optional" attributes from the input openapi specification
file.
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit a6a2e525de)
This patch re-generates the client code for Cloud Hypervisor with the
updated `openapi-generator` v5.2.1.
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 46eb07e14f)
To improve the quality and correctness of the auto-generated code, this
patch upgrade the `openapi-generator` to its latest stable release
v5.2.1.
Fixes: #2487
Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 80fba4d637)
- use CRI in kata-monitor
- config: Enable jailer by default when using firecracker
- workflows: Actually push the release to quay.io
- docs: update general wording for installation documentation
- Cleanup kernel packaging
- tracing: Return context in runHooks() span creation
- osbuilder: Document no Alpine support on s390x
- osbuilder: Upgrade Ubuntu guest to 20.04
- agent: watcher / inotify stability fixes
- enable snap build for arm64
- agent: Fix cargo 1.54 clippy warning
- osbuilder: Drop Go agent support
- kernel: PTP_KVM support for arm/arm64 in Kata
- docs: update the docs project url from kata 1.x to 2.x
- clh: correct cloud-hypervisor installation on non-x86
- virtcontainers: fc: properly remove jailed block device
- CI: Call agent shutdown test
- kata deploy: always update the base image
- docs: Remove kata-proxy and invalid script reference
- workflows: Actually login to quay.io
- kata-deploy: Update our content to use / point to quay.io/kata-containers rather than katadocker
- agent: Create the process CWD when it does not exist
- Update Kata to allow it to use Qemu 6.1
- osbuilder/dracut: Add missing libraries
- osbuilder: pass env OS_VERSION
- tools: shorten directory path
- virtcontainers: clh: Do not use the default HTTP client
- docs: update kata deploy README doc to add cloud-hypervisor test command
- Container: Add initConfigResourcesMemory and call it in newContainer
- qemu/arm: remove nvdimm/"ReadOnly" option on arm64
- Fix issue container start fail if io.katacontainers.container.resource.swap_in_bytes and memory_limit_in_bytes are not set
- docs: Add tracing proposals doc
- docs: Remove table of contents
- static-checks: Check for the `force-skip-ci` label on each step
- docs: update the kata release url in the kata deploy document
- kata-deploy: Allow build kata-deploy tarball from HEAD
- mod: unify runc and containerd dependencies
- how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
- ci: Run static checks when PRs are updated
- docs: update url for log parser in how-to-import-kata-logs-with-fluen…
- versions: Upgrade to Cloud Hypervisor v17.0
- snap: Substitute image configuration with initrd
- docs: Update url for log parser in Developer guide
- mount: fix the issue of missing check file exists
- build(deps): bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /src/runtime
- docs: Update experimental documentation
- snap: do not export agent version
- Upgrade runc to 1.0.1
- runtime: read-only NVDIMM
- osbuilder/scripts: add support to yq version 4 and above
- osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
- monitor: mv the monitor socket into sbs directory
- fix govet fieldalignment
- docs: added a glossary to support SEO tactics
- ci: expand $CI to nothing
- Add swap support
- snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
- agent: clear MsFlags if the option has clear flag set
- snap: Remove QEMU before clone
- docs: fix minikube installation guide runtimeclasses error
- docs: fixed kata-deploy path for kata logs with fluentd doc
- agent/agent-ctl: update tokio to 1.8.1
- ci: set -o nounset
- static-checks: Add a make target to run static-checks locally
- virtiofsd: fix the issue of missing stop virtiofsd
- docs: Update containerd configuration format
- osbuilder: Skip installing golang for building rootfs
- agent-ctl: Use a common Makefile style like other components
- vsock-exporter: switch to tokio runtime
- config: Fix description for OCI hooks
- shimv2: fix the issue of kata-runtime exec failed
7a5ffd4a config: Enable jailer by default when using firecracker
2cb7b513 docs: update general wording for installation documentation
76f4588f workflows: Actually push the release to quay.io
b980c62f packaging/kernel: Update kernel build doc
99e9a6ad packaging/kernel: Update versions.yaml kernel urls
c23ffef4 packaging/kernel: Remove old Jenkins pipeline
9586d482 tracing: Return context in runHooks() span creation
6a6dee7c osbuilder: Document no Alpine support on s390x
71f304ce agent: watcher: cleanup mount if needed when container is removed
f1a505db agent: Temporarily allow unknown linters
961aaff0 agent: watcher: fixes to make more robust
7effbdeb osbuilder: Upgrade Ubuntu guest to 20.04
99ab91df docs: update the docs project url from kata 1.x to 2.x
4fe23b19 kernel: PTP_KVM support for arm/arm64 in Kata
f981fc64 clh: correct cloud-hypervisor installation
f87cee9d kata-deploy: Rely directly on a centos:7 image
6871aeaa snap: enable snap build for arm64
15e0a3c8 kata-deploy: Remove unneeded yum cached files
d01aebeb kata-deploy: Ensure the system is up-to-date
77160e59 workflows: Actually login to quay.io
b9e03a1c docs: update the image repository to quay.io
f47cad3d tools: Update the image repository to quay.io
9fa1febf workflows: Also push the image to quay.io
233b53c0 agent: Fix cargo 1.54 clippy warning
2d8386ea kata-monitor: add few unit tests
8714a350 kata-monitor: make code to identify kata pods simpler
68a6f011 kata-monitor: drop the runtime info from the sandbox cache
97dcc5f7 kata-monitor: drop getMonitorAddress()
0b03d97d vendor: update vendors for kata-monitor
c2f03e89 kata-monitor: talk to the container engine via the CRI
c867d1e0 osbuilder: Drop Go agent support
1d25d7d4 docs: Remove kata-proxy and binaries reference
64dd35ba virtcontainers: fc: properly remove jailed block device
b8133a18 osbuilder/dracut: Add missing libraries
831c2fee packaging: Remove reference to sheepdog driver
2e28b714 packaging: Drop support for qemu < 5.0
d5f85698 vendor: Update govmm
31650956 runtime/qemu: Use explicit "on" for kernel_irqchip parameter
a72b0811 osbuilder: pass env OS_VERSION
d007bb85 kata-deploy: shorten directory path
e6408fe6 Container: Add initConfigResourcesMemory and call it in newContainer
49083bfa agent: Create the process CWD when it does not exist
ee90affc newContainer: Initialize c.config.Resources.Memory if it is nil
767a41ce updateResources: Log result after calculateSandboxMemory
760ec4e5 virtcontainers: clh: Do not use the default HTTP client
3fe6695b static-checks: Check for the `force-skip-ci` label on each step
7df56301 CI: Call agent shutdown test
57b696a5 docs: Removed mention of 1.x
4f0726bc docs: Remove table of contents
f186c5e2 docs: Fix invalid URLs
7c610a6f docs: Fix shell code
80afba15 docs: update kata deploy README doc to add cloud-hypervisor test command
5a0d3c4f docs: update the kata release url in the kata deploy document
9514dda5 mod: unity containerd dependency
6ffe37b9 mod: unify runc dependency
5b514177 docs: Add tracing proposals doc
b53e8405 how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
5957bc7d ci: Run static checks when PRs are updated
81e6bf6f kata-deploy: Split shimv2 build in a separate container.
d46ae324 kernel: build: Add container build
b789a935 actions: release: Use new kata-deploy scripts.
85987c6d kata-deploy: Add Makefile
b9d2eea3 kata-deploy: Add script to merge kata tarballs.
4895747f Rootfs: Add curl to alpine rootfs builder.
fc90bb53 Actions: Add new workflow to create static tarballs
bbb06c49 actions: Remove scripts from actions directory.
2f9859ab build: Reuse firecracker directory on builds.
3533a5b6 Packaging: stop using GOPATH for yq.
0c5ded4b kata-deploy: build kata only with docker in host
2ec31093 docs: update url for log parser in how-to-import-kata-logs-with-fluentd.md
cc0bb9ae versions: Upgrade to Cloud Hypervisor v17.0
8e9ffe6f snap: Substitute image configuration with initrd
8b15eafa docs: Update url for log parser in Developer guide
77604de8 qemu/arm: remove nvdimm/"ReadOnly" option on arm64
4fbae549 docs: Update experimental documentation
07f7ad9d build(deps): bump github.com/containerd/containerd in /src/runtime
9c0b8a7f snap: do not export agent version
3727caf7 versions: Update runc to 1.0.1
116c29c8 cgroups: manager's Set() now takes Resources as its parameter
c0f801c0 rootless: RunningInUserNS() is now part of userns namespace
b5293c52 runtime: update runc dependency to 1.0.1
2859600a runtime: virtcontainers: make rootfs image read-only
8befb1f3 kata-deploy: Refactor builder options.
7125f5d8 image-builder: Allow build image and initrd independently.
0f8c0dbc osbuilder/scripts: add support to yq version 4 and above
070590fb vendor: update govmm
b4c45df8 runtime: tools/packaging/cmd/kata-pkgsync: fix govet fieldalignment
aec53090 runtime: virtcontainers/utils: fix govet fieldalignment
1e4f7faa runtime: virtcontainers/types: fix govet fieldalignment
bb9495c0 runtime: virtcontainers/pkg: fix govet fieldalignment
80ab91ac runtime: virtcontainers/persist: fix govet fieldalignment
54bdd018 runtime: virtcontainers/factory: fix govet fieldalignment
dd58de36 runtime: virtcontainers/device: fix govet fieldalignment
47d95dc1 runtime: virtcontainers: fix govet fieldalignment
8ca7a7c5 runtime: netmon: fix govet fieldalignment
31de8eb7 runtime: pkg: fix govet fieldalignment
2b80091e runtime: containerd-shim-v2: fix govet fieldalignment
0dc59df6 runtime: cli: fix govet fieldalignment
c1042523 ci: expand $CI to nothing
add480ed monitor: mv the monitor socket into sbs directory
f7c6f170 docs: added a glossary to support SEO tactics
a8649acf snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
38826194 osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
c5fdc0db docs: fix minikube installation guide runtimeclasses error
f2ef25c6 docs: fixed kata-deploy path for kata logs with fluentd doc
cb6b7667 runtime: Add option "enable_guest_swap" to config hypervisor.qemu
a733f537 runtime: newContainer: Handle the annotations of SWAP
2c835b60 ContainerConfig: Set ocispec.Annotations to containerConfig.Annotations
243d4b86 runtime: Sandbox: Add addSwap and removeSwap
e1b91986 runtime: Update golang proto code for AddSwap
4f066db8 agent: agent.proto: Add AddSwap
4f23b8cd ci: set -o nounset
35cbc93d agent: clear MsFlags if the option has clear flag set
ff87da72 config: Fix description for OCI hooks
8e0daf67 shimv2: fix the issue of kata-runtime exec failed
b12b21f3 osbuilder: Skip installing golang for building rootfs
558f1be6 snap: Remove QEMU before clone
5371b921 mount: fix the issue of missing check file exists
27b299b2 agent-ctl: Use a common Makefile style like other components
05084699 agent-ctl: bump to latest tokio
acf69328 agent: update tokio to 1.8.1
dcd29867 static-checks: Call the static-checks make target
afd97850 makefile: Add static-checks target
34828df9 virtiofsd: fix the issue of missing stop virtiofsd
73d3798c vsock-exporter: switch to tokio runtime
7960689e tracing: replace SimpleSpanProcessor with BatchSpanProcessor
e887b39e docs: Update containerd configuration format
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Now that we have enabled CI tests for jailed firecracker and we have
fixed the issue with removing the block storage device #2387, we
should leverage the full power of firecracker and enable jailer by
default.
Fixes: #2455
Signed-off-by: Jack Rieck <jack.rieck@sendgrid.com>
Remove duplicated information, reduce text separation, and rewrite notes
to be more clear and concise.
Fixes: #2449
Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
As quay.io is becoming our de-facto image registry, let's actually push
the kata-deploy release to it. This commit should've been part of
9fa1febfd9 but ended up slipping out.
Fixes: #2306
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The call to Trace() in runHooks() should return a context so that
subsequent calls to runHook() produce properly ordered trace spans.
Fixes#2423
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Alpine used to work as guest under 1.x, but because there is no musl
target for Rust on s390x, Alpine will not work for 2.x. Document this.
Fixes: #2436
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
inotify/watchable-mount changes...
- Allow up to 16 files. It isn't that uncommon to have 3 files in a secret.
In Kubernetes, this results in 9 files in the mount (the presented files,
which are symlinks to the latest files, which are symlinks to actual files
which are in a seperate hidden directoy on the mount). Bumping from eight to 16 will
help ensure we can support "most" secret/tokens, and is still a pretty
small number to scan...
- Now we will only replace the watched storage with a bindmount if we observe
that there are too many files or if its too large. Since the scanning/updating is racy,
we should expect that we'll occassionally run into errors (ie, a file
deleted between scan / update). Rather than stopping and making a bind
mount, continue updating, as the changes will be updated the next time
check is called for that entry (every 2 seconds today).
To facilitate the 'oversized' handling, we create specific errors for too large
or too many files, and handle these specific errors when scanning the storage entry.
- When handling an oversided mount, do not remove the prior files -- we'll just
overwrite them with the bindmount. This'll help avoid the files
disappearing from the user, avoid racy cleanup and simplifies the flow.
Similarly, only mark it as a non-watched storage device after the
bindmount is created successfully.
- When creating bind mount, make sure destination exists. If we hadn't
had a successful scan before, this wouldn't exist and the mount would
fail. Update logic and unit test to cover this.
- In several spots, we were returning when there was an error (both in
scan and update). For update case, let's just log an warning and continue;
since the scan/update is racy, we should expect that we'll have
transient errors which should resolve the next time the watcher runs.
Fixes: #2402
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
- no need to create `/usr/lib/systemd/systemd` link any more
- install `chrony` as extra package and install extra packages in chroot
rather than `debootstrap`, because `chrony` provides `time-daemon`,
which under 20.04 is provided by `systemd-timesyncd`, which is
required by `systemd`, and `debootstrap`'s conflict resolvement can't
handle this, but `apt`'s can.
Fixes: #2147
Depends-on: github.com/kata-containers/tests#3636
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
changed the document project url in the using-vpp-and-kata.md and
runtime experimental README.md files.
Fixes: #2418
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
This work patched the 4.19, 5.4 and 5.10 kernels, and now ptp_kvm can work
correctly when the host and guest use different kernel versions..
Fixes: #2123
Signed-off-by: Damon Kwok <damon-kwok@outlook.com>
Currently, there is cloud hypervisor binary released only for x86, thus
we must build from source code when install cloud hypervisor on arm64.
Fixes: #2410
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Instead of relying on a centos/docker image, present only on dockerhub,
let's rely on the centos:7 image from the centos registry, and apply
the same modifications applied when generating the centos/systemd image.
The main reason for doing this is avoiding to update an image from 3
years ago, making the delta of the packages updated smaller.
If you're curious why we keep using CentOS 7 though, the reason is
because CentOS 8, and UBI images have a different systemd configuration
that works quite well when mounting the image using podman, but systemd
can't connect dbus when running on environments like AKS or even
minikube. So, in order to be as compatible as possible, let's keep
using the CentOS 7 image for now, at least till we find a suitable
substitute for that.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
snap build for arm64 fail for a long time, here we enable it.
the changes:
1. correct the variable of "branch"
2. add v5.1.0 under tag_patchs
Fixes: #2194
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Let's just remove the cached failes as those are not needed for anything
we do when using this image.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
In order to avoid providing an image with security issues, let's ensure
we run `yum update` as part of our image build process. This is needed
as even with the latest CentOS images there may be fix provided by some
CVE that's already part of the updates but not yet part of the image.
In our case, it's even more needed as the `centos/systemd` image has not
been updated for 3 years or so and those are the vulnerabilities found
in the current images:
https://quay.io/repository/kata-containers/kata-deploy?tab=tagsFixes: #2303
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
9fa1febfd9 added the support to also push
the image to quay.io. However, we didn't try explicitly pass quay.io as
the registry server, causing then to login to fail.
Fixes: #2306
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
just search for the "kata" substring in the runtime value and log at
info level when the runtime name/type is not found.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
We keep the container engine info in the sandbox cache map, as the value
associated to the pod id (the key). Since we used that in
getMonitorAddress() only (which is gone) we can avoid storing that
information. Let's drop it.
Keep the map structure and the [put,delete]IfExists functions as we may
want to move to an event based cache update process sooner or later, and
we will need those.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
since the shim socket path is statically defined in the containerd-shimv2
code, we don't need to retrieve the socket name from the filesystem:
construct the socket name using the containerd-shimv2 code.
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
kata-monitor switched from containerd client to CRI. Update the
dependencies and vendored code.
go mod tidy
go mod vendor
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
kata-monitor uses containerd client to retrieve information from the
container engine. This makes kata-monitor work with the containerd
container engine only.
Bin Liu (bin <bin@hyper.sh>) worked on a kata-monitor version able
to talk to any container engine leveraging the standard CRI[1].
Here, the original work of Bin Lui has been adapted on the current
kata-monitor to make it container engine independent.
[1] https://github.com/liubin/kata-containers/tree/fix/1030-use-cri-in-kata-monitorFixes: #1030
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
With Kata 1.x EOL, the Go agent is no more. So, remove support for it from
the osbuilder scripts. This removes the RUST_AGENT variable, treating it
as always true.
fixes#2396
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Kata-proxy is not longer used in kata 2.x, this PR removes the
reference as well to an script that is not longer existing.
Fixes#2391
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
When running a firecracker instance jailed, block devices
are not removed correctly, as the jailerRoot path is not
stripped from the PATCH command sent to the FC API.
This patch differentiates the jailed case from the non-jailed
one and allows the firecracker instance to be properly
terminated.
Fixes#2387
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
When the guest is built using dracut and the agent uses glibc (esp.
ppc64le/s390x), libraries might be missing. In my case, it was
`libutil.so`, but more can be added easily. Add a script to configure
`install_items` for dracut w.r.t. `ldd` of the agent.
Fixes: #2384
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The QEMU sheepdog driver was deprecated in 5.2.0 and removed entirely in
6.1. Explicitly disabling, therefore is unnecessary from 5.2.0 and will
give an error from 6.1.
fixes#2337
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We only test qemu 5.2 in the CI (5.1 for ARM), and I believe we already
have some subtle dependencies that will stop things working on older qemu
versions.
We just updated govmm to a version that explicitly only works with qemu 5.0
and later, so we can drop stale checks for older qemu versions. More
specifically that means we can drop patches for older qemu versions, and
remove checks for older qemu versions from configure-hypervisor.sh.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Update to commit 3c64244cbb, in particular to get these fixes which
are needed to work with qemu-6.0 and later:
https://github.com/kata-containers/govmm/pull/192https://github.com/kata-containers/govmm/pull/194
Git log
d27256f (qmp: Don't use deprecated 'props' field for object-add, 2021-08-03)
d8cdf9a (qemu: Drop support for versions older than 5.0, 2021-08-03)
1b02192 (Use 'host_device' driver for blockdev backends, 2021-07-29)
9518675 (add support for "sandbox" feature to qemu, 2021-07-20)
335fa81 (qemu: fix golangci-lint errors, 2021-07-21)
61b6378 (.github/workflows: reimplement github actions CI, 2021-07-21)
9d6e797 (go: support go modules, 2021-07-21)
0d21263 (qemu: support read-only nvdimm, 2021-07-21)
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Kata uses the 'kernel_irqchip' machine option to qemu. By default it
uses it in what qemu calls the "short-form boolean" with no parameter.
That style was deprecated by qemu between 5.2 and 6.0 (commit
ccd3b3b8112b) and effectively removed entirely between 6.0 and 6.1
(commit d8fb7d0969d5).
Update ourselves for newer qemus by using an explicit
"kernel_irqchip=on".
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With lines like
0a2e2c6038/tools/osbuilder/rootfs-builder/fedora/config.sh (L8)
we imply that one can set another OS_VERSION and it will get picked up.
This is not the case when building inside Docker/Podman because the
variable is not passed to the container, which can lead to confusion.
Forward this env.
Fixes: #2378
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
long file paths are difficult to read, this change adds a new readonly variable to shorten the full file path of the static build folder files.
Fixes: #2354
Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
The swappiness is not right if just set
io.katacontainers.container.resource.swappiness:
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
name: busybox-killed-vmm
annotations:
io.katacontainers.container.resource.swappiness: "100"
image:
image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
crictl exec $cid cat /sys/fs/cgroup/memory/memory.swappiness
60
The cause of this issue is there are two elements store the resources
infomation. They are c.config.Resources for calculateSandboxMemory and
c.GetPatchedOCISpec() for agent.
This add initConfigResourcesMemory to Container and call it in
newContainer to handle the issue.
Fixes: #2372
Signed-off-by: Hui Zhu <teawater@antfin.com>
Although the OCI specification does not explictly requires that, we
should create the process CWD if it does not exist, before chdir'ing
to it. Without that fizx, the kata-agent fails to create a container
and returns a grpc error when it's trying to change the containerd
working directory to an non existing folder.
runc, the OCI runtime reference implementation, also creates the process
CWD when it's not part of the container rootfs.
Fixes#2374
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When enabling tracing with Cloud Hypervisor, we end up establishing 2
connections to 2 different HTTP servers: The Cloud Hypervisor API one
that runs over a UNIX socket and the Jaeger endpoint running over UDP.
Both connections use the default HTTP golang client instance, and thus
share the same transport layer. As the Cloud Hypervisor implementation
sets it up to be over a Unix socket, the jaeger uploader ends up going
through that transport as well, and sending its spans to the Cloud
Hypervisor API server.
We fix that by giving the Cloud Hypervisor implementation its own HTTP
client instance and we avoid sharing it with anything else in the shim.
Fixes#2364
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
This is not the most beautiful solution, but when do the check on every
single step we ensure the test at least started, and consequently will
succeed.
Without this the tests wouldn't even start, making any PR using the
`force-skip-ci` label not mergeable.
Fixes: #2362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Run the agent shutdown test as part of CI testing code in this repo.
Fixes: #1808.
Depends-on:github.com/kata-containers/tests#3495
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
All users should be running 2.x releases so remove the legacy details
since it's arguably confusing to have two sets of details.
Reworked the components listed in the main README so that rather than
being sorted alphabetically, they are now sorted in semi-order of
importance and split into two tables to make the point more clearly.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Removed all TOCs now that GitHub auto-generates them.
Also updated the documentation requirements doc removing the requirement
to add a TOC.
Fixes: #2022.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kata deploy README document only contains Firecracker and Qemu. This PR adds
cloud-hypervisor test command to the README.md file.
Fixes: #2357
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
The old ones are carrying CVEs, do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since the old ones are carrying CVEs. Do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Fixes: #2338
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Create a document summarising the tracing design proposals
from PR #1937.
Fixes: #2061.
Signed-off-by: bin <bin@hyper.sh>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Looking at the changes that could cause the static-checks not to run
when a PR is updated I think 7db8a85a1f
could be the one that introduced such a regression.
Let's (try to) fix this by enforcing the workflow to run also when the
PR has been "edited" and "synchronized".
Fixes: #2343
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add makefile to document possible options to run.
e.g
Default: Create a kata tarball, it will build assets concurrently.
```
$ make
```
Create a tarball build for cloud-hypervisor.
```
$ make cloud-hypervisor
```
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
If alpine image is created inside a container,
it does not get any golang version data. It will try
to get it by installing yq. To install yq curl is used.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Tarballs are generated on push and merge events.
push: Allows get a tarball from the PR and use locally.
merge: After a PR is merged we have a quick way to get latest
kata-tarball.
The tarball can be downloaded from github page only.
Fixes: #1710
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
kata-deploy buider now reuses the build directory, this
makes faster rebuilds. Update firecracker builder to
not fail if is called twice.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Use the yq installed in the env. Needed
to build kata from docker. The container builder
has not an initial Go env.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
Add script to build kata using docker.
Allow build kata-deploy binaries using docker.
kata-deploy-binaries-in-docker.sh is a wrapper of
kata-deploy-binaries.sh it will call kata-deploy-binaries.sh in a
container with all the dependencies installed.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
rather than removing the other line because configuration only contains
the image line ever more and this is how we already do it in tests.
Fixes: #2330
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This PR updates the proper url for log parser for kata 2.x for
the Developer Guide document.
Fixes#2328
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
There is a new "ReadOnly" option added to nvdimm device in qemu
and now added to kata. However, qemu used for arm64 is a little
old and has no this feature. Here we remove this feature for arm.
Fixes: #2320
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This PR updates the experimental documentation with the proper reference
to kata 2.x
Fixes#2317
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This causes the repository to be checked out to a version tag, which is
inconsistent with how we build runtime, and reverts us to a buggy
`snap/snapcraft.yaml`.
Fixes: #2313
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Let's ensure the runc version installed and used for running our tests
matches the vendored version.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Pior our bump to runc 1.0.1 the manager's Set() would take a Config as
its parameter. Now it takes the Resources directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Previously part of the "system" namespace, the RunningInUserNS() has
been moved to the "userns" namespace.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Dependabot brought to us attention that we were still vendoring the runc
code which was affected by CVE-2021-30465.
Although the vulnerability doesn't seem to affect kata-containers, we
better keep our dependencies up-to-date anyways. With this in mind,
let's bump our runc dependency to the latest release.
Fixes: #2309
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Improve security by making rootfs image read-only, nobody
will be able to modify it from the guest.
fixes#1916
Signed-off-by: Julio Montes <julio.montes@intel.com>
Update kata-deploy-binaries.sh cli options.
Add options to allow ask build a tarball for a specific asset.
It will help developers build a specific component and update
a kata-deploy installation. Also build each asset independetly
can help to create cache tarballs per asset in the future.
e.g. Build a tarball with shimv2.
```
./kata-deploy-binaries.sh --build=shim-v2
```
Additionally, the script path is moved to a new directory
as not only will work for releases.
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
yq changed syntax in an incompatible way starting from version 4 and
above. Deal with that.
Fixes: #2297
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Bring read-only nvdimm support
Shortlog:
335fa81 qemu: fix golangci-lint errors
61b6378 .github/workflows: reimplement github actions CI
9d6e797 go: support go modules
0d21263 qemu: support read-only nvdimm
ff34d28 qemu: Consistent parameter building
Signed-off-by: Julio Montes <julio.montes@intel.com>
PR #2252 put `set -o nounset` in `ci/lib.sh`. It turns out that this
won't work when `$CI` is unset (it is always set in CI). Expand `$CI` to
nothing.
Fixes: #2283
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Since the monitor socket used the unix socket path file,
which needed to be cleaned after the pod terminated,
thus put it into the sandbox data directory, and it
would be cleaned up once the sandbox termianted.
Fixes: #2269
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
This commit is a result of Assisted PR Process for PR #1515. It
deviates from it in that the original commits were not retained as the
original commit structure was unnecessarily complex - the same commit
was added to two parallel branches which were then merged, producing the
same result in the end as any of the original two non-merge commits.
Also, a squash was requested by an original PR review.
Other changes to the original PR were changing capitalisation of the word
"Kubelet" in Glossary.md to placate spell checker and fixing link names and
syntax.
The original commit message follows:
The terms added are: Kata Containers, container software, container
runtime interface, virtual machine software, container virtualization,
container security solutions, serverless containers, pod containers,
virtual machine monitor, private cloud, infrastructure architecture,
public cloud, and auto scaling.
Fixes: #1509
Signed-off-by: Helena Spease <helena@openstack.org>
Signed-off-by: Pavel Mores <pmores@redhat.com>
fixed arm qemu patches dir in snap part. Clear the old `packaging/obs-packaging` path.
Fixes: #2279
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
the kata-deploy project scripts were changed, but minikube installation guide doc still use old yaml script.
fix guide doc use the new yaml script of runtimeClasses.
Fixes: #2276
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
The kata-deploy project path has changed from kata v2. fixed kata-deploy path in the document how-to-import-kata-logs-with-fluentd.md.
The correct path is `$GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy`
Fixes: #2273
Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
This commit add option "enable_guest_swap" to config hypervisor.qemu.
It will enable swap in the guest. Default false.
When enable_guest_swap is enabled, insert a raw file to the guest as the
swap device if the swappiness of a container (set by annotation
"io.katacontainers.container.resource.swappiness") is bigger than 0.
The size of the swap device should be
swap_in_bytes (set by annotation
"io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
If swap_in_bytes and memory_limit_in_bytes is not set, the size should be
default_memory.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
This commit add code to handle the annotations
"io.katacontainers.container.resource.swappiness" and
"io.katacontainers.container.resource.swap_in_bytes".
It will set the value of "io.katacontainers.resource.swappiness" to
c.config.Resources.Memory.Swappiness and set the value of
"io.katacontainers.resource.swap_in_bytes" to
c.config.Resources.Memory.Swap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
ocispec.Annotations is dropped in ContainerConfig.
This commit let it to be set to containerConfig.Annotations in
ContainerConfig.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
addSwap will create a swap file, hotplug it to hypervisor as a special
block device and let agent to setup it in the guest kernel.
removeSwap will remove the swap file.
Just QEMU support addSwap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
Add new fuction AddSwap. When agent get AddSwap, it will get the device
name from PCIPath and set the device as the swap device.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
'FLAGS' hash map has bool to indicate if the flag should be cleared or
not. But in parse_mount_flags_and_options() we set the flag even 'clear'
is true. This results in a 'rw' mount being mounted as 'MS_RDONLY'.
Fixes: #2262
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
Seems that at least some versions of container, when using ConifgPath,
still rely on the runtime options and its APIs from the not in use
anymore github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1.
The fact backward compat breaks when moving from the old to the new
runtime options, which happened as part of f60641a6e6d, strongly feels
like a containerd bug. Regardless, we can easily work this around on
our side without much hassle.
Just by importing old runtime options the unmarshalling doesn't break
anymore and we can easily check whether getting the options fails or not
and fallback to the old way if it does.
Fixes: #2258
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Commit 32c9ae1388 upgrade the
containerd vendor, which used the socket path to replace
the abstract socket address for socket listen and dial, and
there's an bug in containerd's abstract socket dialing.
Thus we should replace our monitor and exec socket server
with the socket path to fix this issue.
Fixes: #2238
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Building rootfs does not depend on golang, delete intalling
golang may save build time.
And there is only rust agent now, the code for golang agent should
be deleted too.
Fixes: #2170
Signed-off-by: bin <bin@hyper.sh>
If you snap in an environment where you previously snapped,
`git clone`ing QEMU will fail. Remove the checkout directory.
Fixes: #2249
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
It's better to check whether the destination file exists
before creating them, if it had been existed, then return
directly.
Fixes: #2247
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Update to latest tokio to address RUSTSEC-2021-0072:
Task dropped in wrong thread when aborting `LocalSet` task
Update the toml to specify just 1.x for the tokio version.
Fixes: #2165
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
While doing the release we've faced the following issue:
```
Dockerfile for action: '/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile'.
/usr/bin/docker build -t 8a33c1:c0625fe487ce5e4c8217747bef28861f -f "/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile" "/home/runner/work/kata-containers/kata-containers/packaging/kata-deploy/action"
Sending build context to Docker daemon 15.87kB
Step 1/12 : FROM microsoft/azure-cli:latest
pull access denied for microsoft/azure-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```
Carlos pointed out that the image has gone awry and that we could use
mcr.microsoft.com/azure-cli instead.
Fixes: #2240
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Instead of calling the ci/static-checks.sh script directly, it was changed the
workflow to call `make static-checks`. And because the `static-checks` target
depends on build, the build step in the workflow is not longer needed.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Added the 'static-checks' make target to allow developers to easily run
the static checks locally.
Fixes#2206
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
- runtime: Register defer function at early stage
- Ensure the go vendored code is up-to-date and that we actually can call `cargo vendor` on every pull-request
- ci: add golang 1.16 to the CI
- Update outdated comments and do some minor reworks
- snap: Build initrd on ppc64le & s390x
- ci: static checks: use defined target_branch
- trace-forwarder: Add option rustflags, target, build-type for the make
- CI: Honour force-skip-ci label
- qemu: stop the virtiofsd specifically
- tracing: Consolidate tracing into a new katatrace package
- runtime: return error if clh's binary doesn't have a normal stat
- osbuilder: Fix the order of checking the distro config directory
- agent: Fix to parsing of /proc/self/mountinfo
- runtime: Fix lint issues
- snap: Miscellaneous s390x fixes
- runtime: Use CC=gcc on all RPM-based s390x
- s390x: Enable virtio-blk-ccw
- forwarder: Add dump only option
- shimv2: fix the issue of leaking the hypervisor processes
- runtime: Remove the version check for cloud hypervisor
- agent: fix wrong regular exp to fetch guest-cid
- runtime: refact virtcontainers/pkg/oci
- agent: enhance tests of execute_hook
- agent: Cleanup config
- Pass span context from runtime to agent to get a full trace #1968
- agent: update netlink libraries
- shimv2: update containerd vendor
- runtime: Format golang proto code
- agent: delete some lint attributes
- docs: Fix url in virtiofs documentation
- tools: agent-ctl: Fix build failure
- cargo: Use latest nix crate for all Rust code bases
- virtcontainers: Don't fail memory hotplug
- Add "watchable-mounts" concept to allow for inotify support of specific types of mounts.
- tracing: Make runHooks() span creation return context
- kernel: Add Secure Execution guest
- packaging: Support Podman in QEMU build
- Update qat version
- docs: Set LIBC=gnu for s390x too
- shimv2: fix the issue of leaking wait goroutines
- runtime: report finish time in containers stats
- docs: Fix typos in Developer Guide
- docs: Update urls for Documentation Requirements document
- runtime: update default machine type to q35
- docs: fix brackets usage error for developer guide
- Remove the pc machine
- runtime: do not hot-remove PMEM devices
- docs: Update kata-deploy urls for installation document
- docs: Update url for installation guides
- agent: Add some mount options and sort the options alphabetically
- runtime: using detail propertites instead of function name in log field
- qemu: Add nvdimm read-only file support
- ci: snap: Fetch history to all branches and tags
- memory_offset must be larger than 32 bit
- containerd-shim-v2: Skip TestIoCopy unit test
- ppc64le: Adding test for appendProtectionDevice
- agent: Update rust version for tokio
- Upgrade mio to v0.7.13 to fix epoll_fd leak problem
- osbuilder: fix log message that is not error but seems like an error
- docs: Update url for breaking compatibility
- docs: Remove docker support with kata 2.x and sysctls
- docs: Update README for runtime documentation
- Support SEV
- test: Add a unit test for ioCopy()
- versions: Upgrade to cloud-hypervisor v16.0
e3860691 static-checks: Restrict static checks to go 1.15 and 1.16
f4fbf723 runtime: Update vendored code
a20074d4 static-checks: Check the vendored code
ac8f972e build: Add `make vendor`
f9643d83 agent-ctl: Add `make vendor`
5e69b498 trace-forwarder: Add `make vendor`
a104f132 agent: Add `make vendor`
579b3f34 runtime: Add `make vendor`
930ca55d runtime: Add `make handle_vendor`
39546a10 runtime: delete not used functions
d0bc148f runtime: Register defer function at early stage
350acb2d virtcontainers: refactoring code for error handling in sandbox
858f39ef virtcontainers: update wrong comments for code
e0a19f6a virtcontainers: update API documentation
8d6dd2ad snap: support golang 1.16.x
a48dc93f versions: update newest golang version
37996791 ci: add 1.16 to the list of golang versions to test
6999dcca trace-forwarder: Add option rustflags, target, build-type for the make
7db8a85a CI: Honour force-skip-ci label
007a6561 snap: Build initrd on ppc64le & s390x
9b8cc458 ci: static checks: use defined target_branch
9081bee2 runtime: return error if clh's binary has not a normal stat
b10e3e22 tracing: Consolidate tracing into a new katatrace package
88e70759 osbuilder: Fix the order of checking the distro config directory
1ab72518 agent: Fix to parsing of /proc/self/mountinfo
8f76626f qemu: stop the virtiofsd specifically
da3de3c2 shim-v2: Fix `gosimple` issue on utils_test.go
305fb054 virtcontainers: Fix `gosimple` issue on client.go
89cf168c virtcontainers: Ignore a staticcheck error on cpuset.go
2cc9006c snap: Miscellaneous s390x fixes
28b2c629 runtime: Use CC=gcc on SUSE s390x too
cfd690b6 virtcontainers: Use virtio-blk-ccw on s390x
8758ce26 agent: Enable virtio-blk-ccw
a33d6bae forwarder: Add dump only option
4c809a53 shimv2: fix the issue of leaking the hypervisor processes
d08603be runtime: Remove the version check for cloud hypervisor
2c943012 agent: fix wrong regular exp to fetch guest-cid
e6b1766f agent: Cleanup config
55c5c871 agent: enhance tests of execute_hook
bd595124 runtime: add spans and attributes for agent/mount
65d2fb5d agent: remove instrument attribute for some simple functions
cfb8139f agent: add more instruments for RPC calls
ae46e7bf runtime: pass span context to agent in ttRPC client
66dd8719 runtime: refact virtcontainers/pkg/oci
d671f789 agent: fix the issue of convert OCI spec to RPC spec
f607641a shimv2: fix the issue bring by updating containerd vendor
79e632bc version: update the cri-containerd to v1.5.2
32c9ae13 shimv2: update containerd vendor
aa264f91 agent: update netlink libraries
34bdddbe docs: Fix url in virtiofs documentation
3e8a07c4 tools: agent-ctl: Fix build failure
f6294226 cargo: Use latest nix crate for all Rust code bases
064dfb16 runtime: Add "watchable-mounts" concept for inotify support
3f0f1ceb docs: inotify: add initial documentation
6a93e5d5 agent: Initial watchable-bind implementation
57c0cee0 runtime: Cleanup mountSharedDirMounts, shareFile parameters
772c117d kernel: Add Secure Execution guest
f35ba94d packaging: Support Podman in QEMU build
8310a3d7 virtcontainers: Don't fail memory hotplug
ecd13ec4 docs: Update QAT docs with newer driver version
a822cdf6 osbuilder: Update QAT driver version
6a1a051c runtime: report finish time in containers stats
fe0085ca docs: Set LIBC=gnu for s390x too
08984b6e docs: Update urls for Documentation Requirements document
b3623a2c shimv2: fix the issue of leaking wait goroutines
2322f935 runtime: update default machine type to q35
11f9a914 docs: fix brackets usage error for developer guide
1316fa53 docs: Fix typos in Developer Guide
ac6b9c53 runtime: Hot-plug virtio-mem device on PCI bridge
789a5954 virtcontainers: Remove the pc machine
caf5760c runtime: Update golang proto code
bd20701f docs: Update kata-deploy urls for installation document
a9aa36ce docs: Update url for installation guides
ecdd137c runtime: do not hot-remove PMEM devices
000049b6 agent: delete some lint attributes
3f39df0d qemu: Add nvdimm read-only file support
23d31d5a ci: snap: Fetch history to all branches and tags
2022c64f runtime: using detail propertites instead of function name in log field
361bee91 runtime/virtcontrainers: fix alignment structures
6be8bf5c docs: update annotations documentation
7834f412 virtcontainers: change memory_offset to uint64
bd27f7ba agent: Sort PROPAGATION and OPTIONS alphabetically to scan easily
ad06eb90 containerd-shim-v2: Skip TestIoCopy unit test
ea9bb8e9 ppc64le: Adding test for appendProtectionDevice
799cb272 agent: Upgrade mio to v0.7.13 to fix epoll_fd leak problem
45fd58d1 osbuilder: fix log message that is not error but seems like an error
2fb176dd docs: Update url for breaking compatibility
601e2b65 docs: Remove docker support with kata 2.x and sysctls
be316945 virtcontainers: Fix TestQemuAmd64AppendProtectionDevice()
240aae96 docs: Update README for runtime documentation
8825bb29 agent: Update rust version for tokio
cabddcc7 tracing: Make runHooks() span creation return context
e544779c agent: Add some mount options
85c40001 versions: Upgrade to cloud-hypervisor v16.0
b26d5b1d virtcontainers: Support SEV
81c6e4ca runtime/vendor: add github.com/intel-go/cpuid
a918c46f test: Add a unit test for ioCopy()
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Make the vsock-exporter async totally using tokio runtime.
And delay the timing of the connection to trace-forwarder so that
it is easy to reconnect when the connection was broken.
Fixes: #2234
Signed-off-by: Tim Zhang <tim@hyper.sh>
Seems that we get different results when running it with go 1.13.
Instead of figuring out why it doesn't work as expected with an EOL
version of go, let's just not run the tests on go versions that are
already dead.
https://endoflife.date/go
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's ensure we always have the go vendored code up-to-date and that the
rust vendor does actually work.
Fixes: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Add a top-level `vendor` entry, which will help us when adding the
vendor check as part of the static checks.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Let's add this target so we can actually enforce, as part of the static
checks (which will be added in a follow-up commit), that our vendored go
code is up-to-date.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This will help us to ensure that we always update the vendored code when
needed. Right now we've been lacking behind and we tend to realise
something change during the next mandatory update, which is not exactly
optimal.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Use a defined error variable replade inplace error, and shortcut
for handling errors returned from function calls.
Fixes: #2187
Signed-off-by: bin <bin@hyper.sh>
instead of image, does not require privileged containers since `losetup`
is not used and is thus more portable for various build environments.
Fixes: #2218
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
`containerd` has adopted a new configuration style. Update the example configuration to reflect the change.
Fixes: #2180
Signed-off-by: Yujia Qiao <qiaoyujia@bytedance.com>
When checking clh's binary path if valid, return error even
though the error is not a IsNotExist error.
And add errors to log filed when errors occurred.
Fixes: #2208
Signed-off-by: bin <bin@hyper.sh>
Removes custom trace functions defined across the repo and creates
a single trace function in a new katatrace package. Also moves
span tag management into this package and provides a function to
dynamically add a tag at runtime, such as a container id, etc.
Fixes#1162
Signed-off-by: Benjamin Porter <bporter816@gmail.com>
get_mounts() parses /proc/self/mountinfo in order to get the mountpoints
for various cgroup filesystems. One of the entries in mountinfo is the
"device" for each filesystem, but for virtual filesystems like /proc, /sys
and cgroups, the device entry is arbitrary. Depending on the exact rootfs
setup, it can end up being "-".
This breaks get_mounts() because it uses " - " as a separator. There
really is a " - " separator in mountinfo, but in this case the device entry
shows up as a second one. Fix this, by changing a split to a splitn, which
will effectively only consider the first " - " in the line.
While we're there, make the warning message more useful, by having it
actually show which line it wasn't able to parse.
fixes#2182
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We'd better stop the virtiofsd specifically after stop qemu,
instead of depending on the qemu's termination to notify virtiofsd
to exit.
Fixes: #2211
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
For some reason our static check started to get opinionated about code
that's been there for ages.
One of the suggestions is to improve:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/containerd-shim-v2
utils_test.go:76:36: S1039: unnecessary use of fmt.Sprintf (gosimple)
testDir, err = ioutil.TempDir("", fmt.Sprintf("shimV2-"))
```
And that's what this PR is about.
Fixes: #2204
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
For some reason our static check started to get opinionated about code
that's been there for ages.
One of the suggestions is to improve:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/client
client.go:431:2: S1017: should replace this `if` statement with an unconditional `strings.TrimPrefix` (gosimple)
if strings.HasPrefix(sock, "mock:") {
```
And that's what this PR is about.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
First of all, cpuset.go just comes from kubernetes and we shouldn't be
doing much with this file apart from updating it every now and then
(but that's material for another PR).
Right now, due to some change on the static checks we use as part of our
CI, we started getting issues as:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/cpuset
cpuset.go:60:2: SA4005: ineffective assignment to field Builder.done (staticcheck)
b.done = true
```
For those, let's just ignore the lint and move on.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
- Ported from https://github.com/kata-containers/tests/pull/3612:
Install protobuf-compiler for agent build on ppc64le & s390x
- Fixes in image target for ppc64le & s390x
- Install image instead of initrd since it's preferred
- Use Ubuntu as base since Alpine requires a musl agent (cannot be
built on ppc64le & s390x because there is no such Rust target)
- Ported from
https://github.com/kata-containers/kata-containers/pull/1265:
Fix vmlinux install path
- Install libseccomp-dev on all architectures, not just x86_64
Fixes: #2192
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Added a `--dump-only` option which disables forwarding of trace spans.
This essentially makes the forwarder a NOP but can be useful for testing
purposes.
Fixes: #2132.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Since we only send an shutdown qmp command to qemu when do
stopSandbox, and didn't wait until qemu process's exit, thus
we'd better to make sure it had exited when shimv2 terminated.
Thus here to do the last cleanup of the hypervisor.
Fixes: #2198
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
It looks like the version check for cloud hypervisor (clh) was added
initially when clh was actively evolving its API. We no longer need the
version check as clh API has been fairly stable for its recent releases.
Fixes: #1991
Signed-off-by: Bo Chen <chen.bo@intel.com>
Fix the incorrect regular expression to fetch the guest context ID.
In " [^,][^,]* ", [^,]* will match to the next ",",
which is after "socket", so finally got incorrect result.
Use egrep -o "guest-cid=[0-9]*" instead.
Fixes: #2124
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
This commit clean up config parsing and testing code to make it a bit more easy to maintain.
- Adds `with_context` from anyhow to include the underlying error. This helps to understand what exactly went wrong.
- Uses ensure and bail as a shorter alternative for `if` checks.
- TestData in test_parse_cmdline is now implements Default to reduce boilerplate code
- Remove `make_err` as it doesn’t make any sense.
Fixes: #2177
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Use which to find the full path of exe before run execute_hook
to avoid error: 'No such file or directory'
Fixes: #2172
Signed-off-by: Tim Zhang <tim@hyper.sh>
For some simple functions that only process memory data(list/hashmap),
they don't need to be instrumented.
And sometime they may generate non-parent spans, if they are called from
daemon-style "threads".
Fixes: #1968
Signed-off-by: bin <bin@hyper.sh>
Pass span context through ttRPC metadata, that
agent can get parent from the context to create
new sub-spans.
Fixes: #1968
Signed-off-by: bin <bin@hyper.sh>
Use common functions wrapping logic of getting values
from annotations, parsing bool/uint32/uint64 and setting
to struct fields.
Fixes: #2082
Signed-off-by: bin <bin@hyper.sh>
Since the rpc spec used an interface to represen the ErrnoRet,
thus the transform function of OCItoGRPC should take care of
this case.
Depends-on: github.com/kata-containers/tests#3629
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Fix the mismatch bring by the upgrading of vendor of containerd,
cgroup and runtime spec.
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Since the latest containerd's shimv2 had changed the socket
from abstract unix socket to path unix socket, thus we'd
better to update the vendor to match with the latest containerd.
containerd from v1.3.9, v1.4.3 and v1.5.0 used the path unix socket
instead of abstract socket, thus kata wouldn's support the
containerd's version older than them.
Fixes: #1441
short logs:
15d9703d6 Remove ARM64 releases from release notes
5d2e8e86d Revert "Release artifacts for Linux ARM64"
7942ae68b Revert "Specify seccomp target arch for CC"
3187b6dc8 tests: Adds consumed memory stats test
969ec8949 Specify seccomp target arch for CC
c19b7b64d RELEASES.md: recommend alternatives for deprecated
features
8a62aa1c3 Deprecate built-in aufs snapshotter
4e7915f80 CI: allow Go 1.13 for Docker/Moby compatibility
8e589e873 Vagrantfile: update to Fedora 34
5847340a7 tests: Refactors container image usage
9f43eade6 Prepare v1.5.0-rc.3 release notes
4c7b960cb prow needs some additional setup for docker buildx
2e4c1d4b7 Use the multi-arch version of the test images
4e00c4b65 integration tests needs lsof
177273680 Add script to build test images
1b5d59dfe Add multi-arch support for test images
78e529727 add integration tests
2b0e6cdd4 Separate jobs for build and test for openlab/arm64
cdd075853 Release artifacts for Linux ARM64
efcb18742 Add unit tests for PID NamespaceMode_TARGET validation
b48f27df6 Support PID NamespaceMode_TARGET
909660ea9 process: use the unbuffered channel as the done signal
0f332dadd Update cgroups for regenerated protos
391b123a5 adds quiet option for ref
ab1654d0e Fix PushHandler cannot push image that contains duplicated
blobs
00f8d32ef add not found debug out for check cmd; update usage
55734b1c5 Prepare 1.5.0-rc.2 release notes
3ef337ae3 Update containerd vendors to tags
fbe1e140f Update Go to 1.16.3
c1d1edbad gha: use sudo -E in some places to prevent dropping
env-vars
7966a6652 Cleanup code
5d79d3adb go.mod: update kubernetes to v1.20.6
1c03c377e go.mod: github.com/containerd/fifo v1.0.0
12a2a2108 go.mod: github.com/google/uuid v1.2.0
3292ea586 pkg/seccomp: use sync.Once to speed up IsEnabled
00b5c99b1 pkg/seccomp: simplify IsEnabled, update doc
6dd29c25f go.mod: github.com/containerd/aufs
330a2a809 go.mod: github.com/containerd/zfs
34780d67a runtime/shim: check the namespace flag first
c3dde8c4b freebsd: add zfs to the default plugins
b431fe4fc freebsd: don't run shim delete in deleted dir
1f4192daf freebsd: exclude v1 runtimes
cb1580937 metadata: improve deleting a non-empty namespace's error
message
5bf84034d Remove junit test result processor
b83d04f91 Add variable names to runtime's interface definitions
993b86399 Add shim start opts
9e576b889 Optimize backoff
5c02688b5 converter: use OpenWriter helper function
fcf3b275f Add lock for ListPids
fdb76f55d Fix backword-compatibility issue of non-versioned config
file
d21fe4625 adds log for each failed host and status not found on host
8a4cbabc6 Reimport windows layers when comitting snapshots
2de38a926 fix(windows): create debug npipe failure
41fc516a2 docs/rootless.md: recommend "easy way" over "hard way"
864a3322b go.mod: github.com/containerd/go-cni v1.0.2
ee34caccb go.mod: github.com/Microsoft/go-winio v0.4.17
d478676d3 go.mod: github.com/containerd/imgcrypt v1.1.1
1dd45d51c go.mod: github.com/containerd/typeurl v1.0.2
abd4be07a fix the 404 url
978ebbef6 Prepare 1.5.0-rc.1 release
ce116d4c5 go.mod: github.com/containerd/imgcrypt
v1.1.1-0.20210412181126-0bed51b9522c
0550c3233 containerd-stress: add snapshotter option for stress test
to use
8a04bd052 address recent runtimes config confusion
c4778fe1b go.mod: github.com/containernetworking/plugins v0.9.1
5ce35ac39 devmapper: log pool status when mkfs fails
75097b8ca hcsshim seems to have been updated
9ad087947 Switch all our tests to version 2
e96d2a5d9 Revert "remove two very old no longer used runtime
options"
14f357b90 CI: update crun to 0.19
294331060 go.mod: github.com/containerd/console v1.0.2
bb6c0c2de Add more bolt utils
0ad8c0a16 Decouple shim start from task creation
c7504987e Implement windowsDiff.Compare via hcsshim/pkg/ociwclayer
a64a76846 Replace inline applyWindowsLayer using hcsshim
149fa366f Don't tease the logger with a %-less format string
b399e2ef6 Don't lose Compare failure if aborting diff upload fails
36bf3f0e8 go.mod: github.com/Microsoft/hcsshim v0.8.16
8e1a8ecd8 Prepare v1.5.0-rc.0
45df696bf Fix return event publishing error
4bc8f692f optimize cri redirect logs
9bc8d63c9 cri/server: use containerd/oci instead of
libcontainer/devices
dd16b006e merge in the move to the new options type
9144ce967 shows our runc.v2 default options in the containerd
default config
3d20fa930 fix TestSetOOMScoreBoundaries
4d4117415 Change CRI config runtime options type
21ebeef74 integration: use busybox:1.32.0 since latest is
unavailable
f9bcf4a8a add section link
d4be6aa8f rm mirror defaults; doc registry deprecations
7bb73da6b runtime/v2/shim: remove unused SetScore() and remove
sys.OOMScoreMaxKillable
91e7d21ee sys: add AdjustOOMScore() utility
44240116a sys: add boundary checks to SetOOMScore()
ace1912bb sys: use assert for error checks in OOM tests
6e7271522 sys: add missing pre-condition checks in tests
badd60d3f sys: un-export runningPrivileged(), remove
runningUnprivileged()
21a175860 go.mod github.com/klauspost/compress v1.11.13
58c5fd09e re-enable cri test
da998c81e move to gcr.io/k8s-staging-cri-tools test images
8ba8533bd pkg/cri/opts.WithoutRunMount -> oci.WithoutRunMount
92ea98eda cri-cni-release: add imgcrypt binaries (v1.1.0)
4c1fa5719 remotes/docker: Only return "already exists" on push when
the upload was successful
0186a329e remove two very old no longer used runtime options
58a07754a Temporarily disable cri-tools critest
7ae0a60fb Add OCI ref.name to unique key in remotes handler
5ada2f74a Keep host order as defined in TOML file
d9ff8ebef support multi-arch images for windows via ctr
af1e2af72 ci: upload junit formatted test results
6866b36ab Add workaround to keep docker hosts structs private
c54d92c79 image: use generic decompressor for calculating DiffID
1faca349e integration/client: rename package to "client"
6fc9e4500 synchronize replace rules in integration/client go.mod
with main go.mod
9e19a2984 Fix hosts test on Windows
3f406d4af Cleanup vendor
d56b49c13 Rewrite Docker hosts parser
e1f51ba73 Use os.File#Seek() to get the size of a block device
ddd4298a1 Migrate current TOML code to github.com/pelletier/go-toml
499c2f7d4 Vendor github.com/pelletier/go-toml
61c749036 integration/util: remove dependency on k8s.io/klog/v2
d9765f7bf Extend default timeout for nested VM integration run
5e94745f2 ctr: add --user for task exec
f8c2f0475 remotes/ctr: allow to limit max concurrent uploads like
downloads
4674ad7be Ignore some tests on darwin
55450e773 Run unit tests on CI for MacOS
311e326a1 Add CI job to cross compile all the things
10a498c7c Update go-winio to fix compile error on armv7
1a9c6f557 Revendor zfs to to fix integer overflow
1fd3d12f9 `go mod tidy` the client integration test module
da7d96ba3 Clean up WCOW layers after tests in the correct order
9ad87b9ba adds critools-version
72b7f4bab task: allow checkpoint on pause state
e4b9b1038 Make CRI registry docs more clear
ec4d7736d Increase timeout for linux integration tests
eb7c7c71e Fix oom tests on non Linux
708299ca4 Move RunningInUserNS() to its own package
0886ceaea Fix reference ordering in CRI image store
bf9db47e8 add caller info to the testHook
305b42583 use happy-eyeballs for port-forwarding
22ef69d77 Support HTTP debug in ctr
01765d097 night ci fix: add packages for ubuntu 20.04
8cdc1f13b go.mod: github.com/containerd/zfs
v0.0.0-20210322090317-0e92c2247fb7
30e1e66e5 runtime/v2: Fix defer cleanup
33776ada0 Use specific image for user namespaces tests
7704fe72d Specifically mention "mkfs.ext4" on the error from the
command
1410220d8 Fix error log when copy file
fe787efa2 Fix error log when kill shim
8d8c15ca5 contentproxy: ensure grpc stream is closed on commit
6e343f25e Switch test image to a non rate-limited manifest list
9fdc96c09 runtime/v2: add comment for checkCopyShimLogError
24602e7a9 change default runtime for containerd-stress app
8731888ec Re-enable CRIU tests by not using overlayfs snapshotter
b520428b5 Fix CRIU
4e76bcf06 gofmt -s -w all the things
569023fd5 go.mod: github.com/containerd/nri
v0.0.0-20210316161719-dbaa18c31c14
0e1f59e89 go.mod: github.com/containerd/zfs
v0.0.0-20210315114300-dde8f0fda960
ffff68866 upgrade pause image to 3.5 for non-root
88d3881e1 go.mod: github.com/containerd/fifo
v0.0.0-20210316144830-115abcc95a1d
a22c43fa4 go.mod: github.com/containerd/aufs
v0.0.0-20210316121734-20793ff83c97
f6f861736 go.mod: github.com/containerd/btrfs
v0.0.0-20210316141732-918d888fb676
460b35236 go.mod: kubernetes v1.20.4
5e484c961 runtime/v2/runc: fix the defer cleanup of the NewContainer
e6086d9c0 Prepare release notes for v1.5.0-beta.4
34b7a5f09 Update mailmap
ba8f9845e move overlay-checks to an overlayutils package
7776e5ef2 Support adding devices by dir
d895118c7 runtime/v2/runc: fix leaking socket path
a76cefd12 plugin status should be skip, not error
766e7953a Change dgst to digest in debug
4e8b2f309 rootfs: fix the error handling of the createInitLayer
d3ad7f390 cmd/ctr: use e.g. in the command usage
231bbdc37 cmd/ctr: fix export command
ecb881e5e add imgcrypt stream processors to the default config
ac2726e12 cmd/containerd: deduplicate config*.go
9a7ca39cb defaults: add DefaultConfigDir
8f863afd3 Use net.IP.IsLoopback() to match loopback addresses
eabd9b98b runtime: ignore file-already-closed error if dead shim
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Our dependencies already bring several versions of nix, we should avoid
adding even more fragementation.
Fixes#2114
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
To workaround virtiofs' lack of inotify support, we'll special case
particular mounts which are typically watched, and pass on information
to the agent so it can ensure that the mount presented to the container
is indeed watchable (see applicable agent commit).
This commit will:
- identify watchable mounts based on file count and mount source
- create a watchable-bind storage object for these mounts to
communicate intent to the agent
- update the OCI spec to take the updated watchable mount source into account
Unit tests added and updated for the newly introduced
functionality/functions.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
We're introducing a workaround for enabling users to utilize inotify on
mounts that are backed by virtiofs. Let's add some documentation on how
this work.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add support for watchable-bind storage driver. When watchable-bind storage
is present, the agent will create a watchable path in a tmpfs, and poll the
watchable-bind source to keep this new mount-point up to date.
This poll will allow the agent to present the mount-point to the
container, allowing for inotify usage by the container workload.
If a mount becomes too large, either in file count or in overall size,
we want to stop treating it as watchable, and instead just treat as a
bindmount. This'll help avoid DoS by growing tmpfs too large, as well
as limiting time spent scanning files. If a watchable-bind grows beyond
8 files (arbitrary sane number for certs/secrets) or 1MB (limit on ConfigMap size),
we treat it as a normal bind.
Fixes: #1879
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
agent: watcher: SandboxStorages check loop cleanup
There's no reason to pass the paths; they can be
determined when they are actually used.
Let's make the return values more comparable to the other mount handling
functions (we'll add storage object in future commit), and pass the mount maps as
function parameters.
...No functional changes here...
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Add `CONFIG_PROTECTED_VIRTUALIZATION_GUEST=y` to s390's guest kernel
config, which enables running with a secure image (as generated by
s390-tools' `genprotimg`).
Fixes: #2106
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Use Podman instead of Docker when $USE_PODMAN is set. This enables
running with Podman, e.g. to import images for CRI-O.
Fixes: #2067
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Architectures that do not support memory hotplugging will fail when
memory limits are set because that amount is hotplugged. Issue a warning
instead. The long-term solution is virtio-mem.
Fixes: #1412
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The Developer Guide instructs to install the agent from
`${ARCH}-unknown-linux-${LIBC}`, where `$LIBC` is set to `gnu` for
ppc64le (because Rust has no musl target there). The same is true for
s390x. Also set this for s390x.
Fixes: #2092
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
After create an container/exec successfully, containerd
would wait it immediately, and if start it failed, there
is no chance to send value to exitCh, thus the wait goroutine
would blocked for ever and had no chance to exit.
Fixes: #2087
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Fixed 3 errors which misused the bracket to substitute parameter for initrd-img creation at the developer guide.
Fixes: #2079
Signed-off-by: focus-zhaos <zhaos@nbjl.nankai.edu.cn>
- Adding missing `$` symbols to 3 references to `sandbox_id` variable
- Adding missing `'` symbol to QEMU-related `socat` command
Fixes#2075
Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
Currently the virtio-mem device is hotplugged on the root bus.
This doesn't work for PCIe machines like q35.
Hotplug the virtio-mem device into the pci bridge instead.
Fixes#1953
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Keeping around two different x86 machines has no added value
and require more tests and maintenance. Prefer the q35 machine
since it has more features and drop the pc machine.
Fixes#1953
Depends-on: github.com/kata-containers/tests#3586
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
We should update golang proto files.
These changes are updated using libprotoc v3.6.1.
Fixes: #2064
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This PR updates the proper url for kata-deploy scripts at the
minikube installation.
Fixes#2072
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
For QEMU 5.0.0 it is applied the patches/5.0.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
to fix an issue with the use of read-only files as backend memory of nvdimm devices. When Kata Containers bumped
to QEMU 5.2.0 that patch was left behind by mistake. In meanwhile a proper feature ("nvdimm: read-only file support")
was proposed and merged upstream (see https://mail.gnu.org/archive/html/qemu-devel/2021-01/msg00258.html).
This contain the backport of the commit 8360ebeb4f4a from QEMU master which should be applied on QEMU 5.2.0
so that feature is available to Kata Containers.
Fixes#2011
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The snap/snapcraft.yaml set AGENT_VERSION to the current VERSION. The osbuilder script
will try to checkout the AGENT_VERSION tag. Let's ensure that all tags and branches
are fetched by the github's checkout action so the tag checkout does not fail.
Fixes#2052
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
To print the correct value of kernel parameters, the log field
value should not be a function name. And for that qemuArchBase
doesn't contain debug flag, so the log contains debug/non-debug
parameters.
Fixes: #2048
Signed-off-by: bin <bin@hyper.sh>
`memory_offset` is used to increase the maximum amount of memory
supported in a VM, this offset is equal to the NVDIMM/PMEM device that
is hot added, in real use case workloads such devices are bigger than
4G, which is the current limit (uint32).
fixes#2006
Signed-off-by: Julio Montes <julio.montes@intel.com>
It's hard to visually scan over the list currently.
Therefore, we should sort the list alphabetically to scan easily.
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Currently in kata 2.x, we do not have docker support, this PR removes
the docker documentation with sysctls.
Fixes#2029
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Since SEV support has been added, an implementation mistake was also
added to TestQemuAmd64AppendProtectionDevice.
appendProtectionDevice() will, as it name says, append the protection
device to whatever was there previously. So, when SEV was added, we
broke the comparison done for TDX as we didn't append the expected
output for TDX with what we already had for SEV.
This should be enough to get the tests passing.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This PR removes old links that were used in kata 1.x but not
longer valid for kata 2.x
Fixes#2019
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- Update CC=gcc setting for Fedora s390x
- osbuilder: Streamline s390x CMake & musl handling
- runtime: remove the call to storeSandbox at the end of createSandboxFromConfig
- virtcontainers: Add support for Secure Execution
- agent: Conform to the latest nix version (0.21.0)
- docs: Update the stable branch strategy to what was proposed in our ML
- runtime: add more traces for network
- tools/packaging: clone meson and dependencies before building QEMU
- runtime: remove covertool from cli test
- factory: Use lazy unmount
- docs: Fix Release Process document
- Add sandbox and container ID to trace spans
- agent: Fix fd leak caused by netlink
- metrics: Add virtiofsd exporter
- versions: Update kubernetes to 1.21.1
- tracing: Add basic VSOCK tracing
- agent: Upgrade tokio-vsock to fix fd leak of vsock socket
- runtime: fix some comments and logs
- runtime: Add support for PEF
- cleanup TODOs in runtime
- tracing: Make runtime span attributes more consistent
- virtiofsd: refactor qemu.go to use code in virtiofsd.go
- runtime: remove unused doc.go
- cgroup: fix the issue of set mem.limit and mem.swap
- agent: re-enable the standard SIGPIPE behavior
- virtiofsd: Fix file descriptors leak and return correct PID
- runtime: and cgroup and SandboxCgroupOnly check for check sub-command
- kernel: add ppc64le fragments
- docs: Use --ignore-preflight-errors=all flag
- agent: fix start container failed when dropping all capabilities
- agent: Remove unnecessary underscore(_) variables
- docs: Add instructions for getting QEMU source
- qemu: align before memory hotplug on arm64
- workflows: release kata 2.x snap through the stable channel
- Sandbox bindmount cleanup
- docs: Update add customer agent command
- agent: Stop relying in the unmaintained prctl crate
- how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
- docs: Add document for memory hotplug on arm64
- github: Run require porting labels only at main
- kernel: add confidential guest build option
- rustjail: separated the propagation flags from mount flags
- runtime: improve sandbox cleanup logic
- docs: add note for connecting debug console for old versions
- image_build: align image size to 128M for arm64
- agent: avoid reaping the exit signal of execute_hook in the reaper
- agent: move the dependency tempfile to the dev-dependencies section
- docs: Document test repository changes when creating a stable branch
- docs: Remove horizontal ruler markers that disable spell checks
- docs/Developer-Guide: Add instructions to apply QEMU patches
- runtime: make dialing timeout configurable
- Get sandbox metrics cli
- Support TDx
- packaging/kata-cleanup: add k3s containerd volume
- osbuilder: Upgrade alpine version to 3.13.5
- Monitor cleanup
- Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
- agent: delete code which is no longer used
- cli: delete tracing code for kata-runtime binary
- docs: add per-Pod Kata configurations for `enable_pprof`
- Fix issue of virtio-mem
- Set fixed NOFILE limit value for kata-agent
- ci/install_yq.sh: install_yq: Check version before return
- runtime: use s.ctx instead ctx for checking cancellation
- runtime: fix some comments
a1247bc0 agent: Conform to the latest nix version (0.21.0)
3130e66d runtime: remove storeSandbox at the end of createSandboxFromConfig
7593ebf9 runtime: Use CC=gcc on Fedora s390x
a484d6db osbuilder: Streamline s390x CMake & musl handling
da2d9ab8 osbuilder: Remove CC=gcc for Fedora s390x
c0c05c73 virtcontainers: Add support for Secure Execution
78f21710 virtcontainers/s390x: Put consts into one block
784025bb runtime: add more traces for network
9ec9bbba tools/packaging: clone meson and dependencies before building QEMU
9158ec68 docs: Fix Release Process document
9e3349c1 agent: Fix fd leak caused by netlink
3d0e0b27 tracing: Add network model to span
8ca02072 tracing: Add sandbox and container ID to trace spans
a9a0eccf tracing: Add basic VSOCK tracing
2234b730 metrics: Add virtiofsd exporter
9bf781d7 agent: Upgrade tokio-vsock to fix fd leak of vsock socket
b68334a1 runtime: fix some comments and logs
1f5b229b runtime: remove FIXME in SandboxState about CgroupPath
fee0004a runtime: remove TODO about hot add memory in qemu.go
2e29ef9c runtime: remove TODO comment from StatusContainer
72cd8f5e virtiofsd: refactor qemu.go to use code in virtiofsd.go
0b22c48d runtime: remove unused doc.go
30f4834c cgroup: fix the issue of set mem.limit and mem.swap
0ae364c8 agent: re-enable the standard SIGPIPE behavior
05a46fed tracing: Make runtime span attributes more consistent
727bfc45 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
b25ad1ab tracing: Make trace-forwarder async
45f02227 tracing: Add trace points
773deca2 virtiofsd: Fix file descriptors leak and return correct PID
37a426b4 runtime: Add support for PEF
fe670c5d docs: Use --ignore-preflight-errors=all flag
5b5047bd docs: Add instructions for getting QEMU source
3e4ebe10 agent: fix start container failed when dropping all capabilities
9a43d76d workflows: release kata 2.x snap through the stable channel
7f1030d3 sandbox-bindmount: persist mount information
089a7484 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
f65acc20 docs: Update add customer agent command
20a382c1 agent: Remove unnecessary underscore(_) variables
4b88532c docs: Don't use Docker as an example of a container manager
4142e424 docs: Don't mention 1.x components as part of the stable branch strategy
a0af2bd7 docs: Use stable-2.x / 2.x.y as example in the branch strategy document
a5e1f66a docs: Maintain only one stable branch per major release
419773b8 docs: Emphasize behaviour changes may be a reason for a major bump
54a75008 docs: Refer to `main` branch in the stable branch strategy document
7dde0b5d kernel: add ppc64le fragments
84906181 kernel: skip fragments for ppc64le
9676b86b kernel: move CONFIG_RANDOMIZE_BASE
bd0cde40 factory: Use lazy unmount
f52468be agent/agent-ctl: Replace prctl crate by the capctl one
d289b1d6 agent-ctl: Perform a `cargo update`
bc36b7b4 qemu: align before memory hotplug on arm64
8aefc793 agent: Perform a `cargo update`
785be0bb how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
f8a16c17 kernel: add confidential guest build option
a65f11ea docs: Add document for memory hotplug on arm64
1b607056 runtime: remove covertool from cli test
fc42dc07 github: Run require porting labels only at main
dbef2b29 versions: Update kubernetes to 1.21.1
35151f17 runtime: sandbox delete should succeed after verifying sandbox state
e5fe572f rustjail: separated the propagation flags from mount flags
ffbb4d9b docs: add note for connecting debug console for old versions
a5bb383c agent: avoid reaping the exit signal of execute_hook in the reaper
ce7a5ba2 agent: move the dependency tempfile to the dev-dependencies section
e24e9462 docs/Developer-Guide: Add instructions to apply QEMU patches
850cf8cd docs: Document test repository changes when creating a stable branch
8068a469 kata-runtime: add `metrics` command
37873061 kata-monitor: export get stats for sandbox
01b56d6c runtime: make dialing timeout configurable
e8038718 osbuilder: Upgrade alpine version to 3.13.5
3caed6f8 runtime: shim: dedup client, socket addr code
4bc006c8 runtime: Short the shim-monitor path
5fdf617e docs: Fix spell-check errors found after new text is discovered
42425456 docs: Remove horizontal ruler markers that disable spell checks
3883e4e2 kernel: configs: Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
4f61f4b4 virtcontainers: Support TDX
0affe886 virtcontainers: define confidential guest framework
539afba0 runtime: define config options to enable confidential computing
79831faf runtime: use s.ctx instead ctx for checking cancellation
f6d5fbf9 runtime: fix some comments
9381e5f3 packaging/kata-cleanup: add k3s containerd volume
7f7c3fc8 qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
c9053ea3 qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
a188577e agent: Set fixed NOFILE limit value for kata-agent
88cf3db6 runtime: implement CPUFlags function
2b0d5b25 image_build: align image size to 128M for arm64
d601ae34 agent: delete not used comments
6038da19 agent: delete rustjail/src/configs directory
84ee8aa8 agent: delete not used functions
d8896157 ci/install_yq.sh: install_yq: Check version before return
95e54e3f docs: add per-Pod Kata configurations for enable_pprof
13c23fec cli: delete tracing code for kata-runtime binary
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The call to Trace() in runHooks() does not return a context; fix this so
that the subsequent calls to runHook() produces a properly ordered trace
span.
Fixes#2001
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add the following mount options to catch up with the runtime spec
- silent
- loud
- (no)acl
- (no)iversion
- (no)lazytime
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This PR removes the travis reference as we currently for kata 2.0,
travis is not being supported.
Fixes#1994
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
We need to fix some agent's code to conform to the latest nix crate
to be able to use new features of the nix.
Fixes: #1987
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Remove storeSandbox() at the end of createSandboxFromConfig(),
because this callchain createSandboxFromConfig -> createContainers
has already calls storeSandbox().
This can improve the startup speed of the container,
even just for a little.
Fixes: #1980
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
- Merge codepath in lib.sh with ppc64le -- do not install CMake
- Like ppc64le, do not install musl rather than just not using it
Fixes: #1975
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Secure Execution is a confidential computing technology on s390x (IBM Z
& LinuxONE). Enable the correspondent virtualization technology in QEMU
(where it is referred to as "Protected Virtualization").
- Introduce enableProtection and appendProtectionDevice functions for
QEMU s390x.
- Introduce CheckCmdline to check for "prot_virt=1" being present on the
kernel command line.
- Introduce CPUFacilities and avilableGuestProtection for hypervisor
s390x to check for CPU support.
Fixes: #1771
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Previously, all consts were in single lines in
virtcontainers/qemu_s390x.go. Put them into a const block.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
In some distros (Ubuntu 18 and 20) it's not possible to clone meson
and QEMU dependencies from https://git.qemu.org due to problems with
its certificates, let's pull these dependencies from github before
building QEMU.
fixes#1965
Signed-off-by: Julio Montes <julio.montes@intel.com>
This PR updates the correct url for github actions as well as it
corrects a misspelling.
Fixes#1960
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Trace spans erroneously set the network model to default in all cases.
Add function to return network model string and use it to set attribute
in spans.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add sandbox, container, and hypervisor IDs to trace spans. Note that
some spans in sandbox.go are created with a trace() call from api.go.
These spans have additional attributes set after span creation to
overwrite the api attributes.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Implement an openTelemetry custom exporter that sends trace spans to a
VSOCK socket. A VSOCK-to-span converter (such as the Kata trace
forwarder) needs to be running on the host to allow systems like Jaeger
to capture the trace spans.
By default, tracing is not enabled (meaning a NOP tracer is used). To
activate tracing, set the `agent.kata.enable_tracing=true` in the
configuration file.
The type of tracing this change introduces is "static isolated"
tracing. See [1] for further details.
> **Note:**
>
> This change only provides the foundational changes for agent
> tracing work. The feature is _not_ yet complete since it does
> not yet show the correct trace hierarchy.
Fixes: #60.
[1] - https://github.com/kata-containers/agent/blob/master/TRACING.md
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Export proc stats for virtiofsd.
This commit only adds for hypervisors that have support for it.
- qemu
- cloud-hypervisor
Fixes: #1926
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.
Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
CloudHypervisor is using virtiofsd.go to manage virtiofsd process,
but qemu has its code in qemu.go. This commit let qemu to re-use
code in virtiofsd.go to reduce code and improve maintenanceability.
Fixes: #1933
Signed-off-by: bin <bin@hyper.sh>
When update memory limit, we should adapt the write sequence
for memory and swap memory, so it won't fail because
the new value and the old value don't fit kernel's
validation.
Fixes: #1917
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
The Rust standard library had suppressed the default SIGPIPE
behavior, see https://github.com/rust-lang/rust/pull/13158.
Since the parent's signal handler would be inherited by it's child
process, thus we should re-enable the standard SIGPIPE behavior as a
workaround.
Fixes: #1887
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Span attributes (tags) are not consistent in runtime tracing, so
designate and use core attributes such source, package, subsystem, and
type as span metadata for more understandable output.
Use WithAttributes() during span creation to reduce calls to
SetAttributes().
Modify Trace() in katautils to accept slice of attributes so multiple
functions using different attributes can use it.
Fixes#1852
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
In kata-runtime check sub-command, checks cgroups and SandboxCgroupOnly
to show message if the SandboxCgroupOnly is not set to true
and cgroup v2 is used.
Fixes: #1927
Signed-off-by: bin <bin@hyper.sh>
Use the tracing crate to create automatic trace spans for the _majority_
of top-level modules.
Note that not all functions in the top-level modules can be traced:
- Some functions cannot be traced due to the requirement that all
function parameters implement the `Debug` trait. In some cases (such
as `netlink.rs`), objects are being passed that are defined in
different crates and which do not implement `Debug`.
- Some functions may never return (`signal.rs`).
- Some functions are inlined.
- Some functions are very simple getter/setter functions.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit will fix two problems:
- Virtiofsd process ID returned to the caller will always be 0,
the pid var is never being assigned a value.
- Socket listen fd may leak in case of failure of starting virtiofsd process.
This is a port of be9ca0d58bFixes: #1931
Signed-off-by: bin <bin@hyper.sh>
Protected Execution Facility(PEF) is the confidential computing
technology on ppc64le. This PR adds the support for it in Kata.
Also re-vendor govmm for the latest changes.
Fixes: #1881
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
The --skip-preflight-checks flag has been deprecated in the Kubernetes v1.9
and removed from Kubernetes v1.12.
We should use --ignore-preflight-errors=all flag instead of --skip-preflight-checks.
Fixes: #1919
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Update the developer guide to add instructions of how to get the
correct version of the QEMU source and sets your_qemu_directory
variable, so that follow on steps are easier for a new joiner to the
community to understand
Fixes#1907
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.
fixes#1913
Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.
Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.
With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.
Fixes#1896
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.
Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.
Fixes: #1895
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Update the developer guide to correct the
command that adds a customer kata-agent to the rootfs image
putting it in /usr/bin/kata-agent rather than /bin/kata-agent
Fixes#1904
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Let's slightly rewrite the text to ensure users of 2.x that never had
contact with kata-containers 1.x would be able to understand the
sentences.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This is a proposal that was sent to the ML and can be accessed via
http://lists.katacontainers.io/pipermail/kata-dev/2021-May/001894.html
Shortly, the proposal is to maintain only one stable branch per major
active release.
This will help the developers and the CI maintainers, to spend more time
on what's coming, rather on backporting and debugging issues with old
releases; while still providing one stable branch that downstream
companies can rely on.
Hopefully, with this we'll be able to lower the maintainance burden and
spend more time on getting things rock solid / move forward in a faster
pace with the project.
Fixes: #1876
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The current wording is good, but we could emphasize better that changes
on behaviour from a previous release by simply making the text bold
rather than italic.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
As there's no active `master` branch as part of kata-containers 2.x,
let's avoid referring to it, and let's referr to the `main` branch
instead.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This config is not selected for ppc64le. It is
only supported on PPC32 for now. Moved it to
respective arch base.conf.
Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
we can have the following case,
1. start kata container with factory feature, this need kata-runtime
config to enable factory and use initrd as base image.
2. start a kata container.
3. cd /root; cd /run/vc/vm/template dir, this will make
/run/vc/vm/template to be in used.
4. destroy vm template with kata-runtime factory destroy , and check
the template mountpoint.
we can see the template mountpoints will add everytime we repeat the above steps .
[root@centos1 template]# mount |grep template
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
[root@centos1 template]# docker run -ti --rm --runtime untrusted-runtime --net none busybox echo
[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
Fixes: #938
Signed-off-by: Shukui Yang <keloyangsk@gmail.com>
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.
When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.
Fixes: #1844
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When hotplug memory on arm64 in kata, kernel will shout:
[ 0.396551] Block size [0x40000000] unaligned hotplug range: start 0xc8000000, size 0x40000000
[ 0.396556] acpi PNP0C80:01: add_memory failed
[ 0.396834] acpi PNP0C80:01: acpi_memory_enable_device() error
[ 0.396948] acpi PNP0C80:01: Enumeration failure
It means that kernel will check if the memory range to be hotplugged
align with 1G before plug the memory. So we should twist the qemu to
make sure the memory range align with 1G to pass the kernel check.
Fixes: #1841
Signed-off-by: Yuanzhe Liu <yuanzheliu09@gmail.com>
After some enablement work, memory hotplug can be used on arm64.
Here we offer a document to instruct user to enable it.
Fixes: #1854
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
covertool has no active since 2018 and is not compatible with go1.16
../vendor/github.com/dlespiau/covertool/pkg/cover/cover.go:76:29: cannot use f (type dummyTestDeps) as type testing.testDeps in argument to testing.MainStart:
dummyTestDeps does not implement testing.testDeps (missing SetPanicOnExit0 method)
Fixes: #1862
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Since the propagation flags couldn't be combinted with the
standard mount flags, and they should be used with the remount,
thus it's better to split them from the standard mount flags.
Fixes: #1699
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Following the fix for #1713, adding a unit test for ioCopy() that
verifies that data is properly copied from source to destination
whatever the order in which the pipes are closed.
Fixes#1831
Signed-off-by: Julien Ropé <jrope@redhat.com>
Occasionally patches are necessary to build QEMU with the kata containers
configuration. This changed the developer guide to make it clear it is
recommended to apply the patches; and tell how.
Fixes#1807
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
When we create a new stable branch, it is good practice to ensure that the test
repository points to that stable branch, to make sure that it is not impacted by
later changes to the CI made on the stable branch.
Fixes: #1823
Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
For easier debug, let's add subcommand to kata-runtime for gathering
metrics associated with a given sandbox.
kata-runtime metrics --sandbox-id foobar
Fixes: #1815
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Gathering stats for a given sandbox is pretty useful; let's export a
function from katamonitor pkg to do this.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
(1) Add an accessor function, SocketAddress, to the shim-v2 code for
determining the shim's abstract domain socket address, given the sandbox
ID.
(2) In kata monitor, create a function, BuildShimClient, for obtaining the appropriate
http.Client for communicating with the shim's monitoring endpoint.
(3) Update the kata CLI and kata-monitor code to make use of these.
(4) Migrate some kata monitor methods to be functions, in order to ease
future reuse.
(5) drop unused namespace from functions where it is no longer needed.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Instead of having something like
"/containerd-shim/$namespace/$sandboxID/shim-monitor.sock", let's change
the approach to:
* create the file in a more neutral location "/run/vc", instead of
"/containerd-shim";
* drop the namespace, as the sandboxID should be unique;
* remove ".sock" from the socket name.
This will result on a name that looks like:
"/run/vc/$sandboxID/shim-monitor"
Fixes: #497
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
The spell-checker scripts has some bugs that caused large chunks of texts to not
be spell checked at all (see #1793). The previous commit worked around this bug,
which exposed another bug:
The following source text:
are discussions about using VM save and restore to
give [`criu`](https://github.com/checkpoint-restore/criu)-like
functionality, which might provide a solution
yields the surprising error below:
WARNING: Word 'givelike': did you mean one of the following?: give like, give-like, wavelike
Apparently, an extra space is removed, which is another issue with the
spell-checking script. This case is somewhat contrived because of the URL link,
so for now, I decided for a creative rewriting, inserting the word "a" knowing
that "alike" is a valid word ;-)
Fixes: #1793
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
There is a bug in the CI script checking spelling that causes it
to skip any text that follows a horizontal ruler.
(https://github.com/kata-containers/tests/issues/3448)
Solution: replace one horizontal ruler marker with another that
does not trip the spell-checking script.
Fixes: #1793
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Define the structure and functions needed to support confidential
guests, this commit doesn't add support for any specific technology,
support for TDX, SEV, PEF and others will be added in following
commits.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Define config options to enable or disable confidential computing and
its features, for example:
* Image service offloading
* Image decryption keys
Signed-off-by: Julio Montes <julio.montes@intel.com>
This commint include two types of fixes for comments
in src/runtime/containerd-shim-v2/start.go.
- Update comment for calling of watchOOMEvents.
- Comments without heading spaces.
Fixes: #1750
Signed-off-by: bin <bin@hyper.sh>
kata-deploy cleanup expects to find containerd configuration
in /etc/containerd/config.toml. In case of k3s mount the k3s
containerd config as a volume.
Fixes#1801
Signed-off-by: Orestis Lagkas Nikolos <olagkasn@nubificus.co.uk>
Got:
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: Add 189759MB virtio-mem-pci fail QMP command
failed: backend memory size must be multiple of 0x200000: unknown
This commit let sizeMB be multiple of 2Mib to fix the issue.
Fixes: #1796
Signed-off-by: Hui Zhu <teawater@antfin.com>
Some applications may fail if NOFILE limit is set to unlimited.
Although in some environments this value is explicitly overridden,
lets set it to a more sane value in case it doesn't.
Fixes#1715
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
`CPUFlags` returns a map with all the CPU flags, these CPU flags
may help us to identiry whether a system support confidential computing
or not.
Signed-off-by: Julio Montes <julio.montes@intel.com>
There is an inconformity between qemu and kernel of memory alignment
check in memory hotplug. Both of qemu and kernel will do the start
address alignment check in memory hotplug. But it's 2M in qemu
while 128M in kernel. It leads to an issue when memory hotplug.
Currently, the kata image is a nvdimm device, which will plug into the VM as
a dimm. If another dimm is pluged, it will reside on top of that nvdimm.
So, the start address of the second dimm may not pass the alginment
check in kernel if the nvdimm size doesn't align with 128M.
There are 3 ways to address this issue I think:
1. fix the alignment size in kernel according to qemu. I think people
in linux kernel community will not accept it.
2. do alignment check in qemu and force the start address of hotplug
in alignment with 128M, which means there maybe holes between memory blocks.
3. obey the rule in user end, which means fix it in kata.
I think the second one is the best, but I can't do that for some reason.
Thus, the last one is the choice here.
Fixes: #1769
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
In file src/agent/rustjail/src/validator.rs,
these two functions are not used:
- get_namespace_path
- check_host_ns
Fixes: #1783
Signed-off-by: bin <bin@hyper.sh>
Now enabling enable_pprof for individual pods is supported,
but not documented.
This commit will add per-Pod Kata configurations for `enable_pprof`
in file `docs/how-to/how-to-set-sandbox-config-kata.md`
Fixes: #1744
Signed-off-by: bin <bin@hyper.sh>
a method used in cloud computing, whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, which vary automatically based on the load on the farm.
## B
## C
### Container Security Solutions
The process of implementing security tools and policies that will give you the assurance that everything in your container is running as intended, and only as intended.
### Container Software
A standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
### Container Runtime Interface
A plugin interface which enables Kubelet to use a wide variety of container runtimes, without the need to recompile.
### Container Virtualization
A container is a virtual runtime environment that runs on top of a single operating system (OS) kernel and emulates an operating system rather than the underlying hardware.
## D
## E
## F
## G
## H
## I
### Infrastructure Architecture
A structured and modern approach for supporting an organization and facilitating innovation within an enterprise.
## J
## K
### Kata Containers
Kata containers is an open source project delivering increased container security and Workload isolation through an implementation of lightweight virtual machines.
## L
## M
## N
## O
## P
### Pod Containers
A Group of one or more containers , with shared storage/network, and a specification for how to run the containers.
### Private Cloud
A computing model that offers a proprietary environment dedicated to a single business entity.
### Public Cloud
Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them.
## Q
## R
## S
### Serverless Containers
An architecture in which code is executed on-demand. Serverless workloads are typically in the cloud, but on-premises serverless platforms exist, too.
## T
## U
## V
### Virtual Machine Monitor
Computer software, firmware or hardware that creates and runs virtual machines.
### Virtual Machine Software
A software program or operating system that not only exhibits the behavior of a separate computer, but is also capable of performing tasks such as running applications and programs like a separate computer.
Kata Containers is an open source project and community working to build a
@@ -67,69 +46,34 @@ Please raise an issue
> **Note:**
> If you are reporting a security issue, please follow the [vulnerability reporting process](https://github.com/kata-containers/community#vulnerability-handling)
#### Kata Containers 1.x versions
For older Kata Containers 1.x releases, please raise an issue in the
| [KSM throttler](https://github.com/kata-containers/ksm-throttler) | optional core | Daemon that monitors containers and deduplicates memory to maximize container density on the host. |
| [osbuilder](https://github.com/kata-containers/osbuilder) | infrastructure | See [components](#components). |
| [packaging](https://github.com/kata-containers/packaging) | infrastructure | See [components](#components). |
| [proxy](https://github.com/kata-containers/proxy) | core | Multiplexes communications between the shims, agent and runtime. |
| [runtime](https://github.com/kata-containers/runtime) | core | See [components](#components). |
| [shim](https://github.com/kata-containers/shim) | core | Handles standard I/O and signals on behalf of the container process. |
> **Note:**
>
> - There are more components for the original Kata Containers 1.x implementation.
> - The current implementation simplifies the design significantly:
> compare the [current](docs/design/architecture.md) and
The following repositories are used by both the current and first generation Kata Containers implementations:
| Component | Description | Current | First generation | Notes |
|-|-|-|-|-|
| CI | Continuous Integration configuration files and scripts. | [Kata 2.x](https://github.com/kata-containers/ci/tree/main) | [Kata 1.x](https://github.com/kata-containers/ci/tree/master) | |
| kernel | The Linux kernel used by the hypervisor to boot the guest image. | [Kata 2.x][kernel] | [Kata 1.x][kernel] | Patches are stored in the packaging component. |
| tests | Test code. | [Kata 2.x](https://github.com/kata-containers/tests/tree/main) | [Kata 1.x](https://github.com/kata-containers/tests/tree/master) | Excludes unit tests which live with the main code. |
| www.katacontainers.io | Contains the source for the [main web site](https://www.katacontainers.io). | [Kata 2.x][github-katacontainers.io] | [Kata 1.x][github-katacontainers.io] | | |
| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
| [kernel](https://www.kernel.org) | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored [here](tools/packaging/kernel). |
| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
| [`agent-ctl`](tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
| [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
| [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |
### Packaging and releases
@@ -138,6 +82,9 @@ Kata Containers is now
However, packaging scripts and metadata are still used to generate snap and GitHub releases. See
the [components](#components) section for further details.
## Glossary of Terms
See the [glossary of terms](Glossary.md) related to Kata Containers.
@@ -353,12 +301,13 @@ You MUST choose one of `alpine`, `centos`, `clearlinux`, `euleros`, and `fedora`
>
> - Check the [compatibility matrix](../tools/osbuilder/README.md#platform-distro-compatibility-matrix) before creating rootfs.
Optionally, add your custom agent binary to the rootfs with the following, `LIBC` default is `musl`, if `ARCH` is `ppc64le`, should set the`LIBC=gnu` and `ARCH=powerpc64le`:
Optionally, add your custom agent binary to the rootfs with the following commands. The default`$LIBC` used
is `musl`, but on ppc64le and s390x, `gnu` should be used. Also, Rust refers to ppc64le as `powerpc64le`:
tool, which can convert the logs into formats (e.g. JSON, TOML, XML, and YAML).
See [Set up a debug console](#set-up-a-debug-console).
@@ -475,6 +450,16 @@ debug_console_enabled = true
This will pass `agent.debug_console agent.debug_console_vport=1026` to agent as kernel parameters, and sandboxes created using this parameters will start a shell in guest if new connection is accept from VSOCK.
#### Start `kata-monitor` - ONLY NEEDED FOR 2.0.x
For Kata Containers `2.0.x` releases, the `kata-runtime exec` command depends on the`kata-monitor` running, in order to get the sandbox's `vsock` address to connect to. Thus, first start the `kata-monitor` process.
```
$ sudo kata-monitor
```
`kata-monitor` will serve at `localhost:8090` by default.
#### Connect to debug console
Command `kata-runtime exec` is used to connect to the debug console.
@@ -619,7 +604,7 @@ VMM solution.
In case of cloud-hypervisor, connect to the `vsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
CONNECT 1026
```
@@ -627,7 +612,7 @@ CONNECT 1026
For firecracker, connect to the `hvsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/firecracker/{sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
$ sudo su -c 'cd /var/run/vc/firecracker/${sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
CONNECT 1026
```
@@ -636,7 +621,7 @@ CONNECT 1026
For QEMU, connect to the `vsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"
$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"'
```
To disconnect from the virtual machine, type `CONTROL+q` (hold down the
A [Kata Container](https://github.com/kata-containers) utilizes a Virtual Machine (VM) to enhance security and
@@ -94,7 +62,9 @@ This section lists items that might be possible to fix.
### checkpoint and restore
The runtime does not provide `checkpoint` and `restore` commands. There
are discussions about using VM save and restore to give [`criu`](https://github.com/checkpoint-restore/criu)-like functionality, which might provide a solution.
are discussions about using VM save and restore to give us a
If you create a new stable branch, i.e. if your release changes a major or minor version number (not a patch release), then
you should modify the `tests` repository to point to that newly created stable branch and not the `main` branch.
The objective is that changes in the CI on the main branch will not impact the stable branch.
In the test directory, change references the main branch in:
* `README.md`
* `versions.yaml`
* `cmd/github-labels/labels.yaml.in`
* `cmd/pmemctl/pmemctl.sh`
* `.ci/lib.sh`
* `.ci/static-checks.sh`
See the commits in [the corresponding PR for stable-2.1](https://github.com/kata-containers/tests/pull/3504) for an example of the changes.
### Merge all bump version Pull requests
- The above step will create a GitHub pull request in the Kata projects. Trigger the CI using `/test` command on each bump Pull request.
@@ -50,7 +54,7 @@
### Tag all Kata repositories
Once all the pull requests to bump versions in all Kata repositories are merged,
tag all the repositories as shown below.
tag all the repositories as shown below.
```
$ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
$ git checkout <kata-branch-to-release>
@@ -60,7 +64,7 @@
### Check Git-hub Actions
We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/master/.github/workflows/main.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-conatiners` repository.
We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/main/.github/workflows/main.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-containers` repository.
Check the [actions status page](https://github.com/kata-containers/kata-containers/actions) to verify all steps in the actions workflow have completed successfully. On success, a static tarball containing Kata release artifacts will be uploaded to the [Release page](https://github.com/kata-containers/kata-containers/releases).
Note, the stable-1.1 branch will still exist with tag 1.1.3, but under current plans it is
not maintained further. The next tag applied to master will be 1.4.0-alpha0. We would then
Note, the stable-2.2 branch will still exist with tag 2.2.1, but under current plans it is
not maintained further. The next tag applied to main will be 2.4.0-alpha0. We would then
create a couple of alpha releases gathering features targeted for that particular release (in
this case 1.4.0), followed by a release candidate. The release candidate marks a feature freeze.
this case 2.4.0), followed by a release candidate. The release candidate marks a feature freeze.
A new stable branch is created for the release candidate. Only bug fixes and any security issues
are added to the branch going forward until release 1.4.0 is made.
are added to the branch going forward until release 2.4.0 is made.
## Backporting Process
Development that occurs against the master branch and applicable code commits should also be submitted
Development that occurs against the main branch and applicable code commits should also be submitted
against the stable branches. Some guidelines for this process follow::
1. Only bug and security fixes which do not introduce inter-component dependencies are
candidates for stable branches. These PRs should be marked with "bug" in GitHub.
2. Once a PR is created against master which meets requirement of (1), a comparable one
2. Once a PR is created against main which meets requirement of (1), a comparable one
should also be submitted against the stable branches. It is the responsibility of the submitter
to apply their pull request against stable, and it is the responsibility of the
reviewers to help identify stable-candidate pull requests.
## Continuous Integration Testing
The test repository is forked to create stable branches from master. Full CI
runs on each stable and master PR using its respective tests repository branch.
The test repository is forked to create stable branches from main. Full CI
runs on each stable and main PR using its respective tests repository branch.
### An alternative method for CI testing:
Ideally, the continuous integration infrastructure will run the same test suite on both master
Ideally, the continuous integration infrastructure will run the same test suite on both main
and the stable branches. When tests are modified or new feature tests are introduced, explicit
logic should exist within the testing CI to make sure only applicable tests are executed against
stable and master. While this is not in place currently, it should be considered in the long term.
stable and main. While this is not in place currently, it should be considered in the long term.
## Release Management
@@ -121,7 +122,7 @@ stable and master. While this is not in place currently, it should be considered
Releases are made every three weeks, which include a GitHub release as
well as binary packages. These patch releases are made for both stable branches, and a "release candidate"
for the next `MAJOR` or `MINOR` is created from master. If there are no changes across all the repositories, no
for the next `MAJOR` or `MINOR` is created from main. If there are no changes across all the repositories, no
release is created and an announcement is made on the developer mailing list to highlight this.
If a release is being made, each repository is tagged for this release, regardless
of whether changes are introduced. The release schedule can be seen on the
@@ -142,10 +143,10 @@ maturity, we have increased the cadence from six weeks to twelve weeks. The rele
### Compatibility
Kata guarantees compatibility between components that are within one minor release of each other.
This is critical for dependencies which cross between host (runtime, shim, proxy) and
This is critical for dependencies which cross between host (shimv2 runtime) and
the guest (hypervisor, rootfs and agent). For example, consider a cluster with a long-running
deployment, workload-never-dies, all on Kata version 1.1.3 components. If the operator updates
the Kata components to the next new minor release (i.e. 1.2.0), we need to guarantee that the 1.2.0
runtime still communicates with 1.1.3 agent within workload-never-dies.
deployment, workload-never-dies, all on Kata version 2.1.3 components. If the operator updates
the Kata components to the next new minor release (i.e. 2.2.0), we need to guarantee that the 2.2.0
shimv2 runtime still communicates with 2.1.3 agent within workload-never-dies.
Handling live-update is out of the scope of this document. See this [`kata-runtime` issue](https://github.com/kata-containers/runtime/issues/492) for details.
Kata implement CRI's API and support [`ContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L101) and [`ListContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L103) interfaces to expose containers metrics. User can use these interface to get basic metrics about container.
But unlike `runc`, Kata is a VM-based runtime and has a different architecture.
To fulfill the [Kata design requirements](kata-design-requirements.md), and based on the discussion on [Virtcontainers API extensions](https://docs.google.com/presentation/d/1dbGrD1h9cpuqAPooiEgtiwWDGCYhVPdatq7owsKHDEQ), the Kata runtime library features the following APIs:
# How to use memory hotplug feature in Kata Containers on arm64
## Introduction
Memory hotplug is a key feature for containers to allocate memory dynamically in deployment.
As Kata Container bases on VM, this feature needs support both from VMM and guest kernel. Luckily, it has been fully supported for the current default version of QEMU and guest kernel used by Kata on arm64. For other VMMs, e.g, Cloud Hypervisor, the enablement work is on the road. Apart from VMM and guest kernel, memory hotplug also depends on ACPI which depends on firmware either. On x86, you can boot a VM using QEMU with ACPI enabled directly, because it boots up with firmware implicitly. For arm64, however, you need specify firmware explicitly. That is to say, if you are ready to run a normal Kata Container on arm64, what you need extra to do is to install the UEFI ROM before use the memory hotplug feature.
## Install UEFI ROM
We have offered a helper script for you to install the UEFI ROM. If you have installed Kata normally on your host, you just need to run the script as fellows:
@@ -26,6 +26,7 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.runtime.disable_new_netns` | `boolean` | determines if a new netns is created for the hypervisor process |
| `io.katacontainers.config.runtime.internetworking_model` | string| determines how the VM should be connected to the container network interface. Valid values are `macvtap`, `tcfilter` and `none` |
| `io.katacontainers.config.runtime.sandbox_cgroup_only`| `boolean` | determines if Kata processes are managed only in sandbox cgroup |
| `io.katacontainers.config.runtime.enable_pprof` | `boolean` | enables Golang `pprof` for `containerd-shim-kata-v2` process |
## Agent Options
| Key | Value Type | Comments |
@@ -78,7 +79,7 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.hypervisor.kernel` | string | the kernel used to boot the container VM |
| `io.katacontainers.config.hypervisor.machine_accelerators` | string | machine specific accelerators for the hypervisor |
| `io.katacontainers.config.hypervisor.machine_type` | string | the type of machine being emulated by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_offset` | uint32| the memory space used for `nvdimm` device by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_offset` | uint64| the memory space used for `nvdimm` device by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_slots` | uint32| the memory slots assigned to the VM by the hypervisor |
| `io.katacontainers.config.hypervisor.msize_9p` | uint32 | the `msize` for 9p shares |
| `io.katacontainers.config.hypervisor.path` | string | the hypervisor that will run the container VM |
This document provides an overview on how to run Kata containers with ACRN hypervisor and device model.
- [Introduction](#introduction)
- [Pre-requisites](#pre-requisites)
- [Configure Docker](#configure-docker)
- [Configure Kata Containers with ACRN](#configure-kata-containers-with-acrn)
## Introduction
ACRN is a flexible, lightweight Type-1 reference hypervisor built with real-time and safety-criticality in mind. ACRN uses an open source platform making it optimized to streamline embedded development.
@@ -27,7 +22,7 @@ This document requires the presence of the ACRN hypervisor and Kata Containers o
- For networking, ACRN supports either MACVTAP or TAP. If MACVTAP is not enabled in the Service OS, please follow the below steps to update the kernel:
For additional documentation on setting sysctls with Docker please refer to [Docker-sysctl-doc](https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime).
#### Setting Namespaced Sysctls with Kubernetes:
Kubernetes considers certain sysctls as safe and others as unsafe. For detailed
@@ -100,7 +79,7 @@ spec:
### Non-Namespaced Sysctls:
Docker and Kubernetes disallow sysctls without a namespace.
Kubernetes disallow sysctls without a namespace.
The recommendation is to set them directly on the host or use a privileged
- [Kata Containers with virtio-fs](#kata-containers-with-virtio-fs)
- [Introduction](#introduction)
## Introduction
Container deployments utilize explicit or implicit file sharing between host filesystem and containers. From a trust perspective, avoiding a shared file-system between the trusted host and untrusted container is recommended. This is not always feasible. In Kata Containers, block-based volumes are preferred as they allow usage of either device pass through or `virtio-blk` for access within the virtual machine.
As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.
virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/packaging/tree/master/kata-deploy#kubernetes-quick-start).
virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy#kubernetes-quick-start).
- [Run a Kata Container utilizing `virtio-mem`](#run-a-kata-container-utilizing-virtio-mem)
## Introduction
The basic idea of `virtio-mem` is to provide a flexible, cross-architecture memory hot plug and hot unplug solution that avoids many limitations imposed by existing technologies, architectures, and interfaces.
@@ -13,26 +9,23 @@ Kata Containers with `virtio-mem` supports memory resize.
## Requisites
Kata Containers with `virtio-mem` requires Linux and the QEMU that support `virtio-mem`.
The Linux kernel and QEMU upstream version still not support `virtio-mem`. @davidhildenbrand is working on them.
Please use following unofficial version of the Linux kernel and QEMU that support `virtio-mem` with Kata Containers.
Kata Containers just supports`virtio-mem` with QEMU.
Install and setup Kata Containers as shown [here](../install/README.md).
The Linux kernel is at https://github.com/davidhildenbrand/linux/tree/virtio-mem-rfc-v4.
The Linux kernel config that can work with Kata Containers is at https://gist.github.com/teawater/016194ee84748c768745a163d08b0fb9.
The QEMU is at https://github.com/teawater/qemu/tree/kata-virtio-mem. (The original source is at https://github.com/davidhildenbrand/qemu/tree/virtio-mem. Its base version of QEMU cannot work with Kata Containers. So merge the commit of `virtio-mem` to upstream QEMU.)
Set Linux and the QEMU that support `virtio-mem` with following line in the Kata Containers QEMU configuration `configuration-qemu.toml`:
```toml
[hypervisor.qemu]
path="qemu-dir"
kernel="vmlinux-dir"
### With x86_64
The `virtio-mem` config of the x86_64 Kata Linux kernel is open.
Enable `virtio-mem` as follows:
```
$ sudo sed -i -e 's/^#enable_virtio_mem.*$/enable_virtio_mem = true/g' /etc/kata-containers/configuration.toml
```
Enable `virtio-mem` with following line in the Kata Containers configuration:
```toml
enable_virtio_mem =true
### With other architectures
The `virtio-mem` config of the others Kata Linux kernel is not open.
You can open `virtio-mem`config as follows:
```
CONFIG_VIRTIO_MEM=y
```
Then you can build and install the guest kernel image as shown [here](../../tools/packaging/kernel/README.md#build-kata-containers-kernel).
## Run a Kata Container utilizing `virtio-mem`
@@ -41,13 +34,35 @@ Use following command to enable memory overcommitment of a Linux kernel. Becaus
$ echo 1 | sudo tee /proc/sys/vm/overcommit_memory
```
Use following command start a Kata Container.
Use following command to start a Kata Container.
```
$ docker run --rm -it --runtime=kata --name test busybox
Kata Containers on Amazon Web Services (AWS) makes use of [i3.metal](https://aws.amazon.com/ec2/instance-types/i3/) instances. Most of the installation procedure is identical to that for Kata on your preferred distribution, except that you have to run it on bare metal instances since AWS doesn't support nested virtualization yet. This guide walks you through creating an i3.metal instance.
# Install Kata Containers on Google Compute Engine
* [Create an Image with Nested Virtualization Enabled](#create-an-image-with-nested-virtualization-enabled)
* [Create the Image](#create-the-image)
* [Verify VMX is Available](#verify-vmx-is-available)
* [Install Kata](#install-kata)
* [Create a Kata-enabled Image](#create-a-kata-enabled-image)
Kata Containers on Google Compute Engine (GCE) makes use of [nested virtualization](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances). Most of the installation procedure is identical to that for Kata on your preferred distribution, but enabling nested virtualization currently requires extra steps on GCE. This guide walks you through creating an image and instance with nested virtualization enabled. Note that `kata-runtime check` checks for nested virtualization, but does not fail if support is not found.
As a pre-requisite this guide assumes an installed and configured instance of the [Google Cloud SDK](https://cloud.google.com/sdk/downloads). For a zero-configuration option, all of the commands below were been tested under [Google Cloud Shell](https://cloud.google.com/shell/) (as of Jun 2018). Verify your `gcloud` installation and configuration:
- [Install and configure Kata Containers](#install-and-configure-kata-containers)
- [Build Kata Containers kernel with GPU support](#build-kata-containers-kernel-with-gpu-support)
- [Nvidia GPU pass-through mode with Kata Containers](#nvidia-gpu-pass-through-mode-with-kata-containers)
- [Nvidia vGPU mode with Kata Containers](#nvidia-vgpu-mode-with-kata-containers)
- [Install Nvidia Driver in Kata Containers](#install-nvidia-driver-in-kata-containers)
- [References](#references)
An Nvidia GPU device can be passed to a Kata Containers container using GPU passthrough
(Nvidia GPU pass-through mode) as well as GPU mediated passthrough (Nvidia vGPU mode).
@@ -75,13 +63,6 @@ To use non-large BARs devices (for example, Nvidia Tesla T4), you need Kata vers
Follow the [Kata Containers setup instructions](../install/README.md)
to install the latest version of Kata.
The following configuration in the Kata `configuration.toml` file as shown below can work:
```
machine_type = "pc"
hotplug_vfio_on_root_bus = true
```
To use large BARs devices (for example, Nvidia Tesla P100), you need Kata version 1.11.0 or above.
The following configuration in the Kata `configuration.toml` file as shown below can work:
@@ -310,4 +291,4 @@ Tue Mar 3 00:03:49 2020
- [Configuring a VM for GPU Pass-Through by Using the QEMU Command Line](https://docs.nvidia.com/grid/latest/grid-vgpu-user-guide/index.html#using-gpu-pass-through-red-hat-el-qemu-cli)
- [Copy Intel® QAT configuration files and enable virtual functions](#copy-intel-qat-configuration-files-and-enable-virtual-functions)
- [Expose and Bind Intel® QAT virtual functions to VFIO-PCI (Every reboot)](#expose-and-bind-intel-qat-virtual-functions-to-vfio-pci-every-reboot)
- [Check Intel® QAT virtual functions are enabled](#check-intel-qat-virtual-functions-are-enabled)
- [Prepare Kata Containers](#prepare-kata-containers)
- [Download Kata kernel Source](#download-kata-kernel-source)
- [Build Kata kernel](#build-kata-kernel)
- [Copy Kata kernel](#copy-kata-kernel)
- [Prepare Kata root filesystem](#prepare-kata-root-filesystem)
- [Compile Intel® QAT drivers for Kata Containers kernel and add to Kata Containers rootfs](#compile-intel-qat-drivers-for-kata-containers-kernel-and-add-to-kata-containers-rootfs)
- [Copy Kata rootfs](#copy-kata-rootfs)
- [Verify Intel® QAT works in a container](#verify-intel-qat-works-in-a-container)
prometheus::register_gauge_vec!(format!("{}_{}",NAMESPACE_KATA_GUEST,"meminfo").as_ref(),"Statistics about memory usage in the system.",&["item"]).unwrap();
//let meta = metadata(testdir.to_str().unwrap()).unwrap();
letmeta=metadata(testdir).unwrap();
assert!(meta.is_dir());
}
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.