Merge pull request #2007 from fidencio/2.1.1-branch-bump

# Kata Containers 2.1.1

.github/workflows/gather-artifacts.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright (c) 2019 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o pipefail
+
+pushd kata-artifacts >>/dev/null
+for c in ./*.tar.gz
+do
+    echo "untarring tarball $c"
+    tar -xvf $c
+done
+
+tar cvfJ ../kata-static.tar.xz ./opt
+popd >>/dev/null

.github/workflows/generate-artifact-tarball.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Copyright (c) 2019 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o pipefail
+
+
+main() {
+    artifact_stage=${1:-}
+    artifact=$(echo  ${artifact_stage} | sed -n -e 's/^install_//p' | sed -r 's/_/-/g')
+    if [ -z "${artifact}" ]; then
+        "Scripts needs artifact name to build"
+        exit 1
+    fi
+
+    tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+    export GOPATH=$HOME/go
+
+    go get github.com/kata-containers/packaging || true
+    pushd $GOPATH/src/github.com/kata-containers/packaging/release >>/dev/null
+    git checkout $tag
+    pushd ../obs-packaging
+    ./gen_versions_txt.sh $tag
+    popd
+
+    source ./kata-deploy-binaries.sh
+    ${artifact_stage} $tag
+    popd
+
+    mv $HOME/go/src/github.com/kata-containers/packaging/release/kata-static-${artifact}.tar.gz .
+}
+
+main $@

.github/workflows/generate-local-artifact-tarball.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Copyright (c) 2019 Intel Corporation
+# Copyright (c) 2020 Ant Group
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o pipefail
+
+
+main() {
+    artifact_stage=${1:-}
+    artifact=$(echo  ${artifact_stage} | sed -n -e 's/^install_//p' | sed -r 's/_/-/g')
+    if [ -z "${artifact}" ]; then
+        "Scripts needs artifact name to build"
+        exit 1
+    fi
+
+    tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+    pushd $GITHUB_WORKSPACE/tools/packaging
+    git checkout $tag
+    ./scripts/gen_versions_txt.sh $tag
+    popd
+
+    pushd $GITHUB_WORKSPACE/tools/packaging/release
+    source ./kata-deploy-binaries.sh
+    ${artifact_stage} $tag
+    popd
+
+    mv $GITHUB_WORKSPACE/tools/packaging/release/kata-static-${artifact}.tar.gz .
+}
+
+main $@

.github/workflows/kata-deploy-push.yaml

@@ -1,68 +0,0 @@
-name: kata deploy build
-
-on: [push, pull_request]
-
-jobs:
-  build-asset:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        asset:
-          - kernel
-          - kernel-experimental
-          - shim-v2
-          - qemu
-          - cloud-hypervisor
-          - firecracker
-          - rootfs-image
-          - rootfs-initrd
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install docker
-        run: |
-          curl -fsSL https://test.docker.com -o test-docker.sh
-          sh test-docker.sh
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r --preserve=all "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
-
-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
-    steps:
-      - uses: actions/checkout@v2
-      - name: get-artifacts
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-artifacts
-          path: build
-      - name: merge-artifacts
-        run: |
-          make merge-builds
-      - name: store-artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-static-tarball
-          path: kata-static.tar.xz
-
-  make-kata-tarball:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: make kata-tarball
-        run: |
-          make kata-tarball
-          sudo make install-tarball

.github/workflows/kata-deploy-test.yaml

@@ -5,121 +5,58 @@ on:
 name: test-kata-deploy
 
 jobs:
-  check-comment-and-membership:
-    runs-on: ubuntu-latest
-    if: |
-      github.event.issue.pull_request
-      && github.event_name == 'issue_comment'
-      && github.event.action == 'created'
-      && startsWith(github.event.comment.body, '/test_kata_deploy')
-    steps:
-      - name: Check membership
-        uses: kata-containers/is-organization-member@1.0.1
-        id: is_organization_member
-        with:
-          organization: kata-containers
-          username: ${{ github.event.comment.user.login }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Fail if not member
-        run: |
-          result=${{ steps.is_organization_member.outputs.result }}
-          if [ $result == false ]; then
-              user=${{ github.event.comment.user.login }}
-              echo Either ${user} is not part of the kata-containers organization
-              echo or ${user} has its Organization Visibility set to Private at
-              echo https://github.com/orgs/kata-containers/people?query=${user}
-              echo 
-              echo Ensure you change your Organization Visibility to Public and
-              echo trigger the test again.
-              exit 1
-          fi
-
-  build-asset:
-    runs-on: ubuntu-latest
-    needs: check-comment-and-membership
-    strategy:
-      matrix:
-        asset:
-          - cloud-hypervisor
-          - firecracker
-          - kernel
-          - qemu
-          - rootfs-image
-          - rootfs-initrd
-          - shim-v2
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install docker
-        run: |
-          curl -fsSL https://test.docker.com -o test-docker.sh
-          sh test-docker.sh
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
-
-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
-    steps:
-      - uses: actions/checkout@v2
-      - name: get-artifacts
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-artifacts
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
-      - name: store-artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-static-tarball
-          path: kata-static.tar.xz
-
-  kata-deploy:
-    needs: create-kata-tarball
+  check_comments:
+    if: ${{ github.event.issue.pull_request }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v2
+      - name: Check for Command
+        id: command
+        uses: kata-containers/slash-command-action@v1
         with:
-          name: kata-static-tarball
-      - name: build-and-push-kata-deploy-ci
-        id: build-and-push-kata-deploy-ci
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          command: "test_kata_deploy"
+          reaction: "true"
+          reaction-type: "eyes"
+          allow-edits: "false"
+          permission-level: admin
+      - name: verify command arg is kata-deploy
         run: |
-          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
-          pushd $GITHUB_WORKSPACE
-          git checkout $tag
-          pkg_sha=$(git rev-parse HEAD)
-          popd
-          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
-          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
-          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
-          docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
-          mkdir -p packaging/kata-deploy
-          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
-          echo "::set-output name=PKG_SHA::${pkg_sha}"
+           echo "The command was '${{ steps.command.outputs.command-name }}' with arguments '${{ steps.command.outputs.command-arguments }}'"
+
+  create-and-test-container:
+    needs: check_comments
+    runs-on: ubuntu-latest
+    steps:
+      - name: get-PR-ref
+        id: get-PR-ref
+        run: |
+            ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
+            echo "reference for PR: " ${ref}
+            echo "##[set-output name=pr-ref;]${ref}"
+
+      - name: check out
+        uses: actions/checkout@v2
+        with:
+           ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
+
+      - name: build-container-image
+        id: build-container-image
+        run: |
+            PR_SHA=$(git log --format=format:%H -n1)
+            VERSION="2.0.0"
+            ARTIFACT_URL="https://github.com/kata-containers/kata-containers/releases/download/${VERSION}/kata-static-${VERSION}-x86_64.tar.xz"
+            wget "${ARTIFACT_URL}" -O tools/packaging/kata-deploy/kata-static.tar.xz
+            docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:${PR_SHA} ./tools/packaging/kata-deploy
+            docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
+            docker push katadocker/kata-deploy-ci:$PR_SHA
+            echo "##[set-output name=pr-sha;]${PR_SHA}"
+
       - name: test-kata-deploy-ci-in-aks
-        uses: ./packaging/kata-deploy/action
+        uses: ./tools/packaging/kata-deploy/action
         with:
-          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+          packaging-sha: ${{ steps.build-container-image.outputs.pr-sha }}
         env:
-          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+          PKG_SHA: ${{ steps.build-container-image.outputs.pr-sha }}
           AZ_APPID: ${{ secrets.AZ_APPID }}
           AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
           AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

.github/workflows/main.yaml

@@ -0,0 +1,293 @@
+name: Publish release tarball
+on: 
+  push: 
+    tags:
+     - '1.*'
+
+jobs:
+  get-artifact-list:
+    runs-on: ubuntu-latest
+    steps:
+      - name: get the list
+        run: |
+         pushd $GITHUB_WORKSPACE
+         tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+         git checkout $tag
+         popd
+         $GITHUB_WORKSPACE/tools/packaging/artifact-list.sh > artifact-list.txt
+      - name: save-artifact-list
+        uses: actions/upload-artifact@master
+        with:
+          name: artifact-list
+          path: artifact-list.txt
+
+  build-kernel:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_kernel"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - run: |
+         sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
+      - name: build-kernel
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-kernel.tar.gz
+
+  build-experimental-kernel:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_experimental_kernel"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - run: |
+         sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
+      - name: build-experimental-kernel
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-experimental-kernel.tar.gz
+
+  build-qemu:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_qemu"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - name: build-qemu
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-qemu.tar.gz
+
+  # Job for building the image
+  build-image:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_image"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - name: build-image
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-image.tar.gz
+
+  # Job for building firecracker hypervisor
+  build-firecracker:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_firecracker"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - name: build-firecracker
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-firecracker.tar.gz
+
+  # Job for building cloud-hypervisor
+  build-clh:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_clh"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - name: build-clh
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-clh.tar.gz
+
+  # Job for building kata components
+  build-kata-components:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_kata_components"
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifact-list
+        uses: actions/download-artifact@master
+        with:
+          name: artifact-list
+      - name: build-kata-components
+        run: |
+         if grep -q $buildstr ./artifact-list/artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@master
+        with:
+          name: kata-artifacts
+          path: kata-static-kata-components.tar.gz
+
+  gather-artifacts:
+    runs-on: ubuntu-16.04
+    needs: [build-experimental-kernel, build-kernel, build-qemu, build-image, build-firecracker, build-kata-components, build-clh]
+    steps:
+      - uses: actions/checkout@v1
+      - name: get-artifacts
+        uses: actions/download-artifact@master
+        with:
+          name: kata-artifacts
+      - name: colate-artifacts
+        run: |
+          $GITHUB_WORKSPACE/.github/workflows/gather-artifacts.sh
+      - name: store-artifacts
+        uses: actions/upload-artifact@master
+        with:
+          name: release-candidate
+          path: kata-static.tar.xz
+
+  kata-deploy:
+    needs: gather-artifacts
+    runs-on: ubuntu-latest
+    steps:
+      - name: get-artifacts
+        uses: actions/download-artifact@master
+        with:
+          name: release-candidate
+      - name: build-and-push-kata-deploy-ci
+        id: build-and-push-kata-deploy-ci
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          git clone https://github.com/kata-containers/packaging
+          pushd packaging
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          mv release-candidate/kata-static.tar.xz ./packaging/kata-deploy/kata-static.tar.xz
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha ./packaging/kata-deploy
+          docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
+          docker push katadocker/kata-deploy-ci:$pkg_sha
+          echo "::set-output name=PKG_SHA::${pkg_sha}"
+      - name: test-kata-deploy-ci-in-aks
+        uses: ./packaging/kata-deploy/action
+        with:
+          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+        env:
+          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+          AZ_APPID: ${{ secrets.AZ_APPID }}
+          AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      - name: push-tarball
+        run: |
+          # tag the container image we created and push to DockerHub
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag}
+          docker push katadocker/kata-deploy:${tag}
+
+  upload-static-tarball:
+    needs: kata-deploy
+    runs-on: ubuntu-latest
+    steps:
+      - name: download-artifacts
+        uses: actions/download-artifact@master
+        with:
+          name: release-candidate
+      - name: install hub
+        run: |
+          HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
+          wget -q -O- https://github.com/github/hub/releases/download/v$HUB_VER/hub-linux-amd64-$HUB_VER.tgz | \
+          tar xz --strip-components=2 --wildcards '*/bin/hub' && sudo mv hub /usr/local/bin/hub
+      - name: push static tarball to github
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tarball="kata-static-$tag-x86_64.tar.xz"
+          repo="https://github.com/kata-containers/runtime.git"
+          mv release-candidate/kata-static.tar.xz "release-candidate/${tarball}"
+          git clone "${repo}"
+          cd runtime
+          echo "uploading asset '${tarball}' to '${repo}' tag: ${tag}"
+          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "../release-candidate/${tarball}" "${tag}"

.github/workflows/release.yaml

@@ -5,45 +5,213 @@ on:
      - '2.*'
 
 jobs:
-  build-asset:
+  get-artifact-list:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        asset:
-          - cloud-hypervisor
-          - firecracker
-          - kernel
-          - qemu
-          - rootfs-image
-          - rootfs-initrd
-          - shim-v2
     steps:
       - uses: actions/checkout@v2
-      - name: Install docker
+      - name: get the list
         run: |
-          curl -fsSL https://test.docker.com -o test-docker.sh
-          sh test-docker.sh
+         pushd $GITHUB_WORKSPACE
+         tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+         git checkout $tag
+         popd
+         $GITHUB_WORKSPACE/tools/packaging/artifact-list.sh > artifact-list.txt
+      - name: save-artifact-list
+        uses: actions/upload-artifact@v2
+        with:
+          name: artifact-list
+          path: artifact-list.txt
 
-      - name: Build ${{ matrix.asset }}
+  build-kernel:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_kernel"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - run: |
+         sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
+      - name: build-kernel
         run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh --build="${KATA_ASSET}"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-
-      - name: store-artifact ${{ matrix.asset }}
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
         uses: actions/upload-artifact@v2
         with:
           name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
+          path: kata-static-kernel.tar.gz
 
-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
+  build-experimental-kernel:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_experimental_kernel"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - run: |
+         sudo apt-get update && sudo apt install -y flex bison libelf-dev bc iptables
+      - name: build-experimental-kernel
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-experimental-kernel.tar.gz
+
+  build-qemu:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_qemu"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - name: build-qemu
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-qemu.tar.gz
+
+  build-image:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_image"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - name: build-image
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-image.tar.gz
+
+  build-firecracker:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_firecracker"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - name: build-firecracker
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-firecracker.tar.gz
+
+
+  build-clh:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_clh"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - name: build-clh
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-clh.tar.gz
+
+  build-kata-components:
+    runs-on: ubuntu-16.04
+    needs: get-artifact-list
+    env:
+      buildstr: "install_kata_components"
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifact-list
+        uses: actions/download-artifact@v2
+        with:
+          name: artifact-list
+      - name: build-kata-components
+        run: |
+         if grep -q $buildstr artifact-list.txt; then
+           $GITHUB_WORKSPACE/.github/workflows/generate-local-artifact-tarball.sh $buildstr
+           echo "artifact-built=true" >> $GITHUB_ENV
+         else
+           echo "artifact-built=false" >> $GITHUB_ENV
+         fi
+      - name: store-artifacts
+        if: ${{ env.artifact-built }} == 'true'
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-static-kata-components.tar.gz
+
+  gather-artifacts:
+    runs-on: ubuntu-16.04
+    needs: [build-experimental-kernel, build-kernel, build-qemu, build-image, build-firecracker, build-kata-components, build-clh]
     steps:
       - uses: actions/checkout@v2
       - name: get-artifacts
@@ -51,24 +219,24 @@ jobs:
         with:
           name: kata-artifacts
           path: kata-artifacts
-      - name: merge-artifacts
+      - name: colate-artifacts
         run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+          $GITHUB_WORKSPACE/.github/workflows/gather-artifacts.sh
       - name: store-artifacts
         uses: actions/upload-artifact@v2
         with:
-          name: kata-static-tarball
+          name: release-candidate
           path: kata-static.tar.xz
 
   kata-deploy:
-    needs: create-kata-tarball
+    needs: gather-artifacts
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: get-kata-tarball
+      - name: get-artifacts
         uses: actions/download-artifact@v2
         with:
-          name: kata-static-tarball
+          name: release-candidate
       - name: build-and-push-kata-deploy-ci
         id: build-and-push-kata-deploy-ci
         run: |
@@ -78,11 +246,9 @@ jobs:
           pkg_sha=$(git rev-parse HEAD)
           popd
           mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
-          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
           docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
           docker push katadocker/kata-deploy-ci:$pkg_sha
-          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
-          docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
           mkdir -p packaging/kata-deploy
           ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
           echo "::set-output name=PKG_SHA::${pkg_sha}"
@@ -100,14 +266,8 @@ jobs:
         run: |
           # tag the container image we created and push to DockerHub
           tag=$(echo $GITHUB_REF | cut -d/ -f3-)
-          tags=($tag)
-          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
-          for tag in ${tags[@]}; do \
-            docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag} && \
-            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} quay.io/kata-containers/kata-deploy:${tag} && \
-            docker push katadocker/kata-deploy:${tag} && \
-            docker push quay.io/kata-containers/kata-deploy:${tag}; \
-          done
+          docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag}
+          docker push katadocker/kata-deploy:${tag}
 
   upload-static-tarball:
     needs: kata-deploy
@@ -117,7 +277,7 @@ jobs:
       - name: download-artifacts
         uses: actions/download-artifact@v2
         with:
-          name: kata-static-tarball
+          name: release-candidate
       - name: install hub
         run: |
           HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
@@ -131,49 +291,3 @@ jobs:
           pushd $GITHUB_WORKSPACE
           echo "uploading asset '${tarball}' for tag: ${tag}"
           GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
-          popd
-
-  upload-cargo-vendored-tarball:
-    needs: upload-static-tarball
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: generate-and-upload-tarball
-        run: |
-          pushd $GITHUB_WORKSPACE/src/agent
-          cargo vendor >> .cargo/config
-          popd
-          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
-          tarball="kata-containers-$tag-vendor.tar.gz"
-          pushd $GITHUB_WORKSPACE
-          tar -cvzf "${tarball}" src/agent/.cargo/config src/agent/vendor
-          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}" 
-          popd
-
-  upload-libseccomp-tarball:
-    needs: upload-cargo-vendored-tarball
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: download-and-upload-tarball
-        env:
-          GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
-          GOPATH: ${HOME}/go
-        run: |
-          pushd $GITHUB_WORKSPACE
-          ./ci/install_yq.sh
-          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
-          versions_yaml="versions.yaml"
-          version=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.version")
-          repo_url=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.url")
-          download_url="${repo_url}/releases/download/v${version}"
-          tarball="libseccomp-${version}.tar.gz"
-          asc="${tarball}.asc"
-          curl -sSLO "${download_url}/${tarball}"
-          curl -sSLO "${download_url}/${asc}"
-          # "-m" option should be empty to re-use the existing release title
-          # without opening a text editor.
-          # For the details, check https://hub.github.com/hub-release.1.html.
-          hub release edit -m "" -a "${tarball}" "${tag}"
-          hub release edit -m "" -a "${asc}" "${tag}"
-          popd

.github/workflows/require-pr-porting-labels.yaml

@@ -6,14 +6,15 @@
 name: Ensure PR has required porting labels
 
 on:
+  pull_request:
+    branches:
+      - main
   pull_request_target:
     types:
       - opened
       - reopened
       - labeled
       - unlabeled
-    branches:
-      - main
 
 jobs:
   check-pr-porting-labels:
@@ -31,6 +32,8 @@ jobs:
 
       - name: Checkout code to allow hub to communicate with the project
         uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.KATA_GITHUB_ACTIONS_TOKEN }}
 
       - name: Install porting checker script
         run: |

.github/workflows/snap-release.yaml

@@ -9,8 +9,6 @@ jobs:
     steps:
       - name: Check out Git repository
         uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
 
       - name: Install Snapcraft
         uses: samuelmeuli/action-snapcraft@v1

.github/workflows/snap.yaml

@@ -6,8 +6,6 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
 
       - name: Install Snapcraft
         uses: samuelmeuli/action-snapcraft@v1

.github/workflows/static-checks.yaml

@@ -1,19 +1,10 @@
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-      - labeled
-      - unlabeled
-
+on: ["pull_request"]
 name: Static checks
 jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.16.x, 1.17.x]
+        go-version: [1.13.x, 1.14.x, 1.15.x]
         os: [ubuntu-20.04]
     runs-on: ${{ matrix.os }}
     env:
@@ -22,77 +13,54 @@ jobs:
       TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
       TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
       RUST_BACKTRACE: "1"
-      target_branch: ${{ github.base_ref }}
+      target_branch: ${TRAVIS_BRANCH}
     steps:
     - name: Install Go
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       uses: actions/setup-go@v2
       with:
         go-version: ${{ matrix.go-version }}
       env:
         GOPATH: ${{ runner.workspace }}/kata-containers
     - name: Setup GOPATH
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
         echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
         echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
         echo "TRAVIS: ${TRAVIS}"
     - name: Set env
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
         echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Checkout code
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       uses: actions/checkout@v2
       with:
         fetch-depth: 0
         path: ./src/github.com/${{ github.repository }}
     - name: Setup travis references
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
         target_branch=${TRAVIS_BRANCH}
     - name: Setup
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
       env:
         GOPATH: ${{ runner.workspace }}/kata-containers
-    - name: Installing rust
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+    - name: Building rust
       run: |
         cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
         PATH=$PATH:"$HOME/.cargo/bin"
         rustup target add x86_64-unknown-linux-musl
         rustup component add rustfmt clippy
-    - name: Setup seccomp
+    # Must build before static checks as we depend on some generated code in runtime and agent
+    - name: Build
       run: |
-        libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
-        gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
-        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
-        echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
-        echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
-        echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
-    # Check whether the vendored code is up-to-date & working as the first thing
-    - name: Check vendored code
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-      run: |
-        cd ${GOPATH}/src/github.com/${{ github.repository }} && make vendor
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make
     - name: Static Checks
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
-        cd ${GOPATH}/src/github.com/${{ github.repository }} && make static-checks
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/static-checks.sh
     - name: Run Compiler Checks
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         cd ${GOPATH}/src/github.com/${{ github.repository }} && make check
     - name: Run Unit Tests
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
       run: |
         cd ${GOPATH}/src/github.com/${{ github.repository }} && make test
-    - name: Run Unit Tests As Root User
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-      run: |
-        cd ${GOPATH}/src/github.com/${{ github.repository }} && sudo -E PATH="$PATH" make test

Glossary.md

@@ -1,94 +0,0 @@
-# Glossary
-
-[A](#a), [B](#b), [C](#c), [D](#d), [E](#e), [F](#f), [G](#g), [H](#h), [I](#i), [J](#j), [K](#k), [L](#l), [M](#m), [N](#n), [O](#o), [P](#p), [Q](#q), [R](#r), [S](#s), [T](#t), [U](#u), [V](#v), [W](#w), [X](#x), [Y](#y), [Z](#z)
-
-## A
-
-### Auto Scaling
-a method used in cloud computing, whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, which vary automatically based on the load on the farm.
-
-## B
-
-## C
-
-### Container Security Solutions
-The process of implementing security tools and policies that will give you the assurance that everything in your container is running as intended, and only as intended.
-
-### Container Software
-A standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
-
-### Container Runtime Interface
-A plugin interface which enables Kubelet to use a wide variety of container runtimes, without the need to recompile.
-
-### Container Virtualization
-A container is a virtual runtime environment that runs on top of a single operating system (OS) kernel and emulates an operating system rather than the underlying hardware.
-
-## D
-
-## E
-
-## F
-
-## G
-
-## H
-
-## I
-
-### Infrastructure Architecture
-A structured and modern approach for supporting an organization and facilitating innovation within an enterprise.
-
-## J
-
-## K
-
-### Kata Containers
-Kata containers is an open source project delivering increased container security and Workload isolation through an implementation of lightweight virtual machines.
-
-## L
-
-## M
-
-## N
-
-## O
-
-## P
-
-### Pod Containers
-A Group of one or more containers , with shared storage/network, and a specification for how to run the containers.
-
-### Private Cloud
-A computing model that offers a proprietary environment dedicated to a single business entity.
-
-### Public Cloud
-Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them.
-
-## Q
-
-## R
-
-## S
-
-### Serverless Containers
-An architecture in which code is executed on-demand. Serverless workloads are typically in the cloud, but on-premises serverless platforms exist, too.
-
-## T
-
-## U
-
-## V
-
-### Virtual Machine Monitor
-Computer software, firmware or hardware that creates and runs virtual machines.
-
-### Virtual Machine Software
-A software program or operating system that not only exhibits the behavior of a separate computer, but is also capable of performing tasks such as running applications and programs like a separate computer.
-
-## W
-
-## X
-
-## Y
-
-## Z

Makefile

@@ -15,10 +15,9 @@ TOOLS =
 
 TOOLS += agent-ctl
 
-STANDARD_TARGETS = build check clean install test vendor
+STANDARD_TARGETS = build check clean install test
 
 include utils.mk
-include ./tools/packaging/kata-deploy/local-build/Makefile
 
 all: build
 
@@ -30,8 +29,4 @@ $(eval $(call create_all_rules,$(COMPONENTS),$(TOOLS),$(STANDARD_TARGETS)))
 generate-protocols:
 	make -C src/agent generate-protocols
 
-# Some static checks rely on generated source files of components.
-static-checks: build
-	bash ci/static-checks.sh
-
-.PHONY: all default static-checks binary-tarball install-binary-tarball
+.PHONY: all default

README.md

@@ -2,6 +2,22 @@
 
 # Kata Containers
 
+* [Kata Containers](#kata-containers)
+    * [Introduction](#introduction)
+    * [Getting started](#getting-started)
+    * [Documentation](#documentation)
+    * [Community](#community)
+    * [Getting help](#getting-help)
+        * [Raising issues](#raising-issues)
+            * [Kata Containers 1.x versions](#kata-containers-1x-versions)
+    * [Developers](#developers)
+        * [Components](#components)
+            * [Kata Containers 1.x components](#kata-containers-1x-components)
+        * [Common repositories](#common-repositories)
+        * [Packaging and releases](#packaging-and-releases)
+
+---
+
 Welcome to Kata Containers!
 
 This repository is the home of the Kata Containers code for the 2.0 and newer
@@ -10,6 +26,11 @@ releases.
 If you want to learn about Kata Containers, visit the main
 [Kata Containers website](https://katacontainers.io).
 
+For further details on the older (first generation) Kata Containers 1.x
+versions, see the
+[Kata Containers 1.x components](#kata-containers-1x-components)
+section.
+
 ## Introduction
 
 Kata Containers is an open source project and community working to build a
@@ -46,34 +67,69 @@ Please raise an issue
 > **Note:**
 > If you are reporting a security issue, please follow the [vulnerability reporting process](https://github.com/kata-containers/community#vulnerability-handling)
 
+#### Kata Containers 1.x versions
+
+For older Kata Containers 1.x releases, please raise an issue in the
+[Kata Containers 1.x component repository](#kata-containers-1x-components)
+that seems most appropriate.
+
+If in doubt, raise an issue
+[in the Kata Containers 1.x runtime repository](https://github.com/kata-containers/runtime/issues).
+
 ## Developers
 
 ### Components
 
-### Main components
-
-The table below lists the core parts of the project:
-
 | Component | Type | Description |
 |-|-|-|
-| [runtime](src/runtime) | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
+| [agent-ctl](tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
 | [agent](src/agent) | core | Management process running inside the virtual machine / POD that sets up the container environment. |
 | [documentation](docs) | documentation | Documentation common to all components (such as design and install documentation). |
-| [tests](https://github.com/kata-containers/tests) | tests | Excludes unit tests which live with the main code. |
+| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images for the hypervisor. |
+| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
+| [runtime](src/runtime) | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
+| [trace-forwarder](src/trace-forwarder) | utility | Agent tracing helper. |
 
-### Additional components
+#### Kata Containers 1.x components
 
-The table below lists the remaining parts of the project:
+For the first generation of Kata Containers (1.x versions), each component was
+kept in a separate repository.
+
+For information on the Kata Containers 1.x releases, see the
+[Kata Containers 1.x releases page](https://github.com/kata-containers/runtime/releases).
+
+For further information on particular Kata Containers 1.x components, see the
+individual component repositories:
 
 | Component | Type | Description |
 |-|-|-|
-| [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
-| [kernel](https://www.kernel.org) | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored [here](tools/packaging/kernel). |
-| [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
-| [`agent-ctl`](tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
-| [`trace-forwarder`](src/trace-forwarder) | utility | Agent tracing helper. |
-| [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
-| [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |
+| [agent](https://github.com/kata-containers/agent) | core | See [components](#components). |
+| [documentation](https://github.com/kata-containers/documentation) | documentation | |
+| [KSM throttler](https://github.com/kata-containers/ksm-throttler) | optional core | Daemon that monitors containers and deduplicates memory to maximize container density on the host. |
+| [osbuilder](https://github.com/kata-containers/osbuilder) | infrastructure | See [components](#components). |
+| [packaging](https://github.com/kata-containers/packaging) | infrastructure | See [components](#components). |
+| [proxy](https://github.com/kata-containers/proxy) | core | Multiplexes communications between the shims, agent and runtime. |
+| [runtime](https://github.com/kata-containers/runtime) | core | See [components](#components). |
+| [shim](https://github.com/kata-containers/shim) | core | Handles standard I/O and signals on behalf of the container process. |
+
+> **Note:**
+>
+> - There are more components for the original Kata Containers 1.x implementation.
+> - The current implementation simplifies the design significantly:
+>   compare the [current](docs/design/architecture.md) and
+>   [previous generation](https://github.com/kata-containers/documentation/blob/master/design/architecture.md)
+>   designs.
+
+### Common repositories
+
+The following repositories are used by both the current and first generation Kata Containers implementations:
+
+| Component | Description | Current | First generation | Notes |
+|-|-|-|-|-|
+| CI | Continuous Integration configuration files and scripts. | [Kata 2.x](https://github.com/kata-containers/ci/tree/main) | [Kata 1.x](https://github.com/kata-containers/ci/tree/master) | |
+| kernel | The Linux kernel used by the hypervisor to boot the guest image. | [Kata 2.x][kernel] | [Kata 1.x][kernel] | Patches are stored in the packaging component. |
+| tests | Test code. | [Kata 2.x](https://github.com/kata-containers/tests/tree/main) | [Kata 1.x](https://github.com/kata-containers/tests/tree/master) | Excludes unit tests which live with the main code. |
+| www.katacontainers.io | Contains the source for the [main web site](https://www.katacontainers.io). | [Kata 2.x][github-katacontainers.io] | [Kata 1.x][github-katacontainers.io] | | |
 
 ### Packaging and releases
 
@@ -82,9 +138,6 @@ Kata Containers is now
 However, packaging scripts and metadata are still used to generate snap and GitHub releases. See
 the [components](#components) section for further details.
 
-## Glossary of Terms
-
-See the [glossary of terms](Glossary.md) related to Kata Containers.
 ---
 
 [kernel]: https://www.kernel.org

VERSION

@@ -1 +1 @@
-2.3.1
+2.1.1

ci/go-no-os-exit.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Check there are no os.Exit() calls creeping into the code
+# We don't use that exit path in the Kata codebase.
+
+# Allow the path to check to be over-ridden.
+# Default to the current directory.
+go_packages=${1:-.}
+
+echo "Checking for no os.Exit() calls for package [${go_packages}]"
+
+candidates=`go list -f '{{.Dir}}/*.go' $go_packages`
+for f in $candidates; do
+	filename=`basename $f`
+	# skip all go test files
+	[[ $filename == *_test.go ]] && continue
+	# skip exit.go where, the only file we should call os.Exit() from.
+	[[ $filename == "exit.go" ]] && continue
+	files="$f $files"
+done
+
+[ -z "$files" ] && echo "No files to check, skipping" && exit 0
+
+if egrep -n '\<os\.Exit\>' $files; then
+	echo "Direct calls to os.Exit() are forbidden, please use exit() so atexit() works"
+	exit 1
+fi

ci/install_libseccomp.sh

@@ -1,109 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2021 Sony Group Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-set -o errexit
-
-cidir=$(dirname "$0")
-source "${cidir}/lib.sh"
-
-clone_tests_repo
-
-source "${tests_repo_dir}/.ci/lib.sh"
-
-# The following variables if set on the environment will change the behavior
-# of gperf and libseccomp configure scripts, that may lead this script to
-# fail. So let's ensure they are unset here.
-unset PREFIX DESTDIR
-
-arch=$(uname -m)
-workdir="$(mktemp -d --tmpdir build-libseccomp.XXXXX)"
-
-# Variables for libseccomp
-# Currently, specify the libseccomp version directly without using `versions.yaml`
-# because the current Snap workflow is incomplete.
-# After solving the issue, replace this code by using the `versions.yaml`.
-# libseccomp_version=$(get_version "externals.libseccomp.version")
-# libseccomp_url=$(get_version "externals.libseccomp.url")
-libseccomp_version="2.5.1"
-libseccomp_url="https://github.com/seccomp/libseccomp"
-libseccomp_tarball="libseccomp-${libseccomp_version}.tar.gz"
-libseccomp_tarball_url="${libseccomp_url}/releases/download/v${libseccomp_version}/${libseccomp_tarball}"
-cflags="-O2"
-
-# Variables for gperf
-# Currently, specify the gperf version directly without using `versions.yaml`
-# because the current Snap workflow is incomplete.
-# After solving the issue, replace this code by using the `versions.yaml`.
-# gperf_version=$(get_version "externals.gperf.version")
-# gperf_url=$(get_version "externals.gperf.url")
-gperf_version="3.1"
-gperf_url="https://ftp.gnu.org/gnu/gperf"
-gperf_tarball="gperf-${gperf_version}.tar.gz"
-gperf_tarball_url="${gperf_url}/${gperf_tarball}"
-
-# We need to build the libseccomp library from sources to create a static library for the musl libc.
-# However, ppc64le and s390x have no musl targets in Rust. Hence, we do not set cflags for the musl libc.
-if ([ "${arch}" != "ppc64le" ] && [ "${arch}" != "s390x" ]); then
-    # Set FORTIFY_SOURCE=1 because the musl-libc does not have some functions about FORTIFY_SOURCE=2
-    cflags="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -O2"
-fi
-
-die() {
-    msg="$*"
-    echo "[Error] ${msg}" >&2
-    exit 1
-}
-
-finish() {
-    rm -rf "${workdir}"
-}
-
-trap finish EXIT
-
-build_and_install_gperf() {
-    echo "Build and install gperf version ${gperf_version}"
-    mkdir -p "${gperf_install_dir}"
-    curl -sLO "${gperf_tarball_url}"
-    tar -xf "${gperf_tarball}"
-    pushd "gperf-${gperf_version}"
-    ./configure --prefix="${gperf_install_dir}"
-    make
-    make install
-    export PATH=$PATH:"${gperf_install_dir}"/bin
-    popd
-    echo "Gperf installed successfully"
-}
-
-build_and_install_libseccomp() {
-    echo "Build and install libseccomp version ${libseccomp_version}"
-    mkdir -p "${libseccomp_install_dir}"
-    curl -sLO "${libseccomp_tarball_url}"
-    tar -xf "${libseccomp_tarball}"
-    pushd "libseccomp-${libseccomp_version}"
-    ./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static
-    make
-    make install
-    popd
-    echo "Libseccomp installed successfully"
-}
-
-main() {
-    local libseccomp_install_dir="${1:-}"
-    local gperf_install_dir="${2:-}"
-
-    if [ -z "${libseccomp_install_dir}" ] || [ -z "${gperf_install_dir}" ]; then
-        die "Usage: ${0} <libseccomp-install-dir> <gperf-install-dir>"
-    fi
-
-    pushd "$workdir"
-    # gperf is required for building the libseccomp.
-    build_and_install_gperf
-    build_and_install_libseccomp
-    popd
-}
-
-main "$@"

ci/install_rust.sh

@@ -12,5 +12,5 @@ source "${cidir}/lib.sh"
 clone_tests_repo
 
 pushd ${tests_repo_dir}
-.ci/install_rust.sh ${1:-}
+.ci/install_rust.sh
 popd

ci/install_yq.sh

@@ -15,18 +15,12 @@ die() {
 # Install the yq yaml query package from the mikefarah github repo
 # Install via binary download, as we may not have golang installed at this point
 function install_yq() {
+	GOPATH=${GOPATH:-${HOME}/go}
+	local yq_path="${GOPATH}/bin/yq"
 	local yq_pkg="github.com/mikefarah/yq"
 	local yq_version=3.4.1
-	INSTALL_IN_GOPATH=${INSTALL_IN_GOPATH:-true}
 
-	if [ "${INSTALL_IN_GOPATH}"  == "true" ];then
-		GOPATH=${GOPATH:-${HOME}/go}
-		mkdir -p "${GOPATH}/bin"
-		local yq_path="${GOPATH}/bin/yq"
-	else
-		yq_path="/usr/local/bin/yq"
-	fi
-	[ -x  "${yq_path}" ] && [ "`${yq_path} --version`"X == "yq version ${yq_version}"X ] && return
+	[ -x  "${GOPATH}/bin/yq" ] && [ "`${GOPATH}/bin/yq --version`"X == "yq version ${yq_version}"X ] && return
 
 	read -r -a sysInfo <<< "$(uname -sm)"
 
@@ -57,6 +51,7 @@ function install_yq() {
 		;;
 	esac
 
+	mkdir -p "${GOPATH}/bin"
 
 	# Check curl
 	if ! command -v "curl" >/dev/null; then

ci/lib.sh

@@ -3,11 +3,9 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-set -o nounset
-
 export tests_repo="${tests_repo:-github.com/kata-containers/tests}"
 export tests_repo_dir="$GOPATH/src/$tests_repo"
-export branch="${target_branch:-main}"
+export branch="${branch:-main}"
 
 # Clones the tests repository and checkout to the branch pointed out by
 # the global $branch variable.
@@ -17,7 +15,7 @@ export branch="${target_branch:-main}"
 clone_tests_repo()
 {
 	if [ -d "$tests_repo_dir" ]; then
-		[ -n "${CI:-}" ] && return
+		[ -n "$CI" ] && return
 		pushd "${tests_repo_dir}"
 		git checkout "${branch}"
 		git pull

ci/openshift-ci/images/Dockerfile.buildroot

@@ -4,11 +4,6 @@
 #
 # This is the build root image for Kata Containers on OpenShift CI.
 #
-FROM registry.centos.org/centos:8
+FROM centos:8
 
-RUN yum -y update && \
-    yum -y install \
-    git \
-    sudo \
-    wget && \
-    yum clean all
+RUN yum -y update && yum -y install git sudo wget

ci/run.sh

@@ -8,14 +8,9 @@
 set -e
 cidir=$(dirname "$0")
 source "${cidir}/lib.sh"
-export CI_JOB="${CI_JOB:-}"
 
 clone_tests_repo
 
 pushd ${tests_repo_dir}
 .ci/run.sh
-# temporary fix, see https://github.com/kata-containers/tests/issues/3878
-if [ "$(uname -m)" != "s390x" ] && [ "$CI_JOB" == "CRI_CONTAINERD_K8S_MINIMAL" ]; then
-	tracing/test-agent-shutdown.sh
-fi
 popd

docs/Developer-Guide.md

@@ -1,3 +1,55 @@
+- [Warning](#warning)
+- [Assumptions](#assumptions)
+- [Initial setup](#initial-setup)
+- [Requirements to build individual components](#requirements-to-build-individual-components)
+- [Build and install the Kata Containers runtime](#build-and-install-the-kata-containers-runtime)
+- [Check hardware requirements](#check-hardware-requirements)
+  - [Configure to use initrd or rootfs image](#configure-to-use-initrd-or-rootfs-image)
+  - [Enable full debug](#enable-full-debug)
+    - [debug logs and shimv2](#debug-logs-and-shimv2)
+      - [Enabling full `containerd` debug](#enabling-full-containerd-debug)
+      - [Enabling just `containerd shim` debug](#enabling-just-containerd-shim-debug)
+      - [Enabling `CRI-O` and `shimv2` debug](#enabling-cri-o-and-shimv2-debug)
+    - [journald rate limiting](#journald-rate-limiting)
+      - [`systemd-journald` suppressing messages](#systemd-journald-suppressing-messages)
+      - [Disabling `systemd-journald` rate limiting](#disabling-systemd-journald-rate-limiting)
+- [Create and install rootfs and initrd image](#create-and-install-rootfs-and-initrd-image)
+  - [Build a custom Kata agent - OPTIONAL](#build-a-custom-kata-agent---optional)
+  - [Get the osbuilder](#get-the-osbuilder)
+  - [Create a rootfs image](#create-a-rootfs-image)
+    - [Create a local rootfs](#create-a-local-rootfs)
+    - [Add a custom agent to the image - OPTIONAL](#add-a-custom-agent-to-the-image---optional)
+    - [Build a rootfs image](#build-a-rootfs-image)
+    - [Install the rootfs image](#install-the-rootfs-image)
+  - [Create an initrd image - OPTIONAL](#create-an-initrd-image---optional)
+    - [Create a local rootfs for initrd image](#create-a-local-rootfs-for-initrd-image)
+    - [Build an initrd image](#build-an-initrd-image)
+    - [Install the initrd image](#install-the-initrd-image)
+- [Install guest kernel images](#install-guest-kernel-images)
+- [Install a hypervisor](#install-a-hypervisor)
+  - [Build a custom QEMU](#build-a-custom-qemu)
+    - [Build a custom QEMU for aarch64/arm64 - REQUIRED](#build-a-custom-qemu-for-aarch64arm64---required)
+- [Run Kata Containers with Containerd](#run-kata-containers-with-containerd)
+- [Run Kata Containers with Kubernetes](#run-kata-containers-with-kubernetes)
+- [Troubleshoot Kata Containers](#troubleshoot-kata-containers)
+- [Appendices](#appendices)
+  - [Checking Docker default runtime](#checking-docker-default-runtime)
+  - [Set up a debug console](#set-up-a-debug-console)
+    - [Simple debug console setup](#simple-debug-console-setup)
+      - [Enable agent debug console](#enable-agent-debug-console)
+      - [Connect to debug console](#connect-to-debug-console)
+    - [Traditional debug console setup](#traditional-debug-console-setup)
+      - [Create a custom image containing a shell](#create-a-custom-image-containing-a-shell)
+      - [Build the debug image](#build-the-debug-image)
+      - [Configure runtime for custom debug image](#configure-runtime-for-custom-debug-image)
+      - [Create a container](#create-a-container)
+      - [Connect to the virtual machine using the debug console](#connect-to-the-virtual-machine-using-the-debug-console)
+        - [Enabling debug console for QEMU](#enabling-debug-console-for-qemu)
+        - [Enabling debug console for cloud-hypervisor / firecracker](#enabling-debug-console-for-cloud-hypervisor--firecracker)
+        - [Connecting to the debug console](#connecting-to-the-debug-console)
+  - [Obtain details of the image](#obtain-details-of-the-image)
+  - [Capturing kernel boot logs](#capturing-kernel-boot-logs)
+
 # Warning
 
 This document is written **specifically for developers**: it is not intended for end users.
@@ -86,16 +138,6 @@ One of the `initrd` and `image` options in Kata runtime config file **MUST** be
 The main difference between the options is that the size of `initrd`(10MB+) is significantly smaller than
 rootfs `image`(100MB+).
 
-## Enable seccomp
-
-Enable seccomp as follows:
-
-```
-$ sudo sed -i '/^disable_guest_seccomp/ s/true/false/' /etc/kata-containers/configuration.toml
-```
-
-This will pass container seccomp profiles to the kata agent.
-
 ## Enable full debug
 
 Enable full debug as follows:
@@ -226,18 +268,6 @@ $ go get -d -u github.com/kata-containers/kata-containers
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers/src/agent && make
 ```
 
-The agent is built with seccomp capability by default.
-If you want to build the agent without the seccomp capability, you need to run `make` with `SECCOMP=no` as follows.
-
-```
-$ make -C $GOPATH/src/github.com/kata-containers/kata-containers/src/agent SECCOMP=no
-```
-
-> **Note:**
->
-> - If you enable seccomp in the main configuration file but build the agent without seccomp capability,
->   the runtime exits conservatively with an error message.
-
 ## Get the osbuilder
 
 ```
@@ -256,21 +286,9 @@ the following example.
 $ export ROOTFS_DIR=${GOPATH}/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs
 $ sudo rm -rf ${ROOTFS_DIR}
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder
-$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true ./rootfs.sh ${distro}'
-```
-
-You MUST choose a distribution (e.g., `ubuntu`) for `${distro}`.
-You can get a supported distributions list in the Kata Containers by running the following.
-
-```
-$ ./rootfs.sh -l
-```
-
-If you want to build the agent without seccomp capability, you need to run the `rootfs.sh` script with `SECCOMP=no` as follows.
-
-```
-$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
+$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
 ```
+You MUST choose one of `alpine`, `centos`, `clearlinux`, `debian`, `euleros`, `fedora`, `suse`, and `ubuntu` for `${distro}`. By default `seccomp` packages are not included in the rootfs image. Set `SECCOMP` to `yes` to include them.
 
 > **Note:**
 >
@@ -286,7 +304,7 @@ $ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no
 > - You should only do this step if you are testing with the latest version of the agent.
 
 ```
-$ sudo install -o root -g root -m 0550 -t ${ROOTFS_DIR}/usr/bin ../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent
+$ sudo install -o root -g root -m 0550 -t ${ROOTFS_DIR}/bin ../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent
 $ sudo install -o root -g root -m 0440 ../../../src/agent/kata-agent.service ${ROOTFS_DIR}/usr/lib/systemd/system/
 $ sudo install -o root -g root -m 0440 ../../../src/agent/kata-containers.target ${ROOTFS_DIR}/usr/lib/systemd/system/
 ```
@@ -306,7 +324,6 @@ $ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh ${ROOTFS_DIR}'
 > - If you do *not* wish to build under Docker, remove the `USE_DOCKER`
 >   variable in the previous command and ensure the `qemu-img` command is
 >   available on your system.
->   - If `qemu-img` is not installed, you will likely see errors such as `ERROR: File /dev/loop19p1 is not a block device` and `losetup: /tmp/tmp.bHz11oY851: Warning: file is smaller than 512 bytes; the loop device may be useless or invisible for system tools`. These can be mitigated by installing the `qemu-img` command (available in the `qemu-img` package on Fedora or the `qemu-utils` package on Debian).
 
 
 ### Install the rootfs image
@@ -325,35 +342,23 @@ $ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers.img)
 $ export ROOTFS_DIR="${GOPATH}/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs"
 $ sudo rm -rf ${ROOTFS_DIR}
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder/rootfs-builder
-$ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true ./rootfs.sh ${distro}'
-```
-`AGENT_INIT` controls if the guest image uses the Kata agent as the guest `init` process. When you create an initrd image,
-always set `AGENT_INIT` to `yes`.
-
-You MUST choose a distribution (e.g., `ubuntu`) for `${distro}`.
-You can get a supported distributions list in the Kata Containers by running the following.
-
-```
-$ ./rootfs.sh -l
-```
-
-If you want to build the agent without seccomp capability, you need to run the `rootfs.sh` script with `SECCOMP=no` as follows.
-
-```
 $ script -fec 'sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true SECCOMP=no ./rootfs.sh ${distro}'
 ```
+`AGENT_INIT` controls if the guest image uses the Kata agent as the guest `init` process. When you create an initrd image,
+always set `AGENT_INIT` to `yes`. By default `seccomp` packages are not included in the initrd image. Set `SECCOMP` to `yes` to include them.
+
+You MUST choose one of `alpine`, `centos`, `clearlinux`, `euleros`, and `fedora` for `${distro}`.
 
 > **Note:**
 >
 > - Check the [compatibility matrix](../tools/osbuilder/README.md#platform-distro-compatibility-matrix) before creating rootfs.
 
-Optionally, add your custom agent binary to the rootfs with the following commands. The default `$LIBC` used
-is `musl`, but on ppc64le and s390x, `gnu` should be used. Also, Rust refers to ppc64le as `powerpc64le`:
+Optionally, add your custom agent binary to the rootfs with the following, `LIBC` default is `musl`, if `ARCH` is `ppc64le`, should set the `LIBC=gnu` and `ARCH=powerpc64le`:
 ```
-$ export ARCH=$(uname -m)
-$ [ ${ARCH} == "ppc64le" ] || [ ${ARCH} == "s390x" ] && export LIBC=gnu || export LIBC=musl
+$ export ARCH=$(shell uname -m)
+$ [ ${ARCH} == "ppc64le" ] && export LIBC=gnu || export LIBC=musl
 $ [ ${ARCH} == "ppc64le" ] && export ARCH=powerpc64le
-$ sudo install -o root -g root -m 0550 -T ../../../src/agent/target/${ARCH}-unknown-linux-${LIBC}/release/kata-agent ${ROOTFS_DIR}/sbin/init
+$ sudo install -o root -g root -m 0550 -T ../../../src/agent/target/$(ARCH)-unknown-linux-$(LIBC)/release/kata-agent ${ROOTFS_DIR}/sbin/init
 ```
 
 ### Build an initrd image
@@ -388,40 +393,14 @@ You may choose to manually build your VMM/hypervisor.
 Kata Containers makes use of upstream QEMU branch. The exact version
 and repository utilized can be found by looking at the [versions file](../versions.yaml).
 
-Find the correct version of QEMU from the versions file:
-```
-$ source ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/scripts/lib.sh
-$ qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
-$ echo ${qemu_version}
-```
-Get source from the matching branch of QEMU:
-```
-$ go get -d github.com/qemu/qemu
-$ cd ${GOPATH}/src/github.com/qemu/qemu
-$ git checkout ${qemu_version}
-$ your_qemu_directory=${GOPATH}/src/github.com/qemu/qemu
-```
-
-There are scripts to manage the build and packaging of QEMU. For the examples below, set your
-environment as:
-```
-$ go get -d github.com/kata-containers/kata-containers
-$ packaging_dir="${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging"
-```
-
-Kata often utilizes patches for not-yet-upstream and/or backported fixes for components,
-including QEMU. These can be found in the [packaging/QEMU directory](../tools/packaging/qemu/patches),
-and it's *recommended* that you apply them. For example, suppose that you are going to build QEMU
-version 5.2.0, do:
-```
-$ cd $your_qemu_directory
-$ $packaging_dir/scripts/apply_patches.sh $packaging_dir/qemu/patches/5.2.x/
-```
+Kata often utilizes patches for not-yet-upstream fixes for components,
+including QEMU. These can be found in the [packaging/QEMU directory](../tools/packaging/qemu/patches)
 
 To build utilizing the same options as Kata, you should make use of the `configure-hypervisor.sh` script. For example:
 ```
+$ go get -d github.com/kata-containers/kata-containers/tools/packaging
 $ cd $your_qemu_directory
-$ $packaging_dir/scripts/configure-hypervisor.sh kata-qemu > kata.cfg
+$ ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/scripts/configure-hypervisor.sh kata-qemu > kata.cfg
 $ eval ./configure "$(cat kata.cfg)"
 $ make -j $(nproc)
 $ sudo -E make install
@@ -463,7 +442,7 @@ script and paste its output directly into a
 > [runtime](../src/runtime) repository.
 
 To perform analysis on Kata logs, use the
-[`kata-log-parser`](https://github.com/kata-containers/tests/tree/main/cmd/log-parser)
+[`kata-log-parser`](https://github.com/kata-containers/tests/tree/master/cmd/log-parser)
 tool, which can convert the logs into formats (e.g. JSON, TOML, XML, and YAML).
 
 See [Set up a debug console](#set-up-a-debug-console).
@@ -496,16 +475,6 @@ debug_console_enabled = true
 
 This will pass `agent.debug_console agent.debug_console_vport=1026` to agent as kernel parameters, and sandboxes created using this parameters will start a shell in guest if new connection is accept from VSOCK.
 
-#### Start `kata-monitor` - ONLY NEEDED FOR 2.0.x
-
-For Kata Containers `2.0.x` releases, the `kata-runtime exec` command depends on the`kata-monitor` running, in order to get the sandbox's `vsock` address to connect to. Thus, first start the `kata-monitor` process.
-
-```
-$ sudo kata-monitor
-```
-
-`kata-monitor` will serve at `localhost:8090` by default.
-
 #### Connect to debug console
 
 Command `kata-runtime exec` is used to connect to the debug console.
@@ -650,7 +619,7 @@ VMM solution.
 
 In case of cloud-hypervisor, connect to the `vsock` as shown:
 ```
-$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
+$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id}/root/ && socat stdin unix-connect:clh.sock'
 CONNECT 1026
 ```
 
@@ -658,7 +627,7 @@ CONNECT 1026
 
 For firecracker, connect to the `hvsock` as shown:
 ```
-$ sudo su -c 'cd /var/run/vc/firecracker/${sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
+$ sudo su -c 'cd /var/run/vc/firecracker/{sandbox_id}/root/ && socat stdin unix-connect:kata.hvsock'
 CONNECT 1026
 ```
 
@@ -667,7 +636,7 @@ CONNECT 1026
 
 For QEMU, connect to the `vsock` as shown:
 ```
-$ sudo su -c 'cd /var/run/vc/vm/${sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"'
+$ sudo su -c 'cd /var/run/vc/vm/{sandbox_id} && socat "stdin,raw,echo=0,escape=0x11" "unix-connect:console.sock"
 ```
 
 To disconnect from the virtual machine, type `CONTROL+q` (hold down the

docs/Documentation-Requirements.md

@@ -1,3 +1,16 @@
+* [Introduction](#introduction)
+* [General requirements](#general-requirements)
+* [Linking advice](#linking-advice)
+* [Notes](#notes)
+* [Warnings and other admonitions](#warnings-and-other-admonitions)
+* [Files and command names](#files-and-command-names)
+* [Code blocks](#code-blocks)
+* [Images](#images)
+* [Spelling](#spelling)
+* [Names](#names)
+* [Version numbers](#version-numbers)
+* [The apostrophe](#the-apostrophe)
+
 # Introduction
 
 This document outlines the requirements for all documentation in the [Kata
@@ -10,6 +23,10 @@ All documents must:
 - Be written in simple English.
 - Be written in [GitHub Flavored Markdown](https://github.github.com/gfm) format.
 - Have a `.md` file extension.
+- Include a TOC (table of contents) at the top of the document with links to
+  all heading sections. We recommend using the
+  [`kata-check-markdown`](https://github.com/kata-containers/tests/tree/master/cmd/check-markdown)
+  tool to generate the TOC.
 - Be linked to from another document in the same repository.
 
   Although GitHub allows navigation of the entire repository, it should be
@@ -26,10 +43,6 @@ All documents must:
   which can then execute the commands specified to ensure the instructions are
   correct. This avoids documents becoming out of date over time.
 
-> **Note:**
->
-> Do not add a table of contents (TOC) since GitHub will auto-generate one.
-
 # Linking advice
 
 Linking between documents is strongly encouraged to help users and developers
@@ -105,7 +118,7 @@ This section lists requirements for displaying commands and command output.
 The requirements must be adhered to since documentation containing code blocks
 is validated by the CI system, which executes the command blocks with the help
 of the
-[doc-to-script](https://github.com/kata-containers/tests/tree/main/.ci/kata-doc-to-script.sh)
+[doc-to-script](https://github.com/kata-containers/tests/tree/master/.ci/kata-doc-to-script.sh)
 utility.
 
 - If a document includes commands the user should run, they **MUST** be shown
@@ -189,7 +202,7 @@ and compare them with standard tools (e.g. `diff(1)`).
 
 Since this project uses a number of terms not found in conventional
 dictionaries, we have a
-[spell checking tool](https://github.com/kata-containers/tests/tree/main/cmd/check-spelling)
+[spell checking tool](https://github.com/kata-containers/tests/tree/master/cmd/check-spelling)
 that checks both dictionary words and the additional terms we use.
 
 Run the spell checking tool on your document before raising a PR to ensure it

docs/Licensing-strategy.md

@@ -1,5 +1,9 @@
 # Licensing strategy
 
+* [Project License](#project-license)
+* [License file](#license-file)
+* [License for individual files](#license-for-individual-files)      
+
 ## Project License
 
 The license for the [Kata Containers](https://github.com/kata-containers)

docs/Limitations.md

@@ -1,3 +1,35 @@
+* [Overview](#overview)
+* [Definition of a limitation](#definition-of-a-limitation)
+* [Scope](#scope)
+* [Contributing](#contributing)
+* [Pending items](#pending-items)
+    * [Runtime commands](#runtime-commands)
+        * [checkpoint and restore](#checkpoint-and-restore)
+        * [events command](#events-command)
+        * [update command](#update-command)
+    * [Networking](#networking)
+        * [Docker swarm and compose support](#docker-swarm-and-compose-support)
+    * [Resource management](#resource-management)
+        * [docker run and shared memory](#docker-run-and-shared-memory)
+        * [docker run and sysctl](#docker-run-and-sysctl)
+    * [Docker daemon features](#docker-daemon-features)
+        * [SELinux support](#selinux-support)
+* [Architectural limitations](#architectural-limitations)
+    * [Networking limitations](#networking-limitations)
+        * [Support for joining an existing VM network](#support-for-joining-an-existing-vm-network)
+        * [docker --net=host](#docker---nethost)
+        * [docker run --link](#docker-run---link)
+    * [Storage limitations](#storage-limitations)
+        * [Kubernetes `volumeMounts.subPaths`](#kubernetes-volumemountssubpaths)
+    * [Host resource sharing](#host-resource-sharing)
+        * [docker run --privileged](#docker-run---privileged)
+* [Miscellaneous](#miscellaneous)
+    * [Docker --security-opt option partially supported](#docker---security-opt-option-partially-supported)
+* [Appendices](#appendices)
+    * [The constraints challenge](#the-constraints-challenge)
+
+***
+
 # Overview
 
 A [Kata Container](https://github.com/kata-containers) utilizes a Virtual Machine (VM) to enhance security and

docs/README.md

@@ -1,5 +1,16 @@
 # Documentation
 
+* [Getting Started](#getting-started)
+* [More User Guides](#more-user-guides)
+* [Kata Use-Cases](#kata-use-cases)
+* [Developer Guide](#developer-guide)
+    * [Design and Implementations](#design-and-implementations)
+    * [How to Contribute](#how-to-contribute)
+    * [Code Licensing](#code-licensing)
+    * [The Release Process](#the-release-process)
+* [Help Improving the Documents](#help-improving-the-documents)
+* [Website Changes](#website-changes)
+
 The [Kata Containers](https://github.com/kata-containers)
 documentation repository hosts overall system documentation, with information
 common to multiple components.
@@ -11,10 +22,6 @@ For details of the other Kata Containers repositories, see the
 
 * [Installation guides](./install/README.md): Install and run Kata Containers with Docker or Kubernetes
 
-## Tracing
-
-See the [tracing documentation](tracing.md).
-
 ## More User Guides
 
 * [Upgrading](Upgrading.md): how to upgrade from [Clear Containers](https://github.com/clearcontainers) and [runV](https://github.com/hyperhq/runv) to [Kata Containers](https://github.com/kata-containers) and how to upgrade an existing Kata Containers system to the latest version.
@@ -44,7 +51,6 @@ Documents that help to understand and contribute to Kata Containers.
 * [Kata Containers Architecture](design/architecture.md): Architectural overview of Kata Containers
 * [Kata Containers E2E Flow](design/end-to-end-flow.md): The entire end-to-end flow of Kata Containers
 * [Kata Containers design](./design/README.md): More Kata Containers design documents
-* [Kata Containers threat model](./threat-model/threat-model.md): Kata Containers threat model
 
 ### How to Contribute
 

docs/Release-Process.md

@@ -1,6 +1,20 @@
+
 # How to do a Kata Containers Release
   This document lists the tasks required to create a Kata Release.
 
+<!-- TOC START min:1 max:3 link:true asterisk:false update:true -->
+- [How to do a Kata Containers Release](#how-to-do-a-kata-containers-release)
+  - [Requirements](#requirements)
+  - [Release Process](#release-process)
+    - [Bump all Kata repositories](#bump-all-kata-repositories)
+    - [Merge all bump version Pull requests](#merge-all-bump-version-pull-requests)
+    - [Tag all Kata repositories](#tag-all-kata-repositories)
+    - [Check Git-hub Actions](#check-git-hub-actions)
+    - [Create release notes](#create-release-notes)
+    - [Announce the release](#announce-the-release)
+<!-- TOC END -->
+
+
 ## Requirements
 
 - [hub](https://github.com/github/hub)
@@ -15,7 +29,6 @@
 
 ## Release Process
 
-
 ### Bump all Kata repositories
 
   Bump the repositories using a script in the Kata packaging repo, where:
@@ -28,23 +41,6 @@
   $ ./update-repository-version.sh -p "$NEW_VERSION" "$BRANCH"
   ```
 
-### Point tests repository to stable branch
-
-  If you create a new stable branch, i.e. if your release changes a major or minor version number (not a patch release), then
-  you should modify the `tests` repository to point to that newly created stable branch and not the `main` branch.
-  The objective is that changes in the CI on the main branch will not impact the stable branch.
-
-  In the test directory, change references the main branch in:
-  * `README.md`
-  * `versions.yaml`
-  * `cmd/github-labels/labels.yaml.in`
-  * `cmd/pmemctl/pmemctl.sh`
-  * `.ci/lib.sh`
-  * `.ci/static-checks.sh`
-
-  See the commits in [the corresponding PR for stable-2.1](https://github.com/kata-containers/tests/pull/3504) for an example of the changes.
-
-
 ### Merge all bump version Pull requests
 
   - The above step will create a GitHub pull request in the Kata projects. Trigger the CI using `/test` command on each bump Pull request.
@@ -54,7 +50,7 @@
 ### Tag all Kata repositories
 
   Once all the pull requests to bump versions in all Kata repositories are merged,
-  tag all the repositories as shown below.
+  tag all the repositories as shown below.  
   ```
   $ cd ${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/release
   $ git checkout  <kata-branch-to-release>
@@ -64,7 +60,7 @@
 
 ### Check Git-hub Actions
 
-  We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/main/.github/workflows/release.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-containers` repository.
+  We make use of [GitHub actions](https://github.com/features/actions) in this [file](https://github.com/kata-containers/kata-containers/blob/main/.github/workflows/main.yaml) in the `kata-containers/kata-containers` repository to build and upload release artifacts. This action is auto triggered with the above step when a new tag is pushed to the `kata-containers/kata-containers` repository.
 
   Check the [actions status page](https://github.com/kata-containers/kata-containers/actions) to verify all steps in the actions workflow have completed successfully. On success, a static tarball containing Kata release artifacts will be uploaded to the [Release page](https://github.com/kata-containers/kata-containers/releases).
 

docs/Stable-Branch-Strategy.md

@@ -32,16 +32,16 @@ provides additional information regarding release `99.123.77` in the previous ex
   changing the existing behavior*.
 
 - When `MAJOR` increases, the new release adds **new features, bug fixes, or
-  both** and which **changes the behavior from the previous release** (incompatible with previous releases).
+  both** and which *changes the behavior from the previous release* (incompatible with previous releases).
 
   A major release will also likely require a change of the container manager version used, 
-for example Containerd or CRI-O. Please refer to the release notes for further details.
+for example Docker\*. Please refer to the release notes for further details.
 
 ## Release Strategy
 
 Any new features added since the last release will be available in the next minor
 release. These will include bug fixes as well. To facilitate a stable user environment, 
-Kata provides stable branch-based releases and a main branch release.
+Kata provides stable branch-based releases and a master branch release.
 
 ## Stable branch patch criteria
 
@@ -49,10 +49,9 @@ No new features should be introduced to stable branches.  This is intended to li
 providing only bug and security fixes.
 
 ## Branch Management
-Kata Containers will maintain **one** stable release branch, in addition to the main branch, for
-each active major release.
-Once a new MAJOR or MINOR release is created from main, a new stable branch is created for
-the prior MAJOR or MINOR release and the previous stable branch is no longer maintained. End of
+Kata Containers will maintain two stable release branches in addition to the master branch.
+Once a new MAJOR or MINOR release is created from master, a new stable branch is created for
+the prior MAJOR or MINOR release and the older stable branch is no longer maintained. End of
 maintenance for a branch is announced on the Kata Containers mailing list.  Users can determine
 the version currently installed by running `kata-runtime kata-env`. It is recommended to use the
 latest stable branch available.
@@ -62,59 +61,59 @@ A couple of examples follow to help clarify this process.
 ### New bug fix introduced
 
 A bug fix is submitted against the runtime which does not introduce new inter-component dependencies.
-This fix is applied to both the main and stable branches, and there is no need to create a new
+This fix is applied to both the master and stable branches, and there is no need to create a new
 stable branch.
 
 | Branch | Original version | New version |
 |--|--|--|
-| `main` | `2.3.0-rc0` | `2.3.0-rc1` |
-| `stable-2.2` | `2.2.0` | `2.2.1` |
-| `stable-2.1` | (unmaintained) | (unmaintained) |
+| `master` | `1.3.0-rc0` | `1.3.0-rc1` |
+| `stable-1.2` | `1.2.0` | `1.2.1` |
+| `stable-1.1` | `1.1.2` | `1.1.3` |
 
 
 ### New release made feature or change adding new inter-component dependency
 
 A new feature is introduced, which adds a new inter-component dependency. In this case a new stable
-branch is created (stable-2.3) starting from main and the previous stable branch (stable-2.2)
+branch is created (stable-1.3) starting from master and the older stable branch (stable-1.1)
 is dropped from maintenance.
 
 
 | Branch | Original version | New version |
 |--|--|--|
-| `main` | `2.3.0-rc1` | `2.3.0` |
-| `stable-2.3` | N/A| `2.3.0` |
-| `stable-2.2` | `2.2.1` | (unmaintained) |
-| `stable-2.1` | (unmaintained) | (unmaintained) |
+| `master` | `1.3.0-rc1` | `1.3.0` |
+| `stable-1.3` | N/A| `1.3.0` |
+| `stable-1.2` | `1.2.1` | `1.2.2` |
+| `stable-1.1` | `1.1.3` | (unmaintained) |
 
-Note, the stable-2.2 branch will still exist with tag 2.2.1, but under current plans it is
-not maintained further. The next tag applied to main will be 2.4.0-alpha0. We would then
+Note, the stable-1.1 branch will still exist with tag 1.1.3, but under current plans it is
+not maintained further. The next tag applied to master will be 1.4.0-alpha0. We would then
 create a couple of alpha releases gathering features targeted for that particular release (in
-this case 2.4.0), followed by a release candidate. The release candidate marks a feature freeze.
+this case 1.4.0), followed by a release candidate. The release candidate marks a feature freeze.
 A new stable branch is created for the release candidate. Only bug fixes and any security issues
-are added to the branch going forward until release 2.4.0 is made.
+are added to the branch going forward until release 1.4.0 is made.
    
 ## Backporting Process 
 
-Development that occurs against the main branch and applicable code commits should also be submitted
+Development that occurs against the master branch and applicable code commits should also be submitted
 against the stable branches. Some guidelines for this process follow::
   1. Only bug and security fixes which do not introduce inter-component dependencies are
  candidates for stable branches. These PRs should be marked with "bug" in GitHub.
-  2. Once a PR is created against main which meets requirement of (1), a comparable one
+  2. Once a PR is created against master which meets requirement of (1), a comparable one
  should also be submitted against the stable branches. It is the responsibility of the submitter
  to apply their pull request against stable, and it is the responsibility of the
  reviewers to help identify stable-candidate pull requests.
  
 ## Continuous Integration Testing
 
-The test repository is forked to create stable branches from main. Full CI
-runs on each stable and main PR using its respective tests repository branch.
+The test repository is forked to create stable branches from master. Full CI
+runs on each stable and master PR using its respective tests repository branch.
 
 ### An alternative method for CI testing:
 
-Ideally, the continuous integration infrastructure will run the same test suite on both main
+Ideally, the continuous integration infrastructure will run the same test suite on both master
 and the stable branches.  When tests are modified or new feature tests are introduced, explicit
 logic should exist within the testing CI to make sure only applicable tests are executed against
-stable and main. While this is not in place currently, it should be considered in the long term.
+stable and master. While this is not in place currently, it should be considered in the long term.
 
 ## Release Management
 
@@ -122,7 +121,7 @@ stable and main. While this is not in place currently, it should be considered i
 
 Releases are made every three weeks, which include a GitHub release as
 well as binary packages. These patch releases are made for both stable branches, and a "release candidate"
-for the next `MAJOR` or `MINOR` is created from main. If there are no changes across all the repositories, no
+for the next `MAJOR` or `MINOR` is created from master. If there are no changes across all the repositories, no
 release is created and an announcement is made on the developer mailing list to highlight this.
 If a release is being made, each repository is tagged for this release, regardless
 of whether changes are introduced. The release schedule can be seen on the
@@ -143,10 +142,10 @@ maturity, we have increased the cadence from six weeks to twelve weeks. The rele
 ### Compatibility
 Kata guarantees compatibility between components that are within one minor release of each other. 
  
-This is critical for dependencies which cross between host (shimv2 runtime) and
+This is critical for dependencies which cross between host (runtime, shim, proxy) and
 the guest (hypervisor, rootfs and agent).  For example, consider a cluster with a long-running
-deployment, workload-never-dies, all on Kata version 2.1.3 components. If the operator updates
-the Kata components to the next new minor release (i.e. 2.2.0), we need to guarantee that the 2.2.0
-shimv2 runtime still communicates with 2.1.3 agent within workload-never-dies.
+deployment, workload-never-dies, all on Kata version 1.1.3 components. If the operator updates
+the Kata components to the next new minor release (i.e. 1.2.0), we need to guarantee that the 1.2.0
+runtime still communicates with 1.1.3 agent within workload-never-dies.
 
 Handling live-update is out of the scope of this document. See this [`kata-runtime` issue](https://github.com/kata-containers/runtime/issues/492) for details.

docs/Upgrading.md

@@ -1,3 +1,16 @@
+* [Introduction](#introduction)
+* [Maintenance warning](#maintenance-warning)
+* [Determine current version](#determine-current-version)
+* [Determine latest version](#determine-latest-version)
+* [Configuration changes](#configuration-changes)
+* [Upgrade Kata Containers](#upgrade-kata-containers)
+    * [Upgrade native distribution packaged version](#upgrade-native-distribution-packaged-version)
+    * [Static installation](#static-installation)
+        * [Determine if you are using a static installation](#determine-if-you-are-using-a-static-installation)
+        * [Remove a static installation](#remove-a-static-installation)
+        * [Upgrade a static installation](#upgrade-a-static-installation)
+* [Custom assets](#custom-assets)
+
 # Introduction
 
 This document outlines the options for upgrading from a

docs/design/README.md

@@ -8,9 +8,4 @@ Kata Containers design documents:
 - [VSocks](VSocks.md)
 - [VCPU handling](vcpu-handling.md)
 - [Host cgroups](host-cgroups.md)
-- [`Inotify` support](inotify.md)
 - [Metrics(Kata 2.0)](kata-2-0-metrics.md)
-
----
-
-- [Design proposals](proposals)

docs/design/VSocks.md

@@ -1,5 +1,12 @@
 # Kata Containers and VSOCKs
 
+- [Introduction](#introduction)
+    - [VSOCK communication diagram](#vsock-communication-diagram)
+- [System requirements](#system-requirements)
+- [Advantages of using VSOCKs](#advantages-of-using-vsocks)
+    - [High density](#high-density)
+    - [Reliability](#reliability)
+
 ## Introduction
 
 There are two different ways processes in the virtual machine can communicate

docs/design/architecture.md

@@ -1,5 +1,26 @@
 # Kata Containers Architecture
 
+
+- [Kata Containers Architecture](#kata-containers-architecture)
+  - [Overview](#overview)
+  - [Virtualization](#virtualization)
+  - [Guest assets](#guest-assets)
+    - [Guest kernel](#guest-kernel)
+    - [Guest image](#guest-image)
+      - [Root filesystem image](#root-filesystem-image)
+      - [Initrd image](#initrd-image)
+  - [Agent](#agent)
+  - [Runtime](#runtime)
+    - [Configuration](#configuration)
+  - [Networking](#networking)
+    - [Network Hotplug](#network-hotplug)
+  - [Storage](#storage)
+  - [Kubernetes support](#kubernetes-support)
+      - [OCI annotations](#oci-annotations)
+      - [Mixing VM based and namespace based runtimes](#mixing-vm-based-and-namespace-based-runtimes)
+- [Appendices](#appendices)
+  - [DAX](#dax)
+
 ## Overview
 
 This is an architectural overview of Kata Containers, based on the 2.0 release.
@@ -14,7 +35,7 @@ through the [CRI-O\*](https://github.com/kubernetes-incubator/cri-o) and
 
 Kata Containers creates a QEMU\*/KVM virtual machine for pod that `kubelet` (Kubernetes) creates respectively.
 
-The [`containerd-shim-kata-v2` (shown as `shimv2` from this point onwards)](../../src/runtime/cmd/containerd-shim-kata-v2/)
+The [`containerd-shim-kata-v2` (shown as `shimv2` from this point onwards)](../../src/runtime/containerd-shim-v2) 
 is the Kata Containers entrypoint, which
 implements the [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2) for Kata.
 
@@ -259,7 +280,7 @@ With `RuntimeClass`, users can define Kata Containers as a `RuntimeClass` and th
 
 ## DAX
 
-Kata Containers utilizes the Linux kernel DAX [(Direct Access filesystem)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/dax.rst?h=v5.14)
+Kata Containers utilizes the Linux kernel DAX [(Direct Access filesystem)](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/dax.txt)
 feature to efficiently map some host-side files into the guest VM space.
 In particular, Kata Containers uses the QEMU NVDIMM feature to provide a
 memory-mapped virtual device that can be used to DAX map the virtual machine's

docs/design/end-to-end-flow.md

@@ -1,3 +1,4 @@
 # Kata Containers E2E Flow
 
+
 ![Kata containers e2e flow](arch-images/katacontainers-e2e-with-bg.jpg)

docs/design/host-cgroups.md

@@ -1,3 +1,18 @@
+- [Host cgroup management](#host-cgroup-management)
+  - [Introduction](#introduction)
+  - [`SandboxCgroupOnly` enabled](#sandboxcgrouponly-enabled)
+    - [What does Kata do in this configuration?](#what-does-kata-do-in-this-configuration)
+    - [Why create a Kata-cgroup under the parent cgroup?](#why-create-a-kata-cgroup-under-the-parent-cgroup)
+    - [Improvements](#improvements)
+  - [`SandboxCgroupOnly` disabled (default, legacy)](#sandboxcgrouponly-disabled-default-legacy)
+    - [What does this method do?](#what-does-this-method-do)
+      - [Impact](#impact)
+- [Supported cgroups](#supported-cgroups)
+  - [Cgroups V1](#cgroups-v1)
+  - [Cgroups V2](#cgroups-v2)
+    - [Distro Support](#distro-support)
+- [Summary](#summary)
+
 # Host cgroup management
 
 ## Introduction
@@ -12,244 +27,187 @@ The OCI [runtime specification][linux-config] provides guidance on where the con
   > [`cgroupsPath`][cgroupspath]: (string, OPTIONAL) path to the cgroups. It can be used to either control the cgroups
   > hierarchy for containers or to run a new process in an existing container
 
-Cgroups are hierarchical, and this can be seen with the following pod example:
+cgroups are hierarchical, and this can be seen with the following pod example:
 
 - Pod 1: `cgroupsPath=/kubepods/pod1`
-  - Container 1: `cgroupsPath=/kubepods/pod1/container1`
-  - Container 2: `cgroupsPath=/kubepods/pod1/container2`
+  - Container 1:
+`cgroupsPath=/kubepods/pod1/container1`
+  - Container 2:
+`cgroupsPath=/kubepods/pod1/container2`
 
 - Pod 2: `cgroupsPath=/kubepods/pod2`
-  - Container 1: `cgroupsPath=/kubepods/pod2/container2`
-  - Container 2: `cgroupsPath=/kubepods/pod2/container2`
+  - Container 1:
+`cgroupsPath=/kubepods/pod2/container2`
+  - Container 2:
+`cgroupsPath=/kubepods/pod2/container2`
 
-Depending on the upper-level orchestration layers, the cgroup under which the pod is placed is
-managed by the orchestrator or not. In the case of Kubernetes, the pod cgroup is created by Kubelet,
-while the container cgroups are to be handled by the runtime.
-Kubelet will size the pod cgroup based on the container resource requirements, to which it may add
-a configured set of [pod resource overheads](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/).
+Depending on the upper-level orchestrator, the cgroup under which the pod is placed is
+managed by the orchestrator. In the case of Kubernetes, the pod-cgroup is created by Kubelet,
+while the container cgroups are to be handled by the runtime. Kubelet will size the pod-cgroup
+based on the container resource requirements.
 
-Kata Containers introduces a non-negligible resource overhead for running a sandbox (pod). Typically, the Kata shim,
-through its underlying VMM invocation, will create many additional threads compared to process based container runtimes:
-the para-virtualized I/O back-ends, the VMM instance or even the Kata shim process, all of those host processes consume
-memory and CPU time not directly tied to the container workload, and introduces a sandbox resource overhead.
-In order for a Kata workload to run without significant performance degradation, its sandbox overhead must be
-provisioned accordingly. Two scenarios are possible:
+Kata Containers introduces a non-negligible overhead for running a sandbox (pod). Based on this, two scenarios are possible:
+ 1) The upper-layer orchestrator takes the overhead of running a sandbox into account when sizing the pod-cgroup, or
+ 2) Kata Containers do not fully constrain the VMM and associated processes, instead placing a subset of them outside of the pod-cgroup.
 
- 1) The upper-layer orchestrator takes the overhead of running a sandbox into account when sizing the pod cgroup.
-    For example, Kubernetes [`PodOverhead`](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/)
-	feature lets the orchestrator add a configured sandbox overhead to the sum of all its containers resources. In
-	that case, the pod sandbox is properly sized and all Kata created processes will run under the pod cgroup
-	defined constraints and limits.
- 2) The upper-layer orchestrator does **not** take the sandbox overhead into account and the pod cgroup is not
-	sized to properly run all Kata created processes. With that scenario, attaching all the Kata processes to the sandbox
-	cgroup may lead to non-negligible workload performance degradations. As a consequence, Kata Containers will move
-	all processes but the vCPU threads into a dedicated overhead cgroup under `/kata_overhead`. The Kata runtime will
-	not apply any constraints or limits to that cgroup, it is up to the infrastructure owner to optionally set it up.
+Kata Containers provides two options for how cgroups are handled on the host. Selection of these options is done through
+the `SandboxCgroupOnly` flag within the Kata Containers [configuration](../../src/runtime/README.md#configuration)
+file.
 
-Those 2 scenarios are not dynamically detected by the Kata Containers runtime implementation, and thus the
-infrastructure owner must configure the runtime according to how the upper-layer orchestrator creates and sizes the
-pod cgroup. That configuration selection is done through the `sandbox_cgroup_only` flag within the Kata Containers
-[configuration](../../src/runtime/README.md#configuration) file.
+## `SandboxCgroupOnly` enabled
 
-## `sandbox_cgroup_only = true`
+With `SandboxCgroupOnly` enabled, it is expected that the parent cgroup is sized to take the overhead of running
+a sandbox into account. This is ideal, as all the applicable Kata Containers components can be placed within the
+given cgroup-path.
 
-Setting `sandbox_cgroup_only` to `true` from the Kata Containers configuration file means that the pod cgroup is
-properly sized and takes the pod overhead into account. This is ideal, as all the applicable Kata Containers processes
-can simply be placed within the given cgroup path.
-
-In the context of Kubernetes, Kubelet can size the pod cgroup to take the overhead of running a Kata-based sandbox
-into account. This has been supported since the 1.16 Kubernetes release, through the
-[`PodOverhead`](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/) feature.
+In the context of Kubernetes, Kubelet will size the pod-cgroup to take the overhead of running a Kata-based sandbox
+into account. This will be feasible in the 1.16 Kubernetes release through the `PodOverhead` feature.
 
 ```
-┌─────────────────────────────────────────┐
-│                                         │
-│  ┌──────────────────────────────────┐   │
-│  │                                  │   │
-│  │ ┌─────────────────────────────┐  │   │
-│  │ │                             │  │   │
-│  │ │ ┌─────────────────────┐     │  │   │
-│  │ │ │ vCPU threads        │     │  │   │
-│  │ │ │ I/O threads         │     │  │   │
-│  │ │ │ VMM                 │     │  │   │
-│  │ │ │ Kata Shim           │     │  │   │
-│  │ │ │                     │     │  │   │
-│  │ │ │ /kata_<sandbox_id>  │     │  │   │
-│  │ │ └─────────────────────┘     │  │   │
-│  │ │Pod 1                        │  │   │
-│  │ └─────────────────────────────┘  │   │
-│  │                                  │   │
-│  │ ┌─────────────────────────────┐  │   │
-│  │ │                             │  │   │
-│  │ │ ┌─────────────────────┐     │  │   │
-│  │ │ │ vCPU threads        │     │  │   │
-│  │ │ │ I/O threads         │     │  │   │
-│  │ │ │ VMM                 │     │  │   │
-│  │ │ │ Kata Shim           │     │  │   │
-│  │ │ │                     │     │  │   │
-│  │ │ │ /kata_<sandbox_id>  │     │  │   │
-│  │ │ └─────────────────────┘     │  │   │
-│  │ │Pod 2                        │  │   │
-│  │ └─────────────────────────────┘  │   │
-│  │                                  │   │
-│  │/kubepods                         │   │
-│  └──────────────────────────────────┘   │
-│                                         │
-│ Node                                    │
-└─────────────────────────────────────────┘
++----------------------------------------------------------+
+|    +---------------------------------------------------+ |
+|    |   +---------------------------------------------+ | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |   | kata-shimv2, VMM and threads:        |  | | |
+|    |   |   |  (VMM, IO-threads, vCPU threads, etc)|  | | |
+|    |   |   |                                      |  | | |
+|    |   |   | kata_<sandbox-id>                    |  | | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |                                             | | |
+|    |   |Pod 1                                        | | |
+|    |   +---------------------------------------------+ | |
+|    |                                                   | |
+|    |   +---------------------------------------------+ | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |   | kata-shimv2, VMM and threads:        |  | | |
+|    |   |   |  (VMM, IO-threads, vCPU threads, etc)|  | | |
+|    |   |   |                                      |  | | |
+|    |   |   | kata_<sandbox-id>                    |  | | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |Pod 2                                        | | |
+|    |   +---------------------------------------------+ | |
+|    |kubepods                                           | |
+|    +---------------------------------------------------+ |
+|                                                          |
+|Node                                                      |
++----------------------------------------------------------+
 ```
 
-### Implementation details
+### What does Kata do in this configuration?
+1. Given a `PodSandbox` container creation, let:
 
-When `sandbox_cgroup_only` is enabled, the Kata shim will create a per pod
-sub-cgroup under the pod's dedicated cgroup. For example, in the Kubernetes context,
-it will create a `/kata_<PodSandboxID>` under the `/kubepods` cgroup hierarchy.
-On a typical cgroup v1 hierarchy mounted under `/sys/fs/cgroup/`, the memory cgroup
-subsystem for a pod with sandbox ID `12345678` would live under
-`/sys/fs/cgroup/memory/kubepods/kata_12345678`.
+   ```
+   podCgroup=Parent(container.CgroupsPath)
+   KataSandboxCgroup=<podCgroup>/kata_<PodSandboxID>
+   ```
 
-In most cases, the `/kata_<PodSandboxID>` created cgroup is unrestricted and inherits and shares all
-constraints and limits from the parent cgroup (`/kubepods` in the Kubernetes case). The exception is
-for the `cpuset` and `devices` cgroup subsystems, which are managed by the Kata shim.
+2. Create the cgroup, `KataSandboxCgroup`
 
-After creating the `/kata_<PodSandboxID>` cgroup, the Kata Containers shim will move itself to it, **before** starting
-the virtual machine. As a consequence all processes subsequently created by the Kata Containers shim (the VMM itself, and
-all vCPU and I/O related threads) will be created in the `/kata_<PodSandboxID>` cgroup.
+3. Join the `KataSandboxCgroup`
 
-### Why create a kata-cgroup under the parent cgroup?
+Any process created by the runtime will be created in `KataSandboxCgroup`.
+The runtime will limit the cgroup in the host only if the sandbox doesn't have a
+container type annotation, but the caller is free to set the proper limits for the `podCgroup`.
 
-And why not directly adding the per sandbox shim directly to the pod cgroup (e.g. 
-`/kubepods` in the Kubernetes context)?
+In the example above the pod cgroups are `/kubepods/pod1` and `/kubepods/pod2`.
+Kata creates the unrestricted sandbox cgroup under the pod cgroup.
 
-The Kata Containers shim implementation creates a per-sandbox cgroup
-(`/kata_<PodSandboxID>`) to support the `Docker` use case. Although `Docker` does not
-have a notion of pods, Kata Containers still creates a sandbox to support the pod-less,
-single container use case that `Docker` implements. Since `Docker` does create any
-cgroup hierarchy to place a container into, it would be very complex for Kata to map
-a particular container to its sandbox without placing it under a `/kata_<containerID>>`
-sub-cgroup first.
+### Why create a Kata-cgroup under the parent cgroup?
 
-### Advantages
+`Docker` does not have a notion of pods, and will not create a cgroup directory
+to place a particular container in (i.e., all containers would be in a path like
+`/docker/container-id`. To simplify the implementation and continue to support `Docker`,
+Kata Containers creates the sandbox-cgroup, in the case of Kubernetes, or a container cgroup, in the case
+of docker.
 
-Keeping all Kata Containers processes under a properly sized pod cgroup is ideal
-and makes for a simpler Kata Containers implementation. It also helps with gathering
-accurate statistics and preventing Kata workloads from being noisy neighbors.
+### Improvements
 
-#### Pod resources statistics
+- Get statistics about pod resources
 
 If the Kata caller wants to know the resource usage on the host it can get
 statistics from the pod cgroup. All cgroups stats in the hierarchy will include
 the Kata overhead. This gives the possibility of gathering usage-statics at the
 pod level and the container level.
 
-#### Better host resource isolation
+- Better host resource isolation
 
 Because the Kata runtime will place all the Kata processes in the pod cgroup,
 the resource limits that the caller applies to the pod cgroup will affect all
 processes that belong to the Kata sandbox in the host. This will improve the
 isolation in the host preventing Kata to become a noisy neighbor.
 
-## `sandbox_cgroup_only = false` (Default setting)
-
-If the cgroup provided to Kata is not sized appropriately, Kata components will
-consume resources that the actual container workloads expect to see and use.
-This can cause instability and performance degradations.
-
-To avoid that situation, Kata Containers creates an unconstrained overhead
-cgroup and moves all non workload related processes (Anything but the virtual CPU
-threads) to it. The name of this overhead cgroup is `/kata_overhead` and a per
-sandbox sub cgroup will be created under it for each sandbox Kata Containers creates.
-
-Kata Containers does not add any constraints or limitations on the overhead cgroup. It is up to the infrastructure
-owner to either:
-
-- Provision nodes with a pre-sized `/kata_overhead` cgroup. Kata Containers will
-  load that existing cgroup and move all non workload related processes to it.
-- Let Kata Containers create the `/kata_overhead` cgroup, leave it
-  unconstrained or resize it a-posteriori.
+## `SandboxCgroupOnly` disabled (default, legacy)
 
+If the cgroup provided to Kata is not sized appropriately, instability will be
+introduced when fully constraining Kata components, and the user-workload will
+see a subset of resources that were requested. Based on this, the default
+handling for Kata Containers is to not fully constrain the VMM and Kata
+components on the host.
 
 ```
-┌────────────────────────────────────────────────────────────────────┐
-│                                                                    │
-│  ┌─────────────────────────────┐    ┌───────────────────────────┐  │
-│  │                             │    │                           │  │
-│  │   ┌─────────────────────────┼────┼─────────────────────────┐ │  │
-│  │   │                         │    │                         │ │  │
-│  │   │ ┌─────────────────────┐ │    │ ┌─────────────────────┐ │ │  │
-│  │   │ │  vCPU threads       │ │    │ │  VMM                │ │ │  │
-│  │   │ │                     │ │    │ │  I/O threads        │ │ │  │
-│  │   │ │                     │ │    │ │  Kata Shim          │ │ │  │
-│  │   │ │                     │ │    │ │                     │ │ │  │
-│  │   │ │ /kata_<sandbox_id>  │ │    │ │ /<sandbox_id>       │ │ │  │
-│  │   │ └─────────────────────┘ │    │ └─────────────────────┘ │ │  │
-│  │   │                         │    │                         │ │  │
-│  │   │  Pod 1                  │    │                         │ │  │
-│  │   └─────────────────────────┼────┼─────────────────────────┘ │  │
-│  │                             │    │                           │  │
-│  │                             │    │                           │  │
-│  │   ┌─────────────────────────┼────┼─────────────────────────┐ │  │
-│  │   │                         │    │                         │ │  │
-│  │   │ ┌─────────────────────┐ │    │ ┌─────────────────────┐ │ │  │
-│  │   │ │  vCPU threads       │ │    │ │  VMM                │ │ │  │
-│  │   │ │                     │ │    │ │  I/O threads        │ │ │  │
-│  │   │ │                     │ │    │ │  Kata Shim          │ │ │  │
-│  │   │ │                     │ │    │ │                     │ │ │  │
-│  │   │ │ /kata_<sandbox_id>  │ │    │ │ /<sandbox_id>       │ │ │  │
-│  │   │ └─────────────────────┘ │    │ └─────────────────────┘ │ │  │
-│  │   │                         │    │                         │ │  │
-│  │   │  Pod 2                  │    │                         │ │  │
-│  │   └─────────────────────────┼────┼─────────────────────────┘ │  │
-│  │                             │    │                           │  │
-│  │ /kubepods                   │    │ /kata_overhead            │  │
-│  └─────────────────────────────┘    └───────────────────────────┘  │
-│                                                                    │
-│                                                                    │
-│ Node                                                               │
-└────────────────────────────────────────────────────────────────────┘
++----------------------------------------------------------+
+|    +---------------------------------------------------+ |
+|    |   +---------------------------------------------+ | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |   |Container 1       |-|Container 2      |  | | |
+|    |   |   |                  |-|                 |  | | |
+|    |   |   | Shim+container1  |-| Shim+container2 |  | | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |                                             | | |
+|    |   |Pod 1                                        | | |
+|    |   +---------------------------------------------+ | |
+|    |                                                   | |
+|    |   +---------------------------------------------+ | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |   |Container 1       |-|Container 2      |  | | |
+|    |   |   |                  |-|                 |  | | |
+|    |   |   | Shim+container1  |-| Shim+container2 |  | | |
+|    |   |   +--------------------------------------+  | | |
+|    |   |                                             | | |
+|    |   |Pod 2                                        | | |
+|    |   +---------------------------------------------+ | |
+|    |kubepods                                           | |
+|    +---------------------------------------------------+ |
+|    +---------------------------------------------------+ |
+|    |  Hypervisor                                       | |
+|    |Kata                                               | |
+|    +---------------------------------------------------+ |
+|                                                          |
+|Node                                                      |
++----------------------------------------------------------+
 
 ```
 
-### Implementation Details
+### What does this method do?
 
-When `sandbox_cgroup_only` is disabled, the Kata Containers shim will create a per pod
-sub-cgroup under the pods dedicated cgroup, and another one under the overhead cgroup.
-For example, in the Kubernetes context, it will create a `/kata_<PodSandboxID>` under
-the `/kubepods` cgroup hierarchy, and a `/<PodSandboxID>` under the `/kata_overhead` one.
+1. Given a container creation let `containerCgroupHost=container.CgroupsPath`
+1. Rename `containerCgroupHost` path to add `kata_`
+1. Let `PodCgroupPath=PodSanboxContainerCgroup` where `PodSanboxContainerCgroup` is the cgroup of a container of type `PodSandbox`
+1. Limit the `PodCgroupPath` with the sum of all the container limits in the Sandbox
+1. Move only vCPU threads of hypervisor to `PodCgroupPath`
+1. Per each container, move its `kata-shim` to its own `containerCgroupHost`
+1. Move hypervisor and applicable threads to memory cgroup `/kata`
 
-On a typical cgroup v1 hierarchy mounted under `/sys/fs/cgroup/`, for a pod which sandbox
-ID is `12345678`, create with `sandbox_cgroup_only` disabled, the 2 memory subsystems
-for the sandbox cgroup and the overhead cgroup would respectively live under 
-`/sys/fs/cgroup/memory/kubepods/kata_12345678` and `/sys/fs/cgroup/memory/kata_overhead/12345678`.
+_Note_: the Kata Containers runtime will not add all the hypervisor threads to
+the cgroup path requested, only vCPUs. These threads are run unconstrained.
 
-Unlike when `sandbox_cgroup_only` is enabled, the Kata Containers shim will move itself
-to the overhead cgroup first, and then move the vCPU threads to the sandbox cgroup as
-they're created. All Kata processes and threads will run under the overhead cgroup except for
-the vCPU threads. 
+This mitigates the risk of the VMM and other threads receiving an out of memory scenario (`OOM`).
 
-With `sandbox_cgroup_only` disabled, Kata Containers assumes the pod cgroup is only sized
-to accommodate for the actual container workloads processes. For Kata, this maps
-to the VMM created virtual CPU threads and so they are the only ones running under the pod
-cgroup. This mitigates the risk of the VMM, the Kata shim and the I/O threads going through
-a catastrophic out of memory scenario (`OOM`).
 
-#### Pros and Cons
+#### Impact
 
-Running all non vCPU threads under an unconstrained overhead cgroup could lead to workloads
-potentially consuming a large amount of host resources.
+If resources are reserved at a system level to account for the overheads of
+running sandbox containers, this configuration can be utilized with adequate
+stability. In this scenario, non-negligible amounts of CPU and memory will be
+utilized unaccounted for on the host.
 
-On the other hand, running all non vCPU threads under a dedicated overhead cgroup can provide
-accurate metrics on the actual Kata Container pod overhead, allowing for tuning the overhead
-cgroup size and constraints accordingly.
-
-[linux-config]: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md
-[cgroupspath]: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#cgroups-path
+[linux-config]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md
+[cgroupspath]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#cgroups-path
 
 # Supported cgroups
 
-Kata Containers currently only supports cgroups `v1`. 
-
-In the following sections each cgroup is described briefly.
+Kata Containers supports cgroups `v1` and `v2`. In the following sections each cgroup is
+described briefly and what changes are needed in Kata Containers to support it.
 
 ## Cgroups V1
 
@@ -301,7 +259,7 @@ diagram:
 A process can join a cgroup by writing its process id (`pid`) to `cgroup.procs` file,
 or join a cgroup partially by writing the task (thread) id (`tid`) to the `tasks` file.
 
-Kata Containers only supports `v1`.
+Kata Containers supports `v1` by default and no change in the configuration file is needed.
 To know more about `cgroups v1`, see [cgroupsv1(7)][2].
 
 ## Cgroups V2
@@ -354,13 +312,22 @@ Same as `cgroups v1`, a process can join the cgroup by writing its process id (`
 `cgroup.procs` file, or join a cgroup partially by writing the task (thread) id (`tid`) to
 `cgroup.threads` file.
 
-Kata Containers does not support cgroups `v2` on the host.
+For backwards compatibility Kata Containers defaults to supporting cgroups v1 by default.
+To change this to `v2`, set `sandbox_cgroup_only=true` in the `configuration.toml` file.
+To know more about `cgroups v2`, see [cgroupsv2(7)][3].
 
 ### Distro Support
 
 Many Linux distributions do not yet support `cgroups v2`, as it is quite a recent addition.
 For more information about the status of this feature see [issue #2494][4].
 
+# Summary
+
+| cgroup option | default? | status | pros | cons | cgroups
+|-|-|-|-|-|-|
+| `SandboxCgroupOnly=false` | yes | legacy | Easiest to make Kata work | Unaccounted for memory and resource utilization | v1
+| `SandboxCgroupOnly=true` | no | recommended | Complete tracking of Kata memory and CPU utilization. In Kubernetes, the Kubelet can fully constrain Kata via the pod cgroup | Requires upper layer orchestrator which sizes sandbox cgroup appropriately | v1, v2
+
 
 [1]: http://man7.org/linux/man-pages/man5/tmpfs.5.html
 [2]: http://man7.org/linux/man-pages/man7/cgroups.7.html#CGROUPS_VERSION_1

docs/design/inotify.md

@@ -1,30 +0,0 @@
-# Kata Containers support for `inotify`
-
-## Background on `inotify` usage
-
-A common pattern in Kubernetes is to watch for changes to files/directories passed in as `ConfigMaps`
-or `Secrets`. Sidecar's normally use `inotify` to watch for changes and then signal the primary container to reload
-the updated configuration. Kata Containers typically will pass these host files into the guest using `virtiofs`, which
-does not support `inotify` today. While we work to enable this use case in `virtiofs`, we introduced a workaround in Kata Containers.
-This document describes how Kata Containers implements this workaround.
-
-### Detecting a `watchable` mount
-
-Kubernetes creates `secrets` and `ConfigMap` mounts at very specific locations on the host filesystem. For container mounts,
-the `Kata Containers` runtime will check the source of the mount to identify these special cases. For these use cases, only a single file
-or very few would typically need to be watched. To avoid excessive overheads in making a mount watchable,
-we enforce a limit of eight files per mount. If a `secret` or `ConfigMap` mount contains more than 8 files, it will not be
-considered watchable. We similarly enforce a limit of 1 MB per mount to be considered watchable. Non-watchable mounts will
-continue to propagate changes from the mount on the host to the container workload, but these updates will not trigger an
-`inotify` event.
-
-If at any point a mount grows beyond the eight file or 1MB limit, it will no longer be `watchable.`
-
-### Presenting a `watchable` mount to the workload
-
-For mounts that are considered `watchable`, inside the guest, the `kata-agent` will poll the mount presented from
-the host through `virtiofs` and copy any changed files to a `tmpfs` mount that is presented to the container. In this way,
-for `watchable` mounts, Kata will do the polling on behalf of the workload and existing workloads needn't change their usage
-of `inotify`.
-
-![drawing](arch-images/inotify-workaround.png)

docs/design/kata-2-0-metrics.md

@@ -1,5 +1,20 @@
 # Kata 2.0 Metrics Design
 
+* [Limitations of Kata 1.x and the target of Kata 2.0](#limitations-of-kata-1x-and-the-target-of-kata-20)
+* [Metrics architecture](#metrics-architecture)
+  * [Kata monitor](#kata-monitor)
+  * [Kata runtime](#kata-runtime)
+  * [Kata agent](#kata-agent)
+  * [Performance and overhead](#performance-and-overhead)
+* [Metrics list](#metrics-list)
+  * [Metric types](#metric-types)
+  * [Kata agent metrics](#kata-agent-metrics)
+  * [Firecracker metrics](#firecracker-metrics)
+  * [Kata guest OS metrics](#kata-guest-os-metrics)
+  * [Hypervisor metrics](#hypervisor-metrics)
+  * [Kata monitor metrics](#kata-monitor-metrics)
+  * [Kata containerd shim v2 metrics](#kata-containerd-shim-v2-metrics)
+
 Kata implement CRI's API and support [`ContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L101) and [`ListContainerStats`](https://github.com/kubernetes/kubernetes/blob/release-1.18/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto#L103) interfaces to expose containers metrics. User can use these interface to get basic metrics about container.
 
 But unlike `runc`, Kata is a VM-based runtime and has a different architecture.
@@ -207,7 +222,7 @@ Metrics for Firecracker vmm.
 | `kata_firecracker_uart`: <br> Metrics specific to the UART device. | `GAUGE` |  | <ul><li>`item`<ul><li>`error_count`</li><li>`flush_count`</li><li>`missed_read_count`</li><li>`missed_write_count`</li><li>`read_count`</li><li>`write_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
 | `kata_firecracker_vcpu`: <br> Metrics specific to VCPUs' mode of functioning. | `GAUGE` |  | <ul><li>`item`<ul><li>`exit_io_in`</li><li>`exit_io_out`</li><li>`exit_mmio_read`</li><li>`exit_mmio_write`</li><li>`failures`</li><li>`filter_cpuid`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
 | `kata_firecracker_vmm`: <br> Metrics specific to the machine manager as a whole. | `GAUGE` |  | <ul><li>`item`<ul><li>`device_events`</li><li>`panic_count`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
-| `kata_firecracker_vsock`: <br> VSOCK-related metrics. | `GAUGE` |  | <ul><li>`item`<ul><li>`activate_fails`</li><li>`cfg_fails`</li><li>`conn_event_fails`</li><li>`conns_added`</li><li>`conns_killed`</li><li>`conns_removed`</li><li>`ev_queue_event_fails`</li><li>`killq_resync`</li><li>`muxer_event_fails`</li><li>`rx_bytes_count`</li><li>`rx_packets_count`</li><li>`rx_queue_event_count`</li><li>`rx_queue_event_fails`</li><li>`rx_read_fails`</li><li>`tx_bytes_count`</li><li>`tx_flush_fails`</li><li>`tx_packets_count`</li><li>`tx_queue_event_count`</li><li>`tx_queue_event_fails`</li><li>`tx_write_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
+| `kata_firecracker_vsock`: <br> Vsock-related metrics. | `GAUGE` |  | <ul><li>`item`<ul><li>`activate_fails`</li><li>`cfg_fails`</li><li>`conn_event_fails`</li><li>`conns_added`</li><li>`conns_killed`</li><li>`conns_removed`</li><li>`ev_queue_event_fails`</li><li>`killq_resync`</li><li>`muxer_event_fails`</li><li>`rx_bytes_count`</li><li>`rx_packets_count`</li><li>`rx_queue_event_count`</li><li>`rx_queue_event_fails`</li><li>`rx_read_fails`</li><li>`tx_bytes_count`</li><li>`tx_flush_fails`</li><li>`tx_packets_count`</li><li>`tx_queue_event_count`</li><li>`tx_queue_event_fails`</li><li>`tx_write_fails`</li></ul></li><li>`sandbox_id`</li></ul> | 2.0.0 |
 
 ### Kata guest OS metrics
 

docs/design/kata-api-design.md

@@ -1,5 +1,4 @@
 # Kata API Design
-
 To fulfill the [Kata design requirements](kata-design-requirements.md), and based on the discussion on [Virtcontainers API extensions](https://docs.google.com/presentation/d/1dbGrD1h9cpuqAPooiEgtiwWDGCYhVPdatq7owsKHDEQ), the Kata runtime library features the following APIs:
 -  Sandbox based top API
 -  Storage and network hotplug API

docs/design/kata-design-requirements.md

@@ -30,7 +30,7 @@ The Kata Containers runtime **MUST** implement the following command line option
 The Kata Containers project **MUST** provide two interfaces for CRI shims to manage hardware
 virtualization based Kubernetes pods and containers:
 -  An OCI and `runc` compatible command line interface, as described in the previous section.
-This interface is used by implementations such as [`CRI-O`](http://cri-o.io) and [`containerd`](https://github.com/containerd/containerd), for example.
+This interface is used by implementations such as [`CRI-O`](http://cri-o.io) and [`cri-containerd`](https://github.com/containerd/cri-containerd), for example.
 - A hardware virtualization runtime library API for CRI shims to consume and provide a more
 CRI native implementation. The [`frakti`](https://github.com/kubernetes/frakti) CRI shim is an example of such a consumer.
 

docs/design/proposals/README.md

@@ -1,5 +0,0 @@
-# Design proposals
-
-Kata Containers design proposal documents:
-
-- [Kata Containers tracing](tracing-proposals.md)

docs/design/proposals/tracing-proposals.md

@@ -1,213 +0,0 @@
-# Kata Tracing proposals
-
-## Overview
-
-This document summarises a set of proposals triggered by the
-[tracing documentation PR][tracing-doc-pr].
-
-## Required context
-
-This section explains some terminology required to understand the proposals.
-Further details can be found in the
-[tracing documentation PR][tracing-doc-pr].
-
-### Agent trace mode terminology
-
-| Trace mode | Description | Use-case |
-|-|-|-|
-| Static |  Trace agent from startup to shutdown | Entire lifespan |
-| Dynamic | Toggle tracing on/off as desired | On-demand "snapshot" |
-
-### Agent trace type terminology
-
-| Trace type | Description | Use-case |
-|-|-|-|
-| isolated | traces all relate to single component | Observing lifespan |
-| collated | traces "grouped" (runtime+agent) | Understanding component interaction |
-
-### Container lifespan
-
-| Lifespan | trace mode | trace type |
-|-|-|-|
-| short-lived | static | collated if possible, else isolated? |
-| long-running | dynamic | collated? (to see interactions) |
-
-## Original plan for agent
-
-- Implement all trace types and trace modes for agent.
-
-- Why?
-  - Maximum flexibility.
-
-    > **Counterargument:**
-    >
-    > Due to the intrusive nature of adding tracing, we have
-    > learnt that landing small incremental changes is simpler and quicker!
-
-  - Compatibility with [Kata 1.x tracing][kata-1x-tracing].
-
-    > **Counterargument:**
-    >
-    > Agent tracing in Kata 1.x was extremely awkward to setup (to the extent
-    > that it's unclear how many users actually used it!)
-    >
-    > This point, coupled with the new architecture for Kata 2.x, suggests
-    > that we may not need to supply the same set of tracing features (in fact
-    > they may not make sense)).
-
-## Agent tracing proposals
-
-### Agent tracing proposal 1: Don't implement dynamic trace mode
-
-- All tracing will be static.
-
-- Why?
-  - Because dynamic tracing will always be "partial"
-
-    > In fact, not only would it be only a "snapshot" of activity, it may not
-    > even be possible to create a complete "trace transaction". If this is
-    > true, the trace output would be partial and would appear "unstructured".
-
-### Agent tracing proposal 2: Simplify handling of trace type
-
-- Agent tracing will be "isolated" by default.
-- Agent tracing will be "collated" if runtime tracing is also enabled.
-
-- Why?
-  - Offers a graceful fallback for agent tracing if runtime tracing disabled.
-  - Simpler code!
-
-## Questions to ask yourself (part 1)
-
-- Are your containers long-running or short-lived?
-
-- Would you ever need to turn on tracing "briefly"?
-  - If "yes", is a "partial trace" useful or useless?
-
-    > Likely to be considered useless as it is a partial snapshot.
-    > Alternative tracing methods may be more appropriate to dynamic
-    > OpenTelemetry tracing.
-
-## Questions to ask yourself (part 2)
-
-- Are you happy to stop a container to enable tracing?
-  If "no", dynamic tracing may be required.
-
-- Would you ever want to trace the agent and the runtime "in isolation" at the
-  same time?
-  - If "yes", we need to fully implement `trace_mode=isolated`
-
-    > This seems unlikely though.
-
-## Trace collection
-
-The second set of proposals affect the way traces are collected.
-
-### Motivation
-
-Currently:
-
-- The runtime sends trace spans to Jaeger directly.
-- The agent will send trace spans to the [`trace-forwarder`][trace-forwarder] component.
-- The trace forwarder will send trace spans to Jaeger.
-
-Kata agent tracing overview:
-
-```
-+-------------------------------------------+
-| Host                                      |
-|                                           |
-| +-----------+                             |
-| | Trace     |                             |
-| | Collector |                             |
-| +-----+-----+                             |
-|       ^                  +--------------+ |
-|       | spans            | Kata VM      | |
-| +-----+-----+            |              | |
-| | Kata      |    spans   |     +-----+  | |
-| | Trace     |<-----------------|Kata |  | |
-| | Forwarder |    VSOCK   |     |Agent|  | |
-| +-----------+    Channel |     +-----+  | |
-|                          +--------------+ |
-+-------------------------------------------+
-```
-
-Currently:
-
-- If agent tracing is enabled but the trace forwarder is not running,
-  the agent will error.
-
-- If the trace forwarder is started but Jaeger is not running,
-  the trace forwarder will error.
-
-### Goals
-
-- The runtime and agent should:
-  - Use the same trace collection implementation.
-  - Use the most the common configuration items.
-
-- Kata should should support more trace collection software or `SaaS`
-  (for example `Zipkin`, `datadog`).
-
-- Trace collection should not block normal runtime/agent operations
-  (for example if `vsock-exporter`/Jaeger is not running, Kata Containers should work normally).
-
-### Trace collection proposals
-
-#### Trace collection proposal 1: Send all spans to the trace forwarder as a span proxy
-
-Kata runtime/agent all send spans to trace forwarder, and the trace forwarder,
-acting as a tracing proxy, sends all spans to a tracing back-end, such as Jaeger or `datadog`.
-
-**Pros:**
-
-- Runtime/agent will be simple.
-- Could update trace collection target while Kata Containers are running.
-
-**Cons:**
-
-- Requires the trace forwarder component to be running (that is a pressure to operation).
-
-#### Trace collection proposal 2: Send spans to collector directly from runtime/agent
-
-Send spans to collector directly from runtime/agent, this proposal need
-network accessible to the collector.
-
-**Pros:**
-
-- No additional trace forwarder component needed.
-
-**Cons:**
-
-- Need more code/configuration to support all trace collectors.
-
-## Future work
-
-- We could add dynamic and fully isolated tracing at a later stage,
-  if required.
-
-## Further details
-
-- See the new [GitHub project](https://github.com/orgs/kata-containers/projects/28).
-- [kata-containers-tracing-status](https://gist.github.com/jodh-intel/0ee54d41d2a803ba761e166136b42277) gist.
-- [tracing documentation PR][tracing-doc-pr].
-
-## Summary
-
-### Time line
-
-- 2021-07-01: A summary of the discussion was
-  [posted to the mail list](http://lists.katacontainers.io/pipermail/kata-dev/2021-July/001996.html).
-- 2021-06-22: These proposals were
-  [discussed in the Kata Architecture Committee meeting](https://etherpad.opendev.org/p/Kata_Containers_2021_Architecture_Committee_Mtgs).
-- 2021-06-18: These proposals where
-  [announced on the mailing list](http://lists.katacontainers.io/pipermail/kata-dev/2021-June/001980.html).
-
-### Outcome
-
-- Nobody opposed the agent proposals, so they are being implemented.
-- The trace collection proposals are still being considered.
-
-[kata-1x-tracing]: https://github.com/kata-containers/agent/blob/master/TRACING.md
-[trace-forwarder]: /src/trace-forwarder
-[tracing-doc-pr]: https://github.com/kata-containers/kata-containers/pull/1937

docs/design/vcpu-handling.md

@@ -1,3 +1,11 @@
+- [Virtual machine vCPU sizing in Kata Containers](#virtual-machine-vcpu-sizing-in-kata-containers)
+  * [Default number of virtual CPUs](#default-number-of-virtual-cpus)
+  * [Virtual CPUs and Kubernetes pods](#virtual-cpus-and-kubernetes-pods)
+  * [Container lifecycle](#container-lifecycle)
+  * [Container without CPU constraint](#container-without-cpu-constraint)
+  * [Container with CPU constraint](#container-with-cpu-constraint)
+  * [Do not waste resources](#do-not-waste-resources)
+
 # Virtual machine vCPU sizing in Kata Containers
 
 ## Default number of virtual CPUs

docs/design/virtualization.md

@@ -1,5 +1,16 @@
 # Virtualization in Kata Containers
 
+- [Virtualization in Kata Containers](#virtualization-in-kata-containers)
+  - [Mapping container concepts to virtual machine technologies](#mapping-container-concepts-to-virtual-machine-technologies)
+  - [Kata Containers Hypervisor and VMM support](#kata-containers-hypervisor-and-vmm-support)
+    - [QEMU/KVM](#qemukvm)
+      - [Machine accelerators](#machine-accelerators)
+      - [Hotplug devices](#hotplug-devices)
+    - [Firecracker/KVM](#firecrackerkvm)
+    - [Cloud Hypervisor/KVM](#cloud-hypervisorkvm)
+    - [Summary](#summary)
+
+
 Kata Containers, a second layer of isolation is created on top of those provided by traditional namespace-containers. The
 hardware virtualization interface is the basis of this additional layer. Kata will launch a lightweight virtual machine,
 and use the guest’s Linux kernel to create a container workload, or workloads in the case of multi-container pods. In Kubernetes

docs/how-to/README.md

@@ -1,11 +1,15 @@
 # Howto Guides
 
-## Kubernetes Integration
+* [Howto Guides](#howto-guides)
+  * [Kubernetes Integration](#kubernetes-integration)
+  * [Hypervisors Integration](#hypervisors-integration)
+  * [Advanced Topics](#advanced-topics)
 
+## Kubernetes Integration
 - [Run Kata containers with `crictl`](run-kata-with-crictl.md)
 - [Run Kata Containers with Kubernetes](run-kata-with-k8s.md)
 - [How to use Kata Containers and Containerd](containerd-kata.md)
-- [How to use Kata Containers and CRI (containerd) with Kubernetes](how-to-use-k8s-with-cri-containerd-and-kata.md)
+- [How to use Kata Containers and CRI (containerd plugin) with Kubernetes](how-to-use-k8s-with-cri-containerd-and-kata.md)
 - [Kata Containers and service mesh for Kubernetes](service-mesh.md)
 - [How to import Kata Containers logs into Fluentd](how-to-import-kata-logs-with-fluentd.md)
 
@@ -17,13 +21,13 @@
 - `firecracker`
 - `ACRN`
 
-  While `qemu` , `cloud-hypervisor` and `firecracker` work out of the box with installation of Kata,
-  some additional configuration is needed in case of `ACRN`.
+  While `qemu` and `cloud-hypervisor` work out of the box with installation of Kata,
+  some additional configuration is needed in case of `firecracker` and `ACRN`.
   Refer to the following guides for additional configuration steps:
+- [Kata Containers with Firecracker](https://github.com/kata-containers/documentation/wiki/Initial-release-of-Kata-Containers-with-Firecracker-support)
 - [Kata Containers with ACRN Hypervisor](how-to-use-kata-containers-with-acrn.md)
 
 ## Advanced Topics
-
 - [How to use Kata Containers with virtio-fs](how-to-use-virtio-fs-with-kata.md)
 - [Setting Sysctls with Kata](how-to-use-sysctls-with-kata.md)
 - [What Is VMCache and How To Enable It](what-is-vm-cache-and-how-do-I-use-it.md)
@@ -33,6 +37,3 @@
 - [How to use Kata Containers with `virtio-mem`](how-to-use-virtio-mem-with-kata.md)
 - [How to set sandbox Kata Containers configurations with pod annotations](how-to-set-sandbox-config-kata.md)
 - [How to monitor Kata Containers in K8s](how-to-set-prometheus-in-k8s.md)
-- [How to use hotplug memory on arm64 in Kata Containers](how-to-hotplug-memory-arm64.md)
-- [How to setup swap devices in guest kernel](how-to-setup-swap-devices-in-guest-kernel.md)
-- [How to run rootless vmm](how-to-run-rootless-vmm.md)

docs/how-to/containerd-kata.md

@@ -1,5 +1,23 @@
 # How to use Kata Containers and Containerd
 
+- [Concepts](#concepts)
+    - [Kubernetes `RuntimeClass`](#kubernetes-runtimeclass)
+    - [Containerd Runtime V2 API: Shim V2 API](#containerd-runtime-v2-api-shim-v2-api)
+- [Install](#install)
+    - [Install Kata Containers](#install-kata-containers)
+    - [Install containerd with CRI plugin](#install-containerd-with-cri-plugin)
+    - [Install CNI plugins](#install-cni-plugins)
+    - [Install `cri-tools`](#install-cri-tools)
+- [Configuration](#configuration)
+    - [Configure containerd to use Kata Containers](#configure-containerd-to-use-kata-containers)
+        - [Kata Containers as a `RuntimeClass`](#kata-containers-as-a-runtimeclass)
+        - [Kata Containers as the runtime for untrusted workload](#kata-containers-as-the-runtime-for-untrusted-workload)
+    - [Kata Containers as the default runtime](#kata-containers-as-the-default-runtime)
+    - [Configuration for `cri-tools`](#configuration-for-cri-tools)
+- [Run](#run)
+    - [Launch containers with `ctr` command line](#launch-containers-with-ctr-command-line)
+    - [Launch Pods with `crictl` command line](#launch-pods-with-crictl-command-line)
+
 This document covers the installation and configuration of [containerd](https://containerd.io/) 
 and [Kata Containers](https://katacontainers.io). The containerd provides not only the `ctr`
 command line tool, but also the [CRI](https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/) 
@@ -39,7 +57,7 @@ use `RuntimeClass` instead of the deprecated annotations.
 
 ### Containerd Runtime V2 API: Shim V2 API
 
-The [`containerd-shim-kata-v2` (short as `shimv2` in this documentation)](../../src/runtime/cmd/containerd-shim-kata-v2/)
+The [`containerd-shim-kata-v2` (short as `shimv2` in this documentation)](../../src/runtime/containerd-shim-v2) 
 implements the [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2) for Kata.
 With `shimv2`, Kubernetes can launch Pod and OCI-compatible containers with one shim per Pod. Prior to `shimv2`, `2N+1` 
 shims (i.e. a `containerd-shim` and a `kata-shim` for each container and the Pod sandbox itself) and no standalone `kata-proxy` 

docs/how-to/data/kata-monitor-daemonset.yml

@@ -26,7 +26,7 @@ spec:
       hostNetwork: true
       containers:
       - name: kata-monitor
-        image: quay.io/kata-containers/kata-monitor:2.0.0
+        image: docker.io/katadocker/kata-monitor:2.0.0
         args: 
           - -log-level=debug
         ports:

docs/how-to/how-to-hotplug-memory-arm64.md

@@ -1,28 +0,0 @@
-# How to use memory hotplug feature in Kata Containers on arm64
-
-## Introduction
-
-Memory hotplug is a key feature for containers to allocate memory dynamically in deployment.
-As Kata Container bases on VM, this feature needs support both from VMM and guest kernel. Luckily, it has been fully supported for the current default version of QEMU and guest kernel used by Kata on arm64. For other VMMs, e.g, Cloud Hypervisor, the enablement work is on the road. Apart from VMM and guest kernel, memory hotplug also depends on ACPI which depends on firmware either. On x86, you can boot a VM using QEMU with ACPI enabled directly, because it boots up with firmware implicitly. For arm64, however, you need specify firmware explicitly. That is to say, if you are ready to run a normal Kata Container on arm64, what you need extra to do is to install the UEFI ROM before use the memory hotplug feature.
-
-## Install UEFI ROM
-
-We have offered a helper script for you to install the UEFI ROM. If you have installed Kata normally on your host, you just need to run the script as fellows:
-
-```bash
-$ pushd $GOPATH/src/github.com/kata-containers/tests
-$ sudo .ci/aarch64/install_rom_aarch64.sh
-$ popd
-```
-
-## Run for test
-
-Let's test if the memory hotplug is ready for Kata after install the UEFI ROM. Make sure containerd is ready to run Kata before test.
-
-```bash
-$ sudo ctr image pull docker.io/library/ubuntu:latest
-$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/ubuntu:latest hello sh -c "free -h"
-$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --memory-limit 536870912 --rm docker.io/library/ubuntu:latest hello sh -c "free -h"
-```
-
-Compare the results between the two tests. If the latter is 0.5G larger than the former, you have done what you want, and congratulation!

docs/how-to/how-to-import-kata-logs-with-fluentd.md

@@ -1,5 +1,20 @@
 # Importing Kata Containers logs with Fluentd
 
+* [Introduction](#introduction)
+* [Overview](#overview)
+    * [Test stack](#test-stack)
+    * [Importing the logs](#importing-the-logs)
+    * [Direct import `logfmt` from `systemd`](#direct-import-logfmt-from-systemd)
+        * [Configuring `minikube`](#configuring-minikube)
+        * [Pull from `systemd`](#pull-from-systemd)
+        * [Systemd Summary](#systemd-summary)
+    * [Directly importing JSON](#directly-importing-json)
+        * [JSON in files](#json-in-files)
+            * [Prefixing all keys](#prefixing-all-keys)
+* [Kata `shimv2`](#kata-shimv2)
+* [Caveats](#caveats)
+* [Summary](#summary)
+
 # Introduction
 
 This document describes how to import Kata Containers logs into [Fluentd](https://www.fluentd.org/),
@@ -128,7 +143,7 @@ YAML can be found
   tag kata-containers
   path /run/log/journal
   pos_file /run/log/journal/kata-journald.pos
-  filters [{"SYSLOG_IDENTIFIER": "kata-runtime"}, {"SYSLOG_IDENTIFIER": "kata-shim"}]
+  filters [{"SYSLOG_IDENTIFIER": "kata-runtime"}, {"SYSLOG_IDENTIFIER": "kata-proxy"}, {"SYSLOG_IDENTIFIER": "kata-shim"}]
   read_from_head true
 </source>
 ```
@@ -146,7 +161,7 @@ generate some Kata specific log entries:
 
 ```bash
 $ minikube addons open efk
-$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
+$ cd $GOPATH/src/github.com/kata-containers/packaging/kata-deploy
 $ kubectl apply -f examples/nginx-deployment-qemu.yaml
 ```
 
@@ -163,7 +178,7 @@ sub-filter on, for instance, the `SYSLOG_IDENTIFIER` to differentiate the Kata c
 on the `PRIORITY` to filter out critical issues etc.
 
 Kata generates a significant amount of Kata specific information, which can be seen as
-[`logfmt`](https://github.com/kata-containers/tests/tree/main/cmd/log-parser#logfile-requirements).
+[`logfmt`](https://github.com/kata-containers/tests/tree/master/cmd/log-parser#logfile-requirements).
 data contained in the `MESSAGE` field. Imported as-is, there is no easy way to filter on that data
 in Kibana:
 
@@ -257,8 +272,9 @@ go directly to a full Kata specific JSON format logfile test.
 
 Kata runtime has the ability to generate JSON logs directly, rather than its default `logfmt` format. Passing
 the `--log-format=json` argument to the Kata runtime enables this. The easiest way to pass in this extra
-parameter from a [Kata deploy](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy) installation
-is to edit the `/opt/kata/bin/kata-qemu` shell script.
+parameter from a [Kata deploy](https://github.com/kata-containers/packaging/tree/master/kata-deploy) installation
+is to edit the `/opt/kata/bin/kata-qemu` shell script (generated by the
+[Kata packaging release scripts](https://github.com/kata-containers/packaging/blob/master/release/kata-deploy-binaries.sh)).
 
 At the same time, we will add the `--log=/var/log/kata-runtime.log` argument to store the Kata logs in their
 own file (rather than into the system journal).

docs/how-to/how-to-run-rootless-vmm.md

@@ -1,33 +0,0 @@
-## Introduction
-To improve security, Kata Container supports running the VMM process (currently only QEMU) as a non-`root` user.
-This document describes how to enable the rootless VMM mode and its limitations.
-
-## Pre-requisites
-The permission and ownership of the `kvm` device node (`/dev/kvm`) need to be configured to:
-```
-$ crw-rw---- 1 root kvm
-```
-use the following commands:
-```
-$ sudo groupadd kvm -r
-$ sudo chown root:kvm /dev/kvm
-$ sudo chmod 660 /dev/kvm
-```
-
-## Configure rootless VMM
-By default, the VMM process still runs as the root user. There are two ways to enable rootless VMM:
-1. Set the `rootless` flag to `true` in the hypervisor section of `configuration.toml`.
-2. Set the Kubernetes annotation `io.katacontainers.hypervisor.rootless` to `true`.
-
-## Implementation details
-When `rootless` flag is enabled, upon a request to create a Pod, Kata Containers runtime creates a random user and group (e.g. `kata-123`), and uses them to start the hypervisor process. 
-The `kvm` group is also given to the hypervisor process as a supplemental group to give the hypervisor process access to the `/dev/kvm` device. 
-Another necessary change is to move the hypervisor runtime files (e.g. `vhost-fs.sock`, `qmp.sock`) to a directory (under `/run/user/[uid]/`) where only the non-root hypervisor has access to.
-
-## Limitations
-
-1. Only the VMM process is running as a non-root user. Other processes such as Kata Container shimv2 and `virtiofsd` still run as the root user.
-2. Currently, this feature is only supported in QEMU. Still need to bring it to Firecracker and Cloud Hypervisor (see https://github.com/kata-containers/kata-containers/issues/2567).
-3. Certain features will not work when rootless VMM is enabled, including:
-   1. Passing devices to the guest (`virtio-blk`, `virtio-scsi`) will not work if the non-privileged user does not have permission to access it (leading to a permission denied error). A more permissive permission (e.g. 666) may overcome this issue. However, you need to be aware of the potential security implications of reducing the security on such devices.
-   2. `vfio` device will also not work because of permission denied error.

docs/how-to/how-to-set-prometheus-in-k8s.md

@@ -2,6 +2,14 @@
 
 This document describes how to run `kata-monitor` in a Kubernetes cluster using Prometheus's service discovery to scrape metrics from `kata-agent`.
 
+- [Introduction](#introduction)
+- [Pre-requisites](#pre-requisites)
+- [Configure Prometheus](#configure-prometheus)
+- [Configure `kata-monitor`](#configure-kata-monitor)
+- [Setup Grafana](#setup-grafana)
+  * [Create `datasource`](#create-datasource)
+  * [Import dashboard](#import-dashboard)
+
 > **Warning**: This how-to is only for evaluation purpose, you **SHOULD NOT** running it in production using this configurations.
 
 ## Introduction

docs/how-to/how-to-set-sandbox-config-kata.md

@@ -34,6 +34,8 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent |
 | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers |
 | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` |
+| `io.katacontainers.config.agent.trace_mode` | string | the trace mode for the agent |
+| `io.katacontainers.config.agent.trace_type` | string | the trace type for the agent |
 
 ## Hypervisor Options
 | Key | Value Type | Comments |
@@ -77,7 +79,7 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.kernel` | string | the kernel used to boot the container VM |
 | `io.katacontainers.config.hypervisor.machine_accelerators` | string | machine specific accelerators for the hypervisor |
 | `io.katacontainers.config.hypervisor.machine_type` | string | the type of machine being emulated by the hypervisor |
-| `io.katacontainers.config.hypervisor.memory_offset` | uint64| the memory space used for `nvdimm` device by the hypervisor |
+| `io.katacontainers.config.hypervisor.memory_offset` | uint32| the memory space used for `nvdimm` device by the hypervisor |
 | `io.katacontainers.config.hypervisor.memory_slots` | uint32| the memory slots assigned to the VM by the hypervisor |
 | `io.katacontainers.config.hypervisor.msize_9p` | uint32 | the `msize` for 9p shares |
 | `io.katacontainers.config.hypervisor.path` | string | the hypervisor that will run the container VM |
@@ -89,13 +91,6 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.virtio_fs_cache` | string | the cache mode for virtio-fs, valid values are `always`, `auto` and `none` |
 | `io.katacontainers.config.hypervisor.virtio_fs_daemon` | string | virtio-fs `vhost-user` daemon path |
 | `io.katacontainers.config.hypervisor.virtio_fs_extra_args` | string | extra options passed to `virtiofs` daemon |
-| `io.katacontainers.config.hypervisor.enable_guest_swap` | `boolean` | enable swap in the guest |
-
-## Container Options
-| Key | Value Type | Comments |
-|-------| ----- | ----- |
-| `io.katacontainers.container.resource.swappiness"` | `uint64` | specify the `Resources.Memory.Swappiness` |
-| `io.katacontainers.container.resource.swap_in_bytes"` | `uint64` | specify the `Resources.Memory.Swap` |
 
 # CRI-O Configuration
 
@@ -105,12 +100,11 @@ In case of CRI-O, all annotations specified in the pod spec are passed down to K
 
 For containerd, annotations specified in the pod spec are passed down to Kata
 starting with version `1.3.0` of containerd. Additionally, extra configuration is
-needed for containerd, by providing `pod_annotations` field and
-`container_annotations` field in the containerd config
-file.  The `pod_annotations` field and `container_annotations` field are two lists of
-annotations that can be passed down to Kata as OCI annotations. They support golang match
-patterns. Since annotations supported by Kata follow the pattern `io.katacontainers.*`,
-the following configuration would work for passing annotations to Kata from containerd:
+needed for containerd, by providing a `pod_annotations` field in the containerd config
+file.  The `pod_annotations` field is a list of annotations that can be passed down to
+Kata as OCI annotations. It supports golang match patterns. Since annotations supported
+by Kata follow the pattern `io.katacontainers.*`, the following configuration would work
+for passing annotations to Kata from containerd:
 
 ```
 $ cat /etc/containerd/config
@@ -119,7 +113,6 @@ $ cat /etc/containerd/config
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
            runtime_type = "io.containerd.kata.v2"
            pod_annotations = ["io.katacontainers.*"]
-           container_annotations = ["io.katacontainers.*"]
 ....
 
 ```

docs/how-to/how-to-setup-swap-devices-in-guest-kernel.md

@@ -1,59 +0,0 @@
-# Setup swap device in guest kernel
-
-## Introduction
-
-Setup swap device in guest kernel can help to increase memory capacity, handle some memory issues and increase file access speed sometimes.
-Kata Containers can insert a raw file to the guest as the swap device.
-
-## Requisites
-
-The swap config of the containers should be set by [annotations](how-to-set-sandbox-config-kata.md#container-options).  So [extra configuration is needed for containerd](how-to-set-sandbox-config-kata.md#containerd-configuration).
-
-Kata Containers just supports setup swap device in guest kernel with QEMU.
-Install and setup Kata Containers as shown [here](../install/README.md).
-
-Enable setup swap device in guest kernel as follows:
-```
-$ sudo sed -i -e 's/^#enable_guest_swap.*$/enable_guest_swap = true/g' /etc/kata-containers/configuration.toml
-```
-
-## Run a Kata Container utilizing swap device
-
-Use following command to start a Kata Container with swappiness 60 and 1GB swap device (swap_in_bytes - memory_limit_in_bytes).
-```
-$ pod_yaml=pod.yaml
-$ container_yaml=container.yaml
-$ image="quay.io/prometheus/busybox:latest"
-$ cat << EOF > "${pod_yaml}"
-metadata:
-  name: busybox-sandbox1
-EOF
-$ cat << EOF > "${container_yaml}"
-metadata:
-  name: busybox-test-swap
-annotations:
-  io.katacontainers.container.resource.swappiness: "60"
-  io.katacontainers.container.resource.swap_in_bytes: "2147483648"
-linux:
-  resources:
-    memory_limit_in_bytes: 1073741824
-image:
-  image: "$image"
-command:
-- top
-EOF
-$ sudo crictl pull $image
-$ podid=$(sudo crictl runp $pod_yaml)
-$ cid=$(sudo crictl create $podid $container_yaml $pod_yaml)
-$ sudo crictl start $cid
-```
-
-Kata Container setups swap device for this container only when `io.katacontainers.container.resource.swappiness` is set.
-
-The following table shows the swap size how to decide if `io.katacontainers.container.resource.swappiness` is set.
-|`io.katacontainers.container.resource.swap_in_bytes`|`memory_limit_in_bytes`|swap size|
-|---|---|---|
-|set|set| `io.katacontainers.container.resource.swap_in_bytes` - `memory_limit_in_bytes`|
-|not set|set| `memory_limit_in_bytes`|
-|not set|not set| `io.katacontainers.config.hypervisor.default_memory`|
-|set|not set|cgroup doesn't support this usage|

docs/how-to/how-to-use-k8s-with-cri-containerd-and-kata.md

@@ -1,9 +1,22 @@
 # How to use Kata Containers and CRI (containerd plugin) with Kubernetes
 
+* [Requirements](#requirements)
+* [Install and configure containerd](#install-and-configure-containerd)
+* [Install and configure Kubernetes](#install-and-configure-kubernetes)
+    * [Install Kubernetes](#install-kubernetes)
+    * [Configure Kubelet to use containerd](#configure-kubelet-to-use-containerd)
+    * [Configure HTTP proxy - OPTIONAL](#configure-http-proxy---optional)
+* [Start Kubernetes](#start-kubernetes)
+* [Configure Pod Network](#configure-pod-network)
+* [Allow pods to run in the master node](#allow-pods-to-run-in-the-master-node)
+* [Create runtime class for Kata Containers](#create-runtime-class-for-kata-containers)
+* [Run pod in Kata Containers](#run-pod-in-kata-containers)
+* [Delete created pod](#delete-created-pod)
+
 This document describes how to set up a single-machine Kubernetes (k8s) cluster.
 
 The Kubernetes cluster will use the
-[CRI containerd](https://github.com/containerd/containerd/) and
+[CRI containerd plugin](https://github.com/containerd/cri) and
 [Kata Containers](https://katacontainers.io) to launch untrusted workloads.
 
 ## Requirements
@@ -71,12 +84,12 @@ $ for service in ${services}; do
     service_dir="/etc/systemd/system/${service}.service.d/"
     sudo mkdir -p ${service_dir}
 
-    cat << EOF | sudo tee "${service_dir}/proxy.conf"
+    cat << EOT | sudo tee "${service_dir}/proxy.conf"
 [Service]
 Environment="HTTP_PROXY=${http_proxy}"
 Environment="HTTPS_PROXY=${https_proxy}"
 Environment="NO_PROXY=${no_proxy}"
-EOF
+EOT
 done
 
 $ sudo systemctl daemon-reload
@@ -172,7 +185,7 @@ If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod w
 - Create an pod configuration that using Kata Containers runtime
 
   ```bash
-  $ cat << EOF | tee nginx-kata.yaml
+  $ cat << EOT | tee nginx-kata.yaml
   apiVersion: v1
   kind: Pod
   metadata:
@@ -183,7 +196,7 @@ If a pod has the `runtimeClassName` set to `kata`, the CRI plugin runs the pod w
     - name: nginx
       image: nginx
       
-  EOF
+  EOT
   ```
 
 - Create the pod

docs/how-to/how-to-use-kata-containers-with-acrn.md

@@ -2,6 +2,11 @@
 
 This document provides an overview on how to run Kata containers with ACRN hypervisor and device model.
 
+- [Introduction](#introduction)
+- [Pre-requisites](#pre-requisites)
+- [Configure Docker](#configure-docker)
+- [Configure Kata Containers with ACRN](#configure-kata-containers-with-acrn)
+
 ## Introduction
 
 ACRN is a flexible, lightweight Type-1 reference hypervisor built with real-time and safety-criticality in mind. ACRN uses an open source platform making it optimized to streamline embedded development.
@@ -22,7 +27,7 @@ This document requires the presence of the ACRN hypervisor and Kata Containers o
 
 - ACRN supported [Hardware](https://projectacrn.github.io/latest/hardware.html#supported-hardware).
   > **Note:** Please make sure to have a minimum of 4 logical processors (HT) or cores.
-- ACRN [software](https://projectacrn.github.io/latest/tutorials/run_kata_containers.html) setup.
+- ACRN [software](https://projectacrn.github.io/latest/tutorials/kbl-nuc-sdc.html#use-the-script-to-set-up-acrn-automatically) setup.
 - For networking, ACRN supports either MACVTAP or TAP. If MACVTAP is not enabled in the Service OS, please follow the below steps to update the kernel:
 
   ```sh

docs/how-to/how-to-use-sysctls-with-kata.md

@@ -1,7 +1,6 @@
 # Setting Sysctls with Kata
 
 ## Sysctls
-
 In Linux, the sysctl interface allows an administrator to modify kernel 
 parameters at runtime. Parameters are available via the `/proc/sys/` virtual 
 process file system. 
@@ -17,10 +16,11 @@ To get a complete list of kernel parameters, run:
 $ sudo sysctl -a
 ```
 
-Kubernetes provide mechanisms for setting namespaced sysctls. 
-Namespaced sysctls can be set per pod in the case of Kubernetes.
+Both Docker and Kubernetes provide mechanisms for setting namespaced sysctls. 
+Namespaced sysctls can be set per pod in the case of Kubernetes or per container
+in case of Docker.
 The following sysctls are known to be namespaced and can be set with 
-Kubernetes:
+Docker and Kubernetes:
 
 - `kernel.shm*`
 - `kernel.msg*`
@@ -30,10 +30,31 @@ Kubernetes:
 
 ### Namespaced Sysctls:
 
-Kata Containers supports setting namespaced sysctls with Kubernetes.
+Kata Containers supports setting namespaced sysctls with Docker and Kubernetes.
 All namespaced sysctls can be set in the same way as regular Linux based
 containers, the difference being, in the case of Kata they are set inside the guest.
 
+#### Setting Namespaced Sysctls with Docker:
+
+```
+$ sudo docker run --runtime=kata-runtime -it alpine cat /proc/sys/fs/mqueue/queues_max
+256
+$ sudo docker run --runtime=kata-runtime --sysctl fs.mqueue.queues_max=512 -it alpine cat /proc/sys/fs/mqueue/queues_max
+512
+```
+
+... and:
+
+```
+$ sudo docker run --runtime=kata-runtime -it alpine cat /proc/sys/kernel/shmmax
+18446744073692774399
+$ sudo docker run --runtime=kata-runtime --sysctl kernel.shmmax=1024 -it alpine cat /proc/sys/kernel/shmmax
+1024
+```
+
+For additional documentation on setting sysctls with Docker please refer to [Docker-sysctl-doc](https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime).
+
+
 #### Setting Namespaced Sysctls with Kubernetes:
 
 Kubernetes considers certain sysctls as safe and others as unsafe. For detailed
@@ -79,7 +100,7 @@ spec:
 
 ### Non-Namespaced Sysctls:
 
-Kubernetes disallow sysctls without a namespace.
+Docker and Kubernetes disallow sysctls without a namespace.
 The recommendation is to set them directly on the host or use a privileged
 container in the case of Kubernetes.
 

docs/how-to/how-to-use-virtio-fs-with-kata.md

@@ -1,9 +1,12 @@
 # Kata Containers with virtio-fs
 
+- [Kata Containers with virtio-fs](#kata-containers-with-virtio-fs)
+  - [Introduction](#introduction)
+
 ## Introduction
 
 Container deployments utilize explicit or implicit file sharing between host filesystem and containers. From a trust perspective, avoiding a shared file-system between the trusted host and untrusted container is recommended. This is not always feasible. In Kata Containers, block-based volumes are preferred as they allow usage of either device pass through or `virtio-blk` for access within the virtual machine.
 
 As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.
 
-virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy#kubernetes-quick-start).
+virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](https://github.com/kata-containers/packaging/tree/master/kata-deploy#kubernetes-quick-start).

docs/how-to/how-to-use-virtio-mem-with-kata.md

@@ -1,5 +1,9 @@
 # Kata Containers with `virtio-mem`
 
+- [Introduction](#introduction)
+- [Requisites](#requisites)
+- [Run a Kata Container utilizing `virtio-mem`](#run-a-kata-container-utilizing-virtio-mem)
+
 ## Introduction
 
 The basic idea of `virtio-mem` is to provide a flexible, cross-architecture memory hot plug and hot unplug solution that avoids many limitations imposed by existing technologies, architectures, and interfaces.
@@ -37,7 +41,7 @@ $ echo 1 | sudo tee /proc/sys/vm/overcommit_memory
 Use following command to start a Kata Container.
 ```
 $ pod_yaml=pod.yaml
-$ container_yaml=container.yaml
+$ container_yaml=${REPORT_DIR}/container.yaml
 $ image="quay.io/prometheus/busybox:latest"
 $ cat << EOF > "${pod_yaml}"
 metadata:

docs/how-to/privileged.md

@@ -3,6 +3,11 @@
 Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access
 that is not normally granted).
 
+* [Warnings](#warnings)
+    * [Host Devices](#host-devices)
+        * [Containerd and CRI](#containerd-and-cri)
+        * [CRI-O](#cri-o)
+
 ## Warnings
 
 **Warning:** Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured 
@@ -16,9 +21,9 @@ from the host, a potentially undesirable side-effect that decreases the security
 
 The following sections document how to configure this behavior in different container runtimes.
 
-#### Containerd
+#### Containerd and CRI
 
-The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is
+The Containerd CRI allows configuring the privileged host devices behavior for each runtime in the CRI config. This is
 done with the `privileged_without_host_devices` option. Setting this to `true` will disable hot plugging of the host 
 devices into the guest, even when privileged is enabled.
 
@@ -41,7 +46,7 @@ See below example config:
 ```
 
  - [Kata Containers with Containerd and CRI documentation](how-to-use-k8s-with-cri-containerd-and-kata.md)
- - [Containerd CRI config documentation](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
+ - [Containerd CRI config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
 
 #### CRI-O
 

docs/how-to/run-kata-with-crictl.md

@@ -1,5 +1,16 @@
 # Working with `crictl`
 
+* [What's `cri-tools`](#whats-cri-tools)
+* [Use `crictl` run Pods in Kata containers](#use-crictl-run-pods-in-kata-containers)
+  * [Run `busybox` Pod](#run-busybox-pod)
+    * [Run pod sandbox with config file](#run-pod-sandbox-with-config-file)
+    * [Create container in the pod sandbox with config file](#create-container-in-the-pod-sandbox-with-config-file)
+    * [Start container](#start-container)
+  * [Run `redis` Pod](#run-redis-pod)
+    * [Create `redis-server` Pod](#create-redis-server-pod)
+    * [Create `redis-client` Pod](#create-redis-client-pod)
+    * [Check `redis` server is working](#check-redis-server-is-working)
+
 ## What's `cri-tools`
 
 [`cri-tools`](https://github.com/kubernetes-sigs/cri-tools) provides debugging and validation tools for Kubelet Container Runtime Interface (CRI).

docs/how-to/run-kata-with-k8s.md

@@ -1,5 +1,18 @@
 # Run Kata Containers with Kubernetes
 
+* [Run Kata Containers with Kubernetes](#run-kata-containers-with-kubernetes)
+  * [Prerequisites](#prerequisites)
+  * [Install a CRI implementation](#install-a-cri-implementation)
+     * [CRI-O](#cri-o)
+        * [Kubernetes Runtime Class (CRI-O v1.12 )](#kubernetes-runtime-class-cri-o-v112)
+        * [Untrusted annotation (until CRI-O v1.12)](#untrusted-annotation-until-cri-o-v112)
+        * [Network namespace management](#network-namespace-management)
+     * [containerd with CRI plugin](#containerd-with-cri-plugin)
+  * [Install Kubernetes](#install-kubernetes)
+     * [Configure for CRI-O](#configure-for-cri-o)
+     * [Configure for containerd](#configure-for-containerd)
+  * [Run a Kubernetes pod with Kata Containers](#run-a-kubernetes-pod-with-kata-containers)
+
 ## Prerequisites
 This guide requires Kata Containers available on your system, install-able by following [this guide](../install/README.md).
 
@@ -9,7 +22,7 @@ Kubernetes CRI (Container Runtime Interface) implementations allow using any
 OCI-compatible runtime with Kubernetes, such as the Kata Containers runtime.
 
 Kata Containers support both the [CRI-O](https://github.com/kubernetes-incubator/cri-o) and
-[containerd](https://github.com/containerd/containerd) CRI implementations.
+[CRI-containerd](https://github.com/containerd/cri) CRI implementations.
 
 After choosing one CRI implementation, you must make the appropriate configuration
 to ensure it integrates with Kata Containers.
@@ -20,7 +33,7 @@ required to spawn pods and containers, and this is the preferred way to run Kata
 An equivalent shim implementation for CRI-O is planned.
 
 ### CRI-O
-For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/cri-o/cri-o/blob/main/tutorial.md) page.
+For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/kubernetes-incubator/cri-o/blob/master/tutorial.md) page.
 
 The following sections show how to set up the CRI-O configuration file (default path: `/etc/crio/crio.conf`) for Kata.
 
@@ -30,7 +43,7 @@ Unless otherwise stated, all the following settings are specific to the `crio.ru
 # runtime used and options for how to set up and manage the OCI runtime.
 [crio.runtime]
 ```
-A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md).
+A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md).
 
 > **Note**: After any change to this file, the CRI-O daemon have to be restarted with:
 >````
@@ -111,7 +124,11 @@ manage_ns_lifecycle = true
 ```
 
 
-### containerd
+### containerd with CRI plugin
+
+If you select containerd with `cri` plugin, follow the "Getting Started for Developers"
+instructions [here](https://github.com/containerd/cri#getting-started-for-developers)
+to properly install it.
 
 To customize containerd to select Kata Containers runtime, follow our
 "Configure containerd to use Kata Containers" internal documentation
@@ -154,10 +171,10 @@ $ sudo systemctl daemon-reload
 $ sudo systemctl restart kubelet
 
 # If using CRI-O
-$ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /var/run/crio/crio.sock --pod-network-cidr=10.244.0.0/16
+$ sudo kubeadm init --skip-preflight-checks --cri-socket /var/run/crio/crio.sock --pod-network-cidr=10.244.0.0/16
 
-# If using containerd
-$ sudo kubeadm init --ignore-preflight-errors=all --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16
+# If using CRI-containerd
+$ sudo kubeadm init --skip-preflight-checks --cri-socket /run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16
 
 $ export KUBECONFIG=/etc/kubernetes/admin.conf
 ```

docs/how-to/service-mesh.md

@@ -1,5 +1,21 @@
 # Kata Containers and service mesh for Kubernetes
 
+* [Assumptions](#assumptions)
+* [How they work](#how-they-work)
+* [Prerequisites](#prerequisites)
+    * [Kata and Kubernetes](#kata-and-kubernetes)
+    * [Restrictions](#restrictions)
+* [Install and deploy your service mesh](#install-and-deploy-your-service-mesh)
+    * [Service Mesh Istio](#service-mesh-istio)
+    * [Service Mesh Linkerd](#service-mesh-linkerd)
+* [Inject your services with sidecars](#inject-your-services-with-sidecars)
+    * [Sidecar Istio](#sidecar-istio)
+    * [Sidecar Linkerd](#sidecar-linkerd)
+* [Run your services with Kata](#run-your-services-with-kata)
+    * [Lower privileges](#lower-privileges)
+    * [Add annotations](#add-annotations)
+    * [Deploy](#deploy)
+
 A service mesh is a way to monitor and control the traffic between
 micro-services running in your Kubernetes cluster. It is a powerful
 tool that you might want to use in combination with the security
@@ -34,7 +50,7 @@ as the proxy starts.
 
 Follow the [instructions](../install/README.md)
 to get Kata Containers properly installed and configured with Kubernetes.
-You can choose between CRI-O and containerd, both are supported
+You can choose between CRI-O and CRI-containerd, both are supported
 through this document.
 
 For both cases, select the workloads as _trusted_ by default. This way,
@@ -60,16 +76,15 @@ is not able to perform a proper setup of the rules.
 
 ### Service Mesh Istio
 
-The following is a summary of what you need to install Istio on your system:
+As a reference, you can follow Istio [instructions](https://istio.io/docs/setup/kubernetes/quick-start/#download-and-prepare-for-the-installation).
 
+The following is a summary of what you need to install Istio on your system:
 ```
 $ curl -L https://git.io/getLatestIstio | sh -
 $ cd istio-*
 $ export PATH=$PWD/bin:$PATH
 ```
 
-See the [Istio documentation](https://istio.io/docs) for further details.
-
 Now deploy Istio in the control plane of your cluster with the following:
 ```
 $ kubectl apply -f install/kubernetes/istio-demo.yaml
@@ -159,7 +174,7 @@ containers with `privileged: true` to `privileged: false`.
 There is no difference between Istio and Linkerd in this section. It is
 about which CRI implementation you use.
 
-For both CRI-O and containerd, you have to add an annotation indicating
+For both CRI-O and CRI-containerd, you have to add an annotation indicating
 the workload for this deployment is not _trusted_, which will trigger
 `kata-runtime` to be called instead of `runc`.
 
@@ -193,9 +208,9 @@ spec:
 ...
 ```
 
-__containerd:__
+__CRI-containerd:__
 
-Add the following annotation for containerd
+Add the following annotation for CRI-containerd
 ```yaml
 io.kubernetes.cri.untrusted-workload: "true"
 ```

docs/how-to/what-is-vm-cache-and-how-do-I-use-it.md

@@ -1,5 +1,10 @@
 # What Is VMCache and How To Enable It
 
+* [What is VMCache](#what-is-vmcache)
+* [How is this different to VM templating](#how-is-this-different-to-vm-templating)
+* [How to enable VMCache](#how-to-enable-vmcache)
+* [Limitations](#limitations)
+
 ### What is VMCache
 
 VMCache is a new function that creates VMs as caches before using it.

docs/how-to/what-is-vm-templating-and-how-do-I-use-it.md

@@ -1,7 +1,6 @@
 # What Is VM Templating and How To Enable It
 
 ### What is VM templating
-
 VM templating is a Kata Containers feature that enables new VM
 creation using a cloning technique. When enabled, new VMs are created
 by cloning from a pre-created template VM, and they will share the
@@ -9,13 +8,11 @@ same initramfs, kernel and agent memory in readonly mode. It is very
 much like a process fork done by the kernel but here we *fork* VMs.
 
 ### How is this different from VMCache
-
 Both [VMCache](../how-to/what-is-vm-cache-and-how-do-I-use-it.md) and VM templating help speed up new container creation.  
 When VMCache enabled, new VMs are created by the VMCache server.  So it is not vulnerable to share memory CVE because each VM doesn't share the memory.  
 VM templating saves a lot of memory if there are many Kata Containers running on the same host.
 
 ### What are the Pros
-
 VM templating helps speed up new container creation and saves a lot
 of memory if there are many Kata Containers running on the same host.
 If you are running a density workload, or care a lot about container
@@ -32,7 +29,6 @@ showed that VM templating speeds up Kata Containers creation by as much as
 38.68%. See [full results here](https://gist.github.com/bergwolf/06974a3c5981494a40e2c408681c085d).
 
 ### What are the Cons
-
 One drawback of VM templating is that it cannot avoid cross-VM side-channel
 attack such as [CVE-2015-2877](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2877)
 that originally targeted at the Linux KSM feature.
@@ -43,11 +39,10 @@ and can be classified as potentially misunderstood behaviors rather than vulnera
 **Warning**: If you care about such attack vector, do not use VM templating or KSM.
 
 ### How to enable VM templating
-
 VM templating can be enabled by changing your Kata Containers config file (`/usr/share/defaults/kata-containers/configuration.toml`,
 overridden by `/etc/kata-containers/configuration.toml` if provided) such that:
 
-  - `qemu` version `v4.1.0` or above is specified in `hypervisor.qemu`->`path` section
+  - `qemu-lite` is specified in `hypervisor.qemu`->`path` section
   - `enable_template = true`
   - `initrd =` is set
   - `image =` option is commented out or removed

docs/hypervisors.md

@@ -1,5 +1,11 @@
 # Hypervisors
 
+* [Hypervisors](#hypervisors)
+    * [Introduction](#introduction)
+    * [Types](#types)
+    * [Determine currently configured hypervisor](#determine-currently-configured-hypervisor)
+    * [Choose a Hypervisor](#choose-a-hypervisor)
+
 ## Introduction
 
 Kata Containers supports multiple hypervisors. This document provides a very

docs/install/README.md

@@ -1,19 +1,39 @@
-# Kata Containers installation guides
+# Kata Containers installation user guides
 
-The following is an overview of the different installation methods available. 
+* [Kata Containers installation user guides](#kata-containers-installation-user-guides)
+    * [Prerequisites](#prerequisites)
+    * [Legacy installation](#legacy-installation)
+    * [Packaged installation methods](#packaged-installation-methods)
+        * [Official packages](#official-packages)
+        * [Snap Installation](#snap-installation)
+        * [Automatic Installation](#automatic-installation)
+        * [Manual Installation](#manual-installation)
+    * [Build from source installation](#build-from-source-installation)
+    * [Installing on a Cloud Service Platform](#installing-on-a-cloud-service-platform)
+    * [Further information](#further-information)
+
+The following is an overview of the different installation methods available. All of these methods equally result
+in a system configured to run Kata Containers.
 
 ## Prerequisites
 
-Kata Containers requires nested virtualization or bare metal. Check 
-[hardware requirements](/src/runtime/README.md#hardware-requirements) to see if your system is capable of running Kata 
-Containers.
+Kata Containers requires nested virtualization or bare metal.
+See the
+[hardware requirements](/src/runtime/README.md#hardware-requirements)
+to see if your system is capable of running Kata Containers.
+
+## Legacy installation
+
+If you wish to install a legacy 1.x version of Kata Containers, see
+[the Kata Containers 1.x installation documentation](https://github.com/kata-containers/documentation/tree/master/install/).
 
 ## Packaged installation methods
 
-Packaged installation methods uses your distribution's native package format (such as RPM or DEB).
-
-*Note:* We encourage installation methods that provides automatic updates, it ensures security updates and bug fixes are
-easily applied.
+> **Notes:**
+>
+> - Packaged installation methods uses your distribution's native package format (such as RPM or DEB).
+> - You are strongly encouraged to choose an installation method that provides
+>   automatic updates, to ensure you benefit from security updates and bug fixes.
 
 | Installation method                                  | Description                                                         | Automatic updates | Use case                                                 |
 |------------------------------------------------------|---------------------------------------------------------------------|-------------------|----------------------------------------------------------|
@@ -32,9 +52,16 @@ Kata packages are provided by official distribution repositories for:
 | [CentOS](centos-installation-guide.md)                   | 8                                                                              |
 | [Fedora](fedora-installation-guide.md)                   | 34                                                                             |
 
+> **Note::**
+>
+> All users are encouraged to uses the official distribution versions of Kata
+> Containers unless they understand the implications of alternative methods.
+
 ### Snap Installation
 
-The snap installation is available for all distributions which support `snapd`.
+> **Note:** The snap installation is available for all distributions which support `snapd`.
+
+[![Get it from the Snap Store](https://snapcraft.io/static/images/badges/en/snap-store-black.svg)](https://snapcraft.io/kata-containers)
 
 [Use snap](snap-installation-guide.md) to install Kata Containers from https://snapcraft.io.
 
@@ -48,9 +75,11 @@ Follow the [containerd installation guide](container-manager/containerd/containe
 
 ## Build from source installation
 
-*Note:* Power users who decide to build from sources should be aware of the
-implications of using an unpackaged system which will not be automatically
-updated as new [releases](../Stable-Branch-Strategy.md) are made available.
+> **Notes:**
+>
+> - Power users who decide to build from sources should be aware of the
+>   implications of using an unpackaged system which will not be automatically
+>   updated as new [releases](../Stable-Branch-Strategy.md) are made available.
 
 [Building from sources](../Developer-Guide.md#initial-setup)  allows power users
 who are comfortable building software from source to use the latest component
@@ -66,6 +95,6 @@ versions. This is not recommended for normal users.
 
 ## Further information
 
-* [upgrading document](../Upgrading.md)
-* [developer guide](../Developer-Guide.md)
-* [runtime documentation](../../src/runtime/README.md)
+* The [upgrading document](../Upgrading.md).
+* The [developer guide](../Developer-Guide.md).
+* The [runtime documentation](../../src/runtime/README.md).

docs/install/aws-installation-guide.md

@@ -1,5 +1,10 @@
 # Install Kata Containers on Amazon Web Services
 
+* [Install and Configure AWS CLI](#install-and-configure-aws-cli)
+* [Create or Import an EC2 SSH key pair](#create-or-import-an-ec2-ssh-key-pair)
+* [Launch i3.metal instance](#launch-i3metal-instance)
+* [Install Kata](#install-kata)
+
 Kata Containers on Amazon Web Services (AWS) makes use of [i3.metal](https://aws.amazon.com/ec2/instance-types/i3/) instances. Most of the installation procedure is identical to that for Kata on your preferred distribution, except that you have to run it on bare metal instances since AWS doesn't support nested virtualization yet. This guide walks you through creating an i3.metal instance.
 
 ## Install and Configure AWS CLI

docs/install/container-manager/containerd/containerd-install.md

@@ -98,12 +98,12 @@
 
     ```toml
     [plugins]
-      [plugins."io.containerd.grpc.v1.cri"]
-        [plugins."io.containerd.grpc.v1.cri".containerd]
-          default_runtime_name = "kata"
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
-            [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
-              runtime_type = "io.containerd.kata.v2"
+        [plugins.cri]
+            [plugins.cri.containerd]
+            default_runtime_name = "kata"
+
+            [plugins.cri.containerd.runtimes.kata]
+            runtime_type = "io.containerd.kata.v2"
     ```
 
     > **Note:**

docs/install/gce-installation-guide.md

@@ -1,5 +1,11 @@
 # Install Kata Containers on Google Compute Engine
 
+* [Create an Image with Nested Virtualization Enabled](#create-an-image-with-nested-virtualization-enabled)
+    * [Create the Image](#create-the-image)
+    * [Verify VMX is Available](#verify-vmx-is-available)
+* [Install Kata](#install-kata)
+* [Create a Kata-enabled Image](#create-a-kata-enabled-image)
+
 Kata Containers on Google Compute Engine (GCE) makes use of [nested virtualization](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances). Most of the installation procedure is identical to that for Kata on your preferred distribution, but enabling nested virtualization currently requires extra steps on GCE. This guide walks you through creating an image and instance with nested virtualization enabled. Note that `kata-runtime check` checks for nested virtualization, but does not fail if support is not found.
 
 As a pre-requisite this guide assumes an installed and configured instance of the [Google Cloud SDK](https://cloud.google.com/sdk/downloads). For a zero-configuration option, all of the commands below were been tested under [Google Cloud Shell](https://cloud.google.com/shell/) (as of Jun 2018). Verify your `gcloud` installation and configuration:

docs/install/minikube-installation-guide.md

@@ -1,12 +1,24 @@
 # Installing Kata Containers in Minikube
 
+* [Installing Kata Containers in Minikube](#installing-kata-containers-in-minikube)
+    * [Introduction](#introduction)
+    * [Prerequisites](#prerequisites)
+    * [Setting up Minikube](#setting-up-minikube)
+    * [Checking for nested virtualization](#checking-for-nested-virtualization)
+    * [Check Minikube is running](#check-minikube-is-running)
+    * [Installing Kata Containers](#installing-kata-containers)
+    * [Enabling Kata Containers](#enabling-kata-containers)
+        * [Register the runtime](#register-the-runtime)
+    * [Testing Kata Containers](#testing-kata-containers)
+    * [Wrapping up](#wrapping-up)
+
 ## Introduction
 
 [Minikube](https://kubernetes.io/docs/setup/minikube/) is an easy way to try out a Kubernetes (k8s)
 cluster locally. It creates a single node Kubernetes stack in a local VM.
 
 [Kata Containers](https://github.com/kata-containers) can be installed into a Minikube cluster using
-[`kata-deploy`](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy).
+[`kata-deploy`](https://github.com/kata-containers/packaging/tree/master/kata-deploy).
 
 This document details the pre-requisites, installation steps, and how to check
 the installation has been successful.
@@ -123,7 +135,7 @@ $ kubectl apply -f kata-deploy/base/kata-deploy.yaml
 This installs the Kata Containers components into `/opt/kata` inside the Minikube node. It can take
 a few minutes for the operation to complete. You can check the installation has worked by checking
 the status of the `kata-deploy` pod, which will be executing
-[this script](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy/scripts/kata-deploy.sh),
+[this script](https://github.com/kata-containers/packaging/blob/master/kata-deploy/scripts/kata-deploy.sh),
 and will be executing a `sleep infinity` once it has successfully completed its work.
 You can accomplish this by running the following:
 
@@ -154,8 +166,8 @@ $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/node-api/master/
 Now register the `kata qemu` runtime with that class. This should result in no errors:
 
 ```sh
-$ cd kata-containers/tools/packaging/kata-deploy/runtimeclasses
-$ kubectl apply -f kata-runtimeClasses.yaml
+$ cd kata-containers/tools/packaging/kata-deploy/k8s-1.14
+$ kubectl apply -f kata-qemu-runtimeClass.yaml
 ```
 
 The Kata Containers installation process should be complete and enabled in the Minikube cluster.

docs/install/snap-installation-guide.md

@@ -1,5 +1,11 @@
 # Kata Containers snap package
 
+* [Install Kata Containers](#install-kata-containers)
+* [Configure Kata Containers](#configure-kata-containers)
+* [Integration with shim v2 Container Engines](#integration-with-shim-v2-container-engines)
+* [Remove Kata Containers snap package](#remove-kata-containers-snap-package)
+
+
 ## Install Kata Containers
 
 Kata Containers can be installed in any Linux distribution that supports

docs/threat-model/threat-model.md

@@ -1,137 +0,0 @@
-# Kata Containers threat model
-
-This document discusses threat models associated with the Kata Containers project.
-Kata was designed to provide additional isolation of container workloads, protecting
-the host infrastructure from potentially malicious container users or workloads. Since
-Kata Containers adds a level of isolation on top of traditional containers, the focus
-is on the additional layer provided, not on traditional container security.
-
-This document provides a brief background on containers and layered security, describes
-the interface to Kata from CRI runtimes, a review of utilized virtual machine interfaces, and then
-a review of threats.
-
-## Kata security objective
-
-Kata seeks to prevent an untrusted container workload or user of that container workload to gain
-control of, obtain information from, or tamper with the host infrastructure.
-
-In our scenario, an asset is anything on the host system, or elsewhere in the cluster
-infrastructure. The attacker is assumed to be either a malicious user or the workload itself
-running within the container. The goal of Kata is to prevent attacks which would allow
-any access to the defined assets.
-
-## Background on containers, layered security
-
-Traditional containers leverage several key Linux kernel features to provide isolation and
-a view that the container workload is the only entity running on the host. Key features include
-`Namespaces`, `cgroups`, `capablities`, `SELinux` and `seccomp`. The canonical runtime for creating such
-a container is `runc`. In the remainder of the document, the term `traditional-container` will be used
-to describe a container workload created by runc.
-
-Kata Containers provides a second layer of isolation on top of those provided by traditional-containers.
-The hardware virtualization interface is the basis of this additional layer. Kata launches a lightweight
-virtual machine, and uses the guest’s Linux kernel to create a container workload, or workloads in the case
-of multi-container pods. In Kubernetes and in the Kata implementation, the sandbox is carried out at the
-pod level. In Kata, this sandbox is created using a virtual machine.
-
-## Interface to Kata Containers: CRI, v2-shim, OCI
-
-A typical Kata Containers deployment uses Kubernetes with a CRI implementation.
-On every node, Kubelet will interact with a CRI implementor, which will in turn interface with
-an OCI based runtime, such as Kata Containers. Typical CRI implementors are `cri-o` and `containerd`.
-
-The CRI API, as defined at the Kubernetes [CRI-API repo](https://github.com/kubernetes/cri-api/),
-results in a few constructs being supported by the CRI implementation, and ultimately in the OCI
-runtime creating the workloads.
-
-In order to run a container inside of the Kata sandbox, several virtual machine devices and interfaces
-are required. Kata translates sandbox and container definitions to underlying virtualization technologies provided
-by a set of virtual machine monitors (VMMs) and hypervisors. These devices and their underlying
-implementations are discussed in detail in the following section.
-
-## Interface to the Kata sandbox/virtual machine
-
-In case of Kata, today the devices which we need in the guest are:
- - Storage: In the current design of Kata Containers, we are reliant on the CRI implementor to
- assist in image handling and volume management on the host. As a result, we need to support a way of passing to the sandbox the container rootfs, volumes requested
- by the workload, and any other volumes created to facilitate sharing of secrets and `configmaps` with the containers. Depending on how these are managed, a block based device or file-system
- sharing is required. Kata Containers does this by way of `virtio-blk` and/or `virtio-fs`.
- - Networking: A method for enabling network connectivity with the workload is required. Typically this will be done providing a `TAP` device
- to the VMM, and this will be exposed to the guest as a `virtio-net` device. It is feasible to pass in a NIC device directly, in which case `VFIO` is leveraged
- and the device itself will be exposed to the guest.
- - Control: In order to interact with the guest agent and retrieve `STDIO` from containers, a medium of communication is required.
- This is available via `virtio-vsock`.
- - Devices: `VFIO` is utilized when devices are passed directly to the virtual machine and exposed to the container.
-- Dynamic Resource Management: `ACPI` is utilized to allow for dynamic VM resource management (for example: CPU, memory, device hotplug). This is required when containers are resized,
- or more generally when containers are added to a pod. 
- 
-How these devices are utilized varies depending on the VMM utilized. We clarify the default settings provided when integrating Kata
-with the QEMU, Firecracker and Cloud Hypervisor VMMs in the following sections.
-
-### Devices
-
-Each virtio device is implemented by a backend, which may execute within userspace on the host (vhost-user), the VMM itself, or within the host kernel (vhost). While it may provide enhanced performance,
-vhost devices are often seen as higher risk since an exploit would be already running within the kernel space. While VMM and vhost-user are both in userspace on the host, `vhost-user` generally allows for the back-end process to require less system calls and capabilities compared to a full VMM.
-
-#### `virtio-blk` and `virtio-scsi`
-
-The backend for `virtio-blk` and `virtio-scsi` are based in the VMM itself (ring3 in the context of x86) by default for Cloud Hypervisor, Firecracker and QEMU.
-While `vhost` based back-ends are available for QEMU, it is not recommended. `vhost-user` back-ends are being added for Cloud Hypervisor, they are not utilized in Kata today.
-
-#### `virtio-fs`
-
-`virtio-fs` is supported in Cloud Hypervisor and QEMU. `virtio-fs`'s interaction with the host filesystem is done through a vhost-user daemon, `virtiofsd`.
-The `virtio-fs` client, running in the guest, will generate requests to access files. `virtiofsd` will receive requests, open the file, and request the VMM
-to `mmap` it into the guest. When DAX is utilized, the guest will access the host's page cache, avoiding the need for copy and duplication. DAX is still an experimental feature,
-and is not enabled by default.
-
-From the `virtiofsd` [documentation](https://qemu-project.gitlab.io/qemu/tools/virtiofsd.html): 
-```This program must be run as the root user. Upon startup the program will switch into a new file system namespace with the shared directory tree as its root. This prevents “file system escapes” due to symlinks and other file system objects that might lead to files outside the shared directory. The program also sandboxes itself using seccomp(2) to prevent ptrace(2) and other vectors that could allow an attacker to compromise the system after gaining control of the virtiofsd process.```
-
-DAX-less support for `virtio-fs` is available as of the 5.4 Linux kernel. QEMU VMM supports virtio-fs as of v4.2. Cloud Hypervisor
-supports `virtio-fs`.
-
-#### `virtio-net`
-
-`virtio-net` has many options, depending on the VMM and Kata configurations.
-
-##### QEMU networking
-
-While QEMU has options for `vhost`, `virtio-net` and `vhost-user`, the `virtio-net` backend
-for Kata defaults to `vhost-net` for performance reasons. The default configuration is being
-reevaluated.
-
-##### Firecracker networking
-
-For Firecracker, the `virtio-net` backend is within Firecracker's VMM.
-
-##### Cloud Hypervisor networking
-
-For Cloud Hypervisor, the current backend default is within the VMM. `vhost-user-net` support
-is being added (written in rust, Cloud Hypervisor specific).
-
-#### virtio-vsock
-
-##### QEMU vsock
-
-In QEMU, vsock is backed by `vhost_vsock`, which runs within the kernel itself.
-
-##### Firecracker and Cloud Hypervisor
-
-In Firecracker and Cloud Hypervisor, vsock is backed by a unix-domain-socket in the hosts userspace.
-
-#### VFIO
-
-Utilizing VFIO, devices can be passed through to the virtual machine. We will assess this separately. Exposure to
-host is limited to gaps in device pass-through handling. This is supported in QEMU and Cloud Hypervisor, but not
-Firecracker.
-
-#### ACPI
-
-ACPI is necessary for hotplug of CPU, memory and devices. ACPI is available in QEMU and Cloud Hypervisor. Device, CPU and memory hotplug
-are not available in Firecracker.
-
-## Devices and threat model
-
-![Threat model](threat-model-boundaries.svg "threat-model")
-

docs/tracing.md

@@ -1,213 +0,0 @@
-# Overview
-
-This document explains how to trace Kata Containers components.
-
-# Introduction
-
-The Kata Containers runtime and agent are able to generate
-[OpenTelemetry][opentelemetry] trace spans, which allow the administrator to
-observe what those components are doing and how much time they are spending on
-each operation.
-
-# OpenTelemetry summary
-
-An OpenTelemetry-enabled application creates a number of trace "spans". A span
-contains the following attributes:
-
-- A name
-- A pair of timestamps (recording the start time and end time of some operation)
-- A reference to the span's parent span
-
-All spans need to be *finished*, or *completed*, to allow the OpenTelemetry
-framework to generate the final trace information (by effectively closing the
-transaction encompassing the initial (root) span and all its children).
-
-For Kata, the root span represents the total amount of time taken to run a
-particular component from startup to its shutdown (the "run time").
-
-# Architecture
-
-## Runtime tracing architecture
-
-The runtime, which runs in the host environment, has been modified to
-optionally generate trace spans which are sent to a trace collector on the
-host.
-
-## Agent tracing architecture
-
-An OpenTelemetry system (such as [Jaeger][jaeger-tracing]) uses a collector to
-gather up trace spans from the application for viewing and processing. For an
-application to use the collector, it must run in the same context as
-the collector.
-
-This poses a problem for tracing the Kata Containers agent since it does not
-run in the same context as the collector: it runs inside a virtual machine (VM).
-
-To allow spans from the agent to be sent to the trace collector, Kata provides
-a [trace forwarder][trace-forwarder] component. This runs in the same context
-as the collector (generally on the host system) and listens on a
-[`VSOCK`][vsock] channel for traces generated by the agent, forwarding them on
-to the trace collector.
-
-> **Note:**
->
-> This design supports agent tracing without having to make changes to the
-> image, but also means that [custom images][osbuilder] can also benefit from
-> agent tracing.
-
-The following diagram summarises the architecture used to trace the Kata
-Containers agent:
-
-```
-+--------------------------------------------+
-| Host                                       |
-|                                            |
-| +---------------+                          |
-| | OpenTelemetry |                          |
-| | Trace         |                          |
-| | Collector     |                          |
-| +---------------+                          |
-|       ^                  +---------------+ |
-|       | spans            | Kata VM       | |
-| +-----+-----+            |               | |
-| | Kata      |    spans   o     +-------+ | |
-| | Trace     |<-----------------| Kata  | | |
-| | Forwarder |    VSOCK   o     | Agent | | |
-| +-----------+    Channel |     +-------+ | |
-|                          +---------------+ |
-+--------------------------------------------+
-```
-
-# Agent tracing prerequisites
-
-- You must have a trace collector running.
-
-  Although the collector normally runs on the host, it can also be run from
-  inside a Docker image configured to expose the appropriate host ports to the
-  collector.
-
-  The [Jaeger "all-in-one" Docker image][jaeger-all-in-one] method
-  is the quickest and simplest way to run the collector for testing.
-
-- If you wish to trace the agent, you must start the
-  [trace forwarder][trace-forwarder].
-
-> **Notes:**
->
-> - If agent tracing is enabled but the forwarder is not running,
->   the agent will log an error (signalling that it cannot generate trace
->   spans), but continue to work as normal.
->
-> - The trace forwarder requires a trace collector (such as Jaeger) to be
->   running before it is started. If a collector is not running, the trace
->   forwarder will exit with an error.
-
-# Enable tracing
-
-By default, tracing is disabled for all components. To enable _any_ form of
-tracing an `enable_tracing` option must be enabled for at least one component.
-
-> **Note:** 
->
-> Enabling this option will only allow tracing for subsequently
-> started containers.
-
-## Enable runtime tracing
-
-To enable runtime tracing, set the tracing option as shown:
-
-```toml
-[runtime]
-enable_tracing = true
-```
-
-## Enable agent tracing
-
-To enable agent tracing, set the tracing option as shown:
-
-```toml
-[agent.kata]
-enable_tracing = true
-```
-
-> **Note:**
->
-> If both agent tracing and runtime tracing are enabled, the resulting trace
-> spans will be "collated": expanding individual runtime spans in the Jaeger
-> web UI will show the agent trace spans resulting from the runtime
-> operation.
-
-# Appendices
-
-## Agent tracing requirements
-
-### Host environment
-
-- The host kernel must support the VSOCK socket type.
-
-  This will be available if the kernel is built with the
-  `CONFIG_VHOST_VSOCK` configuration option.
-
-- The VSOCK kernel module must be loaded:
-
-   ```
-   $ sudo modprobe vhost_vsock
-   ```
-
-### Guest environment
-
-- The guest kernel must support the VSOCK socket type:
-
-  This will be available if the kernel is built with the
-  `CONFIG_VIRTIO_VSOCKETS` configuration option.
-
-  > **Note:** The default Kata Containers guest kernel provides this feature.
-
-## Agent tracing limitations
-
-- Agent tracing is only "completed" when the workload and the Kata agent
-  process have exited.
-
-  Although trace information *can* be inspected before the workload and agent
-  have exited, it is incomplete. This is shown as `<trace-without-root-span>`
-  in the Jaeger web UI.
-
-  If the workload is still running, the trace transaction -- which spans the entire
-  runtime of the Kata agent -- will not have been completed. To view the complete
-  trace details, wait for the workload to end, or stop the container.
-
-## Performance impact
-
-[OpenTelemetry][opentelemetry] is designed for high performance. It combines
-the best of two previous generation projects (OpenTracing and OpenCensus) and
-uses a very efficient mechanism to capture trace spans. Further, the trace
-points inserted into the agent are generated dynamically at compile time. This
-is advantageous since new versions of the agent will automatically benefit
-from improvements in the tracing infrastructure. Overall, the impact of
-enabling runtime and agent tracing should be extremely low.
-
-## Agent shutdown behaviour
- 
-In normal operation, the Kata runtime manages the VM shutdown and performs
-certain optimisations to speed up this process. However, if agent tracing is
-enabled, the agent itself is responsible for shutting down the VM. This it to
-ensure all agent trace transactions are completed. This means there will be a
-small performance impact for container shutdown when agent tracing is enabled
-as the runtime must wait for the VM to shutdown fully.
-
-## Set up a tracing development environment
-
-If you want to debug, further develop, or test tracing,
-[enabling full debug][enable-full-debug]
-is highly recommended. For working with the agent, you may also wish to
-[enable a debug console][setup-debug-console]
-to allow you to access the VM environment.
-
-[enable-full-debug]: https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md#enable-full-debug
-[jaeger-all-in-one]: https://www.jaegertracing.io/docs/getting-started/
-[jaeger-tracing]: https://www.jaegertracing.io
-[opentelemetry]: https://opentelemetry.io
-[osbuilder]: https://github.com/kata-containers/kata-containers/blob/main/tools/osbuilder
-[setup-debug-console]: https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md#set-up-a-debug-console
-[trace-forwarder]: /src/trace-forwarder
-[vsock]: https://wiki.qemu.org/Features/VirtioVsock

docs/use-cases/Intel-GPU-passthrough-and-Kata.md

@@ -1,5 +1,13 @@
 # Using Intel GPU device with Kata Containers
 
+- [Using Intel GPU device with Kata Containers](#using-intel-gpu-device-with-kata-containers)   
+   - [Hardware Requirements](#hardware-requirements)   
+   - [Host Kernel Requirements](#host-kernel-requirements)   
+   - [Install and configure Kata Containers](#install-and-configure-kata-containers)   
+   - [Build Kata Containers kernel with GPU support](#build-kata-containers-kernel-with-gpu-support)   
+   - [GVT-d with Kata Containers](#gvt-d-with-kata-containers)   
+   - [GVT-g with Kata Containers](#gvt-g-with-kata-containers)   
+
 An Intel Graphics device can be passed to a Kata Containers container using GPU
 passthrough (Intel GVT-d) as well as GPU mediated passthrough (Intel GVT-g).
 
@@ -57,8 +65,8 @@ configuration in the Kata `configuration.toml` file as shown below.
 $ sudo sed -i -e 's/^# *\(hotplug_vfio_on_root_bus\).*=.*$/\1 = true/g' /usr/share/defaults/kata-containers/configuration.toml
 ```
 
-Make sure you are using the `q35` machine type by verifying `machine_type = "q35"` is
-set in the `configuration.toml`. Make sure `pcie_root_port` is set to a positive value.
+Make sure you are using the `pc` machine type by verifying `machine_type = "pc"` is
+set in the `configuration.toml`.
 
 ## Build Kata Containers kernel with GPU support
 

docs/use-cases/Nvidia-GPU-passthrough-and-Kata.md

@@ -1,5 +1,17 @@
 # Using Nvidia GPU device with Kata Containers
 
+- [Using Nvidia GPU device with Kata Containers](#using-nvidia-gpu-device-with-kata-containers)
+	- [Hardware Requirements](#hardware-requirements)
+	- [Host BIOS Requirements](#host-bios-requirements)
+	- [Host Kernel Requirements](#host-kernel-requirements)
+	- [Install and configure Kata Containers](#install-and-configure-kata-containers)
+	- [Build Kata Containers kernel with GPU support](#build-kata-containers-kernel-with-gpu-support)
+	- [Nvidia GPU pass-through mode with Kata Containers](#nvidia-gpu-pass-through-mode-with-kata-containers)
+	- [Nvidia vGPU mode with Kata Containers](#nvidia-vgpu-mode-with-kata-containers)
+	- [Install Nvidia Driver in Kata Containers](#install-nvidia-driver-in-kata-containers)
+	- [References](#references)
+
+
 An Nvidia GPU device can be passed to a Kata Containers container using GPU passthrough
 (Nvidia GPU pass-through mode) as well as GPU mediated passthrough (Nvidia vGPU mode). 
 
@@ -63,11 +75,18 @@ To use non-large BARs devices (for example, Nvidia Tesla T4), you need Kata vers
 Follow the [Kata Containers setup instructions](../install/README.md)
 to install the latest version of Kata.
 
+The following configuration in the Kata `configuration.toml` file as shown below can work:
+```
+machine_type = "pc"
+
+hotplug_vfio_on_root_bus = true
+```
+
 To use large BARs devices (for example, Nvidia Tesla P100), you need Kata version 1.11.0 or above.
 
 The following configuration in the Kata `configuration.toml` file as shown below can work:
 
-Hotplug for PCI devices by `acpi_pcihp` (Linux's ACPI PCI Hotplug driver):
+Hotplug for PCI devices by `shpchp` (Linux's SHPC PCI Hotplug driver):
 ```
 machine_type = "q35"
 
@@ -91,6 +110,7 @@ The following kernel config options need to be enabled:
 ```
 # Support PCI/PCIe device hotplug (Required for large BARs device)
 CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_HOTPLUG_PCI_SHPC=y
 
 # Support for loading modules (Required for load Nvidia drivers)
 CONFIG_MODULES=y
@@ -290,4 +310,4 @@ Tue Mar  3 00:03:49 2020
 
 - [Configuring a VM for GPU Pass-Through by Using the QEMU Command Line](https://docs.nvidia.com/grid/latest/grid-vgpu-user-guide/index.html#using-gpu-pass-through-red-hat-el-qemu-cli)
 - https://gitlab.com/nvidia/container-images/driver/-/tree/master
-- https://github.com/NVIDIA/nvidia-docker/wiki/Driver-containers
+- https://github.com/NVIDIA/nvidia-docker/wiki/Driver-containers-(Beta)

docs/use-cases/using-Intel-QAT-and-kata.md

@@ -1,5 +1,33 @@
 # Table of Contents
 
+- [Table of Contents](#table-of-contents)
+- [Introduction](#introduction)
+  - [Helpful Links before starting](#helpful-links-before-starting)
+  - [Steps to enable Intel® QAT in Kata Containers](#steps-to-enable-intel-qat-in-kata-containers)
+  - [Script variables](#script-variables)
+    - [Set environment variables (Every Reboot)](#set-environment-variables-every-reboot)
+  - [Prepare the Ubuntu Host](#prepare-the-ubuntu-host)
+    - [Identify which PCI Bus the Intel® QAT card is on](#identify-which-pci-bus-the-intel-qat-card-is-on)
+    - [Install necessary packages for Ubuntu](#install-necessary-packages-for-ubuntu)
+    - [Download Intel® QAT drivers](#download-intel-qat-drivers)
+    - [Copy Intel® QAT configuration files and enable virtual functions](#copy-intel-qat-configuration-files-and-enable-virtual-functions)
+    - [Expose and Bind Intel® QAT virtual functions to VFIO-PCI (Every reboot)](#expose-and-bind-intel-qat-virtual-functions-to-vfio-pci-every-reboot)
+    - [Check Intel® QAT virtual functions are enabled](#check-intel-qat-virtual-functions-are-enabled)
+  - [Prepare Kata Containers](#prepare-kata-containers)
+    - [Download Kata kernel Source](#download-kata-kernel-source)
+    - [Build Kata kernel](#build-kata-kernel)
+    - [Copy Kata kernel](#copy-kata-kernel)
+    - [Prepare Kata root filesystem](#prepare-kata-root-filesystem)
+    - [Compile Intel® QAT drivers for Kata Containers kernel and add to Kata Containers rootfs](#compile-intel-qat-drivers-for-kata-containers-kernel-and-add-to-kata-containers-rootfs)
+    - [Copy Kata rootfs](#copy-kata-rootfs)
+  - [Verify Intel® QAT works in a container](#verify-intel-qat-works-in-a-container)
+    - [Build OpenSSL Intel® QAT engine container](#build-openssl-intel-qat-engine-container)
+    - [Test Intel® QAT with the ctr tool](#test-intel-qat-with-the-ctr-tool)
+    - [Test Intel® QAT in Kubernetes](#test-intel-qat-in-kubernetes)
+    - [Troubleshooting](#troubleshooting)
+  - [Optional Scripts](#optional-scripts)
+    - [Verify Intel® QAT card counters are incremented](#verify-intel-qat-card-counters-are-incremented)
+
 # Introduction
 
 Intel® QuickAssist Technology (QAT) provides hardware acceleration 
@@ -46,7 +74,7 @@ Make sure to check [`01.org`](https://01.org/intel-quickassist-technology) for
 the latest driver.
 
 ```bash
-$ export QAT_DRIVER_VER=qat1.7.l.4.14.0-00031.tar.gz
+$ export QAT_DRIVER_VER=qat1.7.l.4.12.0-00011.tar.gz
 $ export QAT_DRIVER_URL=https://downloadmirror.intel.com/30178/eng/${QAT_DRIVER_VER}
 $ export QAT_CONF_LOCATION=~/QAT_conf
 $ export QAT_DOCKERFILE=https://raw.githubusercontent.com/intel/intel-device-plugins-for-kubernetes/master/demo/openssl-qat-engine/Dockerfile
@@ -374,7 +402,7 @@ different hypervisor, different install method for Kata, or a different
 Intel® QAT chipset then the command will need to be modified. 
 
 > **Note: The following was tested with 
-[containerd v1.4.6](https://github.com/containerd/containerd/releases/tag/v1.4.6).**
+[containerd v1.3.9](https://github.com/containerd/containerd/releases/tag/v1.3.9).**
 
 ```bash
 $ config_file="/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
@@ -576,4 +604,4 @@ $ for i in 0434 0435 37c8 1f18 1f19; do lspci -d 8086:$i; done
 $ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b1\:00.0/fw_counters
 $ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b3\:00.0/fw_counters
 $ sudo watch cat /sys/kernel/debug/qat_c6xx_0000\:b5\:00.0/fw_counters
-```
+```

docs/use-cases/using-Intel-SGX-and-kata.md

@@ -1,113 +1,112 @@
 # Kata Containers with SGX
 
-Intel Software Guard Extensions (SGX) is a set of instructions that increases the security
+- [Check if SGX is enabled](#check-if-sgx-is-enabled)
+- [Install Host kernel with SGX support](#install-host-kernel-with-sgx-support)
+- [Install Guest kernel with SGX support](#install-guest-kernel-with-sgx-support)
+- [Run Kata Containers with SGX enabled](#run-kata-containers-with-sgx-enabled)
+
+Intel® Software Guard Extensions (SGX) is a set of instructions that increases the security
 of applications code and data, giving them more protections from disclosure or modification.
 
-This document guides you to run containers with SGX enclaves with Kata Containers in Kubernetes.
+> **Note:** At the time of writing this document, SGX patches have not landed on the Linux kernel
+> project, so specific versions for guest and host kernels must be installed to enable SGX.
 
-## Preconditions
+## Check if SGX is enabled
 
-* Intel SGX capable bare metal nodes
-* Host kernel Linux 5.13 or later with SGX and SGX KVM enabled:
+Run the following command to check if your host supports SGX.
 
 ```sh
-$ grep SGX /boot/config-`uname -r`
-CONFIG_X86_SGX=y
-CONFIG_X86_SGX_KVM=y
+$ grep -o sgx /proc/cpuinfo
 ```
 
-* Kubernetes cluster configured with:
-   * [`kata-deploy`](https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy) based Kata Containers installation
-   * [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images)
+Continue to the following section if the output of the above command is empty,
+otherwise continue to section [Install Guest kernel with SGX support](#install-guest-kernel-with-sgx-support)
 
-> Note: Kata Containers supports creating VM sandboxes with Intel® SGX enabled
-> using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) VMM only. QEMU support is waiting to get the
-> Intel SGX enabled QEMU upstream release.
+## Install Host kernel with SGX support
 
-## Installation
-
-### Kata Containers Guest Kernel
-
-Follow the instructions to [setup](../../tools/packaging/kernel/README.md#setup-kernel-source-code) and [build](../../tools/packaging/kernel/README.md#build-the-kernel) the experimental guest kernel. Then, install as:
+The following commands were tested on Fedora 32, they might work on other distros too.
 
 ```sh
-$ sudo cp kata-linux-experimental-*/vmlinux /opt/kata/share/kata-containers/vmlinux.sgx
-$ sudo sed -i 's|vmlinux.container|vmlinux.sgx|g' \
-  /opt/kata/share/defaults/kata-containers/configuration-clh.toml
+$ git clone --depth=1 https://github.com/intel/kvm-sgx
+$ pushd kvm-sgx
+$ cp /boot/config-$(uname -r) .config
+$ yes "" | make oldconfig
+$ # In the following step, enable: INTEL_SGX and INTEL_SGX_VIRTUALIZATION
+$ make menuconfig
+$ make -j$(($(nproc)-1)) bzImage
+$ make -j$(($(nproc)-1)) modules
+$ sudo make modules_install
+$ sudo make install
+$ popd
+$ sudo reboot
 ```
 
-### Kata Containers Configuration
+> **Notes:**
+> * Run: `mokutil --sb-state` to check whether secure boot is enabled, if so, you will need to sign the kernel.
+> * You'll lose SGX support when a new distro kernel is installed and the system rebooted.
+
+Once you have restarted your system with the new brand Linux Kernel with SGX support, run
+the following command to make sure it's enabled. If the output is empty, go to the BIOS
+setup and enable SGX manually.
+
+```sh
+$ grep -o sgx /proc/cpuinfo
+```
+
+## Install Guest kernel with SGX support
+
+Install the guest kernel in the Kata Containers directory, this way it can be used to run
+Kata Containers.
+
+```sh
+$ curl -LOk https://github.com/devimc/kvm-sgx/releases/download/v0.0.1/kata-virtiofs-sgx.tar.gz
+$ sudo tar -xf kata-virtiofs-sgx.tar.gz -C /usr/share/kata-containers/
+$ sudo sed -i 's|kernel =|kernel = "/usr/share/kata-containers/vmlinux-virtiofs-sgx.container"|g' \
+  /usr/share/defaults/kata-containers/configuration.toml
+```
+
+## Run Kata Containers with SGX enabled
 
 Before running a Kata Container make sure that your version of `crio` or `containerd`
 supports annotations.
-
 For `containerd` check in `/etc/containerd/config.toml` that the list of `pod_annotations` passed
 to the `sandbox` are: `["io.katacontainers.*", "sgx.intel.com/epc"]`.
 
-## Usage
-
-With the following sample job deployed using `kubectl apply -f`:
-
+> `sgx.yaml`
 ```yaml
-apiVersion: batch/v1
-kind: Job
+apiVersion: v1
+kind: Pod
 metadata:
-  name: oesgx-demo-job
-  labels:
-    jobgroup: oesgx-demo
+  name: sgx
+  annotations:
+    sgx.intel.com/epc: "32Mi"
 spec:
-  template:
-    metadata:
-      labels:
-        jobgroup: oesgx-demo
-    spec:
-      runtimeClassName: kata-clh
-      initContainers:
-        - name: init-sgx
-          image: busybox
-          command: ['sh', '-c', 'mkdir /dev/sgx; ln -s /dev/sgx_enclave /dev/sgx/enclave; ln -s /dev/sgx_provision /dev/sgx/provision']
-          volumeMounts:
-          - mountPath: /dev
-            name: dev-mount
-      restartPolicy: Never
-      containers:
-        -
-          name: eosgx-demo-job-1
-          image: oeciteam/oe-helloworld:latest
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            readOnlyRootFilesystem: true
-            capabilities:
-              add: ["IPC_LOCK"]
-          resources:
-            limits:
-              sgx.intel.com/epc: "512Ki"
-      volumes:
-        - name: dev-mount
-          hostPath:
-            path: /dev
+  terminationGracePeriodSeconds: 0
+  runtimeClassName: kata
+  containers:
+  - name: c1
+    image: busybox
+    command:
+        - sh
+    stdin: true
+    tty: true
+    volumeMounts:
+    - mountPath: /dev/sgx/
+      name: test-volume
+  volumes:
+  - name: test-volume
+    hostPath:
+      path: /dev/sgx/
+      type: Directory
 ```
 
-You'll see the enclave output:
-
 ```sh
-$ kubectl logs oesgx-demo-job-wh42g
-Hello world from the enclave
-Enclave called into host to print: Hello World!
+$ kubectl apply -f sgx.yaml
+$ kubectl exec -ti sgx ls /dev/sgx/
+enclave    provision
 ```
 
-### Notes
+The output of the latest command shouldn't be empty, otherwise check
+your system environment to make sure SGX is fully supported.
 
-* The Kata VM's SGX Encrypted Page Cache (EPC) memory size is based on the sum of `sgx.intel.com/epc`
-resource requests within the pod.
-* `init-sgx` can be removed from the YAML configuration file if the Kata rootfs is modified with the
-necessary udev rules.
-   See the [note on SGX backwards compatibility](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#backwards-compatibility-note).
-* Intel SGX DCAP attestation is known to work from Kata sandboxes but it comes with one limitation: If
-the Intel SGX `aesm` daemon runs on the bare metal node and DCAP `out-of-proc` attestation is used,
-containers within the Kata sandbox cannot get the access to the host's `/var/run/aesmd/aesm.sock`
-because socket passthrough is not supported. An alternative is to deploy the `aesm` daemon as a side-car
-container.
-* Projects like [Gramine Shielded Containers (GSC)](https://gramine-gsc.readthedocs.io/en/latest/) are
-also known to work. For GSC specifically, the Kata guest kernel needs to have the `CONFIG_NUMA=y`
-enabled and at least one CPU online when running the GSC container.
+[1]: github.com/cloud-hypervisor/cloud-hypervisor/

docs/use-cases/using-SPDK-vhostuser-and-kata.md

@@ -1,6 +1,13 @@
 # Setup to run SPDK vhost-user devices with Kata Containers and Docker*
 
-> **Note:** This guide only applies to QEMU, since the vhost-user storage
+- [SPDK vhost-user target overview](#spdk-vhost-user-target-overview)
+- [Install and setup SPDK vhost-user target](#install-and-setup-spdk-vhost-user-target)
+  - [Get source code and build SPDK](#get-source-code-and-build-spdk)
+  - [Run SPDK vhost-user target](#run-spdk-vhost-user-target)
+- [Host setup for vhost-user devices](#host-setup-for-vhost-user-devices)
+- [Launch a Kata container with SPDK vhost-user block device](#launch-a-kata-container-with-spdk-vhost-user-block-device)
+
+> **NOTE:** This guide only applies to QEMU, since the vhost-user storage
 > device is only available for QEMU now. The enablement work on other
 > hypervisors is still ongoing.
 

docs/use-cases/using-SRIOV-and-kata.md

@@ -1,5 +1,13 @@
 # Setup to use SR-IOV with Kata Containers and Docker*
 
+- [Install the SR-IOV Docker\* plugin](#install-the-sr-iov-docker-plugin)
+- [Host setup for SR-IOV](#host-setup-for-sr-iov)
+	- [Checking your NIC for SR-IOV](#checking-your-nic-for-sr-iov)
+	- [IOMMU Groups and PCIe Access Control Services](#iommu-groups-and-pcie-access-control-services)
+	- [Update the host kernel](#update-the-host-kernel)
+- [Set up the SR-IOV Device](#set-up-the-sr-iov-device)
+- [Example: Launch a Kata Containers container using SR-IOV](#example-launch-a-kata-containers-container-using-sr-iov)
+
 Single Root I/O Virtualization (SR-IOV) enables splitting a physical device into
 virtual functions (VFs). Virtual functions enable direct passthrough to virtual
 machines or containers. For Kata Containers, we enabled a Container Network

docs/use-cases/using-vpp-and-kata.md

@@ -12,7 +12,7 @@ For more information about VPP visit their [wiki](https://wiki.fd.io/view/VPP).
 
 ## Install and configure Kata Containers
 
-Follow  the [Kata Containers setup instructions](../Developer-Guide.md).
+Follow  the [Kata Containers setup instructions](https://github.com/kata-containers/documentation/wiki/Developer-Guide).
 
 In order to make use of VHOST-USER based interfaces, the container needs to be backed
 by huge pages. `HugePages` support is required for the large memory pool allocation used for

docs/use-cases/zun_kata.md

@@ -1,5 +1,4 @@
 # OpenStack Zun DevStack working with Kata Containers
-
 ## Introduction
 
 This guide describes how to get Kata Containers to work with OpenStack Zun

pkg/logging/Cargo.toml

@@ -7,15 +7,15 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-serde_json = "1.0.73"
+serde_json = "1.0.39"
 # slog:
 # - Dynamic keys required to allow HashMap keys to be slog::Serialized.
 # - The 'max_*' features allow changing the log level at runtime
 #   (by stopping the compiler from removing log calls).
-slog = { version = "2.7.0", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
-slog-json = "2.4.0"
-slog-async = "2.7.0"
-slog-scope = "4.4.0"
+slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_info"] }
+slog-json = "2.3.0"
+slog-async = "2.3.0"
+slog-scope = "4.1.2"
 
 [dev-dependencies]
-tempfile = "3.2.0"
+tempfile = "3.1.0"

snap/README.md

@@ -1,5 +1,13 @@
 # Kata Containers snap image
 
+* [Initial setup](#initial-setup)
+* [Install snap](#install-snap)
+* [Build and install snap image](#build-and-install-snap-image)
+* [Configure Kata Containers](#configure-kata-containers)
+* [Integration with docker and Kubernetes](#integration-with-docker-and-kubernetes)
+* [Remove snap](#remove-snap)
+* [Limitations](#limitations)
+
 This directory contains the resources needed to build the Kata Containers
 [snap][1] image.
 

snap/snapcraft.yaml

@@ -59,7 +59,7 @@ parts:
 
       yq_version=3.4.1
       yq_url="https://${yq_pkg}/releases/download/${yq_version}/yq_${goos}_${goarch}"
-      curl -o "${yq_path}" -L "${yq_url}"
+      curl -o "${yq_path}" -LSsf "${yq_url}"
       chmod +x "${yq_path}"
 
       kata_dir=gopath/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
@@ -80,8 +80,6 @@ parts:
       - uidmap
       - gnupg2
     override-build: |
-      [ "$(uname -m)" = "ppc64le" ] || [ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y protobuf-compiler
-
       yq=${SNAPCRAFT_STAGE}/yq
 
       # set GOPATH
@@ -90,7 +88,6 @@ parts:
 
       export GOROOT=${SNAPCRAFT_STAGE}
       export PATH="${GOROOT}/bin:${PATH}"
-      export GO111MODULE="auto"
 
       http_proxy=${http_proxy:-""}
       https_proxy=${https_proxy:-""}
@@ -115,17 +112,14 @@ parts:
       cd ${kata_dir}/tools/osbuilder
 
       # build image
+      export AGENT_VERSION=$(cat ${kata_dir}/VERSION)
       export AGENT_INIT=yes
       export USE_DOCKER=1
       export DEBUG=1
       case "$(uname -m)" in
-        aarch64)
+        aarch64|ppc64le|s390x)
           sudo -E PATH=$PATH make initrd DISTRO=alpine
         ;;
-        ppc64le|s390x)
-          # Cannot use alpine on ppc64le/s390x because it would require a musl agent
-          sudo -E PATH=$PATH make initrd DISTRO=ubuntu
-        ;;
         x86_64)
           # In some build systems it's impossible to build a rootfs image, try with the initrd image
           sudo -E PATH=$PATH make image DISTRO=clearlinux || sudo -E PATH=$PATH make initrd DISTRO=alpine
@@ -139,7 +133,7 @@ parts:
       cp kata-containers*.img ${kata_image_dir}
 
   runtime:
-    after: [godeps, image, cloud-hypervisor]
+    after: [godeps, image]
     plugin: nil
     build-attributes: [no-patchelf]
     override-build: |
@@ -147,7 +141,6 @@ parts:
       export GOPATH=${SNAPCRAFT_STAGE}/gopath
       export GOROOT=${SNAPCRAFT_STAGE}
       export PATH="${GOROOT}/bin:${PATH}"
-      export GO111MODULE="auto"
       kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
 
       cd ${kata_dir}/src/runtime
@@ -169,9 +162,12 @@ parts:
         SKIP_GO_VERSION_CHECK=1 \
         QEMUCMD=qemu-system-$arch
 
-      if [ ! -f ${SNAPCRAFT_PART_INSTALL}/../../image/install/usr/share/kata-containers/kata-containers.img ]; then
-        sed -i -e "s|^image =.*|initrd = \"/snap/${SNAPCRAFT_PROJECT_NAME}/current/usr/share/kata-containers/kata-containers-initrd.img\"|" \
-          ${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
+      if [ -e ${SNAPCRAFT_PART_INSTALL}/../../image/install/usr/share/kata-containers/kata-containers.img ]; then
+        # Use rootfs image by default
+        sed -i -e '/^initrd =/d' ${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
+      else
+        # Use initrd by default
+        sed -i -e '/^image =/d' ${SNAPCRAFT_PART_INSTALL}/usr/share/defaults/${SNAPCRAFT_PROJECT_NAME}/configuration.toml
       fi
 
   kernel:
@@ -184,37 +180,19 @@ parts:
       - bison
       - flex
     override-build: |
-      yq=${SNAPCRAFT_STAGE}/yq
-      export PATH="${PATH}:${SNAPCRAFT_STAGE}"
       export GOPATH=${SNAPCRAFT_STAGE}/gopath
       kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
-      versions_file="${kata_dir}/versions.yaml"
-      kernel_version="$(${yq} r $versions_file assets.kernel.version)"
-      #Remove extra 'v'
-      kernel_version=${kernel_version#v}
-
-      [ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y libssl-dev
-
-      export GOPATH=${SNAPCRAFT_STAGE}/gopath
-      export GO111MODULE="auto"
-      kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
 
       cd ${kata_dir}/tools/packaging/kernel
-      kernel_dir_prefix="kata-linux-"
 
       # Setup and build kernel
-      if [ "$(uname -m)" = "x86_64" ]; then
-        kernel_version="$(${yq} r $versions_file assets.kernel-experimental.tag)"
-        kernel_version=${kernel_version#v}
-        kernel_dir_prefix="kata-linux-experimental-"
-        ./build-kernel.sh -e -v ${kernel_version} -d setup
-      else
-        ./build-kernel.sh -v ${kernel_version} -d setup
-      fi
+      ./build-kernel.sh -d setup
+      kernel_dir_prefix="kata-linux-"
       cd ${kernel_dir_prefix}*
+      version=$(basename ${PWD} | sed 's|'"${kernel_dir_prefix}"'||' | cut -d- -f1)
       make -j $(($(nproc)-1)) EXTRAVERSION=".container"
 
-      kernel_suffix=${kernel_version}.container
+      kernel_suffix=${version}.container
       kata_kernel_dir=${SNAPCRAFT_PART_INSTALL}/usr/share/kata-containers
       mkdir -p ${kata_kernel_dir}
 
@@ -224,10 +202,8 @@ parts:
       ln -sf ${vmlinuz_name} ${kata_kernel_dir}/vmlinuz.container
 
       # Install raw kernel
-      vmlinux_path=vmlinux
-      [ "$(uname -m)" = "s390x" ] && vmlinux_path=arch/s390/boot/compressed/vmlinux
       vmlinux_name=vmlinux-${kernel_suffix}
-      cp ${vmlinux_path} ${kata_kernel_dir}/${vmlinux_name}
+      cp vmlinux ${kata_kernel_dir}/${vmlinux_name}
       ln -sf ${vmlinux_name} ${kata_kernel_dir}/vmlinux.container
 
   qemu:
@@ -251,24 +227,21 @@ parts:
       - libblkid-dev
       - libffi-dev
       - libmount-dev
-      - libseccomp-dev
       - libselinux1-dev
       - ninja-build
     override-build: |
       yq=${SNAPCRAFT_STAGE}/yq
       export GOPATH=${SNAPCRAFT_STAGE}/gopath
-      export GO111MODULE="auto"
       kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
 
       versions_file="${kata_dir}/versions.yaml"
       # arch-specific definition
       case "$(uname -m)" in
         "aarch64")
-          branch="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.version)"
+          branch="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.branch)"
           url="$(${yq} r ${versions_file} assets.hypervisor.qemu.url)"
           commit="$(${yq} r ${versions_file} assets.hypervisor.qemu.architecture.aarch64.commit)"
-          patches_dir="${kata_dir}/tools/packaging/qemu/patches/$(echo ${branch} | sed -e 's/.[[:digit:]]*$//' -e 's/^v//').x"
-          patches_version_dir="${kata_dir}/tools/packaging/qemu/patches/tag_patches/${branch}"
+          patches_dir="${kata_dir}/tools/packaging/obs-packaging/qemu-aarch64/patches/"
         ;;
 
         *)
@@ -282,7 +255,6 @@ parts:
 
       # download source
       qemu_dir=${SNAPCRAFT_STAGE}/qemu
-      rm -rf "${qemu_dir}"
       git clone --branch ${branch} --single-branch ${url} "${qemu_dir}"
       cd ${qemu_dir}
       [ -z "${commit}" ] || git checkout ${commit}
@@ -291,12 +263,11 @@ parts:
       [ -n "$(ls -A capstone)" ] || git clone https://github.com/qemu/capstone capstone
 
       # Apply branch patches
-      [ -d "${patches_version_dir}" ] || mkdir "${patches_version_dir}"
       ${kata_dir}/tools/packaging/scripts/apply_patches.sh "${patches_dir}"
       ${kata_dir}/tools/packaging/scripts/apply_patches.sh "${patches_version_dir}"
 
       # Only x86_64 supports libpmem
-      [ "$(uname -m)" = "x86_64" ] && sudo apt-get --no-install-recommends install -y apt-utils ca-certificates libpmem-dev
+      [ "$(uname -m)" = "x86_64" ] && sudo apt-get --no-install-recommends install -y apt-utils ca-certificates libpmem-dev libseccomp-dev
 
       configure_hypervisor=${kata_dir}/tools/packaging/scripts/configure-hypervisor.sh
       chmod +x ${configure_hypervisor}
@@ -307,15 +278,7 @@ parts:
         | xargs ./configure
 
       # Copy QEMU configurations (Kconfigs)
-      case "${branch}" in
-      "v5.1.0")
-        cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* default-configs
-        ;;
-
-      *)
-        cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* configs/devices/
-        ;;
-      esac
+      cp -a ${kata_dir}/tools/packaging/qemu/default-configs/* default-configs/devices/
 
       # build and install
       make -j $(($(nproc)-1))
@@ -335,22 +298,6 @@ parts:
       # Hack: move qemu to /
       "snap/kata-containers/current/": "./"
 
-  cloud-hypervisor:
-    plugin: nil
-    after: [godeps]
-    override-build: |
-      export GOPATH=${SNAPCRAFT_STAGE}/gopath
-      yq=${SNAPCRAFT_STAGE}/yq
-      kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
-      versions_file="${kata_dir}/versions.yaml"
-      version="$(${yq} r ${versions_file} assets.hypervisor.cloud_hypervisor.version)"
-      url="https://github.com/cloud-hypervisor/cloud-hypervisor/releases/download/${version}"
-      curl -L ${url}/cloud-hypervisor-static -o cloud-hypervisor
-      curl -LO ${url}/clh-remote
-
-      install -D cloud-hypervisor ${SNAPCRAFT_PART_INSTALL}/usr/bin/cloud-hypervisor
-      install -D clh-remote ${SNAPCRAFT_PART_INSTALL}/usr/bin/clh-remote
-
 apps:
   runtime:
     command: usr/bin/kata-runtime

src/agent/.gitignore

@@ -1,2 +1 @@
 tarpaulin-report.html
-vendor/

src/agent/Cargo.toml

@@ -6,63 +6,49 @@ edition = "2018"
 
 [dependencies]
 oci = { path = "oci" }
+logging = { path = "../../pkg/logging" }
 rustjail = { path = "rustjail" }
 protocols = { path = "protocols" }
 lazy_static = "1.3.0"
 ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-features = false }
 protobuf = "=2.14.0"
 libc = "0.2.58"
-nix = "0.21.0"
-capctl = "0.2.0"
+nix = "0.17.0"
+prctl = "1.0.0"
 serde_json = "1.0.39"
 scan_fmt = "0.2.3"
 scopeguard = "1.0.0"
-thiserror = "1.0.26"
 regex = "1"
-serial_test = "0.5.1"
 
-# Async helpers
 async-trait = "0.1.42"
-async-recursion = "0.3.2"
-futures = "0.3.17"
-
-# Async runtime
-tokio = { version = "1", features = ["full"] }
+tokio = { version = "1.2.0", features = ["rt", "rt-multi-thread", "sync", "macros", "io-util", "time", "signal", "io-std", "process", "fs"] }
+futures = "0.3.12"
+netlink-sys = { version = "0.6.0", features = ["tokio_socket",]}
 tokio-vsock = "0.3.1"
-
-netlink-sys = { version = "0.7.0", features = ["tokio_socket",]}
-rtnetlink = "0.8.0"
-netlink-packet-utils = "0.4.1"
+# Because the author has no time to maintain the crate, we switch the dependency to github,
+# Once the new version released on crates.io, we switch it back.
+# https://github.com/little-dude/netlink/issues/161
+rtnetlink = { git = "https://github.com/little-dude/netlink", rev = "a9367bc4700496ddebc088110c28f40962923326" }
+netlink-packet-utils = "0.4.0"
 ipnetwork = "0.17.0"
 
-# Note: this crate sets the slog 'max_*' features which allows the log level
-# to be modified at runtime.
-logging = { path = "../../pkg/logging" }
-slog = "2.5.2"
+# slog:
+# - Dynamic keys required to allow HashMap keys to be slog::Serialized.
+# - The 'max_*' features allow changing the log level at runtime
+#   (by stopping the compiler from removing log calls).
+slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_info"] }
 slog-scope = "4.1.2"
 
 # Redirect ttrpc log calls
 slog-stdlog = "4.0.0"
 log = "0.4.11"
 
-prometheus = { version = "0.13.0", features = ["process"] }
-procfs = "0.12.0"
-anyhow = "1.0.32"
-cgroups = { package = "cgroups-rs", version = "0.2.8" }
-
-# Tracing
-tracing = "0.1.26"
-tracing-subscriber = "0.2.18"
-tracing-opentelemetry = "0.13.0"
-opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"]}
-vsock-exporter = { path = "vsock-exporter" }
-
-# Configuration
-serde = { version = "1.0.129", features = ["derive"] }
-toml = "0.5.8"
-
-[dev-dependencies]
+# for testing
 tempfile = "3.1.0"
+prometheus = { version = "0.9.0", features = ["process"] }
+procfs = "0.7.9"
+anyhow = "1.0.32"
+cgroups = { package = "cgroups-rs", version = "0.2.5" }
 
 [workspace]
 members = [
@@ -73,6 +59,3 @@ members = [
 
 [profile.release]
 lto = true
-
-[features]
-seccomp = ["rustjail/seccomp"]

src/agent/LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -200,3 +199,4 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+

src/agent/Makefile

@@ -27,21 +27,40 @@ COMMIT_MSG = $(if $(COMMIT),$(COMMIT),unknown)
 # Exported to allow cargo to see it
 export VERSION_COMMIT := $(if $(COMMIT),$(VERSION)-$(COMMIT),$(VERSION))
 
-EXTRA_RUSTFEATURES :=
+##VAR BUILD_TYPE=release|debug type of rust build
+BUILD_TYPE = release
 
-##VAR SECCOMP=yes|no define if agent enables seccomp feature
-SECCOMP := yes
-
-# Enable seccomp feature of rust build
-ifeq ($(SECCOMP),yes)
-    override EXTRA_RUSTFEATURES += seccomp
+##VAR ARCH=arch target to build (format: uname -m)
+ARCH = $(shell uname -m)
+##VAR LIBC=musl|gnu
+LIBC ?= musl
+ifneq ($(LIBC),musl)
+    ifeq ($(LIBC),gnu)
+        override LIBC = gnu
+    else
+        $(error "ERROR: A non supported LIBC value was passed. Supported values are musl and gnu")
+    endif
 endif
 
-ifneq ($(EXTRA_RUSTFEATURES),)
-    override EXTRA_RUSTFEATURES := --features $(EXTRA_RUSTFEATURES)
+ifeq ($(ARCH), ppc64le)
+    override ARCH = powerpc64le
+    override LIBC = gnu
+    $(warning "WARNING: powerpc64le-unknown-linux-musl target is unavailable")
 endif
 
-include ../../utils.mk
+ifeq ($(ARCH), s390x)
+    override LIBC = gnu
+    $(warning "WARNING: s390x-unknown-linux-musl target is unavailable")
+endif
+
+
+EXTRA_RUSTFLAGS :=
+ifeq ($(ARCH), aarch64)
+    override EXTRA_RUSTFLAGS = -C link-arg=-lgcc
+    $(warning "WARNING: aarch64-musl needs extra symbols from libgcc")
+endif
+
+TRIPLE = $(ARCH)-unknown-linux-$(LIBC)
 
 TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
 
@@ -104,14 +123,15 @@ default: $(TARGET) show-header
 $(TARGET): $(GENERATED_CODE) $(TARGET_PATH)
 
 $(TARGET_PATH): $(SOURCES) | show-summary
-	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
+	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE)
 
 $(GENERATED_FILES): %: %.in
 	@sed $(foreach r,$(GENERATED_REPLACEMENTS),-e 's|@$r@|$($r)|g') "$<" > "$@"
 
 ##TARGET optimize: optimized  build
 optimize: $(SOURCES) | show-summary show-header
-	@RUSTFLAGS="-C link-arg=-s $(EXTRA_RUSTFLAGS) --deny-warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
+	@RUSTFLAGS="-C link-arg=-s $(EXTRA_RUSTFLAGS) --deny-warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE)
+
 
 ##TARGET clippy: run clippy linter
 clippy: $(GENERATED_CODE)
@@ -134,13 +154,9 @@ clean:
 	@rm -f $(GENERATED_FILES)
 	@rm -f tarpaulin-report.html
 
-vendor:
-	@cargo vendor
-
-
 #TARGET test: run cargo tests
 test:
-	@cargo test --all --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture
+	@cargo test --all --target $(TRIPLE)
 
 ##TARGET check: run test
 check: clippy format
@@ -207,8 +223,7 @@ codecov-html: check_tarpaulin
 	help \
 	show-header \
 	show-summary \
-	optimize \
-	vendor
+	optimize
 
 ##TARGET generate-protocols: generate/update grpc agent protocols
 generate-protocols:

src/agent/README.md

@@ -19,7 +19,6 @@ After that, we drafted the initial code here, and any contributions are welcome.
 | I/O stream              | :white_check_mark: |
 | Cgroups                 | :white_check_mark: |
 | Capabilities, `rlimit`, readonly path, masked path, users | :white_check_mark: |
-| Seccomp                 | :white_check_mark: |
 | container stats (`stats_container`)                     | :white_check_mark: |
 | Hooks                   | :white_check_mark: |
 | **Agent Features & APIs** |

src/agent/oci/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
 edition = "2018"
 
 [dependencies]
-serde = "1.0.131"
-serde_derive = "1.0.131"
-serde_json = "1.0.73"
-libc = "0.2.112"
+serde = "1.0.91"
+serde_derive = "1.0.91"
+serde_json = "1.0.39"
+libc = "0.2.58"

src/agent/protocols/protos/agent.proto

@@ -66,7 +66,6 @@ service AgentService {
 	rpc SetGuestDateTime(SetGuestDateTimeRequest) returns (google.protobuf.Empty);
 	rpc CopyFile(CopyFileRequest) returns (google.protobuf.Empty);
 	rpc GetOOMEvent(GetOOMEventRequest) returns (OOMEvent);
-	rpc AddSwap(AddSwapRequest) returns (google.protobuf.Empty);
 }
 
 message CreateContainerRequest {
@@ -504,10 +503,6 @@ message OOMEvent {
 	string container_id = 1;
 }
 
-message AddSwapRequest {
-	repeated uint32 PCIPath = 1;
-}
-
 message GetMetricsRequest {}
 
 message Metrics {

src/agent/protocols/protos/types.proto

@@ -46,7 +46,6 @@ message Route {
 	string device = 3;
 	string source = 4;
 	uint32 scope = 5;
-	IPFamily family = 6;
 }
 
 message ARPNeighbor {

src/agent/rustjail/Cargo.toml

@@ -11,9 +11,9 @@ serde_derive = "1.0.91"
 oci = { path = "../oci" }
 protocols = { path ="../protocols" }
 caps = "0.5.0"
-nix = "0.21.0"
+nix = "0.17.0"
 scopeguard = "1.0.0"
-capctl = "0.2.0"
+prctl = "1.0.0"
 lazy_static = "1.3.0"
 libc = "0.2.58"
 protobuf = "=2.14.0"
@@ -23,18 +23,14 @@ scan_fmt = "0.2"
 regex = "1.1"
 path-absolutize = "1.2.0"
 anyhow = "1.0.32"
-cgroups = { package = "cgroups-rs", version = "0.2.8" }
+cgroups = { package = "cgroups-rs", version = "0.2.5" }
+tempfile = "3.1.0"
 rlimit = "0.5.3"
 
 tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "macros"] }
 futures = "0.3"
 async-trait = "0.1.31"
 inotify = "0.9.2"
-libseccomp = { version = "0.1.3", optional = true }
 
 [dev-dependencies]
 serial_test = "0.5.0"
-tempfile = "3.1.0"
-
-[features]
-seccomp = ["libseccomp"]

src/agent/rustjail/src/cgroups/fs/mod.rs

@@ -232,19 +232,19 @@ fn set_devices_resources(
     let mut devices = vec![];
 
     for d in device_resources.iter() {
-        if let Some(dev) = linux_device_group_to_cgroup_device(d) {
+        if let Some(dev) = linux_device_group_to_cgroup_device(&d) {
             devices.push(dev);
         }
     }
 
     for d in DEFAULT_DEVICES.iter() {
-        if let Some(dev) = linux_device_to_cgroup_device(d) {
+        if let Some(dev) = linux_device_to_cgroup_device(&d) {
             devices.push(dev);
         }
     }
 
     for d in DEFAULT_ALLOWED_DEVICES.iter() {
-        if let Some(dev) = linux_device_group_to_cgroup_device(d) {
+        if let Some(dev) = linux_device_group_to_cgroup_device(&d) {
             devices.push(dev);
         }
     }
@@ -828,7 +828,7 @@ fn get_blkio_stats_v2(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {
 
 fn get_blkio_stats(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {
     if cg.v2() {
-        return get_blkio_stats_v2(cg);
+        return get_blkio_stats_v2(&cg);
     }
 
     let blkio_controller: &BlkIoController = get_controller_or_return_singular_none!(cg);
@@ -923,12 +923,12 @@ pub fn get_mounts() -> Result<HashMap<String, String>> {
     let paths = get_paths()?;
 
     for l in fs::read_to_string(MOUNTS)?.lines() {
-        let p: Vec<&str> = l.splitn(2, " - ").collect();
+        let p: Vec<&str> = l.split(" - ").collect();
         let pre: Vec<&str> = p[0].split(' ').collect();
         let post: Vec<&str> = p[1].split(' ').collect();
 
         if post.len() != 3 {
-            warn!(sl!(), "can't parse {} line {:?}", MOUNTS, l);
+            warn!(sl!(), "mountinfo corrupted!");
             continue;
         }
 
@@ -1022,7 +1022,7 @@ impl Manager {
                 .unwrap()
                 .trim_start_matches(root_path.to_str().unwrap());
             info!(sl!(), "updating cpuset for parent path {:?}", &r_path);
-            let cg = new_cgroup(cgroups::hierarchies::auto(), r_path);
+            let cg = new_cgroup(cgroups::hierarchies::auto(), &r_path);
             let cpuset_controller: &CpuSetController = cg.controller_of().unwrap();
             cpuset_controller.set_cpus(guest_cpuset)?;
         }

src/agent/rustjail/src/cgroups/notifier.rs

@@ -139,6 +139,19 @@ async fn notify_on_oom(cid: &str, dir: String) -> Result<Receiver<String>> {
     register_memory_event(cid, dir, "memory.oom_control", "").await
 }
 
+// level is one of "low", "medium", or "critical"
+async fn notify_memory_pressure(cid: &str, dir: String, level: &str) -> Result<Receiver<String>> {
+    if dir.is_empty() {
+        return Err(anyhow!("memory controller missing"));
+    }
+
+    if level != "low" && level != "medium" && level != "critical" {
+        return Err(anyhow!("invalid pressure level {}", level));
+    }
+
+    register_memory_event(cid, dir, "memory.pressure_level", level).await
+}
+
 async fn register_memory_event(
     cid: &str,
     cg_dir: String,

src/agent/rustjail/src/configs/device.rs

@@ -0,0 +1,56 @@
+// Copyright (c) 2019 Ant Financial
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use libc::*;
+use serde;
+#[macro_use]
+use serde_derive;
+use serde_json;
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Device {
+    #[serde(default)]
+    r#type: char,
+    #[serde(default)]
+    path: String,
+    #[serde(default)]
+    major: i64,
+    #[serde(default)]
+    minor: i64,
+    #[serde(default)]
+    permissions: String,
+    #[serde(default)]
+    file_mode: mode_t,
+    #[serde(default)]
+    uid: i32,
+    #[serde(default)]
+    gid: i32,
+    #[serde(default)]
+    allow: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct BlockIODevice {
+    #[serde(default)]
+    major: i64,
+    #[serde(default)]
+    minor: i64,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct WeightDevice {
+    block: BlockIODevice,
+    #[serde(default)]
+    weight: u16,
+    #[serde(default, rename = "leafWeight")]
+    leaf_weight: u16,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct ThrottleDevice {
+    block: BlockIODevice,
+    #[serde(default)]
+    rate: u64,
+}

src/agent/rustjail/src/configs/mod.rs

@@ -0,0 +1,372 @@
+// Copyright (c) 2019 Ant Financial
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use serde;
+#[macro_use]
+use serde_derive;
+use serde_json;
+
+use protocols::oci::State as OCIState;
+
+use std::collections::HashMap;
+use std::fmt;
+use std::path::PathBuf;
+use std::time::Duration;
+
+use nix::unistd;
+
+use self::device::{Device, ThrottleDevice, WeightDevice};
+use self::namespaces::Namespaces;
+use crate::specconv::CreateOpts;
+
+pub mod device;
+pub mod namespaces;
+pub mod validator;
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Rlimit {
+    #[serde(default)]
+    r#type: i32,
+    #[serde(default)]
+    hard: i32,
+    #[serde(default)]
+    soft: i32,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct IDMap {
+    #[serde(default)]
+    container_id: i32,
+    #[serde(default)]
+    host_id: i32,
+    #[serde(default)]
+    size: i32,
+}
+
+type Action = i32;
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Seccomp {
+    #[serde(default)]
+    default_action: Action,
+    #[serde(default)]
+    architectures: Vec<String>,
+    #[serde(default)]
+    flags: Vec<String>,
+    #[serde(default)]
+    syscalls: Vec<Syscall>,
+}
+
+type Operator = i32;
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Arg {
+    #[serde(default)]
+    index: u32,
+    #[serde(default)]
+    value: u64,
+    #[serde(default)]
+    value_two: u64,
+    #[serde(default)]
+    op: Operator,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Syscall {
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    names: String,
+    #[serde(default)]
+    action: Action,
+    #[serde(default, rename = "errnoRet")]
+    errno_ret: u32,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    args: Vec<Arg>,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Config<'a> {
+    #[serde(default)]
+    no_pivot_root: bool,
+    #[serde(default)]
+    parent_death_signal: i32,
+    #[serde(default)]
+    rootfs: String,
+    #[serde(default)]
+    readonlyfs: bool,
+    #[serde(default, rename = "rootPropagation")]
+    root_propagation: i32,
+    #[serde(default)]
+    mounts: Vec<Mount>,
+    #[serde(default)]
+    devices: Vec<Device>,
+    #[serde(default)]
+    mount_label: String,
+    #[serde(default)]
+    hostname: String,
+    #[serde(default)]
+    namespaces: Namespaces,
+    #[serde(default)]
+    capabilities: Option<Capabilities>,
+    #[serde(default)]
+    networks: Vec<Network>,
+    #[serde(default)]
+    routes: Vec<Route>,
+    #[serde(default)]
+    cgroups: Option<Cgroup<'a>>,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    apparmor_profile: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    process_label: String,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    rlimits: Vec<Rlimit>,
+    #[serde(default)]
+    oom_score_adj: Option<i32>,
+    #[serde(default)]
+    uid_mappings: Vec<IDMap>,
+    #[serde(default)]
+    gid_mappings: Vec<IDMap>,
+    #[serde(default)]
+    mask_paths: Vec<String>,
+    #[serde(default)]
+    readonly_paths: Vec<String>,
+    #[serde(default)]
+    sysctl: HashMap<String, String>,
+    #[serde(default)]
+    seccomp: Option<Seccomp>,
+    #[serde(default)]
+    no_new_privileges: bool,
+    hooks: Option<Hooks>,
+    #[serde(default)]
+    version: String,
+    #[serde(default)]
+    labels: Vec<String>,
+    #[serde(default)]
+    no_new_keyring: bool,
+    #[serde(default)]
+    intel_rdt: Option<IntelRdt>,
+    #[serde(default)]
+    rootless_euid: bool,
+    #[serde(default)]
+    rootless_cgroups: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Hooks {
+    prestart: Vec<Box<Hook>>,
+    poststart: Vec<Box<Hook>>,
+    poststop: Vec<Box<Hook>>,
+}
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Capabilities {
+    bounding: Vec<String>,
+    effective: Vec<String>,
+    inheritable: Vec<String>,
+    permitted: Vec<String>,
+    ambient: Vec<String>,
+}
+
+pub trait Hook {
+    fn run(&self, state: &OCIState) -> Result<()>;
+}
+
+pub struct FuncHook {
+    // run: fn(&OCIState) -> Result<()>,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Command {
+    #[serde(default)]
+    path: String,
+    #[serde(default)]
+    args: Vec<String>,
+    #[serde(default)]
+    env: Vec<String>,
+    #[serde(default)]
+    dir: String,
+    #[serde(default)]
+    timeout: Duration,
+}
+
+pub struct CommandHook {
+    command: Command,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Mount {
+    #[serde(default)]
+    source: String,
+    #[serde(default)]
+    destination: String,
+    #[serde(default)]
+    device: String,
+    #[serde(default)]
+    flags: i32,
+    #[serde(default)]
+    propagation_flags: Vec<i32>,
+    #[serde(default)]
+    data: String,
+    #[serde(default)]
+    relabel: String,
+    #[serde(default)]
+    extensions: i32,
+    #[serde(default)]
+    premount_cmds: Vec<Command>,
+    #[serde(default)]
+    postmount_cmds: Vec<Command>,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct HugepageLimit {
+    #[serde(default)]
+    page_size: String,
+    #[serde(default)]
+    limit: u64,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct IntelRdt {
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    l3_cache_schema: String,
+    #[serde(
+        default,
+        rename = "memBwSchema",
+        skip_serializing_if = "String::is_empty"
+    )]
+    mem_bw_schema: String,
+}
+
+pub type FreezerState = String;
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Cgroup<'a> {
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    name: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    parent: String,
+    #[serde(default)]
+    path: String,
+    #[serde(default)]
+    scope_prefix: String,
+    paths: HashMap<String, String>,
+    resource: &'a Resources<'a>,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Resources<'a> {
+    #[serde(default)]
+    allow_all_devices: bool,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    allowed_devices: Vec<&'a Device>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    denied_devices: Vec<&'a Device>,
+    #[serde(default)]
+    devices: Vec<&'a Device>,
+    #[serde(default)]
+    memory: i64,
+    #[serde(default)]
+    memory_reservation: i64,
+    #[serde(default)]
+    memory_swap: i64,
+    #[serde(default)]
+    kernel_memory: i64,
+    #[serde(default)]
+    kernel_memory_tcp: i64,
+    #[serde(default)]
+    cpu_shares: u64,
+    #[serde(default)]
+    cpu_quota: i64,
+    #[serde(default)]
+    cpu_period: u64,
+    #[serde(default)]
+    cpu_rt_quota: i64,
+    #[serde(default)]
+    cpu_rt_period: u64,
+    #[serde(default)]
+    cpuset_cpus: String,
+    #[serde(default)]
+    cpuset_mems: String,
+    #[serde(default)]
+    pids_limit: i64,
+    #[serde(default)]
+    blkio_weight: u64,
+    #[serde(default)]
+    blkio_leaf_weight: u64,
+    #[serde(default)]
+    blkio_weight_device: Vec<&'a WeightDevice>,
+    #[serde(default)]
+    blkio_throttle_read_bps_device: Vec<&'a ThrottleDevice>,
+    #[serde(default)]
+    blkio_throttle_write_bps_device: Vec<&'a ThrottleDevice>,
+    #[serde(default)]
+    blkio_throttle_read_iops_device: Vec<&'a ThrottleDevice>,
+    #[serde(default)]
+    blkio_throttle_write_iops_device: Vec<&'a ThrottleDevice>,
+    #[serde(default)]
+    freezer: FreezerState,
+    #[serde(default)]
+    hugetlb_limit: Vec<&'a HugepageLimit>,
+    #[serde(default)]
+    oom_kill_disable: bool,
+    #[serde(default)]
+    memory_swapiness: u64,
+    #[serde(default)]
+    net_prio_ifpriomap: Vec<&'a IfPrioMap>,
+    #[serde(default)]
+    net_cls_classid_u: u32,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Network {
+    #[serde(default)]
+    r#type: String,
+    #[serde(default)]
+    name: String,
+    #[serde(default)]
+    bridge: String,
+    #[serde(default)]
+    mac_address: String,
+    #[serde(default)]
+    address: String,
+    #[serde(default)]
+    gateway: String,
+    #[serde(default)]
+    ipv6_address: String,
+    #[serde(default)]
+    ipv6_gateway: String,
+    #[serde(default)]
+    mtu: i32,
+    #[serde(default)]
+    txqueuelen: i32,
+    #[serde(default)]
+    host_interface_name: String,
+    #[serde(default)]
+    hairpin_mode: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct Route {
+    #[serde(default)]
+    destination: String,
+    #[serde(default)]
+    source: String,
+    #[serde(default)]
+    gateway: String,
+    #[serde(default)]
+    interface_name: String,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct IfPrioMap {
+    #[serde(default)]
+    interface: String,
+    #[serde(default)]
+    priority: i32,
+}
+
+impl IfPrioMap {
+    fn cgroup_string(&self) -> String {
+        format!("{} {}", self.interface, self.priority)
+    }
+}