Compare commits

...

1137 Commits

Author SHA1 Message Date
Fabiano Fidêncio
3e3e3a0253 Merge pull request #3149 from fidencio/2.4.0-alpha0-branch-bump
# Kata Containers 2.4.0-alpha0
2021-11-29 20:24:19 +01:00
Fabiano Fidêncio
72b8144b56 release: Kata Containers 2.4.0-alpha0
- osbuilder: fix missing cpio package when building rootfs-initrd image
- osbuilder: add coreutils to guest rootfs
- workflows: only allow org members to run `/test_kata_deploy`
- agent: use temp directory for test containers
- tools/osbuilder: build QAT kernel in fedora 34
- agent: refactor find_process function and add test cases
- Hypervisor cleanup, refactoring
- agent: clear cargo test warnings
- docs: Add a code PR advice document
- tools: Automatically revert kata-deploy changes
- runtime: delete netmon
- agent: Remove some unwrap and expect calls
- agent: fixed the `make optimize` bug
- docs: make kata-deploy more visible
- workflows: Add back the checks for running test-kata-deploy
- kata-deploy: Ensure we test HEAD with `/test_kata_deploy`
- docs: update using-SPDK-vhostuser-and-kata.md
- Update k8s SR-IOV plugin environment variables to work properly with Kata
- watchers: don't dereference symlinks when copying files
- kata-deploy: Add back stable & latest tags
- agent: fix the issue of missing create a new session for container
- runtime: Update containerd to 1.5.8
- qemu: fix snap build on ppc64le
- virtcontainers: fix failing template test on ppc64le
- agent: Update README
- Remove cruft, do some simple non-functional cleanup in the runtime
- macvlan: drop bridged part of name
- clh: Fix race condition that prevent start pods
- Update CRI-O documentation
- cgroups: Fix systemd cgroup support
- runtime: merge virtcontainers/pkg/types into virtcontainers/types
- workflows: Remove non-used main.yaml
- agent/src: improve unit test coverage for src/namespace.rs
- doc: update kata metrics documentation
- runtime: delete not used codes
- versions: bump golang to 1.17.x
- release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
- agent-ctl: Allow API specification in JSON format
- virtcontainers: Lint protection types
- agent: check environment variables if empty or invalid
- runtime: Revert "runtime: use containerd package instead of cri-containerd"
- rustjail: Fix created time of container
- agent: Remove dynamic tracing APIs
- kernel: add VFIO kernel dependencies for ppc64le
- logging: Always run crate tests

8ee67aae osbuilder: fix missing cpio package when building rootfs-initrd image
f59d3ff6 osbuilder: add coreutils to guest rootfs
5e7c1a29 workflows: only allow org members to run `/test_kata_deploy`
857501d8 tools/osbuilder: build QAT kernel in fedora 34
a32e02a1 agent: use temp directory as root of test containers
f0734f52 docs: Remove extraneous whitespace
aff32756 docs: Add a code PR advice document
d41c375c docs: Add more advice to the UT advice doc
baf4f76d docs: More detail on running tests as different users
fcf45b0c docs: Use more idiomatic rust string check
9fed7d0b docs: Mention anyhow for error handling in UT doc
318b3f18 docs: No present continuous in UT advice doc
e8bb6b26 docs: Correct repo name usage
c1111a1d docs: Use leading caps for lang names in UT advice doc
597b239e docs: Remove TOC in UT advice doc
cf360fad docs: Move unit test advice doc from tests repo
bc955814 docs: Move doc requirements section higher
6a0b7165 agent: refactor find_process function and add test cases
5ba2f52c tools: Quote functions arguments in the update repos script
5dbd752f tools: Remove the check for the VERSION file
85eb743f tools: Make hub usage slightly less fragile
76540dbd tools: Automatically revert kata-deploy changes
36d73c96 tools: Do the kata-deploy changes on its own commit
c8e22daf tools: Use vars for the registry in the update repo script
ac958a30 tools: Use vars for the yaml files used in the update repo script
edca8292 tools: Rewrite the logic around kata-deploy changes
31f6c2c2 tools: Update comments about the kata-deploy yaml changes
75bb3401 shimv2/service: fix defer funtions never run with os.Exit()
bd3217da agent: Remove redundant returns
adab6434 agent: Remove some unwrap and expect calls
351cef7b agent: Remove unwrap from verify_cid()
a7d1c70c agent: Improve baremount
09abcd4d agent-ctl: Remove some unwrap and expect calls
35db75ba agent-ctl: Remove redundant returns
46e45958 agent-ctl: Simplify main
c7349d0b agent-ctl: Simplify error handling
ddc68131 runtime: delete netmon
705687dc docs: Add kata-deploy as part of the install docs
acece849 docs: Use the default notation for "Note" on install README
143fb278 kata-deploy: Use the default notation for "Note"
45d76407 kata-deploy: Don't mention arch specific binaries in the README
0c6c0735 agent: fixed the `make optimize` bug
a7c08aa4 workflows: Add back the checks for running test-kata-deploy
ce0693d6 agent: clear cargo test warnings
ce92cadc vc: hypervisor: remove setSandbox
2227c46c vc: hypervisor: use our own logger
4c2883f7 vc: hypervisor: remove dependency on persist API
34f23de5 vc: hypervisor: Remove need to get shared address from sandbox
c28e5a78 acrn: remove dependency on sandbox, persistapi datatypes
a0e0e186 hypervisors: introduce pkg to unbreak vc/persist dependency
b5dfcf26 watcher: tests: ensure there is 20ms delay between fs writes
78dff468 agent/device: Adjust PCIDEVICE_* container environment variables for VM
4530e7df agent/device: Use simpler structure in update_spec_devices()
b6062278 agent/device: Correct misleading comment on test case
89ff7000 agent/device: Remove unnecessary check for empty container_path
c855a312 agent/device: Make DevIndex local to update_spec_devices()
084538d3 agent/device: Change update_spec_device to handle multiple devices at once
d6a3ebc4 agent/device: Obtain guest major/minor numbers when creating DevNumUpdate
f4982130 agent/device: Check for conflicting device updates
f10e8c81 agent/device: Batch changes to the OCI specification
46a4020e agent/device: Types to represent update for a device in the OCI spec
e7beed54 agent/device: Remove unneeded clone() from several device handlers
2029eeeb agent/device: Improve update_spec_device() final_path handling
57541315 agent/device: Correct misleading parameter name in update_spec_device()
0c51da3d agent/device: Correct misleading error message in update_spec_device()
94b7936f agent/device: Use nix::sys::stat::{major,minor} instead of libc::*
296e76f8 watchers: handle symlinked directories, dir removal
2b6dfe41 watchers: don't dereference symlinks when copying files
3c9ae7fb kata-deploy: Ensure we test HEAD with `/test_kata_deploy`
0380b9bd runtime: Update containerd to 1.5.8
112ea258 qemu: fix snap build by disabling libudev
d5a18173 virtcontainers: fix failing template test on ppc64le
6955d144 kata-deploy: Add back stable & latest tags
bbaf57ad agent: fix the issue of missing create a new session for container
46fd5069 docs: update using-SPDK-vhostuser-and-kata.md
7e6f2b8d vc-utils: don't export unused function
860f3088 virtcontainers: move oci, uuid packages top level
8acb3a32 virtcontainers: remove unused package nsenter
4788cb82 vc-network: remove unused functions
b6ebddd7 oci: remove unused function GetContainerType
599bc0c2 agent: Update README
1e7cb4bc macvlan: drop bridged part of name
55412044 monitor: Fix monitor race condition doing hypervisor.check()
eb11d053 cri-o: Update deployment documentation
92e3a140 cri-o: Update links for the CRI-O github page
0a19340a cri-o: Remove outdated documentation
a3b3c85e workflows: Remove non-used main.yaml
09f7962f runtime: merge virtcontainers/pkg/types into virtcontainers/types
6acedc25 runtime: delete not used codes
395638c4 versions: bump golang to 1.17.x
570915a8 docs: update kata 2.0 metrics documentation
bcf181b7 cgroups: Fix systemd cgroup support
34307235 release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
6339fdd1 docs: update kata metrics architecture image
57bb7ffa agent: check environment variables if empty or invalid
8ab90e10 agent-ctl: Allow API specification in JSON format
eacfcdec runtime: Revert "runtime: use containerd package instead of cri-containerd"
e7856ff1 rustjail: Fix created time of container
b7b89905 virtcontainers: Lint protection types
7566b736 kernel: add VFIO kernel dependencies for ppc64le
87f67606 agent: Remove dynamic tracing APIs
b09dd7a8 docs: Fix typo
d47484e7 logging: Always run crate tests
5c9c0b6e build: Fix default target
b34ed403 cgroups: pass vhost-vsock device to cgroup
7362e1e8 runtime: remove prefix when cgroups are managed by systemd
1b1790fd agent/src: improve unit test coverage for src/namespace.rs

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-29 18:34:45 +01:00
Fabiano Fidêncio
f8aaefc919 Merge pull request #3147 from Bevisy/main-3144
osbuilder: fix missing cpio package when building rootfs-initrd image
2021-11-29 18:27:49 +01:00
Binbin Zhang
8ee67aae4f osbuilder: fix missing cpio package when building rootfs-initrd image
1. install cpio package before building rootfs-initrd image
2. add `pipefaili;errexit` check to the scripts

Fixes: #3144

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-11-29 23:42:44 +08:00
Fabiano Fidêncio
879ec4e0e9 Merge pull request #3139 from bergwolf/coreutils
osbuilder: add coreutils to guest rootfs
2021-11-29 10:19:39 +01:00
Fabiano Fidêncio
a6219cb5e0 Merge pull request #3134 from fidencio/wip/only-allow-users-who-are-part-of-the-org-to-run-test-kata-deploy
workflows: only allow org members to run `/test_kata_deploy`
2021-11-29 07:55:40 +01:00
Peng Tao
f59d3ff600 osbuilder: add coreutils to guest rootfs
So that the debug console is more useful. In the meantime, remove
iptables as it is not used by kata-agent any more.

Fixes: #3138
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-11-29 11:22:07 +08:00
Fabiano Fidêncio
7364cd4983 Merge pull request #3129 from liubin/fix/3122-use-tempdir-for-test-container
agent: use temp directory for test containers
2021-11-26 23:11:27 +01:00
Fabiano Fidêncio
5e7c1a290f workflows: only allow org members to run /test_kata_deploy
Let's take advantage of the "is-organization-member" action and only
allow members who are part of the `kata-containers` organization to
trigger `/test_kata_deploy`.

One caveat with this approach is that for the user to be considered as
part of an organization, they **must** have their "Organization
Visibility" configured as Public (and I think the default is Private).

This was found out and suggested by @jcvenegas!

Fixes: #3130

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-26 23:02:51 +01:00
Julio Montes
06d28d50ed Merge pull request #3136 from devimc/2021-11-26/fixQATci
tools/osbuilder: build QAT kernel in fedora 34
2021-11-26 15:38:57 -06:00
Julio Montes
857501d8dd tools/osbuilder: build QAT kernel in fedora 34
kernel compiled in fedora 35 (latest) is not working, following error
is reported:

```
qemu-system-x86_64: Error loading uncompressed kernel without PVH ELF
Note
```

Build QAT kernel in fedora 34 container to fix it

fixes #3135

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-11-26 13:56:43 -06:00
bin
a32e02a1ee agent: use temp directory as root of test containers
Some tests in sandbox.rs need root user to run, because they need create
directories under /run/agent directories, actually this is a limit
that shouldn't be there. By using a temp directory for test containers
will not need run tests as root user.

Fixes: #3122

Signed-off-by: bin <bin@hyper.sh>
2021-11-26 15:18:38 +08:00
Peng Tao
c3de161168 Merge pull request #3118 from liubin/fix/3117-refactor-find_process
agent: refactor find_process function and add test cases
2021-11-26 10:22:48 +08:00
Peng Tao
01b6ffc0a4 Merge pull request #3028 from egernst/hypervisor-hacking
Hypervisor cleanup, refactoring
2021-11-26 10:21:49 +08:00
James O. D. Hunt
9412be39ba Merge pull request #3092 from liubin/fix/3091-fix-test-warnings
agent: clear cargo test warnings
2021-11-25 17:22:27 +00:00
James O. D. Hunt
a813378ac5 Merge pull request #3100 from jodh-intel/docs-code-pr-advice
docs: Add a code PR advice document
2021-11-25 15:46:13 +00:00
James O. D. Hunt
f0734f52c1 docs: Remove extraneous whitespace
Remove trailing whitespace in the unit test advice doc.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:49 +00:00
James O. D. Hunt
aff3275608 docs: Add a code PR advice document
Add a document giving advice to code PR authors.

Fixes: #3099.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:46 +00:00
James O. D. Hunt
d41c375c4f docs: Add more advice to the UT advice doc
Add information to the unit test advice document on test strategies and
the test environment.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
baf4f76d97 docs: More detail on running tests as different users
Add some more detail to the unit test advice document about running
tests as different users.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
fcf45b0c92 docs: Use more idiomatic rust string check
Rather than comparing a string to a literal in the rust example,
use `.is_empty()` as that approach is more idiomatic and preferred.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
9fed7d0bde docs: Mention anyhow for error handling in UT doc
Add a comment stating that `anyhow` and `thiserror` should be used in
real rust code, rather than the unwieldy default `Result` handling
shown in the example.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
318b3f187b docs: No present continuous in UT advice doc
Change some headings to avoid using the present continuous tense which
should not be used for headings.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
e8bb6b2666 docs: Correct repo name usage
Change reference from "runtime repo" to "main repo" in unit test advice
document.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
c1111a1d2d docs: Use leading caps for lang names in UT advice doc
Use a capital letter when referring to Golang and Rust (and remove
unnecessary backticks for Rust).

> **Note:**
>
> We continue refer to "Go" as "Golang" since it's a common alias,
> but, crucially, familiarity with this name makes searching for
> information using this term possible: "Go" is too generic a word.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
597b239ef3 docs: Remove TOC in UT advice doc
Remove the table of contents in the Unit Test Advice document since
GitHub auto-generates these now.

See: https://github.com/kata-containers/kata-containers/pull/2023

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
cf360fad92 docs: Move unit test advice doc from tests repo
Unit tests necessarily need to be maintained with the code they test so
it makes sense to keep the Unit Test Advice document into the main repo
since that is where the majority of unit tests reside.

Note: The
[`Unit-Test-Advice.md` file](https://github.com/kata-containers/tests/blob/main/Unit-Test-Advice.md)
was copied from the `tests` repo when it's `HEAD` was
38855f1f40.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
James O. D. Hunt
bc9558149c docs: Move doc requirements section higher
Move the documentation requirements document link up so that it appears
immediately below the "How to Contribute" section.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-25 14:44:40 +00:00
Fabiano Fidêncio
abf39ddef0 Merge pull request #3089 from fidencio/wip/kata-deploy-remove-files-and-revert-removal-as-part-of-the-release-scripts
tools: Automatically revert kata-deploy changes
2021-11-25 15:23:52 +01:00
Chelsea Mafrica
ed7eb26bff Merge pull request #3113 from liubin/fix/3112-delete-netmon
runtime: delete netmon
2021-11-24 17:58:13 -08:00
bin
6a0b7165ba agent: refactor find_process function and add test cases
Delete redundant parameter init in find_process function and
add test case for it.

Fixes: #3117

Signed-off-by: bin <bin@hyper.sh>
2021-11-25 09:47:25 +08:00
Fupan Li
2938f60abb Merge pull request #3012 from jodh-intel/agent-rm-unwraps
agent: Remove some unwrap and expect calls
2021-11-25 09:37:39 +08:00
Fabiano Fidêncio
5ba2f52c73 tools: Quote functions arguments in the update repos script
Although this is not strictly needed, better be safe than sorry on those
cases.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:09:58 +01:00
Fabiano Fidêncio
5dbd752f8f tools: Remove the check for the VERSION file
All repos we release (https://github.com/kata-containers/kata-containers
and https://github.com/kata-containers/tests) have a VERSION file.

Keeping a check for it, although useful for a new repo, just complicates
the use-case we currently deal with.

While here, let's also anchor the '#' and potentially exclude blank
lines, following James' suggestion.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:09:49 +01:00
Fabiano Fidêncio
85eb743f46 tools: Make hub usage slightly less fragile
`grep`ing by a specific output, in a specific language, is quite fragile
and could easily break `hub`.  For now, let's work this around following
James' suggestion of setting `LC_ALL=C LANG=C` when calling `hub`.

> **Note**: I don't think we should invest much time on fixing `hub`
> usage, as it'll be soon replaced by `gh`, see:
> https://github.com/kata-containers/kata-containers/issues/3083

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:09:30 +01:00
Fabiano Fidêncio
76540dbdd1 tools: Automatically revert kata-deploy changes
When branching the "stable-x.y" branch, we need to do some quite
specific changes to kata-deploy / kata-cleanup files, such as:
* changing the tags from "latest" to "stable-x.y".
* removing the kata-deploy / kata-cleanup stable files.

However, after the branching is done, we need to get the `main` repo to
its original state, with the kata-deploy / kata-cleanup using the
"latest" tag, and with the stable files present there, and this commit
ensures that, during the release process, a new PR is automatically
created with these changes.

Fixes: #3069

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:07:53 +01:00
Fabiano Fidêncio
36d73c96c8 tools: Do the kata-deploy changes on its own commit
Rather than doing the kata-deploy changes as part of the release bump
commit, let's split those on its own changes, as it will both make the
life of the reviewer less confusing and also allows us to start
preparing the field for a possible automated revert of these changes,
whenever it becomes needed.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:07:52 +01:00
Fabiano Fidêncio
c8e22daf67 tools: Use vars for the registry in the update repo script
Similarly to what was done for the yaml files, let's use a var for
representing the registry where our images will be pushed to and avoid
repetition and too long lines.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:07:03 +01:00
Fabiano Fidêncio
ac958a3073 tools: Use vars for the yaml files used in the update repo script
Instead of always writing the full path of some files, let's just create
some vars and avoid both repetition (which is quite error prone) and too
long lines (which makes the file not so easy to read).

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:06:45 +01:00
Fabiano Fidêncio
edca829242 tools: Rewrite the logic around kata-deploy changes
We can simplify the code a little bit, as at least now we group common
operationr together.  Hopefully this will improve the maintainability
and the readability of the code.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 22:05:35 +01:00
Fabiano Fidêncio
31f6c2c2ea tools: Update comments about the kata-deploy yaml changes
The comments were mentioning kata-deploy-base files while it really
should mention kata-deploy-stable files.

While here, I've also added a missing '"' to one of the tags.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-24 21:17:40 +01:00
Binbin Zhang
75bb340137 shimv2/service: fix defer funtions never run with os.Exit()
os.Exit() will terminate program immediately, the defer functions
won't be executed, so we add defer functions again before os.Exit().
Refer to https://pkg.go.dev/os#Exit

Fixes: #3059

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-11-24 15:59:59 +01:00
James O. D. Hunt
bd3217daeb agent: Remove redundant returns
Remove an unnecessary `return` statement identified by clippy.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
adab64349c agent: Remove some unwrap and expect calls
Replace some `unwrap()` and `expect()` calls with code to return the
error to the caller.

Fixes: #3011.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
351cef7b6a agent: Remove unwrap from verify_cid()
Improved the `verify_cid()` function that validates container ID's by
removing the need for an `unwrap()`.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
a7d1c70c4b agent: Improve baremount
Change `baremount()` to accept `Path` values rather than string values
since:

- `Path` is more natural given the function deals with paths.
- This minimises the caller having to convert between string and `Path`
  types, which simplifies the surrounding code.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
09abcd4dc6 agent-ctl: Remove some unwrap and expect calls
Replace some `unwrap()` and `expect()` calls with code to return the
error to the caller.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
35db75baa1 agent-ctl: Remove redundant returns
Remove a number of redundant `return`'s.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
46e459584d agent-ctl: Simplify main
Make the `main()` function simpler.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
James O. D. Hunt
c7349d0bf1 agent-ctl: Simplify error handling
Replace `ok_or().map_err()` combinations with the simpler `ok_or_else()`
construct.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-24 11:43:49 +00:00
bin
ddc68131df runtime: delete netmon
Netmon is not used anymore.

Fixes: #3112

Signed-off-by: bin <bin@hyper.sh>
2021-11-24 15:08:18 +08:00
Carlos Venegas
ac058b3897 Merge pull request #3105 from YchauWang/wyc-agent-make-02
agent: fixed the `make optimize` bug
2021-11-23 13:17:05 -06:00
Fabiano Fidêncio
181f876fdb Merge pull request #3098 from fidencio/wip/move_kata-deploy-install-instruction_to_docs
docs: make kata-deploy more visible
2021-11-23 18:32:42 +01:00
João Vanzuita
705687dc42 docs: Add kata-deploy as part of the install docs
This PR links the kata-deloy installation instructions to the
docs/install folder.

Fixes: #2450

Signed-off-by: João Vanzuita <joao.vanzuita@de.bosch.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-23 13:57:22 +01:00
Fabiano Fidêncio
acece84906 docs: Use the default notation for "Note" on install README
Let's use the default GitHub notation for notes in documentation, as
describe here:
https://github.com/kata-containers/kata-containers/blob/main/docs/Documentation-Requir

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-23 13:27:35 +01:00
Fabiano Fidêncio
143fb27802 kata-deploy: Use the default notation for "Note"
Let's use the default GitHub notation for notes in documentation, as
describe here:
https://github.com/kata-containers/kata-containers/blob/main/docs/Documentation-Requirements.md#notes

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Suggested-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-23 13:24:42 +01:00
Fabiano Fidêncio
45d76407aa kata-deploy: Don't mention arch specific binaries in the README
Although the binary name of the shipped binary is `qemu-system-x86_64`,
and we only ship kata-deploy for `x86_64`, we better leaving the
architecture specific name out of our README file.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-23 13:21:37 +01:00
wangyongchao.bj
0c6c0735ec agent: fixed the make optimize bug
The unrecognized option: 'deny-warnings' args caused `make optimize` failed.
Fixed the Makefile of the agent project, make sure the `make optimize` command
execute correctly. This PR modify the rustc args from '--deny-warnings' to
'--deny warnings'.

Fixes: #3104

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-11-23 09:44:05 +08:00
Fabiano Fidêncio
0ae77e1232 Merge pull request #3102 from fidencio/wip/add-back-wrongly-removed-check-for-test-kata-deploy
workflows: Add back the checks for running test-kata-deploy
2021-11-22 22:36:03 +01:00
Fabiano Fidêncio
a7c08aa4b6 workflows: Add back the checks for running test-kata-deploy
Commit 3c9ae7f made /test_kata_deploy run
against HEAD, but it also mistakenly removed all the checks that ensure
/test_kata_deploy only runs when explicitly called.

Mea culpa on this, and let's add the tests back.

Fixes: #3101

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-22 18:33:10 +01:00
Carlos Venegas
3be15aed1c Merge pull request #3071 from fidencio/wip/test-kata-deploy-should-use-the-latest-builds
kata-deploy: Ensure we test HEAD with `/test_kata_deploy`
2021-11-22 10:48:35 -06:00
bin
ce0693d6dc agent: clear cargo test warnings
Function parameters in test config is not used. This
commit will add under score before variable name
in test config.

Fixes: #3091

Signed-off-by: bin <bin@hyper.sh>
2021-11-22 20:45:46 +08:00
Tim Zhang
cad279b37d Merge pull request #3055 from liubin/fix/3054-update-spdk-doc
docs: update using-SPDK-vhostuser-and-kata.md
2021-11-22 15:47:02 +08:00
David Gibson
1b28d7180f Merge pull request #2927 from dgibson/vfio-env-mangling
Update k8s SR-IOV plugin environment variables to work properly with Kata
2021-11-22 13:44:19 +11:00
Eric Ernst
a0919b0865 Merge pull request #2998 from egernst/fix-symlinks
watchers: don't dereference symlinks when copying files
2021-11-19 12:43:22 -08:00
Eric Ernst
ce92cadc7d vc: hypervisor: remove setSandbox
The hypervisor interface implementation should not know a thing about
sandboxes.

Fixes: #2882

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
2227c46c25 vc: hypervisor: use our own logger
This'll end up moving to hypervisors pkg, but let's stop using virtLog,
instead introduce hvLogger.

Fixes: #2884

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
4c2883f7e2 vc: hypervisor: remove dependency on persist API
Today the hypervisor code in vc relies on persist pkg for two things:
1. To get the VM/run store path on the host filesystem,
2. For type definition of the Load/Save functions of the hypervisor
   interface.

For (1), we can simply remove the store interface from the hypervisor
config and replace it with just the path, since this is all we really
need. When we create a NewHypervisor structure, outside of the
hypervisor, we can populate this path.

For (2), rather than have the persist pkg define the structure, let's
let the hypervisor code (soon to be pkg) define the structure. persist
API already needs to call into hypervisor anyway; let's allow us to
define the structure.

We'll probably want to look at following similar pattern for other parts
of vc that we want to make independent of the persist API.

In doing this, we started an initial hypervisors pkg, to hold these
types (avoid a circular dependency between virtcontainers and persist
pkg). Next step will be to remove all other dependencies and move the
hypervisor specific code into this pkg, and out of virtcontaienrs.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
34f23de512 vc: hypervisor: Remove need to get shared address from sandbox
Add shared path as part of the hypervisor config

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
c28e5a7807 acrn: remove dependency on sandbox, persistapi datatypes
Today, acrn relies on sandbox level information, as well as a store
provided by common parts of the hypervisor. As we cleanup the
abstractions within our runtime, we need to ensure that there aren't
cross dependencies between the sandbox, the persistence logic and the
hypervisor.

Ensure that ACRN still compiles, but remove the setSandbox usage as
well as persist driver setup.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
a0e0e18639 hypervisors: introduce pkg to unbreak vc/persist dependency
Initial hypervisors pkg, with just basic state types defined.

Fixes: #2883

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 12:20:41 -08:00
Eric Ernst
b5dfcf2653 watcher: tests: ensure there is 20ms delay between fs writes
We noticed s390x test failures on several of the watcher unit tests.

Discovered that on s390 in particular, if we update a file in quick
sucecssion, the time stampe on the file would not be unique between the
writes. Through testing, we observe that a 20 millisecond delay is very
reliable for being able to observe the timestamp update. Let's ensure we
have this delay between writes for our tests so our tests are more
reliable.

In "the real world" we'll be polling for changes every 2 seconds, and
frequency of filesystem updates will be on order of minutes and days,
rather that microseconds.

Fixes: #2946

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-19 11:33:36 -08:00
Fabiano Fidêncio
d08bcde7aa Merge pull request #3068 from fidencio/wip/kata-deploy-re-add-latest-and-stable-tags
kata-deploy: Add back stable & latest tags
2021-11-19 15:58:55 +01:00
David Gibson
78dff468bf agent/device: Adjust PCIDEVICE_* container environment variables for VM
The k8s SR-IOV plugin, when it assigns a VFIO device to a container, adds
an variable of the form PCIDEVICE_<identifier> to the container's
environment, so that the payload knows which device is which.  The contents
of the variable gives the PCI address of the device to use.

Kata allows VFIO devices to be passed in to a Kata container, however it
runs within a VM which has a different PCI topology.  In order for the
payload to find the right device, the environment variables therefore need
to be converted to list the guest PCI addresses instead of the host PCI
addresses.

fixes #2897

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 17:44:05 +11:00
David Gibson
4530e7df29 agent/device: Use simpler structure in update_spec_devices()
update_spec_devices() takes a bunch of updates for the device entries in
the OCI spec and applies them, adjusting things in both the linux.devices
and linux.resources.devices sections of the spec.

It's important that each entry in the spec only be updated once.  Currently
we ensure this by first creating an index of where the entries are, then
consulting that as we apply each update, so that earlier updates don't
cause us to incorrectly detect an entry as being relevant to a later
update.  This method works, but it's quite awkward.

This inverts the loop structure in update_spec_devices() to make this
clearer.  Instead of stepping through each update and finding the relevant
entries in the spec to change, we step through each entry in the spec and
find the relevant update.  This makes it structurally clear that we're only
updating each entry once.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 17:21:11 +11:00
Tim Zhang
653b461dc2 Merge pull request #3064 from lifupan/main
agent: fix the issue of missing create a new session for container
2021-11-19 11:28:54 +08:00
David Gibson
b60622786d agent/device: Correct misleading comment on test case
We have a test case commented as testing the case where linux.devices is
empty in the OCI spec.  While it's true that linux.devices is empth in this
example, the reason it fails isn't specifically because it's empty but
because it doesn't contain a device for the update we're trying to apply.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:25:04 +11:00
David Gibson
89ff700038 agent/device: Remove unnecessary check for empty container_path
update_spec_devices() explicitly checks for being called with an empty
container path and fails.  We have a unit test to verify this behaviour.

But while an empty container_path probably does mean something has gone
wrong elsewhere, that's also true of any number of other bad paths.  Having
an empty string here doesn't prevent what we're doing in this function
making sense - we can compare it to the strings in the OCI spec perfectly
well (though more likely we simply won't find it there).

So, there's no real reason to check this one particular odd case.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:25:03 +11:00
David Gibson
c855a312f0 agent/device: Make DevIndex local to update_spec_devices()
The DevIndex data structure keeps track of devices in the OCI
specification.  We used to carry it around to quite a lot of
functions, but it's now used only within update_spec_devices().  That
means we can simplify things a bit by just open coding the maps we
need, rather than declaring a special type.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:24:47 +11:00
David Gibson
084538d334 agent/device: Change update_spec_device to handle multiple devices at once
update_spec_device() adjusts the OCI spec for device differences
between the host and guest.  It is called repeatedly for each device
we need to alter.  These calls are now all in a single loop in
add_devices(), so it makes more sense to move the loop into a renamed
update_spec_devices() and process all the fixups in one call.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:23:58 +11:00
David Gibson
d6a3ebc496 agent/device: Obtain guest major/minor numbers when creating DevNumUpdate
Currently the DevNumUpdate structure is created with a path to a
device node in the VM, which is then used by update_spec_device().
However the only piece of information that update_spec_device()
actually needs is the VM side major and minor numbers for the device.
We can determine those when we create the DevNumUpdate structure.
This means we detect errors earlier and as a bonus we don't need to
make a copy of the vm path string.

Since that change requires updating 2 of the log statements, we take the
opportunity to update all the log statements to structured style.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:23:36 +11:00
David Gibson
f4982130e1 agent/device: Check for conflicting device updates
For each device in the OCI spec we need to update it to reflect the guest
rather than the host.  We do this with additional device information
provided by the runtime.  There should only be one update for each device
though, if there are multiple, something has gone horribly wrong.

Detect and report this situation, for safety.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:23:34 +11:00
David Gibson
f10e8c8165 agent/device: Batch changes to the OCI specification
As we process container devices in the agent, we repeatedly call
update_spec_device() to adjust the OCI spec as necessary for differences
between the host and the VM.  This means that for the whole of a pretty
complex call graph, the spec is in a partially-updated state - neither
fully as it was on the host, not fully as it will be for the container
within the VM.

Worse, it's not discernable from the contents itself which parts of the
spec have already been updated and which have not.  We used to have real
bugs because of this, until the DevIndex structure was introduced, but that
means a whole, fairly complex, parallel data structure needs to be passed
around this call graph just to keep track of the state we're in.

Start simplifying this by having the device handler functions not directly
update the spec, but instead return an update structure describing the
change they need.  Once all the devices are added, add_devices() will
process all the updates as a batch.

Note that collecting the updates in a HashMap, rather than a simple Vec
doesn't make a lot of sense in the current code, but will reduce churn
in future changes which make use of it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 14:23:15 +11:00
David Gibson
46a4020e9e agent/device: Types to represent update for a device in the OCI spec
Currently update_spec_device() takes parameters 'vm_path' and 'final_path'
to give it the information it needs to update a single device in the OCI
spec for the guest.  This bundles these parameters into a single structure
type describing the updates to a single device.  This doesn't accomplish
much immediately, but will allow a number of further cleanups.

At the same time we change the representation of vm_path from a Unicode
string to a std::path::Path, which is a bit more natural since we are
performing file operations on it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
David Gibson
e7beed5430 agent/device: Remove unneeded clone() from several device handlers
virtio_blk_device_handler(), virtio_blk_ccw_device_handler() and
virtio_scsi_device_handler() all take a clone of their 'device' parameter.
They appear to do this in order to get a mutable copy in which they can
update the vm_path field.

However, the copy is dropped at the end of the function, so the only thing
that's used in it is the vm_path field passed to update_spec_device()
afterwards.

We can avoid the clone by just using a local variable for the vm_path.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
David Gibson
2029eeebca agent/device: Improve update_spec_device() final_path handling
update_spec_device() takes a 'final_path' parameter which gives the
name the device should be given in the "inner" OCI spec.  We need this
for VFIO devices where the name the payload sees needs to match the
VM's IOMMU groups.  However, in all other cases (for now, and maybe
forever), this is the same as the original 'container_path' given in
the input OCI spec.  To make this clearer and simplify callers, make
this parameter an Option, and only update the device name if it is
non-None.

Additionally, update_spec_device() needs to call to_string() on
update_path to get an owned version.  Rust convention[0] is to let the
caller decide whether it should copy, or just give an existing owned
version to the function.  Change from &str to String to allow that; it
doesn't buy us anything right now, but will make some things a little
nicer in future.

[0] https://rust-lang.github.io/api-guidelines/flexibility.html?highlight=clone#caller-decides-where-to-copy-and-place-data-c-caller-control

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
David Gibson
57541315db agent/device: Correct misleading parameter name in update_spec_device()
update_spec_device() takes a 'host_path' parameter which it uses to locate
the device to correct in the OCI spec.  Although this will usually be the
path of the device on the host, it doesn't have to be - a traditional
runtime like runc would create a device node of that name in the container
with the given (host) major and minor numbers.  To clarify that, rename it
to 'container_path'.

We also update the block comment to explain the distinctions more
carefully.  Finally we update some variable names in tests to match.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
David Gibson
0c51da3dd0 agent/device: Correct misleading error message in update_spec_device()
This error is returned if we have information for a device from the
runtime, but a matching device does not appear in the OCI spec.  However,
the name for the device we print is the name from the VM, rather than the
name from the container which is what we actually expect in the spec.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
David Gibson
94b7936f51 agent/device: Use nix::sys::stat::{major,minor} instead of libc::*
update_spec_devices() includes an unsafe block, in order to call the libc
functions to get the major and minor numbers from a device ID.  However,
the nix crate already has a safe wrapper for this function, which we use in
other places in the file.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-11-19 12:27:52 +11:00
Eric Ernst
296e76f8ee watchers: handle symlinked directories, dir removal
- Even a directory could be a symlink - check for this. This is very
common when using configmaps/secrets
- Add unit test to better mimic a configmap, configmap update
- We would never remove directories before. Let's ensure that these are
added to the watched_list, and verify in unit tests
- Update unit tests which exercise maximum number of files per entry. There's a change
in behavior now that we consider directories/symlinks watchable as well.
For these tests, it means we support one less file in a watchable mount.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-18 16:23:45 -08:00
Eric Ernst
2b6dfe414a watchers: don't dereference symlinks when copying files
The current implementation just copies the file, dereferencing any
simlinks in the process. This results in symlinks no being preserved,
and a change in layout relative to the mount that we are making
watchable.

What we want is something like "cp -d"

This isn't available in a crate, so let's go ahead and introduce a copy
function which will create a symlink with same relative path if the
source file is a symlink. Regular files are handled with the standard
fs::copy.

Introduce a unit test to verify symlinks are now handled appropriately.

Fixes: #2950

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-18 16:23:45 -08:00
Fabiano Fidêncio
3c9ae7fb4b kata-deploy: Ensure we test HEAD with /test_kata_deploy
Is the past few releases we ended up hitting issues that could be easily
avoided if `/test_kata_deploy` would use HEAD instead of a specific
tarball.

By the end of the day, we want to ensure kata-deploy works, but before
we cut a release we also want to ensure that the binaries used in that
release are in a good shape.  If we don't do that we end up either
having to roll a release back, or to cut a second release in a really
short time (and that's time consuming).

Note: there's code duplication here that could and should be avoided,b
but I sincerely would prefer treating it in a different PR.

Fixes: #3001

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-18 23:38:55 +01:00
Greg Kurz
c01189d4a6 Merge pull request #3075 from c3d/bugs/3074-containerd-update
runtime: Update containerd to 1.5.8
2021-11-18 22:42:05 +01:00
Christophe de Dinechin
0380b9bda7 runtime: Update containerd to 1.5.8
Release 1.5.8 of containerd contains fixes for two low-severity advisories:

[GHSA-5j5w-g665-5m35](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m)
[GHSA-77vh-xpmg-72qh](https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh)

Fixes: #3074

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-11-18 18:38:27 +01:00
Greg Kurz
bdde8beb52 Merge pull request #3003 from Amulyam24/snap_ppc
qemu: fix snap build on ppc64le
2021-11-18 17:46:23 +01:00
Greg Kurz
f80ca66300 Merge pull request #2921 from Amulyam24/template_test
virtcontainers: fix failing template test on ppc64le
2021-11-18 17:32:18 +01:00
Amulyam24
112ea25859 qemu: fix snap build by disabling libudev
While building snap, static qemu is considered. Disable libudev
as it doesn't have static libraries on most of the distros of all
archs.

Fixes: #3002

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-11-18 18:50:19 +05:30
Amulyam24
d5a18173b9 virtcontainers: fix failing template test on ppc64le
If a file/directory doesn't exist, os.Stat() returns an
error. Assert the returned value with os.IsNotExist() to
prevent it from failing.

Fixes: #2920

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-11-18 15:37:40 +05:30
Fabiano Fidêncio
6955d1442f kata-deploy: Add back stable & latest tags
stable-2.3 was the first time we branched the repo since
43a72d76e2 was merged.  One bit that I
didn't notice while working on this, regardless of being warned by
@amshinde (sorry!), was that the change would happen on `main` branch,
rather than on the branched `stable-2.3` one.

In my mind, the workflow was:
* we branch.
* we do the changes, including removing the files.
* we tag a release.

However, the workflow actually is:
* we do the changes, including removing the files.
* we branch.
* we tag a release.

A better way to deal with this has to be figured out before 2.4.0 is
out, but for now let's just re-add the files back.

Fixes: #3067

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-18 09:41:54 +01:00
James O. D. Hunt
7269352fd4 Merge pull request #3057 from jodh-intel/docs-update-agent-readme
agent: Update README
2021-11-18 08:02:10 +00:00
Fupan Li
bbaf57adb0 agent: fix the issue of missing create a new session for container
When the container didn't had a tty console, it would be in a same
process group with the kata-agent, which wasn't expected. Thus,
create a new session for the container process.

Fixes: #3063

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2021-11-18 14:12:51 +08:00
bin
46fd5069c9 docs: update using-SPDK-vhostuser-and-kata.md
Use `ctr` instead of `Docker`.

Fixes: #3054

Signed-off-by: bin <bin@hyper.sh>
2021-11-18 09:41:12 +08:00
Eric Ernst
076dbe6cea Merge pull request #2973 from egernst/remove-cruft
Remove cruft, do some simple non-functional cleanup in the runtime
2021-11-17 15:26:12 -08:00
Eric Ernst
7e6f2b8d64 vc-utils: don't export unused function
Many of these functions are just used on one place throughout the rest
of the code base. If we create hypervisor package, newtork package, etc, we may want to
parse this out.

Fixes: #3049

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-17 14:12:57 -08:00
Eric Ernst
860f30882a virtcontainers: move oci, uuid packages top level
This will be useful at runtime level; no need for oci or uuid to be subpkg of
virtcontainers.

While at it, ensure we run gofmt on the changed files.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-17 14:12:57 -08:00
Eric Ernst
8acb3a32b6 virtcontainers: remove unused package nsenter
Package is not utilized. Remove.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-17 14:12:57 -08:00
Eric Ernst
4788cb8263 vc-network: remove unused functions
Unused functions -- let's clean up!

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-17 14:12:57 -08:00
Eric Ernst
b6ebddd7ef oci: remove unused function GetContainerType
This is unused - we utilize ContainerType directly.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-17 14:12:57 -08:00
James O. D. Hunt
599bc0c2a9 agent: Update README
Update the agent README by removing the historical details about the
conversion from golang to rust which (occurred at the start of Kata 2.x
development) and replacing it with information that developers and
testers should find more useful.

Fixes: #3056.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-17 17:57:45 +00:00
Fabiano Fidêncio
e34893a0c4 Merge pull request #3051 from egernst/macvlan-rename
macvlan: drop bridged part of name
2021-11-17 10:21:07 +01:00
Eric Ernst
1e7cb4bc3a macvlan: drop bridged part of name
The fact that we need to "bridge" the endpoint is a bit irrelevant. To
be consistent with the rest of the endpoints, let's just call this
"macvlan"

Fixes: #3050

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-11-16 16:44:29 -08:00
Carlos Venegas
15b5d22e81 Merge pull request #2778 from jcvenegas/clh-race-condition-check
clh: Fix race condition that prevent start pods
2021-11-16 14:15:06 -06:00
Carlos Venegas
55412044df monitor: Fix monitor race condition doing hypervisor.check()
The thread monitor will check if the agent and the VMM are alive every
second in a blocking thread. The Cloud hypervisor API server is
single-threaded, if the monitor does a `check()`, while a slow request
is still in progress, the monitor check() method will timeout. The
monitor thread will stop all the shim-v2 execution.

This commit modifies the monitor thread to make it check the status of
the hypervisor after 5 seconds. Additionally, the `check()` method from
cloud-hypervisor will use the method `clh.isClhRunning(timeout)` with a
10 seconds timeout. The monitor function does no timeout, so even if
`hypervisor.check()` takes more 10 seconds, the isClhRunning method
handles errors doing a VmmPing and retry in case of errors until the
timeout is reached.

Reduce the time to the next check to 5 should not affect any functionality,
but it will reduce the overhead polling the hypervisor.

Fixes: #2777

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-11-16 18:28:29 +00:00
James O. D. Hunt
480343671b Merge pull request #3046 from fidencio/wip/update-crio-documentation
Update CRI-O documentation
2021-11-16 08:33:29 +00:00
Fabiano Fidêncio
eb11d053d5 cri-o: Update deployment documentation
CRI-O deployment documentation was quite outdated, giving info from the
`1.x` era.  Let's update this to reflect what we currently have.

Fixes: #2498

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-15 18:30:40 +01:00
Fabiano Fidêncio
92e3a14023 cri-o: Update links for the CRI-O github page
The links are either pointing to the not-used-anymore `master` branch,
or to the kubernetes-incubator page.

Let's always point to the CRI-O github page, using the `main`branch.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-15 11:39:09 +01:00
Fabiano Fidêncio
0a19340a93 cri-o: Remove outdated documentation
Although the documentation removed is correct, it's not relevant to the
current supported versions of CRI-O.

Related: #2498

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-15 11:39:08 +01:00
snir911
b046c1ef6b Merge pull request #2959 from snir911/wip/cgroups-systemd-fix
cgroups: Fix systemd cgroup support
2021-11-15 10:44:45 +02:00
Eric Ernst
e89c06e68b Merge pull request #3032 from liubin/fix/3031-merge-two-types-packages
runtime: merge virtcontainers/pkg/types into virtcontainers/types
2021-11-12 14:23:21 -08:00
Chelsea Mafrica
b585264555 Merge pull request #3034 from fidencio/wip/remove-non-used-actions
workflows: Remove non-used main.yaml
2021-11-12 11:25:47 -08:00
Chelsea Mafrica
d38135c93b Merge pull request #2570 from YchauWang/wyc-agent-test
agent/src: improve unit test coverage for src/namespace.rs
2021-11-12 11:24:13 -08:00
Fabiano Fidêncio
a3b3c85ec3 workflows: Remove non-used main.yaml
The main.yaml workflow was created and used only on 1.x.  We inherited
it, but we didn't remove it after deprecating the 1.x repos.

While here, let's also update the reference to the `main.yaml` file,
and point to `release.yaml` (the file that's actually used for 2.x).

Fixes: #3033

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-12 18:17:11 +01:00
Chelsea Mafrica
6b48d3754a Merge pull request #3013 from fgiudici/kata_metrics_doc
doc: update kata metrics documentation
2021-11-12 09:11:36 -08:00
Chelsea Mafrica
c8f2ef9488 Merge pull request #3030 from liubin/fix/3029-delete-codes
runtime: delete not used codes
2021-11-12 08:53:20 -08:00
bin
09f7962ff1 runtime: merge virtcontainers/pkg/types into virtcontainers/types
There are two types packages under virtcontainers, and the
virtcontainers/pkg/types has a few codes, merging them into
one can make it easy for outstanding and using types package.

Fixes: #3031

Signed-off-by: bin <bin@hyper.sh>
2021-11-12 15:06:39 +08:00
bin
6acedc2531 runtime: delete not used codes
Functions EnvVars and GetOCIConfig in runtime/virtcontainers/pkg/oci/utils.go
are not used anymore.

Fixes: #3029

Signed-off-by: bin <bin@hyper.sh>
2021-11-12 11:35:31 +08:00
Fabiano Fidêncio
c0aea3f662 Merge pull request #3017 from fidencio/wip/bump-golang
versions: bump golang to 1.17.x
2021-11-11 16:57:50 +01:00
Fabiano Fidêncio
7c947357ad Merge pull request #3015 from ManaSugi/fix-yq-path
release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
2021-11-11 10:48:42 +01:00
Fabiano Fidêncio
395638c4bc versions: bump golang to 1.17.x
According to https://endoflife.date/go golang 1.15 is not supported
anymore.  Let's remove it from out tests, add 1.17.x, and bump the
newest version known to work when building kata to 1.17.3.

Fixes: #3016

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2021-11-11 10:43:18 +01:00
Bin Liu
bf24eb6b33 Merge pull request #2979 from jodh-intel/agent-ctl-json-api-spec
agent-ctl: Allow API specification in JSON format
2021-11-11 16:45:30 +08:00
Francesco Giudici
570915a8c3 docs: update kata 2.0 metrics documentation
We now support any container engine CRI compliant in kata-monitor.
Update documentation to reflect it.

Fixes: #980

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-11-11 09:33:01 +01:00
Snir Sheriber
bcf181b7ee cgroups: Fix systemd cgroup support
As github.com/containerd/cgroups doesn't support scope
units which are essential in some cases lets create
the cgroups manually and load it trough the cgroups
api
This is currently done only when there's single sandbox
cgroup (sandbox_cgroup_only=true), otherwise we set it
as static cgroup path as it used to be (until a proper
soultion for overhead cgroup under systemd will be
suggested)

Fixes: #2868
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-11-11 08:51:45 +02:00
Manabu Sugimoto
3430723594 release: Use ${GOPATH}/bin/yq for upload-libseccomp-tarball action
We need to explicitly call `${GOPATH}/bin/yq` that is installed by
`ci/install_yq.sh`.

Fixes: #3014

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-11-11 13:42:12 +09:00
Bin Liu
04185bd068 Merge pull request #2997 from Jakob-Naucke/lint-protection
virtcontainers: Lint protection types
2021-11-11 08:34:48 +08:00
Fabiano Fidêncio
05cf7cdddb Merge pull request #3007 from liubin/fix/3006-check-env-key-value
agent: check environment variables if empty or invalid
2021-11-10 19:19:47 +01:00
Francesco Giudici
6339fdd1f6 docs: update kata metrics architecture image
We now support any CRI container engine in kata-monitor, notably CRI-O.
Add both containerd and CRI-O in the kata metrics architecture image.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-11-10 18:58:15 +01:00
bin
57bb7ffae3 agent: check environment variables if empty or invalid
Invalid environment variable key/value will cause set_env panic.

Refer: https://doc.rust-lang.org/std/env/fn.set_var.html#panics

Fixes: #3006

Signed-off-by: bin <bin@hyper.sh>
2021-11-10 20:54:21 +08:00
Fabiano Fidêncio
653976c0fd Merge pull request #3000 from bergwolf/crioptions
runtime: Revert "runtime: use containerd package instead of cri-containerd"
2021-11-10 13:41:24 +01:00
Tim Zhang
fbf3bb55c0 Merge pull request #2995 from Tim-Zhang/fix-container-created-time
rustjail: Fix created time of container
2021-11-10 19:44:04 +08:00
James O. D. Hunt
8ab90e1068 agent-ctl: Allow API specification in JSON format
Update the `agent-ctl` tool to allow API fields to be specified in JSON
format, either directly on the command-line, or via a file URI.

This feature is made possible by enabling `serde` support in the agent
`protocols` crate. Careful use of the `serde` macros allows the
`agent-ctl` tool to accept _partially_ specified API objects in JSON
format; fields that are not specified are set to the default value for
their respective types.

`build.rs` changes based on work by Fupan.

Fixes: #2978.

Contributions-by: Fupan Li <lifupan@gmail.com>
Contributions-by: Bin Liu <bin@hyper.sh>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-10 10:16:04 +00:00
James O. D. Hunt
18c47fe8f3 Merge pull request #2986 from jodh-intel/rm-dynamic-tracing-api
agent: Remove dynamic tracing APIs
2021-11-10 10:10:14 +00:00
Peng Tao
eacfcdec19 runtime: Revert "runtime: use containerd package instead of cri-containerd"
This reverts commit 76f16fd1a7 to bring
back cri-containerd crioptions parsing so that kata works with older
containerd versions like v1.3.9 and v1.4.6.

Fixes: #2999
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-11-10 16:06:42 +08:00
Tim Zhang
e7856ff10c rustjail: Fix created time of container
Got wrong created time of container after an exec
this commit will fix this problem.

Fixes: #2994

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-11-10 10:43:03 +08:00
Chelsea Mafrica
8b01666109 Merge pull request #2992 from Amulyam24/kernel_vfio
kernel: add VFIO kernel dependencies for ppc64le
2021-11-09 15:22:16 -08:00
Jakob Naucke
b7b89905d4 virtcontainers: Lint protection types
Protection types like tdxProtection or seProtection were marked nolint,
remove this. As a side effect, ARM needs dummy tests for these.

Fixes: #2801
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-11-09 18:36:32 +01:00
Amulyam24
7566b736ac kernel: add VFIO kernel dependencies for ppc64le
Recently added VFIO kernel configs require addtional
dependencies on pcc64le.

Fixes: #2991

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-11-09 14:38:03 +05:30
James O. D. Hunt
87f676062c agent: Remove dynamic tracing APIs
Remove the `StartTracing` and `StopTracing` agent APIs that toggle
dynamic tracing. This is not supported in Kata 2.x, as documented in the
[tracing proposals document](https://github.com/kata-containers/kata-containers/pull/2062).

Fixes: #2985.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-09 08:39:06 +00:00
James O. D. Hunt
b09dd7a883 docs: Fix typo
Correct a typo identified by the static checker's spell checker.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-09 08:38:42 +00:00
James O. D. Hunt
b192d388c1 Merge pull request #2970 from jodh-intel/logging-create-tests-and-checks
logging: Always run crate tests
2021-11-08 13:16:48 +00:00
Fabiano Fidêncio
c9e6efb1e1 Merge pull request #2976 from bergwolf/2.3.0-rc0-branch-bump
# Kata Containers 2.3.0-rc0
2021-11-05 14:19:21 +01:00
James O. D. Hunt
4be2c8b190 Merge pull request #2602 from cmaf/upgrade-opentelemetry
vendor: update OpenTelemetry
2021-11-05 11:00:25 +00:00
Peng Tao
99c46be787 release: Kata Containers 2.3.0-rc0
- runtime# make sure the "Shutdown" trace span have a correct end
- tracing: Accept multiple dynamic tags
- logging: Enable agent debug output for release builds
- agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
- runtime: Enhancement for Makefile
- osbuilder: build image-builder image from Fedora 34
- agent: refactor process IO processing
- agent-ctl: Update for Hybrid VSOCK
- docs: Fix outdated links
- ci/install_libseccomp: Fix libseccomp build and misc improvement
- virtcontainers: simplify read-only mount handling
- runtime: add fast-test to let test exit on error
- test: Fix random failure for TestIoCopy
- cli: Show available guest protection in env output
- Update k8s, critools, and CRI-O to their 1.22 release
- package: assign proper value to redefined_string  in build-kernel.sh
- agent: Make wording of error message match CRI-O test suite
- docs: Moving from EOT to EOF
- virtcontainers: api: update the functions in the api.md docs
- release: Upload libseccomp sources with notice to release page
- virtcontainers: check that both initrd and image are not set
- agent: Fix the configuration sample file
- runtime: set tags for trace span
- agent-ctl: Implement Linux OCI spec handling
- runtime: Remove comments about unsupported features in config for clh
- tools/packaging: Add options for VFIO to guest kernel
- agent/runtime: Add seccomp feature
- ci: test-kata-deploy: Get rid of slash-command-action action
- This is to bump the OOT QAT 1.7 driver version to the latest version.…
- forwarder: Drop privileges when using hybrid VSOCK
- packaging/static-build: s390x fixes
- agent-ctl: improve the oci_to_grpc code
- agent: do not return error but print it if task wait failed
- virtcontainers: delete duplicated notify in watchHypervisor function
- agent: Handle uevent remove actions
- enable unit test on arm
- rustjail: Consistent coding style of LinuxDevice type
- cli: Fix outdated kata-runtime bash completion
- Allow VFIO devices to be used as VFIO devices in the container
- Expose top level hypervisor methods -
- Upgrade to Cloud Hypervisor v19.0
- docs: use-cases: Update Intel SGX use case
- virtcontainers: clh: Enable the `seccomp` feature
- runtime: delete cri containerd plugin from versions.yaml
- docs: Write tracing documentation
- runtime: delete useless src/runtime/cli/exit.go
- snap: add cloud-hypervisor and experimental kernel
- osbuilder: Call detect_rust_version() right before install_rust.sh
- docs: Updating Developer Guide re qemu-img
- versions: Add libseccomp and gperf version
- Enable agent tracing for hybrid VSOCK hypervisors
- runtime: optimize test code
- runtime: use containerd package instead of cri-containerd
- runtime: update sandbox root dir cleanup behavior in rootless hypervisor
- utils: kata-manager: Update kata-manager.sh for new containerd config
- osbuilder: Re-enable building the agent in Docker
- agent: Do not fail when trying to adding existing routes
- tracing: Fix typo in "package" tag name
- kata-deploy: add .dockerignore file
- runtime: change name in config settings back to "kata"
- tracing: Remove trace mode and trace type

09d5d88 runtime: tracing: Change method for adding tags
bcf3e82 logging: Enable agent debug output for release builds
a239a38 osbuilder: build image-builder image from Fedora 34
375ad2b runtime: Enhancement for Makefile
b468dc5 agent: Use dup3 system call in unit tests of seccomp
1aaa059 agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
1e331f7 agent: refactor process IO processing
9d3ec58 runtime: make sure the "Shutdown" trace span have a correct end
3f21af9 runtime: add fast-test to let test exit on error
9b270d7 ci/install_libseccomp: use a temporary work directory
98b4406 ci/install_libseccomp: Fix fail when DESTDIR is set
338ac87 virtcontainers: api: update the functions in the api.md docs
23496f9 release: Upload libseccomp sources with notice to release page
e610fc8 runtime: Remove comments about unsupported features in config for clh
7e40195 agent-ctl: Add stub for AddSwap API
82de838 agent-ctl: Update for Hybrid VSOCK
d1bcf10 forwarder: Remove quotes from socket path in doc
e66d047 virtcontainers: simplify read-only mount handling
bdf4824 tools/packaging: Add options for VFIO to guest kernel
c509a20 agent-ctl: Implement Linux OCI spec handling
42add7f agent: Disable seccomp feature on aarch64 temporarily
5dfedc2 docs: Add explanation about seccomp
45e7c2c static-checks: Add step for installing libseccomp
a3647e3 osbuilder: Set up libseccomp library
3be50ad agent: Add support for Seccomp
4280415 agent: Fix the configuration sample file
b0bc71f ci: test-kata-deploy: Get rid of slash-command-action action
309dae6 virtcontainers: check that both initrd and image are not set
a10cfff forwarder: Fix changing log level
6abccb9 forwarder: Drop privileges when using hybrid VSOCK
bf00b8d agent-ctl: improve the oci_to_grpc code
b67fa9e forwarder: Make explicit root check
e377578 forwarder: Fix docs socket path
5f30633 virtcontainers: delete duplicated notify in watchHypervisor function
5f5eca6 agent: do not return error but print it if task wait failed
d2a7b6f packaging/static-build: s390x fixes
6cc8000 cli: Show available guest protection in env output
2063b13 virtcontainers: Add func AvailableGuestProtections
a13e2f7 agent: Handle uevent remove actions
34273da runtime/device: Allow VFIO devices to be presented to guest as VFIO devices
68696e0 runtime: Add parameter to constrainGRPCSpec to control VFIO handling
d9e2e9e runtime: Rename constraintGRPCSpec to improve grammar
57ab408 runtime: Introduce "vfio_mode" config variable and annotation
730b9c4 agent/device: Create device nodes for VFIO devices
175f9b0 rustjail: Allow container devices in subdirectories
9891efc rustjail: Correct sanity checks on device path
d6b62c0 rustjail: Change mknod_dev() and bind_dev() to take relative device path
2680c0b rustjail: Provide useful context on device node creation errors
42b92b2 agent/device: Allow container devname to differ from the host
827a41f agent/device: Refactor update_spec_device_list()
8ceadcc agent/device: Sanity check guest IOMMU groups
ff59db7 agent/device: Add function to get IOMMU group for a PCI device
13b06a3 agent/device: Rebind VFIO devices to VFIO driver inside guest
e22bd78 agent/device: Add helper function for binding a guest device to a driver
b40eedc rustjail: Consistent coding style of LinuxDevice type
57c0f93 agent: fix race condition when test watcher
1a96b8b template: disable template unit test on arm
43b13a4 runtime: DefaultMaxVCPUs should not greater than defaultMaxQemuVCPUs
c59c367 runtime: current vcpu number should be limited
fa92251 runtime: kernel version with '+' as suffix panic in parse
52268d0 hypervisor: Expose the hypervisor itself
a72bed5 hypervisor: update tests based on createSandbox->CreateVM change
f434bcb hypervisor: createSandbox is CreateVM
76f1ce9 hypervisor: startSandbox is StartVM
fd24a69 hypervisor: waitSandbox is waitVM
a6385c8 hypervisor: stopSandbox is StopVM
f989078 hypervisor: resumeSandbox is ResumeVM
73b4f27 hypervisor: saveSandbox is SaveVM
7308610 hypervisor: pauseSandbox is nothing but PauseVM
8f78e1c hypervisor: The SandboxConsole is the VM's console
4d47aee hypervisor: Export generic interface methods
6baf258 hypervisor: Minimal exports of generic hypervisor internal fields
37fa453 osbuilder: Update QAT driver in Dockerfile
8030b6c virtcontainers: clh: Re-generate the client code
8296754 versions: Upgrade to Cloud Hypervisor v19.0
2b13944 docs: Fix outdated links
4f75ccb docs: use-cases: Update Intel SGX use case
4f018b5 runtime: delete useless src/runtime/cli/exit.go
7a80aeb docs: Moving from EOT to EOF
09a5e03 docs: Write tracing documentation
b625f62 runtime: delete cri containerd plugin from versions.yaml
24fff57 snap: make curl commands consistent
2b9f79c snap: add cloud-hypervisor and experimental kernel
273a1a9 runtime: optimize test code
76f16fd runtime: use containerd package instead of cri-containerd
6d55b1b docs: use containerd to replace cri-containerd
ed02bc9 packaging: add containerd to versions.yaml
50da26d osbuilder: Call detect_rust_version() right before install_rust.sh
b4fadc9 docs: Updating Developer Guide re qemu-img
b8e69ce versions: Add libseccomp and gperf version
17a8c5c runtime: Fix random failure for TestIoCopy
f34f67d osbuilder: Specify version when installing Rust
135a080 osbuilder: Pass CI env to container agent build
eb5dd76 osbuilder: Re-enable building the agent in Docker
bcffa26 tracing: Fix typo in "package" tag name
e61f5e2 runtime: Show socket path in kata-env output
5b3a349 trace-forwarder: Support Hybrid VSOCK
e42bc05 kata-deploy: add .dockerignore file
321be0f tracing: Remove trace mode and trace type
7d0b616 agent: Do not fail when trying to adding existing routes
3f95469 runtime: logging: Add variable for syslog tag
adc9e0b runtime: fix two bugs in rootless hypervisor
51cbe14 runtime: Add option "disable_seccomp" to config hypervisor.clh
98b7350 virtcontainers: clh: Enable the `seccomp` feature
46720c6 runtime: set tags for trace span
d789b42 package: assign proper value to redefined_string
4d7ddff utils: kata-manager: Update kata-manager.sh for new containerd config
f5172d1 cli: Fix outdated kata-runtime bash completion
d45c86d versions: Update CRI-O to its 1.22 release
c4a6426 versions: Update k8s & critools to v1.22
881b996 agent: Make wording of error message match CRI-O test suite

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-11-05 10:49:54 +00:00
Chelsea Mafrica
d17100aee6 vendor: update OpenTelemetry to v1.0.0
Upgrade from v0.20.0 to v1.0.0, first stable release.

    Git log

    4bfa0034 Release prep v1.0.0-RC3 (2218)
    c7ae470a Refactor SDK span creation and implementation (2213)
    db317fce Verify and update OTLP trace exporter documentation (2053)
    04de34a2 Update the website getting started docs (2203)
    a7b9d021 Rename metric instruments to match feature-freeze API specification (2202)
    1f527a52 Update trace API config creation functions (2212)
    361a2096 Fix RC2 header in changelog (2215)
    e209ee75 chore(exporter/zipkin): improves logging on invalid collector. (2191)
    c0c5ef65 Fix typos in resource.go. (2201)
    abf6afe0 Update otel example guide (2210)
    3b05ba02 Bump actions/setup-go from 2.1.3 to 2.1.4 (2206)
    bcd7ff7b Bump codecov/codecov-action from 2.0.2 to 2.0.3 (2205)
    c912b179 Print JSON objects to stdout without a wrapping array (2196)
    add511c1 Make WithoutTimestamps work (2195)
    85c27e01 Bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 in /internal/tools (2199)
    bf6500b3 Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /exporters/otlp/otlptrace (2184)
    9392af96 Bump google.golang.org/grpc in /exporters/otlp/otlptrace/otlptracegrpc (2185)
    c95694dc Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /example/otel-collector (2183)
    0528fa66 Bump google.golang.org/grpc from 1.39.1 to 1.40.0 in /exporters/otlp/otlpmetric (2186)
    3a26ed21 Deprecate the oteltest package (2188)
    c885435f Website: support GH page links to canonical src (2189)
    6da20a27 Add cross-module test coverage (2182)
    dfc866bd Support capturing stack trace  (2163)
    41588fea Deprecate the attribute.Any function (2181)
    4e8d667f Support a single Resource per MeterProvider in the SDK (2120)
    a8bb0bf8 Make the tracetest.SpanRecorder concurrent safe (2178)
    87d09df3 Deprecate Array attribute in favor of *Slice types (2162)
    df384a9a Move InstrumentKind into the new metric/sdkapi package (2091)
    1cb5cdca Unify the OTLP attribute transform (2170)
    a882ee37 Clarify the attribute package documentation and order/grouping (2168)
    5d25c4d2 Add support for int32 in attribute.Any (2169)
    2b0e139e Refactor attributes benchmark tests (2167)
    4c7470d9 Bump google.golang.org/grpc from 1.39.0 to 1.39.1 in /exporters/otlp/otlptrace (2176)
    990c534a Bump google.golang.org/grpc in /example/otel-collector (2172)
    b45c9d31 Bump google.golang.org/grpc from 1.39.0 to 1.39.1 in /exporters/otlp/otlpmetric (2174)
    a3d4ff5c Deprecated the bridge/opencensus/utils package (2166)
    b1d1d529 Move OC bridge integration tests to own mod (2165)
    89a9489c Add OC bridge internal unit tests (2164)
    56c743ba Allow global ErrorHandler to be set multiple times (2160)
    d18c135f Add OpenCensus bridge internal package (2146)
    fcf945a4 Just a little typo fix in code documentation. (2159)
    59a82eba Update version.go (2157)
    21d4686f Add ErrorHandlerFunc to simplify creating ErrorHandlers (2149)
    23cb9396 Remove `internal/semconv-gen` (2155)
    39acab32 Fix code sample in otel.GetTraceProvider (2147)
    2b1bb29e Update OpenCensus bridge docs with limitations (2145)
    fd7c327b Fix Jaeger exporter agent port default value and docs (2131)
    b8561785 fix(2138): add guard to constructOTResources to return an empty resource (2139)
    11f62640 Add a SpanRecorder to the sdk/trace/tracetest (2132)
    fd9de7ec rename assertsocketbuffersize.go to *_test (2136)
    a6b4d90c nit doc fix (2135)
    79398418 pre-release v1.0.0-RC2 (2133)
    2501e0fd Use semconv.SchemaURL in STDOUT exporter example (2134)
    ef03dbc9 Bump codecov/codecov-action from 1 to 2.0.2 (2129)
    bbe6ca40 Deprecate oteltest.Harness for removal (2123)
    7a624ac2 Deprecated the oteltest.TraceStateFromKeyValues function (2122)
    ece1879f Removed dropped link's attributes field from API package (2118)
    03902d98 Rename sdk/trace/tracetest test.go -> exporter.go (2128)
    cb607b0a Unify OTLP exporter retry logic (2095)
    abe22437 API: create new linked span from current context (2115)
    db81d4aa Update internal/global/trace testing (2111)
    7f10ef72 Remove propagation testing types from oteltest (2116)
    25d739b0 Remove resource.WithBuiltinDetectors() which has not been maintained (2097)
    d57c5a56  Remove several metrics test helpers (2105)
    49359495 Simplify trace_context tests (2108)
    56d42011 Simplify trace context benchmark test (2109)
    63dfe64a Correct status transform in OTLP exporter (2102)
    9b1a5f70 Performance improvement: avoid creating multiple same read-only objects (2104)
    ab78dbd0 Update release URL (2106)
    647af3a0 Pre release experimental metrics v0.22.0 (2101)
    0a562337 Fixed OS type value for DragonFly BSD (2092)
    62c21ffb Bump golang.org/x/tools from 0.1.4 to 0.1.5 in /internal/tools (2096)
    4a3da55a Ensure sample code in website_docs getting started page works (2094)
    d3063a3d Update otel.Meter to global.Meter in Getting Started Document.(2087) (2093)
    00a1ec5f Add documentation guidelines and improve Jaeger exporter readme (2082)
    12f737c7 oteltest: ensure valid SpanContext created for span started WithNewRoot (2073)
    484258eb OS description attribute detector (1840)
    d8c9a955 Bump google.golang.org/grpc from 1.38.0 to 1.39.0 in /example/otel-collector (2054)
    4ffdf034 Add @pellard as an Approver (2047)
    1a74b399 Bump google.golang.org/protobuf from 1.26.0 to 1.27.0 in /exporters/otlp/otlpmetric (2040)
    57c2e8fb Bump golang.org/x/tools from 0.1.3 to 0.1.4 in /internal/tools (2036)
    7cff31a9 Bump google.golang.org/protobuf from 1.26.0 to 1.27.0 in /exporters/otlp/otlptrace (2035)
    9e8f523d when using WithNewRoot, don't use the parent context for sampling (2032)
    62af6c70 semconv-gen: fix capitalization at word boundaries, add stability/deprecation indicators (2033)
    0bceed7e Fix docs on otel-collector example (2034)
    6428cd69 Update doc.go (2030)
    311a6396 fix documentation for trace.Status (2029)
    16f83ce6 export ToZipkinSpanModels for use outside this library (2027)
    d5d4c87f Add HTTP metrics exporter for OTLP (2022)
    d6e8f60f Bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 in /internal/tools (2023)
    51dbe3cb Remove deprecated exporters (2020)
    257ef7fc Update project status in README (2017)
    ced177b7 Pre-release 1.0.0-RC1 (2013)
    694c9a41 Interface stability documentation (2012)
    39fe8092 Add span.TracerProvider() (2009)
    d020e1a2 Add more tests for go.opentelemetry.io/otel/trace package. (2004)
    6d4a38f1 replace WithSyncer with WithBatcher in opencensus example (2007)
    c30cd1d0 Split stdout exporter into stdouttrace and stdoutmetric (2005)
    80ca2b1e otlp: mark unix endpoints to work without transport security (2001)
    65140985 Update codecov ignore (2006)
    3be9813d Deprecate the exporters in the "trace" and "metric" sub-directories (1993)
    377f7ce4 remove WithTrace* options from otlptrace exporters (1997)
    b33edaa5 OTLP metrics gRPC exporter (1991)
    64b640cc Remove old OTLP exporter (1990)
    7728a521 Remove dependency on metrics packages (1988)
    135ac4b6 Moved internal/tools duplicated findRepoRoot function to common package (1978)
    cdf67ddf Update semantic conventions to v1.4.0, move to versioned package (1987)
    4883cb11 Refactor exporter creation functions (1985)
    87cc1e1f Test BatchSpanProcessor export timeout directly (1982)
    7ffe2845 Added inputPath validation to semconv-gen (1986)
    a113856a Add caveat about installing opencensus bridge (1983)
    741cb9a3 Fix generator.go call typo in RELEASING.md (1977)
    7a0cee7b Replaces golint by revive and fix newly reported linter issues (1946)
    46d9687a Add Schema URL support to Resource (1938)
    0827aa62 Use mock server as jaeger agent listener. (1930)
    20886012 Bugfix jaeger exporter test panic (1973)
    4bf6150f Add baggage implementation based on the W3C and OpenTelemetry specification (1967)
    bbe2b8a3 Bump github.com/itchyny/gojq from 0.12.3 to 0.12.4 in /internal/tools (1971)
    4949bf05 Bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 in /exporters/otlp/otlptrace (1972)
    015b4c17 Bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 in /exporters/otlp (1970)
    13eb12ac Bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 in /exporters/metric/prometheus (1974)
    2371bb0a add otlp trace http exporter (1963)
    a75ade4e sdk/resource: honor OTEL_SERVICE_NAME in fromEnv resource detector (1969)
    aed45802 Bump go.opentelemetry.io/proto/otlp from 0.8.0 to 0.9.0 in /exporters/otlp/otlptrace (1959)
    c4ebae6a Bump go.opentelemetry.io/proto/otlp (1960)
    b1d2be3b Bump google.golang.org/grpc from 1.37.1 to 1.38.0 in /exporters/otlp/otlptrace (1958)
    f6daea5e Generate semantic conventions according to specification latest tagged version (1933)
    435a63b3 Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (1954)
    6c46af66 Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 in /exporters/trace/jaeger (1953)
    4d294853 Bump actions/cache from 2.1.5 to 2.1.6 (1952)
    dfe2b6f1 OTLP trace gRPC exporter (1922)
    5a8f7ff7 Bump go.opentelemetry.io/proto/otlp from 0.8.0 to 0.9.0 in /exporters/otlp (1943)
    bd935866 Add schema URL support to Tracer (1889)
    c1f460e0 Update API configs. (1921)
    270cc603 Small fixes on some Span method's documentation headers (1950)
    8603b902 Fix typo in doc (1949)
    acbb1882 Bump google.golang.org/grpc from 1.37.1 to 1.38.0 in /exporters/otlp (1942)
    b1621501 Add codecov badge (1940)
    ea1434c3 Fix some golint issues (1947)
    0eeb8f87 Refactor Tracestate (1931)
    d3b12808 Add Passthrough example (1912)
    f06cace6 Add @MadVikingGod as a project Approver (1923)
    ab5facb3 Bump github.com/golangci/golangci-lint in /internal/tools (1925)
    d23cc61b Refactor configs (1882)
    6324adaa Add tracer option argument to global Tracer function (1902)
    035fc650 Do not include authentication information in the http.url attribute (1919)
    d8ac212c Fix sporadic test failure in otlp exporter http driver (1906)
    a3df00f4 Create .gitattributes (1920)
    fb88e926 Bump google.golang.org/grpc from 1.37.0 to 1.37.1 in /exporters/otlp (1914)
    1982dc46 Bump google.golang.org/grpc in /example/prom-collector (1915)
    1759c630 Bump github.com/golangci/golangci-lint in /internal/tools (1916)
    7342aa47 Bump google.golang.org/grpc in /example/otel-collector (1913)
    21c16418 Add support for scheme in OTEL_EXPORTER_OTLP_ENDPOINT (1886)
    5cb62636 Semantic Convention generation tooling (1891)
    6219221f Move the unit package to the metric module (1903)
    63e0ecfc Implement global default non-recording span (1901)
    b6d5442f Remove the Tracer method from the Span API (1900)
    ae85fab3 Document functional options (1899)
    cabf0c07 Fix default Jaeger collector endpoint (1898)
    1e3fa3a3 Bump go.opentelemetry.io/proto/otlp from 0.7.0 to 0.8.0 in /exporters/otlp (1872)
    696af787 Bump github.com/benbjohnson/clock from 1.0.3 to 1.1.0 in /sdk/metric (1532)
    97eea6c3 Fix some golint issues (1894)
    79d9852e fix container port mismatch issue (1895)
    d20e7228 CI builds validate against last two versions of Go, dropping 1.14 and adding 1.16 (1865)
    cbcd4b1a Redefine ExportSpans of SpanExporter with ReadOnlySpan (1873)
    c99d5e99 Split large jaeger span batch to admire the udp packet size limit  (1853)
    42a84509 Unembed SpanContext (1877)
    b7d02db1 Add Status type to SDK (1874)
    f90d0d93 Update README (1876)
    a1349944 Update resource.go (1871)
    f40cad5e Add markdown link check configuration and action (1869)
    9bc28f6b Fix existing markdown lint issues (1866)
    08f4c270 Add documentation for tracer.Start() (1864)
    2bd4840c remove Set.Encoded(Encoder) enconding cache (1855)
    7674eebf Removed different types of Detectors for Resources. (1810)
    f92a6d83 Implement retry policy for the OTLP/gRPC  exporter (1832)
    ec75390f Fix BSP context done tests (1863)
    8e55f10a Move the Event type from the API to the SDK (1846)
    e399d355 drop failed to exporter batches and return error when forcing flush a span processor (1860)
    f6a9279a Honor context deadline or cancellation in SimpleSpanProcessor.Shutdown (1856)
    aeef8e00 Add markdown lint GitHub action (1849)
    d4c8ffad Replace spaces to tabs in Go code snippets (1854)
    cb097250 fixed typo (1857)
    392a44fa Refine configuration design docs (1841)
    62cd933d Handle Resource env error when non-nil (1851)
    24a91628 Document the SSP is not for production use (1844)
    ec26ac23 Update RELEASING.md (1843)
    8eb0bb99 Fix golint issue caused by typo (1847)
    ca130e54 Markdownlint (1842)
    1144a83d Small typo fixes to existing CHANGELOG entries (1839)
    e6086958 Update website_docs to v0.20.0 (1838)
    0f4e454c Change NewSplitDriver paramater and initialization (1798)
    92551d39 Prerelease v1.0.0 (2250)
    61839133 zipkin: remove no-op WithSDKOptions (2248)
    568e7556 Set Schema URL when exporting traces to OTLP (2242)
    ec26b556 Fix RC tags in docs (2239)
    767ce26c Bump github.com/itchyny/gojq from 0.12.4 to 0.12.5 in /internal/tools (2216)
    fe7058da adding NewNoopMeterProvider to follow trace api (2237)
    c338a5ef Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 in /internal/tools (2236)
    ef126f5c Remove deprecated Array from attribute package (2235)
    360d1302 Add tests for nil *Resource (2227)
    9e7812d1 Remove the deprecated oteltest package (2234)
    486afd34 Remove the deprecated bridge/opencensus/utils pkg (2233)
    eaacfaa8 Fix slice-valued attributes when used as map keys (2223)
    df2bdbba Fix the import comments of otelpconfig (2224)
    7aae2a02 otlptrace: Document supported environment variables (2222)

Fixes #2591

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-11-04 12:39:00 -07:00
Chelsea Mafrica
84ccdd8ef2 vendor: update OpenTelemetry to v0.20.0
Update OpenTelemetry from v0.15.0 to v0.20.0.

    Git log

    02d8bdd5 Release v0.20.0 (1837)
    aa66fe75 OS and Process resource detectors (1788)
    7374d679 Fix Links documents (1835)
    856f5b84 Add feature request issue template (1831)
    0fdc3d78 Remove bundler from Jaeger exporter (1830)
    738ef11e Fix flaky global ErrorHandler delegation test (1829)
    e43d9c00  Update Default Value for Jaeger Exporter Endpoint  (1824)
    0032bd64 Fix default merging of resource attributes from environment variable (1785)
    96c5e4ba Add SpanProcessor example for Span annotation on start (1733)
    543c8144 Remove the WithSDKOptions from the Jaeger exporter (1825)
    66389ad6 Update function docs in sdk.go (1826)
    70bc9eb3 Adds support for timeout on the otlp/gRPC exporter (1821)
    081cc61d Update Jaeger exporter convenience functions (1822)
    1b9f16d3 Remove the WithDisabled option from Jaeger exporter (1806)
    6867faa0 Bump actions/cache from v2.1.4 to v2.1.5 (1818)
    a2bf04dc Build context pipeline in Jaeger upload process (1809)
    2de86f23 Remove locking from Jaeger exporter shutdown/export (1807)
    4f9fec29 Add ExportSpans benchmark to Jaeger exporter (1805)
    d9566abe Fix OTLP testing flake: signal connection from mock collector (1816)
    a2cecb6e add support for env var configuration to otlp/gRPC (1811)
    d616df61 Fix flaky OTLP exporter reconnect test (1814)
    b09df84a Changes stdout to expose the `*sdktrace.TracerProvider` (1800)
    04890608 Remove options field from Jaeger exporter (1808)
    6db20e00 Remove the abandoned Process struct in Jaeger exporter (1804)
    086abf34 docs: use test example to document prometheus.InstallNewPipeline (1796)
    d0cea04b Bump google.golang.org/api from 0.43.0 to 0.44.0 in /exporters/trace/jaeger (1792)
    99c477fe Fixed typo for default service name in Jaeger Exporter (1797)
    95fd8f50 Bump google.golang.org/grpc from 1.36.1 to 1.37.0 in /exporters/otlp (1791)
    9b251644 Zipkin Exporter: Use default resouce's serviceName as default serivce name (1777) (1786)
    4d141e47 Add k8s.node.name and k8s.node.uid to semconv (1789)
    5c99a34c Fix golint issue caused by incorrect comment (1795)
    c5d006c0 Update Jaeger environment variables (1752)
    58432808 add NewExportPipeline and InstallNewPipeline for otlp (1373)
    7d8e6bd7 Zipkin Exporter: Adjust span transformation to comply with the spec (1688)
    2817c091 Merge sdk/export/trace into sdk/trace (1778)
    c61e654c Refactor prometheus exporter tests to match file headers as well (1470)
    23422c56 Remove process config for Jaeger exporter (1776)
    0d49b592 Add test to check bsp ignores `OnEnd` and `ForceFlush` post Shutdown` (1772)
    e9aaa04b Record links/events attribute drops independently (1771)
    5bbfc22c Make ExportSpans for Jaeger Exporter honor deadline (1773)
    0786fe32 Add Bug report issue templates (1775)
    3c7facee Add `ExportTimeout` option to batch span processor (1755)
    c6b92d5b Make TraceFlags spec-compliant (1770)
    ee687ca5 Bump github.com/itchyny/gojq from 0.12.2 to 0.12.3 in /internal/tools (1774)
    52a24774 add support for configuring tls certs via env var to otlp/HTTP (1769)
    35cfbc7e Update precedence of event name in Jaeger exporter (1768)
    33699d24 Adds semantic conventions for exceptions (1492)
    928e3c38 Modify ForceFlush to abort after timeout/cancellation (1757)
    3947cab4 Fix testCollectorEndpoint typo and add tag assertions in jaeger_test (1753)
    ecc635dc add website docs (1747)
    07a8d195 Fix Jaeger span status reporting and unify tag keys (1761)
    4fa35c90 add partial support for env var config to otlp/HTTP (1758)
    bf180d0f improve OTLP/gRPC connection errors (1737)
    d575865b Fix span IsRecording when not sampling (1750)
    20c93b01 Update SamplingParameters (1749)
    97501a3f Update SpanSnapshot to use parent SpanContext (1748)
    604b05cb Store current Span instead of local and remote SpanContext in context.Context (1731)
    c61f4b6d Set @lizthegrey to emeritus status (1745)
    b1342fec Bump github.com/golangci/golangci-lint in /internal/tools (1743)
    54e1bd19 Bump google.golang.org/api from 0.41.0 to 0.43.0 in /exporters/trace/jaeger (1741)
    4d25b6a2 Bump github.com/prometheus/client_golang from 1.9.0 to 1.10.0 in /exporters/metric/prometheus (1740)
    0a47b66f Bump google.golang.org/grpc from 1.36.0 to 1.36.1 in /exporters/otlp (1739)
    26f006b8 Reinstate @paivagustavo as an Approver (1734)
    382c7ced Remove hasRemoteParent field from SDK span (1728)
    862a5a68 Remove setting error status while recording error with Span from oteltest package (1729)
    6defcfdf Remove links on NewRoot spans (1726)
    a9b2f851 upgrade thrift to v0.14.1 in jaeger exporter (1712)
    5a6a854d Bump google.golang.org/protobuf from 1.25.0 to 1.26.0 in /exporters/otlp (1724)
    23486213 Migrate to using go.opentelemetry.io/proto/otlp (1713)
    5d559b40 Remove makeSamplingDecision func (1711)
    e24702da Update the TraceContext.Extract docs (1720)
    9d4eb1f6 Update dates in CHANGELOG.md for 2021 releases (1723)
    2b4fa968 Release v0.19.0 (1710)
    4beb7041 sdk/trace: removing ApplyConfig and Config (1693)
    1d42be16 Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (1702)
    860d5d86 Add flag to determine whether SpanContext is remote (1701)
    0fe65e6b Comply with OpenTelemetry attributes specification (1703)
    88884351 Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (1700)
    345f264a breaking(zipkin): removes servicName from zipkin exporter. (1697)
    62cbf0f2 Populate Jaeger's Span.Process from Resource (1673)
    28eaaa9a Add a test to prove the Tracer is safe for concurrent calls (1665)
    8b1be11a Rename resource pkg label vars and methods (1692)
    a1539d44 OpenCensus metric exporter bridge (1444)
    77aa218d Fix issue #1490, apply same logic as in the SDK (1687)
    9d3416cc Fix synchronization issues in global trace delegate implementation (1686)
    58f69f09 Span status from HTTP code: Do not set status message if it can be inferred (1681)
    9c305bde Flush metric events prior to shutdown in OTLP example (1678)
    66b1135a Fix CHANGELOG (1680)
    90bd4ab5 Update employer information for maintainers (1683)
    36841913 Remove WithRecord() option from trace.SpanOption when starting a span (1660)
    65c7de20 Remove trace prefix from NoOp src files. (1679)
    e88a091a Make SpanContext Immutable (1573)
    d75e2680 Avoid overriding configuration of tracer provider (1633)
    2b4d5ac3 Bump github.com/golangci/golangci-lint in /internal/tools (1671)
    150b868d Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (1667)
    76aa924e Fix the examples target info messaging (1676)
    a3aa9fda Bump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (1672)
    a5edd79e Removed setting error status while recording err as span event (1663)
    e9814758 chore(zipkin): improves zipkin example to not to depend on timeouts. (1566)
    3dc91f2d Add ForceFlush method to TracerProvider (1608)
    bd0bba43 exporter: swap pusher for exporter (1656)
    56904859 Update the SimpleSpanProcessor (1612)
    a7f7abac  SpanStatus description set only when status code is set to Error (1662)
    05252f40 Jaeger Exporter: Fix minor mapping discrepancies (1626)
    238e7c61 Add non-empty string check for attribute keys (1659)
    e9b9aca8 Add tests for propagation of Sampler Tracestate changes (1655)
    875a2583 Add docs on when reviews should be cleared (1556)
    7153ef2d Add HTTP/JSON to the otlp exporter (1586)
    62e2a0f7 Unexport the simple and batch SpanProcessors (1638)
    992837f1 Add TracerProvider tests to oteltest harness (1607)
    bb4c297e Pre release v0.18.0 (1635)
    712c3dcc Fix makefile ci target and coverage test packages (1634)
    841d2a58 Rename local var new to not collide with builtin (1610)
    13938ab5 Update SpanProcessor docs (1611)
    e25503a0 Add compatibility tests to CI (1567)
    1519d959 Use reasonable interval in sdktrace.WithBatchTimeout (1621)
    7d4496e0 Pass metric labels when transforming to gaugeArray (1570)
    6d4a5e0d Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp (1619)
    a93393a0 Bump google.golang.org/grpc in /example/prom-collector (1620)
    e499ca86 Fix validation for tracestate with vendor and add tests (1581)
    43886e52 Make timestamps sequential in lastvalue agg check (1579)
    37688ef6 revent end-users from implementing some interfaces (1575)
    85e696d2 Updating documentation with an working example for creating NewExporter (1513)
    562eb28b Unify the Added sections of the unreleased changes (1580)
    c4cf1aff Fix Windows build of Jaeger tests (1577)
    4a163bea Fix stdout TestStdoutTimestamp failure with sleep (1572)
    bd4701eb Stagger timestamps in exact aggregator tests (1569)
    b94cd4b2 add code attributes to semconv package (1558)
    78c06cef Update docs from gitter to slack for communication (1554)
    1307c911 Remove vendor exclude from license-check (1552)
    5d2636e5 Bump github.com/golangci/golangci-lint in /internal/tools (1565)
    d7aff473 Vendor Thrift dependency (1551)
    298c5a14 Update span limits to conform with OpenTelemetry specification (1535)
    ecf65d79 Rename otel/label -> otel/attribute (1541)
    1b5b6621 Remove resampling on span.SetName (1545)
    8da52996 fix: grpc reconnection  (1521)
    3bce9c97 Add Keys() method to propagation.TextMapCarrier (1544)
    0b1a1c72 Make oteltest.SpanRecorder into a concrete type (1542)
    7d0e3e52 SDK span no modification after ended (1543)
    7de3b58c Remove extra labels types (1314)
    73194e44 Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger (1536)
    8fae0a64 Create resource.Default() with required attributes/default values (1507)
    76f93422 Release v0.17.0 (1534)
    9b242bc4 Organize API into Go modules based on stability and dependencies (1528)
    e50a1c8c Bump actions/cache from v2 to v2.1.4 (1518)
    a6aa7f00 Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger (1517)
    38efc875 Code Improvement - Error strings should not be capitalized (1488)
    6b340501 Update default branch name (1505)
    b39fd052 nit: Fix comment to be up-to-date (1510)
    186c2953 Fix golint error of package comment form (1487)
    9308d662 Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger (1506)
    1952d7b6 Reverse order of attribute precedence when merging two Resources (1501)
    ad7b4715 Remove build flags for runtime/trace support (1498)
    4bf4b690 Remove inaccurate and unnecessary import comment (1481)
    7e19eb6a Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger (1504)
    c6a4406a Bump github.com/golangci/golangci-lint in /internal/tools (1503)
    9524ac09 Update workflows to include main branch as trigger (1497)
    c066f15e Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools (1478)
    894e0240 Bump github.com/golangci/golangci-lint in /internal/tools (1477)
    71ffba39 Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp (1471)
    515809a8 Bump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools (1472)
    3e96ad1e gitignore: remove unused example path (1474)
    c5622777 Histogram aggregator functional options (1434)
    0df8cd62 Rename Makefile.proto to avoid interpretation as proto file (1468)
    979ff51f Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (1453)
    1df8b3b8 Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp (1456)
    4c30a90a Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk (1455)
    5a9f8f6e Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout (1454)
    7786f34c Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin (1457)
    4352a7a6 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp (1460)
    6990b3b3 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus (1461)
    7af40d22 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger (1463)
    f16f1892 Bump google.golang.org/grpc in /example/otel-collector (1465)
    fe363be3 Move Span Event to API (1452)
    43922240 Bump google.golang.org/grpc in /example/prom-collector (1466)
    0aadfb27 Prepare release v0.16.0 (1464)
    207587b6 Metric histogram aggregator: Swap in SynchronizedMove to avoid allocations (1435)
    c29c6fd1 Shutdown underlying span exporter while shutting down BatchSpanProcessor (1443)
    dfece3d2 Combine the Push and Pull metric controllers (1378)
    74deeddd Handle tracestate in TraceContext propagator  (1447)
    49f699d6 Remove Quantile aggregation, DDSketch aggregator; add Exact timestamps (1412)
    9c949411 Rename internal/testing to internal/internaltest (1449)
    8d809814 Move gRPC driver to a subpackage and add an HTTP driver (1420)
    9332af1b Bump github.com/golangci/golangci-lint in /internal/tools (1445)
    5ed96e92 Update exporters/otlp Readme.md (1441)
    bc9cb5e3 Switch CircleCI badge to GitHub Actions (1440)
    716ad082 Remove CircleCI config (1439)
    0682db1e Adding Security Workflows to GitHub Actions (2/2): gosec workflow (1429)
    11f732b8 Adding Security Workflows to GitHub Actions (1/2): codeql workflow (1428)
    40f1c003 Add Tracestate into the SamplingResult struct (1432)
    db06c8d1 Flush metric events before shutdown in collector example (1438)
    f6f458e1 Fix golint issue caused by typo in trace.go (1436)
    fe9d1f7e Use uint64 Count consistently in metric aggregation (1430)
    3a337d0b Bump github.com/golangci/golangci-lint in /internal/tools (1433)
    1e4c8321 cleanup: drop the removed examples in gitignore (1427)
    5c9221cf Unify endpoint API that related to OTel exporter (1401)
    045c3ffe Build scripts: Replace mapfile with read loop for old bash versions (1425)
    2def8c3d Add Versioning Documentation (1388)
    6bcd1085 Bump github.com/itchyny/gojq from 0.11.2 to 0.12.0 in /internal/tools (1424)
    38e76efe Add a split protocol driver for otlp exporter (1418)
    439cd313 Add TraceState to SpanContext in API (1340)
    35215264 Split connection management away from exporter (1369)
    add9d933 Bump github.com/prometheus/client_golang from 1.8.0 to 1.9.0 in /exporters/metric/prometheus (1414)
    93d426a1 Add @dashpole as a project Approver (1410)
    6fe20ef3 Fix small typo (1409)
    b22d0d70 Mention the getting started guide (1406)
    3fb80fb2 Fix duplicate checkout action in GitHub workflow (1407)
    2051927b Correct CI workflow syntax (1403)
    f11a86f7 Fix typo in comment (1402)
    bdf87a78 Migrate CircleCI ci.yml workflow to GitHub Actions (1382)
    4e59dd1f Bump google.golang.org/grpc from 1.32.0 to 1.34.0 in /example/otel-collector (1400)
    83513f70 Bump google.golang.org/api from 0.32.0 to 0.36.0 in /exporters/trace/jaeger (1398)
    a354fc41 Bump github.com/prometheus/client_golang from 1.7.1 to 1.8.0 in /exporters/metric/prometheus (1397)
    3528e42c Bump google.golang.org/grpc from 1.32.0 to 1.34.0 in /exporters/otlp (1396)
    af114baf Call otel.Handle with non-nil errors (1384)
    c3c4273e Add RO/RW span interfaces (1360)

Fixes #2591

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-11-04 12:30:45 -07:00
Chelsea Mafrica
b5cfb73466 Merge pull request #2931 from YchauWang/wyc-runtime-shim2
runtime# make sure the "Shutdown" trace span have a correct end
2021-11-04 11:33:22 -07:00
Chelsea Mafrica
02181cb7d8 Merge pull request #2620 from cmaf/tracing-fix-addtag
tracing: Accept multiple dynamic tags
2021-11-04 11:33:06 -07:00
James O. D. Hunt
d47484e7c1 logging: Always run crate tests
Ensure the tests in the local `logging` crate are run for all consumers
of it.

Additionally, add a new test which checks that output is generated by a
range of different log level `slog` macros. This is designed to ensure
debug level output is always available for the consumers of the
`logging` crate.

Fixes: #2969.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-04 17:26:52 +00:00
Chelsea Mafrica
09d5d8836b runtime: tracing: Change method for adding tags
In later versions of OpenTelemetry label.Any() is deprecated. Create
addTag() to handle type assertions of values. Change AddTag() to
variadic function that accepts multiple keys and values.

Fixes #2547

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-11-04 10:19:05 -07:00
James O. D. Hunt
5c9c0b6e62 build: Fix default target
Fixed the top-level build which was broken: the kata deploy
Makefile was being sourced, but it was defining the first target, which
became the default.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-04 16:30:50 +00:00
GabyCT
f611785fdc Merge pull request #2967 from jodh-intel/enable-debug-logs
logging: Enable agent debug output for release builds
2021-11-04 10:04:59 -06:00
GabyCT
86b5bb5801 Merge pull request #2940 from ManaSugi/seccomp-aarch64
agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
2021-11-04 09:38:45 -06:00
James O. D. Hunt
bcf3e82cf0 logging: Enable agent debug output for release builds
Raise the `slog` maximum log level feature for release code from `info`
to `debug` by changing the `slog` maximum level features in the shared
`logging` crate. This allows the consumers of the `logging` crate (the
agent, the `trace-forwarder` and the `agent-ctl` tool) to produce debug
output when their debug options are enabled. Currently, those options
will essentially be a NOP (unless using a debug version of the code).

Testing showed that setting the `slog` maximum level features in the
rust manifest files for the consumers of the `logging` crate has no
impact: those values are ignored, so they have been removed and replaced
with a comment stating the levels are set in the `logging` crate.

Fixes: #2966.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-11-04 11:42:47 +00:00
Snir Sheriber
b34ed403c5 cgroups: pass vhost-vsock device to cgroup
for the sandbox cgroup

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-11-04 10:59:10 +02:00
Snir Sheriber
7362e1e8a9 runtime: remove prefix when cgroups are managed by systemd
as done previously in 9949daf4dc

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-11-04 10:13:22 +02:00
Bin Liu
a7a47bd7d4 Merge pull request #2943 from liubin/fix/2942-add-golint-for-makefile
runtime: Enhancement for Makefile
2021-11-04 11:37:21 +08:00
GabyCT
fbe27d9097 Merge pull request #2962 from wainersm/image-builder-fix-1
osbuilder: build image-builder image from Fedora 34
2021-11-03 14:04:02 -06:00
Wainer dos Santos Moschetta
a239a38f45 osbuilder: build image-builder image from Fedora 34
Currently the image-builder image is built from `fedora:latest` and
this is error-prone as any update of the base image can lead to
breakage. Instead let's create the image from Fedora 34, which is the
last known version to build fine.

Fixes #2960
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-11-03 13:07:42 -04:00
bin
375ad2b2b6 runtime: Enhancement for Makefile
There are some issues with Makefile for runtime:

- default target can't be used as a dependent of other targets.
- empty target `check`

And also add two targets for locally development/tests.

- lint: run golangci-lint
- pre-commit: run lint and test

Fixes: #2942

Signed-off-by: bin <bin@hyper.sh>
2021-11-03 17:36:55 +08:00
Manabu Sugimoto
b468dc500a agent: Use dup3 system call in unit tests of seccomp
Use `dup3` system call instead of `dup2` in unit tests of seccomp
because `dup2` is obsolete on aarch64.

Fixes: #2939

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-11-03 15:49:23 +09:00
Tim Zhang
5e230a1cba Merge pull request #2945 from liubin/fix/2944-refactor-process-io
agent: refactor process IO processing
2021-11-03 14:35:04 +08:00
Manabu Sugimoto
1aaa0599d9 agent: "Revert agent: Disable seccomp feature on aarch64 temporarily"
Re-enable seccomp feature on aarch64 because CI is ready
by https://github.com/kata-containers/tests/pull/4124.

This reverts commit 42add7f201.

Fixes: #2939

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-11-02 22:53:38 +09:00
bin
1e331f7542 agent: refactor process IO processing
Move closing IO into process.rs and use macro
to reduce codes.

Fixes: #2944

Signed-off-by: bin <bin@hyper.sh>
2021-11-02 15:49:11 +08:00
wangyongchao.bj
9d3ec58370 runtime: make sure the "Shutdown" trace span have a correct end
We only added span.End() in the main process of the shim2 Shutdown method.
The "Shutdown" span would keep alive, when the containers number is not 0.
This PR make sure the "Shutdown" trace span have a correct end.

Fixes: #2930

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-11-02 14:24:31 +08:00
Fupan Li
1c81d7e0b6 Merge pull request #2915 from jodh-intel/agent-ctl-handle-hybrid-vsock
agent-ctl: Update for Hybrid VSOCK
2021-11-02 09:55:16 +08:00
GabyCT
3bc25e684e Merge pull request #2631 from Bevisy/main-2630
docs: Fix outdated links
2021-11-01 11:22:45 -06:00
Wainer Moschetta
415f5a9a67 Merge pull request #2935 from wainersm/fix_install_libseccomp-1
ci/install_libseccomp: Fix libseccomp build and misc improvement
2021-11-01 12:04:46 -03:00
Jianyong Wu
e15c8460db Merge pull request #2265 from rapiz1/simple-ro-mount
virtcontainers: simplify read-only mount handling
2021-11-01 10:43:16 +08:00
Bin Liu
51e9038ad5 Merge pull request #1998 from liubin/1997/add-fastfail-test
runtime: add fast-test to let test exit on error
2021-10-30 15:38:27 +08:00
bin
3f21af9c5c runtime: add fast-test to let test exit on error
Add -failfast option to let test exit on error, but -failfast option
can't cross package, so there is a for loop used to test on all packages
in src/runtime, and the parallel number is set to 1, this may lead test
to be slow.

Fixes: #1997

Signed-off-by: bin <bin@hyper.sh>
2021-10-30 11:09:54 +08:00
GabyCT
c8553ea427 Merge pull request #2046 from littlejawa/issue_2042
test: Fix random failure for TestIoCopy
2021-10-29 17:29:31 -05:00
GabyCT
969b78b01f Merge pull request #2496 from rapiz1/show-guest-protection
cli: Show available guest protection in env output
2021-10-29 17:28:47 -05:00
GabyCT
39ab5f4bea Merge pull request #2435 from fidencio/wip/update-k8s-and-crio-to-1.22
Update k8s, critools, and CRI-O to their 1.22 release
2021-10-29 17:27:51 -05:00
GabyCT
e009b58c93 Merge pull request #2629 from Kvasscn/kata_dev_kbuild
package: assign proper value to redefined_string  in build-kernel.sh
2021-10-29 17:26:40 -05:00
GabyCT
7b406d5561 Merge pull request #2037 from c3d/issue/2036-is-not-exist
agent: Make wording of error message match CRI-O test suite
2021-10-29 17:25:06 -05:00
Wainer dos Santos Moschetta
9b270d72d1 ci/install_libseccomp: use a temporary work directory
It is safer to download the tarballs and work on a temporary directory
which can be proper cleaned up when the script finishes.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-10-29 13:00:27 -03:00
Wainer dos Santos Moschetta
98b4406196 ci/install_libseccomp: Fix fail when DESTDIR is set
If DESTDIR is set on the environment then gperf will be installed
in an unexpected directory, resulting on the libseccomp's configure
not being able to find it. To avoid that issue this changed the
ci/install_libseccomp.sh so that PREFIX and DESTDIR are unset
inside the script.

Fixes #2932
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-10-29 12:58:09 -03:00
Chelsea Mafrica
53a9f9460f Merge pull request #2383 from wzshiming/patch-1
docs: Moving from EOT to EOF
2021-10-29 08:44:52 -07:00
James O. D. Hunt
2551179e43 Merge pull request #2929 from YchauWang/vc-docs-api
virtcontainers: api: update the functions in the api.md docs
2021-10-29 16:01:31 +01:00
Julio Montes
2751a13bbd Merge pull request #2923 from ManaSugi/add-libseccomp-info
release: Upload libseccomp sources with notice to release page
2021-10-29 09:44:24 -05:00
James O. D. Hunt
4e2dd41eb6 Merge pull request #1791 from wainersm/virtcontainers-1
virtcontainers: check that both initrd and image are not set
2021-10-29 14:51:07 +01:00
wangyongchao.bj
338ac87516 virtcontainers: api: update the functions in the api.md docs
Virtcontainers API document functions weren't sync with the codes Sandbox and VCImpl.
And we have two functions named `CreateSandbox` functions, diff by one parameter,
very confused. So this pr sync the codes to api documents.

Fixes: #2928

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-10-29 15:36:53 +08:00
Bin Liu
71b69c36d5 Merge pull request #2917 from sameo/topic/agent-config-sample
agent: Fix the configuration sample file
2021-10-29 11:51:58 +08:00
Bin Liu
eb248b0c66 Merge pull request #2750 from liubin/fix/2749-remove-fixme
runtime: set tags for trace span
2021-10-29 11:42:49 +08:00
Manabu Sugimoto
23496f94be release: Upload libseccomp sources with notice to release page
The `kata-agent` binaries inside the Kata Containers images provided
with release are statically linked with the GNU LGPL-2.1 licensed
libseccomp library by default.
Therefore, we attach the complete source code of the libseccomp
to the release page in order to comply with the LGPL-2.1 (6(a)).
In addition, we add the description about the libseccomp license
to the release page.

Fixes: #2922

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-29 12:38:14 +09:00
Bin Liu
00a20c840b Merge pull request #2716 from liudalibj/linux_oci_spec
agent-ctl: Implement Linux OCI spec handling
2021-10-29 10:53:04 +08:00
GabyCT
29f5ff5304 Merge pull request #2925 from GabyCT/topic/fixclhconfig
runtime: Remove comments about unsupported features in config for clh
2021-10-28 14:42:52 -05:00
Gabriela Cervantes
e610fc82ff runtime: Remove comments about unsupported features in config for clh
Cloud hypervisor is only supporting virtio-blk, this PR removes comments
that make a wrong reference of other features that are not supported
by clh.

Fixes #2924

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-10-28 15:14:49 +00:00
Julio Montes
caa6e19b5d Merge pull request #2919 from dgibson/viommu
tools/packaging: Add options for VFIO to guest kernel
2021-10-28 08:23:55 -05:00
James O. D. Hunt
7e401952f8 agent-ctl: Add stub for AddSwap API
Add a basic implementation for the `AddSwap` agent API call.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-28 09:22:52 +01:00
James O. D. Hunt
82de838e5f agent-ctl: Update for Hybrid VSOCK
Allow the `agent-ctl` tool to connect to a Hybrid VSOCK hypervisor such
as Cloud Hypervisor or Firecracker.

Fixes: #2914.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-28 09:22:35 +01:00
James O. D. Hunt
d1bcf105ff forwarder: Remove quotes from socket path in doc
Update the trace forwarder README to remove the quotes around the socket
path, which makes manipulating that path easier.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-28 09:20:38 +01:00
Yujia Qiao
e66d0473be virtcontainers: simplify read-only mount handling
Current handling of read-only mounts is a little tricky.
However, a clearer solution can be used here:
  1. make a private ro bind mount at privateDest to the mount source
  2. make a bind mount at mountDest to the mount created in step 1
  3. umount the private bind mount created in step 1
One important aspect is that the mount in step 2 is duplicated from
the one we created in step 1. So the MS_RDONLY flag is properly
preserved in all mounts created in the propagtion.

Fixes: #2205

Depends-on: github.com/kata-containers/tests#4106

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-10-28 15:48:41 +08:00
David Gibson
bdf4824145 tools/packaging: Add options for VFIO to guest kernel
Pull #2795 recently added support for a closer-to-OCI behaviour for
VFIO devices, in which they appear to the container as VFIO devices,
rather than being interpreted by the guest kernel.  However, in order
to use this, the Kata guest kernel needs to include the VFIO PCI
driver, along with dependencies like the Intel IOMMU driver.

The kernel as built by the scripts within Kata don't currently include
those, so this patch adds them.

fixes #2913

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-28 11:38:51 +11:00
Da Li Liu
c509a204f3 agent-ctl: Implement Linux OCI spec handling
- convert linux field from oci spec to grpc spec
- include all the fields below linux oci spec

Fixes: #2715

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
2021-10-27 13:41:57 +00:00
Bin Liu
b85edbfa00 Merge pull request #1788 from ManaSugi/add-seccomp-feature
agent/runtime: Add seccomp feature
2021-10-27 21:00:04 +08:00
Manabu Sugimoto
42add7f201 agent: Disable seccomp feature on aarch64 temporarily
In order to pass CI test of aarch64, it is necessary to run
`ci/install_libseccomp.sh` before ruuning unit tests in
`jenkins_job_build.sh`.
However, `ci/install_libseccomp.sh` is not available
until PR #1788 including this commit is merged in the mainline.
Therefore, we disable seccomp feature on aarch64 temporarily.
After #1788 lands and CI is fixed, this commit will be reverted.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-27 19:06:13 +09:00
Manabu Sugimoto
5dfedc2b19 docs: Add explanation about seccomp
This adds explanation about how to enable seccomp in the kata-runtime and
build the kata-agent with seccomp capability.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-27 19:06:13 +09:00
Manabu Sugimoto
45e7c2cab1 static-checks: Add step for installing libseccomp
This adds a step for installing libseccomp because the kata-agent
supports seccomp feature.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-27 19:06:13 +09:00
Manabu Sugimoto
a3647e3486 osbuilder: Set up libseccomp library
The osbuilder needs to set up libseccomp library to build the kata-agent
because the kata-agent supports seccomp currently.
The library is built from the sources to create a static library for musl libc.
In addition, environment variables for the libseccomp crate are set to
link the library statically.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-27 19:06:13 +09:00
Manabu Sugimoto
3be50adab9 agent: Add support for Seccomp
The kata-agent supports seccomp feature based on the OCI runtime specification.
This seccomp capability in the kata-agent is enabled by default.
However, it is not enforced by default: users need to enable that by setting
`disable_guest_seccomp` to `false` in the main configuration file.

Fixes: #1476

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-27 19:06:13 +09:00
James O. D. Hunt
4d4a15d6ce Merge pull request #2057 from wainersm/fix_kata-deploy-ci
ci: test-kata-deploy: Get rid of slash-command-action action
2021-10-27 10:08:12 +01:00
Peng Tao
03a9411884 Merge pull request #2878 from eadamsintel/update-qat-dockerfile
This is to bump the OOT QAT 1.7 driver version to the latest version.…
2021-10-27 17:00:04 +08:00
Samuel Ortiz
4280415149 agent: Fix the configuration sample file
All endpoint names share the `Request` suffix.
Also, the current list is based on functions, not requests.

Fixes #2916

Reported-by: Jakob Naucke <jakob.naucke@ibm.com>
Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-27 06:02:33 +02:00
Bo Chen
bf5f42d411 Merge pull request #2906 from jodh-intel/trace-forwarder-drop-privs
forwarder: Drop privileges when using hybrid VSOCK
2021-10-26 13:24:01 -07:00
Chelsea Mafrica
8f33e6f593 Merge pull request #2896 from Jakob-Naucke/static
packaging/static-build: s390x fixes
2021-10-26 11:53:34 -07:00
Wainer dos Santos Moschetta
b0bc71f463 ci: test-kata-deploy: Get rid of slash-command-action action
There is a problem with slash-command-action which is on absence of a slash command
the job fails (instead of simply ignore, i.e., skip). This is documented on
https://github.com/xt0rted/slash-command-action/issues/124. There is a workaround
also documented on that issue, but here instead let's get rid of the action.

In this new implementation all comments sent to the pull request are parsed, if any
starts with "/test_kata-deploy" then the job is triggered.

Fixes #2836
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-10-26 11:36:13 -04:00
Wainer dos Santos Moschetta
309dae631a virtcontainers: check that both initrd and image are not set
This changed valid() in hypervisor to check the case where both
initrd and image path are set; in this case it returns an error.

Fixes #1868
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-10-26 10:44:23 -04:00
James O. D. Hunt
3120b489e3 Merge pull request #2687 from genjuro214/improve-oci-to-grpc
agent-ctl: improve the oci_to_grpc code
2021-10-26 13:00:02 +01:00
James O. D. Hunt
a10cfffdff forwarder: Fix changing log level
Fix `-l <log-level>` for the trace forwarder which didn't work
previously as it lacked the magic Cargo configuration.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-26 11:02:06 +01:00
James O. D. Hunt
6abccb92ce forwarder: Drop privileges when using hybrid VSOCK
Hybrid VSOCK requires `root` privileges to access the sandbox-specific
host-side AF_UNIX socket created by the hypervisor (CLH or FC). However,
once the socket has been bound, privileges can be dropped, allowing the
forwarder to run as user `nobody`.

Fixes: #2905.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-26 11:01:58 +01:00
Bin Liu
8d8604e10f Merge pull request #2893 from liubin/fix/2892-print-error-instead-of-return
agent: do not return error but print it if task wait failed
2021-10-26 17:48:17 +08:00
Lei Li
bf00b8df87 agent-ctl: improve the oci_to_grpc code
The oci_to_grpc function just handles part of oci fields,
and others are not copied from oci spec to grpc spec,
such as process.env, process.capabilities, mounts and so on.
Try to implement more handlings to convert thoses fields.

Fixes #2686

Signed-off-by: Lei Li <cdlleili@cn.ibm.com>
2021-10-26 16:54:28 +08:00
James O. D. Hunt
b67fa9e450 forwarder: Make explicit root check
Rather than generating a potentially misleading error message if the
socket bind fails, perform an explicit check for `root` for Hybrid
VSOCK.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-26 09:28:26 +01:00
James O. D. Hunt
e377578e08 forwarder: Fix docs socket path
Updated the trace forwarder README to ensure the real socket path is
created, not the template socket path returned by `kata-runtime env`.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-26 09:28:26 +01:00
James O. D. Hunt
d1d9e84e9f Merge pull request #2902 from liubin/fix/2901-delete-duplicated-line
virtcontainers: delete duplicated notify in watchHypervisor function
2021-10-26 08:22:11 +01:00
bin
5f306330f4 virtcontainers: delete duplicated notify in watchHypervisor function
When hypervisor check failed, the notify function is called twice.

Fixes: #2901

Signed-off-by: bin <bin@hyper.sh>
2021-10-26 11:58:26 +08:00
bin
5f5eca6b8e agent: do not return error but print it if task wait failed
Do not return error but print it if task wait failed
and let program continue to run the next code.

Fixes: #2892

Signed-off-by: bin <bin@hyper.sh>
2021-10-26 11:43:39 +08:00
Jakob Naucke
d2a7b6ff4a packaging/static-build: s390x fixes
- Install OpenSSL for key generation in kernel build
- Do not install libpmem
- Do not exclude `*/share/*/*.img` files in QEMU tarball since among
  them are boot loader files critical for IPLing.

Fixes: #2895
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-25 18:47:35 +02:00
Yujia Qiao
6cc8000cae cli: Show available guest protection in env output
Show available guest protections in the
`kata-runtime env` output. Also bump the formatVersion.

Fixes: #1982

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-10-25 21:44:56 +08:00
Yujia Qiao
2063b13805 virtcontainers: Add func AvailableGuestProtections
Add functions to return guestProtection as a string slice, which
can be then used in `kata-runtime env` output.

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-10-25 21:44:01 +08:00
Fupan Li
3d0fe433c6 Merge pull request #2889 from lht/handle-uevent-remove-actions
agent: Handle uevent remove actions
2021-10-25 19:08:20 +08:00
James O. D. Hunt
ec3aa1694b Merge pull request #2844 from jongwu/unit_test
enable unit test on arm
2021-10-25 10:58:21 +01:00
Bin Liu
01fdeb7641 Merge pull request #2891 from ManaSugi/fix/unify-form
rustjail: Consistent coding style of LinuxDevice type
2021-10-25 14:03:03 +08:00
Bin Liu
ded864f862 Merge pull request #2568 from Bevisy/main-2254
cli: Fix outdated kata-runtime bash completion
2021-10-25 14:02:13 +08:00
Haitao Li
a13e2f77b8 agent: Handle uevent remove actions
uevents with action=remove was ignored causing the agent to reuse stale
data in the device map. This patch adds handling of such uevents.

Fixes #2405

Signed-off-by: Haitao Li <lihaitao@gmail.com>
2021-10-25 14:41:32 +11:00
David Gibson
a0825badf6 Merge pull request #2795 from dgibson/vfio-as-vfio
Allow VFIO devices to be used as VFIO devices in the container
2021-10-25 14:25:26 +11:00
Peng Tao
e709f11229 Merge pull request #2881 from mcastelino/topic/hypervisor-rename
Expose top level hypervisor methods -
2021-10-25 10:25:49 +08:00
David Gibson
34273da98f runtime/device: Allow VFIO devices to be presented to guest as VFIO devices
On a conventional (e.g. runc) container, passing in a VFIO group device,
/dev/vfio/NN, will result in the same VFIO group device being available
within the container.

With Kata, however, the VFIO device will be bound to the guest kernel's
driver (if it has one), possibly appearing as some other device (or a
network interface) within the guest.

This add a new `vfio_mode` option to alter this.  If set to "vfio" it will
instruct the agent to remap VFIO devices to the VFIO driver within the
guest as well, meaning they will appear as VFIO devices within the
container.

Unlike a runc container, the VFIO devices will have different names to the
host, since the names correspond to the IOMMU groups of the guest and those
can't be remapped with namespaces.

For now we keep 'guest-kernel' as the value in the default configuration
files, to maintain current Kata behaviour.  In future we should change this
to 'vfio' as the default.  That will make Kata's default behaviour more
closely resemble OCI specified behaviour.

fixes #693

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:29:31 +11:00
David Gibson
68696e051d runtime: Add parameter to constrainGRPCSpec to control VFIO handling
Currently constrainGRPCSpec always removes VFIO devices from the OCI
container spec which will be used for the inner container.  For
upcoming support for VFIO devices in DPDK usecases we'll need to not
do that.

As a preliminary to that, add an extra parameter to the function to
control whether or not it will remove the VFIO devices from the spec.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:29:31 +11:00
David Gibson
d9e2e9edb2 runtime: Rename constraintGRPCSpec to improve grammar
"constraint" is a noun, "constrain" is the associated verb, which makes
more sense in this context.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:29:31 +11:00
David Gibson
57ab408576 runtime: Introduce "vfio_mode" config variable and annotation
In order to support DPDK workloads, we need to change the way VFIO devices
will be handled in Kata containers.  However, the current method, although
it is not remotely OCI compliant has real uses.  Therefore, introduce a new
runtime configuration field "vfio_mode" to control how VFIO devices will be
presented to the container.

We also add a new sandbox annotation -
io.katacontainers.config.runtime.vfio_mode - to override this on a
per-sandbox basis.

For now, the only allowed value is "guest-kernel" which refers to the
current behaviour where VFIO devices added to the container will be bound
to whatever driver in the VM kernel claims them.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:29:29 +11:00
David Gibson
730b9c433f agent/device: Create device nodes for VFIO devices
Add and adjust the vfio devices in the inner container spec so that
rustjail will create device nodes for them.

In order to do that, we also need to make sure the VFIO device node is
ready within the guest VM first.  That may take (slightly) longer than
just the underlying PCI device(s) being ready, because vfio-pci needs
to initialize.  So, add a helper function that will wait for a
specific VFIO device node to be ready, using the existing uevent
listening mechanism.  It also returns the device node name for the
device (though in practice it will always /dev/vfio/NN where NN is the
group number).

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
175f9b06e9 rustjail: Allow container devices in subdirectories
Many device nodes go directly under /dev, however some are conventionally
placed in subdirectories under /dev.  For example /dev/vfio/vfio or
/dev/pts/ptmx.

Currently, attempting to pass such a device into a Kata container will fail
because mknod() will get an ENOENT because the parent directory is missing
(or an equivalent error for bind_dev()).

Correct that by making subdirectories as necessary in create_devices().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
9891efc61f rustjail: Correct sanity checks on device path
For each user supplied device, create_devices() checks that the given path
actually is in /dev, by checking that its path starts with /dev and does
not contain "..".

However, this has subtle errors because it's interpreting the path as a raw
string without considering separators.  It will accept the path /devfoo
which it should not, while it will not accept the valid (though weird)
paths /dev/... and /dev/a..b.

Correct this by using std::path::Path methods designed for the purpose.
Having done this, it's trivial to also generate the relative path that
mknod_dev() or bind_dev() will need, so do that at the same time.

We also move this logic into a helper function so that we can add some unit
tests for it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
d6b62c029e rustjail: Change mknod_dev() and bind_dev() to take relative device path
Both these functions take the absolute path from LinuxDevice and drop the
leading '/' to make a relative path.  They do that with a simple
&dev.path[1..].  That can be technically incorrect in some edge cases such
as a path with redundant /s like "//dev//sda".

To handle cases like that, have the explicit relative path passed into
these functions.  For now we calculate it in the same buggy way, but we'll
fix that shortly.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
2680c0bfee rustjail: Provide useful context on device node creation errors
create_devices() within the rustjail module is responsible for creating
device nodes within the (inner) containers.  Errors that occur here will
be propagated up, but are likely to be low level failures of mknod() - e.g.
ENOENT or EACCESS - which won't be very useful without context when
reported all the way up to the runtime without the context of what we were
trying to do.

Add some anyhow context information giving the details of the device we
were trying to create when it failed.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
42b92b2b05 agent/device: Allow container devname to differ from the host
Currently, update_spec_device() assumes that the proper device path in the
(inner) container is the same as the device path specified in the outer OCI
spec on the host.

Usually that's correct.  However for VFIO group devices we actually need
the container to see the VM's device path, since it's normal to correlate
that with IOMMU group information from sysfs which will be different in the
guest and which we can't namespace away.

So, add an extra "final_path" parameter to update_spec_device() to allow
callers to chose the device path that should be used for the inner
container.  All current callers pass the same thing as container_path, but
that will change in future.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
827a41f973 agent/device: Refactor update_spec_device_list()
update_spec_device_list() is used to update the container configuration to
change device major/minor numbers configured by the Kata client based on
host details to values suitable for the sandbox VM, which may differ.  It
takes a 'device' object, but the only things it actually uses from there
are container_path and vm_path.

Refactor this as update_spec_device(), taking the host and guest paths to
the device as explicit parameters.  This makes the function more
self-contained and will enable some future extensions.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
8ceadcc5a9 agent/device: Sanity check guest IOMMU groups
Each VFIO device passed into the guest could represent a whole IOMMU group
of devices on the host.  Since these devices aren't DMA isolated from each
other, they must appear as the same IOMMU group in the guest as well.

The VMM should enforce that for us, but double check it, since things can't
work otherwise.  This also means we determine the guest IOMMU group for the
VFIO device, which we'll be needing later.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
ff59db7534 agent/device: Add function to get IOMMU group for a PCI device
For upcoming VFIO extensions we'll need to work with the IOMMU groups of
VFIO devices.  This helps us towards that by adding pci_iommu_group() to
retrieve the IOMMU group (if any) of a given PCI device.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
13b06a35d5 agent/device: Rebind VFIO devices to VFIO driver inside guest
VFIO devices can be added to a Kata container and they will be passed
through to the sandbox guest.  However, inside the guest those devices
will bind to a native guest driver, so they will no longer appear as VFIO
devices within the guest.  This behaviour differs from runc or other
conventional container runtimes.

This code allows the agent to match the behaviour of other runtimes,
if instructed to by kata-runtime.  VFIO devices it's informed about
with the "vfio" type instead of the existing "vfio-gk" type will be
rebound to the vfio-pci driver within the guest.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
David Gibson
e22bd78249 agent/device: Add helper function for binding a guest device to a driver
For better VFIO support, we're going to need to take control of which guest
driver controls specific guest devices.  To assist with that, add the
pci_driver_override() function to force a specific guest device to be
bound to a specific guest driver.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-25 12:28:33 +11:00
Manabu Sugimoto
b40eedc9f7 rustjail: Consistent coding style of LinuxDevice type
Use `"c".to_string` in the device type of `dev/full`
in order to consistent with the coding style of other devices

Fixes: #2890

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-25 09:15:59 +09:00
Jianyong Wu
57c0f93f54 agent: fix race condition when test watcher
create_tmpfs won't pass as the race condition in watcher umount. quote
James's words here:

1. Rust runs all tests in parallel.
2. Mounts are a process-wide, not a per-thread resource.
The only test that calls watcher.mount() is create_tmpfs().
However, other tests create BindWatcher objects.
3. BindWatcher's drop() implementation calls self.cleanup(),
which calls unmount for the mountpoint create_tmpfs() asserts.
4. The other tests are calling unmount whenever a BindWatcher goes
out of scope.

To avoid that issue, let the tests using BindWatcher in watcher and
sandbox.rs run sequentially.

Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-24 17:31:53 +08:00
Jianyong Wu
1a96b8ba35 template: disable template unit test on arm
Template is broken on arm. here we disable the template unit test
temporarily.

Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-23 15:07:25 +08:00
Jianyong Wu
43b13a4a6d runtime: DefaultMaxVCPUs should not greater than defaultMaxQemuVCPUs
DefaultMaxVCPUs may be larger than the defaultMaxQemuVCPUs that should
be checked and avoided.

Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-23 15:07:25 +08:00
Jianyong Wu
c59c36732b runtime: current vcpu number should be limited
The physical current vcpu number should not be used directly as the
largest vcpu number is limited to defaultMaxQemuVCPUs.
Here, a new helper is introduced in pkg/katautils/config.go to get
current vcpu number.

Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-23 15:07:25 +08:00
Jianyong Wu
fa922517d9 runtime: kernel version with '+' as suffix panic in parse
The current kernel version parse lib can't process suffix '+', as the
modified kernel version will add '+' as suffix, thus panic will occur.

For example, if the current kernel version is "5.14.0-rc4+", test
TestHostNetworkingRequested will panic:
--- FAIL: TestHostNetworkingRequested (0.00s)
panic: &{DistroName:ubuntu DistroVersion:18.04
KernelVersion:5.11.0-rc3+ Issue: Passed:[] Failed:[] Debug:true
ActualEUID:0}: failed to check test constraints: error: Build meta data
is empty

Here, remove the suffix '+' in kernel version fix helper.

Fixes: #2809
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-23 15:07:25 +08:00
Manohar Castelino
52268d0ece hypervisor: Expose the hypervisor itself
Export the top level hypervisor type

s/hypervisor/Hypervisor

Fixes: #2880

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-10-22 16:46:02 -07:00
Eric Ernst
a72bed5b34 hypervisor: update tests based on createSandbox->CreateVM change
Fixup a couple of broken tests.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
f434bcbf6c hypervisor: createSandbox is CreateVM
Last of a series of commits to export the top level
hypervisor generic methods.

s/createSandbox/CreateVM

Fixes #2880

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
76f1ce9e30 hypervisor: startSandbox is StartVM
s/startSandbox/StartVM

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
fd24a695bf hypervisor: waitSandbox is waitVM
renaming...

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
a6385c8fde hypervisor: stopSandbox is StopVM
Renaming. There is no Sandbox specific logic except tracing.

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
f989078cd2 hypervisor: resumeSandbox is ResumeVM
renaming...

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
73b4f27c46 hypervisor: saveSandbox is SaveVM
rename

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
7308610c41 hypervisor: pauseSandbox is nothing but PauseVM
renaming

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
8f78e1cc19 hypervisor: The SandboxConsole is the VM's console
update naming

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
4d47aeef2e hypervisor: Export generic interface methods
This is in preparation for creating a seperate hypervisor package.
Non functional change.

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Manohar Castelino
6baf2586ee hypervisor: Minimal exports of generic hypervisor internal fields
Export commonly used hypervisor fields and utility functions.
These need to be exposed to allow the hypervisor to be consumed
externally.

Note: This does not change the hypervisor interface definition.
Those changes will be separate commits.

Signed-off-by: Manohar Castelino <mcastelino@apple.com>
2021-10-22 16:45:35 -07:00
Eric Adams
37fa453dd2 osbuilder: Update QAT driver in Dockerfile
This is to bump the OOT QAT 1.7 driver version to the
latest version. I dida test on my QAT enabled system and
everything functioned as expected.

Fixes: #2877

Signed-off-by: Eric Adams <eric.adams@intel.com>
2021-10-22 00:08:24 +00:00
GabyCT
03877f3479 Merge pull request #2872 from likebreath/1020/clh_v19.0
Upgrade to Cloud Hypervisor v19.0
2021-10-21 10:26:55 -05:00
James O. D. Hunt
8c8bcb7b00 Merge pull request #2810 from mythi/sgx-doc
docs: use-cases: Update Intel SGX use case
2021-10-21 12:28:29 +01:00
James O. D. Hunt
09741272bc Merge pull request #2783 from likebreath/1001/clh_enable_seccomp
virtcontainers: clh: Enable the `seccomp` feature
2021-10-21 09:21:33 +01:00
Bo Chen
8030b6caf0 virtcontainers: clh: Re-generate the client code
This patch re-generates the client code for Cloud Hypervisor v19.0.
Note: The client code of cloud-hypervisor's (CLH) OpenAPI is
automatically generated by openapi-generator [1-2].

[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-20 15:48:55 -07:00
Bo Chen
8296754e07 versions: Upgrade to Cloud Hypervisor v19.0
Highlights from the Cloud Hypervisor release v19.0: 1) Improved PTY
handling for serial and virtio-console; 2) PCI boot time optimisations;
3) Improved TDX support; 4) Live migration enhancements (support with
virtio-mem and virtio-balloon); 5) virtio-mem support with vfio-user; 6)
AArch64 for virtio-iommu; 7) Various bug fixes for live-migration and
VFIO passthrough.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v19.0

Fixes: #2871

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-20 15:39:53 -07:00
James O. D. Hunt
de45c783ca Merge pull request #2864 from liubin/fix/2791-delete-cri-containerd-from-versions
runtime: delete cri containerd plugin from versions.yaml
2021-10-20 13:21:34 +01:00
James O. D. Hunt
c1adb075ad Merge pull request #1937 from jodh-intel/add-tracing-docs
docs: Write tracing documentation
2021-10-20 10:14:46 +01:00
Binbin Zhang
2b13944964 docs: Fix outdated links
fix outdated links which were checked out by workflow/docs-url-alive-check

Fixes #2630

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-10-20 16:54:39 +08:00
Archana Shinde
6abc70725f Merge pull request #2523 from Bevisy/main-2295
runtime: delete useless src/runtime/cli/exit.go
2021-10-20 01:37:20 -07:00
Mikko Ylinen
4f75ccb903 docs: use-cases: Update Intel SGX use case
The upstream kernel SGX support has changed drastically since
the initial version of the Intel SGX use case doc was written.

The updated use case documents how to easily setup SGX with
Kata Containers running in a Kubernetes cluster.

Fixes: #2811
Depends-on: github.com/kata-containers/tests#4079

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Co-authored-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-20 09:20:57 +03:00
Binbin Zhang
4f018b5287 runtime: delete useless src/runtime/cli/exit.go
simply use os.Exit() replace exit()
delete useless ci/go-no-os-exit.sh;

Fixes: #2295

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-10-20 11:42:37 +08:00
Shiming Zhang
7a80aeb0b8 docs: Moving from EOT to EOF
Only this uses EOT, the others are EOF, uniformly changed to EOF to
avoid confusion

Fixes: #2550

Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-10-20 01:27:23 +08:00
James O. D. Hunt
09a5e03f4a docs: Write tracing documentation
Add documentation explaining how to trace the runtime and agent.

Fixes: #1892.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-19 17:33:01 +01:00
Julio Montes
448fe0a5ed Merge pull request #2853 from devimc/2021-10-15/snap/clh+expKernel
snap: add cloud-hypervisor and experimental kernel
2021-10-19 11:19:11 -05:00
bin
b625f62d4b runtime: delete cri containerd plugin from versions.yaml
Delete cri containerd plugin from versions.yaml.

Releated to:
- https://github.com/kata-containers/tests/issues/4061
- https://github.com/kata-containers/kata-containers/issues/2791

Fixes: #2791

Signed-off-by: bin <bin@hyper.sh>
2021-10-19 21:36:08 +08:00
Julio Montes
24fff57c23 snap: make curl commands consistent
remove -k and -Ssf from curl commands

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-10-19 08:36:06 -05:00
Julio Montes
2b9f79cfc9 snap: add cloud-hypervisor and experimental kernel
Add cloud-hypervisor and experimental kernel as part of the kata snap

fixes #2852

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-10-19 08:35:06 -05:00
James O. D. Hunt
9db56ffd85 Merge pull request #2863 from wainersm/osbuilder_dracut_rust
osbuilder: Call detect_rust_version() right before install_rust.sh
2021-10-19 11:48:39 +01:00
Archana Shinde
1ba069b303 Merge pull request #2860 from davidhay1969/update_developer_guide
docs: Updating Developer Guide re qemu-img
2021-10-19 01:40:52 -07:00
Bin Liu
29234c6d45 Merge pull request #2859 from ManaSugi/add-libseccomp-dep
versions: Add libseccomp and gperf version
2021-10-19 13:05:00 +08:00
Chelsea Mafrica
4ce2b14e60 Merge pull request #2817 from jodh-intel/clh+fc-agent-tracing
Enable agent tracing for hybrid VSOCK hypervisors
2021-10-18 22:01:52 -07:00
Bin Liu
72d1a04cf1 Merge pull request #2761 from liubin/fix/2752-optimize-test-code
runtime: optimize test code
2021-10-19 12:21:04 +08:00
Bin Liu
78d3f319e2 Merge pull request #2792 from liubin/fix/2791-remove-cri-containerd-from-source
runtime: use containerd package instead of cri-containerd
2021-10-19 10:39:25 +08:00
bin
273a1a9ac6 runtime: optimize test code
This PR includes these optimize changes:

- Remove the dependency on the container engine.
  The old code uses runc to generate config.json and
  Docker to export rootfs, that will be heavy and need
  additional dependency.
  Using a fixed config for busybox image can avoid
  the heavy processing above.

- Moved duplicate code to pkg/katatestutils package

Fixes: #2752

Signed-off-by: bin <bin@hyper.sh>
2021-10-19 09:54:49 +08:00
bin
76f16fd1a7 runtime: use containerd package instead of cri-containerd
cri-containerd project has been merged into containerd repo, and
we should not reference it any more in code and docs.

This commit will use containerd package instead of cri-containerd
package.

Fixes: #2791

Signed-off-by: bin <bin@hyper.sh>
2021-10-19 09:40:20 +08:00
bin
6d55b1bafa docs: use containerd to replace cri-containerd
cri-containerd plugin is deprecated, use containerd instead.

Fixes: #2791

Signed-off-by: bin <bin@hyper.sh>
2021-10-19 09:38:56 +08:00
bin
ed02bc9041 packaging: add containerd to versions.yaml
This commit will add containerd to versions.yaml.

Please at now there are both containerd and cri-containerd
in the versions.yaml.

After updating of kata-containers/tests repo, the cri-containerd
should be removed.

Fixes: #2791

Signed-off-by: bin <bin@hyper.sh>
2021-10-19 09:38:56 +08:00
Wainer dos Santos Moschetta
50da26d3e6 osbuilder: Call detect_rust_version() right before install_rust.sh
When building with dracut method the build_rootfs_distro() is not called, in turn
detect_rust_version() isn't either, so the install_rust.sh script is gave a null
rust version. This changed the script to call detect_rust_version() right before
install_rust.sh.

Related to commit: f34f67d610
Fixes #2862
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-10-18 16:54:53 -04:00
James O. D. Hunt
41c49a7bf5 Merge pull request #2771 from fengwang666/debug-pid
runtime: update sandbox root dir cleanup behavior in rootless hypervisor
2021-10-18 17:47:47 +01:00
Dave Hay
b4fadc9456 docs: Updating Developer Guide re qemu-img
Adding notes re `qemu-img` dependency for non-Docker builds of image

Fixes #2477

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
2021-10-18 15:39:15 +01:00
Manabu Sugimoto
b8e69ce5bd versions: Add libseccomp and gperf version
Add `libseccomp` and `gperf` version information to support
for seccomp feature in Kata agent: #1788.

Fixes: #2858

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-10-18 23:21:02 +09:00
James O. D. Hunt
d0e5e55e55 Merge pull request #2569 from Bevisy/main-2188
utils: kata-manager: Update kata-manager.sh for new containerd config
2021-10-18 14:50:16 +01:00
Julien Ropé
17a8c5c685 runtime: Fix random failure for TestIoCopy
When running the TestIoCopy test, on some occasions, the test
runs too quick, and closes the stdin pipe before the ioCopy()
routine start to read from it. This causes a SIGSEGV error.

To fix this issue, I am adding additional read/write tests before
closing the pipes. As the read operation waits for the writer to
be done, this actually synchronizes the threads and make sure
the final tests (with closed pipes) works as expected.

Fixes: #2042

Signed-off-by: Julien Ropé <jrope@redhat.com>
2021-10-18 15:25:57 +02:00
James O. D. Hunt
f16a99603c Merge pull request #2399 from Jakob-Naucke/container-osbuilder-respin
osbuilder: Re-enable building the agent in Docker
2021-10-18 12:06:37 +01:00
Bin Liu
1cb38ecbe7 Merge pull request #2843 from zhaojizhuang/fixroute
agent: Do not fail when trying to adding existing routes
2021-10-18 15:52:29 +08:00
Bin Liu
c2be2dfb61 Merge pull request #2848 from c3d/bug/2847-tag-typo
tracing: Fix typo in "package" tag name
2021-10-18 14:50:47 +08:00
Fabiano Fidêncio
681b80473f Merge pull request #2846 from fidencio/wip/kata-deploy-add-dockerignore-file
kata-deploy: add .dockerignore file
2021-10-16 10:39:07 +02:00
Chelsea Mafrica
6ffe9e5afe Merge pull request #2816 from cmaf/add-var-name-kata
runtime: change name in config settings back to "kata"
2021-10-15 14:09:41 -07:00
Jakob Naucke
f34f67d610 osbuilder: Specify version when installing Rust
and update the script in `ci/` accordingly.
When only parts of the Kata Containers repositories are checked out
(e.g. when building with Snap) and no Rust version is provided in
calling `install_rust.sh`, the scripts will attempt to clone the
appropriate repos to read the version, which will fail because the
directories already exist. Since we have read the version already, we
can just specify it.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-15 16:27:40 +02:00
Jakob Naucke
135a0802c5 osbuilder: Pass CI env to container agent build
The agent build inside a Docker or Podman container has been re-enabled,
but we have since introduced the `$CI` environment variable. Pass it to
avoid checking out the tests repo to main when there is a dependency.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-15 16:27:39 +02:00
Jakob Naucke
eb5dd76e9d osbuilder: Re-enable building the agent in Docker
or Podman. This is a partial revert of
76c18aa345. The rationale behind that
commit was the fact that the agent could not be built on Alpine, and
then this capability was removed altogether. The issue in Alpine has
since been resolved (see
https://github.com/kata-containers/osbuilder/issues/386). At the same
time, this ensures being able to run a glibc agent on hosts with distros
more recent than the osbuilder distro used (i.e. as of now, when you
build the agent on the host, and its glibc is newer than the one used in
the guest, the agent may encounter unresolved symbols).

Fixes #2398
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-15 16:27:37 +02:00
Christophe de Dinechin
bcffa26305 tracing: Fix typo in "package" tag name
The tracing tags for api.go contain `"packages"` as a tag name,
whereas all other tags contain `"package"`.

Fixes: #2847

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-10-15 14:48:00 +02:00
James O. D. Hunt
e61f5e2931 runtime: Show socket path in kata-env output
Display a pseudo path to the sandbox socket in the output of
`kata-runtime env` for those hypervisors that use Hybrid VSOCK.

The path is not a real path since the command does not create a sandbox.
The output includes a `{ID}` tag which would be replaced with the real
sandbox ID (name) when the sandbox was created.

This feature is only useful for agent tracing with the trace forwarder
where the configured hypervisor uses Hybrid VSOCK.

Note that the features required a new `setConfig()` method to be added
to the `hypervisor` interface. This isn't normally needed as the
specified hypervisor configuration passed to `setConfig()` is also
passed to `createSandbox()`. However the new call is required by
`kata-runtime env` to display the correct socket path for Firecracker.
The new method isn't wholly redundant for the main code path though as
it's now used by each hypervisor's `createSandbox()` call.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-15 11:45:29 +01:00
James O. D. Hunt
5b3a349db5 trace-forwarder: Support Hybrid VSOCK
Add support for Hybrid VSOCK. Unlike standard vsock (`vsock(7)`), under
hybrid VSOCK, the hypervisor creates a "master" *UNIX* socket on the
host. For guest-initiated VSOCK connections (such as the Kata agent uses
for agent tracing), the hypervisor will then attempt to open a VSOCK
port-specific variant of the socket which it expects a server to be
listening on. Running the trace forwarder with the new `--socket-path`
option and passing it the Hypervisor specific master UNIX socket path,
the trace forwarder will listen on the VSOCK port-specific socket path
to handle Kata agent traces.

For further details and examples, see the README or run the
trace forwarder with `--help`.

Fixes: #2786.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-15 11:45:29 +01:00
James O. D. Hunt
baf4784a29 Merge pull request #2353 from jodh-intel/rm-trace-type-and-mode
tracing: Remove trace mode and trace type
2021-10-15 11:44:44 +01:00
Fabiano Fidêncio
e42bc05c8a kata-deploy: add .dockerignore file
.dockerignore file is similar to .gitignore and serves the purpose to
simply ignore paths in the build context.

For now, let me just use it to fix the following problem:
```
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz .
error checking context: 'no permission to read from
'(...)/local-build/build/firecracker/builddir/firecracker/(...)/crc64-1.0.0/.gitignore''.
```

Fixes: #2845

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2021-10-15 12:00:14 +02:00
James O. D. Hunt
321be0f794 tracing: Remove trace mode and trace type
Remove the `trace_mode` and `trace_type` agent tracing options as
decided in the Architecture Committee meeting.

See:

- https://github.com/kata-containers/kata-containers/pull/2062

Fixes: #2352.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-10-15 10:09:38 +01:00
zhaojizhuang
7d0b616cf3 agent: Do not fail when trying to adding existing routes
Adding a route that already exists should not be a reason for the agent to fail
booting and thus preventing the sandbox to start.

Fixes #2712

Signed-off-by: zhaojizhuang <571130360@qq.com>
2021-10-14 18:38:26 +02:00
Fabiano Fidêncio
119edcc443 Merge pull request #2837 from fidencio/2.3.0-alpha2-branch-bump
# Kata Containers 2.3.0-alpha2
2021-10-14 09:52:37 +02:00
Fabiano Fidêncio
8873ddab9e release: Kata Containers 2.3.0-alpha2
- kata-monitor: add index page
- clh: Refine the usage of guest console and kernel parameters with Cloud Hypervisor
- agent: exec should inherit container process capabilities
- GitHubActions: fix invalid format of require-pr-porting-labels.yaml
- agent: flush root span before process finish
- Extend PCI submodules to represent non-zero functions and addresses
- packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
- runtime: don't start shim management server in tests
- qemu: use GitLab repos instead of qemu.org
- runtime: optimize code for managing temp users for rootless mode
- Agent configuration file and API restriction
- Delete file virtcontainers-setup.sh
- vendor: Update containerd to v1.5.7
- runtime: Optimize func noNeedForOutput and add test cases
- runtime: Fix !x86 static checks
- #2676: fixing centos gpg key url for ppc64le
- Pass the host route IP family to the guest
- cmd: get return value for setCPUtype
- packaging: Configure QEMU with --enable-pie
- clh: Enable guest userland output
- cmd: Fix mismatched types in testModuleData
- runtime: update .gitignore to ignore monitor_address file
- runtime: fix the make check-go-static command error
- virtcontainers: clean up useless code
- Remove forced PCI rescans from agent
- kernel: Enable SGX in experimental kernel.
- runtime: fix nil reference in cleanup rootless user
- qemu: prepare to upgrade qemu version to 6.1.0 for arm
- kata-monitor (minor) improvements
- virtcontainers: Fix incorrect scripts path
- runtime: clear virtcontainers cgroup duplicated function
- Kata monitor: cache improvements
- virtiofs: fix error report in TestVirtiofsdStart when go test running

176dee6f agent: exec should inherit container process capabilities
7b2bfd4e virtcontainers: clh: Use 'quiet' as the default kernel parameter
3e24e46c virtcontainers: clh: Turn-off serial and virtio-console by default
2d7b65e8 agent: flush root span before process finish
5c77cc2c runtime: don't start shim management server in tests
72044180 agent/device: Return PCI address from wait_for_pci_device()
e50b05d9 agent/pci: Add type to represent PCI addresses
8528157b agent/pci:  Extend Slot type to represent PCI function as well
bf8f582c runtime: optimize code for managing temp users for rootless mode
a9c2a4ba GitHubActions: fix invalid format of require-pr-porting-labels.yaml
c4236cb2 packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
08360c98 agent: Add an agent configutation file example
8a4e69d2 agent: rpc: Return UNIMPLEMENTED for not allowed endpoints
0ea2e3af agent: config: Allow for building the configuration from a file
63539dc9 agent: config: Add allowed endpoints
a953fea3 agent: config: Simplify configuration creation
b888edc2 agent: config: Implement Default
7eac2ec7 protection: add confidential compute frame for arm
8acfc154 check: fix typecheck failure in qemu_arm64_test.go
5b02d54e virtcontainers: fix lint failure on ppc64le
ff9728f0 virtcontainers: nolint guestProtection
5c138c8f runtime: Fix field alignment on s390x
191d0016 vendor: Update containerd to v1.5.7
f7f6bd01 kata-monitor: add index page
a44cde7e agent: netlink: Use the grpc IP family field when updating the route
71ce6cfe runtime: Pass the route IP family to the agent
99450bd1 agent: protos: Add a Family field to the Route payload
f85fe702 runtime: vendor: Bump the netlink package dependency
e439cec7 cmd: fix field alignment on ppc64le
e5159ea7 cmd: get return value for setCPUtype
2ce8d426 clh: Suppress hypervisor output to make guest output visible
cd1064b1 packaging: Configure QEMU with --enable-pie
762922a5 runtime: delete func ConstraintsToVCPUs
4f485430 runtime: delete virtcontainers-setup.sh
80f6b977 osbuilder: fixing centos gpg key url for ppc64le
bb99bfb4 runtime: fix the make check-go-static command error
870771d7 runtime: update .gitignore to ignore monitor_address file
18bff584 runtime: Optimize func noNeedForOutput and add test cases
e5fe53f0 runtime: fix nil reference in cleanup rootless user
2304a596 runtime: set the sandbox storage path static
315295e0 runtime: rename GetSanboxesStoragePath() --> GetSandboxesStoragePath()
13e65f2e cmd: Fix mismatched types in testModuleData
da42cbc0 actions: Build experimental kernel on kata-deploy push action
dffc5092 kernel: Enable SGX in experimental kernel.
ff6a677d kernel-build: Enable multiple config types.
90046964 experimental-kernel: bump 5.13.10
1fbb7304 build: kata-deploy kernel experimental
907459c1 agent/device: Don't force PCI rescans
75f426dd agent: Simplify do_add_swap()
aad1a873 runtime/device: Give the agent information about VFIO devices
ebd7b618 runtime: Don't repeat GetDeviceByID between appendDevices() and append*()
ad45c52f runtime/device: Record guest PCI path for VFIO devices
5c2af3e3 runtime/device: Refactor hotplugVFIODevice() to have common exit path
8bc71105 agent/device: Add device type for VFIO devices
f7a27075 agent: Move driver type constants into device.rs
5b1eb08b agent/uevent: Improve logging of wait_for_uevent()
cf36fd87 runtime: Fix some leftover go fmt errors
6d94957a kernel: reduce alignment size of memory hotplug to 128M
48090f62 qemu: disable plug on arm64 when pie is added
57e3712d virtiofs: fix error report in TestVirtiofsdStart when go test running
8b0bc1f4 kata-monitor: bump version to 0.2.0
bfb556d5 kata-monitor: refresh kata sandbox list on fs events
0e854f3b kata-monitor: improve detection of kata workloads
80463b44 qemu: use GitLab repos instead of qemu.org
3b0c4bf9 runtime: clear virtcontainers cgroup duplicated function
afad910d kata-monitor: add getSandboxFS()
e38686f7 runtime: add GetSandboxesStoragePath()
245a12bb kata-monitor: improve sandbox caching
fc067d61 kata-monitor: warn when unable to retrive the lower level runtime
53ec4df9 kata-monitor: minor fixes
47516988 virtcontainers: Fix incorrect scripts path
814cea96 virtcontainers: clean up useless code

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-10-14 06:56:30 +02:00
Bin Liu
8be85fda4f Merge pull request #2775 from fgiudici/kata-monitor_issue2292
kata-monitor: add index page
2021-10-14 09:12:57 +08:00
GabyCT
5c7e1b457c Merge pull request #2821 from likebreath/1011/clh_console
clh: Refine the usage of guest console and kernel parameters with Cloud Hypervisor
2021-10-13 13:36:32 -05:00
Eric Ernst
6cc4d6b54e Merge pull request #2829 from bergwolf/capability
agent: exec should inherit container process capabilities
2021-10-13 09:02:03 -07:00
Peng Tao
176dee6f37 agent: exec should inherit container process capabilities
Otherwise rustjail would not set its capabilities and it ends up getting
all capabilities.

Fixes: #2828
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-10-13 17:24:52 +08:00
Bo Chen
7b2bfd4eca virtcontainers: clh: Use 'quiet' as the default kernel parameter
The 'quiet' kernel parameter can avoid guest kernel logs while booting,
which can reduce boot time.

Fix: #2820

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-11 22:06:27 -07:00
Bo Chen
3e24e46c70 virtcontainers: clh: Turn-off serial and virtio-console by default
We will need to have console output from the guest only for debugging
purposes. As a result, we can turn-off both the serial and
virtio-console devices by default for better boot time.

Fixes: #2820

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-11 22:06:23 -07:00
GabyCT
88affdb7b7 Merge pull request #2799 from liubin/fix/github-action-format
GitHubActions: fix invalid format of require-pr-porting-labels.yaml
2021-10-11 09:36:04 -05:00
Bin Liu
b7cd4ca2b8 Merge pull request #2813 from liubin/fix/2812-flush-root-span
agent: flush root span before process finish
2021-10-11 18:46:09 +08:00
bin
2d7b65e8eb agent: flush root span before process finish
Variables in rust will be dropped at the end of the function.

In function real_main the trace will be shut down by `tracer::end_tracing()`,
but at this time the root span is in an active state, so this root span
will not be sent to the trace collector.

This can be fixed by dropping the root span manually.

Fixes: #2812

Signed-off-by: bin <bin@hyper.sh>
2021-10-11 17:14:37 +08:00
Chelsea Mafrica
3f95469a78 runtime: logging: Add variable for syslog tag
The variable for 'name' in config-settings.go.in was previously
hardcoded as "kata". In e7c42fb it was changed to the runtime name,
which is "kata-runtime". Add a variable to specify a syslog identifier
for consistency for tests and documentation that use it.

Fixes #2806

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-10-11 02:12:13 -07:00
Marcel Apfelbaum
06f4ab10b4 Merge pull request #2764 from dgibson/more-pci
Extend PCI submodules to represent non-zero functions and addresses
2021-10-10 15:57:54 +03:00
Marcel Apfelbaum
9796babd92 Merge pull request #2311 from dgibson/mmconfig
packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
2021-10-10 15:11:33 +03:00
Feng Wang
adc9e0baaf runtime: fix two bugs in rootless hypervisor
Update the sandbox dir clean up logic to be more appropriate
Add different seeds for randInt() method

Fixes #2770

Signed-off-by: Feng Wang <feng.wang@databricks.com>
2021-10-08 15:52:42 -07:00
Bo Chen
51cbe14584 runtime: Add option "disable_seccomp" to config hypervisor.clh
This patch adds an option "disable_seccomp" to the config
hypervisor.clh, from which users can disable the `seccomp`
feature from Cloud Hypervisor when needed (for debugging purposes).

Fixes: #2782

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-08 15:10:30 -07:00
Bo Chen
98b7350a1b virtcontainers: clh: Enable the seccomp feature
This patch enables the `seccomp` feature from Cloud Hypervisor which
provides fine-grained allowed syscalls for each of its worker
threads. It brings important security benefits, while would increase
memory footprint.

Fixes: #2782

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-10-08 15:07:43 -07:00
Bin Liu
0300e91cd0 Merge pull request #2808 from liubin/fix/2805-fix-test-leak-of-monitor-socket
runtime: don't start shim management server in tests
2021-10-08 19:42:09 +08:00
bin
5c77cc2c49 runtime: don't start shim management server in tests
Shim management server is running in a go routine, in test mode
this will cause the directory where the listen socket
file(/run/vc/sbs/777-77-77777777/shim-monitor.sock) in leak
after the tests finished.

Fixes: #2805

Signed-off-by: bin <bin@hyper.sh>
2021-10-08 18:41:53 +08:00
Jakob Naucke
4152c45e4c Merge pull request #2706 from yuanzhe-liu0/qemu_link
qemu: use GitLab repos instead of qemu.org
2021-10-08 12:03:55 +02:00
David Gibson
72044180e4 agent/device: Return PCI address from wait_for_pci_device()
wait_for_pci_device() waits for the PCI device at the given path to become
ready, but it doesn't currently give you any meaningful handle on that
device.

Change the signature, so that it returns the PCI address of the device.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-08 16:52:49 +11:00
David Gibson
e50b05d93c agent/pci: Add type to represent PCI addresses
Add a new pci::Address type which represents a guest PCI address in
DDDD:BB:SS.F form.

fixes #2745

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-08 16:52:49 +11:00
David Gibson
8528157b9b agent/pci: Extend Slot type to represent PCI function as well
pci::Slot represents a PCI slot.  However, in all cases where we use it, we
actually care about addressing a specific PCI function.  So, at the moment
we can only refer to function 0 in each slot.

Replace pci::Slot with pci::SlotFn to represent both the slot and function.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-08 16:52:49 +11:00
Fupan Li
988eb95621 Merge pull request #2760 from liubin/fix/2759-optimize-code-for-managing-temp-users
runtime: optimize code for managing temp users for rootless mode
2021-10-08 13:49:14 +08:00
bin
bf8f582c1d runtime: optimize code for managing temp users for rootless mode
This commit does two chagnes:

- move code for managing temp users to rootless.go.
- use common function in qemu.go when shutdown the VM.

Fixes: #2759

Signed-off-by: bin <bin@hyper.sh>
2021-10-08 11:04:21 +08:00
Eric Ernst
011c58d626 Merge pull request #2517 from sameo/topic/agent-config
Agent configuration file and API restriction
2021-10-07 08:54:51 -07:00
Bin Liu
10ec4b133c Merge pull request #2742 from liubin/fix/2741-delete-file-code
Delete file virtcontainers-setup.sh
2021-10-07 11:54:47 +08:00
bin
a9c2a4ba8e GitHubActions: fix invalid format of require-pr-porting-labels.yaml
The yaml file has an indent issue from line 15.

And the branches filter should be under pull_request_target but
not the pull_request trigger.

Also actions/checkout@v2 does not need the token parameter.

Fixes: #2798

Signed-off-by: bin <bin@hyper.sh>
2021-10-07 10:23:44 +08:00
David Gibson
c4236cb2d1 packaging/kernel: Add CONFIG_PCI_MMCONFIG to x86 guest kernel configuration
The guest kernel configuration suggested for Kata, and which is used by the
CI didn't include CONFIG_PCI_MMCONFIG.  That's kind of weird, MMCONFIG is
the modern normal way of handling configuration cycles.

In addition, due to a complex set of interactions through the ACPI code,
disabling MMCONFIG means that SHPC hotplug doesn't work: the driver is
included in the guest kernel, but will fail to probe on PCI to PCI bridges,
meaning it won't actually be activated.

Enable MMCONFIG so that we suggest and testa more typical guest kernel
configuration.

fixes #2288

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-10-07 13:21:48 +11:00
Samuel Ortiz
08360c981d agent: Add an agent configutation file example
With all endpoints allowed.

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-07 04:04:52 +02:00
Samuel Ortiz
8a4e69d237 agent: rpc: Return UNIMPLEMENTED for not allowed endpoints
From the endpoints string described through the configuration file, we
build a hash set of allowed enpoints. If a configuration files does not
include an endpoints section, we assume all endpoints are not allowed.
If there is no configuration file, then all endpoints are allowed.

Then for every ttrpc request, we check if the name of the endpoint is
part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED.

Fixes: #1837

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-10-07 04:04:32 +02:00
Samuel Ortiz
0ea2e3af07 agent: config: Allow for building the configuration from a file
When the kernel command line includes a agent.config_file=<path> entry,
then we will try to override the default confiuguration values with the
ones we parse from a TOML file at <path>.

As the configuration file overrides the default values, we need to go
through a simplified builder that convert a set of Option<> fields into
the actual AgentConfig structure.

Fixes: #1837

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-10-07 00:37:40 +02:00
Samuel Ortiz
63539dc9fd agent: config: Add allowed endpoints
They will define the list of endpoints that an agent supports.
They're empty and non actionable for now.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-10-07 00:37:40 +02:00
Samuel Ortiz
a953fea324 agent: config: Simplify configuration creation
We dont need a constructor and derive directly from the command line
parsing.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-10-07 00:37:40 +02:00
Samuel Ortiz
b888edc2fc agent: config: Implement Default
A single constructor setting default value is a typical pattern for a
Default implementation.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-10-07 00:37:40 +02:00
Fabiano Fidêncio
4cde619c68 Merge pull request #2797 from fidencio/wip/upgrade-vendored-containerd
vendor: Update containerd to v1.5.7
2021-10-06 21:05:44 +02:00
Chelsea Mafrica
6e3fcce2a2 Merge pull request #2748 from liubin/fix/2747-add-test
runtime: Optimize func noNeedForOutput and add test cases
2021-10-06 11:24:57 -07:00
Fabiano Fidêncio
04cdf5b1f0 Merge pull request #2774 from Jakob-Naucke/fix-s390x-alignment
runtime: Fix !x86 static checks
2021-10-06 19:57:00 +02:00
Jianyong Wu
7eac2ec786 protection: add confidential compute frame for arm
Even CCA, which is the confidential compute archtecture, has not been
ready, add a empty implementation to avoid static check error.

Fixes: #2789
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Suggested-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-10-06 15:53:36 +02:00
Jianyong Wu
8acfc154de check: fix typecheck failure in qemu_arm64_test.go
fix typecheck failure in qemu_arm64_test.go

Fixes: #2789
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-10-06 15:53:35 +02:00
Amulya Meka
5b02d54e23 virtcontainers: fix lint failure on ppc64le
Add nolint for arch specific code to exclude
from lint check.

Fixes: #2773

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-10-06 15:53:35 +02:00
Jakob Naucke
ff9728f032 virtcontainers: nolint guestProtection
Exclude from lint checking for it is ultimately only used in
architecture-specific code.

Fixes: #2273
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-06 15:53:35 +02:00
Jakob Naucke
5c138c8f12 runtime: Fix field alignment on s390x
Follow-up of #2237 for s390x -- field alignment isn't always minimal

Fixes: #2773
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-10-06 15:53:35 +02:00
Fabiano Fidêncio
191d001610 vendor: Update containerd to v1.5.7
Bump containerd to v1.5.7 in order to bring in a fix for CVE-2021-41103,
"insufficiently restricted permissions ons plugins directories
(https://github.com/advisories/GHSA-c2h3-6mxw-7mvq)".

dependabot found a potential security vulnerability and raised a PR to
fix it.  However, dependabot does not properly follows nor understands
the needed of our CIs (mainly related to formatting the PR and whatnot),
thus I'm re-raising it.

Fixes: #2796
Supersedes: #2787

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-10-06 10:40:43 +02:00
Chelsea Mafrica
1f6a551570 Merge pull request #2755 from paleozogt/centos-ppc64le-gpg
#2676: fixing centos gpg key url for ppc64le
2021-10-05 09:37:58 -07:00
Eric Ernst
2bc7561561 Merge pull request #2769 from sameo/topic/agent-route
Pass the host route IP family to the guest
2021-10-05 07:20:33 -07:00
Chelsea Mafrica
db7d3b91bd Merge pull request #2780 from Amulyam24/checks
cmd: get return value for setCPUtype
2021-10-04 22:19:59 -07:00
Bin Liu
f7f6bd0142 kata-monitor: add index page
Add an index page to the kata-monitor endpoint.

Porting of https://github.com/liubin/kata-containers/commit/a45aa0696d55

Fixes: #2292
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-10-04 18:13:56 +02:00
Archana Shinde
5fd963530d Merge pull request #2756 from gkurz/fix-enable-pie
packaging: Configure QEMU with --enable-pie
2021-10-04 03:50:00 -07:00
Samuel Ortiz
a44cde7e8d agent: netlink: Use the grpc IP family field when updating the route
Not all routes have either a gateway or a destination IP.
Interface routes, where the source, destination and gateway are undefined,
will default to IP v4 with the current is_ipv6() check even when they
are v6 routes.

We use the provided gRPC Route.Family field instead. This field is built
from the host netlink messages, and is a reliable way of finding out
a route's IP family.

Fixes: #2768

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-01 14:39:46 +02:00
Samuel Ortiz
71ce6cfe9e runtime: Pass the route IP family to the agent
When updating the guest routing table, we should forward the IP family
information up to the guest.

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-01 14:35:17 +02:00
Samuel Ortiz
99450bd1f7 agent: protos: Add a Family field to the Route payload
Our check for the IP family is working as long as we have either a
gateway or a destination IP. Some routes are missing both.
The RT netlink messages provide the IP family information for each
route, so we can carry that piece of information up to the guest. That
will allow for a more reliable route IP family determination.

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-01 14:35:17 +02:00
Samuel Ortiz
f85fe70231 runtime: vendor: Bump the netlink package dependency
We need to be able to get the IP family from the netlink route meesages,
and the Route.Family field only got recently added to the netlink
package.

The update generates static check warnings about the call for
nethandler.Delete() being deprecated in favor of a Close() call instead.
So we include the s/Delete()/Close()/ change as part of this PR.

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-10-01 14:35:01 +02:00
Amulya Meka
e439cec7c5 cmd: fix field alignment on ppc64le
Optimising structure field alignment.

Fixes: #2779

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-10-01 11:45:27 +00:00
Amulya Meka
e5159ea755 cmd: get return value for setCPUtype
Accept and assert the return value in testSetCPUTypeGeneric.

Fixes: #2779

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-10-01 11:44:14 +00:00
Bo Chen
fd5c858390 Merge pull request #2751 from jodh-intel/clh-fix-guest-output
clh: Enable guest userland output
2021-09-30 09:05:30 -07:00
James O. D. Hunt
2ce8d4263c clh: Suppress hypervisor output to make guest output visible
Reduce the cloud-hypervisor log level from `Debug` to `Info` when hypervisor
debug is enabled. This is required since `Debug` level:

- Is overkill for debugging hypervisor failures.
- Effectively hides the output from the guest kernel and userland: CLH
  generates so much output that the output from the guest gets "lost in
  the noise" (experiments show that for each full CLH debug message, at most
  1 _byte_ of guest output is displayed).

Fixes: #2726.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-09-30 14:22:09 +01:00
Greg Kurz
cd1064b16f packaging: Configure QEMU with --enable-pie
We explicitely set the Postion Independant Executlable (PIE) options
in the extra CFLAGS and LDFLAGS that are passed to the QEMU configure
script for all archs. This means that these options are used pretty
much everywhere, including when building the sample plugins under the
test directory. These cannot be linked with -pie and break the build,
as experienced recently on ARM (see PR #2732).

This only broke on ARM because other archs are configured with
--disable-tcg : this disables plugins which are built by default
otherwise.

The --enable-pie option is all that is needed. The QEMU build system
knows which binaries should be created as PIE, e.g. the important
bits like QEMU and virtiofsd, and which ones should not, e.g. the
sample plugins that aren't used in production.

Rely on --enable-pie only, for all archs. This allows to drop the
workaround that was put in place in PR #2732.

Fixes: #2757
Signed-off-by: Greg Kurz <groug@kaod.org>
2021-09-30 11:17:41 +02:00
Jakob Naucke
8739a73dd3 Merge pull request #2736 from Amulyam24/kata-check-test
cmd: Fix mismatched types in testModuleData
2021-09-30 10:20:19 +02:00
bin
762922a521 runtime: delete func ConstraintsToVCPUs
ConstraintsToVCPUs is not used any more.

Fixes: #2741

Signed-off-by: bin <bin@hyper.sh>
2021-09-30 14:44:41 +08:00
bin
4f4854308a runtime: delete virtcontainers-setup.sh
This file is not used anymore.

Fixes: #2741

Signed-off-by: bin <bin@hyper.sh>
2021-09-30 14:44:30 +08:00
Chelsea Mafrica
96c033ba6c Merge pull request #2763 from liubin/fix/2762-update-gitignore
runtime: update .gitignore to ignore monitor_address file
2021-09-29 09:45:57 -07:00
Carlos Venegas
7183de47df Merge pull request #2766 from YchauWang/wyc-runtime-cmd
runtime: fix the make check-go-static command error
2021-09-29 10:53:02 -05:00
Aaron Simmons
80f6b97710 osbuilder: fixing centos gpg key url for ppc64le
The centos ppc64le gpg key at mirror.centos.org doesn't exist (link rot?).
Replacing it with url from CentOS/sig-core-AltArch on github.

Fixes: #2676

Signed-off-by: Aaron Simmons <paleozogt@gmail.com>
2021-09-29 09:20:51 -06:00
Bin Liu
4ac7199282 Merge pull request #2494 from rapiz1/clean-up-code
virtcontainers: clean up useless code
2021-09-29 22:56:13 +08:00
wangyongchao.bj
bb99bfb45d runtime: fix the make check-go-static command error
modify the make script of the check-go-static, changing the `./cli` path to `./cmd/kata-runtime`

Fixes: #2765

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-29 15:37:25 +08:00
David Gibson
b57613f53e Merge pull request #1682 from dgibson/rescan
Remove forced PCI rescans from agent
2021-09-29 13:03:55 +10:00
bin
870771d76d runtime: update .gitignore to ignore monitor_address file
Run tests sometimes generate pkg/containerd-shim-v2/monitor_address,
and `git status` will treat it as a new file.

Package containerd-shim-v2 has moved to pkg/containerd-shim-v2,
the monitor_address in .gitignore should be updated too.

Fixes: #2762

Signed-off-by: bin <bin@hyper.sh>
2021-09-29 09:24:14 +08:00
Chelsea Mafrica
20f4c252b8 Merge pull request #2519 from jcvenegas/kernel-experimental-5.13.10
kernel: Enable SGX in experimental kernel.
2021-09-28 11:00:46 -07:00
Fupan Li
823818cfbc Merge pull request #2744 from fengwang666/nil-bug
runtime: fix nil reference in cleanup rootless user
2021-09-28 22:43:24 +08:00
Fabiano Fidêncio
f9ecaaa6be Merge pull request #2732 from jongwu/plugin
qemu: prepare to upgrade qemu version to 6.1.0 for arm
2021-09-28 12:12:48 +02:00
bin
46720c61c1 runtime: set tags for trace span
Set tags for trace span in hook.go and remove FIXME.

Fixes: #2749

Signed-off-by: bin <bin@hyper.sh>
2021-09-28 18:05:03 +08:00
bin
18bff58487 runtime: Optimize func noNeedForOutput and add test cases
Optimize func noNeedForOutput and add test cases for this func.

Fixes: #2747

Signed-off-by: bin <bin@hyper.sh>
2021-09-28 16:58:44 +08:00
Feng Wang
e5fe53f0a9 runtime: fix nil reference in cleanup rootless user
It seems the client (crio) can send multiple requests to stop the Kata VM,
resulting a nil reference if the uid has already been cleaned up by a different thread.

Fixes #2743

Signed-off-by: Feng Wang <feng.wang@databricks.com>
2021-09-27 21:28:47 -07:00
Chelsea Mafrica
0b087a873d Merge pull request #2739 from fgiudici/kata-monitor_improvements3
kata-monitor (minor) improvements
2021-09-27 15:45:21 -07:00
Francesco Giudici
2304a59601 runtime: set the sandbox storage path static
Since we now have "unix://" kind of socket returned by the
SocketAddress() function, there is no more need to build the sandbox
storage path dynamically to keep OS compatibility.

Fixes: #2738
Suggested-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-27 15:57:34 +02:00
Francesco Giudici
315295e0ef runtime: rename GetSanboxesStoragePath() --> GetSandboxesStoragePath()
Add the missing 'd'.

Fixes: #2738
Suggested-by: Jakob Naucke <jakob.naucke@ibm.com>
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-27 15:56:14 +02:00
Bin Liu
3217b03b17 Merge pull request #2522 from Bevisy/main-2515
virtcontainers: Fix incorrect scripts path
2021-09-27 21:14:40 +08:00
Bin Liu
39df808f6a Merge pull request #2695 from YchauWang/wyc-vc-cgroup
runtime: clear virtcontainers cgroup duplicated function
2021-09-27 21:12:39 +08:00
Amulya Meka
13e65f2ee8 cmd: Fix mismatched types in testModuleData
Rectify the values of testModuleData with the correct
types in TestCCCheckCLiFunction in kata-check_(!x86)_test.go

Fixes: #2735

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-09-27 07:17:07 +00:00
Peng Tao
05995632c3 Merge pull request #2566 from fgiudici/kata-monitor_improvements
Kata monitor: cache improvements
2021-09-27 12:29:13 +08:00
Carlos Venegas
da42cbc0a7 actions: Build experimental kernel on kata-deploy push action
Build experimental kernel on kata-deploy push action.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-27 03:39:50 +00:00
Carlos Venegas
dffc50928a kernel: Enable SGX in experimental kernel.
Enable Intel SGX support in experimental kernel.

Fixes: #2518

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-27 03:39:50 +00:00
Carlos Venegas
ff6a677d16 kernel-build: Enable multiple config types.
Optional build types are common for early adoption.
Lets add a flag to build and optional config.

e.g.
kernel-build.sh -b experimental

In the future instead of add more flags just add a new build type.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-27 03:39:50 +00:00
Carlos Venegas
90046964ef experimental-kernel: bump 5.13.10
Upgrade Linux kernel to latest stable release.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-27 03:39:50 +00:00
Carlos Venegas
1fbb73041b build: kata-deploy kernel experimental
Allow build experimental kernel from kata-deploy.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-27 02:56:59 +00:00
David Gibson
907459c1c1 agent/device: Don't force PCI rescans
The agent initiates a PCI rescan from two places.  One is triggered
for each virtio-blk PCI device, and one is triggered unconditionally
when we start a new container.

The PCI bus rescan code was added long time ago in Clear Containers due to
lack of ACPI support in QEMU 2.9 + q35.  Since Kata routinely plugs devices
under a PCIe-to-PCI bridge, that left SHPC as the only available hotplug
mechanism.

However, while Kata was using SHPC on the qemu side, it wasn't actually
using it on the guest side.  Due to a quirk of our guest kernel
configuration, the SHPC driver never bound to the bridge, and *no* hotplug
was working at all.  To work around that, Kata was forcing the rescan
manually, which would discover the new device.  That was very fragile (we
were arguably relying on a kernel bug).  Even if we were using SHPC
propertly, it includes a mandatory 5s delay during plug operations
(designed for physical cards and human operators), which makes it
unsuitable quick start up.

Worse, the forced PCI rescans could race with either SHPC or PCIe native
hotplug sequences, causing several problems.  In some cases this could put
the device into an entirely broken state where it wouldn't respond to
config space accesses at all.

Since pull request #2323 was merged, we have instead used ACPI hotplug
which is both fast, and more solid in terms of semantics and races.  So,
the forced PCI rescans are no longer necessary.  Remove them all.

fixes #683

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
75f426dd1e agent: Simplify do_add_swap()
do_add_swap() has some mildly complex code to translate the PCI path of
a virtio-blk device (where the swap will reside) into a /dev path. However,
the device module already has get_virtio_blk_pci_device_name() which does
exactly that.  The existing code has some further advantages: it uses
more precise matching of the sysfs paths, and if necessary it will wait for
the device to be added to the guest.

While we're there, remove an unnecessary 'as u8' from the PCI path
construction: pci::Path::new() already accepts anything which implements
TryInfo<u8>, which u32 certainly does.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
aad1a8734f runtime/device: Give the agent information about VFIO devices
We send information about several kinds of devices to the agent so
that it can apply specific handling.  We don't currently do this with
VFIO devices.  However we need to do that so that the agent can
properly wait for VFIO devices to be ready (previously it did that
using a PCI rescan which may not be reliable and has some very bad
side effects).

This patch collates and sends the relevant information.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
ebd7b61884 runtime: Don't repeat GetDeviceByID between appendDevices() and append*()
Both appendBlockDevice and appendVhostUserBlkDevice start by using
GetDeviceByID to lookup the api.Device object corresponding to their
ContainerDevice object.  However their common caller, appendDevices() has
already done this.

This changes it so the looked up api.Device is passed to the individual
append*Device() functions.  This slightly reduces duplicated work, but more
importantly it makes it clearer that append*Device() don't need to check
for a nil result from GetDeviceByID, since the caller has already done
that.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
ad45c52fbe runtime/device: Record guest PCI path for VFIO devices
For several device types which correspond to a PCI device in the guest
we record the device's PCI path in the guest.  We don't currently do
that for VFIO devices, but we're going to need to for better handling
of SR-IOV devices.

To accomplish this, we have to determine the guest PCI path from the
information the VMM gives us:

For qemu, we query the slot of the device and its bridge from QMP.

For cloud-hypervisor, the device add interface gives us a guest PCI
address.  In fact this represents a design error in the clh API -
there's no way it can really know the guest PCI address in general.
It works in this case, because clh doesn't use PCI bridges, so the
device will always be on the root bus.  Based on that, the PCI path is
simply the device's slot number.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
5c2af3e308 runtime/device: Refactor hotplugVFIODevice() to have common exit path
hotplugVFIODevice() has several different paths depending if we're
plugging into a root port or a PCIE<->PCI bridge and if we're using a
regular or mediated VFIO device.

We're going to want some common code on the successful exit path here,
so refactor the function to allow that without duplication.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
8bc71105f4 agent/device: Add device type for VFIO devices
Currently, VFIO devices attached to a Kata container aren't described to
the agent at all.  We essentially just hope they're ready by the time
we've entered the container proper, which is usually the case because of
the PCI rescan - but that causes other problems.

This adds a new device type to the agent representing VFIO devices.  The
agent will use its existing uevent watching mechanisms to wait for the
associated guest PCI device to appear before proceeding.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
f7a2707505 agent: Move driver type constants into device.rs
Currently the constants giving the names for each device/driver type in
the protocol are in mount.rs, and used in device.rs.  Since these constants
are inherently related to, well, devices, it makes more sense to put them
in device.rs and use them from mount.rs.

This will become even more so with planned extensions which will add some
device types that will not be used in mount.rs at all.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
5b1eb08bde agent/uevent: Improve logging of wait_for_uevent()
These messages will help when debugging matchers not matching properly.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
David Gibson
cf36fd87ad runtime: Fix some leftover go fmt errors
A few "go fmt" errors appear to have crept it.  Clean them up with
"go fmt ./..." in the src/runtime directory.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-27 12:46:33 +10:00
Jianyong Wu
6d94957a14 kernel: reduce alignment size of memory hotplug to 128M
After 5.11-rc4, memory hotplug alignment size is reduced to 128M for 4K
page.
It works better for memory hotplug and nvdimm plug in kata on arm.
without this patch, memory hotplug will fail for the current memory
hotplug alignment is 1G but the nvdimm size align with 128M in kata.
After port it here, we can avoid a fix in qemu side.

Note: if you change the page size to other size than 4K, memory hotplug
will has no effect.

Fixes: #2707
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-09-26 15:33:33 +08:00
Jianyong Wu
48090f624a qemu: disable plug on arm64 when pie is added
For qemu 6.1.0 build on arm64, compile error occurs when "-pie" is added
 to ldflag.
tests/plugins/empty.c won't be linked as a sysmbol is missing.
I consider there maybe a bug.
Before figure it out, we should disable plugins for qemu 6.1.0 on arm64.

Fixes: #2707
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-09-26 15:33:33 +08:00
Fabiano Fidêncio
c811dd7484 Merge pull request #2720 from Kvasscn/kata_dev_virtiofsd_ctx
virtiofs: fix error report in TestVirtiofsdStart when go test running
2021-09-25 12:17:00 +02:00
Fabiano Fidêncio
ed705482a2 Merge pull request #2730 from fidencio/wip/release-fix-using-vendored-sources
workflows: Fix the config file path for using vendored sources
2021-09-24 23:37:10 +02:00
Fabiano Fidêncio
a525991c2c workflows: Fix the config file path for using vendored sources
There's a typo in the file that should receive the output of `cargo
vendor`.  We should use forward the output to `.cargo/config` instead of
`.cargo/vendor`.

This was introduced by 21c8511630.

Fixes: #2729

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-24 20:26:27 +02:00
Fabiano Fidêncio
9ad44750e8 Merge pull request #2727 from fidencio/wip/fix-wrong-tags-attribution
workflows: Fix tag attribution
2021-09-24 19:28:33 +02:00
Fabiano Fidêncio
39dcbaa672 workflows: Fix tag attribution
While releasing kata-containers 2.3.0-alpha1 we've hit some issues as
the tags attribution is done incorrectly.  We want an array of tags to
iterate over, but the currently code is just lost is the parenthesis.

This issue was introduced in a156288c1f.

Fixes: #2725

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-24 17:58:50 +02:00
Fabiano Fidêncio
832d57c960 Merge pull request #2722 from fidencio/2.3.0-alpha1-branch-bump
# Kata Containers 2.3.0-alpha1
2021-09-24 15:03:06 +02:00
Fabiano Fidêncio
04139ba686 release: Kata Containers 2.3.0-alpha1
- virtiofs: Create shared directory with 0700 mode, not 0750
- watcher: ensure we create target mount point for storage
- packaging: fix qemu build on ppc64le
- runtime: tracing: Use root context to stop tracing
- Replace SHPC with ACPI PCI hotplug for Kata guests
- kata-deploy: Also provide "stable" & "latest" tags
- runtime: tracing: Fix logger passed in newContainer
- virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
- sandbox: Allow the device to be accessed,such as /dev/null and /dev/u…
- qemu: add v5.1.0 dir under tag_patches
- threat-model: Add missing threat-model document
- docs: documentation for running non-root VMM
- workflows,release: Upload the vendored cargo code
- runtime: run the QEMU VMM process with a non-root user
- runtime: update .gitignore file cleare the vc shim config
- runtime: fix empty cgroup path validation error
- ci: Call agent shutdown test only in the correspondent CI_JOB
- runtime: Remove outdated TestStoreContainer
- runtime: refactor commandline code directory
- virtcontainers: update VC HypervisorConfig API add three lost fields
- virtcontainers: add unit tests for container.go
- runtime: clh: Enable hugepages support
- agent: Simplify mount point creation
- versions: Allow newer Rust versions
- runtime/qemu: Move from query-cpus to query-cpus-fast
- Update Kata to use qemu-6.1
- Host cgroups improvements and simplifications
- Add doc for guest swap
- versions: Upgrade to Cloud Hypervisor v18.0
- runtime: Fix README link
- qemu: remove default config for arm64.
- sandbox: Add device permissions such as /dev/null to cgroup
- virtcontainers: fc: parse vcpuID correctly
- kata-tarball: Build and test fixes
- test: enable running tests under root user
- osbuilder: Change to "=" operator to make script more portable
- makefile: Fix error exit status code
- osbuilder: fix inconsistent calculation of fs size
- virtcontainers: Remove NewStoreFeature
- snap: Test variable instead of executing "branch"
- license: drop redundent license files
- Fix swap fail insert fail issue

272771dc watcher: ensure we create target mount point for storage
439e5ac3 packaging: fix qemu build on ppc64le
8bbcb06a qemu: Disable SHPC hotplug
cc4983ee runtime: Remove unused qemuArchBase.appendBridges definition
e248de46 vendor: Update govmm
0ca8c272 qemu: add v5.1.0 dir under tag_patches
3bdcfaa6 kata-deploy: Add more info about the stable tag
41c590fa kata-deploy: Improve README
debf3c9f kata-deploy: Remove qemu-virtiofs runtime class
43a72d76 release: update the kata-deploy yaml files accordingly
ea9b2f9c kata-deploy: Add "stable" info to the README
e5411056 kata-deploy: Update the README
9acf4e5d kata-deploy: Add `stable` yaml files
a86babe0 kata-deploy: Point to the `latest` release
a156288c workflows: Add "stable" & "latest" tags to kata-deploy
305afc8b docs: documentation for running non-root VMM
1fe080fd threat-model: Add missing threat-model document
21c85116 workflows,release: Upload the vendored cargo code
9a6d56f1 runtime: fix empty cgroup path validation error
90e63887 ci: Call agent shutdown test only in the correspondent CI_JOB
48fb1d92 virtiofs: Create shared directory with 0700 mode, not 0750
077b77c1 runtime: tracing: Fix logger passed in newContainer
39cd05e0 runtime: tracing: Use root context to stop tracing
1cfe5930 runtime: Run QEMU using a non-root user/group
fd983738 runtime: update .gitignore file cleare the vc shim config
067c44d0 runtime: fix UT build failure
9353cd77 runtime: Remove outdated TestStoreContainer
9a311a2b docs: fix invalid kernel dax doc url
e7c42fbc runtime: unify generated config
4f7cc186 runtime: refactor commandline code directory
9d3cd984 agent/mount: Remove unused ensure_destination_exists()
64aa5623 agent: Correct mount point creation
08d7aebc agent/mount: Split out regular file case from ensure_destination_exists()
9fa3beff agent: Remove unnecessary BareMount structure
49282854 agent: Simplify BareMount::mount by using nix::mount::mount
d00decc9 runtime: clh: Enable hugepages support
64bb803f runtime/qemu: Move from query-cpus to query-cpus-fast
25ac3524 versions: Allow newer Rust versions
851d5f86 tests: Correct heading in static checks test
4b7e4a4c runtime: Vendoring update
8d9d6e6a docs: Host cgroups documentation update
9bed2ade virtcontainers: Convert to the new cgroups package API
b42ed393 virtcontainers: cgroups: Add a containerd API based cgroups package
f17752b0 virtcontainers: container: Do not create and manage container host cgroups
dc7e9bce virtcontainers: sandbox: Host cgroups partitioning
f811026c virtcontainers: Unconditionally create the sandbox cgroup manager
a6066404 virtcontainers: update VC HypervisorConfig API add three lost fields
bb18cd47 virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
58e77a3c sandbox: Allow the device to be accessed,such as /dev/null and /dev/urandom
d67a414b src/runtime/README.md: Fix URL of Licence
13b8bb0c runtime: Fix README link
25670d30 packaging/qemu: Update qemu-exerimental version to v6.1.0
041a513f versions: Update qemu to v6.1.0
62baa48e virtcontainers: fc: parse vcpuID correctly
81de2d47 packaging: Correct error message in apply_patches.sh
f785ff0b virtcontainers: clh: Revert the workaround incorrect default values
0e0e59dc virtcontainers: clh: Re-generate the client code
f0b53314 versions: Upgrade to Cloud Hypervisor v18.0
11652136 actions: test make kata-tarball
626d659f actions: kata-deploy on PRs and use makefile
78d99f51 kata-deploy: Make verbose single builds
59486b85 kata-deploy: Add tarball suffix to makefile targets
96e1246b makefile: Include kata-deploy targets
74d645cd how-to: Add how-to-setup-swap-devices-in-guest-kernel.md
d865c809 virtcontainers: add unit tests for container.go
71f915c6 sandbox: Add device permissions such as /dev/null to cgroup
2174fee4 docs: Add swap annotations introduction
2abc450a test: enable running tests under root user
924a68d0 osbuilder: Change to "=" operator to make script more portable
1fff9be7 qemu: remove default config for arm64.
e2a9e78c virtcontainers: Remove NewStoreFeature
bfcee911 osbuilder: fix inconsistent calculation of fs size
4996f9b7 snap: Test variable instead of executing "branch"
256c3b27 license: drop redundent license files
bcc9fa3b hotplugAddBlockDevice: Use ExecuteBlockdevAddWithDriverCache with swap
bd85da04 vendor: Update vendor/github.com/kata-containers/govmm
d422789f makefile: Fix error exit status code

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-24 12:32:26 +02:00
zhanghj
57e3712dbd virtiofs: fix error report in TestVirtiofsdStart when go test running
Initialize ctx with context.Background() instead of nil value.

Fixes: #2718

Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
2021-09-24 16:06:06 +08:00
Fabiano Fidêncio
279f8e9d03 Merge pull request #2590 from c3d/issue/2589-virtiofsd-perms
virtiofs: Create shared directory with 0700 mode, not 0750
2021-09-24 09:16:40 +02:00
Eric Ernst
fa44e5c1e5 Merge pull request #2703 from egernst/watcher-fixup
watcher: ensure we create target mount point for storage
2021-09-23 21:59:08 -07:00
Chelsea Mafrica
e987632deb Merge pull request #2693 from Amulyam24/qemu-build
packaging: fix qemu build on ppc64le
2021-09-23 10:31:34 -07:00
Julio Montes
1766c93b08 Merge pull request #2662 from cmaf/tracing-stop-rootctx
runtime: tracing: Use root context to stop tracing
2021-09-23 11:50:35 -05:00
Eric Ernst
272771dcf9 watcher: ensure we create target mount point for storage
We would only create the target when updating files. We need to make
sure that we create the target if the source is a directory. Without
this, we'll fail to start a container that utilizes an empty configmap,
for example.

Add unit tests for this.

Fixes: #2638

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-09-23 08:29:28 -07:00
Julio Montes
5d2a82fbf9 Merge pull request #2323 from dgibson/acpi-pcihp
Replace SHPC with ACPI PCI hotplug for Kata guests
2021-09-23 09:55:31 -05:00
Francesco Giudici
8b0bc1f45e kata-monitor: bump version to 0.2.0
We now support any container engine CRI compliant. Let's bump the
kata-monitor version to 0.2.0.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-23 14:32:09 +02:00
Francesco Giudici
bfb556d56a kata-monitor: refresh kata sandbox list on fs events
This commit stops the container engine polling in favor of
the kata sandbox storage path monitoring.
The pod cache list is now refreshed based on fs events and synced with
the container engine only when needed.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-23 14:32:09 +02:00
Francesco Giudici
0e854f3b80 kata-monitor: improve detection of kata workloads
When the container engine is different than containerd or CRI-O we
lack proper detection of kata workloads and consider all the pods as
kata ones.
Instead of querying the container engine for the lower level runtime
used in each pod, check if a directory matching the pod exists in
the virtualcontainers sandboxes storage path.
This provides a container engine independent way to check for kata pods.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-23 14:32:09 +02:00
Yuanzhe Liu
80463b445a qemu: use GitLab repos instead of qemu.org
arm using qemu 5.1.0, thus is affected by the wired submodules
link.

Fixes: #2705
Signed-off-by: Yuanzhe Liu <yuanzheliu09@gmail.com>
2021-09-23 12:07:44 +00:00
Samuel Ortiz
3276f3b5b6 Merge pull request #2453 from fidencio/wip/kata-deploy-use-stable-and-latest-tags
kata-deploy: Also provide "stable" & "latest" tags
2021-09-23 13:54:01 +02:00
Fabiano Fidêncio
0ececc630f Merge pull request #2666 from cmaf/tracing-newContainer-logger
runtime: tracing: Fix logger passed in newContainer
2021-09-23 13:07:19 +02:00
Fabiano Fidêncio
e33c26ba18 Merge pull request #2622 from YchauWang/wyc-vc-api
virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
2021-09-23 13:05:33 +02:00
Fabiano Fidêncio
47170e302a Merge pull request #2616 from Bevisy/main-2615
sandbox: Allow the device to be accessed,such as /dev/null and /dev/u…
2021-09-23 13:04:18 +02:00
Amulya Meka
439e5ac3b0 packaging: fix qemu build on ppc64le
Since the qemu upgrade to v6.1.0, the build fails
with a linking issue. Adding --disable-tcg to fix
it.

Fixes: #2710

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-09-23 06:27:15 +00:00
David Gibson
8bbcb06af5 qemu: Disable SHPC hotplug
Under certain circumstances[0] Kata will attempt to use SHPC hotplug
for PCI devices on the guest.  In fact we explicitly enable SHPC on
our PCI to PCI bridges, regardless of the qemu default.

SHPC was designed a long, long time ago for physical hotplugging and
works very poorly for a virtual environment. In particular it has a
mandatory 5s delay to allow a (real, human) operator to back out the
operation if they press a button by mistake. This alone makes it
unusable for a fast start up application like Kata.

Worse, the agent forces a PCI rescan during startup.  That will race
with the SHPC hotplug operation causing the device to go into a bad
state where config space can't be accessed from the guest at all.

The only reason we've sort of gotten away with this is that our
default guest kernel configuration triggers what's arguably a kernel
bug effectively disabling SHPC.  That makes the agent rescan the only
reason we see the new device.

Now that we require a qemu >=6.1, which includes ACPI PCI hotplug on
the q35 machine, we can explicitly disable SHPC in all cases.  It's
nothing but trouble.

fixes #2174

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-23 10:27:26 +10:00
David Gibson
cc4983eeac runtime: Remove unused qemuArchBase.appendBridges definition
qemuArchBase.appendBridges is never actually used, because the bare
qemuArchBase type is itself never used (outside of unit tests).  Instead
*all* the subclasses of qemuArchBase override appendBridges() to call
the very similar, but not identical genericAppendBridges.  So, we can
remove the qemuArchBase.appendBridges implementation.

Furthermore, all those subclasses override appendBridges() in exactly
the same way, and so we can remove *those* definitions and replace the
base class qemuArchBase appendBridges() with that version, calling
genericAppendBridges().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-23 10:15:08 +10:00
David Gibson
e248de4616 vendor: Update govmm
Update to commit 1b60b536f3, in particular to get extensions to
allow IO and memory window reservations to be set on PCI bridges.

https://github.com/kata-containers/govmm/pull/201

Git log:

de039da govmm/qemu: Let IO/memory reservations be specified for bridge devices

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-23 10:14:29 +10:00
Chelsea Mafrica
b6ff23d21b Merge pull request #2697 from jongwu/patch_qemu
qemu: add v5.1.0 dir under tag_patches
2021-09-22 09:08:05 -07:00
Jianyong Wu
0ca8c27241 qemu: add v5.1.0 dir under tag_patches
A related dir is needed when apply qemu patch using script. As qemu 5.1
is used for arm, a dir of "v5.1.0" is needed under tag_patches.

Fixes: #2696
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-09-22 18:07:24 +08:00
Archana Shinde
771a934fc5 Merge pull request #2341 from amshinde/add-threat-model
threat-model: Add missing threat-model document
2021-09-22 01:17:05 -07:00
wangyongchao.bj
3b0c4bf9a0 runtime: clear virtcontainers cgroup duplicated function
There are `DeviceToDeviceCgroup` and `deviceToDeviceCgroup` two functions,
 creating a `specs.LinuxDeviceCgroup` object. We clear the new function `deviceToDeviceCgroup`.

Fixes: #2694

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-22 15:13:34 +08:00
Fabiano Fidêncio
3bdcfaa658 kata-deploy: Add more info about the stable tag
Let's make it as clear as possible for the user that if they go for a
tagged version of kata-deploy, eg, 2.2.1, they'll have the kata runtime
2.2.1 deployed on their cluster.

Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 23:13:45 +02:00
Fabiano Fidêncio
41c590fa0a kata-deploy: Improve README
Let's add more instructions in the README in order to make clear to the
reader what they can do to check whether kata-deploy is ready, or
whether they have to wait till proceeding with the next instruction.

Suggested-by: Eric Adams <eric.adams@intel.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 23:13:45 +02:00
Fabiano Fidêncio
debf3c9fe9 kata-deploy: Remove qemu-virtiofs runtime class
There's only one QEMU runtime class deployed as part of kata-deploy, and
that includes virtiofs support (which is the default for quite some time
already).  Knowing this, let's just remove the `qemu-virtiofs` runtime
class definition.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
43a72d76e2 release: update the kata-deploy yaml files accordingly
Let's teach our `update-repository-version.sh` script to properly update
the kata-deploy tags on both kata-deploy and kata-cleanup yaml files.

The 3 scenarios that we're dealing with, based on which branch we're
targetting, are:
```
 1) [main] ------> [main]        NO-OP
   "alpha0"       "alpha1"

                   +----------------+----------------+
                   |      from      |       to       |
  -----------------+----------------+----------------+
  kata-deploy      | "latest"       | "latest"       |
  -----------------+----------------+----------------+
  kata-deploy-base | "stable        | "stable"       |
  -----------------+----------------+----------------+

 2) [main] ------> [stable] Update kata-deploy and
   "alpha2"         "rc0"   get rid of kata-deploy-base

                   +----------------+----------------+
                   |      from      |       to       |
  -----------------+----------------+----------------+
  kata-deploy      | "latest"       | "rc0"          |
  -----------------+----------------+----------------+
  kata-deploy-base | "stable"       | REMOVED        |
  -----------------+----------------+----------------+

 3) [stable] ------> [stable]    Update kata-deploy
    "x.y.z"         "x.y.(z+1)"

                   +----------------+----------------+
                   |      from      |       to       |
  -----------------+----------------+----------------+
  kata-deploy      | "x.y.z"        | "x.y.(z+1)"    |
  -----------------+----------------+----------------+
  kata-deploy-base | NON-EXISTENT   | NON-EXISTENT   |
  -----------------+----------------+----------------+
```

And we can easily cover those 3 cases only with the information about
the "${target_branch}" and the "${new_version}", where:
* case 1) if "${target_branch}" is "main" *and* "${new_version}"
  contains "alpha", do nothing
* case 2) if "${target_branch}" is "main" *and* "${new_version}"
  contains "rc":
  * change the kata-deploy & kata-cleanup tags from "latest" to
    "${new_version}".
  * delete the kata-deploy-stable & kata-cleanup-stable files.
* case 3) if the "${target_branch}" contains "stable":
  * change the kata-deploy & kata-cleanup tags from "${current_version}"
    to "${new_version}".

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
ea9b2f9c92 kata-deploy: Add "stable" info to the README
Similar to the instructions we have for the "latest" images, let's also
add instructions about the "stable" images.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
e541105680 kata-deploy: Update the README
Let's just point to our repo URLs rather than assume users using
kata-deploy will have our repo cloned.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
9acf4e5d32 kata-deploy: Add stable yaml files
This is **not** the nicest patch of my career, and I know it adds code
duplication.  However, I've decided to take this approach in order to
have easier / better instructions for users who're consuming
kata-deploy.

Having both stable & latest yaml on `main` will let us point to just one
place, without having to update the instructions.

I know, would be better to have those generated from a .in file,
wouldn't it?  For sure, but then we'd lose the ability to just point to
those files from kata-deploy pages (either on dockerhub or quay.io).

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
a86babe0d0 kata-deploy: Point to the latest release
Instead of point to a specific release number, let's point to the
`latest` tag on the main branch.

There's still some work needed in order to point to the `stable` tag on
the stable-x.y branches, as this is something that should be done
automagically as part of the release process.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
a156288c1f workflows: Add "stable" & "latest" tags to kata-deploy
When releasing a tarball, let's *also* add the "stable" & "latest" tags
to the kata-deploy image.

The "stable" tag refers to any official release, while the "latest" tag
refers to any pre-release / release candidate.

Fixes: #2302

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 22:48:04 +02:00
Fabiano Fidêncio
32c3fb71f2 Merge pull request #2546 from fengwang666/rootless-qemu-doc
docs: documentation for running non-root VMM
2021-09-21 22:45:33 +02:00
Fabiano Fidêncio
08e55a279a Merge pull request #2573 from fidencio/wip/upload-cargo-vendored-tarball
workflows,release: Upload the vendored cargo code
2021-09-21 21:45:59 +02:00
Fabiano Fidêncio
2bee8bc6bd Merge pull request #2432 from fengwang666/qemu-rootless
runtime: run the QEMU VMM process with a non-root user
2021-09-21 21:37:02 +02:00
Feng Wang
305afc8b70 docs: documentation for running non-root VMM
Documentation for running non-root QEMU VMM in Kata runtime

Fixes: #2545

Signed-off-by: Feng Wang <feng.wang@databricks.com>
2021-09-21 11:20:37 -07:00
Archana Shinde
1fe080fd24 threat-model: Add missing threat-model document
This was added in the 1.x repo and is missing in the 2.x repo.
Copying over the document from 1.x.
This is a starting point and focuses on the devices / interfaces
with the virtual machine, and ultimately to the container itself.

We then discuss how these devices/interfaces vary by VMM/hypervisor.

The threat model drawing is created via gdocs, located here:
https://docs.google.com/drawings/d/1dPi9DG9bcCUXlayxrR2OUa1miEZXewtW7YCt4r_VDmA/edit?usp=sharing

For Kata 2.x, the block named as `kata-runtime` has been changed to
`kata-shim`.

Fixes: #2340

Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2021-09-21 20:20:39 +05:30
Samuel Ortiz
3a4aca4d67 Merge pull request #2671 from YchauWang/wyc-runtime-config
runtime: update .gitignore file cleare the vc shim config
2021-09-21 15:15:09 +02:00
Fabiano Fidêncio
21c8511630 workflows,release: Upload the vendored cargo code
As part of the release, let's also upload a tarball with the vendored
cargo code.  By doing this we allow distros, which usually don't have
access to the internet while performing the builds, to just add the
vendored code as a second source, making the life of the downstream
maintainers slightly easier*.

Fixes: #1203

*: The current workflow requires the downstream maintainer to download
the tarball, unpack it, run `cargo vendor`, create the tarball, etc.
Although this doesn't look like a ridiculous amount of work, it's better
if we can have it in an automated fashion.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-09-21 09:28:16 +02:00
Fabiano Fidêncio
9ea78ac386 Merge pull request #2675 from fengwang666/cgroup-bug-fix
runtime: fix empty cgroup path validation error
2021-09-21 08:48:22 +02:00
Feng Wang
9a6d56f1ab runtime: fix empty cgroup path validation error
An empty cgroup path shouldn't fail cgroup creation

Fixes #2674

Signed-off-by: Feng Wang <feng.wang@databricks.com>
2021-09-20 13:48:09 -07:00
GabyCT
c4bafc4e68 Merge pull request #2684 from GabyCT/topic/remoteagenttest
ci: Call agent shutdown test only in the correspondent CI_JOB
2021-09-20 14:13:36 -05:00
Gabriela Cervantes
90e6388726 ci: Call agent shutdown test only in the correspondent CI_JOB
The agent shutdown test should only run on the CI JOB of CRI_CONTAINERD_K8S_MINIMAL
which is the only one where testing tracing is being enabled, however, this
test is being triggered in multiple CI jobs where it should not run. This PR
fixes that issue.

Fixes #2683

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-09-20 17:04:48 +00:00
Julio Montes
45d40179c2 Merge pull request #2655 from Jakob-Naucke/no-store-container
runtime: Remove outdated TestStoreContainer
2021-09-20 11:22:50 -05:00
Christophe de Dinechin
48fb1d9203 virtiofs: Create shared directory with 0700 mode, not 0750
A discussion on the Linux kernel mailing list [1] exposed that virtiofsd makes a
core assumption that the file systems being shared are not accessible by any
non-privileged user. We currently create the `shared` directory in the sandbox
with the default `0750` permissions, which gives read and directory traversal
access to the group. There is no real good reason for a non-root user to access
the shared directory, and this is potentially dangerous.

Fixes: #2589

[1]: https://lore.kernel.org/linux-fsdevel/YTI+k29AoeGdX13Q@redhat.com/

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-09-20 10:47:18 +02:00
Francesco Giudici
afad910d0e kata-monitor: add getSandboxFS()
Retrieve the absolute sandbox storage path. We will soon need this to
monitor the creation/deletion of new kata sandboxes.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-20 10:37:55 +02:00
Francesco Giudici
e38686f74d runtime: add GetSandboxesStoragePath()
The storage path we use to collect the sandbox files is defined in the
virtcontainers/persist/fs package.
We create the runtime socket in that storage path, by hardcoding the
full path in the SocketAddress() function in the runtime package.
This commit splits the hardcoded path by the socket address path so that
the runtime package will be able to provide the storage path to all the
components that may need it.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-20 10:37:55 +02:00
Francesco Giudici
245a12bbb7 kata-monitor: improve sandbox caching
In order to retrieve the list of sandboxes, we poll the container engine
every 15 seconds via the CRI. Once we have the list we have to inspect
each pod to find out the kata ones.
This commit extend the sandbox cache to keep track of all the pods,
marking the kata ones, so that during the next polling only the new
sandboxes should be inspected to figure out which ones are using the
kata runtime.

Fixes: #2563
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-20 10:37:55 +02:00
Francesco Giudici
fc067d61d4 kata-monitor: warn when unable to retrive the lower level runtime
this is an unexpected event (likely a change in how containerd/cri-o
record the lower level runtime in the pod) and should be more visible:
raise the log level to "warning".

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-20 10:37:54 +02:00
Francesco Giudici
53ec4df953 kata-monitor: minor fixes
fix comment and use literals

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-09-20 10:37:54 +02:00
Chelsea Mafrica
077b77c178 runtime: tracing: Fix logger passed in newContainer
Change logger in Trace call in newContainer from sandbox.Logger() to
nil. Passing nil will cause an error to be logged by kataTraceLogger
instead of the sandbox logger, which will avoid having the log message
report it as part of the sandbox subsystem when it is part of the
container subsystem.

The kataTraceLogger will not log it as related to the container
subsystem, but since the container logger has not been created at this
point, and we already use the kataTraceLogger in other instances where a
subsystem's logger has not been created yet, this PR makes the call
consistent with other code.

Fixes #2665

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-09-17 11:41:04 -07:00
Chelsea Mafrica
39cd05e0bb runtime: tracing: Use root context to stop tracing
Call StopTracing with s.rootCtx, which is the root context for tracing,
instead of s.ctx, which is parent to a subset of trace spans.

Fixes #2661

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-09-17 11:39:13 -07:00
Feng Wang
1cfe59304d runtime: Run QEMU using a non-root user/group
A random generated user/group is used to start QEMU VMM process.
The /dev/kvm group owner is also added to the QEMU process to grant it access.

Fixes #2444

Signed-off-by: Feng Wang <feng.wang@databricks.com>
2021-09-17 11:28:44 -07:00
wangyongchao.bj
fd98373850 runtime: update .gitignore file cleare the vc shim config
update .gitignore file, remove the follow configurations:
/virtcontainers/shim/mock/cc-shim/cc-shim
/virtcontainers/shim/mock/kata-shim/kata-shim
/virtcontainers/shim/mock/shim

Fixes: #2670

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-17 15:25:28 +08:00
wangyongchao.bj
1b1790fdbc agent/src: improve unit test coverage for src/namespace.rs
Improve unit test coverage for src/namespace.rs for Kata 2.0 agent

Fixes: #289

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-17 14:15:14 +08:00
Hui Zhu
fff82b4ef5 Merge pull request #2628 from bergwolf/runtime-reorg
runtime: refactor commandline code directory
2021-09-17 10:37:22 +08:00
Chelsea Mafrica
6159ef3499 Merge pull request #2626 from YchauWang/wyc-vc-api02
virtcontainers: update VC HypervisorConfig API add three lost fields
2021-09-16 16:46:27 -07:00
Peng Tao
067c44d0b6 runtime: fix UT build failure
storeContainer has been removed.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-09-16 19:42:02 +08:00
Jakob Naucke
9353cd77fd runtime: Remove outdated TestStoreContainer
Due to #2332 being merged after running tests for #2604, and the latter
being merged now, a test for the now removed `storeContainer` was added.
Remove it.

Fixes: #2652
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-09-16 12:26:37 +02:00
Peng Tao
9a311a2b58 docs: fix invalid kernel dax doc url
And use a released version instead of the master branch so that it no
longer gets invalidated.

Depends-on: github.com/kata-containers/kata-containers#2645
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-09-16 17:19:18 +08:00
Peng Tao
e7c42fbc76 runtime: unify generated config
We don't need to maintain two generated config.go and even have
duplicates between them.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-09-16 17:19:18 +08:00
Peng Tao
4f7cc18622 runtime: refactor commandline code directory
Move all command line code to `cmd` and move containerd-shim-v2 to pkg.

Fixes: #2627
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-09-16 17:19:18 +08:00
Samuel Ortiz
7bf96d2457 Merge pull request #2604 from Amulyam24/container_tests
virtcontainers: add unit tests for container.go
2021-09-16 11:02:16 +02:00
Samuel Ortiz
9ed024e0bf Merge pull request #2649 from likebreath/0916/clh_hugepages
runtime: clh: Enable hugepages support
2021-09-16 10:57:34 +02:00
David Gibson
b46adbc527 Merge pull request #2428 from dgibson/simplify-mount-storage
agent: Simplify mount point creation
2021-09-16 14:43:29 +10:00
David Gibson
9d3cd9841f agent/mount: Remove unused ensure_destination_exists()
The only remaining callers of ensure_destination_exists() are in its own
unit tests.  So, just remove it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-16 12:24:47 +10:00
David Gibson
64aa562355 agent: Correct mount point creation
mount_storage() first makes sure the mount point for the storage volume
exists.  It uses fs::create_dir_all() in the case of 9p or virtiofs volumes
otherwise ensure_destination_exists().  But.. ensure_destination_exists()
boils down to an fs::create_dir_all() in most cases anyway.  The only case
it doesn't is for a bind fstype, where it creates a file instead of a
directory.  But, that's not correct anyway because we need to create either
a file or a directory depending on the source of the bind mount, which
ensure_destination_exists() doesn't know.

The 9p/virtiofs paths also check if the mountpoint exists before calling
fs::create_dir_all(), which is unnecessary (fs::create_dir_all already
handles that case).

mount_storage() does have the information to know what we need to create,
so have it explicitly call ensure_destination_file_exists() for the bind
mount to a non-directory case, and fs::create_dir_all() in all other cases.

fixes #2390

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-16 12:24:47 +10:00
David Gibson
08d7aebc28 agent/mount: Split out regular file case from ensure_destination_exists()
ensure_destination_exists() can create either a directory or a regular file
depending on the arguments.  This patch extracts the regular file specific
option into its own helper: ensure_destination_file_exists().  This:
 - Avoids doing some steps in the directory case (they're already handled
   by create_dir_all())
 - Enables some further future cleanups

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-16 12:24:47 +10:00
David Gibson
9fa3beff4f agent: Remove unnecessary BareMount structure
struct Baremount contains the information necessary to make a new mount.
As a datastructure, however, it's pointless, since every user just
constructs it, immediately calls the BareMount::mount() method then
discards the structure.

Simplify the code by making this a direct function call baremount().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-16 12:24:47 +10:00
David Gibson
49282854f1 agent: Simplify BareMount::mount by using nix::mount::mount
BareMount::mount does some complicated marshalling and uses unsafe code to
call into the mount(2) system call.  However, we're already using the nix
crate which provides a more Rust-like wrapper for mount(2).  We're even
already using nix::mount::umount and nix::mount::MsFlags from the same
module.

In the same way, we can replace the direct usage of libc::umount() with
nix::mount::umount() in one of the tests.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-16 12:24:47 +10:00
David Gibson
bac849ecba Merge pull request #2634 from dgibson/newer-rust
versions: Allow newer Rust versions
2021-09-16 12:23:37 +10:00
Bo Chen
d00decc97d runtime: clh: Enable hugepages support
This patch adds the configuration option that allows to use hugepages
with Cloud Hypervisor guests.

Fixes: #2648

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-09-15 10:43:57 -07:00
GabyCT
2a26c2397d Merge pull request #2645 from dgibson/query-cpus
runtime/qemu: Move from query-cpus to query-cpus-fast
2021-09-15 10:35:03 -05:00
David Gibson
64bb803fcf runtime/qemu: Move from query-cpus to query-cpus-fast
We recently updated to using qemu-6.1 (from qemu 5.2).  Unfortunately one
breaking change in qemu 6.0 wasn't caught by the CI.

The query-cpus QMP command has been removed, replaced by query-cpus-fast
(which has been available since qemu 2.12).  govmm already had support for
query-cpus-fast, we just weren't using it, so the change is quite easy.

fixes #2643

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-15 16:41:26 +10:00
David Gibson
e7deee948a Merge pull request #2502 from dgibson/qemu-6.1
Update Kata to use qemu-6.1
2021-09-15 11:06:14 +10:00
David Gibson
25ac3524c9 versions: Allow newer Rust versions
Rust 1.47.0 which is the latest we note as tested in versions.yaml is now
getting fairly old - many current distros have newer versions (e.g.
Rust 1.54.0 in Fedora 34).  Bring this more up to date.

Note that this is only updating the 'newest-version', not the minimum
required version.

The new version changes the name of the 'clippy::unknown_clipp_lints'
option to simply 'unknown_lints' so we need to change that as well to avoid
warnings.

fixes #2633

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-15 08:58:28 +10:00
Eric Ernst
e4cb6cbfbb Merge pull request #2332 from sameo/topic/host-cgroups
Host cgroups improvements and simplifications
2021-09-14 09:09:10 -07:00
David Gibson
851d5f8613 tests: Correct heading in static checks test
The github static checks action has a section heading called "Building
rust".  It doesn't actually build rust, though, just installs it with
rustup.  Correct the misleading message.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-14 20:17:27 +10:00
Tim Zhang
842c76cb40 Merge pull request #2359 from teawater/swap_doc
Add doc for guest swap
2021-09-14 15:54:10 +08:00
zhanghj
d789b42937 package: assign proper value to redefined_string
Fixes: #2624

Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
2021-09-14 14:38:36 +08:00
Samuel Ortiz
4b7e4a4c70 runtime: Vendoring update
Due to the libcontainer dependencies removal.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:09:34 +02:00
Samuel Ortiz
8d9d6e6af0 docs: Host cgroups documentation update
Update according to the new sandbox/overhead cgroup split.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:09:34 +02:00
Samuel Ortiz
9bed2ade0f virtcontainers: Convert to the new cgroups package API
The new API is based on containerd's cgroups package.
With that conversion we can simpligy the virtcontainers sandbox code and
also uniformize our cgroups external API dependency. We now only depend
on containerd/cgroups for everything cgroups related.

Depends-on: github.com/kata-containers/tests#3805
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-09-14 07:09:34 +02:00
Samuel Ortiz
b42ed39349 virtcontainers: cgroups: Add a containerd API based cgroups package
Eventually, we will convert the virtcontainers and the whole Kata
runtime code base to only rely on that package.

This will make Kata only depends on the simpler containerd cgroups API.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:09:34 +02:00
Samuel Ortiz
f17752b0dc virtcontainers: container: Do not create and manage container host cgroups
The only process we are adding there is the container host one, and
there is no such thing anymore.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:09:33 +02:00
Samuel Ortiz
dc7e9bce73 virtcontainers: sandbox: Host cgroups partitioning
This is a simplification of the host cgroup handling by partitioning the
host cgroups into 2: A sandbox cgroup and an overhead cgroup.

The sandbox cgroup is always created and initialized. The overhead
cgroup is only available when sandbox_cgroup_only is unset, and is
unconstrained on all controllers. The goal of having an overhead cgroup
is to be more flexible on how we manage a pod overhead. Having such
cgroup will allow for setting a fixed overhead per pod, for a subset of
controllers, while at the same time not having the pod being accounted
for those resources.

When sandbox_cgroup_only is not set, we move all non vCPU threads
to the overhead cgroup and let them run unconstrained. When it is set,
all pod related processes and threads will run in the sandbox cgroup.

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:09:29 +02:00
Samuel Ortiz
f811026c77 virtcontainers: Unconditionally create the sandbox cgroup manager
Regardless of the sandbox_cgroup_only setting, we create the sandbox
cgroup manager and set the sandbox cgroup path at the same time.

Without doing this, the hypervisor constraint routine is mostly a NOP as
the sandbox state cgroup path is not initialized.

Fixes #2184

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-09-14 07:05:57 +02:00
wangyongchao.bj
a6066404f7 virtcontainers: update VC HypervisorConfig API add three lost fields
Sync the virtcontainers api.md document, add `ConfidentialGuest` `EntropySourceList` `GuestSwap` three
 fields to the HypervisorConfig API.

Fixes #2625

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-14 10:42:54 +08:00
wangyongchao.bj
bb18cd475c virtcontainers: update VC SandboxConfig API add SandboxBindMounts field
sync the virtcontainers api.md document, add SandboxBindMounts field to the SandboxConfig API.
And update the order of the SandboxConfig API fields.

Fixes #2621

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-09-14 09:56:47 +08:00
Eric Ernst
967db0cbcc Merge pull request #2544 from likebreath/0831/upgrade_clh_v18.0
versions: Upgrade to Cloud Hypervisor v18.0
2021-09-13 11:27:45 -07:00
Fabiano Fidêncio
9381f23ccf Merge pull request #2613 from sameo/topic/runtime-readme
runtime: Fix README link
2021-09-13 17:44:56 +02:00
Binbin Zhang
58e77a3c13 sandbox: Allow the device to be accessed,such as /dev/null and /dev/urandom
If the device has no permission, such as /dev/null, /dev/urandom,
it needs to be added into cgroup.

Fixes: #2615

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-13 20:47:16 +08:00
Samuel Ortiz
057eb80ac9 Merge pull request #2596 from jongwu/qemu_mak
qemu: remove default config for arm64.
2021-09-13 11:23:35 +02:00
Samuel Ortiz
75ef8c243a Merge pull request #2603 from Bevisy/main-2539
sandbox: Add device permissions such as /dev/null to cgroup
2021-09-13 11:04:51 +02:00
Samuel Ortiz
62a1a6f827 Merge pull request #2593 from nubificus/fix_fc_vcpu_thread
virtcontainers: fc: parse vcpuID correctly
2021-09-13 09:23:53 +02:00
Hui Zhu
d67a414b2b src/runtime/README.md: Fix URL of Licence
Fix URL of Licence of src/runtime/README.md.

Fixes: #2326

Signed-off-by: Hui Zhu <teawater@gmail.com>
2021-09-13 09:11:42 +08:00
Samuel Ortiz
13b8bb0c74 runtime: Fix README link
The LICENSE file lives in the project's root.

Fixes #2612

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>
2021-09-11 09:44:40 +02:00
David Gibson
25670d3058 packaging/qemu: Update qemu-exerimental version to v6.1.0
This brings it back into line with the normal qemu version.  We refer to
v6.1.0 by full SHA in versions.yaml, rather than the tag, so that
apply_patches.sh sees it as different and applies the virtiofs DAX patches
which is what the experimental version is actually about having.

The virtiofs DAX patches themselves are updated to the version from
https://gitlab.com/virtio-fs/qemu, virtio-fs-dev branch as of commit
3620cb0a.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-11 16:43:26 +10:00
David Gibson
041a513f80 versions: Update qemu to v6.1.0
We need qemu-6.1 for ACPI PCI hotplug support for the q35 machine.  At the
moment qemu will use SHPC hotplug under the PCIe to PCI bridge on q35.
SHPC is too slow to use for our purposes (it requires a 5s delay).

Update the qemu version to v6.1.0.  This leaves the experimental version
*older* than the normal version, but we'll fix that up later.

We also need to tweak the snapcraft.yaml, since the location for configs
has changed in the new qemu version.

fixes #1691

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-11 16:43:22 +10:00
Anastassios Nanos
62baa48ef5 virtcontainers: fc: parse vcpuID correctly
In getThreadIDs(), the cpuID variable is derived from a string that
already contains a whitespace. As a result, strings.SplitAfter returns
the cpuID with a leading space. This makes any go variant of string to int
fail (strconv.ParseInt() in our case). This patch makes sure that the
leading space character is removed so the string passed to
strconv.ParseInt() is "CPUID" and not " CPUID".

This has been caused by a change in the naming scheme of vcpu threads
for Firecracker after v0.19.1.

Fixes: #2592

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
2021-09-10 09:39:56 +00:00
David Gibson
81de2d476b packaging: Correct error message in apply_patches.sh
If the script doesn't find a patches directory it expects, it gives an
error saying to create a dummy 'no_patches' file if you really don't want
any patches applied for that version.

But actual practice in the tree is to call the dummy file 'no_patches.txt'
rather than simply 'no_patches'.  Correct the message to match existing
practice.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-10 11:19:10 +10:00
Bo Chen
f785ff0bf2 virtcontainers: clh: Revert the workaround incorrect default values
Given the fix to the bugs of the openapi spec file is included in the
Cloud Hypervisor v18.0 [1], this patch reverts the workaround we carried
in the CLH driver.

This reverts commit 932ee41b3f.

[1] https://github.com/cloud-hypervisor/cloud-hypervisor/pull/3029

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-09-09 14:52:53 -07:00
Bo Chen
0e0e59dc5f virtcontainers: clh: Re-generate the client code
This patch re-generates the client code for Cloud Hypervisor v18.0.
Note: The client code of cloud-hypervisor's (CLH) OpenAPI is
automatically generated by openapi-generator [1-2].

[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-09-09 14:51:55 -07:00
Bo Chen
f0b5331430 versions: Upgrade to Cloud Hypervisor v18.0
Highlights from the Cloud Hypervisor release v18.0: 1) Experimental User
Device (vfio-user) support; 2) Migration support for vhost-user devices;
3) VHDX disk image support; 4) Device pass through on MSHV hypervisor;
5) AArch64 for support virtio-mem; 6) Live migration on MSHV hypervisor;
7) AArch64 CPU topology support; 8) Power button support on AArch64; 9)
Various bug fixes on PTY, TTY, signal handling, and live-migration on
AArch64.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v18.0

Fixes: #2543

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-09-09 14:44:04 -07:00
Carlos Venegas
230eae3ff3 Merge pull request #2417 from jcvenegas/docker-build-fixes
kata-tarball: Build and test fixes
2021-09-09 14:14:26 -05:00
Carlos Venegas
116521367e actions: test make kata-tarball
make kata-tarball is the main way to
build a kata in a single host. Lets
test it to make sure it works on every PR.

Fixes: #2416

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-09 14:32:08 +00:00
Carlos Venegas
626d659fd9 actions: kata-deploy on PRs and use makefile
- Run kata-deploy tarball generation action on every PR.

- Use kata-deploy makefile targets.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-09 14:32:08 +00:00
Carlos Venegas
78d99f5129 kata-deploy: Make verbose single builds
If a binary tarball for a single component is done,
the logs will be shown in stdout.

e.g.

make kernel-tarball

To build all a the same time still store logs in files.

make kata-tarball

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-09 14:32:08 +00:00
Carlos Venegas
59486b855a kata-deploy: Add tarball suffix to makefile targets
Now that local-build kata-deploy makefile is inlucded in toplevel
makefile, lets use the suffix `-tarball` to avoid name collitions
and identify the tarball releted targets.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-09 14:32:08 +00:00
Carlos Venegas
96e1246bce makefile: Include kata-deploy targets
Use kata-deploy targets from toplevel.
This will help if want to build and
reinstall just one single kata component.

Signed-off-by: Carlos Venegas <jose.carlos.venegas.munoz@intel.com>
2021-09-09 14:32:08 +00:00
Fupan Li
a2db68e347 Merge pull request #2565 from liubin/fix/2446-run-tests-by-root
test: enable running tests under root user
2021-09-09 17:45:35 +08:00
Hui Zhu
74d645cd21 how-to: Add how-to-setup-swap-devices-in-guest-kernel.md
Add how-to-setup-swap-devices-in-guest-kernel.md to how-to to introduce
how to setup swap device in guest kernel.

Fixes: #2326

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-09-09 17:24:24 +08:00
Fabiano Fidêncio
f28e6e506f Merge pull request #2585 from Bevisy/main-2584
osbuilder: Change to "=" operator to make script more portable
2021-09-09 10:53:47 +02:00
Amulyam24
d865c80986 virtcontainers: add unit tests for container.go
Fixes: #268

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-09-09 13:09:38 +05:30
Binbin Zhang
71f915c63f sandbox: Add device permissions such as /dev/null to cgroup
adds the default devices for unix such as /dev/null, /dev/urandom to
the container's resource cgroup spec

Fixes: #2539

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-09 15:33:24 +08:00
Hui Zhu
2174fee48d docs: Add swap annotations introduction
Add swap annotations introduction of
`io.katacontainers.config.hypervisor.enable_guest_swap`,
`io.katacontainers.container.resource.swappiness"` and
`io.katacontainers.container.resource.swap_in_bytes"` to
how-to-set-sandbox-config-kata.md.

Fixes: #2326

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-09-09 15:28:51 +08:00
bin
2abc450a4d test: enable running tests under root user
Add tests that run under root user to test special cases.

Fixes: #2446

Signed-off-by: bin <bin@hyper.sh>
2021-09-09 14:21:34 +08:00
Binbin Zhang
924a68d08d osbuilder: Change to "=" operator to make script more portable
zsh doesn't support "==" as equal comparison operator, so
replace "==" with "=" to make the script more portable

Fixes: #2584

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-08 16:57:34 +08:00
Jianyong Wu
1fff9be707 qemu: remove default config for arm64.
The current default config in qemu for arm64 doesn't suit for qemu
version 5.1+, so remove them here.

Fixes: #2595
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-09-08 16:25:22 +08:00
Julio Montes
9bbaa66f39 Merge pull request #2480 from Bevisy/main
makefile: Fix error exit status code
2021-09-06 07:28:15 -05:00
Binbin Zhang
4d7ddffe6f utils: kata-manager: Update kata-manager.sh for new containerd config
update script for new containerd config

Fixes: #2188

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-05 17:15:15 +08:00
Binbin Zhang
f5172d1c36 cli: Fix outdated kata-runtime bash completion
adapt to the latest kata-runtime version

Fixes: #2254

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-04 22:26:44 +08:00
Bin Liu
3c9170ea0d Merge pull request #2561 from rapiz1/patch-4
osbuilder: fix inconsistent calculation of fs size
2021-09-04 15:14:07 +08:00
Bin Liu
103fdd3f6c Merge pull request #2564 from Bevisy/main-2296
virtcontainers: Remove NewStoreFeature
2021-09-03 10:41:21 +08:00
James O. D. Hunt
c64867ad34 Merge pull request #2559 from dgibson/snapbranch
snap: Test variable instead of executing "branch"
2021-09-02 15:42:28 +01:00
James O. D. Hunt
f3a1bf3b45 Merge pull request #2552 from bergwolf/license
license: drop redundent license files
2021-09-02 14:31:18 +01:00
Binbin Zhang
e2a9e78c9e virtcontainers: Remove NewStoreFeature
remove NewStoreFeature

Fixes: #2296

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-09-02 21:28:36 +08:00
Yujia Qiao
bfcee91164 osbuilder: fix inconsistent calculation of fs size
This patch fixes inconsistent calculations of the rootfs size.
For `du` and `df`, `-B 1MB` is different from `-BM`. The
former is the power of 1000, and the latter is the power of
1024. So comparing them doesn't make sense. The bug may result
in a larger image than needed.

Fixes: #2560

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-09-02 16:00:29 +08:00
David Gibson
4996f9b7da snap: Test variable instead of executing "branch"
In snapcraft.yaml we have a case statement on $(branch) - that is on the
output of executing a command "branch".  From the selections it appears
that what it actually wants is to simply select on the contents of the
$branch variable, which should be ${branch} instead.

fixes #2558

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-09-02 14:38:15 +10:00
Julio Montes
716ab32acf Merge pull request #2551 from teawater/fix_swap
Fix swap fail insert fail issue
2021-09-01 08:25:27 -05:00
Fabiano Fidêncio
fee6f49d38 Merge pull request #2540 from fidencio/2.3.0-alpha0-branch-bump
# Kata Containers 2.3.0-alpha0
2021-09-01 09:13:52 +02:00
Peng Tao
256c3b2747 license: drop redundent license files
There is no need to keep multiple copies of the license file in
different directory. We can just use the top level one for the project.

Fixes: #2553
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-09-01 15:10:04 +08:00
Hui Zhu
bcc9fa3b35 hotplugAddBlockDevice: Use ExecuteBlockdevAddWithDriverCache with swap
Use ExecuteBlockdevAddWithDriverCache with swap in
hotplugAddBlockDevice to handle swap file cannot work OK with
ExecuteBlockdevAddWithCache issue.

Fixes: #2548

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-09-01 14:13:11 +08:00
Hui Zhu
bd85da0461 vendor: Update vendor/github.com/kata-containers/govmm
Update vendor/github.com/kata-containers/govmm for
ExecuteBlockdevAddWithDriverCache.

Fixes: #2548

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-09-01 13:59:19 +08:00
Fabiano Fidêncio
18c95b9ab1 release: Kata Containers 2.3.0-alpha0
- tracing: Change runtime tracing tags to vars
- shimv2: add logging to shimv2 api calls
- drop qemu-lite support
- runtime: delete types or const that no longer needed
- runtime: Optimize the way slice created
- virtcontainers: simplify tests
- virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
- build_image: Fix error soft link about initrd.img
- ci: Temporarily skip agent shutdown test on s390x
- Fix version parsing for firecracker version 0.25 and over
- Osbuilder fixes
- docs: update the GoDoc url from runtime project to kata-containers/sr…
- docs: update `how-to` README file for Firecracker config
- ci/openshift-ci: Pull centos from registry.centos.org
- docs: update containerd CRI plugin url

2250360b docs: remove mentioning of qemu-lite
a9de761d runtime: drop qemu-lite support
8ae3edbc runtime: fix default hypervisor path
0c7789fa runtime: Add container field to logs
72e3538e shimv2: add information to method comment
8dadca9c shimv2: add logging to shimv2 api calls
a99fcc3a virtcontainers: simplify tests
39ffd8ee runtime: delete types or const that no longer needed
ff37f5c7 runtime: Optimize the way slice created
8f0f949a tracing: Move dynamically added attributes to Trace()
932ee41b virtcontainers: clh: Workaround incorrect default values
bff38e4f virtcontainers: clh: Fix the unit test
d967d3cb virtcontainers: clh: Use constructors to ensure proper default value
87de26bd tracing: Modify Trace() to accept multiple tag maps
8058e972 tracing: Change runtime tracing tags to vars
a6a2e525 virtcontainers: clh: Migrate to use the updated client APIs
9de1129b osbuilder: Fix rootfs-builder when running in VMs
65a1e131 osbuilder: Allow running the tool several times
a4214738 osbuilder: Fix Makefile
b8717f35 ci: Temporarily skip agent shutdown test on s390x
938981be build_image: Fix error soft link about initrd.img
2304f935 docs: update the GoDoc url from kata 1.x to 2.x
2a614577 docs: update `how-to` README file for Firecracker config
486baba7 docs: update containerd CRI plugin url
46eb07e1 virtcontainers: clh: Re-generate the client code
80fba4d6 virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
8594f80c ci/openshift-ci: Pull centos from registry.centos.org
87bbae1b fc: fix version parsing for fc >= 0.25

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-31 18:43:09 +02:00
Peng Tao
c0daa4ebff Merge pull request #2513 from cmaf/tracing-tracingtags-consistency
tracing: Change runtime tracing tags to vars
2021-08-31 10:25:10 +08:00
Fabiano Fidêncio
67d1f4fd14 Merge pull request #2528 from snir911/main_debuggabillity_sq
shimv2: add logging to shimv2 api calls
2021-08-30 15:50:55 +02:00
Samuel Ortiz
87152fffcb Merge pull request #2530 from bergwolf/qemu-lite
drop qemu-lite support
2021-08-30 14:12:08 +02:00
Peng Tao
2250360b56 docs: remove mentioning of qemu-lite
vm-templating should just work with upstream qemu v4.1.0 or above.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-08-30 16:58:12 +08:00
Peng Tao
a9de761d71 runtime: drop qemu-lite support
As the project is not maintained and we have not been testing against it
for a long time.

Fixes: #2529
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-08-30 16:58:12 +08:00
Peng Tao
8ae3edbc18 runtime: fix default hypervisor path
Should not be qemu-lite.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-08-30 16:09:02 +08:00
Snir Sheriber
0c7789fad6 runtime: Add container field to logs
and unified field naming

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-08-30 10:09:05 +03:00
Snir Sheriber
72e3538e36 shimv2: add information to method comment
add a comment to explicitly mentioned method is a binary call

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-08-30 10:09:05 +03:00
Snir Sheriber
8dadca9cd1 shimv2: add logging to shimv2 api calls
and also fetch and log container id from the request

Fixes: #2527
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-08-30 10:09:05 +03:00
Bo Chen
b564dd47b6 Merge pull request #2526 from Bevisy/main-2285
runtime: delete types or const that no longer needed
2021-08-29 15:35:03 -07:00
Bin Liu
a89cc0bb5c Merge pull request #2524 from Bevisy/main-2264
runtime: Optimize the way slice created
2021-08-29 16:00:08 +08:00
Eric Ernst
8771d8c375 Merge pull request #2514 from rapiz1/improve-util-test
virtcontainers: simplify tests
2021-08-28 06:41:15 -07:00
Yujia Qiao
a99fcc3af1 virtcontainers: simplify tests
Simplify tests in utils_test.go by table-driven tests.

Fixes: #2281

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-08-28 12:35:25 +08:00
Binbin Zhang
39ffd8ee84 runtime: delete types or const that no longer needed
type: ProcessListOptions; ProcessList
const: SocketTypeVSOCK

Fixes: #2285

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-08-28 04:09:25 +00:00
Binbin Zhang
ff37f5c798 runtime: Optimize the way slice created
Initialize and assign a value, reducing one append operation

Fixes: #2264

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-08-28 04:15:59 +08:00
Carlos Venegas
fb583780f6 Merge pull request #2488 from likebreath/0823/clh_openapi_generator
virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
2021-08-27 14:28:09 -05:00
Binbin Zhang
4751698829 virtcontainers: Fix incorrect scripts path
modify to the correct relative path

Fixes: #2515

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-08-27 19:16:53 +00:00
Chelsea Mafrica
8f0f949abf tracing: Move dynamically added attributes to Trace()
Where possible, move attributes added with AddTag() to Trace() call to
reduce the amount of code used for tracing.

Fixes #2512

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-08-27 08:26:40 -07:00
Bo Chen
932ee41b3f virtcontainers: clh: Workaround incorrect default values
Two default values defined in the 'cloud-hypervisor.yaml' have typo, and this
patch manually overwrites them with the correct value as a workaround
before the corresponding fix is landed to Cloud Hypervisor upstream.

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-26 22:53:31 -07:00
Bo Chen
bff38e4f4d virtcontainers: clh: Fix the unit test
This patch fixes the unit tests over clh.go with the updated client code.

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-26 22:53:17 -07:00
Bo Chen
d967d3cb37 virtcontainers: clh: Use constructors to ensure proper default value
With the updated openapi-generator, the client code now handles optional
attributes correctly, and ensures to assign the right default
values. This patch enables to use those constructors to make sure the
proper default values being used.

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-26 22:53:13 -07:00
Chelsea Mafrica
87de26bda3 tracing: Modify Trace() to accept multiple tag maps
The general Trace() function accepts one map as a set of tags. Modify it
to accept multiple sets of tags so that additional ones can be added at
Trace() and not as a subsequent call.

Additionally, we should not iterate over the maps unless tracing tracing
is enabled.

Fixes #2512

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-08-26 15:55:32 -07:00
Chelsea Mafrica
8058e97212 tracing: Change runtime tracing tags to vars
Tracing tags are stored inconsistently throughout the runtime. Change
all instances of tracing tags to variables.

Fixes #2512

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-08-26 15:55:32 -07:00
Bo Chen
a6a2e525de virtcontainers: clh: Migrate to use the updated client APIs
The client code (and APIs) for Cloud Hypervisor has been changed
dramatically due to the upgrade to `openapi-generator` v5.2.1. This
patch migrate the Cloud Hypervisor driver in the kata-runtime to use
those updated APIs.

The main change from the client code is that it now uses "pointer" type
to represent "optional" attributes from the input openapi specification
file.

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-26 14:04:18 -07:00
GabyCT
d490704133 Merge pull request #2504 from Bevisy/main-2503
build_image: Fix error soft link about initrd.img
2021-08-26 13:26:52 -05:00
GabyCT
a0dd840ef6 Merge pull request #2508 from Jakob-Naucke/s390x-skip-agent-shutdown-test
ci: Temporarily skip agent shutdown test on s390x
2021-08-26 13:25:48 -05:00
Chelsea Mafrica
0be91280f2 Merge pull request #2466 from Bl1tz23/main
Fix version parsing for firecracker version 0.25 and over
2021-08-26 08:51:18 -07:00
Marcel Apfelbaum
f62ea5dade Merge pull request #2511 from marcel-apf/osbuilder-fixes
Osbuilder fixes
2021-08-26 11:32:48 +03:00
Marcel Apfelbaum
9de1129bf7 osbuilder: Fix rootfs-builder when running in VMs
The script runs apt sync at some point which scans all possible fds
in order to close them. The operation is incredibly slow on VMs
and may lead to build timeouts.

Fix it by limiting the container runtime fds to a sane limit.

Fixes: #2510

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2021-08-25 19:58:21 +00:00
Marcel Apfelbaum
65a1e13195 osbuilder: Allow running the tool several times
Once the ${ROOTFS_DIR} is created, the tool can't run the second
time since the directory is populated and the debootstrap tool
will fail.

Fix by deleting the contents of ${ROOTFS_DIR} if the directory exists.
Note that running make clean will also allow the re-run, it
is only an optimization for some cases the build fails in the middle.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2021-08-25 19:49:14 +00:00
Marcel Apfelbaum
a4214738b9 osbuilder: Fix Makefile
Let the DISTRO variable to be set from outside,
allowing "sudo -E DISTRO=<ANY> make clean" to delete the correct files.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2021-08-25 19:45:53 +00:00
GabyCT
a989238348 Merge pull request #2501 from YchauWang/wyc-godoc
docs: update the GoDoc url from runtime project to kata-containers/sr…
2021-08-25 10:49:26 -05:00
Jakob Naucke
b8717f35d7 ci: Temporarily skip agent shutdown test on s390x
see https://github.com/kata-containers/tests/issues/3878 for tracking

Fixes: #2507
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-08-25 16:34:38 +02:00
Binbin Zhang
938981be1d build_image: Fix error soft link about initrd.img
fix error soft link about initrd.img

Fixes #2503

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-08-25 16:00:55 +08:00
wangyongchao.bj
2304f935b4 docs: update the GoDoc url from kata 1.x to 2.x
the katatestutils GoDoc url stilled using the kata 1.x branch url. This PR fixed the
url from kata-containers/runtime/pkg/katatestutils to
kata-containers/kata-containers/src/runtime/pkg/katatestutils

Fixes: #2500

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-08-25 11:21:36 +08:00
Chelsea Mafrica
c5fea9ff70 Merge pull request #2493 from YchauWang/wyc-how-to-02
docs: update `how-to` README file for Firecracker config
2021-08-24 10:12:19 -07:00
Wainer Moschetta
f3539d2fb7 Merge pull request #2486 from wainersm/registry_centos
ci/openshift-ci: Pull centos from registry.centos.org
2021-08-24 11:41:57 -03:00
Samuel Ortiz
e26a140448 Merge pull request #2491 from YchauWang/wyc-how-to
docs: update containerd CRI plugin url
2021-08-24 11:37:18 +02:00
Yujia Qiao
814cea9601 virtcontainers: clean up useless code
Fixes: #2275

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
2021-08-24 16:04:34 +08:00
wangyongchao.bj
2a614577fb docs: update how-to README file for Firecracker config
Remove the `Kata Containers with Firecracker` additional configuration steps.
From kata 2.x,  the config of `firecracker` is same to `qemu` and `cloud-hypervisor`.

Fixes: #2492

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-08-24 15:16:46 +08:00
wangyongchao.bj
486baba7fd docs: update containerd CRI plugin url
update cri plugin source path to containerd pkg in the
 how-to-use-k8s-with-cri-containerd-and-kata.md file. The cri project was moved to containerd project pkg directory.

Fixes: #2490

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-08-24 11:11:06 +08:00
Bo Chen
46eb07e14f virtcontainers: clh: Re-generate the client code
This patch re-generates the client code for Cloud Hypervisor with the
updated `openapi-generator` v5.2.1.

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-23 16:00:32 -07:00
Bo Chen
80fba4d637 virtcontainers: clh: Upgrade to the openapi-generator v5.2.1
To improve the quality and correctness of the auto-generated code, this
patch upgrade the `openapi-generator` to its latest stable release
v5.2.1.

Fixes: #2487

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-08-23 15:59:41 -07:00
Wainer dos Santos Moschetta
8594f80c0a ci/openshift-ci: Pull centos from registry.centos.org
In order to avoid hit the pull requests limit of docker.io, this changed the
openshift-ci/images/Dockerfile.buildroot dockerfile to pull the centos image
from registry.centos.org.

Fixes #1636

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-08-23 15:21:10 -03:00
Bl1tz23
87bbae1bd7 fc: fix version parsing for fc >= 0.25
Allows to use firecracker version >=0.25.

Fixes: #2471

Signed-off-by: Bl1tz23 <alex3angle@gmail.com>
2021-08-23 15:09:59 +03:00
Binbin Zhang
d422789fac makefile: Fix error exit status code
Generate `config-generated.go` file under src/runtime/cli/containerd-shim-kata-v2 before excuting test or coverage.

Fixes #2479

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
2021-08-23 11:31:33 +08:00
Fabiano Fidêncio
cfd539dc6c Merge pull request #2476 from fidencio/wip/fix-release-process
workflows: fix artifact name in the release yaml
2021-08-20 22:17:43 +02:00
Fabiano Fidêncio
31c8454700 workflows: fix artifact name in the release yaml
b789a935cf changed the artifact name from
"release-candidate" to "kata-static-tarball".  However, we didn't do the
same for the upload-static-tarball action, causing us the following
error during the release process:
https://github.com/kata-containers/kata-containers/runs/3383157459?check_suite_focus=true

Fixes: #2475

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-20 17:06:53 +02:00
Fabiano Fidêncio
0675bab49c Merge pull request #2473 from fidencio/2.2.0-rc0-branch-bump
# Kata Containers 2.2.0-rc0
2021-08-20 16:11:03 +02:00
Fabiano Fidêncio
aaf37d72b2 release: Kata Containers 2.2.0-rc0
- use CRI in kata-monitor
- config: Enable jailer by default when using firecracker
- workflows: Actually push the release to quay.io
- docs: update general wording for installation documentation
- Cleanup kernel packaging
- tracing: Return context in runHooks() span creation
- osbuilder: Document no Alpine support on s390x
- osbuilder: Upgrade Ubuntu guest to 20.04
- agent: watcher / inotify stability fixes
- enable snap build for arm64
- agent: Fix cargo 1.54 clippy warning
- osbuilder: Drop Go agent support
- kernel: PTP_KVM support for arm/arm64 in Kata
- docs: update the docs project url from kata 1.x to 2.x
- clh: correct cloud-hypervisor installation on non-x86
- virtcontainers: fc: properly remove jailed block device
- CI: Call agent shutdown test
- kata deploy: always update the base image
- docs: Remove kata-proxy and invalid script reference
- workflows: Actually login to quay.io
- kata-deploy: Update our content to use / point to quay.io/kata-containers rather than katadocker
- agent: Create the process CWD when it does not exist
- Update Kata to allow it to use Qemu 6.1
- osbuilder/dracut: Add missing libraries
- osbuilder: pass env OS_VERSION
- tools: shorten directory path
- virtcontainers: clh: Do not use the default HTTP client
- docs: update kata deploy README doc to add cloud-hypervisor test command
- Container: Add initConfigResourcesMemory and call it in newContainer
- qemu/arm: remove nvdimm/"ReadOnly" option on arm64
- Fix issue container start fail if io.katacontainers.container.resource.swap_in_bytes and memory_limit_in_bytes are not set
- docs: Add tracing proposals doc
- docs: Remove table of contents
- static-checks: Check for the `force-skip-ci` label on each step
- docs: update the kata release url in the kata deploy document
- kata-deploy: Allow build  kata-deploy  tarball from HEAD
- mod: unify runc and containerd dependencies
- how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
- ci: Run static checks when PRs are updated
- docs: update url for log parser in how-to-import-kata-logs-with-fluen…
- versions: Upgrade to Cloud Hypervisor v17.0
- snap: Substitute image configuration with initrd
- docs: Update url for log parser in Developer guide
- mount: fix the issue of missing check file exists
- build(deps): bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /src/runtime
- docs: Update experimental documentation
- snap: do not export agent version
- Upgrade runc to 1.0.1
- runtime: read-only NVDIMM
- osbuilder/scripts: add support to yq version 4 and above
- osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
- monitor: mv the monitor socket into sbs directory
- fix govet fieldalignment
- docs: added a glossary to support SEO tactics
- ci: expand $CI to nothing
- Add swap support
- snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
- agent: clear MsFlags if the option has clear flag set
- snap: Remove QEMU before clone
- docs: fix minikube installation guide runtimeclasses error
- docs: fixed kata-deploy path for kata logs with fluentd doc
- agent/agent-ctl: update tokio to 1.8.1
- ci: set -o nounset
- static-checks: Add a make target to run static-checks locally
- virtiofsd: fix the issue of missing stop virtiofsd
- docs: Update containerd configuration format
- osbuilder: Skip installing golang for building rootfs
- agent-ctl: Use a common Makefile style like other components
- vsock-exporter: switch to tokio runtime
- config: Fix description for OCI hooks
- shimv2: fix the issue of kata-runtime exec failed

7a5ffd4a config: Enable jailer by default when using firecracker
2cb7b513 docs: update general wording for installation documentation
76f4588f workflows: Actually push the release to quay.io
b980c62f packaging/kernel: Update kernel build doc
99e9a6ad packaging/kernel: Update versions.yaml kernel urls
c23ffef4 packaging/kernel: Remove old Jenkins pipeline
9586d482 tracing: Return context in runHooks() span creation
6a6dee7c osbuilder: Document no Alpine support on s390x
71f304ce agent: watcher: cleanup mount if needed when container is removed
f1a505db agent: Temporarily allow unknown linters
961aaff0 agent: watcher: fixes to make more robust
7effbdeb osbuilder: Upgrade Ubuntu guest to 20.04
99ab91df docs: update the docs project url from kata 1.x to 2.x
4fe23b19 kernel: PTP_KVM support for arm/arm64 in Kata
f981fc64 clh: correct cloud-hypervisor installation
f87cee9d kata-deploy: Rely directly on a centos:7 image
6871aeaa snap: enable snap build for arm64
15e0a3c8 kata-deploy: Remove unneeded yum cached files
d01aebeb kata-deploy: Ensure the system is up-to-date
77160e59 workflows: Actually login to quay.io
b9e03a1c docs: update the image repository to quay.io
f47cad3d tools: Update the image repository to quay.io
9fa1febf workflows: Also push the image to quay.io
233b53c0 agent: Fix cargo 1.54 clippy warning
2d8386ea kata-monitor: add few unit tests
8714a350 kata-monitor: make code to identify kata pods simpler
68a6f011 kata-monitor: drop the runtime info from the sandbox cache
97dcc5f7 kata-monitor: drop getMonitorAddress()
0b03d97d vendor: update vendors for kata-monitor
c2f03e89 kata-monitor: talk to the container engine via the CRI
c867d1e0 osbuilder: Drop Go agent support
1d25d7d4 docs: Remove kata-proxy and binaries reference
64dd35ba virtcontainers: fc: properly remove jailed block device
b8133a18 osbuilder/dracut: Add missing libraries
831c2fee packaging: Remove reference to sheepdog driver
2e28b714 packaging: Drop support for qemu < 5.0
d5f85698 vendor: Update govmm
31650956 runtime/qemu: Use explicit "on" for kernel_irqchip parameter
a72b0811 osbuilder: pass env OS_VERSION
d007bb85 kata-deploy: shorten directory path
e6408fe6 Container: Add initConfigResourcesMemory and call it in newContainer
49083bfa agent: Create the process CWD when it does not exist
ee90affc newContainer: Initialize c.config.Resources.Memory if it is nil
767a41ce updateResources: Log result after calculateSandboxMemory
760ec4e5 virtcontainers: clh: Do not use the default HTTP client
3fe6695b static-checks: Check for the `force-skip-ci` label on each step
7df56301 CI: Call agent shutdown test
57b696a5 docs: Removed mention of 1.x
4f0726bc docs: Remove table of contents
f186c5e2 docs: Fix invalid URLs
7c610a6f docs: Fix shell code
80afba15 docs: update kata deploy README doc to add cloud-hypervisor test command
5a0d3c4f docs: update the kata release url in the kata deploy document
9514dda5 mod: unity containerd dependency
6ffe37b9 mod: unify runc dependency
5b514177 docs: Add tracing proposals doc
b53e8405 how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
5957bc7d ci: Run static checks when PRs are updated
81e6bf6f kata-deploy: Split shimv2 build in a separate container.
d46ae324 kernel: build: Add container build
b789a935 actions: release: Use new kata-deploy scripts.
85987c6d kata-deploy: Add Makefile
b9d2eea3 kata-deploy: Add script to merge kata tarballs.
4895747f Rootfs: Add curl to alpine rootfs builder.
fc90bb53 Actions: Add new workflow to create static tarballs
bbb06c49 actions: Remove scripts from actions directory.
2f9859ab build: Reuse firecracker directory on builds.
3533a5b6 Packaging: stop using GOPATH for yq.
0c5ded4b kata-deploy: build kata only with docker in host
2ec31093 docs: update url for log parser in how-to-import-kata-logs-with-fluentd.md
cc0bb9ae versions: Upgrade to Cloud Hypervisor v17.0
8e9ffe6f snap: Substitute image configuration with initrd
8b15eafa docs: Update url for log parser in Developer guide
77604de8 qemu/arm: remove nvdimm/"ReadOnly" option on arm64
4fbae549 docs: Update experimental documentation
07f7ad9d build(deps): bump github.com/containerd/containerd in /src/runtime
9c0b8a7f snap: do not export agent version
3727caf7 versions: Update runc to 1.0.1
116c29c8 cgroups: manager's Set() now takes Resources as its parameter
c0f801c0 rootless: RunningInUserNS() is now part of userns namespace
b5293c52 runtime: update runc dependency to 1.0.1
2859600a runtime: virtcontainers: make rootfs image read-only
8befb1f3 kata-deploy: Refactor builder options.
7125f5d8 image-builder: Allow build image and initrd independently.
0f8c0dbc osbuilder/scripts: add support to yq version 4 and above
070590fb vendor: update govmm
b4c45df8 runtime: tools/packaging/cmd/kata-pkgsync: fix govet fieldalignment
aec53090 runtime: virtcontainers/utils: fix govet fieldalignment
1e4f7faa runtime: virtcontainers/types: fix govet fieldalignment
bb9495c0 runtime: virtcontainers/pkg: fix govet fieldalignment
80ab91ac runtime: virtcontainers/persist: fix govet fieldalignment
54bdd018 runtime: virtcontainers/factory: fix govet fieldalignment
dd58de36 runtime: virtcontainers/device: fix govet fieldalignment
47d95dc1 runtime: virtcontainers: fix govet fieldalignment
8ca7a7c5 runtime: netmon: fix govet fieldalignment
31de8eb7 runtime: pkg: fix govet fieldalignment
2b80091e runtime: containerd-shim-v2: fix govet fieldalignment
0dc59df6 runtime: cli: fix govet fieldalignment
c1042523 ci: expand $CI to nothing
add480ed monitor: mv the monitor socket into sbs directory
f7c6f170 docs: added a glossary to support SEO tactics
a8649acf snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
38826194 osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
c5fdc0db docs: fix minikube installation guide runtimeclasses error
f2ef25c6 docs: fixed kata-deploy path for kata logs with fluentd doc
cb6b7667 runtime: Add option "enable_guest_swap" to config hypervisor.qemu
a733f537 runtime: newContainer: Handle the annotations of SWAP
2c835b60 ContainerConfig: Set ocispec.Annotations to containerConfig.Annotations
243d4b86 runtime: Sandbox: Add addSwap and removeSwap
e1b91986 runtime: Update golang proto code for AddSwap
4f066db8 agent: agent.proto: Add AddSwap
4f23b8cd ci: set -o nounset
35cbc93d agent: clear MsFlags if the option has clear flag set
ff87da72 config: Fix description for OCI hooks
8e0daf67 shimv2: fix the issue of kata-runtime exec failed
b12b21f3 osbuilder: Skip installing golang for building rootfs
558f1be6 snap: Remove QEMU before clone
5371b921 mount: fix the issue of missing check file exists
27b299b2 agent-ctl: Use a common Makefile style like other components
05084699 agent-ctl: bump to latest tokio
acf69328 agent: update tokio to 1.8.1
dcd29867 static-checks: Call the static-checks make target
afd97850 makefile: Add static-checks target
34828df9 virtiofsd: fix the issue of missing stop virtiofsd
73d3798c vsock-exporter: switch to tokio runtime
7960689e tracing: replace SimpleSpanProcessor with BatchSpanProcessor
e887b39e docs: Update containerd configuration format

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-20 14:03:43 +02:00
Fabiano Fidêncio
348795e282 Merge pull request #2233 from fgiudici/kata-monitor_liubin_cri
use CRI in kata-monitor
2021-08-20 13:58:12 +02:00
Fabiano Fidêncio
fbd4ab6cdc Merge pull request #2454 from jrieck1991/default-jailer
config: Enable jailer by default when using firecracker
2021-08-20 13:13:27 +02:00
Fabiano Fidêncio
af93263985 Merge pull request #2451 from fidencio/wip/kata-deploy-actually-push-the-release-to-quay.io
workflows: Actually push the release to quay.io
2021-08-18 19:50:22 +02:00
Eric Ernst
02717b8c4b Merge pull request #2448 from converge/update_installation_overview
docs: update general wording for installation documentation
2021-08-18 09:49:20 -07:00
Fabiano Fidêncio
1c643dea24 Merge pull request #2425 from dcmiddle/cleanup-kernel-packaging
Cleanup kernel packaging
2021-08-18 08:24:12 +02:00
Jack Rieck
7a5ffd4a0f config: Enable jailer by default when using firecracker
Now that we have enabled CI tests for jailed firecracker and we have
fixed the  issue with removing the block storage device #2387, we
should leverage the full power of firecracker and enable jailer by
default.

Fixes: #2455
Signed-off-by: Jack Rieck <jack.rieck@sendgrid.com>
2021-08-17 19:22:09 -04:00
Joao Vanzuita
2cb7b51355 docs: update general wording for installation documentation
Remove duplicated information, reduce text separation, and rewrite notes
to be more clear and concise.

Fixes: #2449

Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
2021-08-17 21:55:11 +02:00
Fabiano Fidêncio
76f4588f25 workflows: Actually push the release to quay.io
As quay.io is becoming our de-facto image registry, let's actually push
the kata-deploy release to it.  This commit should've been part of
9fa1febfd9 but ended up slipping out.

Fixes: #2306

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-17 13:16:00 +02:00
Chelsea Mafrica
e155fb2b19 Merge pull request #2424 from cmaf/fix-span-runHooks-2
tracing: Return context in runHooks() span creation
2021-08-12 12:01:31 -07:00
Dan Middleton
b980c62f43 packaging/kernel: Update kernel build doc
Clarify dependencies, correct typos, and fill in some gaps.

Fixes: #2422

Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2021-08-12 12:14:58 -05:00
Dan Middleton
99e9a6ad0a packaging/kernel: Update versions.yaml kernel urls
Correct url to coordinate with version string.

Fixes #2422

Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2021-08-12 12:14:58 -05:00
Dan Middleton
c23ffef4eb packaging/kernel: Remove old Jenkins pipeline
This Jenkins pipeline is no longer used and it references now archived
repos.

Fixes: #2422

Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2021-08-12 12:14:58 -05:00
Chelsea Mafrica
9586d48254 tracing: Return context in runHooks() span creation
The call to Trace() in runHooks() should return a context so that
subsequent calls to runHook() produce properly ordered trace spans.

Fixes #2423

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-08-12 10:09:56 -07:00
GabyCT
bff73de4d3 Merge pull request #2437 from Jakob-Naucke/doc-alpine-osbuilder-s390x
osbuilder: Document no Alpine support on s390x
2021-08-12 11:08:57 -05:00
Fabiano Fidêncio
d45c86de29 versions: Update CRI-O to its 1.22 release
As kubernetes version has been bumped to 1.22, let's bump the CRI-O
version accordingly.

Related: #2434

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-12 11:39:17 +02:00
Fabiano Fidêncio
c4a642636b versions: Update k8s & critools to v1.22
Let's test our `main` branch against the latest version of k8s.  In
order to do the bump, let's also update critools version accordingly.

Depends-on: github.com/kata-containers/tests#3818

Fixes: #2433

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-12 11:38:37 +02:00
Jakob Naucke
6a6dee7cc8 osbuilder: Document no Alpine support on s390x
Alpine used to work as guest under 1.x, but because there is no musl
target for Rust on s390x, Alpine will not work for 2.x. Document this.

Fixes: #2436
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-08-12 11:14:25 +02:00
Jakob Naucke
8915dc56d5 Merge pull request #2150 from Jakob-Naucke/focal-rootfs
osbuilder: Upgrade Ubuntu guest to 20.04
2021-08-12 10:03:31 +02:00
Eric Ernst
46942dd449 Merge pull request #2404 from egernst/watcher
agent: watcher / inotify stability fixes
2021-08-11 13:58:10 -07:00
Julio Montes
9edbc00dbc Merge pull request #2394 from jongwu/snap
enable snap build for arm64
2021-08-11 11:38:11 -05:00
Eric Ernst
71f304ce17 agent: watcher: cleanup mount if needed when container is removed
If a bind mount was created for watchable storage, make sure we remove
when removing a container.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-08-11 08:53:28 -07:00
Samuel Ortiz
f1a505dbfe agent: Temporarily allow unknown linters
Bump thiserror to 1.0.26 for vsock-exporter and work around
a bug in Clippy nonstandard_macro_braces lint.
(See https://github-redirect.dependabot.com/rust-lang/rust-clippy/issues/7422)

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-08-11 08:53:28 -07:00
Eric Ernst
961aaff004 agent: watcher: fixes to make more robust
inotify/watchable-mount changes...

- Allow up to 16 files. It isn't that uncommon to have 3 files in a secret.
In Kubernetes, this results in 9 files in the mount (the presented files,
which are symlinks to the latest files, which are symlinks to actual files
which are in a seperate hidden directoy on the mount). Bumping from eight to 16 will
help ensure we can support "most" secret/tokens, and is still a pretty
small number to scan...

- Now we will only replace the watched storage with a bindmount if we observe
that there are too many files or if its too large. Since the scanning/updating is racy,
we should expect that we'll occassionally run into errors (ie, a file
deleted between scan / update). Rather than stopping and making a bind
mount, continue updating, as the changes will be updated the next time
check is called for that entry (every 2 seconds today).

To facilitate the 'oversized' handling, we create specific errors for too large
or too many files, and handle these specific errors when scanning the storage entry.

- When handling an oversided mount, do not remove the prior files -- we'll just
overwrite them with the bindmount. This'll help avoid the files
disappearing from the user, avoid racy cleanup and simplifies the flow.
Similarly, only mark it as a non-watched storage device after the
bindmount is created successfully.

- When creating bind mount, make sure destination exists. If we hadn't
had a successful scan before, this wouldn't exist and the mount would
fail. Update logic and unit test to cover this.

- In several spots, we were returning when there was an error (both in
scan and update). For update case, let's just log an warning and continue;
since the scan/update is racy, we should expect that we'll have
transient errors which should resolve the next time the watcher runs.

Fixes: #2402

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-08-11 08:52:51 -07:00
Fabiano Fidêncio
2aa686a0f5 Merge pull request #2409 from sameo/topic/agent
agent: Fix cargo 1.54 clippy warning
2021-08-10 23:03:00 +02:00
Jakob Naucke
7effbdebcb osbuilder: Upgrade Ubuntu guest to 20.04
- no need to create `/usr/lib/systemd/systemd` link any more
- install `chrony` as extra package and install extra packages in chroot
  rather than `debootstrap`, because `chrony` provides `time-daemon`,
  which under 20.04 is provided by `systemd-timesyncd`, which is
  required by `systemd`, and `debootstrap`'s conflict resolvement can't
  handle this, but `apt`'s can.

Fixes: #2147
Depends-on: github.com/kata-containers/tests#3636
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-08-10 16:31:21 +02:00
GabyCT
1ab55e5afd Merge pull request #2397 from dgibson/no-go-agent
osbuilder: Drop Go agent support
2021-08-10 09:13:00 -05:00
GabyCT
e287708435 Merge pull request #2246 from damon-kwok/main
kernel: PTP_KVM support for arm/arm64 in Kata
2021-08-10 09:11:48 -05:00
GabyCT
7445071330 Merge pull request #2419 from YchauWang/wyc-doc-test-01
docs: update the docs project url from kata 1.x to 2.x
2021-08-10 09:08:43 -05:00
Jakob Naucke
f152284f1b Merge pull request #2411 from jongwu/clh
clh: correct cloud-hypervisor installation on non-x86
2021-08-10 10:39:57 +02:00
wangyongchao.bj
99ab91df3d docs: update the docs project url from kata 1.x to 2.x
changed the document project url in the using-vpp-and-kata.md and
runtime experimental README.md files.

Fixes: #2418

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-08-10 13:51:54 +08:00
Damon Kwok
4fe23b190f kernel: PTP_KVM support for arm/arm64 in Kata
This work patched the 4.19, 5.4 and 5.10 kernels, and now ptp_kvm can work
correctly when the host and guest use different kernel versions..

Fixes: #2123

Signed-off-by: Damon Kwok <damon-kwok@outlook.com>
2021-08-10 11:04:28 +08:00
Fabiano Fidêncio
e1e6827a2c Merge pull request #2388 from nubificus/fix_jailed_fc
virtcontainers: fc: properly remove jailed block device
2021-08-10 00:17:18 +02:00
Carlos Venegas
a28cc7ffd6 Merge pull request #1809 from jodh-intel/run-agent-shutdown-test
CI: Call agent shutdown test
2021-08-09 09:55:05 -05:00
Fabiano Fidêncio
b7d4888659 Merge pull request #2400 from fidencio/wip/kata-deploy-always-update-the-base-image
kata deploy: always update the base image
2021-08-09 10:03:25 +02:00
Jianyong Wu
f981fc6456 clh: correct cloud-hypervisor installation
Currently, there is cloud hypervisor binary released only for x86, thus
we must build from source code when install cloud hypervisor on arm64.

Fixes: #2410
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-08-09 15:56:28 +08:00
Samuel Ortiz
e07a9fea79 Merge pull request #2392 from GabyCT/topic/fixfluentd
docs: Remove kata-proxy and invalid script reference
2021-08-06 15:01:57 +02:00
Fabiano Fidêncio
f87cee9d11 kata-deploy: Rely directly on a centos:7 image
Instead of relying on a centos/docker image, present only on dockerhub,
let's rely on the centos:7 image from the centos registry, and apply
the same modifications applied when generating the centos/systemd image.

The main reason for doing this is avoiding to update an image from 3
years ago, making the delta of the packages updated smaller.

If you're curious why we keep using CentOS 7 though, the reason is
because CentOS 8, and UBI images have a different systemd configuration
that works quite well when mounting the image using podman, but systemd
can't connect dbus when running on environments like AKS or even
minikube.  So, in order to be as compatible as possible, let's keep
using the CentOS 7 image for now, at least till we find a suitable
substitute for that.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-06 13:22:45 +02:00
Jianyong Wu
6871aeaa60 snap: enable snap build for arm64
snap build for arm64 fail for a long time, here we enable it.
the changes:
1. correct the variable of "branch"
2. add v5.1.0 under tag_patchs

Fixes: #2194
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-08-06 17:11:58 +08:00
Fabiano Fidêncio
15e0a3c8f0 kata-deploy: Remove unneeded yum cached files
Let's just remove the cached failes as those are not needed for anything
we do when using this image.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-06 11:01:58 +02:00
Fabiano Fidêncio
d01aebebae kata-deploy: Ensure the system is up-to-date
In order to avoid providing an image with security issues, let's ensure
we run `yum update` as part of our image build process.  This is needed
as even with the latest CentOS images there may be fix provided by some
CVE that's already part of the updates but not yet part of the image.

In our case, it's even more needed as the `centos/systemd` image has not
been updated for 3 years or so and those are the vulnerabilities found
in the current images:
https://quay.io/repository/kata-containers/kata-deploy?tab=tags

Fixes: #2303

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-06 11:01:58 +02:00
Fabiano Fidêncio
b4b843178c Merge pull request #2406 from fidencio/wip/workflows-login-to-the-correct-registry
workflows: Actually login to quay.io
2021-08-06 11:01:18 +02:00
Fabiano Fidêncio
77160e591a workflows: Actually login to quay.io
9fa1febfd9 added the support to also push
the image to quay.io.  However, we didn't try explicitly pass quay.io as
the registry server, causing then to login to fail.

Fixes: #2306

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-06 10:07:25 +02:00
Fabiano Fidêncio
2f5a77d144 Merge pull request #2307 from fidencio/wip/kata-deploy-also-push-images-to-quay-io
kata-deploy: Update our content to use / point to quay.io/kata-containers rather than katadocker
2021-08-06 09:23:35 +02:00
Fabiano Fidêncio
b9e03a1cf1 docs: update the image repository to quay.io
This can help our users to **not** hit the pull limitation imposed by
dockerhub.

Fixes: #2306

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-05 22:53:20 +02:00
Fabiano Fidêncio
f47cad3d95 tools: Update the image repository to quay.io
This can help our users to **not** hit the pull limitation imposed by
dockerhub.

Fixes: #2306

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-05 22:53:20 +02:00
Fabiano Fidêncio
9fa1febfd9 workflows: Also push the image to quay.io
Now that the project owns https://quay.io/kata-containers, let's also
push our images there and start making it our primary image repository.

Fixes: #2306

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-08-05 22:53:19 +02:00
Samuel Ortiz
233b53c048 agent: Fix cargo 1.54 clippy warning
Mostly the needless borrow one, plus a few others that are now enforced.

Fixes #2408

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-08-05 18:41:55 +02:00
Francesco Giudici
2d8386ea52 kata-monitor: add few unit tests
Add cri.go unit tests

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
Francesco Giudici
8714a35063 kata-monitor: make code to identify kata pods simpler
just search for the "kata" substring in the runtime value and log at
info level when the runtime name/type is not found.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
Francesco Giudici
68a6f011b5 kata-monitor: drop the runtime info from the sandbox cache
We keep the container engine info in the sandbox cache map, as the value
associated to the pod id (the key). Since we used that in
getMonitorAddress() only (which is gone) we can avoid storing that
information. Let's drop it.
Keep the map structure and the [put,delete]IfExists functions as we may
want to move to an event based cache update process sooner or later, and
we will need those.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
Francesco Giudici
97dcc5f78a kata-monitor: drop getMonitorAddress()
since the shim socket path is statically defined in the containerd-shimv2
code, we don't need to retrieve the socket name from the filesystem:
construct the socket name using the containerd-shimv2 code.

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
Francesco Giudici
0b03d97d0b vendor: update vendors for kata-monitor
kata-monitor switched from containerd client to CRI. Update the
dependencies and vendored code.

go mod tidy
go mod vendor

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
Francesco Giudici
c2f03e8993 kata-monitor: talk to the container engine via the CRI
kata-monitor uses containerd client to retrieve information from the
container engine. This makes kata-monitor work with the containerd
container engine only.
Bin Liu (bin <bin@hyper.sh>) worked on a kata-monitor version able
to talk to any container engine leveraging the standard CRI[1].
Here, the original work of Bin Lui has been adapted on the current
kata-monitor to make it container engine independent.

[1] https://github.com/liubin/kata-containers/tree/fix/1030-use-cri-in-kata-monitor

Fixes: #1030
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-08-05 11:41:54 +02:00
David Gibson
c867d1e069 osbuilder: Drop Go agent support
With Kata 1.x EOL, the Go agent is no more.  So, remove support for it from
the osbuilder scripts.  This removes the RUST_AGENT variable, treating it
as always true.

fixes #2396

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-08-05 16:10:10 +10:00
Gabriela Cervantes
1d25d7d43f docs: Remove kata-proxy and binaries reference
Kata-proxy is not longer used in kata 2.x, this PR removes the
reference as well to an script that is not longer existing.

Fixes #2391

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-08-04 22:00:57 +00:00
Chelsea Mafrica
eac05ad6d6 Merge pull request #2375 from sameo/upstream/topic/process-cwd
agent: Create the process CWD when it does not exist
2021-08-04 11:35:11 -07:00
Anastassios Nanos
64dd35ba4f virtcontainers: fc: properly remove jailed block device
When running a firecracker instance jailed, block devices
are not removed correctly, as the jailerRoot path is not
stripped from the PATCH command sent to the FC API.

This patch differentiates the jailed case from the non-jailed
one and allows the firecracker instance to be properly
terminated.

Fixes #2387

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
2021-08-04 16:31:56 +00:00
Julio Montes
03325f0612 Merge pull request #2382 from dgibson/prep-qemu-6.1
Update Kata to allow it to use Qemu 6.1
2021-08-04 09:16:06 -05:00
GabyCT
48bb104660 Merge pull request #2385 from Jakob-Naucke/dracut-libs
osbuilder/dracut: Add missing libraries
2021-08-04 09:04:46 -05:00
Jakob Naucke
b8133a188c osbuilder/dracut: Add missing libraries
When the guest is built using dracut and the agent uses glibc (esp.
ppc64le/s390x), libraries might be missing. In my case, it was
`libutil.so`, but more can be added easily. Add a script to configure
`install_items` for dracut w.r.t. `ldd` of the agent.

Fixes: #2384
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-08-04 13:50:42 +02:00
Jakob Naucke
d473967120 Merge pull request #2379 from Jakob-Naucke/env-os-version
osbuilder: pass env OS_VERSION
2021-08-04 10:40:17 +02:00
Christophe de Dinechin
881b996443 agent: Make wording of error message match CRI-O test suite
The CRI-O integration test suite has two tests that fail because they search for
"not found" in the error message, but we emit "is not exist".

Change the error message to match the expectations of the test suite.

Fixes: #2036

Reported-by: Julien Ropé <jrope@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-08-04 09:33:09 +02:00
David Gibson
831c2feead packaging: Remove reference to sheepdog driver
The QEMU sheepdog driver was deprecated in 5.2.0 and removed entirely in
6.1.  Explicitly disabling, therefore is unnecessary from 5.2.0 and will
give an error from 6.1.

fixes #2337

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-08-04 15:04:36 +10:00
David Gibson
2e28b71473 packaging: Drop support for qemu < 5.0
We only test qemu 5.2 in the CI (5.1 for ARM), and I believe we already
have some subtle dependencies that will stop things working on older qemu
versions.

We just updated govmm to a version that explicitly only works with qemu 5.0
and later, so we can drop stale checks for older qemu versions.  More
specifically that means we can drop patches for older qemu versions, and
remove checks for older qemu versions from configure-hypervisor.sh.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-08-04 15:04:36 +10:00
David Gibson
d5f85698e1 vendor: Update govmm
Update to commit 3c64244cbb, in particular to get these fixes which
are needed to work with qemu-6.0 and later:

https://github.com/kata-containers/govmm/pull/192
https://github.com/kata-containers/govmm/pull/194

Git log

d27256f (qmp: Don't use deprecated 'props' field for object-add, 2021-08-03)
d8cdf9a (qemu: Drop support for versions older than 5.0, 2021-08-03)
1b02192 (Use 'host_device' driver for blockdev backends, 2021-07-29)
9518675 (add support for "sandbox" feature to qemu, 2021-07-20)
335fa81 (qemu: fix golangci-lint errors, 2021-07-21)
61b6378 (.github/workflows: reimplement github actions CI, 2021-07-21)
9d6e797 (go: support go modules, 2021-07-21)
0d21263 (qemu: support read-only nvdimm, 2021-07-21)

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-08-04 15:04:30 +10:00
David Gibson
3165095669 runtime/qemu: Use explicit "on" for kernel_irqchip parameter
Kata uses the 'kernel_irqchip' machine option to qemu.  By default it
uses it in what qemu calls the "short-form boolean" with no parameter.
That style was deprecated by qemu between 5.2 and 6.0 (commit
ccd3b3b8112b) and effectively removed entirely between 6.0 and 6.1
(commit d8fb7d0969d5).

Update ourselves for newer qemus by using an explicit
"kernel_irqchip=on".

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-08-04 14:34:11 +10:00
Carlos Venegas
b24ee4b11e Merge pull request #2369 from converge/issue_2354
tools: shorten directory path
2021-08-03 15:32:56 -05:00
Carlos Venegas
27b9a68189 Merge pull request #2365 from sameo/topic/clh-tracing
virtcontainers: clh: Do not use the default HTTP client
2021-08-03 12:54:09 -05:00
Jakob Naucke
a72b08117f osbuilder: pass env OS_VERSION
With lines like
0a2e2c6038/tools/osbuilder/rootfs-builder/fedora/config.sh (L8)
we imply that one can set another OS_VERSION and it will get picked up.
This is not the case when building inside Docker/Podman because the
variable is not passed to the container, which can lead to confusion.
Forward this env.

Fixes: #2378
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-08-03 18:28:17 +02:00
Samuel Ortiz
0a2e2c6038 Merge pull request #2358 from YchauWang/wyc-deploy-test
docs: update kata deploy README doc to add cloud-hypervisor test command
2021-08-03 10:55:13 +02:00
Fupan Li
eda55195fb Merge pull request #2373 from teawater/fix_swap2
Container: Add initConfigResourcesMemory and call it in newContainer
2021-08-03 10:58:48 +08:00
Joao Vanzuita
d007bb8550 kata-deploy: shorten directory path
long file paths are difficult to read, this change adds a new readonly variable to shorten the full file path of the static build folder files.

Fixes: #2354
Signed-off-by: Joao Vanzuita <joaovanzuita@me.com>
2021-08-02 22:37:39 +02:00
Hui Zhu
e6408fe670 Container: Add initConfigResourcesMemory and call it in newContainer
The swappiness is not right if just set
io.katacontainers.container.resource.swappiness:
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
  name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
  name: busybox-killed-vmm
annotations:
  io.katacontainers.container.resource.swappiness: "100"
image:
  image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
crictl exec $cid cat /sys/fs/cgroup/memory/memory.swappiness
60

The cause of this issue is there are two elements store the resources
infomation.  They are c.config.Resources for calculateSandboxMemory and
c.GetPatchedOCISpec() for agent.
This add initConfigResourcesMemory to Container and call it in
newContainer to handle the issue.

Fixes: #2372

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-08-02 16:02:12 +08:00
Fupan Li
fdc42ca7ff Merge pull request #2324 from jongwu/ro_nv
qemu/arm: remove nvdimm/"ReadOnly" option on arm64
2021-08-02 14:14:06 +08:00
Fupan Li
186a02593a Merge pull request #2368 from teawater/fix_swap
Fix issue container start fail if io.katacontainers.container.resource.swap_in_bytes and memory_limit_in_bytes are not set
2021-08-02 10:08:30 +08:00
Samuel Ortiz
49083bfa31 agent: Create the process CWD when it does not exist
Although the OCI specification does not explictly requires that, we
should create the process CWD if it does not exist, before chdir'ing
to it. Without that fizx, the kata-agent fails to create a container
and returns a grpc error when it's trying to change the containerd
working directory to an non existing folder.

runc, the OCI runtime reference implementation, also creates the process
CWD when it's not part of the container rootfs.

Fixes #2374

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-08-01 04:27:03 +02:00
Hui Zhu
ee90affc18 newContainer: Initialize c.config.Resources.Memory if it is nil
container start fail if
io.katacontainers.container.resource.swap_in_bytes and
memory_limit_in_bytes are not set.
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
  name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
  name: busybox-killed-vmm
annotations:
  io.katacontainers.container.resource.swappiness: "60"
image:
  image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
DEBU[0000] get runtime connection
DEBU[0000] connect using endpoint
'unix:///var/run/containerd/containerd.sock' with '10s' timeout
DEBU[0000] connected successfully using endpoint:
unix:///var/run/containerd/containerd.sock
DEBU[0000] StartContainerRequest:
&StartContainerRequest{ContainerId:4fea91d16f661931fe33acd247efe831ef9e571588ba18b5a16f04c278fd61b8,}
DEBU[0000] StartContainerResponse: nil
FATA[0000] starting the container
"4fea91d16f661931fe33acd247efe831ef9e571588ba18b5a16f04c278fd61b8": rpc
error: code = Unknown desc = failed to create containerd task: failed to
create shim: ttrpc: closed: unknown

The cause of fail if if c.config.Resources.Memory is nil, values of
io.katacontainers.container.resource.swappiness and
io.katacontainers.container.resource.swap_in_bytes will be store in
newContainer.

This commit initialize c.config.Resources.Memory if it is nil in
newContainer.

Fixes: #2367

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-08-01 10:03:27 +08:00
Hui Zhu
767a41ce56 updateResources: Log result after calculateSandboxMemory
Log result after calculateSandboxMemory in updateResources.

Fixes: #2367

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-08-01 09:57:44 +08:00
Samuel Ortiz
760ec4e58a virtcontainers: clh: Do not use the default HTTP client
When enabling tracing with Cloud Hypervisor, we end up establishing 2
connections to 2 different HTTP servers: The Cloud Hypervisor API one
that runs over a UNIX socket and the Jaeger endpoint running over UDP.

Both connections use the default HTTP golang client instance, and thus
share the same transport layer. As the Cloud Hypervisor implementation
sets it up to be over a Unix socket, the jaeger uploader ends up going
through that transport as well, and sending its spans to the Cloud
Hypervisor API server.

We fix that by giving the Cloud Hypervisor implementation its own HTTP
client instance and we avoid sharing it with anything else in the shim.

Fixes #2364

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-07-30 16:51:01 +02:00
GabyCT
b94252a5fa Merge pull request #2062 from jodh-intel/add-tracing-design-proposals
docs: Add tracing proposals doc
2021-07-30 09:37:38 -05:00
Fabiano Fidêncio
0c913040b6 Merge pull request #2023 from jodh-intel/docs-rm-tocs
docs: Remove table of contents
2021-07-30 15:44:50 +02:00
Jakob Naucke
d9359440e2 Merge pull request #2361 from fidencio/wip/workflows-fix-skip-ci
static-checks: Check for the `force-skip-ci` label on each step
2021-07-30 15:07:25 +02:00
Fabiano Fidêncio
3fe6695b0a static-checks: Check for the force-skip-ci label on each step
This is not the most beautiful solution, but when do the check on every
single step we ensure the test at least started, and consequently will
succeed.

Without this the tests wouldn't even start, making any PR using the
`force-skip-ci` label not mergeable.

Fixes: #2362

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-30 13:51:56 +02:00
James O. D. Hunt
7df56301be CI: Call agent shutdown test
Run the agent shutdown test as part of CI testing code in this repo.

Fixes: #1808.

Depends-on:github.com/kata-containers/tests#3495

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-30 11:03:25 +01:00
James O. D. Hunt
57b696a5ec docs: Removed mention of 1.x
All users should be running 2.x releases so remove the legacy details
since it's arguably confusing to have two sets of details.

Reworked the components listed in the main README so that rather than
being sorted alphabetically, they are now sorted in semi-order of
importance and split into two tables to make the point more clearly.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-30 10:58:22 +01:00
James O. D. Hunt
4f0726bc49 docs: Remove table of contents
Removed all TOCs now that GitHub auto-generates them.

Also updated the documentation requirements doc removing the requirement
to add a TOC.

Fixes: #2022.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-30 10:58:22 +01:00
James O. D. Hunt
f186c5e284 docs: Fix invalid URLs
Correct broken / stale URLs as detected by the CI URL checker.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-30 10:58:22 +01:00
James O. D. Hunt
7c610a6ff1 docs: Fix shell code
Correct the shell code in the packaging tools README to keep the CI
happy.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-30 10:58:22 +01:00
Fabiano Fidêncio
1d70523a59 Merge pull request #2356 from YchauWang/wyc-doc-bug-fix
docs: update the kata release url in the kata deploy document
2021-07-30 11:57:26 +02:00
wangyongchao.bj
80afba15ee docs: update kata deploy README doc to add cloud-hypervisor test command
Kata deploy README document only contains Firecracker and Qemu. This PR adds
 cloud-hypervisor test command to the README.md file.

Fixes: #2357

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-30 10:01:13 +08:00
wangyongchao.bj
5a0d3c4fac docs: update the kata release url in the kata deploy document
fixed the url error, updated the path to kata 2.x release
(https://github.com/kata-containers/kata-containers/releases) from kata 1.x release
(https://github.com/kata-containers/runtime/releases) in the kata-deploy README.md file.

Fixes: #2355.

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-30 09:50:30 +08:00
Fabiano Fidêncio
2d142bc92d Merge pull request #2155 from jcvenegas/kata-deploy-2021-06-29
kata-deploy: Allow build  kata-deploy  tarball from HEAD
2021-07-29 22:50:03 +02:00
Fabiano Fidêncio
7ed6423dd8 Merge pull request #2347 from fidencio/wip/update-runc-and-containerd-deps
mod: unify runc and containerd dependencies
2021-07-29 22:29:06 +02:00
Peng Tao
9514dda52e mod: unity containerd dependency
The old ones are carrying CVEs, do not use them.

PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile.  This is now part of the CI and
ensures that the vendored code is up-to-date.  It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-29 20:51:02 +02:00
Peng Tao
6ffe37b949 mod: unify runc dependency
Since the old ones are carrying CVEs. Do not use them.

PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile.  This is now part of the CI and
ensures that the vendored code is up-to-date.  It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).

Fixes: #2338

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-29 20:48:52 +02:00
GabyCT
8508e52fdc Merge pull request #2349 from teawater/fix_vm_doc
how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
2021-07-29 10:42:44 -05:00
James O. D. Hunt
5b514177b0 docs: Add tracing proposals doc
Create a document summarising the tracing design proposals
from PR #1937.

Fixes: #2061.

Signed-off-by: bin <bin@hyper.sh>
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-29 16:17:48 +01:00
Fabiano Fidêncio
6b2ad64aea Merge pull request #2344 from fidencio/wip/run-static-checks-also-when-prs-are-edited-or-syncrhonized
ci: Run static checks when PRs are updated
2021-07-29 10:23:12 +02:00
Hui Zhu
b53e84054e how-to-use-virtio-mem-with-kata.md: Remove undefined ${REPORT_DIR}
Remove undefined ${REPORT_DIR} in how-to-use-virtio-mem-with-kata.md.

Fixes: #2348

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-29 14:50:08 +08:00
Fabiano Fidêncio
5957bc7d9c ci: Run static checks when PRs are updated
Looking at the changes that could cause the static-checks not to run
when a PR is updated I think 7db8a85a1f
could be the one that introduced such a regression.

Let's (try to) fix this by enforcing the workflow to run also when the
PR has been "edited" and "synchronized".

Fixes: #2343

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-28 22:26:55 +02:00
Carlos Venegas
81e6bf6f2c kata-deploy: Split shimv2 build in a separate container.
Instead of install golang in the base container, split the shimv2 build.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
d46ae3248e kernel: build: Add container build
Add script to build kernel in a container.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
b789a935cf actions: release: Use new kata-deploy scripts.
Update release action to build kata assets with new
scripts.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
85987c6d79 kata-deploy: Add Makefile
Add makefile to document possible options to run.

e.g
Default: Create a kata tarball, it will build assets concurrently.
```
$ make

```

Create a tarball build for cloud-hypervisor.
```
$ make cloud-hypervisor
```

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
b9d2eea39b kata-deploy: Add script to merge kata tarballs.
After each asset is build it is needed to merge them all into one single
tarball.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
4895747f35 Rootfs: Add curl to alpine rootfs builder.
If alpine image is created inside a container,
it does not get any golang version data. It will try
to get it by installing yq. To install yq curl is used.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
fc90bb5314 Actions: Add new workflow to create static tarballs
Tarballs are generated on push and merge events.

push: Allows get a tarball from the PR and use locally.

merge: After a PR is merged we have a quick way to get latest
kata-tarball.

The tarball can be downloaded from github page only.

Fixes: #1710

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
bbb06c4975 actions: Remove scripts from actions directory.
kata-deploy logic was moved to its own directory.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
2f9859ab2f build: Reuse firecracker directory on builds.
kata-deploy buider now reuses the build directory, this
makes faster rebuilds. Update firecracker builder to
not fail if is called twice.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
3533a5b61d Packaging: stop using GOPATH for yq.
Use the yq installed in the env.  Needed
to build kata from docker. The container builder
has not an initial Go env.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
Carlos Venegas
0c5ded4bd7 kata-deploy: build kata only with docker in host
Add script to build kata using docker.

Allow build kata-deploy binaries using docker.
kata-deploy-binaries-in-docker.sh is a wrapper of
kata-deploy-binaries.sh it will call kata-deploy-binaries.sh in a
container with all the dependencies installed.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00
GabyCT
fe7e6a2dc1 Merge pull request #2336 from YchauWang/wyc-docs-test
docs: update url for log parser in how-to-import-kata-logs-with-fluen…
2021-07-28 10:19:56 -05:00
Julio Montes
e27733db94 Merge pull request #2334 from likebreath/0727/clh_v17.0
versions: Upgrade to Cloud Hypervisor v17.0
2021-07-28 10:18:38 -05:00
Fabiano Fidêncio
fff76d5e90 Merge pull request #2331 from Jakob-Naucke/snap-initrd-path
snap: Substitute image configuration with initrd
2021-07-28 09:44:06 +02:00
wangyongchao.bj
2ec310934a docs: update url for log parser in how-to-import-kata-logs-with-fluentd.md
fixed the log parser url to kata 2.x path
(https://github.com/kata-containers/tests/tree/main)
for the How to import Kata Containers logs into Fluentd Doc.

Fixes #2335

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-28 10:56:23 +08:00
GabyCT
5283f73b0c Merge pull request #2329 from GabyCT/topic/udeveloperguide
docs: Update url for log parser in Developer guide
2021-07-27 14:00:33 -05:00
Bo Chen
cc0bb9aebc versions: Upgrade to Cloud Hypervisor v17.0
Highlights from the Cloud Hypervisor release v17.0: 1) ARM64 NUMA
support using ACPI; 2) `Seccomp` support for MSHV backend; 3) Hotplug of
macvtap devices; 4) Improved SGX support; 5) Inflight tracking for
`vhost-user` devices; 6) Bug fixes.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v17.0

Note: The client code of cloud-hypervisor's OpenAPI is automatically
generated by `openapi-generator` [1-2]. As the API changes do not
impact usages in Kata, no additional changes in kata's runtime are
needed to work with the current version of cloud-hypervisor.

[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md

Fixes: #2333

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-07-27 11:56:29 -07:00
Jakob Naucke
8e9ffe6f3a snap: Substitute image configuration with initrd
rather than removing the other line because configuration only contains
the image line ever more and this is how we already do it in tests.

Fixes: #2330
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-27 18:39:14 +02:00
Fupan Li
838e169b9c Merge pull request #2248 from lifupan/check_file_exist
mount: fix the issue of missing check file exists
2021-07-27 23:29:26 +08:00
Gabriela Cervantes
8b15eafa6a docs: Update url for log parser in Developer guide
This PR updates the proper url for log parser for kata 2.x for
the Developer Guide document.

Fixes #2328

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-07-27 15:19:06 +00:00
Jianyong Wu
77604de80b qemu/arm: remove nvdimm/"ReadOnly" option on arm64
There is a new "ReadOnly" option added to nvdimm device in qemu
and now added to kata. However, qemu used for arm64 is a little
old and has no this feature. Here we remove this feature for arm.

Fixes: #2320
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-07-27 20:32:55 +08:00
Fabiano Fidêncio
9806e88963 Merge pull request #2319 from kata-containers/dependabot/go_modules/src/runtime/github.com/containerd/containerd-1.5.4
build(deps): bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /src/runtime
2021-07-27 08:49:50 +02:00
Archana Shinde
d2c7b5e782 Merge pull request #2318 from GabyCT/topic/updateread
docs: Update experimental documentation
2021-07-26 23:00:41 -07:00
Gabriela Cervantes
4fbae549e4 docs: Update experimental documentation
This PR updates the experimental documentation with the proper reference
to kata 2.x

Fixes #2317

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-07-26 20:29:21 +00:00
Julio Montes
1fbfd99d37 Merge pull request #2314 from Jakob-Naucke/no-agent-version
snap: do not export agent version
2021-07-26 13:14:38 -05:00
dependabot[bot]
07f7ad9d63 build(deps): bump github.com/containerd/containerd in /src/runtime
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.2 to 1.5.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v1.5.2...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
...

Fixes: #2322
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-07-26 23:34:09 +08:00
Jakob Naucke
9c0b8a7f5b snap: do not export agent version
This causes the repository to be checked out to a version tag, which is
inconsistent with how we build runtime, and reverts us to a buggy
`snap/snapcraft.yaml`.

Fixes: #2313
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-26 17:32:18 +02:00
Fabiano Fidêncio
695a7ad758 Merge pull request #2310 from fidencio/wip/upgrade-runc-to-1.0.1
Upgrade runc to 1.0.1
2021-07-26 14:50:42 +02:00
Fabiano Fidêncio
3727caf7d8 versions: Update runc to 1.0.1
Let's ensure the runc version installed and used for running our tests
matches the vendored version.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-26 11:34:27 +02:00
Fabiano Fidêncio
116c29c897 cgroups: manager's Set() now takes Resources as its parameter
Pior our bump to runc 1.0.1 the manager's Set() would take a Config as
its parameter.  Now it takes the Resources directly.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-26 11:34:27 +02:00
Fabiano Fidêncio
c0f801c0c4 rootless: RunningInUserNS() is now part of userns namespace
Previously part of the "system" namespace, the RunningInUserNS() has
been moved to the "userns" namespace.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-26 11:34:23 +02:00
Fabiano Fidêncio
b5293c5214 runtime: update runc dependency to 1.0.1
Dependabot brought to us attention that we were still vendoring the runc
code which was affected by CVE-2021-30465.

Although the vulnerability doesn't seem to affect kata-containers, we
better keep our dependencies up-to-date anyways.  With this in mind,
let's bump our runc dependency to the latest release.

Fixes: #2309

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-26 08:06:43 +02:00
snir911
3160f0102d Merge pull request #2300 from devimc/2021-07-22/RONVDIMM
runtime: read-only NVDIMM
2021-07-25 18:13:20 +03:00
Julio Montes
2859600a6f runtime: virtcontainers: make rootfs image read-only
Improve security by making rootfs image read-only, nobody
will be able to modify it from the guest.

fixes #1916

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-23 13:20:42 -05:00
GabyCT
24cbb97f68 Merge pull request #2298 from fgiudici/yq_latest_fix
osbuilder/scripts: add support to yq version 4 and above
2021-07-23 12:19:46 -05:00
Fabiano Fidêncio
d75c01bd67 Merge pull request #2186 from YchauWang/yc-osbuilder-arm
osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
2021-07-23 11:17:08 +02:00
Carlos Venegas
8befb1f39f kata-deploy: Refactor builder options.
Update kata-deploy-binaries.sh cli options.

Add options to allow ask build a tarball for a specific asset.
It will help developers build a specific component and update
a kata-deploy installation. Also build each asset independetly
can help to create cache tarballs per asset in the future.

e.g. Build a tarball with shimv2.

```
./kata-deploy-binaries.sh --build=shim-v2
```

Additionally, the script path is moved to a new directory
as not only will work for releases.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-22 20:58:54 +00:00
Carlos Venegas
7125f5d8cf image-builder: Allow build image and initrd independently.
This will help to do concurrent builds and speedup CI.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-22 20:49:38 +00:00
Francesco Giudici
0f8c0dbc52 osbuilder/scripts: add support to yq version 4 and above
yq changed syntax in an incompatible way starting from version 4 and
above. Deal with that.

Fixes: #2297

Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
2021-07-22 16:01:57 +02:00
Julio Montes
070590fb53 vendor: update govmm
Bring read-only nvdimm support

Shortlog:
335fa81 qemu: fix golangci-lint errors
61b6378 .github/workflows: reimplement github actions CI
9d6e797 go: support go modules
0d21263 qemu: support read-only nvdimm
ff34d28 qemu: Consistent parameter building

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-22 08:47:44 -05:00
Chelsea Mafrica
b817340f94 Merge pull request #2282 from lifupan/main
monitor: mv the monitor socket into sbs directory
2021-07-20 15:26:31 -07:00
Julio Montes
d08923d55a Merge pull request #2237 from devimc/2020-07-14/fixFieldalignment
fix govet fieldalignment
2021-07-20 14:03:36 -05:00
GabyCT
d53d3b4f6a Merge pull request #2272 from pmores/pull-1515
docs: added a glossary to support SEO tactics
2021-07-20 13:04:39 -05:00
Julio Montes
b4c45df885 runtime: tools/packaging/cmd/kata-pkgsync: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 12:09:54 -05:00
Julio Montes
aec530904b runtime: virtcontainers/utils: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
1e4f7faa77 runtime: virtcontainers/types: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
bb9495c0b7 runtime: virtcontainers/pkg: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
80ab91ac2f runtime: virtcontainers/persist: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
54bdd01811 runtime: virtcontainers/factory: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
dd58de368d runtime: virtcontainers/device: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
47d95dc1c6 runtime: virtcontainers: fix govet fieldalignment
Fix structures alignment

fixes #2271

Depends-on: github.com/kata-containers/tests#3727

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 11:59:15 -05:00
Julio Montes
8ca7a7c547 runtime: netmon: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 10:30:30 -05:00
Julio Montes
31de8eb75b runtime: pkg: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 10:30:30 -05:00
Julio Montes
2b80091e14 runtime: containerd-shim-v2: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 10:30:30 -05:00
Julio Montes
0dc59df68f runtime: cli: fix govet fieldalignment
Fix structures alignment

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-20 10:30:30 -05:00
Jakob Naucke
54bcd3c946 Merge pull request #2284 from Jakob-Naucke/ci-expand-to-nothing
ci: expand $CI to nothing
2021-07-20 17:10:35 +02:00
Jakob Naucke
c10425233b ci: expand $CI to nothing
PR #2252 put `set -o nounset` in `ci/lib.sh`. It turns out that this
won't work when `$CI` is unset (it is always set in CI). Expand `$CI` to
nothing.

Fixes: #2283
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-20 15:55:36 +02:00
Peng Tao
fd2607cc43 Merge pull request #2202 from teawater/swap7
Add swap support
2021-07-20 21:12:30 +08:00
Julio Montes
5512da1739 Merge pull request #2280 from YchauWang/wyc-arm-qemu
snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
2021-07-20 07:33:39 -05:00
fupan.lfp
add480ed59 monitor: mv the monitor socket into sbs directory
Since the monitor socket used the unix socket path file,
which needed to be cleaned after the pod terminated,
thus put it into the sandbox data directory, and it
would be cleaned up once the sandbox termianted.

Fixes: #2269

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-20 19:10:01 +08:00
Fabiano Fidêncio
75c5edd66a Merge pull request #2263 from eryugey/eryugey/for-main
agent: clear MsFlags if the option has clear flag set
2021-07-20 12:50:45 +02:00
Jakob Naucke
67906b4876 Merge pull request #2250 from Jakob-Naucke/remove-qemu-snap
snap: Remove QEMU before clone
2021-07-20 11:28:32 +02:00
hspease99
f7c6f17060 docs: added a glossary to support SEO tactics
This commit is a result of Assisted PR Process for PR #1515.  It
deviates from it in that the original commits were not retained as the
original commit structure was unnecessarily complex - the same commit
was added to two parallel branches which were then merged, producing the
same result in the end as any of the original two non-merge commits.
Also, a squash was requested by an original PR review.

Other changes to the original PR were changing capitalisation of the word
"Kubelet" in Glossary.md to placate spell checker and fixing link names and
syntax.

The original commit message follows:

The terms added are: Kata Containers, container software, container
runtime interface, virtual machine software, container virtualization,
container security solutions, serverless containers, pod containers,
virtual machine monitor, private cloud, infrastructure architecture,
public cloud, and auto scaling.

Fixes: #1509

Signed-off-by: Helena Spease <helena@openstack.org>
Signed-off-by: Pavel Mores <pmores@redhat.com>
2021-07-20 11:22:58 +02:00
Jakob Naucke
1838c3a33b Merge pull request #2277 from YchauWang/wyc-doc-dev
docs: fix minikube installation guide runtimeclasses error
2021-07-20 10:45:29 +02:00
snir911
259f0e26d1 Merge pull request #2274 from YchauWang/wyc-doc-test
docs: fixed kata-deploy path for kata logs with fluentd doc
2021-07-20 10:50:19 +03:00
wangyongchao.bj
a8649acfd0 snap: fixed snap aarch64 qemu patches dir in snapcraft.yaml file
fixed arm qemu patches dir in snap part. Clear the old `packaging/obs-packaging` path.

Fixes: #2279

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-20 15:24:42 +08:00
Bin Liu
6b00806bb8 Merge pull request #2243 from egernst/bump-tokio
agent/agent-ctl: update tokio to 1.8.1
2021-07-20 13:56:32 +08:00
wangyongchao.bj
3882619471 osbuilder: update centos arm rootfs image config 'GPG_KEY_ARCH_URL'
fix GPG_KEY_ARCH_URL config of centos's config_aarch64,
update to "http://mirror.centos.org/altarch/7/os/aarch64/RPM-GPG-KEY-CentOS-7".

Fixes: #2181

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-20 13:49:17 +08:00
wangyongchao.bj
c5fdc0dbb6 docs: fix minikube installation guide runtimeclasses error
the kata-deploy project scripts were changed, but minikube installation guide doc still use old yaml script.
fix guide doc use the new yaml script of runtimeClasses.

Fixes: #2276

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-20 13:39:06 +08:00
wangyongchao.bj
f2ef25c67f docs: fixed kata-deploy path for kata logs with fluentd doc
The kata-deploy project path has changed from kata v2. fixed kata-deploy path in the document how-to-import-kata-logs-with-fluentd.md.
The correct path is `$GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy`

Fixes: #2273

Signed-off-by: wangyongchao.bj <wangyongchao.bj@inspur.com>
2021-07-20 10:41:18 +08:00
Bin Liu
1b71d31121 Merge pull request #2252 from Jakob-Naucke/ci-nounset
ci: set -o nounset
2021-07-20 10:03:28 +08:00
Wainer Moschetta
6310f0543a Merge pull request #2239 from wainersm/static_checks-improvements-2
static-checks: Add a make target to run static-checks locally
2021-07-19 14:25:23 -03:00
Hui Zhu
cb6b7667cd runtime: Add option "enable_guest_swap" to config hypervisor.qemu
This commit add option "enable_guest_swap" to config hypervisor.qemu.
It will enable swap in the guest. Default false.
When enable_guest_swap is enabled, insert a raw file to the guest as the
swap device if the swappiness of a container (set by annotation
"io.katacontainers.container.resource.swappiness") is bigger than 0.
The size of the swap device should be
swap_in_bytes (set by annotation
"io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
If swap_in_bytes and memory_limit_in_bytes is not set, the size should be
default_memory.

Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:22:06 +08:00
Hui Zhu
a733f537e5 runtime: newContainer: Handle the annotations of SWAP
This commit add code to handle the annotations
"io.katacontainers.container.resource.swappiness" and
"io.katacontainers.container.resource.swap_in_bytes".
It will set the value of "io.katacontainers.resource.swappiness" to
c.config.Resources.Memory.Swappiness and set the value of
"io.katacontainers.resource.swap_in_bytes" to
c.config.Resources.Memory.Swap.

Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:20:46 +08:00
Hui Zhu
2c835b60ed ContainerConfig: Set ocispec.Annotations to containerConfig.Annotations
ocispec.Annotations is dropped in ContainerConfig.
This commit let it to be set to containerConfig.Annotations in
ContainerConfig.

Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:20:43 +08:00
Hui Zhu
243d4b8689 runtime: Sandbox: Add addSwap and removeSwap
addSwap will create a swap file, hotplug it to hypervisor as a special
block device and let agent to setup it in the guest kernel.
removeSwap will remove the swap file.

Just QEMU support addSwap.

Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:20:40 +08:00
Hui Zhu
e1b91986d7 runtime: Update golang proto code for AddSwap
Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:20:37 +08:00
Hui Zhu
4f066db8da agent: agent.proto: Add AddSwap
Add new fuction AddSwap.  When agent get AddSwap, it will get the device
name from PCIPath and set the device as the swap device.

Fixes: #2201

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-07-19 23:20:34 +08:00
Fabiano Fidêncio
11d84cca46 Merge pull request #2229 from lifupan/fix_virtiofsd
virtiofsd: fix the issue of missing stop virtiofsd
2021-07-19 13:34:59 +02:00
Jakob Naucke
4f23b8cd47 ci: set -o nounset
This avoids confusion e.g. when `$GOPATH` is unset.

Fixes: #2251
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-19 11:26:01 +02:00
Bin Liu
5737b36a35 Merge pull request #2175 from Rapiz1/patch-1
docs: Update containerd configuration format
2021-07-19 17:10:19 +08:00
Bin Liu
1da8fa1655 Merge pull request #2171 from liubin/feature/delete-golang-for-rootfs-builder
osbuilder: Skip installing golang for building rootfs
2021-07-19 17:06:57 +08:00
Bin Liu
1bb0705765 Merge pull request #2245 from liubin/2244-update-makefile-of-agent-ctl
agent-ctl: Use a common Makefile style like other components
2021-07-19 17:06:40 +08:00
Bin Liu
b94ebc30b4 Merge pull request #2235 from Tim-Zhang/vsock-exporter-async
vsock-exporter: switch to tokio runtime
2021-07-19 17:06:14 +08:00
Fabiano Fidêncio
462e445d2f Merge pull request #2261 from ManaSugi/fix/oci-hooks-explanation
config: Fix description for OCI hooks
2021-07-19 10:38:16 +02:00
Fabiano Fidêncio
f8d71eb96b Merge pull request #2253 from lifupan/fix_socket_address
shimv2: fix the issue of kata-runtime exec failed
2021-07-19 10:38:06 +02:00
Fabiano Fidêncio
a8a623fb75 Merge pull request #2257 from fidencio/wip/runtime-option-fix
shim-v2: Be compatible with the old runtime options
2021-07-19 08:05:01 +02:00
Eryu Guan
35cbc93dee agent: clear MsFlags if the option has clear flag set
'FLAGS' hash map has bool to indicate if the flag should be cleared or
not. But in parse_mount_flags_and_options() we set the flag even 'clear'
is true. This results in a 'rw' mount being mounted as 'MS_RDONLY'.

Fixes: #2262
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
2021-07-19 11:50:10 +08:00
Manabu Sugimoto
ff87da721b config: Fix description for OCI hooks
- Update url for osbuilder
- Fix typo about poststart

Fixes: #2260

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-07-18 16:47:19 +09:00
Fabiano Fidêncio
fcc93b0074 shim-v2: Be compatible with the old runtime options
Seems that at least some versions of container, when using ConifgPath,
still rely on the runtime options and its APIs from the not in use
anymore github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1.

The fact backward compat breaks when moving from the old to the new
runtime options, which happened as part of f60641a6e6d, strongly feels
like a containerd bug.  Regardless, we can easily work this around on
our side without much hassle.

Just by importing old runtime options the unmarshalling doesn't break
anymore and we can easily check whether getting the options fails or not
and fallback to the old way if it does.

Fixes: #2258

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-18 00:07:57 +02:00
fupan.lfp
8e0daf6780 shimv2: fix the issue of kata-runtime exec failed
Commit 32c9ae1388 upgrade the
containerd vendor, which used the socket path to replace
the abstract socket address for socket listen and dial, and
there's an bug in containerd's abstract socket dialing.

Thus we should replace our monitor and exec socket server
with the socket path to fix this issue.

Fixes: #2238

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-16 11:41:09 +08:00
bin
b12b21f337 osbuilder: Skip installing golang for building rootfs
Building rootfs does not depend on golang, delete intalling
golang may save build time.

And there is only rust agent now, the code for golang agent should
be deleted too.

Fixes: #2170

Signed-off-by: bin <bin@hyper.sh>
2021-07-15 23:59:15 +08:00
Jakob Naucke
558f1be62d snap: Remove QEMU before clone
If you snap in an environment where you previously snapped,
`git clone`ing QEMU will fail. Remove the checkout directory.

Fixes: #2249
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-15 12:22:21 +02:00
fupan.lfp
5371b9214f mount: fix the issue of missing check file exists
It's better to check whether the destination file exists
before creating them, if it had been existed, then return
directly.

Fixes: #2247

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-15 18:09:33 +08:00
bin
27b299b2a7 agent-ctl: Use a common Makefile style like other components
Update Makfile like other components, and remove the -v option of
cargo build commond.

Fixes: #2244

Signed-off-by: bin <bin@hyper.sh>
2021-07-15 12:59:58 +08:00
Eric Ernst
0508469994 agent-ctl: bump to latest tokio
Update tokio to get latest fixes, including RUSTSEC-2021-0072

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-07-14 17:18:43 -07:00
Eric Ernst
acf6932863 agent: update tokio to 1.8.1
Update to latest tokio to address RUSTSEC-2021-0072:
 Task dropped in wrong thread when aborting `LocalSet` task

Update the toml to specify just 1.x for the tokio version.

Fixes: #2165

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-07-14 17:18:21 -07:00
Fabiano Fidêncio
594ff3a5bd Merge pull request #2241 from fidencio/wip/use-the-correct-image-for-kata-deploy
kata-deploy: Use the correct image for kata-deploy
2021-07-15 00:59:45 +02:00
Fabiano Fidêncio
fdf9731992 kata-deploy: Use the correct image for kata-deploy
While doing the release we've faced the following issue:
```
  Dockerfile for action: '/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile'.
  /usr/bin/docker build -t 8a33c1:c0625fe487ce5e4c8217747bef28861f -f "/home/runner/work/kata-containers/kata-containers/./packaging/kata-deploy/action/Dockerfile" "/home/runner/work/kata-containers/kata-containers/packaging/kata-deploy/action"
  Sending build context to Docker daemon  15.87kB
  Step 1/12 : FROM microsoft/azure-cli:latest
  pull access denied for microsoft/azure-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```

Carlos pointed out that the image has gone awry and that we could use
mcr.microsoft.com/azure-cli instead.

Fixes: #2240

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-15 00:03:11 +02:00
Fabiano Fidêncio
17262cfe93 Merge pull request #2236 from fidencio/2.2.0-alpha1-branch-bump
# Kata Containers 2.2.0-alpha1
2021-07-14 21:56:53 +02:00
Wainer dos Santos Moschetta
dcd2986724 static-checks: Call the static-checks make target
Instead of calling the ci/static-checks.sh script directly, it was changed the
workflow to call `make static-checks`. And because the `static-checks` target
depends on build, the build step in the workflow is not longer needed.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-07-14 16:01:54 -03:00
Wainer dos Santos Moschetta
afd9785051 makefile: Add static-checks target
Added the 'static-checks' make target to allow developers to easily run
the static checks locally.

Fixes #2206
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-07-14 15:54:06 -03:00
Fabiano Fidêncio
c8aab29b38 release: Kata Containers 2.2.0-alpha1
- runtime: Register defer function at early stage
- Ensure the go vendored code is up-to-date and that we actually can call `cargo vendor` on every pull-request
- ci: add golang 1.16 to the CI
- Update outdated comments and do some minor reworks
- snap: Build initrd on ppc64le & s390x
- ci: static checks: use defined target_branch
- trace-forwarder: Add option rustflags, target, build-type for the make
- CI: Honour force-skip-ci label
- qemu: stop the virtiofsd specifically
- tracing: Consolidate tracing into a new katatrace package
- runtime: return error if clh's binary doesn't have a normal stat
- osbuilder: Fix the order of checking the distro config directory
- agent: Fix to parsing of /proc/self/mountinfo
- runtime: Fix lint issues
- snap: Miscellaneous s390x fixes
- runtime: Use CC=gcc on all RPM-based s390x
- s390x: Enable virtio-blk-ccw
- forwarder: Add dump only option
- shimv2: fix the issue of leaking the hypervisor processes
- runtime: Remove the version check for cloud hypervisor
- agent: fix wrong regular exp to fetch guest-cid
- runtime: refact virtcontainers/pkg/oci
- agent: enhance tests of execute_hook
- agent: Cleanup config
- Pass span context from runtime to agent to get a full trace #1968
- agent: update netlink libraries
- shimv2: update containerd vendor
- runtime: Format golang proto code
- agent: delete some lint attributes
- docs: Fix url in virtiofs documentation
- tools: agent-ctl: Fix build failure
- cargo: Use latest nix crate for all Rust code bases
- virtcontainers: Don't fail memory hotplug
- Add "watchable-mounts" concept to allow for  inotify support of specific types of mounts.
- tracing: Make runHooks() span creation return context
- kernel: Add Secure Execution guest
- packaging: Support Podman in QEMU build
- Update qat version
- docs: Set LIBC=gnu for s390x too
- shimv2: fix the issue of leaking wait goroutines
- runtime: report finish time in containers stats
- docs: Fix typos in Developer Guide
- docs: Update urls for Documentation Requirements document
- runtime: update default machine type to q35
- docs: fix brackets usage error for developer guide
- Remove the pc machine
- runtime: do not hot-remove PMEM devices
- docs: Update kata-deploy urls for installation document
- docs: Update url for installation guides
- agent: Add some mount options and sort the options alphabetically
- runtime: using detail propertites instead of function name in log field
- qemu: Add nvdimm read-only file support
- ci: snap: Fetch history to all branches and tags
- memory_offset must be larger than 32 bit
- containerd-shim-v2: Skip TestIoCopy unit test
- ppc64le: Adding test for appendProtectionDevice
- agent: Update rust version for tokio
- Upgrade mio to v0.7.13 to fix epoll_fd leak problem
- osbuilder: fix log message that is not error but seems like an error
- docs: Update url for breaking compatibility
- docs: Remove docker support with kata 2.x and sysctls
- docs: Update README for runtime documentation
- Support SEV
- test: Add a unit test for ioCopy()
- versions: Upgrade to cloud-hypervisor v16.0

e3860691 static-checks: Restrict static checks to go 1.15 and 1.16
f4fbf723 runtime: Update vendored code
a20074d4 static-checks: Check the vendored code
ac8f972e build: Add `make vendor`
f9643d83 agent-ctl: Add `make vendor`
5e69b498 trace-forwarder: Add `make vendor`
a104f132 agent: Add `make vendor`
579b3f34 runtime: Add `make vendor`
930ca55d runtime: Add `make handle_vendor`
39546a10 runtime: delete not used functions
d0bc148f runtime: Register defer function at early stage
350acb2d virtcontainers: refactoring code for error handling in sandbox
858f39ef virtcontainers: update wrong comments for code
e0a19f6a virtcontainers: update API documentation
8d6dd2ad snap: support golang 1.16.x
a48dc93f versions: update newest golang version
37996791 ci: add 1.16 to the list of golang versions to test
6999dcca trace-forwarder: Add option rustflags, target, build-type for the make
7db8a85a CI: Honour force-skip-ci label
007a6561 snap: Build initrd on ppc64le & s390x
9b8cc458 ci: static checks: use defined target_branch
9081bee2 runtime: return error if clh's binary has not a normal stat
b10e3e22 tracing: Consolidate tracing into a new katatrace package
88e70759 osbuilder: Fix the order of checking the distro config directory
1ab72518 agent: Fix to parsing of /proc/self/mountinfo
8f76626f qemu: stop the virtiofsd specifically
da3de3c2 shim-v2: Fix `gosimple` issue on utils_test.go
305fb054 virtcontainers: Fix `gosimple` issue on client.go
89cf168c virtcontainers: Ignore a staticcheck error on cpuset.go
2cc9006c snap: Miscellaneous s390x fixes
28b2c629 runtime: Use CC=gcc on SUSE s390x too
cfd690b6 virtcontainers: Use virtio-blk-ccw on s390x
8758ce26 agent: Enable virtio-blk-ccw
a33d6bae forwarder: Add dump only option
4c809a53 shimv2: fix the issue of leaking the hypervisor processes
d08603be runtime: Remove the version check for cloud hypervisor
2c943012 agent: fix wrong regular exp to fetch guest-cid
e6b1766f agent: Cleanup config
55c5c871 agent: enhance tests of execute_hook
bd595124 runtime: add spans and attributes for agent/mount
65d2fb5d agent: remove instrument attribute for some simple functions
cfb8139f agent: add more instruments for RPC calls
ae46e7bf runtime: pass span context to agent in ttRPC client
66dd8719 runtime: refact virtcontainers/pkg/oci
d671f789 agent: fix the issue of convert OCI spec to RPC spec
f607641a shimv2: fix the issue bring by updating containerd vendor
79e632bc version: update the cri-containerd to v1.5.2
32c9ae13 shimv2: update containerd vendor
aa264f91 agent: update netlink libraries
34bdddbe docs: Fix url in virtiofs documentation
3e8a07c4 tools: agent-ctl: Fix build failure
f6294226 cargo: Use latest nix crate for all Rust code bases
064dfb16 runtime: Add "watchable-mounts" concept for inotify support
3f0f1ceb docs: inotify: add initial documentation
6a93e5d5 agent: Initial watchable-bind implementation
57c0cee0 runtime: Cleanup mountSharedDirMounts, shareFile parameters
772c117d kernel: Add Secure Execution guest
f35ba94d packaging: Support Podman in QEMU build
8310a3d7 virtcontainers: Don't fail memory hotplug
ecd13ec4 docs: Update QAT docs with newer driver version
a822cdf6 osbuilder: Update QAT driver version
6a1a051c runtime: report finish time in containers stats
fe0085ca docs: Set LIBC=gnu for s390x too
08984b6e docs: Update urls for Documentation Requirements document
b3623a2c shimv2: fix the issue of leaking wait goroutines
2322f935 runtime: update default machine type to q35
11f9a914 docs: fix brackets usage error for developer guide
1316fa53 docs: Fix typos in Developer Guide
ac6b9c53 runtime: Hot-plug virtio-mem device on PCI bridge
789a5954 virtcontainers: Remove the pc machine
caf5760c runtime: Update golang proto code
bd20701f docs: Update kata-deploy urls for installation document
a9aa36ce docs: Update url for installation guides
ecdd137c runtime: do not hot-remove PMEM devices
000049b6 agent: delete some lint attributes
3f39df0d qemu: Add nvdimm read-only file support
23d31d5a ci: snap: Fetch history to all branches and tags
2022c64f runtime: using detail propertites instead of function name in log field
361bee91 runtime/virtcontrainers: fix alignment structures
6be8bf5c docs: update annotations documentation
7834f412 virtcontainers: change memory_offset to uint64
bd27f7ba agent: Sort PROPAGATION and OPTIONS alphabetically to scan easily
ad06eb90 containerd-shim-v2: Skip TestIoCopy unit test
ea9bb8e9 ppc64le: Adding test for appendProtectionDevice
799cb272 agent: Upgrade mio to v0.7.13 to fix epoll_fd leak problem
45fd58d1 osbuilder: fix log message that is not error but seems like an error
2fb176dd docs: Update url for breaking compatibility
601e2b65 docs: Remove docker support with kata 2.x and sysctls
be316945 virtcontainers: Fix TestQemuAmd64AppendProtectionDevice()
240aae96 docs: Update README for runtime documentation
8825bb29     agent: Update rust version for tokio
cabddcc7 tracing: Make runHooks() span creation return context
e544779c agent: Add some mount options
85c40001 versions: Upgrade to cloud-hypervisor v16.0
b26d5b1d virtcontainers: Support SEV
81c6e4ca runtime/vendor: add github.com/intel-go/cpuid
a918c46f test: Add a unit test for ioCopy()

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 17:52:21 +02:00
Fabiano Fidêncio
3a9ecbcca5 Merge pull request #2231 from liubin/fix/2230-register-defer-callback-at-early-stage
runtime: Register defer function at early stage
2021-07-14 17:50:48 +02:00
Fabiano Fidêncio
2f573bceaf Merge pull request #2223 from fidencio/wip/add-vendor-check-to-the-static-checks
Ensure the go vendored code is up-to-date and that we actually can call `cargo vendor` on every pull-request
2021-07-14 16:00:55 +02:00
fupan.lfp
34828df9a1 virtiofsd: fix the issue of missing stop virtiofsd
The virtiofsd's PID wan't assigned the right pid,
which will result skipping kill it.

Fixes: #2228

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-14 21:07:10 +08:00
Tim Zhang
73d3798cb1 vsock-exporter: switch to tokio runtime
Make the vsock-exporter async totally using tokio runtime.
And delay the timing of the connection to trace-forwarder so that
it is easy to reconnect when the connection was broken.

Fixes: #2234

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-07-14 20:16:05 +08:00
Fabiano Fidêncio
e386069158 static-checks: Restrict static checks to go 1.15 and 1.16
Seems that we get different results when running it with go 1.13.
Instead of figuring out why it doesn't work as expected with an EOL
version of go, let's just not run the tests on go versions that are
already dead.

https://endoflife.date/go

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 14:00:00 +02:00
Fabiano Fidêncio
f4fbf723e1 runtime: Update vendored code
The go vendored code is not up-to-date and the newly added check for
that caught this up as part of
https://github.com/kata-containers/kata-containers/pull/2223/checks?check_run_id=3056830309

Let's take advantage of the `make vendor` target and update the vendored
code. :-)

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
a20074d45c static-checks: Check the vendored code
Let's ensure we always have the go vendored code up-to-date and that the
rust vendor does actually work.

Fixes: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
ac8f972e4b build: Add make vendor
Add a top-level `vendor` entry, which will help us when adding the
vendor check as part of the static checks.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
f9643d83fb agent-ctl: Add make vendor
This has a similar intent as the go code, but not totally equal.  For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.

We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
5e69b498ed trace-forwarder: Add make vendor
This has a similar intent as the go code, but not totally equal.  For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.

We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
a104f13230 agent: Add make vendor
This has a similar intent as the go code, but not totally equal.  For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.

We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:41 +02:00
Fabiano Fidêncio
579b3f34c2 runtime: Add make vendor
Let's add this target so we can actually enforce, as part of the static
checks (which will be added in a follow-up commit), that our vendored go
code is up-to-date.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:40 +02:00
Fabiano Fidêncio
930ca55d02 runtime: Add make handle_vendor
This will help us to ensure that we always update the vendored code when
needed.   Right now we've been lacking behind and we tend to realise
something change during the next mandatory update, which is not exactly
optimal.

Related: #2159

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-14 13:59:40 +02:00
Fabiano Fidêncio
79977a25ec Merge pull request #2102 from devimc/2021-06-23/golang1.16
ci: add golang 1.16 to the CI
2021-07-14 13:59:07 +02:00
bin
39546a1070 runtime: delete not used functions
Delete some not used functions in sandbox.go

Fixes: #2230

Signed-off-by: bin <bin@hyper.sh>
2021-07-14 19:42:50 +08:00
Tim Zhang
38dcdc3d91 Merge pull request #2189 from liubin/2187
Update outdated comments and do some minor reworks
2021-07-14 17:39:52 +08:00
bin
d0bc148fe0 runtime: Register defer function at early stage
Register defer function at early stage ensure that
it can be called if the startSandbox fails.

Fixes: #2230

Signed-off-by: bin <bin@hyper.sh>
2021-07-14 17:20:53 +08:00
Tim Zhang
7960689ef7 tracing: replace SimpleSpanProcessor with BatchSpanProcessor
This change make tokio could be use in vsock-exporter.

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-07-14 15:59:52 +08:00
bin
350acb2d6e virtcontainers: refactoring code for error handling in sandbox
Use a defined error variable replade inplace error, and shortcut
for handling errors returned from function calls.

Fixes: #2187

Signed-off-by: bin <bin@hyper.sh>
2021-07-14 14:28:58 +08:00
bin
858f39ef75 virtcontainers: update wrong comments for code
Some comments/URL are old or wrong, update them
to the correct ones.

Fixes: #2187

Signed-off-by: bin <bin@hyper.sh>
2021-07-14 14:28:57 +08:00
bin
e0a19f6a16 virtcontainers: update API documentation
Some functions add context as its first parameter,
the documentation should update.

Fixes: #2187

Signed-off-by: bin <bin@hyper.sh>
2021-07-14 14:28:57 +08:00
Julio Montes
8d6dd2ad61 snap: support golang 1.16.x
Fix build process, set GO111MODULE environment variable to "auto"

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-13 12:22:33 -05:00
Julio Montes
a48dc93fd4 versions: update newest golang version
update newest golang version to 1.16.5

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-13 12:22:33 -05:00
Julio Montes
3799679109 ci: add 1.16 to the list of golang versions to test
Add 1.16 to the list of golang versions to test

fixes #2101

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-07-13 12:22:33 -05:00
Jakob Naucke
67dfb0b922 Merge pull request #2219 from Jakob-Naucke/snap-390-ppc-initrd
snap: Build initrd on ppc64le & s390x
2021-07-13 12:17:14 +02:00
Fabiano Fidêncio
bfa8fe3183 Merge pull request #2216 from snir911/static_checks_fix
ci: static checks: use defined target_branch
2021-07-13 10:17:15 +02:00
Fabiano Fidêncio
8c4dd3b421 Merge pull request #2199 from Tim-Zhang/tracing-enhance
trace-forwarder: Add option rustflags, target, build-type for the make
2021-07-13 10:16:21 +02:00
Fabiano Fidêncio
e27080b706 Merge pull request #2221 from jodh-intel/action-honour-force-skip-ci
CI: Honour force-skip-ci label
2021-07-13 08:25:02 +02:00
Tim Zhang
6999dccaa8 trace-forwarder: Add option rustflags, target, build-type for the make
Support rust-flags, target and build-type.

Fixes: #2215

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-07-13 11:35:46 +08:00
Eric Ernst
feeb1ef8b1 Merge pull request #2212 from lifupan/fix_virtiofsd
qemu: stop the virtiofsd specifically
2021-07-12 13:56:04 -07:00
Chelsea Mafrica
61b1a6732b Merge pull request #2179 from bporter816/bporter816/refactor-tracing
tracing: Consolidate tracing into a new katatrace package
2021-07-12 12:42:01 -04:00
James O. D. Hunt
7db8a85a1f CI: Honour force-skip-ci label
If a PR has the `force-skip-ci` label set, don't run the static tests.

Fixes: #2220.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-12 16:11:55 +01:00
Jakob Naucke
007a656173 snap: Build initrd on ppc64le & s390x
instead of image, does not require privileged containers since `losetup`
is not used and is thus more portable for various build environments.

Fixes: #2218
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-12 15:17:30 +02:00
Snir Sheriber
9b8cc4581d ci: static checks: use defined target_branch
Fixes: #2214
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-07-12 15:38:37 +03:00
Yujia Qiao
e887b39e95 docs: Update containerd configuration format
`containerd` has adopted a new configuration style. Update the example configuration to reflect the change.

Fixes: #2180

Signed-off-by: Yujia Qiao <qiaoyujia@bytedance.com>
2021-07-12 10:25:21 +00:00
Tim Zhang
6c39c353e6 Merge pull request #2209 from liubin/fix/2208-log-error
runtime: return error if clh's binary doesn't have a normal stat
2021-07-12 15:49:29 +08:00
bin
9081bee2fd runtime: return error if clh's binary has not a normal stat
When checking clh's binary path if valid, return error even
though the error is not a IsNotExist error.

And add errors to log filed when errors occurred.

Fixes: #2208

Signed-off-by: bin <bin@hyper.sh>
2021-07-12 11:16:35 +08:00
Benjamin Porter
b10e3e22b5 tracing: Consolidate tracing into a new katatrace package
Removes custom trace functions defined across the repo and creates
a single trace function in a new katatrace package. Also moves
span tag management into this package and provides a function to
dynamically add a tag at runtime, such as a container id, etc.

Fixes #1162

Signed-off-by: Benjamin Porter <bporter816@gmail.com>
2021-07-11 14:19:51 -05:00
Fabiano Fidêncio
c8f32936d3 Merge pull request #2149 from ManaSugi/fix-order-check-dir
osbuilder: Fix the order of checking the distro config directory
2021-07-11 18:28:32 +02:00
Manabu Sugimoto
88e7075929 osbuilder: Fix the order of checking the distro config directory
Check if the distro config directory exists before using the directory

Fixes: #2148

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-07-11 15:24:25 +09:00
Fabiano Fidêncio
8c921e69ec Merge pull request #2183 from dgibson/mountinfo-misparse
agent: Fix to parsing of /proc/self/mountinfo
2021-07-10 13:07:12 +02:00
David Gibson
1ab72518b3 agent: Fix to parsing of /proc/self/mountinfo
get_mounts() parses /proc/self/mountinfo in order to get the mountpoints
for various cgroup filesystems.  One of the entries in mountinfo is the
"device" for each filesystem, but for virtual filesystems like /proc, /sys
and cgroups, the device entry is arbitrary.  Depending on the exact rootfs
setup, it can end up being "-".

This breaks get_mounts() because it uses " - " as a separator.  There
really is a " - " separator in mountinfo, but in this case the device entry
shows up as a second one.  Fix this, by changing a split to a splitn, which
will effectively only consider the first " - " in the line.

While we're there, make the warning message more useful, by having it
actually show which line it wasn't able to parse.

fixes #2182

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-07-10 19:30:27 +10:00
fupan.lfp
8f76626fd6 qemu: stop the virtiofsd specifically
We'd better stop the virtiofsd specifically after stop qemu,
instead of depending on the qemu's termination to notify virtiofsd
to exit.

Fixes: #2211

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-10 17:26:19 +08:00
Fabiano Fidêncio
75356967c6 Merge pull request #2203 from fidencio/wip/fix-static-checks
runtime: Fix lint issues
2021-07-10 10:43:33 +02:00
Fabiano Fidêncio
da3de3c2eb shim-v2: Fix gosimple issue on utils_test.go
For some reason our static check started to get opinionated about code
that's been there for ages.

One of the suggestions is to improve:

```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/containerd-shim-v2
utils_test.go:76:36: S1039: unnecessary use of fmt.Sprintf (gosimple)
	testDir, err = ioutil.TempDir("", fmt.Sprintf("shimV2-"))
```

And that's what this PR is about.

Fixes: #2204

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-09 17:24:51 +02:00
Fabiano Fidêncio
305fb0547d virtcontainers: Fix gosimple issue on client.go
For some reason our static check started to get opinionated about code
that's been there for ages.

One of the suggestions is to improve:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/client
client.go:431:2: S1017: should replace this `if` statement with an unconditional `strings.TrimPrefix` (gosimple)
	if strings.HasPrefix(sock, "mock:") {
```

And that's what this PR is about.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-09 17:18:08 +02:00
Fabiano Fidêncio
89cf168c92 virtcontainers: Ignore a staticcheck error on cpuset.go
First of all, cpuset.go just comes from kubernetes and we shouldn't be
doing much with this file apart from updating it every now and then
(but that's material for another PR).

Right now, due to some change on the static checks we use as part of our
CI, we started getting issues as:
```
INFO: Running golangci-lint on /home/fidencio/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/cpuset
cpuset.go:60:2: SA4005: ineffective assignment to field Builder.done (staticcheck)
	b.done = true
```

For those, let's just ignore the lint and move on.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-07-09 17:17:12 +02:00
Jakob Naucke
f793b28dfd Merge pull request #2193 from Jakob-Naucke/snap-s390x
snap: Miscellaneous s390x fixes
2021-07-09 11:08:25 +02:00
Jakob Naucke
9577e54e2a Merge pull request #2168 from Jakob-Naucke/fix-cc-suse-s390x
runtime: Use CC=gcc on all RPM-based s390x
2021-07-09 11:07:35 +02:00
Jakob Naucke
e8ec18a9d8 Merge pull request #2027 from Jakob-Naucke/virtio-blk-ccw
s390x: Enable virtio-blk-ccw
2021-07-08 18:22:44 +02:00
James O. D. Hunt
7a481c3f4f Merge pull request #2133 from jodh-intel/trace-forwarder-dump-only
forwarder: Add dump only option
2021-07-08 15:17:36 +01:00
Jakob Naucke
2cc9006c26 snap: Miscellaneous s390x fixes
- Ported from https://github.com/kata-containers/tests/pull/3612:
  Install protobuf-compiler for agent build on ppc64le & s390x
- Fixes in image target for ppc64le & s390x
  - Install image instead of initrd since it's preferred
  - Use Ubuntu as base since Alpine requires a musl agent (cannot be
    built on ppc64le & s390x because there is no such Rust target)
- Ported from
  https://github.com/kata-containers/kata-containers/pull/1265:
  Fix vmlinux install path
- Install libseccomp-dev on all architectures, not just x86_64

Fixes: #2192
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-08 15:02:47 +02:00
Jakob Naucke
28b2c629e3 runtime: Use CC=gcc on SUSE s390x too
This setting is required, as it is on Fedora-likes.

Fixes: #2167
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-08 15:01:32 +02:00
Jakob Naucke
cfd690b638 virtcontainers: Use virtio-blk-ccw on s390x
if virtio-blk-pci were to be used

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-08 14:59:47 +02:00
Jakob Naucke
8758ce26b7 agent: Enable virtio-blk-ccw
Forward-port of https://github.com/kata-containers/agent/pull/600.
Enable virtio-blk-ccw devices in agent (virtio-blk for s390x, already
enabled in runtime).

Fixes: #2026

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-07-08 14:59:47 +02:00
James O. D. Hunt
a33d6bae63 forwarder: Add dump only option
Added a `--dump-only` option which disables forwarding of trace spans.
This essentially makes the forwarder a NOP but can be useful for testing
purposes.

Fixes: #2132.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-07-08 13:12:17 +01:00
Fabiano Fidêncio
432296ae7a Merge pull request #2197 from lifupan/fix_leak_hypervisor
shimv2: fix the issue of leaking the hypervisor processes
2021-07-08 13:49:37 +02:00
Fabiano Fidêncio
cf4a63f1e5 Merge pull request #2137 from likebreath/0628/clh_remove_version_check
runtime: Remove the version check for cloud hypervisor
2021-07-08 10:14:18 +02:00
fupan.lfp
4c809a53d2 shimv2: fix the issue of leaking the hypervisor processes
Since we only send an shutdown qmp command to qemu when do
stopSandbox, and didn't wait until qemu process's exit, thus
we'd better to make sure it had exited when shimv2 terminated.
Thus here to do the last cleanup of the hypervisor.

Fixes: #2198

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-07-08 15:43:58 +08:00
Bo Chen
d08603bebb runtime: Remove the version check for cloud hypervisor
It looks like the version check for cloud hypervisor (clh) was added
initially when clh was actively evolving its API. We no longer need the
version check as clh API has been fairly stable for its recent releases.

Fixes: #1991

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-07-06 18:42:59 -07:00
Julio Montes
7d3cf04f29 Merge pull request #2125 from LiangZhou-CTY/patch-1
agent: fix wrong regular exp to fetch guest-cid
2021-07-06 07:01:43 -05:00
Tim Zhang
3f1aa8ff91 Merge pull request #2084 from liubin/fix/2082-refactor-vc-pkg-oci
runtime: refact virtcontainers/pkg/oci
2021-07-06 19:14:10 +08:00
Bin Liu
26985bbfff Merge pull request #2173 from Tim-Zhang/enhance-test-execute-hook
agent: enhance tests of execute_hook
2021-07-05 14:36:45 +08:00
Liang Zhou
2c9430123e agent: fix wrong regular exp to fetch guest-cid
Fix the incorrect regular expression to fetch the guest context ID.
In " [^,][^,]* ", [^,]* will match to the next ",",
which is after "socket",  so finally got incorrect result.
Use egrep -o "guest-cid=[0-9]*" instead.

Fixes: #2124

Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
2021-07-05 09:46:03 +08:00
Fabiano Fidêncio
015b3baf06 Merge pull request #2178 from mxpv/config
agent: Cleanup config
2021-07-03 09:51:16 +02:00
Fupan Li
2de9c5b41d Merge pull request #1969 from liubin/feature/1968-pass-span-context-to-agent
Pass span context from runtime to agent to get a full trace #1968
2021-07-03 09:31:02 +08:00
Maksym Pavlenko
e6b1766f6b agent: Cleanup config
This commit clean up config parsing and testing code to make it a bit more easy to maintain.
- Adds `with_context` from anyhow to include the underlying error. This helps to understand what exactly went wrong.
- Uses ensure and bail as a shorter alternative for `if` checks.
- TestData in test_parse_cmdline is now implements Default to reduce boilerplate code
- Remove `make_err` as it doesn’t make any sense.

Fixes: #2177

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
2021-07-02 14:28:43 -07:00
Tim Zhang
55c5c871d2 agent: enhance tests of execute_hook
Use which to find the full path of exe before run execute_hook
to avoid error: 'No such file or directory'

Fixes: #2172

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-07-02 14:30:56 +08:00
bin
bd5951247c runtime: add spans and attributes for agent/mount
Add more spans and attributes for agent setup, add devices,
and mount volumes.

Fixes: #1968

Signed-off-by: bin <bin@hyper.sh>
2021-07-02 10:07:28 +08:00
bin
65d2fb5d11 agent: remove instrument attribute for some simple functions
For some simple functions that only process memory data(list/hashmap),
they don't need to be instrumented.

And sometime they may generate non-parent spans, if they are called from
daemon-style "threads".

Fixes: #1968

Signed-off-by: bin <bin@hyper.sh>
2021-07-02 10:07:28 +08:00
bin
cfb8139f36 agent: add more instruments for RPC calls
All RPC calls can get parent span context,
and create new sub-spans for the full trace.

Fixes: #1968

Signed-off-by: bin <bin@hyper.sh>
2021-07-02 10:07:28 +08:00
bin
ae46e7bf97 runtime: pass span context to agent in ttRPC client
Pass span context through ttRPC metadata, that
agent can get parent from the context to create
new sub-spans.

Fixes: #1968

Signed-off-by: bin <bin@hyper.sh>
2021-07-02 10:07:14 +08:00
Fabiano Fidêncio
3fe0af6a9b Merge pull request #2152 from liubin/fix/2111-update-netlink-libs
agent: update netlink libraries
2021-07-01 12:01:35 +02:00
Bin Liu
15d37d5823 Merge pull request #2040 from lifupan/upgrade_containerd
shimv2: update containerd vendor
2021-07-01 15:55:07 +08:00
bin
66dd8719e3 runtime: refact virtcontainers/pkg/oci
Use common functions wrapping logic of getting values
from annotations, parsing bool/uint32/uint64 and setting
to struct fields.

Fixes: #2082

Signed-off-by: bin <bin@hyper.sh>
2021-07-01 10:14:47 +08:00
Eric Ernst
d0ad388721 Merge pull request #2065 from ManaSugi/format-golang-proto
runtime: Format golang proto code
2021-06-30 11:08:57 -07:00
fupan.lfp
d671f78952 agent: fix the issue of convert OCI spec to RPC spec
Since the rpc spec used an interface to represen the ErrnoRet,
thus the transform function of OCItoGRPC should take care of
this case.

Depends-on: github.com/kata-containers/tests#3629

Fixes: #1441

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-06-30 22:56:59 +08:00
fupan.lfp
f607641a6e shimv2: fix the issue bring by updating containerd vendor
Fix the mismatch bring by the upgrading of vendor of  containerd,
cgroup and runtime spec.

Fixes: #1441

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-06-30 22:56:51 +08:00
fupan.lfp
79e632bc23 version: update the cri-containerd to v1.5.2
Upgrade the cri-containerd to v1.5.2 for CI.

Fixes: #1441

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-06-30 22:53:35 +08:00
fupan.lfp
32c9ae1388 shimv2: update containerd vendor
Since the latest containerd's shimv2 had changed the socket
from abstract unix socket to path unix socket, thus we'd
better to update the vendor to match with the latest containerd.

containerd from v1.3.9, v1.4.3 and v1.5.0 used the path unix socket
instead of abstract socket, thus kata wouldn's support the
containerd's version older than them.

Fixes: #1441

short logs:

15d9703d6 Remove ARM64 releases from release notes
    5d2e8e86d Revert "Release artifacts for Linux ARM64"
    7942ae68b Revert "Specify seccomp target arch for CC"
    3187b6dc8 tests: Adds consumed memory stats test
    969ec8949 Specify seccomp target arch for CC
    c19b7b64d RELEASES.md: recommend alternatives for deprecated
features
    8a62aa1c3 Deprecate built-in aufs snapshotter
    4e7915f80 CI: allow Go 1.13 for Docker/Moby compatibility
    8e589e873 Vagrantfile: update to Fedora 34
    5847340a7 tests: Refactors container image usage
    9f43eade6 Prepare v1.5.0-rc.3 release notes
    4c7b960cb prow needs some additional setup for docker buildx
    2e4c1d4b7 Use the multi-arch version of the test images
    4e00c4b65 integration tests needs lsof
    177273680 Add script to build test images
    1b5d59dfe Add multi-arch support for test images
    78e529727 add integration tests
    2b0e6cdd4 Separate jobs for build and test for openlab/arm64
    cdd075853 Release artifacts for Linux ARM64
    efcb18742 Add unit tests for PID NamespaceMode_TARGET validation
    b48f27df6 Support PID NamespaceMode_TARGET
    909660ea9 process: use the unbuffered channel as the done signal
    0f332dadd Update cgroups for regenerated protos
    391b123a5 adds quiet option for ref
    ab1654d0e Fix PushHandler cannot push image that contains duplicated
blobs
    00f8d32ef add not found debug out for check cmd; update usage
    55734b1c5 Prepare 1.5.0-rc.2 release notes
    3ef337ae3 Update containerd vendors to tags
    fbe1e140f Update Go to 1.16.3
    c1d1edbad gha: use sudo -E in some places to prevent dropping
env-vars
    7966a6652 Cleanup code
    5d79d3adb go.mod: update kubernetes to v1.20.6
    1c03c377e go.mod: github.com/containerd/fifo v1.0.0
    12a2a2108 go.mod: github.com/google/uuid v1.2.0
    3292ea586 pkg/seccomp: use sync.Once to speed up IsEnabled
    00b5c99b1 pkg/seccomp: simplify IsEnabled, update doc
    6dd29c25f go.mod: github.com/containerd/aufs
    330a2a809 go.mod: github.com/containerd/zfs
    34780d67a runtime/shim: check the namespace flag first
    c3dde8c4b freebsd: add zfs to the default plugins
    b431fe4fc freebsd: don't run shim delete in deleted dir
    1f4192daf freebsd: exclude v1 runtimes
    cb1580937 metadata: improve deleting a non-empty namespace's error
message
    5bf84034d Remove junit test result processor
    b83d04f91 Add variable names to runtime's interface definitions
    993b86399 Add shim start opts
    9e576b889 Optimize backoff
    5c02688b5 converter: use OpenWriter helper function
    fcf3b275f Add lock for ListPids
    fdb76f55d Fix backword-compatibility issue of non-versioned config
file
    d21fe4625 adds log for each failed host and status not found on host
    8a4cbabc6 Reimport windows layers when comitting snapshots
    2de38a926 fix(windows): create debug npipe failure
    41fc516a2 docs/rootless.md: recommend "easy way" over "hard way"
    864a3322b go.mod: github.com/containerd/go-cni v1.0.2
    ee34caccb go.mod: github.com/Microsoft/go-winio v0.4.17
    d478676d3 go.mod: github.com/containerd/imgcrypt v1.1.1
    1dd45d51c go.mod: github.com/containerd/typeurl v1.0.2
    abd4be07a fix the 404 url
    978ebbef6 Prepare 1.5.0-rc.1 release
    ce116d4c5 go.mod: github.com/containerd/imgcrypt
v1.1.1-0.20210412181126-0bed51b9522c
    0550c3233 containerd-stress: add snapshotter option for stress test
to use
    8a04bd052 address recent runtimes config confusion
    c4778fe1b go.mod: github.com/containernetworking/plugins v0.9.1
    5ce35ac39 devmapper: log pool status when mkfs fails
    75097b8ca hcsshim seems to have been updated
    9ad087947 Switch all our tests to version 2
    e96d2a5d9 Revert "remove two very old no longer used runtime
options"
    14f357b90 CI: update crun to 0.19
    294331060 go.mod: github.com/containerd/console v1.0.2
    bb6c0c2de Add more bolt utils
    0ad8c0a16 Decouple shim start from task creation
    c7504987e Implement windowsDiff.Compare via hcsshim/pkg/ociwclayer
    a64a76846 Replace inline applyWindowsLayer using hcsshim
    149fa366f Don't tease the logger with a %-less format string
    b399e2ef6 Don't lose Compare failure if aborting diff upload fails
    36bf3f0e8 go.mod: github.com/Microsoft/hcsshim v0.8.16
    8e1a8ecd8 Prepare v1.5.0-rc.0
    45df696bf Fix return event publishing error
    4bc8f692f optimize cri redirect logs
    9bc8d63c9 cri/server: use containerd/oci instead of
libcontainer/devices
    dd16b006e merge in the move to the new options type
    9144ce967 shows our runc.v2 default options in the containerd
default config
    3d20fa930 fix TestSetOOMScoreBoundaries
    4d4117415 Change CRI config runtime options type
    21ebeef74 integration: use busybox:1.32.0 since latest is
unavailable
    f9bcf4a8a add section link
    d4be6aa8f rm mirror defaults; doc registry deprecations
    7bb73da6b runtime/v2/shim: remove unused SetScore() and remove
sys.OOMScoreMaxKillable
    91e7d21ee sys: add AdjustOOMScore() utility
    44240116a sys: add boundary checks to SetOOMScore()
    ace1912bb sys: use assert for error checks in OOM tests
    6e7271522 sys: add missing pre-condition checks in tests
    badd60d3f sys: un-export runningPrivileged(), remove
runningUnprivileged()
    21a175860 go.mod github.com/klauspost/compress v1.11.13
    58c5fd09e re-enable cri test
    da998c81e move to gcr.io/k8s-staging-cri-tools test images
    8ba8533bd pkg/cri/opts.WithoutRunMount -> oci.WithoutRunMount
    92ea98eda cri-cni-release: add imgcrypt binaries (v1.1.0)
    4c1fa5719 remotes/docker: Only return "already exists" on push when
the upload was successful
    0186a329e remove two very old no longer used runtime options
    58a07754a Temporarily disable cri-tools critest
    7ae0a60fb Add OCI ref.name to unique key in remotes handler
    5ada2f74a Keep host order as defined in TOML file
    d9ff8ebef support multi-arch images for windows via ctr
    af1e2af72 ci: upload junit formatted test results
    6866b36ab Add workaround to keep docker hosts structs private
    c54d92c79 image: use generic decompressor for calculating DiffID
    1faca349e integration/client: rename package to "client"
    6fc9e4500 synchronize replace rules in integration/client go.mod
with main go.mod
    9e19a2984 Fix hosts test on Windows
    3f406d4af Cleanup vendor
    d56b49c13 Rewrite Docker hosts parser
    e1f51ba73 Use os.File#Seek() to get the size of a block device
    ddd4298a1 Migrate current TOML code to github.com/pelletier/go-toml
    499c2f7d4 Vendor github.com/pelletier/go-toml
    61c749036 integration/util: remove dependency on k8s.io/klog/v2
    d9765f7bf Extend default timeout for nested VM integration run
    5e94745f2 ctr: add --user for task exec
    f8c2f0475 remotes/ctr: allow to limit max concurrent uploads like
downloads
    4674ad7be Ignore some tests on darwin
    55450e773 Run unit tests on CI for MacOS
    311e326a1 Add CI job to cross compile all the things
    10a498c7c Update go-winio to fix compile error on armv7
    1a9c6f557 Revendor zfs to to fix integer overflow
    1fd3d12f9 `go mod tidy` the client integration test module
    da7d96ba3 Clean up WCOW layers after tests in the correct order
    9ad87b9ba adds critools-version
    72b7f4bab task: allow checkpoint on pause state
    e4b9b1038 Make CRI registry docs more clear
    ec4d7736d Increase timeout for linux integration tests
    eb7c7c71e Fix oom tests on non Linux
    708299ca4 Move RunningInUserNS() to its own package
    0886ceaea Fix reference ordering in CRI image store
    bf9db47e8 add caller info to the testHook
    305b42583 use happy-eyeballs for port-forwarding
    22ef69d77 Support HTTP debug in ctr
    01765d097 night ci fix: add packages for ubuntu 20.04
    8cdc1f13b go.mod: github.com/containerd/zfs
v0.0.0-20210322090317-0e92c2247fb7
    30e1e66e5 runtime/v2: Fix defer cleanup
    33776ada0 Use specific image for user namespaces tests
    7704fe72d Specifically mention "mkfs.ext4" on the error from the
command
    1410220d8 Fix error log when copy file
    fe787efa2 Fix error log when kill shim
    8d8c15ca5 contentproxy: ensure grpc stream is closed on commit
    6e343f25e Switch test image to a non rate-limited manifest list
    9fdc96c09 runtime/v2: add comment for checkCopyShimLogError
    24602e7a9 change default runtime for containerd-stress app
    8731888ec Re-enable CRIU tests by not using overlayfs snapshotter
    b520428b5 Fix CRIU
    4e76bcf06 gofmt -s -w all the things
    569023fd5 go.mod: github.com/containerd/nri
v0.0.0-20210316161719-dbaa18c31c14
    0e1f59e89 go.mod: github.com/containerd/zfs
v0.0.0-20210315114300-dde8f0fda960
    ffff68866 upgrade pause image to 3.5 for non-root
    88d3881e1 go.mod: github.com/containerd/fifo
v0.0.0-20210316144830-115abcc95a1d
    a22c43fa4 go.mod: github.com/containerd/aufs
v0.0.0-20210316121734-20793ff83c97
    f6f861736 go.mod: github.com/containerd/btrfs
v0.0.0-20210316141732-918d888fb676
    460b35236 go.mod: kubernetes v1.20.4
    5e484c961 runtime/v2/runc: fix the defer cleanup of the NewContainer
    e6086d9c0 Prepare release notes for v1.5.0-beta.4
    34b7a5f09 Update mailmap
    ba8f9845e move overlay-checks to an overlayutils package
    7776e5ef2 Support adding devices by dir
    d895118c7 runtime/v2/runc: fix leaking socket path
    a76cefd12 plugin status should be skip, not error
    766e7953a Change dgst to digest in debug
    4e8b2f309 rootfs: fix the error handling of the createInitLayer
    d3ad7f390 cmd/ctr: use e.g. in the command usage
    231bbdc37 cmd/ctr: fix export command
    ecb881e5e add imgcrypt stream processors to the default config
    ac2726e12 cmd/containerd: deduplicate config*.go
    9a7ca39cb defaults: add DefaultConfigDir
    8f863afd3 Use net.IP.IsLoopback() to match loopback addresses
    eabd9b98b runtime: ignore file-already-closed error if dead shim

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-06-30 22:53:24 +08:00
Fabiano Fidêncio
550029c473 Merge pull request #2060 from liubin/2059/delete-some-lint-attributes
agent: delete some lint attributes
2021-06-30 16:51:07 +02:00
Fabiano Fidêncio
7d05739f01 Merge pull request #2135 from GabyCT/topic/fixdocvirtiofs
docs: Fix url in virtiofs documentation
2021-06-30 16:47:01 +02:00
bin
aa264f915f agent: update netlink libraries
Update rtnetlink to use crate.io to make cargo vendor work.
Add vendor/ to .gitignore.

Fixes: #2111

Signed-off-by: bin <bin@hyper.sh>
2021-06-30 22:39:50 +08:00
Gabriela Cervantes
34bdddbeb5 docs: Fix url in virtiofs documentation
This PR updates the url for virtiofs documentation.

Fixes #2134

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-30 13:48:29 +00:00
Fabiano Fidêncio
d78e396a33 Merge pull request #2127 from sameo/topic/agent-ctl-build-fix
tools: agent-ctl: Fix build failure
2021-06-30 11:47:02 +02:00
Fabiano Fidêncio
7d37fbfdfb Merge pull request #2115 from sameo/topic/rust-nix
cargo: Use latest nix crate for all Rust code bases
2021-06-28 08:18:53 +02:00
Fabiano Fidêncio
a8bb8269fe Merge pull request #2047 from Jakob-Naucke/s390x-skip-hotplug
virtcontainers: Don't fail memory hotplug
2021-06-28 08:18:31 +02:00
Eric Ernst
69bf7e7519 Merge pull request #1964 from egernst/inotify
Add "watchable-mounts" concept to allow for  inotify support of specific types of mounts.
2021-06-25 12:59:04 -07:00
Samuel Ortiz
3e8a07c415 tools: agent-ctl: Fix build failure
Two nix packages with the same version are specified from the lock file.

Fixes #2126

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-06-25 12:11:38 +02:00
Samuel Ortiz
f6294226e8 cargo: Use latest nix crate for all Rust code bases
Our dependencies already bring several versions of nix, we should avoid
adding even more fragementation.

Fixes #2114

Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
2021-06-25 03:38:37 +02:00
Eric Ernst
064dfb164b runtime: Add "watchable-mounts" concept for inotify support
To workaround virtiofs' lack of inotify support, we'll special case
particular mounts which are typically watched, and pass on information
to the agent so it can ensure that the mount presented to the container
is indeed watchable (see applicable agent commit).

This commit will:
 - identify watchable mounts based on file count and mount source
 - create a watchable-bind storage object for these mounts to
   communicate intent to the agent
 - update the OCI spec to take the updated watchable mount source into account

Unit tests added and updated for the newly introduced
functionality/functions.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-06-24 10:07:06 -07:00
Eric Ernst
3f0f1ceba0 docs: inotify: add initial documentation
We're introducing a workaround for enabling users to utilize inotify on
mounts that are backed by virtiofs. Let's add some documentation on how
this work.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-06-24 10:07:06 -07:00
Maksym Pavlenko
6a93e5d593 agent: Initial watchable-bind implementation
Add support for watchable-bind storage driver. When watchable-bind storage
is present, the agent will create a watchable path in a tmpfs, and poll the
watchable-bind source to keep this new mount-point up to date.

This poll will allow the agent to present the mount-point to the
container, allowing for inotify usage by the container workload.

If a mount becomes too large, either in file count or in overall size,
we want to stop treating it as watchable, and instead just treat as a
bindmount. This'll help avoid DoS by growing tmpfs too large, as well
as limiting time spent scanning files. If a watchable-bind grows beyond
8 files (arbitrary sane number for certs/secrets) or 1MB (limit on ConfigMap size),
we treat it as a normal bind.

Fixes: #1879

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>

agent: watcher: SandboxStorages check loop cleanup
2021-06-24 10:07:06 -07:00
Eric Ernst
57c0cee0a5 runtime: Cleanup mountSharedDirMounts, shareFile parameters
There's no reason to pass the paths; they can be
determined when they are actually used.

Let's make the return values more comparable to the other mount handling
functions (we'll add storage object in future commit), and pass the mount maps as
function parameters.

...No functional changes here...

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-06-24 10:07:06 -07:00
Chelsea Mafrica
ac0bd57748 Merge pull request #2003 from cmaf/fix-span-runHooks
tracing: Make runHooks() span creation return context
2021-06-24 07:50:42 -07:00
Samuel Ortiz
9ab6e07330 Merge pull request #2107 from Jakob-Naucke/protvirt-kernel
kernel: Add Secure Execution guest
2021-06-24 15:29:15 +02:00
Jakob Naucke
3b356be87c Merge pull request #2068 from Jakob-Naucke/podman-qemu
packaging: Support Podman in QEMU build
2021-06-24 15:16:30 +02:00
Fabiano Fidêncio
bb4a256a30 Merge pull request #2104 from eadamsintel/update-qat-version
Update qat version
2021-06-24 11:41:14 +02:00
Jakob Naucke
772c117d4e kernel: Add Secure Execution guest
Add `CONFIG_PROTECTED_VIRTUALIZATION_GUEST=y` to s390's guest kernel
config, which enables running with a secure image (as generated by
s390-tools' `genprotimg`).

Fixes: #2106
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-24 11:34:28 +02:00
Jakob Naucke
f35ba94d30 packaging: Support Podman in QEMU build
Use Podman instead of Docker when $USE_PODMAN is set. This enables
running with Podman, e.g. to import images for CRI-O.

Fixes: #2067

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-24 11:08:47 +02:00
Jakob Naucke
8310a3d70a virtcontainers: Don't fail memory hotplug
Architectures that do not support memory hotplugging will fail when
memory limits are set because that amount is hotplugged. Issue a warning
instead. The long-term solution is virtio-mem.

Fixes: #1412
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-24 10:58:06 +02:00
Fabiano Fidêncio
5a22e0e3b1 Merge pull request #2093 from Jakob-Naucke/doc-s390x-gnu
docs: Set LIBC=gnu for s390x too
2021-06-24 08:08:48 +02:00
Eric Adams
ecd13ec43d docs: Update QAT docs with newer driver version
This updates the QAT docs to the latest driver version.

Fixes: #2103

Signed-off-by: Eric Adams <eric.adams@intel.com>
2021-06-23 23:51:20 +00:00
Eric Adams
a822cdf64d osbuilder: Update QAT driver version
This updates the QAT driver version to the latest version.

Fixes: #2103

Signed-off-by: Eric Adams <eric.adams@intel.com>
2021-06-23 23:49:19 +00:00
Fabiano Fidêncio
f5d9d89b73 Merge pull request #2089 from lifupan/fix_wait
shimv2: fix the issue of leaking wait goroutines
2021-06-23 23:06:11 +02:00
Fabiano Fidêncio
c47a597568 Merge pull request #2097 from littlejawa/issue_crio_ctr_6_main
runtime: report finish time in containers stats
2021-06-23 22:53:12 +02:00
GabyCT
a1d6c3c551 Merge pull request #2077 from davidhay1969/debug_doc_change
docs: Fix typos in Developer Guide
2021-06-23 14:11:48 -05:00
GabyCT
d7ce78cf6a Merge pull request #2095 from GabyCT/topic/fixDocuRe
docs: Update urls for Documentation Requirements document
2021-06-23 11:11:21 -05:00
Julien Ropé
6a1a051c65 runtime: report finish time in containers stats
Make sure we report the exit time for the container when we answer a "Status" request.

Fixes: #2096

Signed-off-by: Julien Ropé <jrope@redhat.com>
2021-06-23 17:36:47 +02:00
Jakob Naucke
fe0085ca55 docs: Set LIBC=gnu for s390x too
The Developer Guide instructs to install the agent from
`${ARCH}-unknown-linux-${LIBC}`, where `$LIBC` is set to `gnu` for
ppc64le (because Rust has no musl target there). The same is true for
s390x. Also set this for s390x.

Fixes: #2092

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-23 17:25:33 +02:00
Gabriela Cervantes
08984b6e31 docs: Update urls for Documentation Requirements document
This PR updates the proper urls for the Documentation Requirements document.

Fixes #2094

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-23 15:16:13 +00:00
Fabiano Fidêncio
951bb6a78f Merge pull request #2086 from liubin/fix/2085-change-machinetype-to-q35
runtime: update default machine type to q35
2021-06-23 14:26:40 +02:00
fupan.lfp
b3623a2c40 shimv2: fix the issue of leaking wait goroutines
After create an container/exec successfully, containerd
would wait it immediately, and if start it failed, there
is no chance to send value to exitCh, thus the wait goroutine
would blocked for ever and had no chance to exit.

Fixes: #2087

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-06-23 19:29:26 +08:00
Jakob Naucke
2a1b6d376a Merge pull request #2080 from focus-zhaos/initrd-doc
docs: fix brackets usage error for developer guide
2021-06-23 13:13:43 +02:00
bin
2322f935c1 runtime: update default machine type to q35
The machine type of pc is deleted, generated configuration
should update too.

Fixes: #2085

Signed-off-by: bin <bin@hyper.sh>
2021-06-23 17:08:44 +08:00
focus-zhaos
11f9a914b9 docs: fix brackets usage error for developer guide
Fixed 3 errors which misused the bracket to substitute parameter for initrd-img creation at the developer guide.

Fixes: #2079

Signed-off-by: focus-zhaos <zhaos@nbjl.nankai.edu.cn>
2021-06-23 17:01:57 +08:00
Dave Hay
1316fa5300 docs: Fix typos in Developer Guide
- Adding missing `$` symbols to 3 references to `sandbox_id` variable
- Adding missing `'` symbol to QEMU-related `socat` command

Fixes #2075

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
2021-06-23 08:46:43 +01:00
David Gibson
c0cc6d5978 Merge pull request #1954 from marcel-apf/remove-pc
Remove the pc machine
2021-06-23 12:00:05 +10:00
Julio Montes
b9e611e363 Merge pull request #2066 from devimc/2021-06-17/fixTeardownPmem
runtime: do not hot-remove PMEM devices
2021-06-22 09:06:59 -05:00
Marcel Apfelbaum
ac6b9c53d2 runtime: Hot-plug virtio-mem device on PCI bridge
Currently the virtio-mem device is hotplugged on the root bus.
This doesn't work for PCIe machines like q35.

Hotplug the virtio-mem device into the pci bridge instead.

Fixes #1953
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2021-06-22 12:34:48 +03:00
Marcel Apfelbaum
789a59549e virtcontainers: Remove the pc machine
Keeping around two different x86 machines has no added value
and require more tests and maintenance. Prefer the q35 machine
since it has more features and drop the pc machine.

Fixes #1953
Depends-on: github.com/kata-containers/tests#3586
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2021-06-22 11:54:07 +03:00
GabyCT
757ddf7b83 Merge pull request #2073 from GabyCT/topic/updateminikube
docs: Update kata-deploy urls for installation document
2021-06-21 14:13:28 -05:00
GabyCT
8bb9192e83 Merge pull request #2070 from GabyCT/topic/updateinstallurl
docs: Update url for installation guides
2021-06-21 11:37:33 -05:00
Manabu Sugimoto
caf5760c45 runtime: Update golang proto code
We should update golang proto files.
These changes are updated using libprotoc v3.6.1.

Fixes: #2064

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-06-19 18:53:56 +09:00
Gabriela Cervantes
bd20701f35 docs: Update kata-deploy urls for installation document
This PR updates the proper url for kata-deploy scripts at the
minikube installation.

Fixes #2072

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-18 18:48:56 +00:00
Gabriela Cervantes
a9aa36cebc docs: Update url for installation guides
This PR updates the correct url for kata installation guides in kata 2.x

Fixes #2069

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-18 16:48:07 +00:00
Julio Montes
ecdd137c6f runtime: do not hot-remove PMEM devices
PMEM devices cannot be hot-removed from a running VM.

fixes #2018

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-18 09:02:03 -05:00
bin
000049b69e agent: delete some lint attributes
Thes lint attributes can be deleted to keep clean code.

Fixes: #2059

Signed-off-by: bin <bin@hyper.sh>
2021-06-18 16:08:25 +08:00
snir911
1faaf5f35d Merge pull request #2000 from ManaSugi/update-mount-flags
agent: Add some mount options and sort the options alphabetically
2021-06-17 11:53:11 +03:00
Tim Zhang
90029032b4 Merge pull request #2049 from liubin/2048/fix-log-field
runtime: using detail propertites instead of function name in log field
2021-06-17 10:53:12 +08:00
Wainer Moschetta
9e6f1f7794 Merge pull request #2041 from wainersm/fix_qemu_5_2
qemu: Add nvdimm read-only file support
2021-06-16 20:48:17 -03:00
Wainer dos Santos Moschetta
3f39df0d18 qemu: Add nvdimm read-only file support
For QEMU 5.0.0 it is applied the patches/5.0.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
to fix an issue with the use of read-only files as backend memory of nvdimm devices. When Kata Containers bumped
to QEMU 5.2.0 that patch was left behind by mistake. In meanwhile a proper feature ("nvdimm: read-only file support")
was proposed and merged upstream (see https://mail.gnu.org/archive/html/qemu-devel/2021-01/msg00258.html).

This contain the backport of the commit 8360ebeb4f4a from QEMU master which should be applied on QEMU 5.2.0
so that feature is available to Kata Containers.

Fixes #2011

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-06-16 17:03:05 -04:00
Fabiano Fidêncio
1bad9999fd Merge pull request #2051 from wainersm/hot_fix_snap_ci
ci: snap: Fetch history to all branches and tags
2021-06-16 22:41:02 +02:00
Wainer dos Santos Moschetta
23d31d5a7c ci: snap: Fetch history to all branches and tags
The snap/snapcraft.yaml set AGENT_VERSION to the current VERSION. The osbuilder script
will try to checkout the AGENT_VERSION tag. Let's ensure that all tags and branches
are fetched by the github's checkout action so the tag checkout does not fail.

Fixes #2052
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-06-16 13:34:09 -04:00
bin
2022c64f94 runtime: using detail propertites instead of function name in log field
To print the correct value of kernel parameters, the log field
value should not be a function name. And for that qemuArchBase
doesn't contain debug flag, so the log contains debug/non-debug
parameters.

Fixes: #2048

Signed-off-by: bin <bin@hyper.sh>
2021-06-17 00:17:16 +08:00
Julio Montes
85bb5cffe1 Merge pull request #2017 from devimc/2021-06-11/fixPmemCSI
memory_offset must be larger than 32 bit
2021-06-16 09:10:48 -05:00
Julio Montes
361bee91f7 runtime/virtcontrainers: fix alignment structures
fix alignment of qemuArchBase and HypervisorConfig structures

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-16 07:16:49 -05:00
Julio Montes
6be8bf5c66 docs: update annotations documentation
update documentation to reflect value type of `memory_offset`

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-16 07:16:49 -05:00
Julio Montes
7834f4127f virtcontainers: change memory_offset to uint64
`memory_offset` is used to increase the maximum amount of memory
supported in a VM, this offset is equal to the NVDIMM/PMEM device that
is hot added, in real use case workloads such devices are bigger than
4G, which is the current limit (uint32).

fixes #2006

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-16 07:16:49 -05:00
Manabu Sugimoto
bd27f7bab5 agent: Sort PROPAGATION and OPTIONS alphabetically to scan easily
It's hard to visually scan over the list currently.
Therefore, we should sort the list alphabetically to scan easily.

Fixes: #1999

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-06-16 17:23:05 +09:00
snir911
fb318532b9 Merge pull request #2044 from devimc/2021-06-15/skipTestIoCopy
containerd-shim-v2: Skip TestIoCopy unit test
2021-06-16 09:59:35 +03:00
Chelsea Mafrica
6abe7caecb Merge pull request #2039 from Amulyam24/pef-tests
ppc64le: Adding test for appendProtectionDevice
2021-06-15 16:19:05 -07:00
Julio Montes
ad06eb90db containerd-shim-v2: Skip TestIoCopy unit test
TestIoCopy unit test is failing randonly, skip it until we have a fix

fixes #2043

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-15 13:17:05 -05:00
Amulya Meka
ea9bb8e9ad ppc64le: Adding test for appendProtectionDevice
Fixes: #2038

Signed-off-by: Amulya Meka <amulmek1@in.ibm.com>
2021-06-15 10:23:38 +00:00
James O. D. Hunt
685d631c4c Merge pull request #2004 from houfangdong/3849/fix-rust-version-for-tokio
agent: Update rust version for tokio
2021-06-15 11:06:37 +01:00
Fupan Li
1ab64e30aa Merge pull request #2034 from Tim-Zhang/fix-mio-epoll-fd-leak
Upgrade mio to v0.7.13 to fix epoll_fd leak problem
2021-06-15 15:33:10 +08:00
Tim Zhang
c881899903 Merge pull request #1990 from liubin/1989/fix-log-message
osbuilder: fix log message that is not error but seems like an error
2021-06-15 15:13:21 +08:00
Tim Zhang
799cb27234 agent: Upgrade mio to v0.7.13 to fix epoll_fd leak problem
Fixes: #2035
Fixes: tokio-rs/tokio/#3809

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-06-15 11:35:49 +08:00
bin
45fd58d11c osbuilder: fix log message that is not error but seems like an error
Only show checkout failed message if AGENT_VERSION is set
and the checkout is failed.

Fixes: #1989

Signed-off-by: bin <bin@hyper.sh>
2021-06-15 10:26:52 +08:00
GabyCT
2f322b8be0 Merge pull request #2032 from GabyCT/topic/fixkernelreadme
docs: Update url for breaking compatibility
2021-06-14 16:40:27 -05:00
Julio Montes
383041959d Merge pull request #2030 from GabyCT/topic/fixsys
docs: Remove docker support with kata 2.x and sysctls
2021-06-14 16:22:46 -05:00
Gabriela Cervantes
2fb176ddee docs: Update url for breaking compatibility
This PR updates the proper url for breaking compatibility for
kata 2.x

Fixes #2031

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-14 14:45:42 -05:00
Gabriela Cervantes
601e2b65c5 docs: Remove docker support with kata 2.x and sysctls
Currently in kata 2.x, we do not have docker support, this PR removes
the docker documentation with sysctls.

Fixes #2029

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-14 14:20:14 -05:00
Julio Montes
9d585935b5 Merge pull request #2020 from GabyCT/topic/fixreadruntime
docs: Update README for runtime documentation
2021-06-14 10:37:20 -05:00
Fabiano Fidêncio
5a71786986 Merge pull request #1674 from jimcadden/stable-2.0-SEV
Support SEV
2021-06-12 16:56:51 +02:00
Fabiano Fidêncio
be31694554 virtcontainers: Fix TestQemuAmd64AppendProtectionDevice()
Since SEV support has been added, an implementation mistake was also
added to TestQemuAmd64AppendProtectionDevice.

appendProtectionDevice() will, as it name says, append the protection
device to whatever was there previously.  So, when SEV was added, we
broke the comparison done for TDX as we didn't append the expected
output for TDX with what we already had for SEV.

This should be enough to get the tests passing.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-06-12 08:56:15 -04:00
Fabiano Fidêncio
723c0ac4d5 Merge pull request #1832 from littlejawa/issue_1713
test: Add a unit test for ioCopy()
2021-06-12 00:34:28 +02:00
Gabriela Cervantes
240aae96dd docs: Update README for runtime documentation
This PR removes old links that were used in kata 1.x but not
longer valid for kata 2.x

Fixes #2019

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-11 16:01:20 -05:00
GabyCT
66e4c77a54 Merge pull request #1993 from likebreath/0610/clh_v16.0
versions: Upgrade to cloud-hypervisor v16.0
2021-06-11 15:11:11 -05:00
Fabiano Fidêncio
e754ff37e4 Merge pull request #2015 from fidencio/2.2.0-alpha0-branch-bump
# Kata Containers 2.2.0-alpha0
2021-06-11 18:51:08 +02:00
Julio Montes
6e7b55baa9 Merge pull request #1995 from GabyCT/topic/removetravisreference
docs: Remove old travis reference
2021-06-11 09:23:47 -05:00
Fabiano Fidêncio
54832cd052 release: Kata Containers 2.2.0-alpha0
- Update CC=gcc setting for Fedora s390x
- osbuilder: Streamline s390x CMake & musl handling
- runtime: remove the call to storeSandbox at the end of createSandboxFromConfig
- virtcontainers: Add support for Secure Execution
- agent: Conform to the latest nix version (0.21.0)
- docs: Update the stable branch strategy to what was proposed in our ML
- runtime: add more traces for network
- tools/packaging: clone meson and dependencies before building QEMU
- runtime: remove covertool from cli test
- factory: Use lazy unmount
- docs: Fix Release Process document
- Add sandbox and container ID to trace spans
- agent: Fix fd leak caused by netlink
- metrics: Add virtiofsd exporter
- versions: Update kubernetes to 1.21.1
- tracing: Add basic VSOCK tracing
- agent: Upgrade tokio-vsock to fix fd leak of vsock socket
- runtime: fix some comments and logs
- runtime: Add support for PEF
- cleanup TODOs in runtime
- tracing: Make runtime span attributes more consistent
- virtiofsd: refactor qemu.go to use code in virtiofsd.go
- runtime: remove unused doc.go
- cgroup: fix the issue of set mem.limit and mem.swap
- agent: re-enable the standard SIGPIPE behavior
- virtiofsd: Fix file descriptors leak and return correct PID
- runtime: and cgroup and SandboxCgroupOnly check for check sub-command
- kernel: add ppc64le fragments
- docs: Use --ignore-preflight-errors=all flag
- agent: fix start container failed when dropping all capabilities
- agent: Remove unnecessary underscore(_) variables
- docs: Add instructions for getting QEMU source
- qemu: align before memory hotplug on arm64
- workflows: release kata 2.x snap through the stable channel
- Sandbox bindmount cleanup
- docs: Update add customer agent command
- agent: Stop relying in the unmaintained prctl crate
- how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
- docs: Add document for memory hotplug on arm64
- github: Run require porting labels only at main
- kernel: add confidential guest build option
- rustjail: separated the propagation flags from mount flags
- runtime: improve sandbox cleanup logic
- docs: add note for connecting debug console for old versions
- image_build: align image size to 128M for arm64
- agent: avoid reaping the exit signal of execute_hook in the reaper
- agent: move the dependency tempfile to the dev-dependencies section
- docs: Document test repository changes when creating a stable branch
- docs: Remove horizontal ruler markers that disable spell checks
- docs/Developer-Guide: Add instructions to apply QEMU patches
- runtime: make dialing timeout configurable
- Get sandbox metrics cli
- Support TDx
- packaging/kata-cleanup: add k3s containerd volume
- osbuilder: Upgrade alpine version to 3.13.5
- Monitor cleanup
- Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
- agent: delete code which is no longer used
- cli: delete tracing code for kata-runtime binary
- docs: add per-Pod Kata configurations for `enable_pprof`
- Fix issue of virtio-mem
- Set fixed NOFILE limit value for kata-agent
- ci/install_yq.sh: install_yq: Check version before return
- runtime: use s.ctx instead ctx for checking cancellation
- runtime: fix some comments

a1247bc0 agent: Conform to the latest nix version (0.21.0)
3130e66d runtime: remove storeSandbox at the end of createSandboxFromConfig
7593ebf9 runtime: Use CC=gcc on Fedora s390x
a484d6db osbuilder: Streamline s390x CMake & musl handling
da2d9ab8 osbuilder: Remove CC=gcc for Fedora s390x
c0c05c73 virtcontainers: Add support for Secure Execution
78f21710 virtcontainers/s390x: Put consts into one block
784025bb runtime: add more traces for network
9ec9bbba tools/packaging: clone meson and dependencies before building QEMU
9158ec68 docs: Fix Release Process document
9e3349c1 agent: Fix fd leak caused by netlink
3d0e0b27 tracing: Add network model to span
8ca02072 tracing: Add sandbox and container ID to trace spans
a9a0eccf tracing: Add basic VSOCK tracing
2234b730 metrics: Add virtiofsd exporter
9bf781d7 agent: Upgrade tokio-vsock to fix fd leak of vsock socket
b68334a1 runtime: fix some comments and logs
1f5b229b runtime: remove FIXME in SandboxState about CgroupPath
fee0004a runtime: remove TODO about hot add memory in qemu.go
2e29ef9c runtime: remove TODO comment from StatusContainer
72cd8f5e virtiofsd: refactor qemu.go to use code in virtiofsd.go
0b22c48d runtime: remove unused doc.go
30f4834c cgroup: fix the issue of set mem.limit and mem.swap
0ae364c8 agent: re-enable the standard SIGPIPE behavior
05a46fed tracing: Make runtime span attributes more consistent
727bfc45 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
b25ad1ab tracing: Make trace-forwarder async
45f02227 tracing: Add trace points
773deca2 virtiofsd: Fix file descriptors leak and return correct PID
37a426b4 runtime: Add support for PEF
fe670c5d docs: Use --ignore-preflight-errors=all flag
5b5047bd docs: Add instructions for getting QEMU source
3e4ebe10 agent: fix start container failed when dropping all capabilities
9a43d76d workflows: release kata 2.x snap through the stable channel
7f1030d3 sandbox-bindmount: persist mount information
089a7484 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
f65acc20 docs: Update add customer agent command
20a382c1 agent: Remove unnecessary underscore(_) variables
4b88532c docs: Don't use Docker as an example of a container manager
4142e424 docs: Don't mention 1.x components as part of the stable branch strategy
a0af2bd7 docs: Use stable-2.x / 2.x.y as example in the branch strategy document
a5e1f66a docs: Maintain only one stable branch per major release
419773b8 docs: Emphasize behaviour changes may be a reason for a major bump
54a75008 docs: Refer to `main` branch in the stable branch strategy document
7dde0b5d kernel: add ppc64le fragments
84906181 kernel: skip fragments for ppc64le
9676b86b kernel: move CONFIG_RANDOMIZE_BASE
bd0cde40 factory: Use lazy unmount
f52468be agent/agent-ctl: Replace prctl crate by the capctl one
d289b1d6 agent-ctl: Perform a `cargo update`
bc36b7b4 qemu: align before memory hotplug on arm64
8aefc793 agent: Perform a `cargo update`
785be0bb how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
f8a16c17 kernel: add confidential guest build option
a65f11ea docs: Add document for memory hotplug on arm64
1b607056 runtime: remove covertool from cli test
fc42dc07 github: Run require porting labels only at main
dbef2b29 versions: Update kubernetes to 1.21.1
35151f17 runtime: sandbox delete should succeed after verifying sandbox state
e5fe572f rustjail: separated the propagation flags from mount flags
ffbb4d9b docs: add note for connecting debug console for old versions
a5bb383c agent: avoid reaping the exit signal of execute_hook in the reaper
ce7a5ba2 agent: move the dependency tempfile to the dev-dependencies section
e24e9462 docs/Developer-Guide: Add instructions to apply QEMU patches
850cf8cd docs: Document test repository changes when creating a stable branch
8068a469 kata-runtime: add `metrics` command
37873061 kata-monitor: export get stats for sandbox
01b56d6c runtime: make dialing timeout configurable
e8038718 osbuilder: Upgrade alpine version to 3.13.5
3caed6f8 runtime: shim: dedup client, socket addr code
4bc006c8 runtime: Short the shim-monitor path
5fdf617e docs: Fix spell-check errors found after new text is discovered
42425456 docs: Remove horizontal ruler markers that disable spell checks
3883e4e2 kernel: configs: Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
4f61f4b4 virtcontainers: Support TDX
0affe886 virtcontainers: define confidential guest framework
539afba0 runtime: define config options to enable confidential computing
79831faf runtime: use s.ctx instead ctx for checking cancellation
f6d5fbf9 runtime: fix some comments
9381e5f3 packaging/kata-cleanup: add k3s containerd volume
7f7c3fc8 qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
c9053ea3 qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
a188577e agent: Set fixed NOFILE limit value for kata-agent
88cf3db6 runtime: implement CPUFlags function
2b0d5b25 image_build: align image size to 128M for arm64
d601ae34 agent: delete not used comments
6038da19 agent: delete rustjail/src/configs directory
84ee8aa8 agent: delete not used functions
d8896157 ci/install_yq.sh: install_yq: Check version before return
95e54e3f docs: add per-Pod Kata configurations for enable_pprof
13c23fec cli: delete tracing code for kata-runtime binary

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-06-11 16:10:01 +02:00
houfangdong
8825bb298f agent: Update rust version for tokio
This was fixed for tokio's version
    requirements for rust, see:
    https://github.com/tokio-rs/tokio#supported-rust-versions

    Fixes: #3849

Signed-off-by: houfangdong <houfangdong@loongson.cn>
2021-06-11 15:01:43 +08:00
Chelsea Mafrica
cabddcc735 tracing: Make runHooks() span creation return context
The call to Trace() in runHooks() does not return a context; fix this so
that the subsequent calls to runHook() produces a properly ordered trace
span.

Fixes #2001

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-06-10 23:50:51 -07:00
Manabu Sugimoto
e544779c61 agent: Add some mount options
Add the following mount options to catch up with the runtime spec
- silent
- loud
- (no)acl
- (no)iversion
- (no)lazytime

Fixes: #1999

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-06-11 15:08:46 +09:00
Fabiano Fidêncio
dc4307d3cc Merge pull request #1974 from Jakob-Naucke/fix-cc-fedora-s390x
Update CC=gcc setting for Fedora s390x
2021-06-11 00:31:51 +02:00
Fabiano Fidêncio
bd195d67d4 Merge pull request #1976 from Jakob-Naucke/streamline-s390x-osbuilder
osbuilder: Streamline s390x CMake & musl handling
2021-06-11 00:31:34 +02:00
Fabiano Fidêncio
24bbcf58d3 Merge pull request #1981 from LiangZhou-CTY/patch-1
runtime: remove the call to storeSandbox at the end of createSandboxFromConfig
2021-06-11 00:30:39 +02:00
Gabriela Cervantes
a668f310c3 docs: Remove old travis reference
This PR removes the travis reference as we currently for kata 2.0,
travis is not being supported.

Fixes #1994

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-10 17:17:17 -05:00
Fabiano Fidêncio
8239f6fc17 Merge pull request #1772 from Jakob-Naucke/sec-exec
virtcontainers: Add support for Secure Execution
2021-06-11 00:02:01 +02:00
Bo Chen
85c40001da versions: Upgrade to cloud-hypervisor v16.0
Highlights from the Cloud Hypervisor release v16.0: 1) Improved live
migration support; 2) Improved `vhost-user` support; 3) ARM64 ACPI and
UEFI support; 4) Bug fixes.

Details can be found: https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v16.0

Note: The client code of cloud-hypervisor's OpenAPI is automatically
generated by `openapi-generator` [1-2]. As the API changes do not
impact usages in Kata, no additional changes in kata's runtime are
needed to work with the current version of cloud-hypervisor.

[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md

Fixes: #1992

Signed-off-by: Bo Chen <chen.bo@intel.com>
2021-06-10 10:16:39 -07:00
Fupan Li
9d84272dd1 Merge pull request #1988 from ManaSugi/conform-to-latest-nix
agent: Conform to the latest nix version (0.21.0)
2021-06-10 17:17:03 +08:00
Samuel Ortiz
15e3d1656b Merge pull request #1877 from fidencio/wip/update-stable-branch-strategy
docs: Update the stable branch strategy to what was proposed in our ML
2021-06-10 10:26:31 +02:00
Manabu Sugimoto
a1247bc0bb agent: Conform to the latest nix version (0.21.0)
We need to fix some agent's code to conform to the latest nix crate
to be able to use new features of the nix.

Fixes: #1987

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-06-10 16:58:51 +09:00
Liang Zhou
3130e66d33 runtime: remove storeSandbox at the end of createSandboxFromConfig
Remove storeSandbox() at the end of createSandboxFromConfig(),
because this callchain createSandboxFromConfig -> createContainers
has already calls storeSandbox().
This can improve the startup speed of the container,
even just for a little.

Fixes: #1980

Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
2021-06-10 11:56:40 +08:00
Tim Zhang
f26837a0f1 Merge pull request #1967 from liubin/fix/1956-add-more-traces-for-network
runtime: add more traces for network
2021-06-10 10:56:42 +08:00
Jakob Naucke
7593ebf947 runtime: Use CC=gcc on Fedora s390x
This was fixed for the Go agent back in
https://github.com/kata-containers/osbuilder/issues/217, but is also
required for the runtime.

Fixes: #1973

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-08 16:36:24 +02:00
Fabiano Fidêncio
16a835e4a0 Merge pull request #1966 from devimc/2021-06-04/fixSnapCerts
tools/packaging: clone meson and dependencies before building QEMU
2021-06-08 10:36:53 +02:00
Jakob Naucke
a484d6db87 osbuilder: Streamline s390x CMake & musl handling
- Merge codepath in lib.sh with ppc64le -- do not install CMake
- Like ppc64le, do not install musl rather than just not using it

Fixes: #1975

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-07 17:39:31 +02:00
Jakob Naucke
da2d9ab813 osbuilder: Remove CC=gcc for Fedora s390x
since that was required specifically for the Go agent

Fixes: #1973

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-07 17:32:05 +02:00
Fabiano Fidêncio
208ab60e1e Merge pull request #1863 from zhsj/drop-covertool
runtime: remove covertool from cli test
2021-06-07 16:21:51 +02:00
Fabiano Fidêncio
51ac042cad Merge pull request #939 from keloyang/detach
factory: Use lazy unmount
2021-06-07 13:26:16 +02:00
Jakob Naucke
c0c05c73e1 virtcontainers: Add support for Secure Execution
Secure Execution is a confidential computing technology on s390x (IBM Z
& LinuxONE). Enable the correspondent virtualization technology in QEMU
(where it is referred to as "Protected Virtualization").

- Introduce enableProtection and appendProtectionDevice functions for
  QEMU s390x.
- Introduce CheckCmdline to check for "prot_virt=1" being present on the
  kernel command line.
- Introduce CPUFacilities and avilableGuestProtection for hypervisor
  s390x to check for CPU support.

Fixes: #1771

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-07 10:50:33 +02:00
Jakob Naucke
78f21710e3 virtcontainers/s390x: Put consts into one block
Previously, all consts were in single lines in
virtcontainers/qemu_s390x.go. Put them into a const block.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2021-06-07 10:50:30 +02:00
bin
784025bb08 runtime: add more traces for network
Add traces for all the endpoinnt types
and the main interface functions.
Record errors for some traces.

Fixes: #1956

Signed-off-by: bin <bin@hyper.sh>
2021-06-07 11:38:40 +08:00
Julio Montes
a57118d03a Merge pull request #1961 from GabyCT/topic/fixreleasedoc
docs: Fix Release Process document
2021-06-04 14:59:11 -05:00
Julio Montes
9ec9bbbabc tools/packaging: clone meson and dependencies before building QEMU
In some distros (Ubuntu 18 and 20) it's not possible to clone meson
and QEMU dependencies from https://git.qemu.org due to problems with
its certificates, let's pull these dependencies from github before
building QEMU.

fixes #1965

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-06-04 14:52:39 -05:00
Chelsea Mafrica
60806ce3c8 Merge pull request #1957 from cmaf/tracing-attributes-sandboxID-1
Add sandbox and container ID to trace spans
2021-06-04 09:10:05 -07:00
Gabriela Cervantes
9158ec68cc docs: Fix Release Process document
This PR updates the correct url for github actions as well as it
corrects a misspelling.

Fixes #1960

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-06-03 12:51:25 -05:00
Tim Zhang
1255b83427 Merge pull request #1955 from Tim-Zhang/fix-fd-leak-of-netlink
agent: Fix fd leak caused by netlink
2021-06-03 20:15:15 +08:00
Tim Zhang
9e3349c18e agent: Fix fd leak caused by netlink
See also: little-dude/netlink#165

Fixes: #1952

Because the author of netlink has no time to maintain the crate
(https://github.com/little-dude/netlink/issues/161), so we
need to switch the dependency to github temporarily.

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-06-03 17:23:37 +08:00
Chelsea Mafrica
3d0e0b2786 tracing: Add network model to span
Trace spans erroneously set the network model to default in all cases.
Add function to return network model string and use it to set attribute
in spans.

Fixes #1878

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-06-02 21:53:54 -07:00
Chelsea Mafrica
8ca0207281 tracing: Add sandbox and container ID to trace spans
Add sandbox, container, and hypervisor IDs to trace spans. Note that
some spans in sandbox.go are created with a trace() call from api.go.
These spans have additional attributes set after span creation to
overwrite the api attributes.

Fixes #1878

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-06-02 21:53:54 -07:00
Bin Liu
1673110ee9 Merge pull request #1930 from jcvenegas/kata-moinitor-export-virtiofsd
metrics: Add virtiofsd exporter
2021-06-03 10:38:55 +08:00
Fabiano Fidêncio
fd59030031 Merge pull request #1851 from fidencio/wip/bump-kubernetes-version-to-1.21.1
versions: Update kubernetes to 1.21.1
2021-06-02 23:41:57 +02:00
Chelsea Mafrica
33c12b6d08 Merge pull request #1929 from jodh-intel/add-agent-tracing
tracing: Add basic VSOCK tracing
2021-06-02 11:45:41 -07:00
Sandeep Gupta
b26d5b1d08 virtcontainers: Support SEV
fixes #1869

Signed-off-by: Jim Cadden <jcadden@ibm.com>
2021-06-02 14:32:50 -04:00
James O. D. Hunt
a9a0eccf33 tracing: Add basic VSOCK tracing
Implement an openTelemetry custom exporter that sends trace spans to a
VSOCK socket. A VSOCK-to-span converter (such as the Kata trace
forwarder) needs to be running on the host to allow systems like Jaeger
to capture the trace spans.

By default, tracing is not enabled (meaning a NOP tracer is used). To
activate tracing, set the `agent.kata.enable_tracing=true` in the
configuration file.

The type of tracing this change introduces is "static isolated"
tracing. See [1] for further details.

> **Note:**
>
> This change only provides the foundational changes for agent
> tracing work. The feature is _not_ yet complete since it does
> not yet show the correct trace hierarchy.

Fixes: #60.

[1] - https://github.com/kata-containers/agent/blob/master/TRACING.md

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-06-02 18:00:05 +01:00
Jim Cadden
81c6e4ca9f runtime/vendor: add github.com/intel-go/cpuid
Fixes: #1869

Signed-off-by: Jim Cadden <jcadden@ibm.com>
2021-06-02 12:59:04 -04:00
Carlos Venegas
2234b73090 metrics: Add virtiofsd exporter
Export proc stats for virtiofsd.

This commit only adds for hypervisors that have support for it.

- qemu
- cloud-hypervisor

Fixes: #1926

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-06-02 16:06:00 +00:00
Julio Montes
1f0964bad8 Merge pull request #1951 from Tim-Zhang/fix-fd-leak-of-vsock
agent: Upgrade tokio-vsock to fix fd leak of vsock socket
2021-06-02 09:41:10 -05:00
Tim Zhang
9bf781d704 agent: Upgrade tokio-vsock to fix fd leak of vsock socket
Fixes: #1950

The further information: rust-vsock/vsock-rs#15

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-06-02 16:03:09 +08:00
Tim Zhang
476ec9bd86 Merge pull request #1948 from liubin/fix/1947-fix-comments
runtime: fix some comments and logs
2021-06-02 10:52:01 +08:00
Pradipta Banerjee
604e3a6fa1 Merge pull request #1882 from Amulyam24/pef
runtime: Add support for PEF
2021-06-01 12:56:53 +05:30
Peng Tao
41e04495f4 Merge pull request #1943 from bergwolf/cleanup2
cleanup TODOs in runtime
2021-06-01 14:16:46 +08:00
Chelsea Mafrica
bcde703b36 Merge pull request #1859 from cmaf/tracing-attributes-1
tracing: Make runtime span attributes more consistent
2021-05-31 21:57:58 -07:00
bin
b68334a1a8 runtime: fix some comments and logs
This commit fix some conments/logs.
And add some logs for debug.

Fixes: #1947

Signed-off-by: bin <bin@hyper.sh>
2021-06-01 09:04:18 +08:00
Bin Liu
d1ac0a1a2c Merge pull request #1938 from liubin/fix/1933-virtiofsd-refactor
virtiofsd: refactor qemu.go to use code in virtiofsd.go
2021-06-01 08:32:56 +08:00
Fabiano Fidêncio
d7b6e3e178 Merge pull request #1942 from bergwolf/cleanup
runtime: remove unused doc.go
2021-05-31 22:41:24 +02:00
Peng Tao
1f5b229bef runtime: remove FIXME in SandboxState about CgroupPath
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.

Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 13:17:14 +08:00
Peng Tao
fee0004ad4 runtime: remove TODO about hot add memory in qemu.go
Already addressed by https://github.com/kata-containers/runtime/pull/786

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 11:15:50 +08:00
Peng Tao
2e29ef9cab runtime: remove TODO comment from StatusContainer
It is no longer valid as containerd already doesn't treat container pid
as host process pid.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 11:10:32 +08:00
bin
72cd8f5ef6 virtiofsd: refactor qemu.go to use code in virtiofsd.go
CloudHypervisor is using virtiofsd.go to manage virtiofsd process,
but qemu has its code in qemu.go. This commit let qemu to re-use
code in virtiofsd.go to reduce code and improve maintenanceability.

Fixes: #1933

Signed-off-by: bin <bin@hyper.sh>
2021-05-29 11:00:05 +08:00
Peng Tao
0b22c48d2a runtime: remove unused doc.go
It doesn't even contain any actual code there.

Fixes: #1941
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 10:25:29 +08:00
Peng Tao
c455d84571 Merge pull request #1918 from lifupan/main
cgroup: fix the issue of set mem.limit and mem.swap
2021-05-29 10:05:44 +08:00
Peng Tao
fd6d32ee42 Merge pull request #1939 from lifupan/fix_epipe
agent: re-enable the standard SIGPIPE behavior
2021-05-29 10:05:09 +08:00
Fabiano Fidêncio
bcf78a18ae Merge pull request #1932 from liubin/fix/1931-virtiofsd-fd-leak-and-return-right-pid
virtiofsd: Fix file descriptors leak and return correct PID
2021-05-28 12:29:56 +02:00
Fupan Li
a761e980e4 Merge pull request #1934 from liubin/fix/1927-check-SandboxCgroupOnly-and-cgroup-v2
runtime: and cgroup and SandboxCgroupOnly check for check sub-command
2021-05-28 16:43:44 +08:00
fupan.lfp
30f4834c5b cgroup: fix the issue of set mem.limit and mem.swap
When update memory limit, we should adapt the write sequence
for memory and swap memory, so it won't fail because
the new value and the old value don't fit kernel's
validation.

Fixes: #1917

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-05-28 15:44:14 +08:00
fupan.lfp
0ae364c8eb agent: re-enable the standard SIGPIPE behavior
The Rust standard library had suppressed the default SIGPIPE
behavior, see https://github.com/rust-lang/rust/pull/13158.
Since the parent's signal handler would be inherited by it's child
process, thus we should re-enable the standard SIGPIPE behavior as a
workaround.

Fixes: #1887

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-05-28 15:25:05 +08:00
Chelsea Mafrica
05a46fede0 tracing: Make runtime span attributes more consistent
Span attributes (tags) are not consistent in runtime tracing, so
designate and use core attributes such source, package, subsystem, and
type as span metadata for more understandable output.

Use WithAttributes() during span creation to reduce calls to
SetAttributes().

Modify Trace() in katautils to accept slice of attributes so multiple
functions using different attributes can use it.

Fixes #1852

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-05-27 10:07:11 -07:00
bin
727bfc4556 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
In kata-runtime check sub-command, checks cgroups and SandboxCgroupOnly
to show message if the SandboxCgroupOnly is not set to true
and cgroup v2 is used.

Fixes: #1927

Signed-off-by: bin <bin@hyper.sh>
2021-05-27 21:19:12 +08:00
James O. D. Hunt
b25ad1ab2c tracing: Make trace-forwarder async
The tracing crates are now async, so update the trace forwarder to use
the new API.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-05-27 10:48:05 +01:00
James O. D. Hunt
45f02227b2 tracing: Add trace points
Use the tracing crate to create automatic trace spans for the _majority_
of top-level modules.

Note that not all functions in the top-level modules can be traced:

- Some functions cannot be traced due to the requirement that all
  function parameters implement the `Debug` trait. In some cases (such
  as `netlink.rs`), objects are being passed that are defined in
  different crates and which do not implement `Debug`.
- Some functions may never return (`signal.rs`).
- Some functions are inlined.
- Some functions are very simple getter/setter functions.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
2021-05-27 10:42:58 +01:00
bin
773deca2f6 virtiofsd: Fix file descriptors leak and return correct PID
This commit will fix two problems:
- Virtiofsd process ID returned to the caller will always be 0,
   the pid var is never being assigned a value.
- Socket listen fd may leak in case of failure of starting virtiofsd process.
  This is a port of be9ca0d58b

Fixes: #1931

Signed-off-by: bin <bin@hyper.sh>
2021-05-27 16:51:41 +08:00
Amulyam24
37a426b4c6 runtime: Add support for PEF
Protected Execution Facility(PEF) is the confidential computing
technology on ppc64le. This PR adds the support for it in Kata.
Also re-vendor govmm for the latest changes.

Fixes: #1881

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-05-25 14:29:42 +00:00
Peng Tao
35f297ad50 Merge pull request #1899 from Amulyam24/fragments
kernel: add ppc64le fragments
2021-05-25 10:18:55 +08:00
Fabiano Fidêncio
9fb301f4df Merge pull request #1920 from ManaSugi/update-kubeadm-flag
docs: Use --ignore-preflight-errors=all flag
2021-05-24 21:12:12 +02:00
Fabiano Fidêncio
c3f6c88668 Merge pull request #1915 from quanweiZhou/fix_start_container_failed_when_drop_all_caps
agent: fix start container failed when dropping all capabilities
2021-05-24 14:13:52 +02:00
Tim Zhang
005e5ddedc Merge pull request #1905 from ManaSugi/del_underscore_var
agent: Remove unnecessary underscore(_) variables
2021-05-24 17:39:48 +08:00
Manabu Sugimoto
fe670c5de5 docs: Use --ignore-preflight-errors=all flag
The --skip-preflight-checks flag has been deprecated in the Kubernetes v1.9
and removed from Kubernetes v1.12.
We should use --ignore-preflight-errors=all flag instead of --skip-preflight-checks.

Fixes: #1919

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-05-24 18:06:41 +09:00
Fabiano Fidêncio
852aa9454f Merge pull request #1908 from stevenhorsman/add-doc-for-getting-qemu
docs: Add instructions for getting QEMU source
2021-05-24 10:31:03 +02:00
Fupan Li
c09d8fcfda Merge pull request #1888 from yuanzhe-liu0/qemu_align
qemu: align before memory hotplug on arm64
2021-05-24 16:13:01 +08:00
stevenhorsman
5b5047bd4a docs: Add instructions for getting QEMU source
Update the developer guide to add instructions of how to get the
correct version of the QEMU source and sets your_qemu_directory
variable, so that follow on steps are easier for a new joiner to the
community to understand

Fixes #1907

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2021-05-23 10:23:18 +01:00
quanweiZhou
3e4ebe10ac agent: fix start container failed when dropping all capabilities
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.

fixes #1913

Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
2021-05-22 17:33:49 +08:00
Fabiano Fidêncio
c078628544 Merge pull request #1910 from devimc/2021-05-21/snap/updateChannels
workflows: release kata 2.x snap through the stable channel
2021-05-22 09:21:58 +02:00
Julio Montes
9a43d76d5e workflows: release kata 2.x snap through the stable channel
kata 1.x has been deprecated, now kata 2.x can be released through
the stable channel

fixes #1909

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-21 15:48:48 -05:00
Fabiano Fidêncio
7dc1d32017 Merge pull request #1897 from egernst/sandbox-bindmount-cleanup
Sandbox bindmount cleanup
2021-05-21 22:36:12 +02:00
GabyCT
6f3b1bb796 Merge pull request #1906 from stevenhorsman/fix-add-customer-agent-command
docs: Update add customer agent command
2021-05-21 15:04:04 -05:00
Eric Ernst
7f1030d303 sandbox-bindmount: persist mount information
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.

Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.

With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.

Fixes #1896

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-21 12:54:35 -07:00
Eric Ernst
089a7484e1 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.

Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.

Fixes: #1895

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-21 12:54:35 -07:00
stevenhorsman
f65acc20dc docs: Update add customer agent command
Update the developer guide to correct the
command that adds a customer kata-agent to the rootfs image
putting it in /usr/bin/kata-agent rather than /bin/kata-agent

Fixes #1904

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2021-05-21 15:42:04 +01:00
Manabu Sugimoto
20a382c158 agent: Remove unnecessary underscore(_) variables
We should remove underscore(_) prefixed variables when ? operator is
used.

Fixes: #1903

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-05-21 17:45:34 +09:00
Fabiano Fidêncio
4b88532c2f docs: Don't use Docker as an example of a container manager
Let's update the doc to use Containerd and CRI-O as examples, which fits
better the 2.x world.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Fabiano Fidêncio
4142e42465 docs: Don't mention 1.x components as part of the stable branch strategy
Let's slightly rewrite the text to ensure users of 2.x that never had
contact with kata-containers 1.x would be able to understand the
sentences.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Fabiano Fidêncio
a0af2bd7dc docs: Use stable-2.x / 2.x.y as example in the branch strategy document
This may help to reduce some confusion as 1.x was a totally different
thing for the project.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Fabiano Fidêncio
a5e1f66a15 docs: Maintain only one stable branch per major release
This is a proposal that was sent to the ML and can be accessed via
http://lists.katacontainers.io/pipermail/kata-dev/2021-May/001894.html

Shortly, the proposal is to maintain only one stable branch per major
active release.

This will help the developers and the CI maintainers, to spend more time
on what's coming, rather on backporting and debugging issues with old
releases; while still providing one stable branch that downstream
companies can rely on.

Hopefully, with this we'll be able to lower the maintainance burden and
spend more time on getting things rock solid / move forward in a faster
pace with the project.

Fixes: #1876

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Fabiano Fidêncio
419773b8df docs: Emphasize behaviour changes may be a reason for a major bump
The current wording is good, but we could emphasize better that changes
on behaviour from a previous release by simply making the text bold
rather than italic.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Fabiano Fidêncio
54a750086d docs: Refer to main branch in the stable branch strategy document
As there's no active `master` branch as part of kata-containers 2.x,
let's avoid referring to it, and let's referr to the `main` branch
instead.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-21 09:52:39 +02:00
Amulyam24
7dde0b5d84 kernel: add ppc64le fragments
Adding support for ppc64le kernel fragments.

Fixes: #1898

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-05-21 07:06:45 +00:00
Amulyam24
8490618125 kernel: skip fragments for ppc64le
Adding !powerpc to the group of fragments not
supported on ppc64le.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-05-21 06:09:05 +00:00
Amulyam24
9676b86b44 kernel: move CONFIG_RANDOMIZE_BASE
This config is not selected for ppc64le. It is
only supported on PPC32 for now. Moved it to
respective arch base.conf.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2021-05-21 06:05:21 +00:00
Shukui Yang
bd0cde40e7 factory: Use lazy unmount
we can have the following case,
1. start kata container with factory feature, this need kata-runtime
   config to enable factory and use initrd as base image.
2. start a kata container.
3. cd /root; cd /run/vc/vm/template dir, this will make
   /run/vc/vm/template to be in used.
4. destroy vm template with kata-runtime factory destroy , and check
                the template mountpoint.
we can see  the template mountpoints will add everytime we repeat the above steps .

[root@centos1 template]# mount |grep template
[root@centos1 template]# docker run -ti --rm  --runtime untrusted-runtime --net none busybox echo

[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
[root@centos1 template]# docker run -ti --rm  --runtime untrusted-runtime --net none busybox echo

[root@centos1 template]# cd /root; cd /run/vc/vm/template/
[root@centos1 template]# /kata/bin/kata-runtime factory destroy
vm factory destroyed
[root@centos1 template]# mount |grep template
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)
tmpfs on /run/vc/vm/template type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2105344k)

Fixes: #938

Signed-off-by: Shukui Yang <keloyangsk@gmail.com>
2021-05-20 16:18:28 +08:00
Fupan Li
0c463babf3 Merge pull request #1885 from fidencio/wip/stop-using-unmaintained-prctl-crate
agent: Stop relying in the unmaintained prctl crate
2021-05-20 10:50:04 +08:00
Fabiano Fidêncio
f52468bea7 agent/agent-ctl: Replace prctl crate by the capctl one
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.

When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.

Fixes: #1844

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-19 20:16:26 +02:00
Fabiano Fidêncio
d289b1d621 agent-ctl: Perform a cargo update
While in the beginning of the development cycle, let's perform a `cargo
update`.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-19 19:44:12 +02:00
Yuanzhe Liu
bc36b7b49f qemu: align before memory hotplug on arm64
When hotplug memory on arm64 in kata, kernel will shout:

[ 0.396551] Block size [0x40000000] unaligned hotplug range: start 0xc8000000, size 0x40000000
[ 0.396556] acpi PNP0C80:01: add_memory failed
[ 0.396834] acpi PNP0C80:01: acpi_memory_enable_device() error
[ 0.396948] acpi PNP0C80:01: Enumeration failure

It means that kernel will check if the memory range to be hotplugged
align with 1G before plug the memory. So we should twist the qemu to
make sure the memory range align with 1G to pass the kernel check.

Fixes: #1841

Signed-off-by: Yuanzhe Liu <yuanzheliu09@gmail.com>
2021-05-19 14:23:55 +00:00
Fabiano Fidêncio
8aefc79314 agent: Perform a cargo update
While in the beginning of the development cycle, let's perform a `cargo
update`.

Fixes: #1883

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-19 09:43:17 +02:00
Fupan Li
be936442eb Merge pull request #1846 from teawater/vm_doc
how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
2021-05-18 14:07:49 +08:00
Hui Zhu
b97791add1 Merge pull request #1855 from jongwu/mem_doc
docs: Add document for memory hotplug on arm64
2021-05-18 09:32:55 +08:00
Hui Zhu
785be0bbde how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
Update this howto because the virtio-mem support of kata, qemu and Linux
was updated.

Fixes: #1845

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-05-18 09:27:57 +08:00
Chelsea Mafrica
6b9e46ef54 Merge pull request #1858 from GabyCT/topic/fixprporting
github: Run require porting labels only at main
2021-05-17 11:43:04 -07:00
Chelsea Mafrica
2e52529895 Merge pull request #1822 from jimcadden/kernel-conf-guest
kernel: add confidential guest build option
2021-05-17 11:42:07 -07:00
Jim Cadden
f8a16c170a kernel: add confidential guest build option
Includes support for SEV guest kernels

Fixes #1870

Signed-off-by: Jim Cadden <jcadden@ibm.com>
2021-05-17 09:52:32 -04:00
Jianyong Wu
a65f11ea56 docs: Add document for memory hotplug on arm64
After some enablement work, memory hotplug can be used on arm64.
Here we offer a document to instruct user to enable it.

Fixes: #1854
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-05-17 16:21:37 +08:00
Shengjing Zhu
1b60705646 runtime: remove covertool from cli test
covertool has no active since 2018 and is not compatible with go1.16

  ../vendor/github.com/dlespiau/covertool/pkg/cover/cover.go:76:29: cannot use f (type dummyTestDeps) as type testing.testDeps in argument to testing.MainStart:
  dummyTestDeps does not implement testing.testDeps (missing SetPanicOnExit0 method)

Fixes: #1862

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2021-05-16 03:06:06 +08:00
Gabriela Cervantes
fc42dc07cf github: Run require porting labels only at main
This PR modifies that require porting labels only run at main.

Fixes #1857

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2021-05-14 16:21:44 -05:00
Peng Tao
f6c5f7c0ef Merge pull request #1844 from lifupan/main
rustjail: separated the propagation flags from mount flags
2021-05-14 10:25:35 +08:00
Eric Ernst
f8d1f9b86e Merge pull request #985 from bergwolf/sandbox-cgroups-only
runtime: improve sandbox cleanup logic
2021-05-13 16:31:26 -07:00
Fabiano Fidêncio
dbef2b2931 versions: Update kubernetes to 1.21.1
The reason for doing such is to (try to) avoid random crashes we've been
facing as part of our CI, such as the one reported as part of
https://github.com/kata-containers/tests/issues/3473

Fixes: #1850

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-14 00:08:55 +02:00
Peng Tao
35151f1786 runtime: sandbox delete should succeed after verifying sandbox state
Otherwise we might block delete and create orphan containers.

Fixes: #1039

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-13 14:05:49 -07:00
fupan.lfp
e5fe572f51 rustjail: separated the propagation flags from mount flags
Since the propagation flags couldn't be combinted with the
standard mount flags, and they should be used with the remount,
thus it's better to split them from the standard mount flags.

Fixes: #1699

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-05-13 23:53:52 +08:00
snir911
c995a982bc Merge pull request #1843 from liubin/fix/1842-update-docs-for-connecting-debug-console
docs: add note for connecting debug console for old versions
2021-05-13 14:06:51 +03:00
bin
ffbb4d9b11 docs: add note for connecting debug console for old versions
Before 2.1-alpha1, user still need starting kata-monitor
to connect to debug console.

Fixes: #1842

Signed-off-by: bin <bin@hyper.sh>
2021-05-13 15:39:04 +08:00
GabyCT
bdc9a66bd9 Merge pull request #1770 from jongwu/image_align
image_build: align image size to 128M for arm64
2021-05-12 09:38:06 -05:00
Julien Ropé
a918c46fb6 test: Add a unit test for ioCopy()
Following the fix for #1713, adding a unit test for ioCopy() that
verifies that data is properly copied from source to destination
whatever the order in which the pipes are closed.

Fixes #1831

Signed-off-by: Julien Ropé <jrope@redhat.com>
2021-05-12 11:30:45 +02:00
Bin Liu
cc4748fa64 Merge pull request #1829 from Tim-Zhang/fix-reap
agent: avoid reaping the exit signal of execute_hook in the reaper
2021-05-12 17:24:25 +08:00
Bin Liu
15778a17e5 Merge pull request #1828 from Tim-Zhang/move-dep
agent: move the dependency tempfile to the dev-dependencies section
2021-05-12 17:21:50 +08:00
Tim Zhang
2909a0364d Merge pull request #1824 from c3d/issue/1823-release-process-version-bump
docs: Document test repository changes when creating a stable branch
2021-05-12 14:46:32 +08:00
Tim Zhang
a5bb383cf3 agent: avoid reaping the exit signal of execute_hook in the reaper
Fixes: #1826

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-05-12 14:40:20 +08:00
Tim Zhang
ce7a5ba22e agent: move the dependency tempfile to the dev-dependencies section
The tempfile is only used by tests.

Fixes: #1827

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-05-12 14:39:58 +08:00
Fabiano Fidêncio
979b73c35a Merge pull request #1794 from c3d/issue/1793-workaround-spell-checker-bug
docs: Remove horizontal ruler markers that disable spell checks
2021-05-11 23:27:37 +02:00
GabyCT
5d05f36117 Merge pull request #1825 from wainersm/docs_qemu_patches
docs/Developer-Guide: Add instructions to apply QEMU patches
2021-05-11 13:36:00 -05:00
Fabiano Fidêncio
ac61e60492 Merge pull request #1790 from snir911/configure_timeout
runtime: make dialing timeout configurable
2021-05-11 16:52:05 +02:00
Wainer dos Santos Moschetta
e24e94622c docs/Developer-Guide: Add instructions to apply QEMU patches
Occasionally patches are necessary to build QEMU with the kata containers
configuration. This changed the developer guide to make it clear it is
recommended to apply the patches; and tell how.

Fixes #1807
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2021-05-11 10:39:53 -04:00
Christophe de Dinechin
850cf8cdb3 docs: Document test repository changes when creating a stable branch
When we create a new stable branch, it is good practice to ensure that the test
repository points to that stable branch, to make sure that it is not impacted by
later changes to the CI made on the stable branch.

Fixes: #1823

Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
2021-05-11 11:44:03 +02:00
Bin Liu
bffb099d99 Merge pull request #1816 from egernst/get-sandbox-metrics-cli
Get sandbox metrics cli
2021-05-11 13:10:30 +08:00
Samuel Ortiz
2c4e4ca1ac Merge pull request #1590 from devimc/2021-02-02/ConfidentialComputing
Support TDx
2021-05-10 22:19:40 +02:00
Fabiano Fidêncio
becd270ccf Merge pull request #1802 from nubificus/fix-k3s-cleanup
packaging/kata-cleanup: add k3s containerd volume
2021-05-10 21:15:43 +02:00
Eric Ernst
8068a4692f kata-runtime: add metrics command
For easier debug, let's add subcommand to kata-runtime for gathering
metrics associated with a given sandbox.

kata-runtime metrics --sandbox-id foobar

Fixes: #1815

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-10 10:45:10 -07:00
Fabiano Fidêncio
c4bd246efb Merge pull request #1818 from cmaf/update-alpine-version
osbuilder: Upgrade alpine version to 3.13.5
2021-05-10 17:55:35 +02:00
Eric Ernst
3787306107 kata-monitor: export get stats for sandbox
Gathering stats for a given sandbox is pretty useful; let's export a
function from katamonitor pkg to do this.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-10 08:53:56 -07:00
Snir Sheriber
01b56d6cbf runtime: make dialing timeout configurable
allow to set dialing timeout in configuration.toml
default is 30s

Fixes: #1789
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-05-10 16:39:37 +03:00
Eric Ernst
12a04cb0ba Merge pull request #1811 from egernst/monitor-cleanup
Monitor cleanup
2021-05-07 21:03:34 -07:00
Chelsea Mafrica
e8038718aa osbuilder: Upgrade alpine version to 3.13.5
We are using an older version of alpine, so upgrade to latest 3.13.5.

Fixes #1817

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2021-05-07 16:34:45 -07:00
Eric Ernst
3caed6f88d runtime: shim: dedup client, socket addr code
(1) Add an accessor function, SocketAddress, to the shim-v2 code for
determining the shim's abstract domain socket address, given the sandbox
ID.

(2) In kata monitor, create a function, BuildShimClient, for obtaining the appropriate
http.Client for communicating with the shim's monitoring endpoint.

(3) Update the kata CLI and kata-monitor code to make use of these.

(4) Migrate some kata monitor methods to be functions, in order to ease
future reuse.

(5) drop unused namespace from functions where it is no longer needed.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-07 15:20:37 -07:00
Fabiano Fidêncio
4bc006c8a4 runtime: Short the shim-monitor path
Instead of having something like
"/containerd-shim/$namespace/$sandboxID/shim-monitor.sock", let's change
the approach to:
* create the file in a more neutral location "/run/vc", instead of
  "/containerd-shim";
* drop the namespace, as the sandboxID should be unique;
* remove ".sock" from the socket name.

This will result on a name that looks like:
"/run/vc/$sandboxID/shim-monitor"

Fixes: #497

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-07 14:20:35 -07:00
Christophe de Dinechin
5fdf617e7f docs: Fix spell-check errors found after new text is discovered
The spell-checker scripts has some bugs that caused large chunks of texts to not
be spell checked at all (see #1793). The previous commit worked around this bug,
which exposed another bug:

The following source text:

    are discussions about using VM save and restore to
    give [`criu`](https://github.com/checkpoint-restore/criu)-like
    functionality, which might provide a solution

yields the surprising error below:

    WARNING: Word 'givelike': did you mean one of the following?: give like, give-like, wavelike

Apparently, an extra space is removed, which is another issue with the
spell-checking script. This case is somewhat contrived because of the URL link,
so for now, I decided for a creative rewriting, inserting the word "a" knowing
that "alike" is a valid word ;-)

Fixes: #1793

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-05-07 11:43:44 +02:00
Christophe de Dinechin
42425456e7 docs: Remove horizontal ruler markers that disable spell checks
There is a bug in the CI script checking spelling that causes it
to skip any text that follows a horizontal ruler.
(https://github.com/kata-containers/tests/issues/3448)

Solution: replace one horizontal ruler marker with another that
does not trip the spell-checking script.

Fixes: #1793

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2021-05-07 11:43:44 +02:00
Fabiano Fidêncio
0a3b7938c9 Merge pull request #1799 from teawater/open_vm
Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
2021-05-07 11:43:17 +02:00
Tim Zhang
1bfc426a2b Merge pull request #1784 from liubin/fix/1783-delete-un-used-fn
agent: delete code which is no longer used
2021-05-07 14:25:26 +08:00
Fabiano Fidêncio
2436839fa7 Merge pull request #1749 from liubin/fix/1748-delete-tracing-in-cli
cli: delete tracing code for kata-runtime binary
2021-05-07 08:17:16 +02:00
Tim Zhang
75648b0770 Merge pull request #1745 from liubin/fix/1744-add-doc-for-enable_pprof
docs: add per-Pod Kata configurations for `enable_pprof`
2021-05-07 13:45:34 +08:00
Fupan Li
70e1d44262 Merge pull request #1800 from teawater/fix_vm
Fix issue of virtio-mem
2021-05-07 13:08:12 +08:00
Fupan Li
487e165093 Merge pull request #1778 from snir911/patch_nofile
Set fixed NOFILE limit value for kata-agent
2021-05-07 13:06:10 +08:00
Tim Zhang
29716c35e6 Merge pull request #1777 from teawater/check_yq
ci/install_yq.sh: install_yq: Check version before return
2021-05-07 10:02:51 +08:00
Chelsea Mafrica
3e8137399c Merge pull request #1805 from liubin/fix/1804-select-sandbox-ctx
runtime: use s.ctx instead ctx for checking cancellation
2021-05-06 09:51:47 -07:00
Chelsea Mafrica
917665ab6d Merge pull request #1751 from liubin/fix/1750-fix-comments
runtime: fix some comments
2021-05-06 08:42:15 -07:00
Julio Montes
4f61f4b490 virtcontainers: Support TDX
Add support for Intel TDX confidential guests

fixes #1332

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
Julio Montes
0affe8860d virtcontainers: define confidential guest framework
Define the structure and functions needed to support confidential
guests, this commit doesn't add support for any specific technology,
support for TDX, SEV, PEF and others will be added in following
commits.

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
Julio Montes
539afba03d runtime: define config options to enable confidential computing
Define config options to enable or disable confidential computing and
its features, for example:
* Image service offloading
* Image decryption keys

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
bin
79831fafaf runtime: use s.ctx instead ctx for checking cancellation
s.ctx should be used for checking cancellation, and the
local ctx is used for tracing.

Fixes: #1804

Signed-off-by: bin <bin@hyper.sh>
2021-05-06 17:22:53 +08:00
bin
f6d5fbf9ba runtime: fix some comments
This commint include two types of fixes for comments
in src/runtime/containerd-shim-v2/start.go.

- Update comment for calling of watchOOMEvents.
- Comments without heading spaces.

Fixes: #1750

Signed-off-by: bin <bin@hyper.sh>
2021-05-06 17:12:52 +08:00
Orestis Lagkas Nikolos
9381e5f31a packaging/kata-cleanup: add k3s containerd volume
kata-deploy cleanup expects to find containerd configuration
in /etc/containerd/config.toml. In case of k3s mount the k3s
containerd config as a volume.

Fixes #1801

Signed-off-by: Orestis Lagkas Nikolos <olagkasn@nubificus.co.uk>
2021-05-06 03:18:16 -05:00
Hui Zhu
7f7c3fc8ec qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
This commit change sizeByte from uint32 to uint64 to fix overflow issue.

Fixes: #1796

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-05-06 14:13:50 +08:00
Hui Zhu
c9053ea3fb qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
Got:
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: Add 189759MB virtio-mem-pci fail QMP command
failed: backend memory size must be multiple of 0x200000: unknown

This commit let sizeMB be multiple of 2Mib to fix the issue.

Fixes: #1796

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-05-06 14:13:48 +08:00
Snir Sheriber
a188577ebf agent: Set fixed NOFILE limit value for kata-agent
Some applications may fail if NOFILE limit is set to unlimited.
Although in some environments this value is explicitly overridden,
lets set it to a more sane value in case it doesn't.

Fixes #1715
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-05-04 15:06:11 +03:00
Julio Montes
88cf3db601 runtime: implement CPUFlags function
`CPUFlags` returns a map with all the CPU flags, these CPU flags
may help us to identiry whether a system support confidential computing
or not.

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-03 09:33:13 -05:00
Jianyong Wu
2b0d5b252e image_build: align image size to 128M for arm64
There is an inconformity between qemu and kernel of memory alignment
check in memory hotplug. Both of qemu and kernel will do the start
address alignment check in memory hotplug. But it's 2M in qemu
while 128M in kernel. It leads to an issue when memory hotplug.

Currently, the kata image is a nvdimm device, which will plug into the VM as
a dimm. If another dimm is pluged, it will reside on top of that nvdimm.
So, the start address of the second dimm may not pass the alginment
check in kernel if the nvdimm size doesn't align with 128M.

There are 3 ways to address this issue I think:
1. fix the alignment size in kernel according to qemu. I think people
in linux kernel community will not accept it.
2. do alignment check in qemu and force the start address of hotplug
in alignment with 128M, which means there maybe holes between memory blocks.
3. obey the rule in user end, which means fix it in kata.

I think the second one is the best, but I can't do that for some reason.
Thus, the last one is the choice here.

Fixes: #1769
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2021-05-03 10:44:30 +08:00
bin
d601ae3446 agent: delete not used comments
Delete comments meanless or make people confusion.

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:37:55 +08:00
bin
6038da1903 agent: delete rustjail/src/configs directory
This directory is not used anymore.

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:18:03 +08:00
bin
84ee8aa8b2 agent: delete not used functions
In file src/agent/rustjail/src/validator.rs,
these two functions are not used:
- get_namespace_path
- check_host_ns

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:17:41 +08:00
Hui Zhu
d8896157df ci/install_yq.sh: install_yq: Check version before return
Check the yq version before return.

Fixes: #1776

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-04-29 18:19:18 +08:00
bin
95e54e3f48 docs: add per-Pod Kata configurations for enable_pprof
Now enabling enable_pprof for individual pods is supported,
but not documented.

This commit will add per-Pod Kata configurations for `enable_pprof`
in file `docs/how-to/how-to-set-sandbox-config-kata.md`

Fixes: #1744

Signed-off-by: bin <bin@hyper.sh>
2021-04-26 22:20:49 +08:00
bin
13c23fec11 cli: delete tracing code for kata-runtime binary
There are no pod/container operations in kata-runtime binary,
tracing in this package is meaningless.

Fixes: #1748

Signed-off-by: bin <bin@hyper.sh>
2021-04-26 11:11:22 +08:00
2628 changed files with 224789 additions and 140258 deletions

View File

@@ -1,18 +0,0 @@
#!/bin/bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
pushd kata-artifacts >>/dev/null
for c in ./*.tar.gz
do
echo "untarring tarball $c"
tar -xvf $c
done
tar cvfJ ../kata-static.tar.xz ./opt
popd >>/dev/null

View File

@@ -1,36 +0,0 @@
#!/bin/bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
main() {
artifact_stage=${1:-}
artifact=$(echo ${artifact_stage} | sed -n -e 's/^install_//p' | sed -r 's/_/-/g')
if [ -z "${artifact}" ]; then
"Scripts needs artifact name to build"
exit 1
fi
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
export GOPATH=$HOME/go
go get github.com/kata-containers/packaging || true
pushd $GOPATH/src/github.com/kata-containers/packaging/release >>/dev/null
git checkout $tag
pushd ../obs-packaging
./gen_versions_txt.sh $tag
popd
source ./kata-deploy-binaries.sh
${artifact_stage} $tag
popd
mv $HOME/go/src/github.com/kata-containers/packaging/release/kata-static-${artifact}.tar.gz .
}
main $@

View File

@@ -1,34 +0,0 @@
#!/bin/bash
# Copyright (c) 2019 Intel Corporation
# Copyright (c) 2020 Ant Group
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
main() {
artifact_stage=${1:-}
artifact=$(echo ${artifact_stage} | sed -n -e 's/^install_//p' | sed -r 's/_/-/g')
if [ -z "${artifact}" ]; then
"Scripts needs artifact name to build"
exit 1
fi
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
pushd $GITHUB_WORKSPACE/tools/packaging
git checkout $tag
./scripts/gen_versions_txt.sh $tag
popd
pushd $GITHUB_WORKSPACE/tools/packaging/release
source ./kata-deploy-binaries.sh
${artifact_stage} $tag
popd
mv $GITHUB_WORKSPACE/tools/packaging/release/kata-static-${artifact}.tar.gz .
}
main $@

68
.github/workflows/kata-deploy-push.yaml vendored Normal file
View File

@@ -0,0 +1,68 @@
name: kata deploy build
on: [push, pull_request]
jobs:
build-asset:
runs-on: ubuntu-latest
strategy:
matrix:
asset:
- kernel
- kernel-experimental
- shim-v2
- qemu
- cloud-hypervisor
- firecracker
- rootfs-image
- rootfs-initrd
steps:
- uses: actions/checkout@v2
- name: Install docker
run: |
curl -fsSL https://test.docker.com -o test-docker.sh
sh test-docker.sh
- name: Build ${{ matrix.asset }}
run: |
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r --preserve=all "${build_dir}" "kata-build"
env:
KATA_ASSET: ${{ matrix.asset }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
if-no-files-found: error
create-kata-tarball:
runs-on: ubuntu-latest
needs: build-asset
steps:
- uses: actions/checkout@v2
- name: get-artifacts
uses: actions/download-artifact@v2
with:
name: kata-artifacts
path: build
- name: merge-artifacts
run: |
make merge-builds
- name: store-artifacts
uses: actions/upload-artifact@v2
with:
name: kata-static-tarball
path: kata-static.tar.xz
make-kata-tarball:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: make kata-tarball
run: |
make kata-tarball
sudo make install-tarball

View File

@@ -5,58 +5,121 @@ on:
name: test-kata-deploy
jobs:
check_comments:
if: ${{ github.event.issue.pull_request }}
check-comment-and-membership:
runs-on: ubuntu-latest
if: |
github.event.issue.pull_request
&& github.event_name == 'issue_comment'
&& github.event.action == 'created'
&& startsWith(github.event.comment.body, '/test_kata_deploy')
steps:
- name: Check for Command
id: command
uses: kata-containers/slash-command-action@v1
- name: Check membership
uses: kata-containers/is-organization-member@1.0.1
id: is_organization_member
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
command: "test_kata_deploy"
reaction: "true"
reaction-type: "eyes"
allow-edits: "false"
permission-level: admin
- name: verify command arg is kata-deploy
organization: kata-containers
username: ${{ github.event.comment.user.login }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Fail if not member
run: |
echo "The command was '${{ steps.command.outputs.command-name }}' with arguments '${{ steps.command.outputs.command-arguments }}'"
result=${{ steps.is_organization_member.outputs.result }}
if [ $result == false ]; then
user=${{ github.event.comment.user.login }}
echo Either ${user} is not part of the kata-containers organization
echo or ${user} has its Organization Visibility set to Private at
echo https://github.com/orgs/kata-containers/people?query=${user}
echo
echo Ensure you change your Organization Visibility to Public and
echo trigger the test again.
exit 1
fi
create-and-test-container:
needs: check_comments
build-asset:
runs-on: ubuntu-latest
needs: check-comment-and-membership
strategy:
matrix:
asset:
- cloud-hypervisor
- firecracker
- kernel
- qemu
- rootfs-image
- rootfs-initrd
- shim-v2
steps:
- name: get-PR-ref
id: get-PR-ref
- uses: actions/checkout@v2
- name: Install docker
run: |
ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed 's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
echo "reference for PR: " ${ref}
echo "##[set-output name=pr-ref;]${ref}"
curl -fsSL https://test.docker.com -o test-docker.sh
sh test-docker.sh
- name: check out
uses: actions/checkout@v2
with:
ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
- name: build-container-image
id: build-container-image
- name: Build ${{ matrix.asset }}
run: |
PR_SHA=$(git log --format=format:%H -n1)
VERSION="2.0.0"
ARTIFACT_URL="https://github.com/kata-containers/kata-containers/releases/download/${VERSION}/kata-static-${VERSION}-x86_64.tar.xz"
wget "${ARTIFACT_URL}" -O tools/packaging/kata-deploy/kata-static.tar.xz
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:${PR_SHA} ./tools/packaging/kata-deploy
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
docker push katadocker/kata-deploy-ci:$PR_SHA
echo "##[set-output name=pr-sha;]${PR_SHA}"
- name: test-kata-deploy-ci-in-aks
uses: ./tools/packaging/kata-deploy/action
with:
packaging-sha: ${{ steps.build-container-image.outputs.pr-sha }}
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r "${build_dir}" "kata-build"
env:
PKG_SHA: ${{ steps.build-container-image.outputs.pr-sha }}
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
if-no-files-found: error
create-kata-tarball:
runs-on: ubuntu-latest
needs: build-asset
steps:
- uses: actions/checkout@v2
- name: get-artifacts
uses: actions/download-artifact@v2
with:
name: kata-artifacts
path: kata-artifacts
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
- name: store-artifacts
uses: actions/upload-artifact@v2
with:
name: kata-static-tarball
path: kata-static.tar.xz
kata-deploy:
needs: create-kata-tarball
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: get-kata-tarball
uses: actions/download-artifact@v2
with:
name: kata-static-tarball
- name: build-and-push-kata-deploy-ci
id: build-and-push-kata-deploy-ci
run: |
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
pushd $GITHUB_WORKSPACE
git checkout $tag
pkg_sha=$(git rev-parse HEAD)
popd
mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
mkdir -p packaging/kata-deploy
ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
echo "::set-output name=PKG_SHA::${pkg_sha}"
- name: test-kata-deploy-ci-in-aks
uses: ./packaging/kata-deploy/action
with:
packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
env:
PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

View File

@@ -1,293 +0,0 @@
name: Publish release tarball
on:
push:
tags:
- '1.*'
jobs:
get-artifact-list:
runs-on: ubuntu-latest
steps:
- name: get the list
run: |
pushd $GITHUB_WORKSPACE
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
git checkout $tag
popd
$GITHUB_WORKSPACE/tools/packaging/artifact-list.sh > artifact-list.txt
- name: save-artifact-list
uses: actions/upload-artifact@master
with:
name: artifact-list
path: artifact-list.txt
build-kernel:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_kernel"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- run: |
sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
- name: build-kernel
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-kernel.tar.gz
build-experimental-kernel:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_experimental_kernel"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- run: |
sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
- name: build-experimental-kernel
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-experimental-kernel.tar.gz
build-qemu:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_qemu"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- name: build-qemu
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-qemu.tar.gz
# Job for building the image
build-image:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_image"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- name: build-image
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-image.tar.gz
# Job for building firecracker hypervisor
build-firecracker:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_firecracker"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- name: build-firecracker
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-firecracker.tar.gz
# Job for building cloud-hypervisor
build-clh:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_clh"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- name: build-clh
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-clh.tar.gz
# Job for building kata components
build-kata-components:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_kata_components"
steps:
- uses: actions/checkout@v1
- name: get-artifact-list
uses: actions/download-artifact@master
with:
name: artifact-list
- name: build-kata-components
run: |
if grep -q $buildstr ./artifact-list/artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@master
with:
name: kata-artifacts
path: kata-static-kata-components.tar.gz
gather-artifacts:
runs-on: ubuntu-16.04
needs: [build-experimental-kernel, build-kernel, build-qemu, build-image, build-firecracker, build-kata-components, build-clh]
steps:
- uses: actions/checkout@v1
- name: get-artifacts
uses: actions/download-artifact@master
with:
name: kata-artifacts
- name: colate-artifacts
run: |
$GITHUB_WORKSPACE/.github/workflows/gather-artifacts.sh
- name: store-artifacts
uses: actions/upload-artifact@master
with:
name: release-candidate
path: kata-static.tar.xz
kata-deploy:
needs: gather-artifacts
runs-on: ubuntu-latest
steps:
- name: get-artifacts
uses: actions/download-artifact@master
with:
name: release-candidate
- name: build-and-push-kata-deploy-ci
id: build-and-push-kata-deploy-ci
run: |
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
git clone https://github.com/kata-containers/packaging
pushd packaging
git checkout $tag
pkg_sha=$(git rev-parse HEAD)
popd
mv release-candidate/kata-static.tar.xz ./packaging/kata-deploy/kata-static.tar.xz
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha ./packaging/kata-deploy
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
docker push katadocker/kata-deploy-ci:$pkg_sha
echo "::set-output name=PKG_SHA::${pkg_sha}"
- name: test-kata-deploy-ci-in-aks
uses: ./packaging/kata-deploy/action
with:
packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
env:
PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
- name: push-tarball
run: |
# tag the container image we created and push to DockerHub
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag}
docker push katadocker/kata-deploy:${tag}
upload-static-tarball:
needs: kata-deploy
runs-on: ubuntu-latest
steps:
- name: download-artifacts
uses: actions/download-artifact@master
with:
name: release-candidate
- name: install hub
run: |
HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
wget -q -O- https://github.com/github/hub/releases/download/v$HUB_VER/hub-linux-amd64-$HUB_VER.tgz | \
tar xz --strip-components=2 --wildcards '*/bin/hub' && sudo mv hub /usr/local/bin/hub
- name: push static tarball to github
run: |
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
tarball="kata-static-$tag-x86_64.tar.xz"
repo="https://github.com/kata-containers/runtime.git"
mv release-candidate/kata-static.tar.xz "release-candidate/${tarball}"
git clone "${repo}"
cd runtime
echo "uploading asset '${tarball}' to '${repo}' tag: ${tag}"
GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "../release-candidate/${tarball}" "${tag}"

View File

@@ -5,213 +5,45 @@ on:
- '2.*'
jobs:
get-artifact-list:
build-asset:
runs-on: ubuntu-latest
strategy:
matrix:
asset:
- cloud-hypervisor
- firecracker
- kernel
- qemu
- rootfs-image
- rootfs-initrd
- shim-v2
steps:
- uses: actions/checkout@v2
- name: get the list
- name: Install docker
run: |
pushd $GITHUB_WORKSPACE
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
git checkout $tag
popd
$GITHUB_WORKSPACE/tools/packaging/artifact-list.sh > artifact-list.txt
- name: save-artifact-list
uses: actions/upload-artifact@v2
with:
name: artifact-list
path: artifact-list.txt
curl -fsSL https://test.docker.com -o test-docker.sh
sh test-docker.sh
build-kernel:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_kernel"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- run: |
sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
- name: build-kernel
- name: Build ${{ matrix.asset }}
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
./tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh --build="${KATA_ASSET}"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r "${build_dir}" "kata-build"
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-kernel.tar.gz
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
if-no-files-found: error
build-experimental-kernel:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_experimental_kernel"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- run: |
sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
- name: build-experimental-kernel
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-experimental-kernel.tar.gz
build-qemu:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_qemu"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- name: build-qemu
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-qemu.tar.gz
build-image:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_image"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- name: build-image
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-image.tar.gz
build-firecracker:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_firecracker"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- name: build-firecracker
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-firecracker.tar.gz
build-clh:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_clh"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- name: build-clh
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-clh.tar.gz
build-kata-components:
runs-on: ubuntu-16.04
needs: get-artifact-list
env:
buildstr: "install_kata_components"
steps:
- uses: actions/checkout@v2
- name: get-artifact-list
uses: actions/download-artifact@v2
with:
name: artifact-list
- name: build-kata-components
run: |
if grep -q $buildstr artifact-list.txt; then
$GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
echo "artifact-built=true" >> $GITHUB_ENV
else
echo "artifact-built=false" >> $GITHUB_ENV
fi
- name: store-artifacts
if: ${{ env.artifact-built }} == 'true'
uses: actions/upload-artifact@v2
with:
name: kata-artifacts
path: kata-static-kata-components.tar.gz
gather-artifacts:
runs-on: ubuntu-16.04
needs: [build-experimental-kernel, build-kernel, build-qemu, build-image, build-firecracker, build-kata-components, build-clh]
create-kata-tarball:
runs-on: ubuntu-latest
needs: build-asset
steps:
- uses: actions/checkout@v2
- name: get-artifacts
@@ -219,24 +51,24 @@ jobs:
with:
name: kata-artifacts
path: kata-artifacts
- name: colate-artifacts
- name: merge-artifacts
run: |
$GITHUB_WORKSPACE/.github/workflows/gather-artifacts.sh
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
- name: store-artifacts
uses: actions/upload-artifact@v2
with:
name: release-candidate
name: kata-static-tarball
path: kata-static.tar.xz
kata-deploy:
needs: gather-artifacts
needs: create-kata-tarball
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: get-artifacts
- name: get-kata-tarball
uses: actions/download-artifact@v2
with:
name: release-candidate
name: kata-static-tarball
- name: build-and-push-kata-deploy-ci
id: build-and-push-kata-deploy-ci
run: |
@@ -246,9 +78,11 @@ jobs:
pkg_sha=$(git rev-parse HEAD)
popd
mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
docker push katadocker/kata-deploy-ci:$pkg_sha
docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
mkdir -p packaging/kata-deploy
ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
echo "::set-output name=PKG_SHA::${pkg_sha}"
@@ -266,8 +100,14 @@ jobs:
run: |
# tag the container image we created and push to DockerHub
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag}
docker push katadocker/kata-deploy:${tag}
tags=($tag)
tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
for tag in ${tags[@]}; do \
docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag} && \
docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} quay.io/kata-containers/kata-deploy:${tag} && \
docker push katadocker/kata-deploy:${tag} && \
docker push quay.io/kata-containers/kata-deploy:${tag}; \
done
upload-static-tarball:
needs: kata-deploy
@@ -277,7 +117,7 @@ jobs:
- name: download-artifacts
uses: actions/download-artifact@v2
with:
name: release-candidate
name: kata-static-tarball
- name: install hub
run: |
HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
@@ -291,3 +131,49 @@ jobs:
pushd $GITHUB_WORKSPACE
echo "uploading asset '${tarball}' for tag: ${tag}"
GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
popd
upload-cargo-vendored-tarball:
needs: upload-static-tarball
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: generate-and-upload-tarball
run: |
pushd $GITHUB_WORKSPACE/src/agent
cargo vendor >> .cargo/config
popd
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
tarball="kata-containers-$tag-vendor.tar.gz"
pushd $GITHUB_WORKSPACE
tar -cvzf "${tarball}" src/agent/.cargo/config src/agent/vendor
GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
popd
upload-libseccomp-tarball:
needs: upload-cargo-vendored-tarball
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: download-and-upload-tarball
env:
GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
GOPATH: ${HOME}/go
run: |
pushd $GITHUB_WORKSPACE
./ci/install_yq.sh
tag=$(echo $GITHUB_REF | cut -d/ -f3-)
versions_yaml="versions.yaml"
version=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.version")
repo_url=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.url")
download_url="${repo_url}/releases/download/v${version}"
tarball="libseccomp-${version}.tar.gz"
asc="${tarball}.asc"
curl -sSLO "${download_url}/${tarball}"
curl -sSLO "${download_url}/${asc}"
# "-m" option should be empty to re-use the existing release title
# without opening a text editor.
# For the details, check https://hub.github.com/hub-release.1.html.
hub release edit -m "" -a "${tarball}" "${tag}"
hub release edit -m "" -a "${asc}" "${tag}"
popd

View File

@@ -12,6 +12,8 @@ on:
- reopened
- labeled
- unlabeled
branches:
- main
jobs:
check-pr-porting-labels:
@@ -29,8 +31,6 @@ jobs:
- name: Checkout code to allow hub to communicate with the project
uses: actions/checkout@v2
with:
token: ${{ secrets.KATA_GITHUB_ACTIONS_TOKEN }}
- name: Install porting checker script
run: |

View File

@@ -9,6 +9,8 @@ jobs:
steps:
- name: Check out Git repository
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Install Snapcraft
uses: samuelmeuli/action-snapcraft@v1
@@ -33,5 +35,5 @@ jobs:
snap_file="kata-containers_${snap_version}_amd64.snap"
# Upload the snap if it exists
if [ -f ${snap_file} ]; then
snapcraft upload --release=candidate ${snap_file}
snapcraft upload --release=stable ${snap_file}
fi

View File

@@ -6,6 +6,8 @@ jobs:
steps:
- name: Check out
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Install Snapcraft
uses: samuelmeuli/action-snapcraft@v1

View File

@@ -1,10 +1,19 @@
on: ["pull_request"]
on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize
- labeled
- unlabeled
name: Static checks
jobs:
test:
strategy:
matrix:
go-version: [1.13.x, 1.14.x, 1.15.x]
go-version: [1.16.x, 1.17.x]
os: [ubuntu-20.04]
runs-on: ${{ matrix.os }}
env:
@@ -13,54 +22,77 @@ jobs:
TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
RUST_BACKTRACE: "1"
target_branch: ${TRAVIS_BRANCH}
target_branch: ${{ github.base_ref }}
steps:
- name: Install Go
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: actions/setup-go@v2
with:
go-version: ${{ matrix.go-version }}
env:
GOPATH: ${{ runner.workspace }}/kata-containers
- name: Setup GOPATH
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
echo "TRAVIS: ${TRAVIS}"
- name: Set env
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
- name: Checkout code
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: actions/checkout@v2
with:
fetch-depth: 0
path: ./src/github.com/${{ github.repository }}
- name: Setup travis references
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
target_branch=${TRAVIS_BRANCH}
- name: Setup
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
env:
GOPATH: ${{ runner.workspace }}/kata-containers
- name: Building rust
- name: Installing rust
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
PATH=$PATH:"$HOME/.cargo/bin"
rustup target add x86_64-unknown-linux-musl
rustup component add rustfmt clippy
# Must build before static checks as we depend on some generated code in runtime and agent
- name: Build
- name: Setup seccomp
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && make
libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
# Check whether the vendored code is up-to-date & working as the first thing
- name: Check vendored code
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && make vendor
- name: Static Checks
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/static-checks.sh
cd ${GOPATH}/src/github.com/${{ github.repository }} && make static-checks
- name: Run Compiler Checks
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && make check
- name: Run Unit Tests
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && make test
- name: Run Unit Tests As Root User
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: |
cd ${GOPATH}/src/github.com/${{ github.repository }} && sudo -E PATH="$PATH" make test

94
Glossary.md Normal file
View File

@@ -0,0 +1,94 @@
# Glossary
[A](#a), [B](#b), [C](#c), [D](#d), [E](#e), [F](#f), [G](#g), [H](#h), [I](#i), [J](#j), [K](#k), [L](#l), [M](#m), [N](#n), [O](#o), [P](#p), [Q](#q), [R](#r), [S](#s), [T](#t), [U](#u), [V](#v), [W](#w), [X](#x), [Y](#y), [Z](#z)
## A
### Auto Scaling
a method used in cloud computing, whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, which vary automatically based on the load on the farm.
## B
## C
### Container Security Solutions
The process of implementing security tools and policies that will give you the assurance that everything in your container is running as intended, and only as intended.
### Container Software
A standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
### Container Runtime Interface
A plugin interface which enables Kubelet to use a wide variety of container runtimes, without the need to recompile.
### Container Virtualization
A container is a virtual runtime environment that runs on top of a single operating system (OS) kernel and emulates an operating system rather than the underlying hardware.
## D
## E
## F
## G
## H
## I
### Infrastructure Architecture
A structured and modern approach for supporting an organization and facilitating innovation within an enterprise.
## J
## K
### Kata Containers
Kata containers is an open source project delivering increased container security and Workload isolation through an implementation of lightweight virtual machines.
## L
## M
## N
## O
## P
### Pod Containers
A Group of one or more containers , with shared storage/network, and a specification for how to run the containers.
### Private Cloud
A computing model that offers a proprietary environment dedicated to a single business entity.
### Public Cloud
Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them.
## Q
## R
## S
### Serverless Containers
An architecture in which code is executed on-demand. Serverless workloads are typically in the cloud, but on-premises serverless platforms exist, too.
## T
## U
## V
### Virtual Machine Monitor
Computer software, firmware or hardware that creates and runs virtual machines.
### Virtual Machine Software
A software program or operating system that not only exhibits the behavior of a separate computer, but is also capable of performing tasks such as running applications and programs like a separate computer.
## W
## X
## Y
## Z

View File

@@ -15,11 +15,17 @@ TOOLS =
TOOLS += agent-ctl
STANDARD_TARGETS = build check clean install test
STANDARD_TARGETS = build check clean install test vendor
default: all
all: logging-crate-tests build
logging-crate-tests:
make -C pkg/logging
include utils.mk
all: build
include ./tools/packaging/kata-deploy/local-build/Makefile
# Create the rules
$(eval $(call create_all_rules,$(COMPONENTS),$(TOOLS),$(STANDARD_TARGETS)))
@@ -29,4 +35,14 @@ $(eval $(call create_all_rules,$(COMPONENTS),$(TOOLS),$(STANDARD_TARGETS)))
generate-protocols:
make -C src/agent generate-protocols
.PHONY: all default
# Some static checks rely on generated source files of components.
static-checks: build
bash ci/static-checks.sh
.PHONY: \
all \
binary-tarball \
default \
install-binary-tarball \
logging-crate-tests \
static-checks

View File

@@ -2,22 +2,6 @@
# Kata Containers
* [Kata Containers](#kata-containers)
* [Introduction](#introduction)
* [Getting started](#getting-started)
* [Documentation](#documentation)
* [Community](#community)
* [Getting help](#getting-help)
* [Raising issues](#raising-issues)
* [Kata Containers 1.x versions](#kata-containers-1x-versions)
* [Developers](#developers)
* [Components](#components)
* [Kata Containers 1.x components](#kata-containers-1x-components)
* [Common repositories](#common-repositories)
* [Packaging and releases](#packaging-and-releases)
---
Welcome to Kata Containers!
This repository is the home of the Kata Containers code for the 2.0 and newer
@@ -26,11 +10,6 @@ releases.
If you want to learn about Kata Containers, visit the main
[Kata Containers website](https://katacontainers.io).
For further details on the older (first generation) Kata Containers 1.x
versions, see the
[Kata Containers 1.x components](#kata-containers-1x-components)
section.
## Introduction
Kata Containers is an open source project and community working to build a
@@ -67,69 +46,34 @@ Please raise an issue
> **Note:**
> If you are reporting a security issue, please follow the [vulnerability reporting process](https://github.com/kata-containers/community#vulnerability-handling)
#### Kata Containers 1.x versions
For older Kata Containers 1.x releases, please raise an issue in the
[Kata Containers 1.x component repository](#kata-containers-1x-components)
that seems most appropriate.
If in doubt, raise an issue
[in the Kata Containers 1.x runtime repository](https://github.com/kata-containers/runtime/issues).
## Developers
### Components
### Main components
The table below lists the core parts of the project:
| Component | Type | Description |
|-|-|-|
| [agent-ctl](tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
| [runtime](src/runtime) | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| [agent](src/agent) | core | Management process running inside the virtual machine / POD that sets up the container environment. |
| [documentation](docs) | documentation | Documentation common to all components (such as design and install documentation). |
| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images for the hypervisor. |
| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
| [runtime](src/runtime) | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| [trace-forwarder](src/trace-forwarder) | utility | Agent tracing helper. |
| [tests](https://github.com/kata-containers/tests) | tests | Excludes unit tests which live with the main code. |
#### Kata Containers 1.x components
### Additional components
For the first generation of Kata Containers (1.x versions), each component was
kept in a separate repository.
For information on the Kata Containers 1.x releases, see the
[Kata Containers 1.x releases page](https://github.com/kata-containers/runtime/releases).
For further information on particular Kata Containers 1.x components, see the
individual component repositories:
The table below lists the remaining parts of the project:
| Component | Type | Description |
|-|-|-|
| [agent](https://github.com/kata-containers/agent) | core | See [components](#components). |
| [documentation](https://github.com/kata-containers/documentation) | documentation | |
| [KSM throttler](https://github.com/kata-containers/ksm-throttler) | optional core | Daemon that monitors containers and deduplicates memory to maximize container density on the host. |
| [osbuilder](https://github.com/kata-containers/osbuilder) | infrastructure | See [components](#components). |
| [packaging](https://github.com/kata-containers/packaging) | infrastructure | See [components](#components). |
| [proxy](https://github.com/kata-containers/proxy) | core | Multiplexes communications between the shims, agent and runtime. |
| [runtime](https://github.com/kata-containers/runtime) | core | See [components](#components). |
| [shim](https://github.com/kata-containers/shim) | core | Handles standard I/O and signals on behalf of the container process. |
> **Note:**
>
> - There are more components for the original Kata Containers 1.x implementation.
> - The current implementation simplifies the design significantly:
> compare the [current](docs/design/architecture.md) and
> [previous generation](https://github.com/kata-containers/documentation/blob/master/design/architecture.md)
> designs.
### Common repositories
The following repositories are used by both the current and first generation Kata Containers implementations:
| Component | Description | Current | First generation | Notes |
|-|-|-|-|-|
| CI | Continuous Integration configuration files and scripts. | [Kata 2.x](https://github.com/kata-containers/ci/tree/main) | [Kata 1.x](https://github.com/kata-containers/ci/tree/master) | |
| kernel | The Linux kernel used by the hypervisor to boot the guest image. | [Kata 2.x][kernel] | [Kata 1.x][kernel] | Patches are stored in the packaging component. |
| tests | Test code. | [Kata 2.x](https://github.com/kata-containers/tests/tree/main) | [Kata 1.x](https://github.com/kata-containers/tests/tree/master) | Excludes unit tests which live with the main code. |
| www.katacontainers.io | Contains the source for the [main web site](https://www.katacontainers.io). | [Kata 2.x][github-katacontainers.io] | [Kata 1.x][github-katacontainers.io] | | |
| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
| [kernel](https://www.kernel.org) | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored [here](tools/packaging/kernel). |
| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
| [`agent-ctl`](tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
| [`trace-forwarder`](src/trace-forwarder) | utility | Agent tracing helper. |
| [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
| [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |
### Packaging and releases
@@ -138,6 +82,9 @@ Kata Containers is now
However, packaging scripts and metadata are still used to generate snap and GitHub releases. See
the [components](#components) section for further details.
## Glossary of Terms
See the [glossary of terms](Glossary.md) related to Kata Containers.
---
[kernel]: https://www.kernel.org

View File

@@ -1 +1 @@
2.1.0-rc0
2.4.0-alpha0

View File

@@ -1,30 +0,0 @@
#!/bin/bash
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Check there are no os.Exit() calls creeping into the code
# We don't use that exit path in the Kata codebase.
# Allow the path to check to be over-ridden.
# Default to the current directory.
go_packages=${1:-.}
echo "Checking for no os.Exit() calls for package [${go_packages}]"
candidates=`go list -f '{{.Dir}}/*.go' $go_packages`
for f in $candidates; do
filename=`basename $f`
# skip all go test files
[[ $filename == *_test.go ]] && continue
# skip exit.go where, the only file we should call os.Exit() from.
[[ $filename == "exit.go" ]] && continue
files="$f $files"
done
[ -z "$files" ] && echo "No files to check, skipping" && exit 0
if egrep -n '\<os\.Exit\>' $files; then
echo "Direct calls to os.Exit() are forbidden, please use exit() so atexit() works"
exit 1
fi

109
ci/install_libseccomp.sh Executable file
View File

@@ -0,0 +1,109 @@
#!/bin/bash
#
# Copyright 2021 Sony Group Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
cidir=$(dirname "$0")
source "${cidir}/lib.sh"
clone_tests_repo
source "${tests_repo_dir}/.ci/lib.sh"
# The following variables if set on the environment will change the behavior
# of gperf and libseccomp configure scripts, that may lead this script to
# fail. So let's ensure they are unset here.
unset PREFIX DESTDIR
arch=$(uname -m)
workdir="$(mktemp -d --tmpdir build-libseccomp.XXXXX)"
# Variables for libseccomp
# Currently, specify the libseccomp version directly without using `versions.yaml`
# because the current Snap workflow is incomplete.
# After solving the issue, replace this code by using the `versions.yaml`.
# libseccomp_version=$(get_version "externals.libseccomp.version")
# libseccomp_url=$(get_version "externals.libseccomp.url")
libseccomp_version="2.5.1"
libseccomp_url="https://github.com/seccomp/libseccomp"
libseccomp_tarball="libseccomp-${libseccomp_version}.tar.gz"
libseccomp_tarball_url="${libseccomp_url}/releases/download/v${libseccomp_version}/${libseccomp_tarball}"
cflags="-O2"
# Variables for gperf
# Currently, specify the gperf version directly without using `versions.yaml`
# because the current Snap workflow is incomplete.
# After solving the issue, replace this code by using the `versions.yaml`.
# gperf_version=$(get_version "externals.gperf.version")
# gperf_url=$(get_version "externals.gperf.url")
gperf_version="3.1"
gperf_url="https://ftp.gnu.org/gnu/gperf"
gperf_tarball="gperf-${gperf_version}.tar.gz"
gperf_tarball_url="${gperf_url}/${gperf_tarball}"
# We need to build the libseccomp library from sources to create a static library for the musl libc.
# However, ppc64le and s390x have no musl targets in Rust. Hence, we do not set cflags for the musl libc.
if ([ "${arch}" != "ppc64le" ] && [ "${arch}" != "s390x" ]); then
# Set FORTIFY_SOURCE=1 because the musl-libc does not have some functions about FORTIFY_SOURCE=2
cflags="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -O2"
fi
die() {
msg="$*"
echo "[Error] ${msg}" >&2
exit 1
}
finish() {
rm -rf "${workdir}"
}
trap finish EXIT
build_and_install_gperf() {
echo "Build and install gperf version ${gperf_version}"
mkdir -p "${gperf_install_dir}"
curl -sLO "${gperf_tarball_url}"
tar -xf "${gperf_tarball}"
pushd "gperf-${gperf_version}"
./configure --prefix="${gperf_install_dir}"
make
make install
export PATH=$PATH:"${gperf_install_dir}"/bin
popd
echo "Gperf installed successfully"
}
build_and_install_libseccomp() {
echo "Build and install libseccomp version ${libseccomp_version}"
mkdir -p "${libseccomp_install_dir}"
curl -sLO "${libseccomp_tarball_url}"
tar -xf "${libseccomp_tarball}"
pushd "libseccomp-${libseccomp_version}"
./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static
make
make install
popd
echo "Libseccomp installed successfully"
}
main() {
local libseccomp_install_dir="${1:-}"
local gperf_install_dir="${2:-}"
if [ -z "${libseccomp_install_dir}" ] || [ -z "${gperf_install_dir}" ]; then
die "Usage: ${0} <libseccomp-install-dir> <gperf-install-dir>"
fi
pushd "$workdir"
# gperf is required for building the libseccomp.
build_and_install_gperf
build_and_install_libseccomp
popd
}
main "$@"

View File

@@ -12,5 +12,5 @@ source "${cidir}/lib.sh"
clone_tests_repo
pushd ${tests_repo_dir}
.ci/install_rust.sh
.ci/install_rust.sh ${1:-}
popd

View File

@@ -15,10 +15,18 @@ die() {
# Install the yq yaml query package from the mikefarah github repo
# Install via binary download, as we may not have golang installed at this point
function install_yq() {
GOPATH=${GOPATH:-${HOME}/go}
local yq_path="${GOPATH}/bin/yq"
local yq_pkg="github.com/mikefarah/yq"
[ -x "${GOPATH}/bin/yq" ] && return
local yq_version=3.4.1
INSTALL_IN_GOPATH=${INSTALL_IN_GOPATH:-true}
if [ "${INSTALL_IN_GOPATH}" == "true" ];then
GOPATH=${GOPATH:-${HOME}/go}
mkdir -p "${GOPATH}/bin"
local yq_path="${GOPATH}/bin/yq"
else
yq_path="/usr/local/bin/yq"
fi
[ -x "${yq_path}" ] && [ "`${yq_path} --version`"X == "yq version ${yq_version}"X ] && return
read -r -a sysInfo <<< "$(uname -sm)"
@@ -49,15 +57,12 @@ function install_yq() {
;;
esac
mkdir -p "${GOPATH}/bin"
# Check curl
if ! command -v "curl" >/dev/null; then
die "Please install curl"
fi
local yq_version=3.4.1
## NOTE: ${var,,} => gives lowercase value of var
local yq_url="https://${yq_pkg}/releases/download/${yq_version}/yq_${goos,,}_${goarch}"
curl -o "${yq_path}" -LSsf "${yq_url}"

View File

@@ -3,9 +3,11 @@
#
# SPDX-License-Identifier: Apache-2.0
set -o nounset
export tests_repo="${tests_repo:-github.com/kata-containers/tests}"
export tests_repo_dir="$GOPATH/src/$tests_repo"
export branch="${branch:-main}"
export branch="${target_branch:-main}"
# Clones the tests repository and checkout to the branch pointed out by
# the global $branch variable.
@@ -15,7 +17,7 @@ export branch="${branch:-main}"
clone_tests_repo()
{
if [ -d "$tests_repo_dir" ]; then
[ -n "$CI" ] && return
[ -n "${CI:-}" ] && return
pushd "${tests_repo_dir}"
git checkout "${branch}"
git pull

View File

@@ -4,6 +4,6 @@
#
# This is the build root image for Kata Containers on OpenShift CI.
#
FROM centos:8
FROM registry.centos.org/centos:8
RUN yum -y update && yum -y install git sudo wget

View File

@@ -8,9 +8,14 @@
set -e
cidir=$(dirname "$0")
source "${cidir}/lib.sh"
export CI_JOB="${CI_JOB:-}"
clone_tests_repo
pushd ${tests_repo_dir}
.ci/run.sh
# temporary fix, see https://github.com/kata-containers/tests/issues/3878
if [ "$(uname -m)" != "s390x" ] && [ "$CI_JOB" == "CRI_CONTAINERD_K8S_MINIMAL" ]; then
tracing/test-agent-shutdown.sh
fi
popd

View File

@@ -1,55 +1,3 @@
- [Warning](#warning)
- [Assumptions](#assumptions)
- [Initial setup](#initial-setup)
- [Requirements to build individual components](#requirements-to-build-individual-components)
- [Build and install the Kata Containers runtime](#build-and-install-the-kata-containers-runtime)
- [Check hardware requirements](#check-hardware-requirements)
- [Configure to use initrd or rootfs image](#configure-to-use-initrd-or-rootfs-image)
- [Enable full debug](#enable-full-debug)
- [debug logs and shimv2](#debug-logs-and-shimv2)
- [Enabling full `containerd` debug](#enabling-full-containerd-debug)
- [Enabling just `containerd shim` debug](#enabling-just-containerd-shim-debug)
- [Enabling `CRI-O` and `shimv2` debug](#enabling-cri-o-and-shimv2-debug)
- [journald rate limiting](#journald-rate-limiting)
- [`systemd-journald` suppressing messages](#systemd-journald-suppressing-messages)
- [Disabling `systemd-journald` rate limiting](#disabling-systemd-journald-rate-limiting)
- [Create and install rootfs and initrd image](#create-and-install-rootfs-and-initrd-image)
- [Build a custom Kata agent - OPTIONAL](#build-a-custom-kata-agent---optional)
- [Get the osbuilder](#get-the-osbuilder)
- [Create a rootfs image](#create-a-rootfs-image)
- [Create a local rootfs](#create-a-local-rootfs)
- [Add a custom agent to the image - OPTIONAL](#add-a-custom-agent-to-the-image---optional)
- [Build a rootfs image](#build-a-rootfs-image)
- [Install the rootfs image](#install-the-rootfs-image)
- [Create an initrd image - OPTIONAL](#create-an-initrd-image---optional)
- [Create a local rootfs for initrd image](#create-a-local-rootfs-for-initrd-image)
- [Build an initrd image](#build-an-initrd-image)
- [Install the initrd image](#install-the-initrd-image)
- [Install guest kernel images](#install-guest-kernel-images)
- [Install a hypervisor](#install-a-hypervisor)
- [Build a custom QEMU](#build-a-custom-qemu)
- [Build a custom QEMU for aarch64/arm64 - REQUIRED](#build-a-custom-qemu-for-aarch64arm64---required)
- [Run Kata Containers with Containerd](#run-kata-containers-with-containerd)
- [Run Kata Containers with Kubernetes](#run-kata-containers-with-kubernetes)
- [Troubleshoot Kata Containers](#troubleshoot-kata-containers)
- [Appendices](#appendices)
- [Checking Docker default runtime](#checking-docker-default-runtime)
- [Set up a debug console](#set-up-a-debug-console)
- [Simple debug console setup](#simple-debug-console-setup)
- [Enable agent debug console](#enable-agent-debug-console)
- [Connect to debug console](#connect-to-debug-console)
- [Traditional debug console setup](#traditional-debug-console-setup)
- [Create a custom image containing a shell](#create-a-custom-image-containing-a-shell)
- [Build the debug image](#build-the-debug-image)
- [Configure runtime for custom debug image](#configure-runtime-for-custom-debug-image)
- [Create a container](#create-a-container)
- [Connect to the virtual machine using the debug console](#connect-to-the-virtual-machine-using-the-debug-console)
- [Enabling debug console for QEMU](#enabling-debug-console-for-qemu)
- [Enabling debug console for cloud-hypervisor / firecracker](#enabling-debug-console-for-cloud-hypervisor--firecracker)
- [Connecting to the debug console](#connecting-to-the-debug-console)
- [Obtain details of the image](#obtain-details-of-the-image)
- [Capturing kernel boot logs](#capturing-kernel-boot-logs)
# Warning
This document is written **specifically for developers**: it is not intended for end users.
@@ -138,6 +86,16 @@ One of the `initrd` and `image` options in Kata runtime config file **MUST** be
The main difference between the options is that the size of `initrd`(10MB+) is significantly smaller than
rootfs `image`(100MB+).
## Enable seccomp
Enable seccomp as follows:
```
$ sudo sed -i '/^disable_guest_seccomp/ s/true/false/' /etc/kata-containers/configuration.toml
```
This will pass container seccomp profiles to the kata agent.
## Enable full debug
Enable full debug as follows:
@@ -268,6 +226,18 @@ $ go get -d -u github.com/kata-containers/kata-containers
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/src/agent && make
```
The agent is built with seccomp capability by default.
If you want to build the agent without the seccomp capability, you need to run `make` with `SECCOMP=no` as follows.
```
$ make -C $GOPATH/src/github.com/kata-containers/kata-containers/src/agent SECCOMP=no
```
> **Note:**
>
> - If you enable seccomp in the main configuration file but build the agent without seccomp capability,
> the runtime exits conservatively with an error message.
## Get the osbuilder
```
@@ -286,9 +256,21 @@ the following example.
$ export ROOTFS_DIR=${GOPATH}/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs
$ sudo rm -rf ${ROOTFS_DIR}
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder
$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true ./rootfs.sh ${distro}'
```
You MUST choose a distribution (e.g., `ubuntu`) for `${distro}`.
You can get a supported distributions list in the Kata Containers by running the following.
```
$ ./rootfs.sh -l
```
If you want to build the agent without seccomp capability, you need to run the `rootfs.sh` script with `SECCOMP=no` as follows.
```
$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
```
You MUST choose one of `alpine`, `centos`, `clearlinux`, `debian`, `euleros`, `fedora`, `suse`, and `ubuntu` for `${distro}`. By default `seccomp` packages are not included in the rootfs image. Set `SECCOMP` to `yes` to include them.
> **Note:**
>
@@ -304,7 +286,7 @@ You MUST choose one of `alpine`, `centos`, `clearlinux`, `debian`, `euleros`, `f
> - You should only do this step if you are testing with the latest version of the agent.
```
$ sudo install -o root -g root -m 0550 -t ${ROOTFS_DIR}/bin ../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent
$ sudo install -o root -g root -m 0550 -t ${ROOTFS_DIR}/usr/bin ../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent
$ sudo install -o root -g root -m 0440 ../../../src/agent/kata-agent.service ${ROOTFS_DIR}/usr/lib/systemd/system/
$ sudo install -o root -g root -m 0440 ../../../src/agent/kata-containers.target ${ROOTFS_DIR}/usr/lib/systemd/system/
```
@@ -324,6 +306,7 @@ $ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh ${ROOTFS_DIR}'
> - If you do *not* wish to build under Docker, remove the `USE_DOCKER`
> variable in the previous command and ensure the `qemu-img` command is
> available on your system.
> - If `qemu-img` is not installed, you will likely see errors such as `ERROR: File /dev/loop19p1 is not a block device` and `losetup: /tmp/tmp.bHz11oY851: Warning: file is smaller than 512 bytes; the loop device may be useless or invisible for system tools`. These can be mitigated by installing the `qemu-img` command (available in the `qemu-img` package on Fedora or the `qemu-utils` package on Debian).
### Install the rootfs image
@@ -342,23 +325,35 @@ $ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers.img)
$ export ROOTFS_DIR="${GOPATH}/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs"
$ sudo rm -rf ${ROOTFS_DIR}
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder
$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true ./rootfs.sh ${distro}'
```
`AGENT_INIT` controls if the guest image uses the Kata agent as the guest `init` process. When you create an initrd image,
always set `AGENT_INIT` to `yes`. By default `seccomp` packages are not included in the initrd image. Set `SECCOMP` to `yes` to include them.
always set `AGENT_INIT` to `yes`.
You MUST choose one of `alpine`, `centos`, `clearlinux`, `euleros`, and `fedora` for `${distro}`.
You MUST choose a distribution (e.g., `ubuntu`) for `${distro}`.
You can get a supported distributions list in the Kata Containers by running the following.
```
$ ./rootfs.sh -l
```
If you want to build the agent without seccomp capability, you need to run the `rootfs.sh` script with `SECCOMP=no` as follows.
```
$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
```
> **Note:**
>
> - Check the [compatibility matrix](../tools/osbuilder/README.md#platform-distro-compatibility-matrix) before creating rootfs.
Optionally, add your custom agent binary to the rootfs with the following, `LIBC` default is `musl`, if `ARCH` is `ppc64le`, should set the `LIBC=gnu` and `ARCH=powerpc64le`:
Optionally, add your custom agent binary to the rootfs with the following commands. The default `$LIBC` used
is `musl`, but on ppc64le and s390x, `gnu` should be used. Also, Rust refers to ppc64le as `powerpc64le`:
```
$ export ARCH=$(shell uname -m)
$ [ ${ARCH} == "ppc64le" ] && export LIBC=gnu || export LIBC=musl
$ export ARCH=$(uname -m)
$ [ ${ARCH} == "ppc64le" ] || [ ${ARCH} == "s390x" ] && export LIBC=gnu || export LIBC=musl
$ [ ${ARCH} == "ppc64le" ] && export ARCH=powerpc64le
$ sudo install -o root -g root -m 0550 -T ../../../src/agent/target/$(ARCH)-unknown-linux-$(LIBC)/release/kata-agent ${ROOTFS_DIR}/sbin/init
$ sudo install -o root -g root -m 0550 -T ../../../src/agent/target/${ARCH}-unknown-linux-${LIBC}/release/kata-agent ${ROOTFS_DIR}/sbin/init
```
### Build an initrd image
@@ -393,14 +388,40 @@ You may choose to manually build your VMM/hypervisor.
Kata Containers makes use of upstream QEMU branch. The exact version
and repository utilized can be found by looking at the [versions file](../versions.yaml).
Kata often utilizes patches for not-yet-upstream fixes for components,
including QEMU. These can be found in the [packaging/QEMU directory](../tools/packaging/qemu/patches)
Find the correct version of QEMU from the versions file:
```
$ source ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/scripts/lib.sh
$ qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
$ echo ${qemu_version}
```
Get source from the matching branch of QEMU:
```
$ go get -d github.com/qemu/qemu
$ cd ${GOPATH}/src/github.com/qemu/qemu
$ git checkout ${qemu_version}
$ your_qemu_directory=${GOPATH}/src/github.com/qemu/qemu
```
There are scripts to manage the build and packaging of QEMU. For the examples below, set your
environment as:
```
$ go get -d github.com/kata-containers/kata-containers
$ packaging_dir="${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging"
```
Kata often utilizes patches for not-yet-upstream and/or backported fixes for components,
including QEMU. These can be found in the [packaging/QEMU directory](../tools/packaging/qemu/patches),
and it's *recommended* that you apply them. For example, suppose that you are going to build QEMU
version 5.2.0, do:
```
$ cd $your_qemu_directory
$ $packaging_dir/scripts/apply_patches.sh $packaging_dir/qemu/patches/5.2.x/
```
To build utilizing the same options as Kata, you should make use of the `configure-hypervisor.sh` script. For example:
```
$ go get -d github.com/kata-containers/kata-containers/tools/packaging
$ cd $your_qemu_directory
$ ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/scripts/configure-hypervisor.sh kata-qemu > kata.cfg
$ $packaging_dir/scripts/configure-hypervisor.sh kata-qemu > kata.cfg
$ eval ./configure "$(cat kata.cfg)"
$ make -j $(nproc)
$ sudo -E make install
@@ -442,7 +463,7 @@ script and paste its output directly into a
> [runtime](../src/runtime) repository.
To perform analysis on Kata logs, use the
[`kata-log-parser`](https://github.com/kata-containers/tests/tree/master/cmd/log-parser)
[`kata-log-parser`](https://github.com/kata-containers/tests/tree/main/cmd/log-parser)
tool, which can convert the logs into formats (e.g. JSON, TOML, XML, and YAML).
See [Set up a debug console](#set-up-a-debug-console).
@@ -475,6 +496,16 @@ debug_console_enabled = true
This will pass `agent.debug_console agent.debug_console_vport=1026` to agent as kernel parameters, and sandboxes created using this parameters will start a shell in guest if new connection is accept from VSOCK.
#### Start `kata-monitor` - ONLY NEEDED FOR 2.0.x
For Kata Containers `2.0.x` releases, the `kata-runtime exec` command depends on the`kata-monitor` running, in order to get the sandbox's `vsock` address to connect to. Thus, first start the `kata-monitor` process.
```
$ sudo kata-monitor
```
`kata-monitor` will serve at `localhost:8090` by default.
#### Connect to debug console
Command `kata-runtime exec` is used to connect to the debug console.
@@ -619,7 +650,7 @@ VMM solution.
In case of cloud-hypervisor, connect to the `vsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
CONNECT 1026
```
@@ -627,7 +658,7 @@ CONNECT 1026
For firecracker, connect to the `hvsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/firecracker/{sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
$ sudo su -c 'cd /var/run/vc/firecracker/${sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
CONNECT 1026
```
@@ -636,7 +667,7 @@ CONNECT 1026
For QEMU, connect to the `vsock` as shown:
```
$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"
$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"'
```
To disconnect from the virtual machine, type `CONTROL+q` (hold down the

View File

@@ -1,16 +1,3 @@
* [Introduction](#introduction)
* [General requirements](#general-requirements)
* [Linking advice](#linking-advice)
* [Notes](#notes)
* [Warnings and other admonitions](#warnings-and-other-admonitions)
* [Files and command names](#files-and-command-names)
* [Code blocks](#code-blocks)
* [Images](#images)
* [Spelling](#spelling)
* [Names](#names)
* [Version numbers](#version-numbers)
* [The apostrophe](#the-apostrophe)
# Introduction
This document outlines the requirements for all documentation in the [Kata
@@ -23,10 +10,6 @@ All documents must:
- Be written in simple English.
- Be written in [GitHub Flavored Markdown](https://github.github.com/gfm) format.
- Have a `.md` file extension.
- Include a TOC (table of contents) at the top of the document with links to
all heading sections. We recommend using the
[`kata-check-markdown`](https://github.com/kata-containers/tests/tree/master/cmd/check-markdown)
tool to generate the TOC.
- Be linked to from another document in the same repository.
Although GitHub allows navigation of the entire repository, it should be
@@ -43,6 +26,10 @@ All documents must:
which can then execute the commands specified to ensure the instructions are
correct. This avoids documents becoming out of date over time.
> **Note:**
>
> Do not add a table of contents (TOC) since GitHub will auto-generate one.
# Linking advice
Linking between documents is strongly encouraged to help users and developers
@@ -118,7 +105,7 @@ This section lists requirements for displaying commands and command output.
The requirements must be adhered to since documentation containing code blocks
is validated by the CI system, which executes the command blocks with the help
of the
[doc-to-script](https://github.com/kata-containers/tests/tree/master/.ci/kata-doc-to-script.sh)
[doc-to-script](https://github.com/kata-containers/tests/tree/main/.ci/kata-doc-to-script.sh)
utility.
- If a document includes commands the user should run, they **MUST** be shown
@@ -202,7 +189,7 @@ and compare them with standard tools (e.g. `diff(1)`).
Since this project uses a number of terms not found in conventional
dictionaries, we have a
[spell checking tool](https://github.com/kata-containers/tests/tree/master/cmd/check-spelling)
[spell checking tool](https://github.com/kata-containers/tests/tree/main/cmd/check-spelling)
that checks both dictionary words and the additional terms we use.
Run the spell checking tool on your document before raising a PR to ensure it

View File

@@ -1,9 +1,5 @@
# Licensing strategy
* [Project License](#project-license)
* [License file](#license-file)
* [License for individual files](#license-for-individual-files)
## Project License
The license for the [Kata Containers](https://github.com/kata-containers)

View File

@@ -1,35 +1,3 @@
* [Overview](#overview)
* [Definition of a limitation](#definition-of-a-limitation)
* [Scope](#scope)
* [Contributing](#contributing)
* [Pending items](#pending-items)
* [Runtime commands](#runtime-commands)
* [checkpoint and restore](#checkpoint-and-restore)
* [events command](#events-command)
* [update command](#update-command)
* [Networking](#networking)
* [Docker swarm and compose support](#docker-swarm-and-compose-support)
* [Resource management](#resource-management)
* [docker run and shared memory](#docker-run-and-shared-memory)
* [docker run and sysctl](#docker-run-and-sysctl)
* [Docker daemon features](#docker-daemon-features)
* [SELinux support](#selinux-support)
* [Architectural limitations](#architectural-limitations)
* [Networking limitations](#networking-limitations)
* [Support for joining an existing VM network](#support-for-joining-an-existing-vm-network)
* [docker --net=host](#docker---nethost)
* [docker run --link](#docker-run---link)
* [Storage limitations](#storage-limitations)
* [Kubernetes `volumeMounts.subPaths`](#kubernetes-volumemountssubpaths)
* [Host resource sharing](#host-resource-sharing)
* [docker run --privileged](#docker-run---privileged)
* [Miscellaneous](#miscellaneous)
* [Docker --security-opt option partially supported](#docker---security-opt-option-partially-supported)
* [Appendices](#appendices)
* [The constraints challenge](#the-constraints-challenge)
---
# Overview
A [Kata Container](https://github.com/kata-containers) utilizes a Virtual Machine (VM) to enhance security and
@@ -94,7 +62,9 @@ This section lists items that might be possible to fix.
### checkpoint and restore
The runtime does not provide `checkpoint` and `restore` commands. There
are discussions about using VM save and restore to give [`criu`](https://github.com/checkpoint-restore/criu)-like functionality, which might provide a solution.
are discussions about using VM save and restore to give us a
`[criu](https://github.com/checkpoint-restore/criu)`-like functionality,
which might provide a solution.
Note that the OCI standard does not specify `checkpoint` and `restore`
commands.

View File

@@ -1,16 +1,5 @@
# Documentation
* [Getting Started](#getting-started)
* [More User Guides](#more-user-guides)
* [Kata Use-Cases](#kata-use-cases)
* [Developer Guide](#developer-guide)
* [Design and Implementations](#design-and-implementations)
* [How to Contribute](#how-to-contribute)
* [Code Licensing](#code-licensing)
* [The Release Process](#the-release-process)
* [Help Improving the Documents](#help-improving-the-documents)
* [Website Changes](#website-changes)
The [Kata Containers](https://github.com/kata-containers)
documentation repository hosts overall system documentation, with information
common to multiple components.
@@ -22,6 +11,10 @@ For details of the other Kata Containers repositories, see the
* [Installation guides](./install/README.md): Install and run Kata Containers with Docker or Kubernetes
## Tracing
See the [tracing documentation](tracing.md).
## More User Guides
* [Upgrading](Upgrading.md): how to upgrade from [Clear Containers](https://github.com/clearcontainers) and [runV](https://github.com/hyperhq/runv) to [Kata Containers](https://github.com/kata-containers) and how to upgrade an existing Kata Containers system to the latest version.
@@ -51,6 +44,7 @@ Documents that help to understand and contribute to Kata Containers.
* [Kata Containers Architecture](design/architecture.md): Architectural overview of Kata Containers
* [Kata Containers E2E Flow](design/end-to-end-flow.md): The entire end-to-end flow of Kata Containers
* [Kata Containers design](./design/README.md): More Kata Containers design documents
* [Kata Containers threat model](./threat-model/threat-model.md): Kata Containers threat model
### How to Contribute
@@ -58,6 +52,18 @@ Documents that help to understand and contribute to Kata Containers.
* [How to contribute to Kata Containers](https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md)
* [Code of Conduct](../CODE_OF_CONDUCT.md)
## Help Writing a Code PR
* [Code PR advice](code-pr-advice.md).
## Help Writing Unit Tests
* [Unit Test Advice](Unit-Test-Advice.md)
## Help Improving the Documents
* [Documentation Requirements](Documentation-Requirements.md)
### Code Licensing
* [Licensing](Licensing-strategy.md): About the licensing strategy of Kata Containers.
@@ -67,10 +73,6 @@ Documents that help to understand and contribute to Kata Containers.
* [Release strategy](Stable-Branch-Strategy.md)
* [Release Process](Release-Process.md)
## Help Improving the Documents
* [Documentation Requirements](Documentation-Requirements.md)
## Website Changes
If you have a suggestion for how we can improve the

View File

@@ -1,20 +1,6 @@
# How to do a Kata Containers Release
This document lists the tasks required to create a Kata Release.
<!-- TOC START min:1 max:3 link:true asterisk:false update:true -->
- [How to do a Kata Containers Release](#how-to-do-a-kata-containers-release)
- [Requirements](#requirements)
- [Release Process](#release-process)
- [Bump all Kata repositories](#bump-all-kata-repositories)
- [Merge all bump version Pull requests](#merge-all-bump-version-pull-requests)
- [Tag all Kata repositories](#tag-all-kata-repositories)
- [Check Git-hub Actions](#check-git-hub-actions)
- [Create release notes](#create-release-notes)
- [Announce the release](#announce-the-release)
<!-- TOC END -->
## Requirements
- [hub](https://github.com/github/hub)
@@ -29,6 +15,7 @@
## Release Process
### Bump all Kata repositories
Bump the repositories using a script in the Kata packaging repo, where:
@@ -41,6 +28,23 @@
$ ./update-repository-version.sh -p "$NEW_VERSION" "$BRANCH"
```
### Point tests repository to stable branch
If you create a new stable branch, i.e. if your release changes a major or minor version number (not a patch release), then
you should modify the `tests` repository to point to that newly created stable branch and not the `main` branch.
The objective is that changes in the CI on the main branch will not impact the stable branch.
In the test directory, change references the main branch in:
* `README.md`
* `versions.yaml`
* `cmd/github-labels/labels.yaml.in`
* `cmd/pmemctl/pmemctl.sh`
* `.ci/lib.sh`
* `.ci/static-checks.sh`
See the commits in [the corresponding PR for stable-2.1](https://github.com/kata-containers/tests/pull/3504) for an example of the changes.
### Merge all bump version Pull requests
- The above step will create a GitHub pull request in the Kata projects. Trigger the CI using `/test` command on each bump Pull request.
@@ -50,7 +54,7 @@
### Tag all Kata repositories
Once all the pull requests to bump versions in all Kata repositories are merged,
tag all the repositories as shown below.
tag all the repositories as shown below.
```
$ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
$ git checkout <kata-branch-to-release>
@@ -60,7 +64,7 @@
### Check Git-hub Actions
We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/master/.github/workflows/main.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-conatiners` repository.
We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/main/.github/workflows/release.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-containers` repository.
Check the [actions status page](https://github.com/kata-containers/kata-containers/actions) to verify all steps in the actions workflow have completed successfully. On success, a static tarball containing Kata release artifacts will be uploaded to the [Release page](https://github.com/kata-containers/kata-containers/releases).

View File

@@ -32,16 +32,16 @@ provides additional information regarding release `99.123.77` in the previous ex
changing the existing behavior*.
- When `MAJOR` increases, the new release adds **new features, bug fixes, or
both** and which *changes the behavior from the previous release* (incompatible with previous releases).
both** and which **changes the behavior from the previous release** (incompatible with previous releases).
A major release will also likely require a change of the container manager version used,
for example Docker\*. Please refer to the release notes for further details.
for example Containerd or CRI-O. Please refer to the release notes for further details.
## Release Strategy
Any new features added since the last release will be available in the next minor
release. These will include bug fixes as well. To facilitate a stable user environment,
Kata provides stable branch-based releases and a master branch release.
Kata provides stable branch-based releases and a main branch release.
## Stable branch patch criteria
@@ -49,9 +49,10 @@ No new features should be introduced to stable branches. This is intended to li
providing only bug and security fixes.
## Branch Management
Kata Containers will maintain two stable release branches in addition to the master branch.
Once a new MAJOR or MINOR release is created from master, a new stable branch is created for
the prior MAJOR or MINOR release and the older stable branch is no longer maintained. End of
Kata Containers will maintain **one** stable release branch, in addition to the main branch, for
each active major release.
Once a new MAJOR or MINOR release is created from main, a new stable branch is created for
the prior MAJOR or MINOR release and the previous stable branch is no longer maintained. End of
maintenance for a branch is announced on the Kata Containers mailing list. Users can determine
the version currently installed by running `kata-runtime kata-env`. It is recommended to use the
latest stable branch available.
@@ -61,59 +62,59 @@ A couple of examples follow to help clarify this process.
### New bug fix introduced
A bug fix is submitted against the runtime which does not introduce new inter-component dependencies.
This fix is applied to both the master and stable branches, and there is no need to create a new
This fix is applied to both the main and stable branches, and there is no need to create a new
stable branch.
| Branch | Original version | New version |
|--|--|--|
| `master` | `1.3.0-rc0` | `1.3.0-rc1` |
| `stable-1.2` | `1.2.0` | `1.2.1` |
| `stable-1.1` | `1.1.2` | `1.1.3` |
| `main` | `2.3.0-rc0` | `2.3.0-rc1` |
| `stable-2.2` | `2.2.0` | `2.2.1` |
| `stable-2.1` | (unmaintained) | (unmaintained) |
### New release made feature or change adding new inter-component dependency
A new feature is introduced, which adds a new inter-component dependency. In this case a new stable
branch is created (stable-1.3) starting from master and the older stable branch (stable-1.1)
branch is created (stable-2.3) starting from main and the previous stable branch (stable-2.2)
is dropped from maintenance.
| Branch | Original version | New version |
|--|--|--|
| `master` | `1.3.0-rc1` | `1.3.0` |
| `stable-1.3` | N/A| `1.3.0` |
| `stable-1.2` | `1.2.1` | `1.2.2` |
| `stable-1.1` | `1.1.3` | (unmaintained) |
| `main` | `2.3.0-rc1` | `2.3.0` |
| `stable-2.3` | N/A| `2.3.0` |
| `stable-2.2` | `2.2.1` | (unmaintained) |
| `stable-2.1` | (unmaintained) | (unmaintained) |
Note, the stable-1.1 branch will still exist with tag 1.1.3, but under current plans it is
not maintained further. The next tag applied to master will be 1.4.0-alpha0. We would then
Note, the stable-2.2 branch will still exist with tag 2.2.1, but under current plans it is
not maintained further. The next tag applied to main will be 2.4.0-alpha0. We would then
create a couple of alpha releases gathering features targeted for that particular release (in
this case 1.4.0), followed by a release candidate. The release candidate marks a feature freeze.
this case 2.4.0), followed by a release candidate. The release candidate marks a feature freeze.
A new stable branch is created for the release candidate. Only bug fixes and any security issues
are added to the branch going forward until release 1.4.0 is made.
are added to the branch going forward until release 2.4.0 is made.
## Backporting Process
Development that occurs against the master branch and applicable code commits should also be submitted
Development that occurs against the main branch and applicable code commits should also be submitted
against the stable branches. Some guidelines for this process follow::
1. Only bug and security fixes which do not introduce inter-component dependencies are
candidates for stable branches. These PRs should be marked with "bug" in GitHub.
2. Once a PR is created against master which meets requirement of (1), a comparable one
2. Once a PR is created against main which meets requirement of (1), a comparable one
should also be submitted against the stable branches. It is the responsibility of the submitter
to apply their pull request against stable, and it is the responsibility of the
reviewers to help identify stable-candidate pull requests.
## Continuous Integration Testing
The test repository is forked to create stable branches from master. Full CI
runs on each stable and master PR using its respective tests repository branch.
The test repository is forked to create stable branches from main. Full CI
runs on each stable and main PR using its respective tests repository branch.
### An alternative method for CI testing:
Ideally, the continuous integration infrastructure will run the same test suite on both master
Ideally, the continuous integration infrastructure will run the same test suite on both main
and the stable branches. When tests are modified or new feature tests are introduced, explicit
logic should exist within the testing CI to make sure only applicable tests are executed against
stable and master. While this is not in place currently, it should be considered in the long term.
stable and main. While this is not in place currently, it should be considered in the long term.
## Release Management
@@ -121,7 +122,7 @@ stable and master. While this is not in place currently, it should be considered
Releases are made every three weeks, which include a GitHub release as
well as binary packages. These patch releases are made for both stable branches, and a "release candidate"
for the next `MAJOR` or `MINOR` is created from master. If there are no changes across all the repositories, no
for the next `MAJOR` or `MINOR` is created from main. If there are no changes across all the repositories, no
release is created and an announcement is made on the developer mailing list to highlight this.
If a release is being made, each repository is tagged for this release, regardless
of whether changes are introduced. The release schedule can be seen on the
@@ -142,10 +143,10 @@ maturity, we have increased the cadence from six weeks to twelve weeks. The rele
### Compatibility
Kata guarantees compatibility between components that are within one minor release of each other.
This is critical for dependencies which cross between host (runtime, shim, proxy) and
This is critical for dependencies which cross between host (shimv2 runtime) and
the guest (hypervisor, rootfs and agent). For example, consider a cluster with a long-running
deployment, workload-never-dies, all on Kata version 1.1.3 components. If the operator updates
the Kata components to the next new minor release (i.e. 1.2.0), we need to guarantee that the 1.2.0
runtime still communicates with 1.1.3 agent within workload-never-dies.
deployment, workload-never-dies, all on Kata version 2.1.3 components. If the operator updates
the Kata components to the next new minor release (i.e. 2.2.0), we need to guarantee that the 2.2.0
shimv2 runtime still communicates with 2.1.3 agent within workload-never-dies.
Handling live-update is out of the scope of this document. See this [`kata-runtime` issue](https://github.com/kata-containers/runtime/issues/492) for details.

379
docs/Unit-Test-Advice.md Normal file
View File

@@ -0,0 +1,379 @@
# Unit Test Advice
## Overview
This document offers advice on writing a Unit Test (UT) in
[Golang](https://golang.org) and [Rust](https://www.rust-lang.org).
## General advice
### Unit test strategies
#### Positive and negative tests
Always add positive tests (where success is expected) *and* negative
tests (where failure is expected).
#### Boundary condition tests
Try to add unit tests that exercise boundary conditions such as:
- Missing values (`null` or `None`).
- Empty strings and huge strings.
- Empty (or uninitialised) complex data structures
(such as lists, vectors and hash tables).
- Common numeric values (such as `-1`, `0`, `1` and the minimum and
maximum values).
#### Test unusual values
Also always consider "unusual" input values such as:
- String values containing spaces, Unicode characters, special
characters, escaped characters or null bytes.
> **Note:** Consider these unusual values in prefix, infix and
> suffix position.
- String values that cannot be converted into numeric values or which
contain invalid structured data (such as invalid JSON).
#### Other types of tests
If the code requires other forms of testing (such as stress testing,
fuzz testing and integration testing), raise a GitHub issue and
reference it on the issue you are using for the main work. This
ensures the test team are aware that a new test is required.
### Test environment
#### Create unique files and directories
Ensure your tests do not write to a fixed file or directory. This can
cause problems when running multiple tests simultaneously and also
when running tests after a previous test run failure.
#### Assume parallel testing
Always assume your tests will be run *in parallel*. If this is
problematic for a test, force it to run in isolation using the
`serial_test` crate for Rust code for example.
### Running
Ensure you run the unit tests and they all pass before raising a PR.
Ideally do this on different distributions on different architectures
to maximise coverage (and so minimise surprises when your code runs in
the CI).
## Assertions
### Golang assertions
Use the `testify` assertions package to create a new assertion object as this
keeps the test code free from distracting `if` tests:
```go
func TestSomething(t *testing.T) {
assert := assert.New(t)
err := doSomething()
assert.NoError(err)
}
```
### Rust assertions
Use the standard set of `assert!()` macros.
## Table driven tests
Try to write tests using a table-based approach. This allows you to distill
the logic into a compact table (rather than spreading the tests across
multiple test functions). It also makes it easy to cover all the
interesting boundary conditions:
### Golang table driven tests
Assume the following function:
```go
// The function under test.
//
// Accepts a string and an integer and returns the
// result of sticking them together separated by a dash as a string.
func joinParamsWithDash(str string, num int) (string, error) {
if str == "" {
return "", errors.New("string cannot be blank")
}
if num <= 0 {
return "", errors.New("number must be positive")
}
return fmt.Sprintf("%s-%d", str, num), nil
}
```
A table driven approach to testing it:
```go
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestJoinParamsWithDash(t *testing.T) {
assert := assert.New(t)
// Type used to hold function parameters and expected results.
type testData struct {
param1 string
param2 int
expectedResult string
expectError bool
}
// List of tests to run including the expected results
data := []testData{
// Failure scenarios
{"", -1, "", true},
{"", 0, "", true},
{"", 1, "", true},
{"foo", 0, "", true},
{"foo", -1, "", true},
// Success scenarios
{"foo", 1, "foo-1", false},
{"bar", 42, "bar-42", false},
}
// Run the tests
for i, d := range data {
// Create a test-specific string that is added to each assert
// call. It will be displayed if any assert test fails.
msg := fmt.Sprintf("test[%d]: %+v", i, d)
// Call the function under test
result, err := joinParamsWithDash(d.param1, d.param2)
// update the message for more information on failure
msg = fmt.Sprintf("%s, result: %q, err: %v", msg, result, err)
if d.expectError {
assert.Error(err, msg)
// If an error is expected, there is no point
// performing additional checks.
continue
}
assert.NoError(err, msg)
assert.Equal(d.expectedResult, result, msg)
}
}
```
### Rust table driven tests
Assume the following function:
```rust
// Convenience type to allow Result return types to only specify the type
// for the true case; failures are specified as static strings.
// XXX: This is an example. In real code use the "anyhow" and
// XXX: "thiserror" crates.
pub type Result<T> = std::result::Result<T, &'static str>;
// The function under test.
//
// Accepts a string and an integer and returns the
// result of sticking them together separated by a dash as a string.
fn join_params_with_dash(str: &str, num: i32) -> Result<String> {
if str.is_empty() {
return Err("string cannot be blank");
}
if num <= 0 {
return Err("number must be positive");
}
let result = format!("{}-{}", str, num);
Ok(result)
}
```
A table driven approach to testing it:
```rust
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_join_params_with_dash() {
// This is a type used to record all details of the inputs
// and outputs of the function under test.
#[derive(Debug)]
struct TestData<'a> {
str: &'a str,
num: i32,
result: Result<String>,
}
// The tests can now be specified as a set of inputs and outputs
let tests = &[
// Failure scenarios
TestData {
str: "",
num: 0,
result: Err("string cannot be blank"),
},
TestData {
str: "foo",
num: -1,
result: Err("number must be positive"),
},
// Success scenarios
TestData {
str: "foo",
num: 42,
result: Ok("foo-42".to_string()),
},
TestData {
str: "-",
num: 1,
result: Ok("--1".to_string()),
},
];
// Run the tests
for (i, d) in tests.iter().enumerate() {
// Create a string containing details of the test
let msg = format!("test[{}]: {:?}", i, d);
// Call the function under test
let result = join_params_with_dash(d.str, d.num);
// Update the test details string with the results of the call
let msg = format!("{}, result: {:?}", msg, result);
// Perform the checks
if d.result.is_ok() {
assert!(result == d.result, msg);
continue;
}
let expected_error = format!("{}", d.result.as_ref().unwrap_err());
let actual_error = format!("{}", result.unwrap_err());
assert!(actual_error == expected_error, msg);
}
}
}
```
## Temporary files
Always delete temporary files on success.
### Golang temporary files
```go
func TestSomething(t *testing.T) {
assert := assert.New(t)
// Create a temporary directory
tmpdir, err := ioutil.TempDir("", "")
assert.NoError(err)
// Delete it at the end of the test
defer os.RemoveAll(tmpdir)
// Add test logic that will use the tmpdir here...
}
```
### Rust temporary files
Use the `tempfile` crate which allows files and directories to be deleted
automatically:
```rust
#[cfg(test)]
mod tests {
use tempfile::tempdir;
#[test]
fn test_something() {
// Create a temporary directory (which will be deleted automatically
let dir = tempdir().expect("failed to create tmpdir");
let filename = dir.path().join("file.txt");
// create filename ...
}
}
```
## Test user
[Unit tests are run *twice*](https://github.com/kata-containers/tests/blob/main/.ci/go-test.sh):
- as the current user
- as the `root` user (if different to the current user)
When writing a test consider which user should run it; even if the code the
test is exercising runs as `root`, it may be necessary to *only* run the test
as a non-`root` for the test to be meaningful. Add appropriate skip
guards around code that requires `root` and non-`root` so that the test
will run if the correct type of user is detected and skipped if not.
### Run Golang tests as a different user
The main repository has the most comprehensive set of skip abilities. See:
- https://github.com/kata-containers/kata-containers/tree/main/src/runtime/pkg/katatestutils
### Run Rust tests as a different user
One method is to use the `nix` crate along with some custom macros:
```
#[cfg(test)]
mod tests {
#[allow(unused_macros)]
macro_rules! skip_if_root {
() => {
if nix::unistd::Uid::effective().is_root() {
println!("INFO: skipping {} which needs non-root", module_path!());
return;
}
};
}
#[allow(unused_macros)]
macro_rules! skip_if_not_root {
() => {
if !nix::unistd::Uid::effective().is_root() {
println!("INFO: skipping {} which needs root", module_path!());
return;
}
};
}
#[test]
fn test_that_must_be_run_as_root() {
// Not running as the superuser, so skip.
skip_if_not_root!();
// Run test *iff* the user running the test is root
// ...
}
}
```

View File

@@ -1,16 +1,3 @@
* [Introduction](#introduction)
* [Maintenance warning](#maintenance-warning)
* [Determine current version](#determine-current-version)
* [Determine latest version](#determine-latest-version)
* [Configuration changes](#configuration-changes)
* [Upgrade Kata Containers](#upgrade-kata-containers)
* [Upgrade native distribution packaged version](#upgrade-native-distribution-packaged-version)
* [Static installation](#static-installation)
* [Determine if you are using a static installation](#determine-if-you-are-using-a-static-installation)
* [Remove a static installation](#remove-a-static-installation)
* [Upgrade a static installation](#upgrade-a-static-installation)
* [Custom assets](#custom-assets)
# Introduction
This document outlines the options for upgrading from a

246
docs/code-pr-advice.md Normal file
View File

@@ -0,0 +1,246 @@
# Code PR Advice
Before raising a PR containing code changes, we suggest you consider
the following to ensure a smooth and fast process.
> **Note:**
>
> - All the advice in this document is optional. However, if the
> advice provided is not followed, there is no guarantee your PR
> will be merged.
>
> - All the check tools will be run automatically on your PR by the CI.
> However, if you run them locally first, there is a much better
> chance of a successful initial CI run.
## Assumptions
This document assumes you have already read (and in the case of the
code of conduct agreed to):
- The [Kata Containers code of conduct](https://github.com/kata-containers/community/blob/main/CODE_OF_CONDUCT.md).
- The [Kata Containers contributing guide](https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md).
## Code
### Architectures
Do not write architecture-specific code if it is possible to write the
code generically.
### General advice
- Do not write code to impress: instead write code that is easy to read and understand.
- Always consider which user will run the code. Try to minimise
the privileges the code requires.
### Comments
Always add comments if the intent of the code is not obvious. However,
try to avoid comments if the code could be made clearer (for example
by using more meaningful variable names).
### Constants
Don't embed magic numbers and strings in functions, particularly if
they are used repeatedly.
Create constants at the top of the file instead.
### Copyright and license
Ensure all new files contain a copyright statement and an SPDX license
identifier in the comments at the top of the file.
### FIXME and TODO
If the code contains areas that are not fully implemented, make this
clear a comment which provides a link to a GitHub issue that provides
further information.
Do not just rely on comments in this case though: if possible, return
a "`BUG: feature X not implemented see {bug-url}`" type error.
### Functions
- Keep functions relatively short (less than 100 lines is a good "rule of thumb").
- Document functions if the parameters, return value or general intent
of the function is not obvious.
- Always return errors where possible.
Do not discard error return values from the functions this function
calls.
### Logging
- Don't use multiple log calls when a single log call could be used.
- Use structured logging where possible to allow
[standard tooling](https://github.com/kata-containers/tests/tree/main/cmd/log-parser)
be able to extract the log fields.
### Names
Give functions, macros and variables clear and meaningful names.
### Structures
#### Golang structures
Unlike Rust, Go does not enforce that all structure members be set.
This has lead to numerous bugs in the past where code like the
following is used:
```go
type Foo struct {
Key string
Value string
}
// BUG: Key not set, but nobody noticed! ;(
let foo1 = Foo {
Value: "foo",
}
```
A much safer approach is to create a constructor function to enforce
integrity:
```go
type Foo struct {
Key string
Value string
}
func NewFoo(key, value string) (*Foo, error) {
if key == "" {
return nil, errors.New("Foo needs a key")
}
if value == "" {
return nil, errors.New("Foo needs a value")
}
return &Foo{
Key: key,
Value: value,
}, nil
}
func testFoo() error {
// BUG: Key not set, but nobody noticed! ;(
badFoo := Foo{Value: "value"}
// Ok - the constructor performs needed validation
goodFoo, err := NewFoo("name", "value")
if err != nil {
return err
}
return nil
```
> **Note:**
>
> The above is just an example. The *safest* approach would be to move
> `NewFoo()` into a separate package and make `Foo` and it's elements
> private. The compiler would then enforce the use of the constructor
> to guarantee correctly defined objects.
### Tracing
Consider if the code needs to create a new
[trace span](https://github.com/kata-containers/kata-containers/blob/main/docs/tracing.md).
Ensure any new trace spans added to the code are completed.
## Tests
### Unit tests
Where possible, code changes should be accompanied by unit tests.
Consider using the standard
[table-based approach](https://github.com/kata-containers/tests/blob/main/Unit-Test-Advice.md)
as it encourages you to make functions small and simple, and also
allows you to think about what types of value to test.
### Other categories of test
Raised a GitHub issue in the
[`tests`](https://github.com/kata-containers/tests) repository that
explains what sort of test is required along with as much detail as
possible. Ensure the original issue is referenced on the `tests` issue.
### Unsafe code
#### Rust language specifics
Minimise the use of `unsafe` blocks in Rust code and since it is
potentially dangerous always write [unit tests][#unit-tests]
for this code where possible.
`expect()` and `unwrap()` will cause the code to panic on error.
Prefer to return a `Result` on error rather than using these calls to
allow the caller to deal with the error condition.
The table below lists the small number of cases where use of
`expect()` and `unwrap()` are permitted:
| Area | Rationale for permitting |
|-|-|
| In test code (the `tests` module) | Panics will cause the test to fail, which is desirable. |
| `lazy_static!()` | This magic macro cannot "return" a value as it runs before `main()`. |
| `defer!()` | Similar to golang's `defer()` but doesn't allow the use of `?`. |
| `tokio::spawn(async move {})` | Cannot currently return a `Result` from an `async move` closure. |
| If an explicit test is performed before the `unwrap()` / `expect()` | *"Just about acceptable"*, but not ideal `[*]` |
`[*]` - There can lead to bad *future* code: consider what would
happen if the explicit test gets dropped in the future. This is easier
to happen if the test and the extraction of the value are two separate
operations. In summary, this strategy can introduce an insidious
maintenance issue.
## Documentation
### General requirements
- All new features should be accompanied by documentation explaining:
- What the new feature does
- Why it is useful
- How to use the feature
- Any known issues or limitations
Links should be provided to GitHub issues tracking the issues
- The [documentation requirements document](Documentation-Requirements.md)
explains how the project formats documentation.
### Markdown syntax
Run the
[markdown checker](https://github.com/kata-containers/tests/tree/main/cmd/check-markdown)
on your documentation changes.
### Spell check
Run the
[spell checker](https://github.com/kata-containers/tests/tree/main/cmd/check-spelling)
on your documentation changes.
## Finally
You may wish to read the documentation that the
[Kata Review Team](https://github.com/kata-containers/community/blob/main/Rota-Process.md) use to help review PRs:
- [PR review guide](https://github.com/kata-containers/community/blob/main/PR-Review-Guide.md).
- [documentation review process](https://github.com/kata-containers/community/blob/main/Documentation-Review-Process.md).

View File

@@ -8,4 +8,9 @@ Kata Containers design documents:
- [VSocks](VSocks.md)
- [VCPU handling](vcpu-handling.md)
- [Host cgroups](host-cgroups.md)
- [`Inotify` support](inotify.md)
- [Metrics(Kata 2.0)](kata-2-0-metrics.md)
---
- [Design proposals](proposals)

View File

@@ -1,12 +1,5 @@
# Kata Containers and VSOCKs
- [Introduction](#introduction)
- [VSOCK communication diagram](#vsock-communication-diagram)
- [System requirements](#system-requirements)
- [Advantages of using VSOCKs](#advantages-of-using-vsocks)
- [High density](#high-density)
- [Reliability](#reliability)
## Introduction
There are two different ways processes in the virtual machine can communicate

Binary file not shown.

After

Width:  |  Height:  |  Size: 101 KiB

View File

@@ -1 +1 @@
<mxfile host="Chrome" modified="2020-07-02T06:44:28.736Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" etag="r7FpfnbGNK7jbg54Gu9x" version="13.3.5" type="device"><diagram id="XNV8G0dePIPkhS_Khqr4" name="Page-1">7VvZcuI4FP0aHqFky+sjkNCTqfR0qtLV6fTLlMDy0hiLscWWrx8Zy3iRQkhjQxbygnVlhK1zz9HRkg4cztZfYjT3vxIHhx0VOOsOvOqoKrRthX2kkU0WMTWYBbw4cLIQKAL3wRPOgkoeXQQOTngsC1FCQhrMq8EJiSI8oZUYimOyqt7mktCpBObIw0LgfoJCMfoQONTPoiqEdlHxFw48n/80hIA/+Qzld/NA4iOHrEoheN2Bw5gQml3N1kMcpr1X7ZjRM7W7J4txRA/5wrd/v5rDewTubvrjyZDYg1l/01W0rJklChf8lfnT0k3eBzFZRA5OW1E6cLDyA4rv52iS1q4Y6izm01nIq10SUQ4jwxAOvBg5AXvCIQlJvG0PmhgZOK1zgzAsxR2ELXfC4gmNyRSXaoyJhccuqxHfmXfDEscUr0sh3gdfMJlhGm/YLby2q+i6nn2J56QOzKy8KhDWctT8Eri7rEQ8q7xd60W/swve9a+BQW8PBlWTw+C6jm0YIgyu66oTKQyOMTZ0oykYNLsGQ/7OJRgYnUQYFENvCYYWUXgvZFDss5PBuHBBVc7OBQUKvY4dNjbyIompTzwSofC6iA4KXNKULu65JWTO0fiNKd1wONCCkipWeB3Qn6Xrx7Spns5LV2ve8raw4YUyy7R9iCRkEU/4u3i3328se/zw+97wp99Wf4fTh2I0pCj2MN3TOZwjaYfsBTjGIaLBsmomGodKhQJjKI3nEymAt2jMPFql01EYeBG7nrAOwyy/B2nqBswE9XnFLHCcDF+cBE9ovG0v7fo5CSK6fR190NGvDgJjb7YJpNlZO/6rFfMkJRPoKbahVUUtKx2MBm/8Ln27Ustqmonldrt2tQ3iugnLmzqeu4c8COK9mVkRRSNkXTpwgmUFZeO/RWopt0h0ky0UfXaDos3XWzzyenblpZ+sfykKIhw73cQPZt0poqi73DXPHnf7C9nNzY2Hmqi2yhgpWJWpLQDGdX/EW6jqM/trSoUts6bCUBwLFdPMk6Csw0YDg6EcePMV3H6D4szwiDc/y4XSt9Ji8bVtSSbq5nGibouivpdjL6o6TxjQA5ZuVjMGHKc0jQqJfKwQzdQHzpwj7YAkc+Sj17nswN7HLklGofHNCbglCrjhWKahyQQc9nUN5i20JeBMnMHLAi6bzLQm35r+megGjqKbeqhQw0OF+jR8U0W+3cVp2z5eJOmL45gl8ccmnm1XiGdIltQUS2uHePJx7py8K7j2WKbaC7wrqPaYt3eSYQ5KZr1yMTsb76QQi1Min9K5FPe3OelVnyHaq+e8oMfYVWXgkVPefIKrKL3aAlN71lRcxXgWz5PxWP2YRIYHEnmXXxBa1fSyj8uvRrMJ/XBvb7q/6A348c9DF/34nvjgzANA61lzgizJMX4jNguKer9dqpqRKKCkXX917pUpW1drS48yh6Xqp1yZ0kS9Tshk2hwOsl0xCwATynDo6wBooG0cLFibYFoiCjIQYGs2VxH6+43OL/9omNu32vLyqozxpuyqKurXe9uleZYyf+BYoa6rx3mInJWGUuFkVwOn86yKgOllW6Zp0TVr2zKaRHRPvS2jiWT+8IOfqcBeDQodqucd/8TdMeSl7/iRzaCm1bYpVREEWwZCW0dFLAGEnXilCtcsGJLTO7bpANOUEEbHliNdFbXUMczO+1SBGo0AGI2aAgqqdaC0XKTK0qWdkjB79oZYWJw0f1qsDMkgc1Kk8vN15fWwzRzHyyCRzHbZi9IqGNWOjEiEa73OQ4f7Shn61blE/aidT+LgKc2vsPPCssWrzizWBVB2ZlF2ZLE1qEQb6C1wkprUKY6j9Ez8u4CrmeEJVNGBsk1Y46TwiCdKP59L0HOhOpdLkJxkutgE2dCjw/PbBGW/p7v4hB1Y5tl9gmjpLj5B6hNka+Yn9QmqaOkuPmGHjtaeT2DF4h/tsrW/4v8V4fX/</diagram></mxfile>
<mxfile host="app.diagrams.net" modified="2021-11-05T13:07:32.992Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" etag="j5e7J3AOXxeQrt-Zz2uw" version="15.6.8" type="device"><diagram id="XNV8G0dePIPkhS_Khqr4" name="Page-1">7Vxdd9o4EP01nLP7QI5s+fORUNhNT7rNbnqaZl/2CCywG2OxQhDIr18Z29iyZD6CDZRuHho8toQ9986dGVlNC3Yny98omvqfiIfDlg68ZQt+aOm6AUyb/4otq8TiGnpiGNPAS0wgNzwGbzgxapl1Hnh4ltoSEyMkZMFUNA5JFOEhE2yIUvIqXjYioScYpmiMJcPjEIWy9SnwmJ9YdQjd/MTvOBj76VdDCNI7n6Ds6tQw85FHXgsm2GvBLiWEJZ8myy4OY++JjulXnN3cGcUR22fAn3fPzx+jj7e9HrIXA330feIZ7czPCxTO00dO75atMh+MKZlP08swZXip8jwaZJcD+ca0zeNyomAywYyu+CXpRG3NNM1kUMoSXU+PX3OfG9nEfsHdG56gFOfxZvbcE/xD6gy1Yz7/88nuPiLwcNcZDLvEvZ10Vm1zt1+4WyIPx5NoLXj76gcMP07RMD77yqOB23w2CdPTIxKxlN78nuHtmCIv4A7qkpDQ9XzQxsjC8blREIYFu4ewMxpy+4xR8oILZ6yhgwcjfkZ2+Xa0yzDK2JzP81ZzntcNtedHI8+1LNnzo9FIHyo971kDy7Qa8Xx61gJCSGhyRHCtkXHRLLMhXGwJF659/KFrCwtHBkAbIA3rKgAAsHqdfjqDCBn/aRIYTRORUWiVa8rAwKZwcSRcuCQzFESYcrNWLz6K4HFtD9i2QrZM7HiGCjtHH8Ak3ETs+n0A+v0msdNhCTv7RkZPM1TwNSV37lb4asw6VwifDc4MnqJ88ldTTBfBjHulDB1/SibiI/o2IhEuAZGaUBiMI3445B7lvIC3sc8CXqZ20hOTwPPir1ESIqcMUORDn9DgLaZcmF7QnHKWUhqQ4TNUpUZj6GkSeuM5nvGUBl4wjeJW5odAsDnAzBJihiLgrIYgUz6DrJYSRqdvVwzblol82qJZM3Y75sfrV9wKGC+pXdEa7BTP16/s7/lLbVc0uY+8hn7lYGCkdgVKyJy0XdHkPvJn6VcOxu4C2xVte7t5zf3K0fCdv12Ry6efpl05XDgvrFvR5V7zmruVw/E6Z7OiDjcoQYK9MX5MDwllPhmTCIW93FpyXn7NPSHTFMXvmLFV6lI0Z0TEGC8D9q3w+TmeiueN5OjDMp15fbCSMdJijDg0dPUtuzI+KMwSH+bTrI+yeWRss3xO5nSYsfb+y53jDp6+P1r+y+fXj+HLU97AMETHmG1xalo+xI7cygqKQ8SCBRZuQwXxemiHUrQqXDAlQcRmhZkfYoPQBNqOmJstu0gYxQjD1ksjnBLFkrvICbd5nCNUA0qqwRidDpXMvEcDLiMCm/ZXAopnwVvaV8dcSF3IJzdvW+YHBctktmwNo727+erWHdxormWIMpEcHUYXGV0osmFz09kUZDSaYSZJymEIqyNHLqirEb5A7Xmv1hTZZB+nPa6sPVtFaqf45HyDBrRFvtnHEa5WQqklQy7ir5g6aiE6hjpqEbuQtOUCUf52p63yCFOzS6w7Lm1t9WtB1LqFNrMXjfmnlm6FcYE74CZrHH/6ZdOLeq04F/T5v92/7tqff5UoXeeyj+U5tqXsPWHHNGA2w37LPtlLib0L37auOa4IKpQXpDXHkktfq4bSV4lf1tb+HBpyXOmr75t+4L7pZ28ROQpjXY7RBxrP7eP5LH5wTBdYXla4rsATyz4LqALPaCbw1Mn7nHGXx9pzMdR2xF0eas/ZfCfJ3VDRcqrFrPa4e2fytk1bSbfq5F0eYTpmrclbyUH5XaTP2FRJzMvsOPUKJTi44QQ3Um6uqd/MXm9l/aZuiFM01x7ICwqV6J5MdqCY8QGwTqI98aQPmAbcpTFTj1wC21+P4J56tGGhCQEUK8QjaVhNs8NVzbHFezNAaSP7TlUrjTha1dDX0f1d+292B77+8dRGX7/MfHCmzPpOplaycPcah9tIslM1lpq4jWZTPGWTJBGTjjuGYVXftKXpLY0wHbh9hA5ca9uIZtpkKKfaF8RQe0KigCle6V3sXofDa2/NNfWbCgIVqm/dVLxgba76lrcvXGjb+64yetvK1u4VMKtuYTkOKjl0frQXI5VR8446FZqmXlNlCsqvQkqyXktpqnxnvMdWvOZ3hzqGmAgMR7EmYG928hR1yW5s05XCMcnaqRcsBAdZ/87j/5C4pmR7tuZkh1+gGdPlmpjZ+WzFNV9wbc/8YNJep5/FZnp+t+tvSC6uLx8ZDeejrfQ6aDtqBdTNrbzKujYjw5f6XK/a8esAwIt4hes7JgAGOKXrs/2o2o1e2qUtb51T1QZ1bL5SPoL8mvYCxEn5pkDNWKcpxir3rv+vToeGiF1BnMtSJ3n16ArUaX/XV6qTKW9Wq0md+GH+RwaSSiv/Ww2w9x8=</diagram></mxfile>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 90 KiB

View File

@@ -1,26 +1,5 @@
# Kata Containers Architecture
- [Kata Containers Architecture](#kata-containers-architecture)
- [Overview](#overview)
- [Virtualization](#virtualization)
- [Guest assets](#guest-assets)
- [Guest kernel](#guest-kernel)
- [Guest image](#guest-image)
- [Root filesystem image](#root-filesystem-image)
- [Initrd image](#initrd-image)
- [Agent](#agent)
- [Runtime](#runtime)
- [Configuration](#configuration)
- [Networking](#networking)
- [Network Hotplug](#network-hotplug)
- [Storage](#storage)
- [Kubernetes support](#kubernetes-support)
- [OCI annotations](#oci-annotations)
- [Mixing VM based and namespace based runtimes](#mixing-vm-based-and-namespace-based-runtimes)
- [Appendices](#appendices)
- [DAX](#dax)
## Overview
This is an architectural overview of Kata Containers, based on the 2.0 release.
@@ -35,7 +14,7 @@ through the [CRI-O\*](https://github.com/kubernetes-incubator/cri-o) and
Kata Containers creates a QEMU\*/KVM virtual machine for pod that `kubelet` (Kubernetes) creates respectively.
The [`containerd-shim-kata-v2` (shown as `shimv2` from this point onwards)](../../src/runtime/containerd-shim-v2)
The [`containerd-shim-kata-v2` (shown as `shimv2` from this point onwards)](../../src/runtime/cmd/containerd-shim-kata-v2/)
is the Kata Containers entrypoint, which
implements the [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2) for Kata.
@@ -280,7 +259,7 @@ With `RuntimeClass`, users can define Kata Containers as a `RuntimeClass` and th
## DAX
Kata Containers utilizes the Linux kernel DAX [(Direct Access filesystem)](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/dax.txt)
Kata Containers utilizes the Linux kernel DAX [(Direct Access filesystem)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/dax.rst?h=v5.14)
feature to efficiently map some host-side files into the guest VM space.
In particular, Kata Containers uses the QEMU NVDIMM feature to provide a
memory-mapped virtual device that can be used to DAX map the virtual machine's

View File

@@ -1825,12 +1825,8 @@ components:
desc: ""
- value: grpc.StartContainerRequest
desc: ""
- value: grpc.StartTracingRequest
desc: ""
- value: grpc.StatsContainerRequest
desc: ""
- value: grpc.StopTracingRequest
desc: ""
- value: grpc.TtyWinResizeRequest
desc: ""
- value: grpc.UpdateContainerRequest

View File

@@ -1,4 +1,3 @@
# Kata Containers E2E Flow
![Kata containers e2e flow](arch-images/katacontainers-e2e-with-bg.jpg)

View File

@@ -1,18 +1,3 @@
- [Host cgroup management](#host-cgroup-management)
- [Introduction](#introduction)
- [`SandboxCgroupOnly` enabled](#sandboxcgrouponly-enabled)
- [What does Kata do in this configuration?](#what-does-kata-do-in-this-configuration)
- [Why create a Kata-cgroup under the parent cgroup?](#why-create-a-kata-cgroup-under-the-parent-cgroup)
- [Improvements](#improvements)
- [`SandboxCgroupOnly` disabled (default, legacy)](#sandboxcgrouponly-disabled-default-legacy)
- [What does this method do?](#what-does-this-method-do)
- [Impact](#impact)
- [Supported cgroups](#supported-cgroups)
- [Cgroups V1](#cgroups-v1)
- [Cgroups V2](#cgroups-v2)
- [Distro Support](#distro-support)
- [Summary](#summary)
# Host cgroup management
## Introduction
@@ -27,187 +12,244 @@ The OCI [runtime specification][linux-config] provides guidance on where the con
> [`cgroupsPath`][cgroupspath]: (string, OPTIONAL) path to the cgroups. It can be used to either control the cgroups
> hierarchy for containers or to run a new process in an existing container
cgroups are hierarchical, and this can be seen with the following pod example:
Cgroups are hierarchical, and this can be seen with the following pod example:
- Pod 1: `cgroupsPath=/kubepods/pod1`
- Container 1:
`cgroupsPath=/kubepods/pod1/container1`
- Container 2:
`cgroupsPath=/kubepods/pod1/container2`
- Container 1: `cgroupsPath=/kubepods/pod1/container1`
- Container 2: `cgroupsPath=/kubepods/pod1/container2`
- Pod 2: `cgroupsPath=/kubepods/pod2`
- Container 1:
`cgroupsPath=/kubepods/pod2/container2`
- Container 2:
`cgroupsPath=/kubepods/pod2/container2`
- Container 1: `cgroupsPath=/kubepods/pod2/container2`
- Container 2: `cgroupsPath=/kubepods/pod2/container2`
Depending on the upper-level orchestrator, the cgroup under which the pod is placed is
managed by the orchestrator. In the case of Kubernetes, the pod-cgroup is created by Kubelet,
while the container cgroups are to be handled by the runtime. Kubelet will size the pod-cgroup
based on the container resource requirements.
Depending on the upper-level orchestration layers, the cgroup under which the pod is placed is
managed by the orchestrator or not. In the case of Kubernetes, the pod cgroup is created by Kubelet,
while the container cgroups are to be handled by the runtime.
Kubelet will size the pod cgroup based on the container resource requirements, to which it may add
a configured set of [pod resource overheads](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/).
Kata Containers introduces a non-negligible overhead for running a sandbox (pod). Based on this, two scenarios are possible:
1) The upper-layer orchestrator takes the overhead of running a sandbox into account when sizing the pod-cgroup, or
2) Kata Containers do not fully constrain the VMM and associated processes, instead placing a subset of them outside of the pod-cgroup.
Kata Containers introduces a non-negligible resource overhead for running a sandbox (pod). Typically, the Kata shim,
through its underlying VMM invocation, will create many additional threads compared to process based container runtimes:
the para-virtualized I/O back-ends, the VMM instance or even the Kata shim process, all of those host processes consume
memory and CPU time not directly tied to the container workload, and introduces a sandbox resource overhead.
In order for a Kata workload to run without significant performance degradation, its sandbox overhead must be
provisioned accordingly. Two scenarios are possible:
Kata Containers provides two options for how cgroups are handled on the host. Selection of these options is done through
the `SandboxCgroupOnly` flag within the Kata Containers [configuration](../../src/runtime/README.md#configuration)
file.
1) The upper-layer orchestrator takes the overhead of running a sandbox into account when sizing the pod cgroup.
For example, Kubernetes [`PodOverhead`](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/)
feature lets the orchestrator add a configured sandbox overhead to the sum of all its containers resources. In
that case, the pod sandbox is properly sized and all Kata created processes will run under the pod cgroup
defined constraints and limits.
2) The upper-layer orchestrator does **not** take the sandbox overhead into account and the pod cgroup is not
sized to properly run all Kata created processes. With that scenario, attaching all the Kata processes to the sandbox
cgroup may lead to non-negligible workload performance degradations. As a consequence, Kata Containers will move
all processes but the vCPU threads into a dedicated overhead cgroup under `/kata_overhead`. The Kata runtime will
not apply any constraints or limits to that cgroup, it is up to the infrastructure owner to optionally set it up.
## `SandboxCgroupOnly` enabled
Those 2 scenarios are not dynamically detected by the Kata Containers runtime implementation, and thus the
infrastructure owner must configure the runtime according to how the upper-layer orchestrator creates and sizes the
pod cgroup. That configuration selection is done through the `sandbox_cgroup_only` flag within the Kata Containers
[configuration](../../src/runtime/README.md#configuration) file.
With `SandboxCgroupOnly` enabled, it is expected that the parent cgroup is sized to take the overhead of running
a sandbox into account. This is ideal, as all the applicable Kata Containers components can be placed within the
given cgroup-path.
## `sandbox_cgroup_only = true`
In the context of Kubernetes, Kubelet will size the pod-cgroup to take the overhead of running a Kata-based sandbox
into account. This will be feasible in the 1.16 Kubernetes release through the `PodOverhead` feature.
Setting `sandbox_cgroup_only` to `true` from the Kata Containers configuration file means that the pod cgroup is
properly sized and takes the pod overhead into account. This is ideal, as all the applicable Kata Containers processes
can simply be placed within the given cgroup path.
In the context of Kubernetes, Kubelet can size the pod cgroup to take the overhead of running a Kata-based sandbox
into account. This has been supported since the 1.16 Kubernetes release, through the
[`PodOverhead`](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/) feature.
```
+----------------------------------------------------------+
| +---------------------------------------------------+ |
| | +---------------------------------------------+ | |
| | | +--------------------------------------+ | | |
| | | | kata-shimv2, VMM and threads: | | | |
| | | | (VMM, IO-threads, vCPU threads, etc)| | | |
| | | | | | | |
| | | | kata_<sandbox-id> | | | |
| | | +--------------------------------------+ | | |
| | | | | |
| | |Pod 1 | | |
| | +---------------------------------------------+ | |
| | | |
| | +---------------------------------------------+ | |
| | | +--------------------------------------+ | | |
| | | | kata-shimv2, VMM and threads: | | | |
| | | | (VMM, IO-threads, vCPU threads, etc)| | | |
| | | | | | | |
| | | | kata_<sandbox-id> | | | |
| | | +--------------------------------------+ | | |
| | |Pod 2 | | |
| | +---------------------------------------------+ | |
| |kubepods | |
| +---------------------------------------------------+ |
| |
|Node |
+----------------------------------------------------------+
┌─────────────────────────────────────────┐
│ │
┌──────────────────────────────────┐ │
│ │
│ ┌─────────────────────────────┐ │ │
│ │ │ │ │
│ │ ┌─────────────────────┐
│ │ │ vCPU threads
│ │ │ I/O threads │ │ │ │
│ │ │ │ VMM
│ │ │ Kata Shim
│ │ │ │ │ │ │
│ │ │ /kata_<sandbox_id>
│ │ │ └─────────────────────┘ │ │
│ │Pod 1 │ │ │
│ └─────────────────────────────┘ │ │
│ │
│ │ ┌─────────────────────────────┐
│ │ │ │
│ │ ┌─────────────────────┐ │ │ │
│ │ │ vCPU threads
│ │ │ │ I/O threads │ │ │
│ │ │ VMM
│ │ │ │ Kata Shim │ │
│ │ │
│ │ │ │ /kata_<sandbox_id> │
│ │ │ └─────────────────────┘ │ │ │
│ │ │Pod 2 │ │ │
│ │ └─────────────────────────────┘ │ │
│ │ │ │
│ │/kubepods │ │
│ └──────────────────────────────────┘ │
│ │
│ Node │
└─────────────────────────────────────────┘
```
### What does Kata do in this configuration?
1. Given a `PodSandbox` container creation, let:
### Implementation details
```
podCgroup=Parent(container.CgroupsPath)
KataSandboxCgroup=<podCgroup>/kata_<PodSandboxID>
```
When `sandbox_cgroup_only` is enabled, the Kata shim will create a per pod
sub-cgroup under the pod's dedicated cgroup. For example, in the Kubernetes context,
it will create a `/kata_<PodSandboxID>` under the `/kubepods` cgroup hierarchy.
On a typical cgroup v1 hierarchy mounted under `/sys/fs/cgroup/`, the memory cgroup
subsystem for a pod with sandbox ID `12345678` would live under
`/sys/fs/cgroup/memory/kubepods/kata_12345678`.
2. Create the cgroup, `KataSandboxCgroup`
In most cases, the `/kata_<PodSandboxID>` created cgroup is unrestricted and inherits and shares all
constraints and limits from the parent cgroup (`/kubepods` in the Kubernetes case). The exception is
for the `cpuset` and `devices` cgroup subsystems, which are managed by the Kata shim.
3. Join the `KataSandboxCgroup`
After creating the `/kata_<PodSandboxID>` cgroup, the Kata Containers shim will move itself to it, **before** starting
the virtual machine. As a consequence all processes subsequently created by the Kata Containers shim (the VMM itself, and
all vCPU and I/O related threads) will be created in the `/kata_<PodSandboxID>` cgroup.
Any process created by the runtime will be created in `KataSandboxCgroup`.
The runtime will limit the cgroup in the host only if the sandbox doesn't have a
container type annotation, but the caller is free to set the proper limits for the `podCgroup`.
### Why create a kata-cgroup under the parent cgroup?
In the example above the pod cgroups are `/kubepods/pod1` and `/kubepods/pod2`.
Kata creates the unrestricted sandbox cgroup under the pod cgroup.
And why not directly adding the per sandbox shim directly to the pod cgroup (e.g.
`/kubepods` in the Kubernetes context)?
### Why create a Kata-cgroup under the parent cgroup?
The Kata Containers shim implementation creates a per-sandbox cgroup
(`/kata_<PodSandboxID>`) to support the `Docker` use case. Although `Docker` does not
have a notion of pods, Kata Containers still creates a sandbox to support the pod-less,
single container use case that `Docker` implements. Since `Docker` does create any
cgroup hierarchy to place a container into, it would be very complex for Kata to map
a particular container to its sandbox without placing it under a `/kata_<containerID>>`
sub-cgroup first.
`Docker` does not have a notion of pods, and will not create a cgroup directory
to place a particular container in (i.e., all containers would be in a path like
`/docker/container-id`. To simplify the implementation and continue to support `Docker`,
Kata Containers creates the sandbox-cgroup, in the case of Kubernetes, or a container cgroup, in the case
of docker.
### Advantages
### Improvements
Keeping all Kata Containers processes under a properly sized pod cgroup is ideal
and makes for a simpler Kata Containers implementation. It also helps with gathering
accurate statistics and preventing Kata workloads from being noisy neighbors.
- Get statistics about pod resources
#### Pod resources statistics
If the Kata caller wants to know the resource usage on the host it can get
statistics from the pod cgroup. All cgroups stats in the hierarchy will include
the Kata overhead. This gives the possibility of gathering usage-statics at the
pod level and the container level.
- Better host resource isolation
#### Better host resource isolation
Because the Kata runtime will place all the Kata processes in the pod cgroup,
the resource limits that the caller applies to the pod cgroup will affect all
processes that belong to the Kata sandbox in the host. This will improve the
isolation in the host preventing Kata to become a noisy neighbor.
## `SandboxCgroupOnly` disabled (default, legacy)
## `sandbox_cgroup_only = false` (Default setting)
If the cgroup provided to Kata is not sized appropriately, Kata components will
consume resources that the actual container workloads expect to see and use.
This can cause instability and performance degradations.
To avoid that situation, Kata Containers creates an unconstrained overhead
cgroup and moves all non workload related processes (Anything but the virtual CPU
threads) to it. The name of this overhead cgroup is `/kata_overhead` and a per
sandbox sub cgroup will be created under it for each sandbox Kata Containers creates.
Kata Containers does not add any constraints or limitations on the overhead cgroup. It is up to the infrastructure
owner to either:
- Provision nodes with a pre-sized `/kata_overhead` cgroup. Kata Containers will
load that existing cgroup and move all non workload related processes to it.
- Let Kata Containers create the `/kata_overhead` cgroup, leave it
unconstrained or resize it a-posteriori.
If the cgroup provided to Kata is not sized appropriately, instability will be
introduced when fully constraining Kata components, and the user-workload will
see a subset of resources that were requested. Based on this, the default
handling for Kata Containers is to not fully constrain the VMM and Kata
components on the host.
```
+----------------------------------------------------------+
| +---------------------------------------------------+ |
| | +---------------------------------------------+ | |
| | | +--------------------------------------+ | | |
| | | |Container 1 |-|Container 2 | | | |
| | | | |-| | | | |
| | | | Shim+container1 |-| Shim+container2 | | | |
| | | +--------------------------------------+ | | |
| | | | | |
| | |Pod 1 | | |
| | +---------------------------------------------+ | |
| | | |
| | +---------------------------------------------+ | |
| | | +--------------------------------------+ | | |
| | | |Container 1 |-|Container 2 | | | |
| | | | |-| | | | |
| | | | Shim+container1 |-| Shim+container2 | | | |
| | | +--------------------------------------+ | | |
| | | | | |
| | |Pod 2 | | |
| | +---------------------------------------------+ | |
| |kubepods | |
| +---------------------------------------------------+ |
| +---------------------------------------------------+ |
| | Hypervisor | |
| |Kata | |
| +---------------------------------------------------+ |
| |
|Node |
+----------------------------------------------------------+
┌────────────────────────────────────────────────────────────────────┐
│ ┌─────────────────────────────┐ ┌───────────────────────────┐ │
│ │ │ │
┌─────────────────────────┼────┼─────────────────────────┐ │ │
│ │ │ │ │
│ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │ │ │
│ │ vCPU threads │ │ │ │ VMM │ │ │ │
│ │ │ │ │ │ │ │ I/O threads │ │ │ │
│ │ │ │ │ │ │ │ Kata Shim │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ /kata_<sandbox_id> │ │ │ │ /<sandbox_id> │ │ │ │
│ └─────────────────────┘ │ │ └─────────────────────┘ │ │ │
│ │ │ │ │
│ Pod 1 │ │ │ │ │
└─────────────────────────┼────┼─────────────────────────┘ │ │
│ │ │ │
│ │ │ │
┌─────────────────────────┼────┼─────────────────────────┐ │ │
│ │ │ │ │
│ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │ │ │
│ │ vCPU threads │ │ │ │ VMM │ │ │ │
│ │ │ │ │ │ I/O threads │ │ │ │
│ │ │ │ │ │ Kata Shim │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ /kata_<sandbox_id> │ │ │ │ /<sandbox_id> │ │ │ │
│ └─────────────────────┘ │ │ └─────────────────────┘ │ │ │
│ │ │ │ │ │
Pod 2 │ │ │
│ │ └─────────────────────────┼────┼─────────────────────────┘ │ │
│ │ │ │ │ │
│ │ /kubepods │ │ /kata_overhead │ │
│ └─────────────────────────────┘ └───────────────────────────┘ │
│ │
│ │
│ Node │
└────────────────────────────────────────────────────────────────────┘
```
### What does this method do?
### Implementation Details
1. Given a container creation let `containerCgroupHost=container.CgroupsPath`
1. Rename `containerCgroupHost` path to add `kata_`
1. Let `PodCgroupPath=PodSanboxContainerCgroup` where `PodSanboxContainerCgroup` is the cgroup of a container of type `PodSandbox`
1. Limit the `PodCgroupPath` with the sum of all the container limits in the Sandbox
1. Move only vCPU threads of hypervisor to `PodCgroupPath`
1. Per each container, move its `kata-shim` to its own `containerCgroupHost`
1. Move hypervisor and applicable threads to memory cgroup `/kata`
When `sandbox_cgroup_only` is disabled, the Kata Containers shim will create a per pod
sub-cgroup under the pods dedicated cgroup, and another one under the overhead cgroup.
For example, in the Kubernetes context, it will create a `/kata_<PodSandboxID>` under
the `/kubepods` cgroup hierarchy, and a `/<PodSandboxID>` under the `/kata_overhead` one.
_Note_: the Kata Containers runtime will not add all the hypervisor threads to
the cgroup path requested, only vCPUs. These threads are run unconstrained.
On a typical cgroup v1 hierarchy mounted under `/sys/fs/cgroup/`, for a pod which sandbox
ID is `12345678`, create with `sandbox_cgroup_only` disabled, the 2 memory subsystems
for the sandbox cgroup and the overhead cgroup would respectively live under
`/sys/fs/cgroup/memory/kubepods/kata_12345678` and `/sys/fs/cgroup/memory/kata_overhead/12345678`.
This mitigates the risk of the VMM and other threads receiving an out of memory scenario (`OOM`).
Unlike when `sandbox_cgroup_only` is enabled, the Kata Containers shim will move itself
to the overhead cgroup first, and then move the vCPU threads to the sandbox cgroup as
they're created. All Kata processes and threads will run under the overhead cgroup except for
the vCPU threads.
With `sandbox_cgroup_only` disabled, Kata Containers assumes the pod cgroup is only sized
to accommodate for the actual container workloads processes. For Kata, this maps
to the VMM created virtual CPU threads and so they are the only ones running under the pod
cgroup. This mitigates the risk of the VMM, the Kata shim and the I/O threads going through
a catastrophic out of memory scenario (`OOM`).
#### Impact
#### Pros and Cons
If resources are reserved at a system level to account for the overheads of
running sandbox containers, this configuration can be utilized with adequate
stability. In this scenario, non-negligible amounts of CPU and memory will be
utilized unaccounted for on the host.
Running all non vCPU threads under an unconstrained overhead cgroup could lead to workloads
potentially consuming a large amount of host resources.
On the other hand, running all non vCPU threads under a dedicated overhead cgroup can provide
accurate metrics on the actual Kata Container pod overhead, allowing for tuning the overhead
cgroup size and constraints accordingly.
[linux-config]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md
[cgroupspath]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#cgroups-path
# Supported cgroups
Kata Containers supports cgroups `v1` and `v2`. In the following sections each cgroup is
described briefly and what changes are needed in Kata Containers to support it.
Kata Containers currently only supports cgroups `v1`.
In the following sections each cgroup is described briefly.
## Cgroups V1
@@ -259,7 +301,7 @@ diagram:
A process can join a cgroup by writing its process id (`pid`) to `cgroup.procs` file,
or join a cgroup partially by writing the task (thread) id (`tid`) to the `tasks` file.
Kata Containers supports `v1` by default and no change in the configuration file is needed.
Kata Containers only supports `v1`.
To know more about `cgroups v1`, see [cgroupsv1(7)][2].
## Cgroups V2
@@ -312,22 +354,13 @@ Same as `cgroups v1`, a process can join the cgroup by writing its process id (`
`cgroup.procs` file, or join a cgroup partially by writing the task (thread) id (`tid`) to
`cgroup.threads` file.
For backwards compatibility Kata Containers defaults to supporting cgroups v1 by default.
To change this to `v2`, set `sandbox_cgroup_only=true` in the `configuration.toml` file.
To know more about `cgroups v2`, see [cgroupsv2(7)][3].
Kata Containers does not support cgroups `v2` on the host.
### Distro Support
Many Linux distributions do not yet support `cgroups v2`, as it is quite a recent addition.
For more information about the status of this feature see [issue #2494][4].
# Summary
| cgroup option | default? | status | pros | cons | cgroups
|-|-|-|-|-|-|
| `SandboxCgroupOnly=false` | yes | legacy | Easiest to make Kata work | Unaccounted for memory and resource utilization | v1
| `SandboxCgroupOnly=true` | no | recommended | Complete tracking of Kata memory and CPU utilization. In Kubernetes, the Kubelet can fully constrain Kata via the pod cgroup | Requires upper layer orchestrator which sizes sandbox cgroup appropriately | v1, v2
[1]: http://man7.org/linux/man-pages/man5/tmpfs.5.html
[2]: http://man7.org/linux/man-pages/man7/cgroups.7.html#CGROUPS_VERSION_1

30
docs/design/inotify.md Normal file
View File

@@ -0,0 +1,30 @@
# Kata Containers support for `inotify`
## Background on `inotify` usage
A common pattern in Kubernetes is to watch for changes to files/directories passed in as `ConfigMaps`
or `Secrets`. Sidecar's normally use `inotify` to watch for changes and then signal the primary container to reload
the updated configuration. Kata Containers typically will pass these host files into the guest using `virtiofs`, which
does not support `inotify` today. While we work to enable this use case in `virtiofs`, we introduced a workaround in Kata Containers.
This document describes how Kata Containers implements this workaround.
### Detecting a `watchable` mount
Kubernetes creates `secrets` and `ConfigMap` mounts at very specific locations on the host filesystem. For container mounts,
the `Kata Containers` runtime will check the source of the mount to identify these special cases. For these use cases, only a single file
or very few would typically need to be watched. To avoid excessive overheads in making a mount watchable,
we enforce a limit of eight files per mount. If a `secret` or `ConfigMap` mount contains more than 8 files, it will not be
considered watchable. We similarly enforce a limit of 1 MB per mount to be considered watchable. Non-watchable mounts will
continue to propagate changes from the mount on the host to the container workload, but these updates will not trigger an
`inotify` event.
If at any point a mount grows beyond the eight file or 1MB limit, it will no longer be `watchable.`
### Presenting a `watchable` mount to the workload
For mounts that are considered `watchable`, inside the guest, the `kata-agent` will poll the mount presented from
the host through `virtiofs` and copy any changed files to a `tmpfs` mount that is presented to the container. In this way,
for `watchable` mounts, Kata will do the polling on behalf of the workload and existing workloads needn't change their usage
of `inotify`.
![drawing](arch-images/inotify-workaround.png)

View File

@@ -1,36 +1,21 @@
# Kata 2.0 Metrics Design
* [Limitations of Kata 1.x and the target of Kata 2.0](#limitations-of-kata-1x-and-the-target-of-kata-20)
* [Metrics architecture](#metrics-architecture)
* [Kata monitor](#kata-monitor)
* [Kata runtime](#kata-runtime)
* [Kata agent](#kata-agent)
* [Performance and overhead](#performance-and-overhead)
* [Metrics list](#metrics-list)
* [Metric types](#metric-types)
* [Kata agent metrics](#kata-agent-metrics)
* [Firecracker metrics](#firecracker-metrics)
* [Kata guest OS metrics](#kata-guest-os-metrics)
* [Hypervisor metrics](#hypervisor-metrics)
* [Kata monitor metrics](#kata-monitor-metrics)
* [Kata containerd shim v2 metrics](#kata-containerd-shim-v2-metrics)
Kata implements CRI's API and supports [`ContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L101) and [`ListContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L103) interfaces to expose containers metrics. User can use these interfaces to get basic metrics about containers.
Kata implement CRI's API and support [`ContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L101) and [`ListContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L103) interfaces to expose containers metrics. User can use these interface to get basic metrics about container.
Unlike `runc`, Kata is a VM-based runtime and has a different architecture.
But unlike `runc`, Kata is a VM-based runtime and has a different architecture.
## Limitations of Kata 1.x and the target of Kata 2.0
## Limitations of Kata 1.x and target of Kata 2.0
Kata 1.x has a number of limitations related to observability that may be obstacles to running Kata Containers at scale.
In Kata 2.0, the following components will be able to provide more details about the system.
In Kata 2.0, the following components will be able to provide more details about the system:
- containerd shim v2 (effectively `kata-runtime`)
- Hypervisor statistics
- Agent process
- Guest OS statistics
> **Note**: In Kata 1.x, the main user-facing component was the runtime (`kata-runtime`). From 1.5, Kata then introduced the Kata containerd shim v2 (`containerd-shim-kata-v2`) which is essentially a modified runtime that is loaded by containerd to simplify and improve the way VM-based containers are created and managed.
> **Note**: In Kata 1.x, the main user-facing component was the runtime (`kata-runtime`). From 1.5, Kata introduced the Kata containerd shim v2 (`containerd-shim-kata-v2`) which is essentially a modified runtime that is loaded by containerd to simplify and improve the way VM-based containers are created and managed.
>
> For Kata 2.0, the main component is the Kata containerd shim v2, although the deprecated `kata-runtime` binary will be maintained for a period of time.
>
@@ -40,14 +25,15 @@ In Kata 2.0, the following components will be able to provide more details about
Kata 2.0 metrics strongly depend on [Prometheus](https://prometheus.io/), a graduated project from CNCF.
Kata Containers 2.0 introduces a new Kata component called `kata-monitor` which is used to monitor the other Kata components on the host. It's the monitor interface with Kata runtime, and we can do something like these:
Kata Containers 2.0 introduces a new Kata component called `kata-monitor` which is used to monitor the Kata components on the host. It's shipped with the Kata runtime to provide an interface to:
- Get metrics
- Get events
In this document we will cover metrics only. And until now it only supports metrics function.
At present, `kata-monitor` supports retrieval of metrics only: this is what will be covered in this document.
This is the architecture overview metrics in Kata Containers 2.0.
This is the architecture overview of metrics in Kata Containers 2.0:
![Kata Containers 2.0 metrics](arch-images/kata-2-metrics.png)
@@ -60,38 +46,38 @@ For a quick evaluation, you can check out [this how to](../how-to/how-to-set-pro
### Kata monitor
`kata-monitor` is a management agent on one node, where many Kata containers are running. `kata-monitor`'s work include:
The `kata-monitor` management agent should be started on each node where the Kata containers runtime is installed. `kata-monitor` will:
> **Note**: node is a single host system or a node in K8s clusters.
> **Note**: a *node* running Kata containers will be either a single host system or a worker node belonging to a K8s cluster capable of running Kata pods.
- Aggregate sandbox metrics running on this node, and add `sandbox_id` label
- As a Prometheus target, all metrics from Kata shim on this node will be collected by Prometheus indirectly. This can easy the targets count in Prometheus, and also need not to expose shim's metrics by `ip:port`
- Aggregate sandbox metrics running on the node, adding the `sandbox_id` label to them.
- Expose a new Prometheus target, allowing all node metrics coming from the Kata shim to be collected by Prometheus indirectly. This simplifies the targets count in Prometheus and avoids exposing shim's metrics by `ip:port`.
Only one `kata-monitor` process are running on one node.
Only one `kata-monitor` process runs in each node.
`kata-monitor` is using a different communication channel other than that `conatinerd` communicating with Kata shim, and Kata shim listen on a new socket address for communicating with `kata-monitor`.
`kata-monitor` uses a different communication channel than the one used by the container engine (`containerd`/`CRI-O`) to communicate with the Kata shim. The Kata shim exposes a dedicated socket address reserved to `kata-monitor`.
The way `kata-monitor` get shim's metrics socket file(`monitor_address`) like that `containerd` get shim address. The socket is an abstract socket and saved as file `abstract` with the same directory of `address` for `containerd`.
The shim's metrics socket file is created under the virtcontainers sandboxes directory, i.e. `vc/sbs/${PODID}/shim-monitor.sock`.
> **Note**: If there is no Prometheus server is configured, i.e., there is no scrape operations, `kata-monitor` will do nothing initiative.
> **Note**: If there is no Prometheus server configured, i.e., there are no scrape operations, `kata-monitor` will not collect any metrics.
### Kata runtime
Runtime is responsible for:
Kata runtime is responsible for:
- Gather metrics about shim process
- Gather metrics about hypervisor process
- Gather metrics about running sandbox
- Get metrics from Kata agent(through `ttrpc`)
- Get metrics from Kata agent (through `ttrpc`)
### Kata agent
Agent is responsible for:
Kata agent is responsible for:
- Gather agent process metrics
- Gather guest OS metrics
And in Kata 2.0, agent will add a new interface:
In Kata 2.0, the agent adds a new interface:
```protobuf
rpc GetMetrics(GetMetricsRequest) returns (Metrics);
@@ -108,33 +94,49 @@ The `metrics` field is Prometheus encoded content. This can avoid defining a fix
### Performance and overhead
Metrics should not become the bottleneck of system, downgrade the performance, and run with minimal overhead.
Metrics should not become a bottleneck for the system or downgrade the performance: they should run with minimal overhead.
Requirements:
* Metrics **MUST** be quick to collect
* Metrics **MUST** be small.
* Metrics **MUST** be small
* Metrics **MUST** be generated only if there are subscribers to the Kata metrics service
* Metrics **MUST** be stateless
In Kata 2.0, metrics are collected mainly from `/proc` filesystem, and consumed by Prometheus, based on a pull mode, that is mean if there is no Prometheus collector is running, so there will be zero overhead if nobody cares the metrics.
In Kata 2.0, metrics are collected only when needed (pull mode), mainly from the `/proc` filesystem, and consumed by Prometheus. This means that if the Prometheus collector is not running (so no one cares about the metrics) the overhead will be zero.
Metrics service also doesn't hold any metrics in memory.
The metrics service also doesn't hold any metrics in memory.
#### Metrics size ####
|\*|No Sandbox | 1 Sandbox | 2 Sandboxes |
|---|---|---|---|
|Metrics count| 39 | 106 | 173 |
|Metrics size(bytes)| 9K | 144K | 283K |
|Metrics size(`gzipped`, bytes)| 2K | 10K | 17K |
|Metrics size (bytes)| 9K | 144K | 283K |
|Metrics size (`gzipped`, bytes)| 2K | 10K | 17K |
*Metrics size*: Response size of one Prometheus scrape request.
*Metrics size*: response size of one Prometheus scrape request.
It's easy to estimated that if there are 10 sandboxes running in the host, the size of one metrics fetch request issued by Prometheus will be about to 9 + (144 - 9) * 10 = 1.35M (not `gzipped`) or 2 + (10 - 2) * 10 = 82K (`gzipped`). Of course Prometheus support `gzip` compression, that can reduce the response size of every request.
It's easy to estimate the size of one metrics fetch request issued by Prometheus.
The formula to calculate the expected size when no gzip compression is in place is:
9 + (144 - 9) * `number of kata sandboxes`
Prometheus supports `gzip compression`. When enabled, the response size of each request will be smaller:
2 + (10 - 2) * `number of kata sandboxes`
**Example**
We have 10 sandboxes running on a node. The expected size of one metrics fetch request issued by Prometheus against the kata-monitor agent running on that node will be:
9 + (144 - 9) * 10 = **1.35M**
If `gzip compression` is enabled:
2 + (10 - 2) * 10 = **82K**
#### Metrics delay ####
And here is some test data:
- End-to-end (from Prometheus server to `kata-monitor` and `kata-monitor` write response back): 20ms(avg)
- Agent(RPC all from shim to agent): 3ms(avg)
- End-to-end (from Prometheus server to `kata-monitor` and `kata-monitor` write response back): **20ms**(avg)
- Agent (RPC all from shim to agent): **3ms**(avg)
Test infrastructure:
@@ -143,13 +145,13 @@ Test infrastructure:
**Scrape interval**
Prometheus default `scrape_interval` is 1 minute, and usually it is set to 15s. Small `scrape_interval` will cause more overhead, so user should set it on monitor demand.
Prometheus default `scrape_interval` is 1 minute, but it is usually set to 15 seconds. A smaller `scrape_interval` causes more overhead, so users should set it depending on their monitoring needs.
## Metrics list
Here listed is all supported metrics by Kata 2.0. Some metrics is dependent on guest kernels in the VM, so there may be some different by your environment.
Here are listed all the metrics supported by Kata 2.0. Some metrics are dependent on the VM guest kernel, so the available ones may differ based on the environment.
Metrics is categorized by component where metrics are collected from and for.
Metrics are categorized by the component from/for which the metrics are collected.
* [Metric types](#metric-types)
* [Kata agent metrics](#kata-agent-metrics)
@@ -160,15 +162,15 @@ Metrics is categorized by component where metrics are collected from and for.
* [Kata containerd shim v2 metrics](#kata-containerd-shim-v2-metrics)
> **Note**:
> * Labels here are not include `instance` and `job` labels that added by Prometheus.
> * Labels here do not include the `instance` and `job` labels added by Prometheus.
> * Notes about metrics unit
> * `Kibibytes`, abbreviated `KiB`. 1 `KiB` equals 1024 B.
> * For some metrics (like network devices statistics from file `/proc/net/dev`), unit is depend on label( for example `recv_bytes` and `recv_packets` are having different units).
> * Most of these metrics is collected from `/proc` filesystem, so the unit of metrics are keeping the same unit as `/proc`. See the `proc(5)` manual page for further details.
> * For some metrics (like network devices statistics from file `/proc/net/dev`), unit depends on label( for example `recv_bytes` and `recv_packets` have different units).
> * Most of these metrics are collected from the `/proc` filesystem, so the unit of each metric matches the unit of the relevant `/proc` entry. See the `proc(5)` manual page for further details.
### Metric types
Prometheus offer four core metric types.
Prometheus offers four core metric types.
- Counter: A counter is a cumulative metric that represents a single monotonically increasing counter whose value can only increase.
@@ -222,7 +224,7 @@ Metrics for Firecracker vmm.
| `kata_firecracker_uart`: <br> Metrics specific to the UART device. | `GAUGE` | | <ul><li>`item`<ul><li>`error_count`</li><li>`flush_count`</li><li>`missed_read_count`</li><li>`missed_write_count`</li><li>`read_count`</li><li>`write_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vcpu`: <br> Metrics specific to VCPUs' mode of functioning. | `GAUGE` | | <ul><li>`item`<ul><li>`exit_io_in`</li><li>`exit_io_out`</li><li>`exit_mmio_read`</li><li>`exit_mmio_write`</li><li>`failures`</li><li>`filter_cpuid`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vmm`: <br> Metrics specific to the machine manager as a whole. | `GAUGE` | | <ul><li>`item`<ul><li>`device_events`</li><li>`panic_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vsock`: <br> Vsock-related metrics. | `GAUGE` | | <ul><li>`item`<ul><li>`activate_fails`</li><li>`cfg_fails`</li><li>`conn_event_fails`</li><li>`conns_added`</li><li>`conns_killed`</li><li>`conns_removed`</li><li>`ev_queue_event_fails`</li><li>`killq_resync`</li><li>`muxer_event_fails`</li><li>`rx_bytes_count`</li><li>`rx_packets_count`</li><li>`rx_queue_event_count`</li><li>`rx_queue_event_fails`</li><li>`rx_read_fails`</li><li>`tx_bytes_count`</li><li>`tx_flush_fails`</li><li>`tx_packets_count`</li><li>`tx_queue_event_count`</li><li>`tx_queue_event_fails`</li><li>`tx_write_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_firecracker_vsock`: <br> VSOCK-related metrics. | `GAUGE` | | <ul><li>`item`<ul><li>`activate_fails`</li><li>`cfg_fails`</li><li>`conn_event_fails`</li><li>`conns_added`</li><li>`conns_killed`</li><li>`conns_removed`</li><li>`ev_queue_event_fails`</li><li>`killq_resync`</li><li>`muxer_event_fails`</li><li>`rx_bytes_count`</li><li>`rx_packets_count`</li><li>`rx_queue_event_count`</li><li>`rx_queue_event_fails`</li><li>`rx_read_fails`</li><li>`tx_bytes_count`</li><li>`tx_flush_fails`</li><li>`tx_packets_count`</li><li>`tx_queue_event_count`</li><li>`tx_queue_event_fails`</li><li>`tx_write_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
### Kata guest OS metrics
@@ -303,7 +305,7 @@ Metrics about Kata containerd shim v2 process.
| Metric name | Type | Units | Labels | Introduced in Kata version |
|---|---|---|---|---|
| `kata_shim_agent_rpc_durations_histogram_milliseconds`: <br> RPC latency distributions. | `HISTOGRAM` | `milliseconds` | <ul><li>`action` (RPC actions of Kata agent)<ul><li>`grpc.CheckRequest`</li><li>`grpc.CloseStdinRequest`</li><li>`grpc.CopyFileRequest`</li><li>`grpc.CreateContainerRequest`</li><li>`grpc.CreateSandboxRequest`</li><li>`grpc.DestroySandboxRequest`</li><li>`grpc.ExecProcessRequest`</li><li>`grpc.GetMetricsRequest`</li><li>`grpc.GuestDetailsRequest`</li><li>`grpc.ListInterfacesRequest`</li><li>`grpc.ListProcessesRequest`</li><li>`grpc.ListRoutesRequest`</li><li>`grpc.MemHotplugByProbeRequest`</li><li>`grpc.OnlineCPUMemRequest`</li><li>`grpc.PauseContainerRequest`</li><li>`grpc.RemoveContainerRequest`</li><li>`grpc.ReseedRandomDevRequest`</li><li>`grpc.ResumeContainerRequest`</li><li>`grpc.SetGuestDateTimeRequest`</li><li>`grpc.SignalProcessRequest`</li><li>`grpc.StartContainerRequest`</li><li>`grpc.StartTracingRequest`</li><li>`grpc.StatsContainerRequest`</li><li>`grpc.StopTracingRequest`</li><li>`grpc.TtyWinResizeRequest`</li><li>`grpc.UpdateContainerRequest`</li><li>`grpc.UpdateInterfaceRequest`</li><li>`grpc.UpdateRoutesRequest`</li><li>`grpc.WaitProcessRequest`</li><li>`grpc.WriteStreamRequest`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_agent_rpc_durations_histogram_milliseconds`: <br> RPC latency distributions. | `HISTOGRAM` | `milliseconds` | <ul><li>`action` (RPC actions of Kata agent)<ul><li>`grpc.CheckRequest`</li><li>`grpc.CloseStdinRequest`</li><li>`grpc.CopyFileRequest`</li><li>`grpc.CreateContainerRequest`</li><li>`grpc.CreateSandboxRequest`</li><li>`grpc.DestroySandboxRequest`</li><li>`grpc.ExecProcessRequest`</li><li>`grpc.GetMetricsRequest`</li><li>`grpc.GuestDetailsRequest`</li><li>`grpc.ListInterfacesRequest`</li><li>`grpc.ListProcessesRequest`</li><li>`grpc.ListRoutesRequest`</li><li>`grpc.MemHotplugByProbeRequest`</li><li>`grpc.OnlineCPUMemRequest`</li><li>`grpc.PauseContainerRequest`</li><li>`grpc.RemoveContainerRequest`</li><li>`grpc.ReseedRandomDevRequest`</li><li>`grpc.ResumeContainerRequest`</li><li>`grpc.SetGuestDateTimeRequest`</li><li>`grpc.SignalProcessRequest`</li><li>`grpc.StartContainerRequest`</li><li>`grpc.StatsContainerRequest`</li><li>`grpc.TtyWinResizeRequest`</li><li>`grpc.UpdateContainerRequest`</li><li>`grpc.UpdateInterfaceRequest`</li><li>`grpc.UpdateRoutesRequest`</li><li>`grpc.WaitProcessRequest`</li><li>`grpc.WriteStreamRequest`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_fds`: <br> Kata containerd shim v2 open FDs. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_gc_duration_seconds`: <br> A summary of the pause duration of garbage collection cycles. | `SUMMARY` | `seconds` | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |
| `kata_shim_go_goroutines`: <br> Number of goroutines that currently exist. | `GAUGE` | | <ul><li>`sandbox_id`</li></ul> | 2.0.0 |

View File

@@ -1,4 +1,5 @@
# Kata API Design
To fulfill the [Kata design requirements](kata-design-requirements.md), and based on the discussion on [Virtcontainers API extensions](https://docs.google.com/presentation/d/1dbGrD1h9cpuqAPooiEgtiwWDGCYhVPdatq7owsKHDEQ), the Kata runtime library features the following APIs:
- Sandbox based top API
- Storage and network hotplug API

View File

@@ -30,7 +30,7 @@ The Kata Containers runtime **MUST** implement the following command line option
The Kata Containers project **MUST** provide two interfaces for CRI shims to manage hardware
virtualization based Kubernetes pods and containers:
- An OCI and `runc` compatible command line interface, as described in the previous section.
This interface is used by implementations such as [`CRI-O`](http://cri-o.io) and [`cri-containerd`](https://github.com/containerd/cri-containerd), for example.
This interface is used by implementations such as [`CRI-O`](http://cri-o.io) and [`containerd`](https://github.com/containerd/containerd), for example.
- A hardware virtualization runtime library API for CRI shims to consume and provide a more
CRI native implementation. The [`frakti`](https://github.com/kubernetes/frakti) CRI shim is an example of such a consumer.

View File

@@ -0,0 +1,5 @@
# Design proposals
Kata Containers design proposal documents:
- [Kata Containers tracing](tracing-proposals.md)

View File

@@ -0,0 +1,213 @@
# Kata Tracing proposals
## Overview
This document summarises a set of proposals triggered by the
[tracing documentation PR][tracing-doc-pr].
## Required context
This section explains some terminology required to understand the proposals.
Further details can be found in the
[tracing documentation PR][tracing-doc-pr].
### Agent trace mode terminology
| Trace mode | Description | Use-case |
|-|-|-|
| Static | Trace agent from startup to shutdown | Entire lifespan |
| Dynamic | Toggle tracing on/off as desired | On-demand "snapshot" |
### Agent trace type terminology
| Trace type | Description | Use-case |
|-|-|-|
| isolated | traces all relate to single component | Observing lifespan |
| collated | traces "grouped" (runtime+agent) | Understanding component interaction |
### Container lifespan
| Lifespan | trace mode | trace type |
|-|-|-|
| short-lived | static | collated if possible, else isolated? |
| long-running | dynamic | collated? (to see interactions) |
## Original plan for agent
- Implement all trace types and trace modes for agent.
- Why?
- Maximum flexibility.
> **Counterargument:**
>
> Due to the intrusive nature of adding tracing, we have
> learnt that landing small incremental changes is simpler and quicker!
- Compatibility with [Kata 1.x tracing][kata-1x-tracing].
> **Counterargument:**
>
> Agent tracing in Kata 1.x was extremely awkward to setup (to the extent
> that it's unclear how many users actually used it!)
>
> This point, coupled with the new architecture for Kata 2.x, suggests
> that we may not need to supply the same set of tracing features (in fact
> they may not make sense)).
## Agent tracing proposals
### Agent tracing proposal 1: Don't implement dynamic trace mode
- All tracing will be static.
- Why?
- Because dynamic tracing will always be "partial"
> In fact, not only would it be only a "snapshot" of activity, it may not
> even be possible to create a complete "trace transaction". If this is
> true, the trace output would be partial and would appear "unstructured".
### Agent tracing proposal 2: Simplify handling of trace type
- Agent tracing will be "isolated" by default.
- Agent tracing will be "collated" if runtime tracing is also enabled.
- Why?
- Offers a graceful fallback for agent tracing if runtime tracing disabled.
- Simpler code!
## Questions to ask yourself (part 1)
- Are your containers long-running or short-lived?
- Would you ever need to turn on tracing "briefly"?
- If "yes", is a "partial trace" useful or useless?
> Likely to be considered useless as it is a partial snapshot.
> Alternative tracing methods may be more appropriate to dynamic
> OpenTelemetry tracing.
## Questions to ask yourself (part 2)
- Are you happy to stop a container to enable tracing?
If "no", dynamic tracing may be required.
- Would you ever want to trace the agent and the runtime "in isolation" at the
same time?
- If "yes", we need to fully implement `trace_mode=isolated`
> This seems unlikely though.
## Trace collection
The second set of proposals affect the way traces are collected.
### Motivation
Currently:
- The runtime sends trace spans to Jaeger directly.
- The agent will send trace spans to the [`trace-forwarder`][trace-forwarder] component.
- The trace forwarder will send trace spans to Jaeger.
Kata agent tracing overview:
```
+-------------------------------------------+
| Host |
| |
| +-----------+ |
| | Trace | |
| | Collector | |
| +-----+-----+ |
| ^ +--------------+ |
| | spans | Kata VM | |
| +-----+-----+ | | |
| | Kata | spans | +-----+ | |
| | Trace |<-----------------|Kata | | |
| | Forwarder | VSOCK | |Agent| | |
| +-----------+ Channel | +-----+ | |
| +--------------+ |
+-------------------------------------------+
```
Currently:
- If agent tracing is enabled but the trace forwarder is not running,
the agent will error.
- If the trace forwarder is started but Jaeger is not running,
the trace forwarder will error.
### Goals
- The runtime and agent should:
- Use the same trace collection implementation.
- Use the most the common configuration items.
- Kata should should support more trace collection software or `SaaS`
(for example `Zipkin`, `datadog`).
- Trace collection should not block normal runtime/agent operations
(for example if `vsock-exporter`/Jaeger is not running, Kata Containers should work normally).
### Trace collection proposals
#### Trace collection proposal 1: Send all spans to the trace forwarder as a span proxy
Kata runtime/agent all send spans to trace forwarder, and the trace forwarder,
acting as a tracing proxy, sends all spans to a tracing back-end, such as Jaeger or `datadog`.
**Pros:**
- Runtime/agent will be simple.
- Could update trace collection target while Kata Containers are running.
**Cons:**
- Requires the trace forwarder component to be running (that is a pressure to operation).
#### Trace collection proposal 2: Send spans to collector directly from runtime/agent
Send spans to collector directly from runtime/agent, this proposal need
network accessible to the collector.
**Pros:**
- No additional trace forwarder component needed.
**Cons:**
- Need more code/configuration to support all trace collectors.
## Future work
- We could add dynamic and fully isolated tracing at a later stage,
if required.
## Further details
- See the new [GitHub project](https://github.com/orgs/kata-containers/projects/28).
- [kata-containers-tracing-status](https://gist.github.com/jodh-intel/0ee54d41d2a803ba761e166136b42277) gist.
- [tracing documentation PR][tracing-doc-pr].
## Summary
### Time line
- 2021-07-01: A summary of the discussion was
[posted to the mail list](http://lists.katacontainers.io/pipermail/kata-dev/2021-July/001996.html).
- 2021-06-22: These proposals were
[discussed in the Kata Architecture Committee meeting](https://etherpad.opendev.org/p/Kata_Containers_2021_Architecture_Committee_Mtgs).
- 2021-06-18: These proposals where
[announced on the mailing list](http://lists.katacontainers.io/pipermail/kata-dev/2021-June/001980.html).
### Outcome
- Nobody opposed the agent proposals, so they are being implemented.
- The trace collection proposals are still being considered.
[kata-1x-tracing]: https://github.com/kata-containers/agent/blob/master/TRACING.md
[trace-forwarder]: /src/trace-forwarder
[tracing-doc-pr]: https://github.com/kata-containers/kata-containers/pull/1937

View File

@@ -1,11 +1,3 @@
- [Virtual machine vCPU sizing in Kata Containers](#virtual-machine-vcpu-sizing-in-kata-containers)
* [Default number of virtual CPUs](#default-number-of-virtual-cpus)
* [Virtual CPUs and Kubernetes pods](#virtual-cpus-and-kubernetes-pods)
* [Container lifecycle](#container-lifecycle)
* [Container without CPU constraint](#container-without-cpu-constraint)
* [Container with CPU constraint](#container-with-cpu-constraint)
* [Do not waste resources](#do-not-waste-resources)
# Virtual machine vCPU sizing in Kata Containers
## Default number of virtual CPUs

View File

@@ -1,16 +1,5 @@
# Virtualization in Kata Containers
- [Virtualization in Kata Containers](#virtualization-in-kata-containers)
- [Mapping container concepts to virtual machine technologies](#mapping-container-concepts-to-virtual-machine-technologies)
- [Kata Containers Hypervisor and VMM support](#kata-containers-hypervisor-and-vmm-support)
- [QEMU/KVM](#qemukvm)
- [Machine accelerators](#machine-accelerators)
- [Hotplug devices](#hotplug-devices)
- [Firecracker/KVM](#firecrackerkvm)
- [Cloud Hypervisor/KVM](#cloud-hypervisorkvm)
- [Summary](#summary)
Kata Containers, a second layer of isolation is created on top of those provided by traditional namespace-containers. The
hardware virtualization interface is the basis of this additional layer. Kata will launch a lightweight virtual machine,
and use the guests Linux kernel to create a container workload, or workloads in the case of multi-container pods. In Kubernetes

View File

@@ -1,15 +1,11 @@
# Howto Guides
* [Howto Guides](#howto-guides)
* [Kubernetes Integration](#kubernetes-integration)
* [Hypervisors Integration](#hypervisors-integration)
* [Advanced Topics](#advanced-topics)
## Kubernetes Integration
- [Run Kata containers with `crictl`](run-kata-with-crictl.md)
- [Run Kata Containers with Kubernetes](run-kata-with-k8s.md)
- [How to use Kata Containers and Containerd](containerd-kata.md)
- [How to use Kata Containers and CRI (containerd plugin) with Kubernetes](how-to-use-k8s-with-cri-containerd-and-kata.md)
- [How to use Kata Containers and CRI (containerd) with Kubernetes](how-to-use-k8s-with-cri-containerd-and-kata.md)
- [Kata Containers and service mesh for Kubernetes](service-mesh.md)
- [How to import Kata Containers logs into Fluentd](how-to-import-kata-logs-with-fluentd.md)
@@ -21,13 +17,13 @@
- `firecracker`
- `ACRN`
While `qemu` and `cloud-hypervisor` work out of the box with installation of Kata,
some additional configuration is needed in case of `firecracker` and `ACRN`.
While `qemu` , `cloud-hypervisor` and `firecracker` work out of the box with installation of Kata,
some additional configuration is needed in case of `ACRN`.
Refer to the following guides for additional configuration steps:
- [Kata Containers with Firecracker](https://github.com/kata-containers/documentation/wiki/Initial-release-of-Kata-Containers-with-Firecracker-support)
- [Kata Containers with ACRN Hypervisor](how-to-use-kata-containers-with-acrn.md)
## Advanced Topics
- [How to use Kata Containers with virtio-fs](how-to-use-virtio-fs-with-kata.md)
- [Setting Sysctls with Kata](how-to-use-sysctls-with-kata.md)
- [What Is VMCache and How To Enable It](what-is-vm-cache-and-how-do-I-use-it.md)
@@ -37,3 +33,6 @@
- [How to use Kata Containers with `virtio-mem`](how-to-use-virtio-mem-with-kata.md)
- [How to set sandbox Kata Containers configurations with pod annotations](how-to-set-sandbox-config-kata.md)
- [How to monitor Kata Containers in K8s](how-to-set-prometheus-in-k8s.md)
- [How to use hotplug memory on arm64 in Kata Containers](how-to-hotplug-memory-arm64.md)
- [How to setup swap devices in guest kernel](how-to-setup-swap-devices-in-guest-kernel.md)
- [How to run rootless vmm](how-to-run-rootless-vmm.md)

View File

@@ -1,23 +1,5 @@
# How to use Kata Containers and Containerd
- [Concepts](#concepts)
- [Kubernetes `RuntimeClass`](#kubernetes-runtimeclass)
- [Containerd Runtime V2 API: Shim V2 API](#containerd-runtime-v2-api-shim-v2-api)
- [Install](#install)
- [Install Kata Containers](#install-kata-containers)
- [Install containerd with CRI plugin](#install-containerd-with-cri-plugin)
- [Install CNI plugins](#install-cni-plugins)
- [Install `cri-tools`](#install-cri-tools)
- [Configuration](#configuration)
- [Configure containerd to use Kata Containers](#configure-containerd-to-use-kata-containers)
- [Kata Containers as a `RuntimeClass`](#kata-containers-as-a-runtimeclass)
- [Kata Containers as the runtime for untrusted workload](#kata-containers-as-the-runtime-for-untrusted-workload)
- [Kata Containers as the default runtime](#kata-containers-as-the-default-runtime)
- [Configuration for `cri-tools`](#configuration-for-cri-tools)
- [Run](#run)
- [Launch containers with `ctr` command line](#launch-containers-with-ctr-command-line)
- [Launch Pods with `crictl` command line](#launch-pods-with-crictl-command-line)
This document covers the installation and configuration of [containerd](https://containerd.io/)
and [Kata Containers](https://katacontainers.io). The containerd provides not only the `ctr`
command line tool, but also the [CRI](https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/)
@@ -57,7 +39,7 @@ use `RuntimeClass` instead of the deprecated annotations.
### Containerd Runtime V2 API: Shim V2 API
The [`containerd-shim-kata-v2` (short as `shimv2` in this documentation)](../../src/runtime/containerd-shim-v2)
The [`containerd-shim-kata-v2` (short as `shimv2` in this documentation)](../../src/runtime/cmd/containerd-shim-kata-v2/)
implements the [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2) for Kata.
With `shimv2`, Kubernetes can launch Pod and OCI-compatible containers with one shim per Pod. Prior to `shimv2`, `2N+1`
shims (i.e. a `containerd-shim` and a `kata-shim` for each container and the Pod sandbox itself) and no standalone `kata-proxy`

View File

@@ -26,7 +26,7 @@ spec:
hostNetwork: true
containers:
- name: kata-monitor
image: docker.io/katadocker/kata-monitor:2.0.0
image: quay.io/kata-containers/kata-monitor:2.0.0
args:
- -log-level=debug
ports:

View File

@@ -0,0 +1,28 @@
# How to use memory hotplug feature in Kata Containers on arm64
## Introduction
Memory hotplug is a key feature for containers to allocate memory dynamically in deployment.
As Kata Container bases on VM, this feature needs support both from VMM and guest kernel. Luckily, it has been fully supported for the current default version of QEMU and guest kernel used by Kata on arm64. For other VMMs, e.g, Cloud Hypervisor, the enablement work is on the road. Apart from VMM and guest kernel, memory hotplug also depends on ACPI which depends on firmware either. On x86, you can boot a VM using QEMU with ACPI enabled directly, because it boots up with firmware implicitly. For arm64, however, you need specify firmware explicitly. That is to say, if you are ready to run a normal Kata Container on arm64, what you need extra to do is to install the UEFI ROM before use the memory hotplug feature.
## Install UEFI ROM
We have offered a helper script for you to install the UEFI ROM. If you have installed Kata normally on your host, you just need to run the script as fellows:
```bash
$ pushd $GOPATH/src/github.com/kata-containers/tests
$ sudo .ci/aarch64/install_rom_aarch64.sh
$ popd
```
## Run for test
Let's test if the memory hotplug is ready for Kata after install the UEFI ROM. Make sure containerd is ready to run Kata before test.
```bash
$ sudo ctr image pull docker.io/library/ubuntu:latest
$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/ubuntu:latest hello sh -c "free -h"
$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --memory-limit 536870912 --rm docker.io/library/ubuntu:latest hello sh -c "free -h"
```
Compare the results between the two tests. If the latter is 0.5G larger than the former, you have done what you want, and congratulation!

View File

@@ -1,20 +1,5 @@
# Importing Kata Containers logs with Fluentd
* [Introduction](#introduction)
* [Overview](#overview)
* [Test stack](#test-stack)
* [Importing the logs](#importing-the-logs)
* [Direct import `logfmt` from `systemd`](#direct-import-logfmt-from-systemd)
* [Configuring `minikube`](#configuring-minikube)
* [Pull from `systemd`](#pull-from-systemd)
* [Systemd Summary](#systemd-summary)
* [Directly importing JSON](#directly-importing-json)
* [JSON in files](#json-in-files)
* [Prefixing all keys](#prefixing-all-keys)
* [Kata `shimv2`](#kata-shimv2)
* [Caveats](#caveats)
* [Summary](#summary)
# Introduction
This document describes how to import Kata Containers logs into [Fluentd](https://www.fluentd.org/),
@@ -143,7 +128,7 @@ YAML can be found
tag kata-containers
path /run/log/journal
pos_file /run/log/journal/kata-journald.pos
filters [{"SYSLOG_IDENTIFIER": "kata-runtime"}, {"SYSLOG_IDENTIFIER": "kata-proxy"}, {"SYSLOG_IDENTIFIER": "kata-shim"}]
filters [{"SYSLOG_IDENTIFIER": "kata-runtime"}, {"SYSLOG_IDENTIFIER": "kata-shim"}]
read_from_head true
</source>
```
@@ -161,7 +146,7 @@ generate some Kata specific log entries:
```bash
$ minikube addons open efk
$ cd $GOPATH/src/github.com/kata-containers/packaging/kata-deploy
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl apply -f examples/nginx-deployment-qemu.yaml
```
@@ -178,7 +163,7 @@ sub-filter on, for instance, the `SYSLOG_IDENTIFIER` to differentiate the Kata c
on the `PRIORITY` to filter out critical issues etc.
Kata generates a significant amount of Kata specific information, which can be seen as
[`logfmt`](https://github.com/kata-containers/tests/tree/master/cmd/log-parser#logfile-requirements).
[`logfmt`](https://github.com/kata-containers/tests/tree/main/cmd/log-parser#logfile-requirements).
data contained in the `MESSAGE` field. Imported as-is, there is no easy way to filter on that data
in Kibana:
@@ -272,9 +257,8 @@ go directly to a full Kata specific JSON format logfile test.
Kata runtime has the ability to generate JSON logs directly, rather than its default `logfmt` format. Passing
the `--log-format=json` argument to the Kata runtime enables this. The easiest way to pass in this extra
parameter from a [Kata deploy](https://github.com/kata-containers/packaging/tree/master/kata-deploy) installation
is to edit the `/opt/kata/bin/kata-qemu` shell script (generated by the
[Kata packaging release scripts](https://github.com/kata-containers/packaging/blob/master/release/kata-deploy-binaries.sh)).
parameter from a [Kata deploy](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy) installation
is to edit the `/opt/kata/bin/kata-qemu` shell script.
At the same time, we will add the `--log=/var/log/kata-runtime.log` argument to store the Kata logs in their
own file (rather than into the system journal).

View File

@@ -0,0 +1,33 @@
## Introduction
To improve security, Kata Container supports running the VMM process (currently only QEMU) as a non-`root` user.
This document describes how to enable the rootless VMM mode and its limitations.
## Pre-requisites
The permission and ownership of the `kvm` device node (`/dev/kvm`) need to be configured to:
```
$ crw-rw---- 1 root kvm
```
use the following commands:
```
$ sudo groupadd kvm -r
$ sudo chown root:kvm /dev/kvm
$ sudo chmod 660 /dev/kvm
```
## Configure rootless VMM
By default, the VMM process still runs as the root user. There are two ways to enable rootless VMM:
1. Set the `rootless` flag to `true` in the hypervisor section of `configuration.toml`.
2. Set the Kubernetes annotation `io.katacontainers.hypervisor.rootless` to `true`.
## Implementation details
When `rootless` flag is enabled, upon a request to create a Pod, Kata Containers runtime creates a random user and group (e.g. `kata-123`), and uses them to start the hypervisor process.
The `kvm` group is also given to the hypervisor process as a supplemental group to give the hypervisor process access to the `/dev/kvm` device.
Another necessary change is to move the hypervisor runtime files (e.g. `vhost-fs.sock`, `qmp.sock`) to a directory (under `/run/user/[uid]/`) where only the non-root hypervisor has access to.
## Limitations
1. Only the VMM process is running as a non-root user. Other processes such as Kata Container shimv2 and `virtiofsd` still run as the root user.
2. Currently, this feature is only supported in QEMU. Still need to bring it to Firecracker and Cloud Hypervisor (see https://github.com/kata-containers/kata-containers/issues/2567).
3. Certain features will not work when rootless VMM is enabled, including:
1. Passing devices to the guest (`virtio-blk`, `virtio-scsi`) will not work if the non-privileged user does not have permission to access it (leading to a permission denied error). A more permissive permission (e.g. 666) may overcome this issue. However, you need to be aware of the potential security implications of reducing the security on such devices.
2. `vfio` device will also not work because of permission denied error.

View File

@@ -2,14 +2,6 @@
This document describes how to run `kata-monitor` in a Kubernetes cluster using Prometheus's service discovery to scrape metrics from `kata-agent`.
- [Introduction](#introduction)
- [Pre-requisites](#pre-requisites)
- [Configure Prometheus](#configure-prometheus)
- [Configure `kata-monitor`](#configure-kata-monitor)
- [Setup Grafana](#setup-grafana)
* [Create `datasource`](#create-datasource)
* [Import dashboard](#import-dashboard)
> **Warning**: This how-to is only for evaluation purpose, you **SHOULD NOT** running it in production using this configurations.
## Introduction

View File

@@ -26,6 +26,7 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.runtime.disable_new_netns` | `boolean` | determines if a new netns is created for the hypervisor process |
| `io.katacontainers.config.runtime.internetworking_model` | string| determines how the VM should be connected to the container network interface. Valid values are `macvtap`, `tcfilter` and `none` |
| `io.katacontainers.config.runtime.sandbox_cgroup_only`| `boolean` | determines if Kata processes are managed only in sandbox cgroup |
| `io.katacontainers.config.runtime.enable_pprof` | `boolean` | enables Golang `pprof` for `containerd-shim-kata-v2` process |
## Agent Options
| Key | Value Type | Comments |
@@ -33,8 +34,6 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent |
| `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers |
| `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` |
| `io.katacontainers.config.agent.trace_mode` | string | the trace mode for the agent |
| `io.katacontainers.config.agent.trace_type` | string | the trace type for the agent |
## Hypervisor Options
| Key | Value Type | Comments |
@@ -78,7 +77,7 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.hypervisor.kernel` | string | the kernel used to boot the container VM |
| `io.katacontainers.config.hypervisor.machine_accelerators` | string | machine specific accelerators for the hypervisor |
| `io.katacontainers.config.hypervisor.machine_type` | string | the type of machine being emulated by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_offset` | uint32| the memory space used for `nvdimm` device by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_offset` | uint64| the memory space used for `nvdimm` device by the hypervisor |
| `io.katacontainers.config.hypervisor.memory_slots` | uint32| the memory slots assigned to the VM by the hypervisor |
| `io.katacontainers.config.hypervisor.msize_9p` | uint32 | the `msize` for 9p shares |
| `io.katacontainers.config.hypervisor.path` | string | the hypervisor that will run the container VM |
@@ -90,6 +89,13 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.hypervisor.virtio_fs_cache` | string | the cache mode for virtio-fs, valid values are `always`, `auto` and `none` |
| `io.katacontainers.config.hypervisor.virtio_fs_daemon` | string | virtio-fs `vhost-user` daemon path |
| `io.katacontainers.config.hypervisor.virtio_fs_extra_args` | string | extra options passed to `virtiofs` daemon |
| `io.katacontainers.config.hypervisor.enable_guest_swap` | `boolean` | enable swap in the guest |
## Container Options
| Key | Value Type | Comments |
|-------| ----- | ----- |
| `io.katacontainers.container.resource.swappiness"` | `uint64` | specify the `Resources.Memory.Swappiness` |
| `io.katacontainers.container.resource.swap_in_bytes"` | `uint64` | specify the `Resources.Memory.Swap` |
# CRI-O Configuration
@@ -99,11 +105,12 @@ In case of CRI-O, all annotations specified in the pod spec are passed down to K
For containerd, annotations specified in the pod spec are passed down to Kata
starting with version `1.3.0` of containerd. Additionally, extra configuration is
needed for containerd, by providing a `pod_annotations` field in the containerd config
file. The `pod_annotations` field is a list of annotations that can be passed down to
Kata as OCI annotations. It supports golang match patterns. Since annotations supported
by Kata follow the pattern `io.katacontainers.*`, the following configuration would work
for passing annotations to Kata from containerd:
needed for containerd, by providing `pod_annotations` field and
`container_annotations` field in the containerd config
file. The `pod_annotations` field and `container_annotations` field are two lists of
annotations that can be passed down to Kata as OCI annotations. They support golang match
patterns. Since annotations supported by Kata follow the pattern `io.katacontainers.*`,
the following configuration would work for passing annotations to Kata from containerd:
```
$ cat /etc/containerd/config
@@ -112,6 +119,7 @@ $ cat /etc/containerd/config
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
pod_annotations = ["io.katacontainers.*"]
container_annotations = ["io.katacontainers.*"]
....
```

View File

@@ -0,0 +1,59 @@
# Setup swap device in guest kernel
## Introduction
Setup swap device in guest kernel can help to increase memory capacity, handle some memory issues and increase file access speed sometimes.
Kata Containers can insert a raw file to the guest as the swap device.
## Requisites
The swap config of the containers should be set by [annotations](how-to-set-sandbox-config-kata.md#container-options). So [extra configuration is needed for containerd](how-to-set-sandbox-config-kata.md#containerd-configuration).
Kata Containers just supports setup swap device in guest kernel with QEMU.
Install and setup Kata Containers as shown [here](../install/README.md).
Enable setup swap device in guest kernel as follows:
```
$ sudo sed -i -e 's/^#enable_guest_swap.*$/enable_guest_swap = true/g' /etc/kata-containers/configuration.toml
```
## Run a Kata Container utilizing swap device
Use following command to start a Kata Container with swappiness 60 and 1GB swap device (swap_in_bytes - memory_limit_in_bytes).
```
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
name: busybox-test-swap
annotations:
io.katacontainers.container.resource.swappiness: "60"
io.katacontainers.container.resource.swap_in_bytes: "2147483648"
linux:
resources:
memory_limit_in_bytes: 1073741824
image:
image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
```
Kata Container setups swap device for this container only when `io.katacontainers.container.resource.swappiness` is set.
The following table shows the swap size how to decide if `io.katacontainers.container.resource.swappiness` is set.
|`io.katacontainers.container.resource.swap_in_bytes`|`memory_limit_in_bytes`|swap size|
|---|---|---|
|set|set| `io.katacontainers.container.resource.swap_in_bytes` - `memory_limit_in_bytes`|
|not set|set| `memory_limit_in_bytes`|
|not set|not set| `io.katacontainers.config.hypervisor.default_memory`|
|set|not set|cgroup doesn't support this usage|

View File

@@ -1,22 +1,9 @@
# How to use Kata Containers and CRI (containerd plugin) with Kubernetes
* [Requirements](#requirements)
* [Install and configure containerd](#install-and-configure-containerd)
* [Install and configure Kubernetes](#install-and-configure-kubernetes)
* [Install Kubernetes](#install-kubernetes)
* [Configure Kubelet to use containerd](#configure-kubelet-to-use-containerd)
* [Configure HTTP proxy - OPTIONAL](#configure-http-proxy---optional)
* [Start Kubernetes](#start-kubernetes)
* [Configure Pod Network](#configure-pod-network)
* [Allow pods to run in the master node](#allow-pods-to-run-in-the-master-node)
* [Create runtime class for Kata Containers](#create-runtime-class-for-kata-containers)
* [Run pod in Kata Containers](#run-pod-in-kata-containers)
* [Delete created pod](#delete-created-pod)
This document describes how to set up a single-machine Kubernetes (k8s) cluster.
The Kubernetes cluster will use the
[CRI containerd plugin](https://github.com/containerd/cri) and
[CRI containerd](https://github.com/containerd/containerd/) and
[Kata Containers](https://katacontainers.io) to launch untrusted workloads.
## Requirements
@@ -84,12 +71,12 @@ $ for service in ${services}; do
service_dir="/etc/systemd/system/${service}.service.d/"
sudo mkdir -p ${service_dir}
cat << EOT | sudo tee "${service_dir}/proxy.conf"
cat << EOF | sudo tee "${service_dir}/proxy.conf"
[Service]
Environment="HTTP_PROXY=${http_proxy}"
Environment="HTTPS_PROXY=${https_proxy}"
Environment="NO_PROXY=${no_proxy}"
EOT
EOF
done
$ sudo systemctl daemon-reload
@@ -185,7 +172,7 @@ If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod w
- Create an pod configuration that using Kata Containers runtime
```bash
$ cat << EOT | tee nginx-kata.yaml
$ cat << EOF | tee nginx-kata.yaml
apiVersion: v1
kind: Pod
metadata:
@@ -196,7 +183,7 @@ If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod w
- name: nginx
image: nginx
EOT
EOF
```
- Create the pod

View File

@@ -2,11 +2,6 @@
This document provides an overview on how to run Kata containers with ACRN hypervisor and device model.
- [Introduction](#introduction)
- [Pre-requisites](#pre-requisites)
- [Configure Docker](#configure-docker)
- [Configure Kata Containers with ACRN](#configure-kata-containers-with-acrn)
## Introduction
ACRN is a flexible, lightweight Type-1 reference hypervisor built with real-time and safety-criticality in mind. ACRN uses an open source platform making it optimized to streamline embedded development.
@@ -27,7 +22,7 @@ This document requires the presence of the ACRN hypervisor and Kata Containers o
- ACRN supported [Hardware](https://projectacrn.github.io/latest/hardware.html#supported-hardware).
> **Note:** Please make sure to have a minimum of 4 logical processors (HT) or cores.
- ACRN [software](https://projectacrn.github.io/latest/tutorials/kbl-nuc-sdc.html#use-the-script-to-set-up-acrn-automatically) setup.
- ACRN [software](https://projectacrn.github.io/latest/tutorials/run_kata_containers.html) setup.
- For networking, ACRN supports either MACVTAP or TAP. If MACVTAP is not enabled in the Service OS, please follow the below steps to update the kernel:
```sh

View File

@@ -1,6 +1,7 @@
# Setting Sysctls with Kata
## Sysctls
In Linux, the sysctl interface allows an administrator to modify kernel
parameters at runtime. Parameters are available via the `/proc/sys/` virtual
process file system.
@@ -16,11 +17,10 @@ To get a complete list of kernel parameters, run:
$ sudo sysctl -a
```
Both Docker and Kubernetes provide mechanisms for setting namespaced sysctls.
Namespaced sysctls can be set per pod in the case of Kubernetes or per container
in case of Docker.
Kubernetes provide mechanisms for setting namespaced sysctls.
Namespaced sysctls can be set per pod in the case of Kubernetes.
The following sysctls are known to be namespaced and can be set with
Docker and Kubernetes:
Kubernetes:
- `kernel.shm*`
- `kernel.msg*`
@@ -30,31 +30,10 @@ Docker and Kubernetes:
### Namespaced Sysctls:
Kata Containers supports setting namespaced sysctls with Docker and Kubernetes.
Kata Containers supports setting namespaced sysctls with Kubernetes.
All namespaced sysctls can be set in the same way as regular Linux based
containers, the difference being, in the case of Kata they are set inside the guest.
#### Setting Namespaced Sysctls with Docker:
```
$ sudo docker run --runtime=kata-runtime -it alpine cat /proc/sys/fs/mqueue/queues_max
256
$ sudo docker run --runtime=kata-runtime --sysctl fs.mqueue.queues_max=512 -it alpine cat /proc/sys/fs/mqueue/queues_max
512
```
... and:
```
$ sudo docker run --runtime=kata-runtime -it alpine cat /proc/sys/kernel/shmmax
18446744073692774399
$ sudo docker run --runtime=kata-runtime --sysctl kernel.shmmax=1024 -it alpine cat /proc/sys/kernel/shmmax
1024
```
For additional documentation on setting sysctls with Docker please refer to [Docker-sysctl-doc](https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime).
#### Setting Namespaced Sysctls with Kubernetes:
Kubernetes considers certain sysctls as safe and others as unsafe. For detailed
@@ -100,7 +79,7 @@ spec:
### Non-Namespaced Sysctls:
Docker and Kubernetes disallow sysctls without a namespace.
Kubernetes disallow sysctls without a namespace.
The recommendation is to set them directly on the host or use a privileged
container in the case of Kubernetes.

View File

@@ -1,12 +1,9 @@
# Kata Containers with virtio-fs
- [Kata Containers with virtio-fs](#kata-containers-with-virtio-fs)
- [Introduction](#introduction)
## Introduction
Container deployments utilize explicit or implicit file sharing between host filesystem and containers. From a trust perspective, avoiding a shared file-system between the trusted host and untrusted container is recommended. This is not always feasible. In Kata Containers, block-based volumes are preferred as they allow usage of either device pass through or `virtio-blk` for access within the virtual machine.
As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.
virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/packaging/tree/master/kata-deploy#kubernetes-quick-start).
virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy#kubernetes-quick-start).

View File

@@ -1,9 +1,5 @@
# Kata Containers with `virtio-mem`
- [Introduction](#introduction)
- [Requisites](#requisites)
- [Run a Kata Container utilizing `virtio-mem`](#run-a-kata-container-utilizing-virtio-mem)
## Introduction
The basic idea of `virtio-mem` is to provide a flexible, cross-architecture memory hot plug and hot unplug solution that avoids many limitations imposed by existing technologies, architectures, and interfaces.
@@ -13,26 +9,23 @@ Kata Containers with `virtio-mem` supports memory resize.
## Requisites
Kata Containers with `virtio-mem` requires Linux and the QEMU that support `virtio-mem`.
The Linux kernel and QEMU upstream version still not support `virtio-mem`. @davidhildenbrand is working on them.
Please use following unofficial version of the Linux kernel and QEMU that support `virtio-mem` with Kata Containers.
Kata Containers just supports `virtio-mem` with QEMU.
Install and setup Kata Containers as shown [here](../install/README.md).
The Linux kernel is at https://github.com/davidhildenbrand/linux/tree/virtio-mem-rfc-v4.
The Linux kernel config that can work with Kata Containers is at https://gist.github.com/teawater/016194ee84748c768745a163d08b0fb9.
The QEMU is at https://github.com/teawater/qemu/tree/kata-virtio-mem. (The original source is at https://github.com/davidhildenbrand/qemu/tree/virtio-mem. Its base version of QEMU cannot work with Kata Containers. So merge the commit of `virtio-mem` to upstream QEMU.)
Set Linux and the QEMU that support `virtio-mem` with following line in the Kata Containers QEMU configuration `configuration-qemu.toml`:
```toml
[hypervisor.qemu]
path = "qemu-dir"
kernel = "vmlinux-dir"
### With x86_64
The `virtio-mem` config of the x86_64 Kata Linux kernel is open.
Enable `virtio-mem` as follows:
```
$ sudo sed -i -e 's/^#enable_virtio_mem.*$/enable_virtio_mem = true/g' /etc/kata-containers/configuration.toml
```
Enable `virtio-mem` with following line in the Kata Containers configuration:
```toml
enable_virtio_mem = true
### With other architectures
The `virtio-mem` config of the others Kata Linux kernel is not open.
You can open `virtio-mem` config as follows:
```
CONFIG_VIRTIO_MEM=y
```
Then you can build and install the guest kernel image as shown [here](../../tools/packaging/kernel/README.md#build-kata-containers-kernel).
## Run a Kata Container utilizing `virtio-mem`
@@ -41,13 +34,35 @@ Use following command to enable memory overcommitment of a Linux kernel. Becaus
$ echo 1 | sudo tee /proc/sys/vm/overcommit_memory
```
Use following command start a Kata Container.
Use following command to start a Kata Container.
```
$ docker run --rm -it --runtime=kata --name test busybox
$ pod_yaml=pod.yaml
$ container_yaml=container.yaml
$ image="quay.io/prometheus/busybox:latest"
$ cat << EOF > "${pod_yaml}"
metadata:
name: busybox-sandbox1
EOF
$ cat << EOF > "${container_yaml}"
metadata:
name: busybox-killed-vmm
image:
image: "$image"
command:
- top
EOF
$ sudo crictl pull $image
$ podid=$(sudo crictl runp $pod_yaml)
$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
$ sudo crictl start $cid
```
Use following command set the memory size of test to default_memory + 512m.
Use the following command to set the container memory limit to 2g and the memory size of the VM to its default_memory + 2g.
```
$ docker update -m 512m --memory-swap -1 test
$ sudo crictl update --memory $((2*1024*1024*1024)) $cid
```
Use the following command to set the container memory limit to 1g and the memory size of the VM to its default_memory + 1g.
```
$ sudo crictl update --memory $((1*1024*1024*1024)) $cid
```

View File

@@ -3,11 +3,6 @@
Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access
that is not normally granted).
* [Warnings](#warnings)
* [Host Devices](#host-devices)
* [Containerd and CRI](#containerd-and-cri)
* [CRI-O](#cri-o)
## Warnings
**Warning:** Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured
@@ -21,9 +16,9 @@ from the host, a potentially undesirable side-effect that decreases the security
The following sections document how to configure this behavior in different container runtimes.
#### Containerd and CRI
#### Containerd
The Containerd CRI allows configuring the privileged host devices behavior for each runtime in the CRI config. This is
The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is
done with the `privileged_without_host_devices` option. Setting this to `true` will disable hot plugging of the host
devices into the guest, even when privileged is enabled.
@@ -46,7 +41,7 @@ See below example config:
```
- [Kata Containers with Containerd and CRI documentation](how-to-use-k8s-with-cri-containerd-and-kata.md)
- [Containerd CRI config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
- [Containerd CRI config documentation](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
#### CRI-O

View File

@@ -1,16 +1,5 @@
# Working with `crictl`
* [What's `cri-tools`](#whats-cri-tools)
* [Use `crictl` run Pods in Kata containers](#use-crictl-run-pods-in-kata-containers)
* [Run `busybox` Pod](#run-busybox-pod)
* [Run pod sandbox with config file](#run-pod-sandbox-with-config-file)
* [Create container in the pod sandbox with config file](#create-container-in-the-pod-sandbox-with-config-file)
* [Start container](#start-container)
* [Run `redis` Pod](#run-redis-pod)
* [Create `redis-server` Pod](#create-redis-server-pod)
* [Create `redis-client` Pod](#create-redis-client-pod)
* [Check `redis` server is working](#check-redis-server-is-working)
## What's `cri-tools`
[`cri-tools`](https://github.com/kubernetes-sigs/cri-tools) provides debugging and validation tools for Kubelet Container Runtime Interface (CRI).

View File

@@ -1,18 +1,5 @@
# Run Kata Containers with Kubernetes
* [Run Kata Containers with Kubernetes](#run-kata-containers-with-kubernetes)
* [Prerequisites](#prerequisites)
* [Install a CRI implementation](#install-a-cri-implementation)
* [CRI-O](#cri-o)
* [Kubernetes Runtime Class (CRI-O v1.12 )](#kubernetes-runtime-class-cri-o-v112)
* [Untrusted annotation (until CRI-O v1.12)](#untrusted-annotation-until-cri-o-v112)
* [Network namespace management](#network-namespace-management)
* [containerd with CRI plugin](#containerd-with-cri-plugin)
* [Install Kubernetes](#install-kubernetes)
* [Configure for CRI-O](#configure-for-cri-o)
* [Configure for containerd](#configure-for-containerd)
* [Run a Kubernetes pod with Kata Containers](#run-a-kubernetes-pod-with-kata-containers)
## Prerequisites
This guide requires Kata Containers available on your system, install-able by following [this guide](../install/README.md).
@@ -22,7 +9,7 @@ Kubernetes CRI (Container Runtime Interface) implementations allow using any
OCI-compatible runtime with Kubernetes, such as the Kata Containers runtime.
Kata Containers support both the [CRI-O](https://github.com/kubernetes-incubator/cri-o) and
[CRI-containerd](https://github.com/containerd/cri) CRI implementations.
[containerd](https://github.com/containerd/containerd) CRI implementations.
After choosing one CRI implementation, you must make the appropriate configuration
to ensure it integrates with Kata Containers.
@@ -33,9 +20,9 @@ required to spawn pods and containers, and this is the preferred way to run Kata
An equivalent shim implementation for CRI-O is planned.
### CRI-O
For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/kubernetes-incubator/cri-o/blob/master/tutorial.md) page.
For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/cri-o/cri-o/blob/main/tutorial.md) page.
The following sections show how to set up the CRI-O configuration file (default path: `/etc/crio/crio.conf`) for Kata.
The following sections show how to set up the CRI-O snippet configuration file (default path: `/etc/crio/crio.conf`) for Kata.
Unless otherwise stated, all the following settings are specific to the `crio.runtime` table:
```toml
@@ -43,7 +30,7 @@ Unless otherwise stated, all the following settings are specific to the `crio.ru
# runtime used and options for how to set up and manage the OCI runtime.
[crio.runtime]
```
A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md).
A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md).
> **Note**: After any change to this file, the CRI-O daemon have to be restarted with:
>````
@@ -53,82 +40,20 @@ A comprehensive documentation of the configuration file can be found [here](http
#### Kubernetes Runtime Class (CRI-O v1.12+)
The [Kubernetes Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/)
is the preferred way of specifying the container runtime configuration to run a Pod's containers.
To use this feature, Kata must added as a runtime handler with:
To use this feature, Kata must added as a runtime handler. This can be done by
dropping a `50-kata` snippet file into `/etc/crio/crio.conf.d`, with the
content shown below:
```toml
[crio.runtime.runtimes.kata-runtime]
runtime_path = "/usr/bin/kata-runtime"
runtime_type = "oci"
```
You can also add multiple entries to specify alternatives hypervisors, e.g.:
```toml
[crio.runtime.runtimes.kata-qemu]
runtime_path = "/usr/bin/kata-runtime"
runtime_type = "oci"
[crio.runtime.runtimes.kata-fc]
runtime_path = "/usr/bin/kata-runtime"
runtime_type = "oci"
```
#### Untrusted annotation (until CRI-O v1.12)
The untrusted annotation is used to specify a runtime for __untrusted__ workloads, i.e.
a runtime to be used when the workload cannot be trusted and a higher level of security
is required. An additional flag can be used to let CRI-O know if a workload
should be considered _trusted_ or _untrusted_ by default.
For further details, see the documentation
[here](../design/architecture.md#mixing-vm-based-and-namespace-based-runtimes).
```toml
# runtime is the OCI compatible runtime used for trusted container workloads.
# This is a mandatory setting as this runtime will be the default one
# and will also be used for untrusted container workloads if
# runtime_untrusted_workload is not set.
runtime = "/usr/bin/runc"
# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
# container workloads. This is an optional setting, except if
# default_container_trust is set to "untrusted".
runtime_untrusted_workload = "/usr/bin/kata-runtime"
# default_workload_trust is the default level of trust crio puts in container
# workloads. It can either be "trusted" or "untrusted", and the default
# is "trusted".
# Containers can be run through different container runtimes, depending on
# the trust hints we receive from kubelet:
# - If kubelet tags a container workload as untrusted, crio will try first to
# run it through the untrusted container workload runtime. If it is not set,
# crio will use the trusted runtime.
# - If kubelet does not provide any information about the container workload trust
# level, the selected runtime will depend on the default_container_trust setting.
# If it is set to "untrusted", then all containers except for the host privileged
# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
# containers are by definition trusted and will always use the trusted container
# runtime. If default_container_trust is set to "trusted", crio will use the trusted
# container runtime for all containers.
default_workload_trust = "untrusted"
```
#### Network namespace management
To enable networking for the workloads run by Kata, CRI-O needs to be configured to
manage network namespaces, by setting the following key to `true`.
In CRI-O v1.16:
```toml
manage_network_ns_lifecycle = true
```
In CRI-O v1.17+:
```toml
manage_ns_lifecycle = true
[crio.runtime.runtimes.kata]
runtime_path = "/usr/bin/containerd-shim-kata-v2"
runtime_type = "vm"
runtime_root = "/run/vc"
privileged_without_host_devices = true
```
### containerd with CRI plugin
If you select containerd with `cri` plugin, follow the "Getting Started for Developers"
instructions [here](https://github.com/containerd/cri#getting-started-for-developers)
to properly install it.
### containerd
To customize containerd to select Kata Containers runtime, follow our
"Configure containerd to use Kata Containers" internal documentation
@@ -171,10 +96,10 @@ $ sudo systemctl daemon-reload
$ sudo systemctl restart kubelet
# If using CRI-O
$ sudo kubeadm init --skip-preflight-checks --cri-socket /var/run/crio/crio.sock --pod-network-cidr=10.244.0.0/16
$ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /var/run/crio/crio.sock --pod-network-cidr=10.244.0.0/16
# If using CRI-containerd
$ sudo kubeadm init --skip-preflight-checks --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16
# If using containerd
$ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16
$ export KUBECONFIG=/etc/kubernetes/admin.conf
```

View File

@@ -1,21 +1,5 @@
# Kata Containers and service mesh for Kubernetes
* [Assumptions](#assumptions)
* [How they work](#how-they-work)
* [Prerequisites](#prerequisites)
* [Kata and Kubernetes](#kata-and-kubernetes)
* [Restrictions](#restrictions)
* [Install and deploy your service mesh](#install-and-deploy-your-service-mesh)
* [Service Mesh Istio](#service-mesh-istio)
* [Service Mesh Linkerd](#service-mesh-linkerd)
* [Inject your services with sidecars](#inject-your-services-with-sidecars)
* [Sidecar Istio](#sidecar-istio)
* [Sidecar Linkerd](#sidecar-linkerd)
* [Run your services with Kata](#run-your-services-with-kata)
* [Lower privileges](#lower-privileges)
* [Add annotations](#add-annotations)
* [Deploy](#deploy)
A service mesh is a way to monitor and control the traffic between
micro-services running in your Kubernetes cluster. It is a powerful
tool that you might want to use in combination with the security
@@ -50,7 +34,7 @@ as the proxy starts.
Follow the [instructions](../install/README.md)
to get Kata Containers properly installed and configured with Kubernetes.
You can choose between CRI-O and CRI-containerd, both are supported
You can choose between CRI-O and containerd, both are supported
through this document.
For both cases, select the workloads as _trusted_ by default. This way,
@@ -76,15 +60,16 @@ is not able to perform a proper setup of the rules.
### Service Mesh Istio
As a reference, you can follow Istio [instructions](https://istio.io/docs/setup/kubernetes/quick-start/#download-and-prepare-for-the-installation).
The following is a summary of what you need to install Istio on your system:
```
$ curl -L https://git.io/getLatestIstio | sh -
$ cd istio-*
$ export PATH=$PWD/bin:$PATH
```
See the [Istio documentation](https://istio.io/docs) for further details.
Now deploy Istio in the control plane of your cluster with the following:
```
$ kubectl apply -f install/kubernetes/istio-demo.yaml
@@ -174,7 +159,7 @@ containers with `privileged: true` to `privileged: false`.
There is no difference between Istio and Linkerd in this section. It is
about which CRI implementation you use.
For both CRI-O and CRI-containerd, you have to add an annotation indicating
For both CRI-O and containerd, you have to add an annotation indicating
the workload for this deployment is not _trusted_, which will trigger
`kata-runtime` to be called instead of `runc`.
@@ -208,9 +193,9 @@ spec:
...
```
__CRI-containerd:__
__containerd:__
Add the following annotation for CRI-containerd
Add the following annotation for containerd
```yaml
io.kubernetes.cri.untrusted-workload: "true"
```

View File

@@ -1,10 +1,5 @@
# What Is VMCache and How To Enable It
* [What is VMCache](#what-is-vmcache)
* [How is this different to VM templating](#how-is-this-different-to-vm-templating)
* [How to enable VMCache](#how-to-enable-vmcache)
* [Limitations](#limitations)
### What is VMCache
VMCache is a new function that creates VMs as caches before using it.

View File

@@ -1,6 +1,7 @@
# What Is VM Templating and How To Enable It
### What is VM templating
VM templating is a Kata Containers feature that enables new VM
creation using a cloning technique. When enabled, new VMs are created
by cloning from a pre-created template VM, and they will share the
@@ -8,11 +9,13 @@ same initramfs, kernel and agent memory in readonly mode. It is very
much like a process fork done by the kernel but here we *fork* VMs.
### How is this different from VMCache
Both [VMCache](../how-to/what-is-vm-cache-and-how-do-I-use-it.md) and VM templating help speed up new container creation.
When VMCache enabled, new VMs are created by the VMCache server. So it is not vulnerable to share memory CVE because each VM doesn't share the memory.
VM templating saves a lot of memory if there are many Kata Containers running on the same host.
### What are the Pros
VM templating helps speed up new container creation and saves a lot
of memory if there are many Kata Containers running on the same host.
If you are running a density workload, or care a lot about container
@@ -29,6 +32,7 @@ showed that VM templating speeds up Kata Containers creation by as much as
38.68%. See [full results here](https://gist.github.com/bergwolf/06974a3c5981494a40e2c408681c085d).
### What are the Cons
One drawback of VM templating is that it cannot avoid cross-VM side-channel
attack such as [CVE-2015-2877](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2877)
that originally targeted at the Linux KSM feature.
@@ -39,10 +43,11 @@ and can be classified as potentially misunderstood behaviors rather than vulnera
**Warning**: If you care about such attack vector, do not use VM templating or KSM.
### How to enable VM templating
VM templating can be enabled by changing your Kata Containers config file (`/usr/share/defaults/kata-containers/configuration.toml`,
overridden by `/etc/kata-containers/configuration.toml` if provided) such that:
- `qemu-lite` is specified in `hypervisor.qemu`->`path` section
- `qemu` version `v4.1.0` or above is specified in `hypervisor.qemu`->`path` section
- `enable_template = true`
- `initrd =` is set
- `image =` option is commented out or removed

View File

@@ -1,11 +1,5 @@
# Hypervisors
* [Hypervisors](#hypervisors)
* [Introduction](#introduction)
* [Types](#types)
* [Determine currently configured hypervisor](#determine-currently-configured-hypervisor)
* [Choose a Hypervisor](#choose-a-hypervisor)
## Introduction
Kata Containers supports multiple hypervisors. This document provides a very

View File

@@ -1,47 +1,37 @@
# Kata Containers installation user guides
# Kata Containers installation guides
* [Kata Containers installation user guides](#kata-containers-installation-user-guides)
* [Prerequisites](#prerequisites)
* [Legacy installation](#legacy-installation)
* [Packaged installation methods](#packaged-installation-methods)
* [Official packages](#official-packages)
* [Snap Installation](#snap-installation)
* [Automatic Installation](#automatic-installation)
* [Manual Installation](#manual-installation)
* [Build from source installation](#build-from-source-installation)
* [Installing on a Cloud Service Platform](#installing-on-a-cloud-service-platform)
* [Further information](#further-information)
The following is an overview of the different installation methods available. All of these methods equally result
in a system configured to run Kata Containers.
The following is an overview of the different installation methods available.
## Prerequisites
Kata Containers requires nested virtualization or bare metal.
See the
[hardware requirements](/src/runtime/README.md#hardware-requirements)
to see if your system is capable of running Kata Containers.
## Legacy installation
If you wish to install a legacy 1.x version of Kata Containers, see
[the Kata Containers 1.x installation documentation](https://github.com/kata-containers/documentation/tree/master/install/).
Kata Containers requires nested virtualization or bare metal. Check
[hardware requirements](/src/runtime/README.md#hardware-requirements) to see if your system is capable of running Kata
Containers.
## Packaged installation methods
> **Notes:**
>
> - Packaged installation methods uses your distribution's native package format (such as RPM or DEB).
> - You are strongly encouraged to choose an installation method that provides
> automatic updates, to ensure you benefit from security updates and bug fixes.
Packaged installation methods uses your distribution's native package format (such as RPM or DEB).
| Installation method | Description | Automatic updates | Use case |
|------------------------------------------------------|---------------------------------------------------------------------|-------------------|----------------------------------------------------------|
| [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories | yes | Recommended for most users. |
| [Using snap](#snap-installation) | Easy to install | yes | Good alternative to official distro packages. |
| [Automatic](#automatic-installation) | Run a single command to install a full system | **No!** | For those wanting the latest release quickly. |
| [Manual](#manual-installation) | Follow a guide step-by-step to install a working system | **No!** | For those who want the latest release with more control. |
| [Build from source](#build-from-source-installation) | Build the software components manually | **No!** | Power users and developers only. |
> **Note:** We encourage installation methods that provides automatic updates, it ensures security updates and bug fixes are
> easily applied.
| Installation method | Description | Automatic updates | Use case |
|------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------------------------------------------------|
| [Using kata-deploy](#kata-deploy-installation) | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!** | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. |
| [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories | yes | Recommended for most users. |
| [Using snap](#snap-installation) | Easy to install | yes | Good alternative to official distro packages. |
| [Automatic](#automatic-installation) | Run a single command to install a full system | **No!** | For those wanting the latest release quickly. |
| [Manual](#manual-installation) | Follow a guide step-by-step to install a working system | **No!** | For those who want the latest release with more control. |
| [Build from source](#build-from-source-installation) | Build the software components manually | **No!** | Power users and developers only. |
### Kata Deploy Installation
Kata Deploy provides a Dockerfile, which contains all of the binaries and
artifacts required to run Kata Containers, as well as reference DaemonSets,
which can be utilized to install Kata Containers on a running Kubernetes
cluster.
[Use Kata Deploy](/tools/packaging/kata-deploy/README.md) to install Kata Containers on a Kubernetes Cluster.
### Official packages
@@ -52,16 +42,9 @@ Kata packages are provided by official distribution repositories for:
| [CentOS](centos-installation-guide.md) | 8 |
| [Fedora](fedora-installation-guide.md) | 34 |
> **Note::**
>
> All users are encouraged to uses the official distribution versions of Kata
> Containers unless they understand the implications of alternative methods.
### Snap Installation
> **Note:** The snap installation is available for all distributions which support `snapd`.
[![Get it from the Snap Store](https://snapcraft.io/static/images/badges/en/snap-store-black.svg)](https://snapcraft.io/kata-containers)
The snap installation is available for all distributions which support `snapd`.
[Use snap](snap-installation-guide.md) to install Kata Containers from https://snapcraft.io.
@@ -75,11 +58,9 @@ Follow the [containerd installation guide](container-manager/containerd/containe
## Build from source installation
> **Notes:**
>
> - Power users who decide to build from sources should be aware of the
> implications of using an unpackaged system which will not be automatically
> updated as new [releases](../Stable-Branch-Strategy.md) are made available.
> **Note:** Power users who decide to build from sources should be aware of the
> implications of using an unpackaged system which will not be automatically
> updated as new [releases](../Stable-Branch-Strategy.md) are made available.
[Building from sources](../Developer-Guide.md#initial-setup) allows power users
who are comfortable building software from source to use the latest component
@@ -95,6 +76,6 @@ versions. This is not recommended for normal users.
## Further information
* The [upgrading document](../Upgrading.md).
* The [developer guide](../Developer-Guide.md).
* The [runtime documentation](../../src/runtime/README.md).
* [upgrading document](../Upgrading.md)
* [developer guide](../Developer-Guide.md)
* [runtime documentation](../../src/runtime/README.md)

View File

@@ -1,10 +1,5 @@
# Install Kata Containers on Amazon Web Services
* [Install and Configure AWS CLI](#install-and-configure-aws-cli)
* [Create or Import an EC2 SSH key pair](#create-or-import-an-ec2-ssh-key-pair)
* [Launch i3.metal instance](#launch-i3metal-instance)
* [Install Kata](#install-kata)
Kata Containers on Amazon Web Services (AWS) makes use of [i3.metal](https://aws.amazon.com/ec2/instance-types/i3/) instances. Most of the installation procedure is identical to that for Kata on your preferred distribution, except that you have to run it on bare metal instances since AWS doesn't support nested virtualization yet. This guide walks you through creating an i3.metal instance.
## Install and Configure AWS CLI

View File

@@ -98,12 +98,12 @@
```toml
[plugins]
[plugins.cri]
[plugins.cri.containerd]
default_runtime_name = "kata"
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "kata"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
```
> **Note:**

View File

@@ -1,11 +1,5 @@
# Install Kata Containers on Google Compute Engine
* [Create an Image with Nested Virtualization Enabled](#create-an-image-with-nested-virtualization-enabled)
* [Create the Image](#create-the-image)
* [Verify VMX is Available](#verify-vmx-is-available)
* [Install Kata](#install-kata)
* [Create a Kata-enabled Image](#create-a-kata-enabled-image)
Kata Containers on Google Compute Engine (GCE) makes use of [nested virtualization](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances). Most of the installation procedure is identical to that for Kata on your preferred distribution, but enabling nested virtualization currently requires extra steps on GCE. This guide walks you through creating an image and instance with nested virtualization enabled. Note that `kata-runtime check` checks for nested virtualization, but does not fail if support is not found.
As a pre-requisite this guide assumes an installed and configured instance of the [Google Cloud SDK](https://cloud.google.com/sdk/downloads). For a zero-configuration option, all of the commands below were been tested under [Google Cloud Shell](https://cloud.google.com/shell/) (as of Jun 2018). Verify your `gcloud` installation and configuration:

View File

@@ -1,24 +1,12 @@
# Installing Kata Containers in Minikube
* [Installing Kata Containers in Minikube](#installing-kata-containers-in-minikube)
* [Introduction](#introduction)
* [Prerequisites](#prerequisites)
* [Setting up Minikube](#setting-up-minikube)
* [Checking for nested virtualization](#checking-for-nested-virtualization)
* [Check Minikube is running](#check-minikube-is-running)
* [Installing Kata Containers](#installing-kata-containers)
* [Enabling Kata Containers](#enabling-kata-containers)
* [Register the runtime](#register-the-runtime)
* [Testing Kata Containers](#testing-kata-containers)
* [Wrapping up](#wrapping-up)
## Introduction
[Minikube](https://kubernetes.io/docs/setup/minikube/) is an easy way to try out a Kubernetes (k8s)
cluster locally. It creates a single node Kubernetes stack in a local VM.
[Kata Containers](https://github.com/kata-containers) can be installed into a Minikube cluster using
[`kata-deploy`](https://github.com/kata-containers/packaging/tree/master/kata-deploy).
[`kata-deploy`](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy).
This document details the pre-requisites, installation steps, and how to check
the installation has been successful.
@@ -135,7 +123,7 @@ $ kubectl apply -f kata-deploy/base/kata-deploy.yaml
This installs the Kata Containers components into `/opt/kata` inside the Minikube node. It can take
a few minutes for the operation to complete. You can check the installation has worked by checking
the status of the `kata-deploy` pod, which will be executing
[this script](https://github.com/kata-containers/packaging/blob/master/kata-deploy/scripts/kata-deploy.sh),
[this script](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy/scripts/kata-deploy.sh),
and will be executing a `sleep infinity` once it has successfully completed its work.
You can accomplish this by running the following:
@@ -166,8 +154,8 @@ $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/node-api/master/
Now register the `kata qemu` runtime with that class. This should result in no errors:
```sh
$ cd kata-containers/tools/packaging/kata-deploy/k8s-1.14
$ kubectl apply -f kata-qemu-runtimeClass.yaml
$ cd kata-containers/tools/packaging/kata-deploy/runtimeclasses
$ kubectl apply -f kata-runtimeClasses.yaml
```
The Kata Containers installation process should be complete and enabled in the Minikube cluster.

View File

@@ -1,11 +1,5 @@
# Kata Containers snap package
* [Install Kata Containers](#install-kata-containers)
* [Configure Kata Containers](#configure-kata-containers)
* [Integration with shim v2 Container Engines](#integration-with-shim-v2-container-engines)
* [Remove Kata Containers snap package](#remove-kata-containers-snap-package)
## Install Kata Containers
Kata Containers can be installed in any Linux distribution that supports
@@ -14,7 +8,7 @@ Kata Containers can be installed in any Linux distribution that supports
Run the following command to install **Kata Containers**:
```sh
$ sudo snap install kata-containers --candidate --classic
$ sudo snap install kata-containers --stable --classic
```
## Configure Kata Containers

File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 150 KiB

View File

@@ -0,0 +1,137 @@
# Kata Containers threat model
This document discusses threat models associated with the Kata Containers project.
Kata was designed to provide additional isolation of container workloads, protecting
the host infrastructure from potentially malicious container users or workloads. Since
Kata Containers adds a level of isolation on top of traditional containers, the focus
is on the additional layer provided, not on traditional container security.
This document provides a brief background on containers and layered security, describes
the interface to Kata from CRI runtimes, a review of utilized virtual machine interfaces, and then
a review of threats.
## Kata security objective
Kata seeks to prevent an untrusted container workload or user of that container workload to gain
control of, obtain information from, or tamper with the host infrastructure.
In our scenario, an asset is anything on the host system, or elsewhere in the cluster
infrastructure. The attacker is assumed to be either a malicious user or the workload itself
running within the container. The goal of Kata is to prevent attacks which would allow
any access to the defined assets.
## Background on containers, layered security
Traditional containers leverage several key Linux kernel features to provide isolation and
a view that the container workload is the only entity running on the host. Key features include
`Namespaces`, `cgroups`, `capablities`, `SELinux` and `seccomp`. The canonical runtime for creating such
a container is `runc`. In the remainder of the document, the term `traditional-container` will be used
to describe a container workload created by runc.
Kata Containers provides a second layer of isolation on top of those provided by traditional-containers.
The hardware virtualization interface is the basis of this additional layer. Kata launches a lightweight
virtual machine, and uses the guests Linux kernel to create a container workload, or workloads in the case
of multi-container pods. In Kubernetes and in the Kata implementation, the sandbox is carried out at the
pod level. In Kata, this sandbox is created using a virtual machine.
## Interface to Kata Containers: CRI, v2-shim, OCI
A typical Kata Containers deployment uses Kubernetes with a CRI implementation.
On every node, Kubelet will interact with a CRI implementor, which will in turn interface with
an OCI based runtime, such as Kata Containers. Typical CRI implementors are `cri-o` and `containerd`.
The CRI API, as defined at the Kubernetes [CRI-API repo](https://github.com/kubernetes/cri-api/),
results in a few constructs being supported by the CRI implementation, and ultimately in the OCI
runtime creating the workloads.
In order to run a container inside of the Kata sandbox, several virtual machine devices and interfaces
are required. Kata translates sandbox and container definitions to underlying virtualization technologies provided
by a set of virtual machine monitors (VMMs) and hypervisors. These devices and their underlying
implementations are discussed in detail in the following section.
## Interface to the Kata sandbox/virtual machine
In case of Kata, today the devices which we need in the guest are:
- Storage: In the current design of Kata Containers, we are reliant on the CRI implementor to
assist in image handling and volume management on the host. As a result, we need to support a way of passing to the sandbox the container rootfs, volumes requested
by the workload, and any other volumes created to facilitate sharing of secrets and `configmaps` with the containers. Depending on how these are managed, a block based device or file-system
sharing is required. Kata Containers does this by way of `virtio-blk` and/or `virtio-fs`.
- Networking: A method for enabling network connectivity with the workload is required. Typically this will be done providing a `TAP` device
to the VMM, and this will be exposed to the guest as a `virtio-net` device. It is feasible to pass in a NIC device directly, in which case `VFIO` is leveraged
and the device itself will be exposed to the guest.
- Control: In order to interact with the guest agent and retrieve `STDIO` from containers, a medium of communication is required.
This is available via `virtio-vsock`.
- Devices: `VFIO` is utilized when devices are passed directly to the virtual machine and exposed to the container.
- Dynamic Resource Management: `ACPI` is utilized to allow for dynamic VM resource management (for example: CPU, memory, device hotplug). This is required when containers are resized,
or more generally when containers are added to a pod.
How these devices are utilized varies depending on the VMM utilized. We clarify the default settings provided when integrating Kata
with the QEMU, Firecracker and Cloud Hypervisor VMMs in the following sections.
### Devices
Each virtio device is implemented by a backend, which may execute within userspace on the host (vhost-user), the VMM itself, or within the host kernel (vhost). While it may provide enhanced performance,
vhost devices are often seen as higher risk since an exploit would be already running within the kernel space. While VMM and vhost-user are both in userspace on the host, `vhost-user` generally allows for the back-end process to require less system calls and capabilities compared to a full VMM.
#### `virtio-blk` and `virtio-scsi`
The backend for `virtio-blk` and `virtio-scsi` are based in the VMM itself (ring3 in the context of x86) by default for Cloud Hypervisor, Firecracker and QEMU.
While `vhost` based back-ends are available for QEMU, it is not recommended. `vhost-user` back-ends are being added for Cloud Hypervisor, they are not utilized in Kata today.
#### `virtio-fs`
`virtio-fs` is supported in Cloud Hypervisor and QEMU. `virtio-fs`'s interaction with the host filesystem is done through a vhost-user daemon, `virtiofsd`.
The `virtio-fs` client, running in the guest, will generate requests to access files. `virtiofsd` will receive requests, open the file, and request the VMM
to `mmap` it into the guest. When DAX is utilized, the guest will access the host's page cache, avoiding the need for copy and duplication. DAX is still an experimental feature,
and is not enabled by default.
From the `virtiofsd` [documentation](https://qemu-project.gitlab.io/qemu/tools/virtiofsd.html):
```This program must be run as the root user. Upon startup the program will switch into a new file system namespace with the shared directory tree as its root. This prevents “file system escapes” due to symlinks and other file system objects that might lead to files outside the shared directory. The program also sandboxes itself using seccomp(2) to prevent ptrace(2) and other vectors that could allow an attacker to compromise the system after gaining control of the virtiofsd process.```
DAX-less support for `virtio-fs` is available as of the 5.4 Linux kernel. QEMU VMM supports virtio-fs as of v4.2. Cloud Hypervisor
supports `virtio-fs`.
#### `virtio-net`
`virtio-net` has many options, depending on the VMM and Kata configurations.
##### QEMU networking
While QEMU has options for `vhost`, `virtio-net` and `vhost-user`, the `virtio-net` backend
for Kata defaults to `vhost-net` for performance reasons. The default configuration is being
reevaluated.
##### Firecracker networking
For Firecracker, the `virtio-net` backend is within Firecracker's VMM.
##### Cloud Hypervisor networking
For Cloud Hypervisor, the current backend default is within the VMM. `vhost-user-net` support
is being added (written in rust, Cloud Hypervisor specific).
#### virtio-vsock
##### QEMU vsock
In QEMU, vsock is backed by `vhost_vsock`, which runs within the kernel itself.
##### Firecracker and Cloud Hypervisor
In Firecracker and Cloud Hypervisor, vsock is backed by a unix-domain-socket in the hosts userspace.
#### VFIO
Utilizing VFIO, devices can be passed through to the virtual machine. We will assess this separately. Exposure to
host is limited to gaps in device pass-through handling. This is supported in QEMU and Cloud Hypervisor, but not
Firecracker.
#### ACPI
ACPI is necessary for hotplug of CPU, memory and devices. ACPI is available in QEMU and Cloud Hypervisor. Device, CPU and memory hotplug
are not available in Firecracker.
## Devices and threat model
![Threat model](threat-model-boundaries.svg "threat-model")

214
docs/tracing.md Normal file
View File

@@ -0,0 +1,214 @@
# Overview
This document explains how to trace Kata Containers components.
# Introduction
The Kata Containers runtime and agent are able to generate
[OpenTelemetry][opentelemetry] trace spans, which allow the administrator to
observe what those components are doing and how much time they are spending on
each operation.
# OpenTelemetry summary
An OpenTelemetry-enabled application creates a number of trace "spans". A span
contains the following attributes:
- A name
- A pair of timestamps (recording the start time and end time of some operation)
- A reference to the span's parent span
All spans need to be *finished*, or *completed*, to allow the OpenTelemetry
framework to generate the final trace information (by effectively closing the
transaction encompassing the initial (root) span and all its children).
For Kata, the root span represents the total amount of time taken to run a
particular component from startup to its shutdown (the "run time").
# Architecture
## Runtime tracing architecture
The runtime, which runs in the host environment, has been modified to
optionally generate trace spans which are sent to a trace collector on the
host.
## Agent tracing architecture
An OpenTelemetry system (such as [Jaeger][jaeger-tracing]) uses a collector to
gather up trace spans from the application for viewing and processing. For an
application to use the collector, it must run in the same context as
the collector.
This poses a problem for tracing the Kata Containers agent since it does not
run in the same context as the collector: it runs inside a virtual machine (VM).
To allow spans from the agent to be sent to the trace collector, Kata provides
a [trace forwarder][trace-forwarder] component. This runs in the same context
as the collector (generally on the host system) and listens on a
[`VSOCK`][vsock] channel for traces generated by the agent, forwarding them on
to the trace collector.
> **Note:**
>
> This design supports agent tracing without having to make changes to the
> image, but also means that [custom images][osbuilder] can also benefit from
> agent tracing.
The following diagram summarises the architecture used to trace the Kata
Containers agent:
```
+--------------------------------------------+
| Host |
| |
| +---------------+ |
| | OpenTelemetry | |
| | Trace | |
| | Collector | |
| +---------------+ |
| ^ +---------------+ |
| | spans | Kata VM | |
| +-----+-----+ | | |
| | Kata | spans o +-------+ | |
| | Trace |<-----------------| Kata | | |
| | Forwarder | VSOCK o | Agent | | |
| +-----------+ Channel | +-------+ | |
| +---------------+ |
+--------------------------------------------+
```
# Agent tracing prerequisites
- You must have a trace collector running.
Although the collector normally runs on the host, it can also be run from
inside a Docker image configured to expose the appropriate host ports to the
collector.
The [Jaeger "all-in-one" Docker image][jaeger-all-in-one] method
is the quickest and simplest way to run the collector for testing.
- If you wish to trace the agent, you must start the
[trace forwarder][trace-forwarder].
> **Notes:**
>
> - If agent tracing is enabled but the forwarder is not running,
> the agent will log an error (signalling that it cannot generate trace
> spans), but continue to work as normal.
>
> - The trace forwarder requires a trace collector (such as Jaeger) to be
> running before it is started. If a collector is not running, the trace
> forwarder will exit with an error.
# Enable tracing
By default, tracing is disabled for all components. To enable _any_ form of
tracing an `enable_tracing` option must be enabled for at least one component.
> **Note:**
>
> Enabling this option will only allow tracing for subsequently
> started containers.
## Enable runtime tracing
To enable runtime tracing, set the tracing option as shown:
```toml
[runtime]
enable_tracing = true
```
## Enable agent tracing
To enable agent tracing, set the tracing option as shown:
```toml
[agent.kata]
enable_tracing = true
```
> **Note:**
>
> If both agent tracing and runtime tracing are enabled, the resulting trace
> spans will be "collated": expanding individual runtime spans in the Jaeger
> web UI will show the agent trace spans resulting from the runtime
> operation.
# Appendices
## Agent tracing requirements
### Host environment
- The host kernel must support the VSOCK socket type.
This will be available if the kernel is built with the
`CONFIG_VHOST_VSOCK` configuration option.
- The VSOCK kernel module must be loaded:
```
$ sudo modprobe vhost_vsock
```
### Guest environment
- The guest kernel must support the VSOCK socket type:
This will be available if the kernel is built with the
`CONFIG_VIRTIO_VSOCKETS` configuration option.
> **Note:** The default Kata Containers guest kernel provides this feature.
## Agent tracing limitations
- Agent tracing is only "completed" when the workload and the Kata agent
process have exited.
Although trace information *can* be inspected before the workload and agent
have exited, it is incomplete. This is shown as `<trace-without-root-span>`
in the Jaeger web UI.
If the workload is still running, the trace transaction -- which spans the entire
runtime of the Kata agent -- will not have been completed. To view the complete
trace details, wait for the workload to end, or stop the container.
## Performance impact
[OpenTelemetry][opentelemetry] is designed for high performance. It combines
the best of two previous generation projects (OpenTracing and OpenCensus) and
uses a very efficient mechanism to capture trace spans. Further, the trace
points inserted into the agent are generated dynamically at compile time. This
is advantageous since new versions of the agent will automatically benefit
from improvements in the tracing infrastructure. Overall, the impact of
enabling runtime and agent tracing should be extremely low.
## Agent shutdown behaviour
In normal operation, the Kata runtime manages the VM shutdown and performs
certain optimisations to speed up this process. However, if agent tracing is
enabled, the agent itself is responsible for shutting down the VM. This it to
ensure all agent trace transactions are completed. This means there will be a
small performance impact for container shutdown when agent tracing is enabled
as the runtime must wait for the VM to shutdown fully.
## Set up a tracing development environment
If you want to debug, further develop, or test tracing,
[enabling full debug][enable-full-debug]
is highly recommended. For working with the agent, you may also wish to
[enable a debug console][setup-debug-console]
to allow you to access the VM environment.
[agent-ctl]: https://github.com/kata-containers/kata-containers/blob/main/tools/agent-ctl
[enable-full-debug]: https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md#enable-full-debug
[jaeger-all-in-one]: https://www.jaegertracing.io/docs/getting-started/
[jaeger-tracing]: https://www.jaegertracing.io
[opentelemetry]: https://opentelemetry.io
[osbuilder]: https://github.com/kata-containers/kata-containers/blob/main/tools/osbuilder
[setup-debug-console]: https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md#set-up-a-debug-console
[trace-forwarder]: https://github.com/kata-containers/kata-containers/blob/main/src/trace-forwarder
[vsock]: https://wiki.qemu.org/Features/VirtioVsock

View File

@@ -1,13 +1,5 @@
# Using Intel GPU device with Kata Containers
- [Using Intel GPU device with Kata Containers](#using-intel-gpu-device-with-kata-containers)
- [Hardware Requirements](#hardware-requirements)
- [Host Kernel Requirements](#host-kernel-requirements)
- [Install and configure Kata Containers](#install-and-configure-kata-containers)
- [Build Kata Containers kernel with GPU support](#build-kata-containers-kernel-with-gpu-support)
- [GVT-d with Kata Containers](#gvt-d-with-kata-containers)
- [GVT-g with Kata Containers](#gvt-g-with-kata-containers)
An Intel Graphics device can be passed to a Kata Containers container using GPU
passthrough (Intel GVT-d) as well as GPU mediated passthrough (Intel GVT-g).
@@ -65,8 +57,8 @@ configuration in the Kata `configuration.toml` file as shown below.
$ sudo sed -i -e 's/^# *\(hotplug_vfio_on_root_bus\).*=.*$/\1 = true/g' /usr/share/defaults/kata-containers/configuration.toml
```
Make sure you are using the `pc` machine type by verifying `machine_type = "pc"` is
set in the `configuration.toml`.
Make sure you are using the `q35` machine type by verifying `machine_type = "q35"` is
set in the `configuration.toml`. Make sure `pcie_root_port` is set to a positive value.
## Build Kata Containers kernel with GPU support

View File

@@ -1,17 +1,5 @@
# Using Nvidia GPU device with Kata Containers
- [Using Nvidia GPU device with Kata Containers](#using-nvidia-gpu-device-with-kata-containers)
- [Hardware Requirements](#hardware-requirements)
- [Host BIOS Requirements](#host-bios-requirements)
- [Host Kernel Requirements](#host-kernel-requirements)
- [Install and configure Kata Containers](#install-and-configure-kata-containers)
- [Build Kata Containers kernel with GPU support](#build-kata-containers-kernel-with-gpu-support)
- [Nvidia GPU pass-through mode with Kata Containers](#nvidia-gpu-pass-through-mode-with-kata-containers)
- [Nvidia vGPU mode with Kata Containers](#nvidia-vgpu-mode-with-kata-containers)
- [Install Nvidia Driver in Kata Containers](#install-nvidia-driver-in-kata-containers)
- [References](#references)
An Nvidia GPU device can be passed to a Kata Containers container using GPU passthrough
(Nvidia GPU pass-through mode) as well as GPU mediated passthrough (Nvidia vGPU mode). 
@@ -75,18 +63,11 @@ To use non-large BARs devices (for example, Nvidia Tesla T4), you need Kata vers
Follow the [Kata Containers setup instructions](../install/README.md)
to install the latest version of Kata.
The following configuration in the Kata `configuration.toml` file as shown below can work:
```
machine_type = "pc"
hotplug_vfio_on_root_bus = true
```
To use large BARs devices (for example, Nvidia Tesla P100), you need Kata version 1.11.0 or above.
The following configuration in the Kata `configuration.toml` file as shown below can work:
Hotplug for PCI devices by `shpchp` (Linux's SHPC PCI Hotplug driver):
Hotplug for PCI devices by `acpi_pcihp` (Linux's ACPI PCI Hotplug driver):
```
machine_type = "q35"
@@ -110,7 +91,6 @@ The following kernel config options need to be enabled:
```
# Support PCI/PCIe device hotplug (Required for large BARs device)
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_HOTPLUG_PCI_SHPC=y
# Support for loading modules (Required for load Nvidia drivers)
CONFIG_MODULES=y
@@ -310,4 +290,4 @@ Tue Mar 3 00:03:49 2020
- [Configuring a VM for GPU Pass-Through by Using the QEMU Command Line](https://docs.nvidia.com/grid/latest/grid-vgpu-user-guide/index.html#using-gpu-pass-through-red-hat-el-qemu-cli)
- https://gitlab.com/nvidia/container-images/driver/-/tree/master
- https://github.com/NVIDIA/nvidia-docker/wiki/Driver-containers-(Beta)
- https://github.com/NVIDIA/nvidia-docker/wiki/Driver-containers

View File

@@ -1,33 +1,5 @@
# Table of Contents
- [Table of Contents](#table-of-contents)
- [Introduction](#introduction)
- [Helpful Links before starting](#helpful-links-before-starting)
- [Steps to enable Intel® QAT in Kata Containers](#steps-to-enable-intel-qat-in-kata-containers)
- [Script variables](#script-variables)
- [Set environment variables (Every Reboot)](#set-environment-variables-every-reboot)
- [Prepare the Ubuntu Host](#prepare-the-ubuntu-host)
- [Identify which PCI Bus the Intel® QAT card is on](#identify-which-pci-bus-the-intel-qat-card-is-on)
- [Install necessary packages for Ubuntu](#install-necessary-packages-for-ubuntu)
- [Download Intel® QAT drivers](#download-intel-qat-drivers)
- [Copy Intel® QAT configuration files and enable virtual functions](#copy-intel-qat-configuration-files-and-enable-virtual-functions)
- [Expose and Bind Intel® QAT virtual functions to VFIO-PCI (Every reboot)](#expose-and-bind-intel-qat-virtual-functions-to-vfio-pci-every-reboot)
- [Check Intel® QAT virtual functions are enabled](#check-intel-qat-virtual-functions-are-enabled)
- [Prepare Kata Containers](#prepare-kata-containers)
- [Download Kata kernel Source](#download-kata-kernel-source)
- [Build Kata kernel](#build-kata-kernel)
- [Copy Kata kernel](#copy-kata-kernel)
- [Prepare Kata root filesystem](#prepare-kata-root-filesystem)
- [Compile Intel® QAT drivers for Kata Containers kernel and add to Kata Containers rootfs](#compile-intel-qat-drivers-for-kata-containers-kernel-and-add-to-kata-containers-rootfs)
- [Copy Kata rootfs](#copy-kata-rootfs)
- [Verify Intel® QAT works in a container](#verify-intel-qat-works-in-a-container)
- [Build OpenSSL Intel® QAT engine container](#build-openssl-intel-qat-engine-container)
- [Test Intel® QAT with the ctr tool](#test-intel-qat-with-the-ctr-tool)
- [Test Intel® QAT in Kubernetes](#test-intel-qat-in-kubernetes)
- [Troubleshooting](#troubleshooting)
- [Optional Scripts](#optional-scripts)
- [Verify Intel® QAT card counters are incremented](#verify-intel-qat-card-counters-are-incremented)
# Introduction
Intel® QuickAssist Technology (QAT) provides hardware acceleration
@@ -74,7 +46,7 @@ Make sure to check [`01.org`](https://01.org/intel-quickassist-technology) for
the latest driver.
```bash
$ export QAT_DRIVER_VER=qat1.7.l.4.12.0-00011.tar.gz
$ export QAT_DRIVER_VER=qat1.7.l.4.14.0-00031.tar.gz
$ export QAT_DRIVER_URL=https://downloadmirror.intel.com/30178/eng/${QAT_DRIVER_VER}
$ export QAT_CONF_LOCATION=~/QAT_conf
$ export QAT_DOCKERFILE=https://raw.githubusercontent.com/intel/intel-device-plugins-for-kubernetes/master/demo/openssl-qat-engine/Dockerfile
@@ -402,7 +374,7 @@ different hypervisor, different install method for Kata, or a different
Intel® QAT chipset then the command will need to be modified.
> **Note: The following was tested with
[containerd v1.3.9](https://github.com/containerd/containerd/releases/tag/v1.3.9).**
[containerd v1.4.6](https://github.com/containerd/containerd/releases/tag/v1.4.6).**
```bash
$ config_file="/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
@@ -604,4 +576,4 @@ $ for i in 0434 0435 37c8 1f18 1f19; do lspci -d 8086:$i; done
$ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b1\:00.0/fw_counters
$ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b3\:00.0/fw_counters
$ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b5\:00.0/fw_counters
```
```

View File

@@ -1,112 +1,113 @@
# Kata Containers with SGX
- [Check if SGX is enabled](#check-if-sgx-is-enabled)
- [Install Host kernel with SGX support](#install-host-kernel-with-sgx-support)
- [Install Guest kernel with SGX support](#install-guest-kernel-with-sgx-support)
- [Run Kata Containers with SGX enabled](#run-kata-containers-with-sgx-enabled)
Intel® Software Guard Extensions (SGX) is a set of instructions that increases the security
Intel Software Guard Extensions (SGX) is a set of instructions that increases the security
of applications code and data, giving them more protections from disclosure or modification.
> **Note:** At the time of writing this document, SGX patches have not landed on the Linux kernel
> project, so specific versions for guest and host kernels must be installed to enable SGX.
This document guides you to run containers with SGX enclaves with Kata Containers in Kubernetes.
## Check if SGX is enabled
## Preconditions
Run the following command to check if your host supports SGX.
* Intel SGX capable bare metal nodes
* Host kernel Linux 5.13 or later with SGX and SGX KVM enabled:
```sh
$ grep -o sgx /proc/cpuinfo
$ grep SGX /boot/config-`uname -r`
CONFIG_X86_SGX=y
CONFIG_X86_SGX_KVM=y
```
Continue to the following section if the output of the above command is empty,
otherwise continue to section [Install Guest kernel with SGX support](#install-guest-kernel-with-sgx-support)
* Kubernetes cluster configured with:
* [`kata-deploy`](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy) based Kata Containers installation
* [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images)
## Install Host kernel with SGX support
> Note: Kata Containers supports creating VM sandboxes with Intel® SGX enabled
> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) VMM only. QEMU support is waiting to get the
> Intel SGX enabled QEMU upstream release.
The following commands were tested on Fedora 32, they might work on other distros too.
## Installation
### Kata Containers Guest Kernel
Follow the instructions to [setup](../../tools/packaging/kernel/README.md#setup-kernel-source-code) and [build](../../tools/packaging/kernel/README.md#build-the-kernel) the experimental guest kernel. Then, install as:
```sh
$ git clone --depth=1 https://github.com/intel/kvm-sgx
$ pushd kvm-sgx
$ cp /boot/config-$(uname -r) .config
$ yes "" | make oldconfig
$ # In the following step, enable: INTEL_SGX and INTEL_SGX_VIRTUALIZATION
$ make menuconfig
$ make -j$(($(nproc)-1)) bzImage
$ make -j$(($(nproc)-1)) modules
$ sudo make modules_install
$ sudo make install
$ popd
$ sudo reboot
$ sudo cp kata-linux-experimental-*/vmlinux /opt/kata/share/kata-containers/vmlinux.sgx
$ sudo sed -i 's|vmlinux.container|vmlinux.sgx|g' \
/opt/kata/share/defaults/kata-containers/configuration-clh.toml
```
> **Notes:**
> * Run: `mokutil --sb-state` to check whether secure boot is enabled, if so, you will need to sign the kernel.
> * You'll lose SGX support when a new distro kernel is installed and the system rebooted.
Once you have restarted your system with the new brand Linux Kernel with SGX support, run
the following command to make sure it's enabled. If the output is empty, go to the BIOS
setup and enable SGX manually.
```sh
$ grep -o sgx /proc/cpuinfo
```
## Install Guest kernel with SGX support
Install the guest kernel in the Kata Containers directory, this way it can be used to run
Kata Containers.
```sh
$ curl -LOk https://github.com/devimc/kvm-sgx/releases/download/v0.0.1/kata-virtiofs-sgx.tar.gz
$ sudo tar -xf kata-virtiofs-sgx.tar.gz -C /usr/share/kata-containers/
$ sudo sed -i 's|kernel =|kernel = "/usr/share/kata-containers/vmlinux-virtiofs-sgx.container"|g' \
/usr/share/defaults/kata-containers/configuration.toml
```
## Run Kata Containers with SGX enabled
### Kata Containers Configuration
Before running a Kata Container make sure that your version of `crio` or `containerd`
supports annotations.
For `containerd` check in `/etc/containerd/config.toml` that the list of `pod_annotations` passed
to the `sandbox` are: `["io.katacontainers.*", "sgx.intel.com/epc"]`.
> `sgx.yaml`
## Usage
With the following sample job deployed using `kubectl apply -f`:
```yaml
apiVersion: v1
kind: Pod
apiVersion: batch/v1
kind: Job
metadata:
name: sgx
annotations:
sgx.intel.com/epc: "32Mi"
name: oesgx-demo-job
labels:
jobgroup: oesgx-demo
spec:
terminationGracePeriodSeconds: 0
runtimeClassName: kata
containers:
- name: c1
image: busybox
command:
- sh
stdin: true
tty: true
volumeMounts:
- mountPath: /dev/sgx/
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /dev/sgx/
type: Directory
template:
metadata:
labels:
jobgroup: oesgx-demo
spec:
runtimeClassName: kata-clh
initContainers:
- name: init-sgx
image: busybox
command: ['sh', '-c', 'mkdir /dev/sgx; ln -s /dev/sgx_enclave /dev/sgx/enclave; ln -s /dev/sgx_provision /dev/sgx/provision']
volumeMounts:
- mountPath: /dev
name: dev-mount
restartPolicy: Never
containers:
-
name: eosgx-demo-job-1
image: oeciteam/oe-helloworld:latest
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
capabilities:
add: ["IPC_LOCK"]
resources:
limits:
sgx.intel.com/epc: "512Ki"
volumes:
- name: dev-mount
hostPath:
path: /dev
```
You'll see the enclave output:
```sh
$ kubectl apply -f sgx.yaml
$ kubectl exec -ti sgx ls /dev/sgx/
enclave provision
$ kubectl logs oesgx-demo-job-wh42g
Hello world from the enclave
Enclave called into host to print: Hello World!
```
The output of the latest command shouldn't be empty, otherwise check
your system environment to make sure SGX is fully supported.
### Notes
[1]: github.com/cloud-hypervisor/cloud-hypervisor/
* The Kata VM's SGX Encrypted Page Cache (EPC) memory size is based on the sum of `sgx.intel.com/epc`
resource requests within the pod.
* `init-sgx` can be removed from the YAML configuration file if the Kata rootfs is modified with the
necessary udev rules.
See the [note on SGX backwards compatibility](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#backwards-compatibility-note).
* Intel SGX DCAP attestation is known to work from Kata sandboxes but it comes with one limitation: If
the Intel SGX `aesm` daemon runs on the bare metal node and DCAP `out-of-proc` attestation is used,
containers within the Kata sandbox cannot get the access to the host's `/var/run/aesmd/aesm.sock`
because socket passthrough is not supported. An alternative is to deploy the `aesm` daemon as a side-car
container.
* Projects like [Gramine Shielded Containers (GSC)](https://gramine-gsc.readthedocs.io/en/latest/) are
also known to work. For GSC specifically, the Kata guest kernel needs to have the `CONFIG_NUMA=y`
enabled and at least one CPU online when running the GSC container.

View File

@@ -1,13 +1,6 @@
# Setup to run SPDK vhost-user devices with Kata Containers and Docker*
# Setup to run SPDK vhost-user devices with Kata Containers
- [SPDK vhost-user target overview](#spdk-vhost-user-target-overview)
- [Install and setup SPDK vhost-user target](#install-and-setup-spdk-vhost-user-target)
- [Get source code and build SPDK](#get-source-code-and-build-spdk)
- [Run SPDK vhost-user target](#run-spdk-vhost-user-target)
- [Host setup for vhost-user devices](#host-setup-for-vhost-user-devices)
- [Launch a Kata container with SPDK vhost-user block device](#launch-a-kata-container-with-spdk-vhost-user-block-device)
> **NOTE:** This guide only applies to QEMU, since the vhost-user storage
> **Note:** This guide only applies to QEMU, since the vhost-user storage
> device is only available for QEMU now. The enablement work on other
> hypervisors is still ongoing.
@@ -229,26 +222,43 @@ minor `0` should be created for it, in order to be recognized by Kata runtime:
$ sudo mknod /var/run/kata-containers/vhost-user/block/devices/vhostblk0 b 241 0
```
> **Note:** The enablement of vhost-user block device in Kata containers
> is supported by Kata Containers `1.11.0-alpha1` or newer.
> Make sure you have updated your Kata containers before evaluation.
## Launch a Kata container with SPDK vhost-user block device
To use `vhost-user-blk` device, use Docker to pass a host `vhost-user-blk`
device to the container. In docker, `--device=HOST-DIR:CONTAINER-DIR` is used
To use `vhost-user-blk` device, use `ctr` to pass a host `vhost-user-blk`
device to the container. In your `config.json`, you should use `devices`
to pass a host device to the container.
For example:
For example (only `vhost-user-blk` listed):
```json
{
"linux": {
"devices": [
{
"path": "/dev/vda",
"type": "b",
"major": 241,
"minor": 0,
"fileMode": 420,
"uid": 0,
"gid": 0
}
]
}
}
```
With `rootfs` provisioned under `bundle` directory, you can run your SPDK container:
```bash
$ sudo docker run --runtime kata-runtime --device=/var/run/kata-containers/vhost-user/block/devices/vhostblk0:/dev/vda -it busybox sh
$ sudo ctr run -d --runtime io.containerd.run.kata.v2 --config bundle/config.json spdk_container
```
Example of performing I/O operations on the `vhost-user-blk` device inside
container:
```
$ sudo ctr t exec --exec-id 1 -t spdk_container sh
/ # ls -l /dev/vda
brw-r--r-- 1 root root 254, 0 Jan 20 03:54 /dev/vda
/ # dd if=/dev/vda of=/tmp/ddtest bs=4k count=20

View File

@@ -1,13 +1,5 @@
# Setup to use SR-IOV with Kata Containers and Docker*
- [Install the SR-IOV Docker\* plugin](#install-the-sr-iov-docker-plugin)
- [Host setup for SR-IOV](#host-setup-for-sr-iov)
- [Checking your NIC for SR-IOV](#checking-your-nic-for-sr-iov)
- [IOMMU Groups and PCIe Access Control Services](#iommu-groups-and-pcie-access-control-services)
- [Update the host kernel](#update-the-host-kernel)
- [Set up the SR-IOV Device](#set-up-the-sr-iov-device)
- [Example: Launch a Kata Containers container using SR-IOV](#example-launch-a-kata-containers-container-using-sr-iov)
Single Root I/O Virtualization (SR-IOV) enables splitting a physical device into
virtual functions (VFs). Virtual functions enable direct passthrough to virtual
machines or containers. For Kata Containers, we enabled a Container Network

View File

@@ -12,7 +12,7 @@ For more information about VPP visit their [wiki](https://wiki.fd.io/view/VPP).
## Install and configure Kata Containers
Follow the [Kata Containers setup instructions](https://github.com/kata-containers/documentation/wiki/Developer-Guide).
Follow the [Kata Containers setup instructions](../Developer-Guide.md).
In order to make use of VHOST-USER based interfaces, the container needs to be backed
by huge pages. `HugePages` support is required for the large memory pool allocation used for

View File

@@ -1,4 +1,5 @@
# OpenStack Zun DevStack working with Kata Containers
## Introduction
This guide describes how to get Kata Containers to work with OpenStack Zun

View File

@@ -12,7 +12,7 @@ serde_json = "1.0.39"
# - Dynamic keys required to allow HashMap keys to be slog::Serialized.
# - The 'max_*' features allow changing the log level at runtime
# (by stopping the compiler from removing log calls).
slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_info"] }
slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
slog-json = "2.3.0"
slog-async = "2.3.0"
slog-scope = "4.1.2"

18
pkg/logging/Makefile Normal file
View File

@@ -0,0 +1,18 @@
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# It is not necessary to have a build target as this crate is built
# automatically by the consumers of it.
#
# However, it is essential that the crate be tested.
default: test
# It is essential to run these tests using *both* build profiles.
# See the `test_logger_levels()` test for further information.
test:
@echo "INFO: testing log levels for development build"
@cargo test
@echo "INFO: testing log levels for release build"
@cargo test --release

View File

@@ -20,6 +20,8 @@ const LOG_LEVELS: &[(&str, slog::Level)] = &[
("critical", slog::Level::Critical),
];
const DEFAULT_SUBSYSTEM: &str = "root";
// XXX: 'writer' param used to make testing possible.
pub fn create_logger<W>(
name: &str,
@@ -50,7 +52,7 @@ where
let logger = slog::Logger::root(
async_drain.fuse(),
o!("version" => env!("CARGO_PKG_VERSION"),
"subsystem" => "root",
"subsystem" => DEFAULT_SUBSYSTEM,
"pid" => process::id().to_string(),
"name" => name.to_string(),
"source" => source.to_string()),
@@ -216,8 +218,8 @@ where
#[cfg(test)]
mod tests {
use super::*;
use serde_json::Value;
use slog::info;
use serde_json::{json, Value};
use slog::{crit, debug, error, info, warn, Logger};
use std::io::prelude::*;
use tempfile::NamedTempFile;
@@ -295,15 +297,15 @@ mod tests {
let result_level = result.unwrap();
let expected_level = d.result.unwrap();
assert!(result_level == expected_level, msg);
assert!(result_level == expected_level, "{}", msg);
continue;
} else {
assert!(result.is_err(), msg);
assert!(result.is_err(), "{}", msg);
}
let expected_error = format!("{}", d.result.as_ref().unwrap_err());
let actual_error = format!("{}", result.unwrap_err());
assert!(actual_error == expected_error, msg);
let expected_error = d.result.as_ref().unwrap_err();
let actual_error = result.unwrap_err();
assert!(&actual_error == expected_error, "{}", msg);
}
}
@@ -350,13 +352,13 @@ mod tests {
let msg = format!("{}, result: {:?}", msg, result);
if d.result.is_ok() {
assert!(result == d.result, msg);
assert!(result == d.result, "{}", msg);
continue;
}
let expected_error = format!("{}", d.result.as_ref().unwrap_err());
let actual_error = format!("{}", result.unwrap_err());
assert!(actual_error == expected_error, msg);
let expected_error = d.result.as_ref().unwrap_err();
let actual_error = result.unwrap_err();
assert!(&actual_error == expected_error, "{}", msg);
}
}
@@ -376,14 +378,17 @@ mod tests {
let record_key = "record-key-1";
let record_value = "record-key-2";
let logger = create_logger(name, source, level, writer);
let (logger, guard) = create_logger(name, source, level, writer);
let msg = "foo, bar, baz";
// Call the logger (which calls the drain)
info!(logger, "{}", msg; "subsystem" => record_subsystem, record_key => record_value);
// Note: This "mid level" log level should be available in debug or
// release builds.
info!(&logger, "{}", msg; "subsystem" => record_subsystem, record_key => record_value);
// Force temp file to be flushed
drop(guard);
drop(logger);
let mut contents = String::new();
@@ -430,4 +435,168 @@ mod tests {
.expect("failed to find record key field");
assert_eq!(field_record_value, record_value);
}
#[test]
fn test_logger_levels() {
let name = "name";
let source = "source";
let debug_msg = "a debug log level message";
let info_msg = "an info log level message";
let warn_msg = "a warn log level message";
let error_msg = "an error log level message";
let critical_msg = "a critical log level message";
// The slog crate will *remove* macro calls for log levels "above" the
// configured log level.lock
//
// At the time of writing, the default slog log
// level is "info", but this crate overrides that using the magic
// "*max_level*" features in the "Cargo.toml" manifest.
// However, there are two log levels:
//
// - max_level_${level}
//
// This is the log level for normal "cargo build" (development/debug)
// builds.
//
// - release_max_level_${level}
//
// This is the log level for "cargo install" and
// "cargo build --release" (release) builds.
//
// This crate sets them to different values, which is sensible and
// standard practice. However, that causes a problem: there is
// currently no clean way for this test code to detect _which_
// profile the test is being built for (development or release),
// meaning we cannot know which macros are expected to produce output
// and which aren't ;(
//
// The best we can do is test the following log levels which
// are expected to work in all build profiles.
let debug_closure = |logger: &Logger, msg: String| debug!(logger, "{}", msg);
let info_closure = |logger: &Logger, msg: String| info!(logger, "{}", msg);
let warn_closure = |logger: &Logger, msg: String| warn!(logger, "{}", msg);
let error_closure = |logger: &Logger, msg: String| error!(logger, "{}", msg);
let critical_closure = |logger: &Logger, msg: String| crit!(logger, "{}", msg);
struct TestData<'a> {
slog_level: slog::Level,
slog_level_tag: &'a str,
msg: String,
closure: Box<dyn Fn(&Logger, String)>,
}
let tests = &[
TestData {
slog_level: slog::Level::Debug,
// Looks like a typo but tragically it isn't! ;(
slog_level_tag: "DEBG",
msg: debug_msg.into(),
closure: Box::new(debug_closure),
},
TestData {
slog_level: slog::Level::Info,
slog_level_tag: "INFO",
msg: info_msg.into(),
closure: Box::new(info_closure),
},
TestData {
slog_level: slog::Level::Warning,
slog_level_tag: "WARN",
msg: warn_msg.into(),
closure: Box::new(warn_closure),
},
TestData {
slog_level: slog::Level::Error,
// Another language tragedy
slog_level_tag: "ERRO",
msg: error_msg.into(),
closure: Box::new(error_closure),
},
TestData {
slog_level: slog::Level::Critical,
slog_level_tag: "CRIT",
msg: critical_msg.into(),
closure: Box::new(critical_closure),
},
];
for (i, d) in tests.iter().enumerate() {
let msg = format!("test[{}]", i);
// Create a writer for the logger drain to use
let writer =
NamedTempFile::new().expect(&format!("{:}: failed to create tempfile", msg));
// Used to check file contents before the temp file is unlinked
let mut writer_ref = writer
.reopen()
.expect(&format!("{:?}: failed to clone tempfile", msg));
let (logger, logger_guard) = create_logger(name, source, d.slog_level, writer);
// Call the logger (which calls the drain)
(d.closure)(&logger, d.msg.to_owned());
// Force temp file to be flushed
drop(logger_guard);
drop(logger);
let mut contents = String::new();
writer_ref
.read_to_string(&mut contents)
.expect(&format!("{:?}: failed to read tempfile contents", msg));
// Convert file to JSON
let fields: Value = serde_json::from_str(&contents)
.expect(&format!("{:?}: failed to convert logfile to json", msg));
// Check the expected JSON fields
let field_ts = fields
.get("ts")
.expect(&format!("{:?}: failed to find timestamp field", msg));
assert_ne!(field_ts, "", "{}", msg);
let field_version = fields
.get("version")
.expect(&format!("{:?}: failed to find version field", msg));
assert_eq!(field_version, env!("CARGO_PKG_VERSION"), "{}", msg);
let field_pid = fields
.get("pid")
.expect(&format!("{:?}: failed to find pid field", msg));
assert_ne!(field_pid, "", "{}", msg);
let field_level = fields
.get("level")
.expect(&format!("{:?}: failed to find level field", msg));
assert_eq!(field_level, d.slog_level_tag, "{}", msg);
let field_msg = fields
.get("msg")
.expect(&format!("{:?}: failed to find msg field", msg));
assert_eq!(field_msg, &json!(d.msg), "{}", msg);
let field_name = fields
.get("name")
.expect(&format!("{:?}: failed to find name field", msg));
assert_eq!(field_name, name, "{}", msg);
let field_source = fields
.get("source")
.expect(&format!("{:?}: failed to find source field", msg));
assert_eq!(field_source, source, "{}", msg);
let field_subsystem = fields
.get("subsystem")
.expect(&format!("{:?}: failed to find subsystem field", msg));
// No explicit subsystem, so should be the default
assert_eq!(field_subsystem, &json!(DEFAULT_SUBSYSTEM), "{}", msg);
}
}
}

View File

@@ -1,13 +1,5 @@
# Kata Containers snap image
* [Initial setup](#initial-setup)
* [Install snap](#install-snap)
* [Build and install snap image](#build-and-install-snap-image)
* [Configure Kata Containers](#configure-kata-containers)
* [Integration with docker and Kubernetes](#integration-with-docker-and-kubernetes)
* [Remove snap](#remove-snap)
* [Limitations](#limitations)
This directory contains the resources needed to build the Kata Containers
[snap][1] image.

View File

@@ -59,7 +59,7 @@ parts:
yq_version=3.4.1
yq_url="https://${yq_pkg}/releases/download/${yq_version}/yq_${goos}_${goarch}"
curl -o "${yq_path}" -LSsf "${yq_url}"
curl -o "${yq_path}" -L "${yq_url}"
chmod +x "${yq_path}"
kata_dir=gopath/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
@@ -80,6 +80,8 @@ parts:
- uidmap
- gnupg2
override-build: |
[ "$(uname -m)" = "ppc64le" ] || [ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y protobuf-compiler
yq=${SNAPCRAFT_STAGE}/yq
# set GOPATH
@@ -88,6 +90,7 @@ parts:
export GOROOT=${SNAPCRAFT_STAGE}
export PATH="${GOROOT}/bin:${PATH}"
export GO111MODULE="auto"
http_proxy=${http_proxy:-""}
https_proxy=${https_proxy:-""}
@@ -112,14 +115,17 @@ parts:
cd ${kata_dir}/tools/osbuilder
# build image
export AGENT_VERSION=$(cat ${kata_dir}/VERSION)
export AGENT_INIT=yes
export USE_DOCKER=1
export DEBUG=1
case "$(uname -m)" in
aarch64|ppc64le|s390x)
aarch64)
sudo -E PATH=$PATH make initrd DISTRO=alpine
;;
ppc64le|s390x)
# Cannot use alpine on ppc64le/s390x because it would require a musl agent
sudo -E PATH=$PATH make initrd DISTRO=ubuntu
;;
x86_64)
# In some build systems it's impossible to build a rootfs image, try with the initrd image
sudo -E PATH=$PATH make image DISTRO=clearlinux || sudo -E PATH=$PATH make initrd DISTRO=alpine
@@ -133,7 +139,7 @@ parts:
cp kata-containers*.img ${kata_image_dir}
runtime:
after: [godeps, image]
after: [godeps, image, cloud-hypervisor]
plugin: nil
build-attributes: [no-patchelf]
override-build: |
@@ -141,6 +147,7 @@ parts:
export GOPATH=${SNAPCRAFT_STAGE}/gopath
export GOROOT=${SNAPCRAFT_STAGE}
export PATH="${GOROOT}/bin:${PATH}"
export GO111MODULE="auto"
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
cd ${kata_dir}/src/runtime
@@ -162,12 +169,9 @@ parts:
SKIP_GO_VERSION_CHECK=1 \
QEMUCMD=qemu-system-$arch
if [ -e ${SNAPCRAFT_PART_INSTALL}/../../image/install/usr/share/kata-containers/kata-containers.img ]; then
# Use rootfs image by default
sed -i -e '/^initrd =/d' ${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
else
# Use initrd by default
sed -i -e '/^image =/d' ${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
if [ ! -f ${SNAPCRAFT_PART_INSTALL}/../../image/install/usr/share/kata-containers/kata-containers.img ]; then
sed -i -e "s|^image =.*|initrd = \"/snap/${SNAPCRAFT_PROJECT_NAME}/current/usr/share/kata-containers/kata-containers-initrd.img\"|" \
${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
fi
kernel:
@@ -180,19 +184,37 @@ parts:
- bison
- flex
override-build: |
yq=${SNAPCRAFT_STAGE}/yq
export PATH="${PATH}:${SNAPCRAFT_STAGE}"
export GOPATH=${SNAPCRAFT_STAGE}/gopath
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
versions_file="${kata_dir}/versions.yaml"
kernel_version="$(${yq} r $versions_file assets.kernel.version)"
#Remove extra 'v'
kernel_version=${kernel_version#v}
[ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y libssl-dev
export GOPATH=${SNAPCRAFT_STAGE}/gopath
export GO111MODULE="auto"
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
cd ${kata_dir}/tools/packaging/kernel
kernel_dir_prefix="kata-linux-"
# Setup and build kernel
./build-kernel.sh -d setup
kernel_dir_prefix="kata-linux-"
if [ "$(uname -m)" = "x86_64" ]; then
kernel_version="$(${yq} r $versions_file assets.kernel-experimental.tag)"
kernel_version=${kernel_version#v}
kernel_dir_prefix="kata-linux-experimental-"
./build-kernel.sh -e -v ${kernel_version} -d setup
else
./build-kernel.sh -v ${kernel_version} -d setup
fi
cd ${kernel_dir_prefix}*
version=$(basename ${PWD} | sed 's|'"${kernel_dir_prefix}"'||' | cut -d- -f1)
make -j $(($(nproc)-1)) EXTRAVERSION=".container"
kernel_suffix=${version}.container
kernel_suffix=${kernel_version}.container
kata_kernel_dir=${SNAPCRAFT_PART_INSTALL}/usr/share/kata-containers
mkdir -p ${kata_kernel_dir}
@@ -202,8 +224,10 @@ parts:
ln -sf ${vmlinuz_name} ${kata_kernel_dir}/vmlinuz.container
# Install raw kernel
vmlinux_path=vmlinux
[ "$(uname -m)" = "s390x" ] && vmlinux_path=arch/s390/boot/compressed/vmlinux
vmlinux_name=vmlinux-${kernel_suffix}
cp vmlinux ${kata_kernel_dir}/${vmlinux_name}
cp ${vmlinux_path} ${kata_kernel_dir}/${vmlinux_name}
ln -sf ${vmlinux_name} ${kata_kernel_dir}/vmlinux.container
qemu:
@@ -227,21 +251,24 @@ parts:
- libblkid-dev
- libffi-dev
- libmount-dev
- libseccomp-dev
- libselinux1-dev
- ninja-build
override-build: |
yq=${SNAPCRAFT_STAGE}/yq
export GOPATH=${SNAPCRAFT_STAGE}/gopath
export GO111MODULE="auto"
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
versions_file="${kata_dir}/versions.yaml"
# arch-specific definition
case "$(uname -m)" in
"aarch64")
branch="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.branch)"
branch="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.version)"
url="$(${yq} r ${versions_file} assets.hypervisor.qemu.url)"
commit="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.commit)"
patches_dir="${kata_dir}/tools/packaging/obs-packaging/qemu-aarch64/patches/"
patches_dir="${kata_dir}/tools/packaging/qemu/patches/$(echo ${branch} | sed -e 's/.[[:digit:]]*$//' -e 's/^v//').x"
patches_version_dir="${kata_dir}/tools/packaging/qemu/patches/tag_patches/${branch}"
;;
*)
@@ -255,6 +282,7 @@ parts:
# download source
qemu_dir=${SNAPCRAFT_STAGE}/qemu
rm -rf "${qemu_dir}"
git clone --branch ${branch} --single-branch ${url} "${qemu_dir}"
cd ${qemu_dir}
[ -z "${commit}" ] || git checkout ${commit}
@@ -263,11 +291,12 @@ parts:
[ -n "$(ls -A capstone)" ] || git clone https://github.com/qemu/capstone capstone
# Apply branch patches
[ -d "${patches_version_dir}" ] || mkdir "${patches_version_dir}"
${kata_dir}/tools/packaging/scripts/apply_patches.sh "${patches_dir}"
${kata_dir}/tools/packaging/scripts/apply_patches.sh "${patches_version_dir}"
# Only x86_64 supports libpmem
[ "$(uname -m)" = "x86_64" ] && sudo apt-get --no-install-recommends install -y apt-utils ca-certificates libpmem-dev libseccomp-dev
[ "$(uname -m)" = "x86_64" ] && sudo apt-get --no-install-recommends install -y apt-utils ca-certificates libpmem-dev
configure_hypervisor=${kata_dir}/tools/packaging/scripts/configure-hypervisor.sh
chmod +x ${configure_hypervisor}
@@ -278,7 +307,15 @@ parts:
| xargs ./configure
# Copy QEMU configurations (Kconfigs)
cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* default-configs/devices/
case "${branch}" in
"v5.1.0")
cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* default-configs
;;
*)
cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* configs/devices/
;;
esac
# build and install
make -j $(($(nproc)-1))
@@ -298,6 +335,22 @@ parts:
# Hack: move qemu to /
"snap/kata-containers/current/": "./"
cloud-hypervisor:
plugin: nil
after: [godeps]
override-build: |
export GOPATH=${SNAPCRAFT_STAGE}/gopath
yq=${SNAPCRAFT_STAGE}/yq
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
versions_file="${kata_dir}/versions.yaml"
version="$(${yq} r ${versions_file} assets.hypervisor.cloud_hypervisor.version)"
url="https://github.com/cloud-hypervisor/cloud-hypervisor/releases/download/${version}"
curl -L ${url}/cloud-hypervisor-static -o cloud-hypervisor
curl -LO ${url}/clh-remote
install -D cloud-hypervisor ${SNAPCRAFT_PART_INSTALL}/usr/bin/cloud-hypervisor
install -D clh-remote ${SNAPCRAFT_PART_INSTALL}/usr/bin/clh-remote
apps:
runtime:
command: usr/bin/kata-runtime

View File

@@ -1 +1,2 @@
tarpaulin-report.html
vendor/

885
src/agent/Cargo.lock generated

File diff suppressed because it is too large Load Diff

View File

@@ -6,47 +6,64 @@ edition = "2018"
[dependencies]
oci = { path = "oci" }
logging = { path = "../../pkg/logging" }
rustjail = { path = "rustjail" }
protocols = { path = "protocols" }
lazy_static = "1.3.0"
ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-features = false }
protobuf = "=2.14.0"
libc = "0.2.58"
nix = "0.17.0"
prctl = "1.0.0"
nix = "0.21.0"
capctl = "0.2.0"
serde_json = "1.0.39"
scan_fmt = "0.2.3"
scopeguard = "1.0.0"
thiserror = "1.0.26"
regex = "1"
serial_test = "0.5.1"
# Async helpers
async-trait = "0.1.42"
tokio = { version = "1.2.0", features = ["rt", "rt-multi-thread", "sync", "macros", "io-util", "time", "signal", "io-std", "process", "fs"] }
async-recursion = "0.3.2"
futures = "0.3.12"
netlink-sys = { version = "0.6.0", features = ["tokio_socket",]}
tokio-vsock = "0.3.0"
rtnetlink = "0.7.0"
netlink-packet-utils = "0.4.0"
# Async runtime
tokio = { version = "1", features = ["full"] }
tokio-vsock = "0.3.1"
netlink-sys = { version = "0.7.0", features = ["tokio_socket",]}
rtnetlink = "0.8.0"
netlink-packet-utils = "0.4.1"
ipnetwork = "0.17.0"
# slog:
# - Dynamic keys required to allow HashMap keys to be slog::Serialized.
# - The 'max_*' features allow changing the log level at runtime
# (by stopping the compiler from removing log calls).
slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_info"] }
# Note: this crate sets the slog 'max_*' features which allows the log level
# to be modified at runtime.
logging = { path = "../../pkg/logging" }
slog = "2.5.2"
slog-scope = "4.1.2"
# Redirect ttrpc log calls
slog-stdlog = "4.0.0"
log = "0.4.11"
# for testing
tempfile = "3.1.0"
prometheus = { version = "0.9.0", features = ["process"] }
procfs = "0.7.9"
anyhow = "1.0.32"
cgroups = { package = "cgroups-rs", version = "0.2.5" }
# Tracing
tracing = "0.1.26"
tracing-subscriber = "0.2.18"
tracing-opentelemetry = "0.13.0"
opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"]}
vsock-exporter = { path = "vsock-exporter" }
# Configuration
serde = { version = "1.0.129", features = ["derive"] }
toml = "0.5.8"
[dev-dependencies]
tempfile = "3.1.0"
[workspace]
members = [
"oci",
@@ -56,3 +73,6 @@ members = [
[profile.release]
lto = true
[features]
seccomp = ["rustjail/seccomp"]

View File

@@ -27,40 +27,21 @@ COMMIT_MSG = $(if $(COMMIT),$(COMMIT),unknown)
# Exported to allow cargo to see it
export VERSION_COMMIT := $(if $(COMMIT),$(VERSION)-$(COMMIT),$(VERSION))
##VAR BUILD_TYPE=release|debug type of rust build
BUILD_TYPE = release
EXTRA_RUSTFEATURES :=
##VAR ARCH=arch target to build (format: uname -m)
ARCH = $(shell uname -m)
##VAR LIBC=musl|gnu
LIBC ?= musl
ifneq ($(LIBC),musl)
ifeq ($(LIBC),gnu)
override LIBC = gnu
else
$(error "ERROR: A non supported LIBC value was passed. Supported values are musl and gnu")
endif
##VAR SECCOMP=yes|no define if agent enables seccomp feature
SECCOMP := yes
# Enable seccomp feature of rust build
ifeq ($(SECCOMP),yes)
override EXTRA_RUSTFEATURES += seccomp
endif
ifeq ($(ARCH), ppc64le)
override ARCH = powerpc64le
override LIBC = gnu
$(warning "WARNING: powerpc64le-unknown-linux-musl target is unavailable")
ifneq ($(EXTRA_RUSTFEATURES),)
override EXTRA_RUSTFEATURES := --features $(EXTRA_RUSTFEATURES)
endif
ifeq ($(ARCH), s390x)
override LIBC = gnu
$(warning "WARNING: s390x-unknown-linux-musl target is unavailable")
endif
EXTRA_RUSTFLAGS :=
ifeq ($(ARCH), aarch64)
override EXTRA_RUSTFLAGS = -C link-arg=-lgcc
$(warning "WARNING: aarch64-musl needs extra symbols from libgcc")
endif
TRIPLE = $(ARCH)-unknown-linux-$(LIBC)
include ../../utils.mk
TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
@@ -120,18 +101,20 @@ endef
##TARGET default: build code
default: $(TARGET) show-header
$(TARGET): $(GENERATED_CODE) $(TARGET_PATH)
$(TARGET): $(GENERATED_CODE) logging-crate-tests $(TARGET_PATH)
logging-crate-tests:
make -C $(CWD)/../../pkg/logging
$(TARGET_PATH): $(SOURCES) | show-summary
@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE)
@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
$(GENERATED_FILES): %: %.in
@sed $(foreach r,$(GENERATED_REPLACEMENTS),-e 's|@$r@|$($r)|g') "$<" > "$@"
##TARGET optimize: optimized build
optimize: $(SOURCES) | show-summary show-header
@RUSTFLAGS="-C link-arg=-s $(EXTRA_RUSTFLAGS) --deny-warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE)
@RUSTFLAGS="-C link-arg=-s $(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
##TARGET clippy: run clippy linter
clippy: $(GENERATED_CODE)
@@ -154,9 +137,13 @@ clean:
@rm -f $(GENERATED_FILES)
@rm -f tarpaulin-report.html
vendor:
@cargo vendor
#TARGET test: run cargo tests
test:
@cargo test --all --target $(TRIPLE)
@cargo test --all --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture
##TARGET check: run test
check: clippy format
@@ -221,9 +208,11 @@ codecov-html: check_tarpaulin
.PHONY: \
help \
logging-crate-tests \
optimize \
show-header \
show-summary \
optimize
vendor
##TARGET generate-protocols: generate/update grpc agent protocols
generate-protocols:

View File

@@ -1,47 +1,38 @@
# Kata Agent in Rust
# Kata Agent
This is a rust version of the [`kata-agent`](https://github.com/kata-containers/agent).
## Overview
In Denver PTG, [we discussed about re-writing agent in rust](https://etherpad.openstack.org/p/katacontainers-2019-ptg-denver-agenda):
The Kata agent is a long running process that runs inside the Virtual Machine
(VM) (also known as the "pod" or "sandbox").
> In general, we all think about re-write agent in rust to reduce the footprint of agent. Moreover, Eric mentioned the possibility to stop using gRPC, which may have some impact on footprint. We may begin to do some POC to show how much we could save by re-writing agent in rust.
The agent is packaged inside the Kata Containers
[guest image](../../docs/design/architecture.md#guest-image)
which is used to boot the VM. Once the runtime has launched the configured
[hypervisor](../../docs/hypervisors.md) to create a new VM, the agent is
started. From this point on, the agent is responsible for creating and
managing the life cycle of the containers inside the VM.
After that, we drafted the initial code here, and any contributions are welcome.
For further details, see the
[architecture document](../../docs/design/architecture.md).
## Features
## Audience
| Feature | Status |
| :--|:--:|
| **OCI Behaviors** |
| create/start containers | :white_check_mark: |
| signal/wait process | :white_check_mark: |
| exec/list process | :white_check_mark: |
| I/O stream | :white_check_mark: |
| Cgroups | :white_check_mark: |
| Capabilities, `rlimit`, readonly path, masked path, users | :white_check_mark: |
| container stats (`stats_container`) | :white_check_mark: |
| Hooks | :white_check_mark: |
| **Agent Features & APIs** |
| run agent as `init` (mount fs, udev, setup `lo`) | :white_check_mark: |
| block device as root device | :white_check_mark: |
| Health API | :white_check_mark: |
| network, interface/routes (`update_container`) | :white_check_mark: |
| File transfer API (`copy_file`) | :white_check_mark: |
| Device APIs (`reseed_random_device`, , `online_cpu_memory`, `mem_hotplug_probe`, `set_guet_data_time`) | :white_check_mark: |
| VSOCK support | :white_check_mark: |
| virtio-serial support | :heavy_multiplication_x: |
| OCI Spec validator | :white_check_mark: |
| **Infrastructures**|
| Debug Console | :white_check_mark: |
| Command line | :white_check_mark: |
| Tracing | :heavy_multiplication_x: |
If you simply wish to use Kata Containers, it is not necessary to understand
the details of how the agent operates. Please see the
[installation documentation](../../docs/install) for details of how deploy
Kata Containers (which will include the Kata agent).
## Getting Started
The remainder of this document is only useful for developers and testers.
### Build from Source
The rust-agent needs to be built statically and linked with `musl`
## Build from Source
> **Note:** skip this step for ppc64le, the build scripts explicitly use gnu for ppc64le.
Since the agent is written in the Rust language this section assumes the tool
chain has been installed using standard Rust `rustup` tool.
### Build with musl
If you wish to build the agent with the `musl` C library, you need to run the
following commands:
```bash
$ arch=$(uname -m)
@@ -49,12 +40,15 @@ $ rustup target add "${arch}-unknown-linux-musl"
$ sudo ln -s /usr/bin/g++ /bin/musl-g++
```
ppc64le-only: Manually install `protoc`, e.g.
```bash
$ sudo dnf install protobuf-compiler
```
> **Note:**
>
> It is not currently possible to build using `musl` on ppc64le and s390x
> since both platforms lack the `musl` target.
### Build the agent binary
The following steps download the Kata Containers source files and build the agent:
Download the source files in the Kata containers repository and build the agent:
```bash
$ GOPATH="${GOPATH:-$HOME/go}"
$ dir="$GOPATH/src/github.com/kata-containers"
@@ -62,17 +56,56 @@ $ git -C ${dir} clone --depth 1 https://github.com/kata-containers/kata-containe
$ make -C ${dir}/kata-containers/src/agent
```
## Run Kata CI with rust-agent
* Firstly, install Kata as noted by ["how to install Kata"](../../docs/install/README.md)
* Secondly, build your own Kata initrd/image following the steps in ["how to build your own initrd/image"](../../docs/Developer-Guide.md#create-and-install-rootfs-and-initrd-image).
notes: Please use your rust agent instead of the go agent when building your initrd/image.
* Clone the Kata CI test cases from: https://github.com/kata-containers/tests.git, and then run the CRI test with:
## Change the agent API
The Kata runtime communicates with the Kata agent using a ttRPC based API protocol.
This ttRPC API is defined by a set of [protocol buffers files](protocols/protos).
The protocol files are used to generate the bindings for the following components:
| Component | Language | Generation method | Tooling required |
|-|-|-|-|
| runtime | Golang | Run, `make generate-protocols` | `protoc` |
| agent | Rust | Run, `make` | |
If you wish to change the API, these files must be regenerated. Although the
rust code will be automatically generated by the
[build script](protocols/build.rs),
the Golang code generation requires the external `protoc` command to be
available in `$PATH`.
To install the `protoc` command on a Fedora/CentOS/RHEL system:
```bash
$sudo -E PATH=$PATH -E GOPATH=$GOPATH integration/containerd/shimv2/shimv2-tests.sh
$ sudo dnf install -y protobuf-compiler
```
## Mini Benchmark
The memory of `RssAnon` consumed by the go-agent and rust-agent as below:
go-agent: about 11M
rust-agent: about 1.1M
## Custom guest image and kernel assets
If you wish to develop or test changes to the agent, you will need to create a
custom guest image using the [osbuilder tool](../../tools/osbuilder). You
may also wish to create a custom [guest kernel](../../tools/packaging/kernel).
Once created, [configure](../runtime/README.md#configuration) Kata Containers to use
these custom assets to allow you to test your changes.
> **Note:**
>
> To simplify development and testing, you may wish to run the agent
> [stand alone](#run-the-agent-stand-alone) initially.
## Tracing
For details of tracing the operation of the agent, see the
[tracing documentation](../../docs/tracing.md).
## Run the agent stand alone
Although the agent is designed to run in a VM environment, for development and
testing purposes it is possible to run it as a normal application.
When run in this way, the agent can be controlled using the low-level Kata
agent control tool, rather than the Kata runtime.
For further details, see the
[agent control tool documentation](../../tools/agent-ctl/README.md#run-the-tool-and-the-agent-in-the-same-environment).

View File

@@ -15,7 +15,7 @@ Wants=kata-containers.target
StandardOutput=tty
Type=simple
ExecStart=@BINDIR@/@AGENT_NAME@
LimitNOFILE=infinity
LimitNOFILE=1048576
# ExecStop is required for static agent tracing; in all other scenarios
# the runtime handles shutting down the VM.
ExecStop=/bin/sync ; /usr/bin/systemctl --force poweroff

View File

@@ -4,10 +4,16 @@ version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
[features]
default = []
with-serde = [ "serde", "serde_json" ]
[dependencies]
ttrpc = { version = "0.5.0", features = ["async"] }
async-trait = "0.1.42"
protobuf = "=2.14.0"
protobuf = { version = "=2.14.0", features = ["with-serde"] }
serde = { version = "1.0.130", features = ["derive"], optional = true }
serde_json = { version = "1.0.68", optional = true }
[build-dependencies]
ttrpc-codegen = "0.2.0"

View File

@@ -3,29 +3,148 @@
// SPDX-License-Identifier: Apache-2.0
//
use std::fs;
use ttrpc_codegen::{Codegen, Customize};
use std::fs::File;
use std::io::{BufRead, BufReader, Read, Write};
use std::path::Path;
use std::process::exit;
use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize};
fn replace_text_in_file(file_name: &str, from: &str, to: &str) -> Result<(), std::io::Error> {
let mut src = File::open(file_name)?;
let mut contents = String::new();
src.read_to_string(&mut contents).unwrap();
drop(src);
let new_contents = contents.replace(from, to);
let mut dst = File::create(&file_name)?;
dst.write_all(new_contents.as_bytes())?;
Ok(())
}
fn use_serde(protos: &[&str], out_dir: &Path) -> Result<(), std::io::Error> {
protos
.iter()
.try_for_each(|f: &&str| -> Result<(), std::io::Error> {
let out_file = Path::new(f)
.file_name()
.and_then(|s| s.to_str())
.ok_or(format!("failed to get proto file name for {:?}", f))
.map(|s| {
let t = s.replace(".proto", ".rs");
out_dir.join(t)
})
.map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?
.to_str()
.ok_or(format!("cannot convert {:?} path to string", f))
.map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?
.to_string();
replace_text_in_file(
&out_file,
"derive(Serialize, Deserialize)",
"derive(serde::Serialize, serde::Deserialize)",
)
})
}
fn handle_file(autogen_comment: &str, rust_filename: &str) -> Result<(), std::io::Error> {
let mut new_contents = Vec::new();
let file = File::open(rust_filename)?;
let reader = BufReader::new(file);
// Guard the code since it is only needed for the agent-ctl tool,
// not the agent itself.
let serde_default_code = r#"#[cfg_attr(feature = "with-serde", serde(default))]"#;
for line in reader.lines() {
let line = line?;
new_contents.push(line.clone());
let pattern = "//! Generated file from";
if line.starts_with(&pattern) {
new_contents.push(autogen_comment.into());
}
let struct_pattern = "pub struct ";
// Although we've requested serde support via `Customize`, to
// allow the `kata-agent-ctl` tool to partially deserialise structures
// specified in JSON, we need this bit of additional magic.
if line.starts_with(&struct_pattern) {
new_contents.insert(new_contents.len() - 1, serde_default_code.trim().into());
}
}
let data = new_contents.join("\n");
let mut dst = File::create(&rust_filename)?;
dst.write_all(data.as_bytes())?;
Ok(())
}
fn real_main() -> Result<(), std::io::Error> {
let autogen_comment = format!("\n//! Generated by {:?} ({:?})", file!(), module_path!());
fn main() {
let protos = vec![
"protos/types.proto",
"protos/agent.proto",
"protos/health.proto",
"protos/google/protobuf/empty.proto",
"protos/health.proto",
"protos/oci.proto",
"protos/types.proto",
];
// Tell Cargo that if the .proto files changed, to rerun this build script.
protos
.iter()
.for_each(|p| println!("cargo:rerun-if-changed={}", &p));
let ttrpc_options = Customize {
async_server: true,
..Default::default()
};
let protobuf_options = ProtobufCustomize {
serde_derive: Some(true),
..Default::default()
};
let out_dir = Path::new("src");
Codegen::new()
.out_dir("src")
.out_dir(out_dir)
.inputs(&protos)
.include("protos")
.customize(ttrpc_options)
.rust_protobuf()
.customize(Customize {
async_server: true,
..Default::default()
})
.run()
.expect("Gen codes failed.");
.rust_protobuf_customize(protobuf_options)
.run()?;
for file in protos.iter() {
let proto_filename = Path::new(file).file_name().unwrap();
let generated_file = proto_filename
.to_str()
.ok_or("failed")
.map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?
.replace(".proto", ".rs");
let out_file = out_dir.join(generated_file);
let out_file_str = out_file
.to_str()
.ok_or("failed")
.map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?;
handle_file(&autogen_comment, out_file_str)?;
}
// There is a message named 'Box' in oci.proto
// so there is a struct named 'Box', we should replace Box<Self> to ::std::boxed::Box<Self>
@@ -34,11 +153,16 @@ fn main() {
"src/oci.rs",
"self: Box<Self>",
"self: ::std::boxed::Box<Self>",
)
.unwrap();
)?;
use_serde(&protos, out_dir)?;
Ok(())
}
fn replace_text_in_file(file_name: &str, from: &str, to: &str) -> Result<(), std::io::Error> {
let new_contents = fs::read_to_string(file_name)?.replace(from, to);
fs::write(&file_name, new_contents.as_bytes())
fn main() {
if let Err(e) = real_main() {
eprintln!("ERROR: {}", e);
exit(1);
}
}

Some files were not shown because too many files have changed in this diff Show More