Compare commits

...

230 Commits

Author SHA1 Message Date
Anastassios Nanos
1e6cea24c8 Merge pull request #10890 from zvonkok/arm64-fix-release
release: Remove artifacts for release
2025-02-17 22:29:23 +02:00
Zvonko Kaiser
1d9915147d release: Remove artifacts for release
We need to make sure the release does not have any residual binaries
left for the release payload

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-17 20:16:48 +00:00
Anastassios Nanos
ae1be28ddd Merge pull request #10880 from nubificus/3.14.0-release
release: Bump version to 3.14.0
2025-02-17 20:25:30 +02:00
Zvonko Kaiser
72833cb00b Merge pull request #10878 from zvonkok/agent_cdi_timeout
gpu: agent cdi timeout
2025-02-17 12:49:51 -05:00
Zvonko Kaiser
fda095a4c9 Merge pull request #10786 from zvonkok/gpu-config-update
gpu: Update config files
2025-02-17 12:45:54 -05:00
Anastassios Nanos
c7347cb76d release: Bump version to 3.14.0
Bump VERSION and helm-chart versions

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
2025-02-17 16:47:24 +00:00
Fabiano Fidêncio
639bc84329 Merge pull request #10787 from fidencio/topic/bump-kernel-to-6.12.11
version: Bump kernel to 6.12.13
2025-02-17 17:39:14 +01:00
Fabiano Fidêncio
7ae5fa463e versions: Bump coco-guest-components
So attestation-agent and others have a version including the ttrpc bump
to v0.8.4, allowing us to use the latest LTS kernel.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-17 15:16:54 +01:00
Fabiano Fidêncio
1381cab6f0 build: Fix rootfs cache logic
We've been appending to the wrong variable for quite some time, it
seems, leading to not actually regenerating the rootfs when needed.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-17 13:55:36 +01:00
Fabiano Fidêncio
7fc7328bbc versions: Bump kernel to 6.12.13
Let's try to keep up with the LTS patch releases.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-17 13:47:35 +01:00
Simon Kaegi
f5edbfd696 kernel: support loop device in v6.8+ kernels
Set CONFIG_BLK_DEV_WRITE_MOUNTED=y to restore previous kernel behaviour.

Kernel v6.8+ will by default block buffer writes to block devices mounted by filesystems.
This unfortunately is what we need to use mounted loop devices needed by some teams
to build OSIs and as an overlay backing store.

More info on this config item [here](https://cateee.net/lkddb/web-lkddb/BLK_DEV_WRITE_MOUNTED.html)

Fixes: #10808

Signed-off-by: Simon Kaegi <simon.kaegi@gmail.com>
2025-02-17 13:47:35 +01:00
Fabiano Fidêncio
d96e8375c4 Merge pull request #10885 from stevenhorsman/bump-agent-crates-to-resolve-CVEs
agent: Bump agent crates to resolve CVEs
2025-02-17 12:11:43 +01:00
stevenhorsman
e5a284474d deps: Update cookie-store & publicsuffix
Run:
```
cargo update -p cookie-store
cargo update -p publicsuffix
```
to update the version of idna and resolve CVE-2024-12224

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-14 17:30:03 +00:00
stevenhorsman
5656fc6139 deps: Bump reqwest
Bump reqwest to 0.12.12 to pick up fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-14 17:30:03 +00:00
stevenhorsman
3a3849efff deps: Update quinn-proto
Update quin-proto to fix CVE-2024-45311

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-14 17:30:03 +00:00
Fabiano Fidêncio
64ceb0832a Merge pull request #10851 from fidencio/topic/bump-image-rs-to-bring-in-ttrpc-0.8.4
agent: Bump image-rs to 514c561d93
2025-02-14 18:21:56 +01:00
Fabiano Fidêncio
d5878437a4 Merge pull request #10845 from DataDog/dind-subcgroup-fix
Add process to init subcgroup when we're using dind with cgroups v2
2025-02-14 18:12:24 +01:00
Steve Horsman
469c651fc0 Merge pull request #10879 from nubificus/fix_version
packaging(release): Properly handle version tag for the release bundle
2025-02-14 14:40:37 +00:00
Zvonko Kaiser
908aacfa78 gpu: Update the logging around CDI
Removed a rogue printf and updated the logging to say
that we're waiting for CDI spec(s) to be generated rather
than saying there is an error, it's not we have a timeout
after that it is an error.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-14 14:32:00 +00:00
Zvonko Kaiser
4bda16565b gpu: Update timeouts
With the create_container_timeout the dial_timeout is lest important.
Add the custom timeout for GPUs in create_container_timeout

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-14 14:29:18 +00:00
Zvonko Kaiser
66ccc25724 tdx: Update GPU config for the latest TDX stack
We need extra kernel_params for TDX

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-14 14:29:18 +00:00
Zvonko Kaiser
d4dd87a974 gpu: Update config files
With the recent changed to cgroupsv1 and AGENT_INIT=no we
need update to the config files.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-14 14:29:18 +00:00
Anastassios Nanos
b13db29aaa packaging(release): Properly handle version tag for the release bundle
The tags created automatically for published Github releases
are probably not annotated, so by simply running `git describe` we are
not getting the correct tag. Use a `git describe --tags` to allow git
to look at all tags, not just annotated ones.

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
2025-02-14 12:41:08 +00:00
Zvonko Kaiser
2499d013bd gpu: Update handle_cdi_devices
AgentConfig now has the cdi_timeout from the kernel
cmdline, update the proper function signature and use
it in the for loop.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-13 20:11:48 +00:00
Zvonko Kaiser
d28410ed75 Merge pull request #10877 from AdithyaKrishnan/main
CI: Deprecate SEV
2025-02-13 14:55:11 -05:00
Zvonko Kaiser
95aa21f018 gpu: Add CDI timeout via kernel config
Some systems like a DGX where we have 8 H100 or 8 H800 GPUs
need some extended time to be initialized. We need to make
sure we can configure CDI timeout, to enable even systems with 16 GPUs.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-13 19:23:19 +00:00
Adithya Krishnan Kannan
6cc5b79507 CI: Deprecate SEV
Phase 1 of Issue #10840
AMD has deprecated SEV support on
Kata Containers, and going forward,
SNP will be the only AMD feature
supported. As a first step in this
deprecation process, we are removing
the SEV CI workflow from the test suite
to unblock the CI.

Will be adding future commits to
remove redundant SEV code paths.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2025-02-13 12:20:21 -06:00
Steve Horsman
0a39f59a9b Merge pull request #10874 from stevenhorsman/skip-consistently-failing-block-volume-test
tests: Skip block volume test on fc, stratovirt
2025-02-13 15:39:45 +00:00
Zvonko Kaiser
a0766986e7 Merge pull request #10832 from RuoqingHe/update-yq
ci: Update yq to v4.44.5 to support riscv64
2025-02-13 08:33:02 -05:00
stevenhorsman
56fb2a9482 tests: Skip block volume test on fc, stratovirt
The block volume test has failed on 10/10 nightlies
and all the PRs I've seen, so skip it until it can be assessed.

See #10873

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:50:35 +00:00
stevenhorsman
2d266df846 test: Update expected error in signed image tests
We are seeing a different error in the new version of image-rs,
so update our tests to match.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:44:51 +00:00
stevenhorsman
d28a512d29 agent: Wait for network before init_image_service
Based on the guidance from @Xynnn007 in #10851
> The new version of image-rs will do attestation once
ClientBuilder.build().await() is called, while the old version
will do so lazily the first image pull request comes.
Looks like it's called in  rpc::start() in kata-agent, when
I'm afraid the network hasn't been initialized yet.

> I am not sure if the guest network is prepared after
the DNS is configured (in create_sandbox),
if so we can move (the init_image_service) right after that.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:44:51 +00:00
Tobin Feldman-Fitzthum
a13d5a3f04 agent: Bump image-rs to 514c561d93
As this brings in the commit bumping ttrpc to 0.8.4, which fixes
connection issues with kernel 6.12.9+.

As image-rs has a new builder pattern and several of the values in the
image client config have been renamed, let's change the agent to account
for this.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-13 11:44:51 +00:00
Steve Horsman
8614e5efc4 Merge pull request #10869 from stevenhorsman/bump-kcli-ubuntu-version
ci: k8s: Bump kcli image version
2025-02-13 09:59:20 +00:00
Antoine Gaillard
4b5b788918 agent: Use init subcgroup for process attachment in DinD
cgroups v2 enforces stricter delegation rules, preventing operations on
cgroups outside our ownership boundary. When running Docker-in-Docker (DinD),
processes must be attached to an "init" subcgroup within the systemd unit.
This fix detects and uses the init subcgroup when proxying process attachment.

Fixes #10733

Signed-off-by: Antoine Gaillard <antoine.gaillard@datadoghq.com>
2025-02-13 10:44:51 +01:00
Dan Mihai
958cd8dd9f Merge pull request #10613 from 3u13r/feat/policy/refactor-out-policy-crate-and-network-namespace
policy: add policy crate and add network namespace check to policy
2025-02-12 18:28:09 -08:00
Alex Lyn
e1b780492f Merge pull request #10839 from RuoqingHe/appease-clippy
dragonball: Appease clippy
2025-02-13 09:12:15 +08:00
Zvonko Kaiser
acd2a933da Merge pull request #10864 from fidencio/topic/packaging-move-to-ubuntu-22-04
packaging: Move builds to Ubuntu 22.04
2025-02-12 14:29:41 -05:00
Wainer Moschetta
62e239ceaa Merge pull request #10810 from arvindskumar99/nydus_perm_install
Skipping SNP and SEV from deploying and deleting Snapshotter
2025-02-12 14:38:56 -03:00
stevenhorsman
fd7bcd88d0 ci: k8s: Bump kcli image version
When trying to deploy nydus on kcli locally we get the
following failure:
```
root@sh-kata-ci1:~# kubectl get pods -n nydus-system
NAMESPACE                   NAME                                          READY   STATUS              RESTARTS      AGE
nydus-system                nydus-snapshotter-5kdqs                       0/1     CrashLoopBackOff    4 (84s ago)   7m29s
```
Digging into this I found that the nydus-snapshotter service
is failing with:
```
ubuntu@kata-k8s-worker-0:~$ journalctl -u nydus-snapshotter.service
-- Logs begin at Wed 2025-02-12 15:06:08 UTC, end at Wed 2025-02-12 15:20:27 UTC. --
Feb 12 15:10:39 kata-k8s-worker-0 systemd[1]: Started nydus snapshotter.
Feb 12 15:10:39 kata-k8s-worker-0 containerd-nydus-grpc[6349]: /usr/local/bin/containerd-nydus-grpc:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required b>
Feb 12 15:10:39 kata-k8s-worker-0 containerd-nydus-grpc[6349]: /usr/local/bin/containerd-nydus-grpc:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required b>
Feb 12 15:10:39 kata-k8s-worker-0 systemd[1]: nydus-snapshotter.service: Main process exited, code=exited, status=1/FAILURE
```
I think this is because 20.04 has version:
```
ubuntu@kata-k8s-worker-0:~$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.16) 2.31
```
so it's too old for the nydus snapshotter.
Also 20.04 is EoL soon, so bumping is better.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-12 15:38:18 +00:00
Zvonko Kaiser
fbc8454d3d Merge pull request #10866 from zvonkok/enable-cc-gpu-build
gpu: enable confidential initrd build
2025-02-12 09:26:08 -05:00
Ruoqing He
897e2e2b6e dragonball: Appease clippy
Some problem hidden in `dbs` crates are revealed after making these
crates workspace components, fix according to `cargo clippy` suggests.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-12 19:44:34 +08:00
Leonard Cohnen
ec0af6fbda policy: check the linux network namespace
Peer pods have a linux namespace of type network. We want to make sure that all
container in the same pod use the same namespace. Therefore, we add the first
namespace path to the state and check all other requests against that.

This commit also adds the corresponding integration test in the policy crate
showcasing the benefit of having rust integration tests for the policy.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Leonard Cohnen
7aca7a6671 policy: use agent policy crate in genpolicy test
The generated rego policies for `CreateContainerRequest` are stateful and that
state is handled in the policy crate. We use this policy crate in the
genpolicy integration test to be able to test if those state changes are
handled correctly without spinning up an agent or even a cluster.

This also allows to easily test on a e.g., CreateContainerRequest level
instead of relying on changing the yaml that is applied to a cluster.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Leonard Cohnen
d03738a757 genpolicy: expose create as library
This commit allows to programmatically invoke genpolicy. This allows for other
rust tools that don't want to consume genpolicy as binary to generate policies.
One such use-case is the policy integration test implemented in the following
commits.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Leonard Cohnen
cf54a1b0e1 agent: move policy module into separate crate
The policy module augments the policy generated with genpolicy by keeping and
providing state to each invocation.
Therefore, it is not sufficient anymore to test the passing of requests in
the genpolicy crate.

Since in Rust, integration tests cannot call functions that are not exposed
publicly, this commit factors out the policy module of the agent into its
own crate and exposes the necessary functions to be consumed by the agent
and an integration tests. The integration test itself is implemented in the
following commits.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Fupan Li
ec7b2aa441 Merge pull request #10850 from teawater/direct
Clean the config block_device_cache_direct of runtime-rs
2025-02-12 09:45:37 +08:00
Zvonko Kaiser
5431841a80 Merge pull request #10814 from kata-containers/shellcheck-gha
gha: Add shellcheck
2025-02-11 18:30:41 -05:00
Zvonko Kaiser
b231a795d7 gha: Add shellcheck
We need to start to fix our scripts. Lets run shellcheck
and see what needs to be reworked.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-11 16:00:34 +00:00
Zvonko Kaiser
befb2a7c33 gpu: Confidential Initrd
Start building the confidential initrd

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-11 15:41:36 +00:00
Fupan Li
5b809ca440 CI: a workaround for containerd v2.x e2e test
the latest containerd had an issue for its e2e test, thus we should do
the following fix to workaround this issue. For much info about this issue,
please see:

https://github.com/containerd/containerd/pull/11240

Once this pr was merged and release new version, we can remove
this workaround.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
a3fd3d90bc ci: Add the sandbox api testcases
A test case is added based on the intergrated cri-containerd case.
The difference between cri containerd integrated testcase and sandbox
api testcase is the "sandboxer" setting in the sandbox runtime handler.

If the "sandboxer" is set to "" or "podsandbox", then containerd will
use the legacy shimv2 api, and if the "sandboxer" is set to "shim", then
it will use the sandbox api to launch the pod.

In addition, add a containerd v2.0.0 version. Because containerd officially
supports the sandbox api from version 2.0.0.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
36bf080c1e runtime-rs: register the sandbox api service
add and resiger the sandbox api service, thus runtime-rs
can deal with the sandbox api rpc call from the containerd.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
8332f427d2 runtime-rs: add the wait and status method for sandbox api
Add the sandbox wait and sandbox status method for sandbox
api.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
2d6b1e6b13 runtime-rs: add the sandbox api support
For Kata-Containers, we add SandboxService for these new calls alongside
the existing
TaskService, including processing requests and replies, and properly
calling
VirtSandbox's interfaces. By splitting the start logic of the sandbox,
virt_container
is compatible with calls from the SandboxService and TaskService. In
addition, we modify
the processing of resource configuration to solve the problem that
SandboxService does not
have a spec file when creating a pod.

Sandbox api can be supported from containerd 1.7. But there's a
difference from container 2.0.
To enbale it from 2.0, you can support the sandbox api for a specific
runtime by adding:
 sandboxer = "shim", take kata runtime as an example:

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
          runtime_type = "io.containerd.kata.v2"
          sandboxer = "shim"
          privileged_without_host_devices = true
          pod_annotations = ["io.katacontainers.*"]

For container version 1.7, you can enable it by:

1: add env ENABLE_CRI_SANDBOXES=true
2: add sandbox_mode = "shim" to runtime config.

Acknowledgement

This work was based on @wllenyj's POC code:
(f5b62a2d7c)

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
2025-02-11 15:21:53 +01:00
Fupan Li
65e908a584 runtime-rs: add the sandbox init for sandbox api
For the processing of init sandbox, the init of task
api has some more special processing procedures than
the init of sandbox api, so these two types of init
are separated here.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
be40646d04 runtime-rs: move the sandbox start from sandbox init function
Split the sandbox start from the sandbox init process, and call
them separately.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
438f81b108 runtime-rs: only get the containerd id when start container
When start the sandbox, the sandbox id would be passed from the
shim command line, and it only need to get the containerd id from
oci spec when starting the pod container instead of the pod sandbox.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
9492c45d06 runtime-rs: load the cgroup path correctly
When the sandbox api was enabled, the pause container would
be removed and sandbox start api only pass an empty bundle
directory, which means there's no oci spec file under it, thus
the cgroup config couldn't get the cgroup path from pause container's
oci spec. So we should set a default cgroup path for sandbox api
case.

In the future, we can promote containerd to pass the cgroup path during
the sandbox start phase.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
78b96a6e2e runtime-rs: fix the issue of missing create sandbox dir
It's needed to make sure the sandbox storage path
exist before return it.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
97785b1f3f runtime-rs: rustfmt against lib.rs
It seemed some files was mssing run rustfmt.
This commit do rustfmt for them.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Fupan Li
33555037c0 protocols: Add the cri api protos
Add the cri api protos to support the sandbox api.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-02-11 15:21:53 +01:00
Hui Zhu
27cff15015 runtime-rs: Remove block_device_cache_direct from config of fc
Remove block_device_cache_direct from config of fc in runtime-rs because
fc doesn't support this config.

Fixes: #10849

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-02-11 14:04:11 +08:00
Hui Zhu
70d9afbd1f runtime-rs: Add block_device_cache_direct to config of ch and dragonball
Add block_device_cache_direct to config of ch and dragonball in
runtime-rs because they support this config.

Fixes: #10849

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-02-11 14:04:11 +08:00
Hui Zhu
db04c7ec93 runtime-rs: Add block_device_cache_direct config to ch and qemu
Add block_device_cache_direct config to ch and qemu in runtime-rs.

Fixes: #10849

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-02-11 14:04:11 +08:00
Hui Zhu
e4cbc6abce runtime-rs: CloudHypervisorInner: Change config type
This commit change config in CloudHypervisorInner to normal
HypervisorConfig to decrease the change of its type.

Fixes: #10849

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-02-11 14:04:11 +08:00
Fabiano Fidêncio
75ac09baba packaging: Move builds to Ubuntu 22.04
As Ubuntu 20.04 will reach its EOL in April.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-10 21:25:43 +01:00
Fabiano Fidêncio
c9f5966f56 Merge pull request #10860 from kata-containers/topic/debug-ci
workflows: build: Do not store unnecessary content on the tarball
2025-02-10 20:01:37 +01:00
Fabiano Fidêncio
ec290853e9 workflows: build: Do not store unnecessary content on the tarball
Otherwise we may end up simply unpacking kata-containers specific
binaries into the same location that system ones are needed, leading to
a broken system (most likely what happened with the metrics CI, and also
what's happening with the GHA runners).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-10 18:57:29 +01:00
Steve Horsman
fb341f8ebb Merge pull request #10857 from fidencio/topic/ci-tdx-only-use-one-machine-for-testing
ci: Only use the Ubuntu TDX machine in the CI
2025-02-10 15:25:06 +00:00
Fabiano Fidêncio
23cb5bb6c2 ci: Only use the Ubuntu TDX machine in the CI
We've been hitting issues with the CentOS 9 Stream machine, which Intel
doesn't have cycles to debug.

After raising this up in the Confidential Containers community meeting
we got the green light from Red Hat (Ariel Adam) to just disable the CI
based on CentOS 9 Stream for now.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-10 12:50:16 +01:00
Zvonko Kaiser
eb1cf792de Merge pull request #10791 from kata-containers/gpu_ci_cd
gpu: Add first target and fix extratarballs
2025-02-06 15:47:27 -05:00
Zvonko Kaiser
62a975603e Merge pull request #10806 from stevenhorsman/rust-1.80.0-bump
Rust 1.80.0 bump
2025-02-06 14:49:23 -05:00
Dan Mihai
fdf3088be0 Merge pull request #10842 from microsoft/danmihai1/disable-job-policy-test
tests: disable k8s-policy-job.bats on coco-dev
2025-02-06 09:09:49 -08:00
Hyounggyu Choi
48c5b1fb55 Merge pull request #10841 from BbolroC/make-measured-rootfs-configurable
local-build: Do not build measured rootfs on s390x
2025-02-06 16:07:15 +01:00
Hyounggyu Choi
1bdb34e880 tests: Skip trusted storage tests for IBM SE
Let's skip all tests for trusted storage until #10838 is resolved.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-02-06 12:09:14 +01:00
Hyounggyu Choi
27ce3eef12 local-build: Do not use measured rootfs on s390x
IBM SE ensures to make initrd measured by genprotimg and verified by ultravisor.
Let's not build the measured rootf on s390x.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-02-06 10:12:55 +01:00
stevenhorsman
fce49d4206 dragonball: Skip unsafe tests
Skip tests that use unsafe uses of file descriptor
which causes
```
fatal runtime error: IO Safety violation: owned file descriptor already closed
```

See #10821

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-06 08:54:17 +00:00
Fabiano Fidêncio
2ceb7a35fc versions: Bump rust to 1.80.0 (matching coco-guest-components)
This is needed in order to avoid agent build issues, such as:
```
error[E0658]: use of unstable library feature 'lazy_cell'
  --> /home/ansible/.cargo/git/checkouts/guest-components-1e54b222ad8d9630/514c561/ocicrypt-rs/src/lib.rs:10:5
   |
10 | use std::sync::LazyLock;
   |     ^^^^^^^^^^^^^^^^^^^
   |
   = note: see issue #109736 <https://github.com/rust-lang/rust/issues/109736> for more information
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-06 08:53:51 +00:00
Fabiano Fidêncio
76df852f33 packaging: agent: Add rust version to the builder image name
As we want to make sure a new builder image is generated if the rust
version is bumped.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-06 08:53:51 +00:00
stevenhorsman
d3e0ecc394 kata-ctl: Allow empty const
Due to the way that multi-arch support is done, on various platforms
we will get a clippy error:
```
error: this expression always evaluates to false
```
which might not be true on those other platforms, so
allow this code pattern to suppress the clippy error

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-06 08:53:51 +00:00
Fabiano Fidêncio
6de8e59109 Merge pull request #10824 from stevenhorsman/updates-in-prep-of-rust-1.80-bump
Updates in prep of rust 1.80 bump
2025-02-06 09:05:23 +01:00
Dan Mihai
47ce5dad9d tests: disable k8s-policy-job.bats on coco-dev
k8s-policy-job is modeled after the older k8s-job, and it appears
that both of them fail occasionally on coco-dev.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-02-05 23:06:16 +00:00
Arvind Kumar
47534c1c3e nydus: Skipping SNP and SEV from deploying and deleting Snapshotter
Preparing to install nydus permanently on the AMD node,
so disabling deploy and delete command for SNP and SEV.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-02-05 12:26:53 -06:00
Zvonko Kaiser
45bd451fa0 ci: add arm64 attestation
Do the very same thing that we do on amd64 and add attestation

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-05 16:30:20 +00:00
Zvonko Kaiser
9a7dff9c40 gpu: Add arm64 targets
We want to make sure we deliver arm64 GPU targets as well

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-05 16:30:20 +00:00
Zvonko Kaiser
968318180d ci: Add extratarballs steps
We introduced extratarballs with a make target. The CI
currently only uploads tarballs that are listed in the matrix.
The NV kernel builds a headers package which needs to be uploaded
as well.

The get-artifacts has a glob to download all artifacts hence we
should be good.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-05 16:30:20 +00:00
Zvonko Kaiser
b04bdf54a5 gpu: Add rootfs target amd64/arm64
Adding the initrd build first to get the rootfs on amd64.
With that we can start to add tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-05 16:30:20 +00:00
stevenhorsman
7831caf1e7 libs/safe-path: Fix doc formatting
Clippy fails with
```
error: doc list item missing indentation
```
so indent further to avoid this.
2025-02-05 15:16:47 +00:00
stevenhorsman
17b1e94f1a cargo: Update time crate
So it avoids us hitting
```
error[E0282]: type annotations needed for `Box<_>`
  --> /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/time-0.3.31/src/format_description/parse/mod.rs:83:9
   |
83 |     let items = format_items
   |         ^^^^^
...
86 |     Ok(items.into())
   |              ---- type must be known at this point
   |
help: consider giving `items` an explicit type, where the placeholders `_` are specified
   |
83 |     let items: Box<_> = format_items
   |              ++++++++
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
e9393827e8 agent: Workaround ppc formatting
On powerpc64le platform the ip neigh command has
a trailing space after the state, so the test is failing e.g.
```
 assertion `left == right` failed
  left: "169.254.1.1 lladdr 6a:92:3a:59:70:aa PERMANENT \n"
 right: "169.254.1.1 lladdr 6a:92:3a:59:70:aa PERMANENT\n"
```
Trim the whitespace to make the test pass on all platforms

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
1ac0e67245 kata-ctl: Add stub of missing method for ppc
`host_is_vmcontainer_capable` is required, but wasn't
implemented for powerpc64, so copy the aarch64 approach
@Amulyam24

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
bd3c93713f kata-sys-util: Complete code move
In #7236 the guest protection code was moved to kata-sys-utils,
but some of it was left behind, and the adjustment to the new
location wasn't completed, so the powerpc64 code doesn't
build now we've fixed the cfg to test it.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
9f865f5bad kata-ctl: Allow dead_code
Some of the Kernel structs have `#[allow(dead_code)]`
but not all and this results in the clippy error:
```
 error: fields `name` and `value` are never read
 ```
 so complete the job started before to remove the error.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
61a252094e dragonball: Fix feature typo
Replace `legacy_irq` with `legacy-irq`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
add785f677 dragonball: Remove unused fields
`metrics` is never used, so remove this code

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
dde34bb7b8 runtime-rs: Remove un-used code
The `r#type` method is never used, so neither
are the log type constants

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
71fffb8736 runtime-rs: Allow dead code
Clippy errors with:
```
error: field `driver` is never read
  --> crates/resource/src/network/utils/link/driver_info.rs:77:9
   |
76 | pub struct DriverInfo {
   |            ---------- field in this struct
77 |     pub driver: String,
   |         ^^^^^^
```
We set this, but never read it, so clippy is correct,
but I'm not sure if it's useful for logging, or other purposes,
so I'll allow it for now.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
d75a0ccbd1 dragonball: Allow test-mock feature
Clippy fails with:
```
warning: unexpected `cfg` condition value: `test-mock`
    --> /root/go/src/github.com/kata-containers/kata-containers/src/dragonball/src/dbs_pci/src/vfio.rs:1929:17
     |
1929 | #[cfg(all(test, feature = "test-mock"))]
     |                 ^^^^^^^^^^^^^^^^^^^^^ help: remove the condition
     |
     = note: no expected values for `feature`
     = help: consider adding `test-mock` as a feature in `Cargo.toml`
```
So add it as an expected cfg in the linter to skip this

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
bddaea6df1 runtime-rs: Allow enable-vendor feature
Clippy fails with:
```
error: unexpected `cfg` condition value: `enable-vendor`
   --> crates/hypervisor/src/device/driver/vfio.rs:180:11
    |
180 |     #[cfg(feature = "enable-vendor")]
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: expected values for `feature` are: `ch-config`, `cloud-hypervisor`, `default`, and `dragonball`
    = help: consider adding `enable-vendor` as a feature in `Cargo.toml`
```

So add it as an expected cfg in the linter to skip this

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
bed128164a runtime-rs: Allow unexpected config
Clippy fails with:
```
error: unexpected `cfg` condition value: `enable-vendor`
   --> crates/hypervisor/src/device/driver/vfio.rs:180:11
    |
180 |     #[cfg(feature = "enable-vendor")]
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: expected values for `feature` are: `ch-config`, `cloud-hypervisor`, `default`, and `dragonball`
    = help: consider adding `enable-vendor` as a feature in `Cargo.toml`
```
allow this until we can check this behaviour with @Apokleos

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
53bcb0b108 runtime-rs: Fix for-loops-over-fallibles
Clippy complains about:
```
error: for loop over a `&Result`. This is more readably written as an `if let` statement
  --> crates/hypervisor/src/firecracker/fc_api.rs:99:22
   |
99 |         for param in &kernel_params.to_string() {
   |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
c332a91ef8 runtime-rs: Fix doc list item missing indentation
Add the extra space to format the list correctly

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
fe98d49a29 runtime-rs: Remove direct implementation of ToString
Fix clippy error:
```
direct implementation of `ToString`
```
by switching to implement Display instead

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
730c56af2a runtime-rs: Fix clippy::unnecessary-get-then-check
Clippy errors with:
```
error: unnecessary use of `get(&id).is_none()`
   --> crates/hypervisor/src/device/device_manager.rs:494:29
    |
494 |             if self.devices.get(&id).is_none() {
    |                -------------^^^^^^^^^^^^^^^^^^
    |                |
    |                help: replace it with: `!self.devices.contains_key(&id)`
```
so fix this as suggested

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
a9358b59b7 runtime-rs: Allow unused enum field
Clippy errors with:
```
error: field `0` is never read
   --> crates/hypervisor/src/qemu/cmdline_generator.rs:375:25
    |
375 |     DeviceAlreadyExists(String), // Error when trying to add an existing device
    |     ------------------- ^^^^^^
```
but this is used when creating the error later, so add an allow
to ignore this warning

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
1d9efeb92b runtime-rs: Remove use of legacy constants
Fix clippy error
```
error: usage of a legacy numeric constant
```
by swapping `std::u8::MAX` for `u8::MAX`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
225c7fc026 kata-ctl: Allow unused enum field
Clippy errors with:
```
error: field `0` is never read
```
but the field is required for the `map_err`, so ignore this
error for now to avoid too much disruption

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
f1d3450d1f runtime-rs: Remove unused config
`gdb` is only activated by a feature `guest_debug` that doesn't
exist, so remove this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
1e90fc38de dragonball: Fix incorrect reference
There were references to `config_manager::DeviceInfoGroup`
which doesn't exist, so I guess it means `DeviceConfigInfo`
instead, so update them

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
f389b05f20 dragonball: Fix doc formatting issue
Clippy errors with:
```
error: doc list item missing indentation
```
which I think is because the Return is between two list
items, so add a blank line to separate this into a separate
paragraph

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
8bea57326a dragonballl: Fix thread_local initializer error
clippy errors with:
```
error: initializer for `thread_local` value can be made `const`
```
so update as suggested

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
7257ee0397 agent: Remove implementation of ToString
Fix clippy error:
```
direct implementation of `ToString`
```
by switching to implement Display instead

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
ca87aca1a6 agent: Remove use of legacy constants
Fix clippy error
```
error: usage of a legacy numeric constant
```
by swapping `std::i32::<MIN/MAX>` for `i32::<MIN/MAX>`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
6008fd56a1 agent: Fix clippy error
```
error: file opened with `create`, but `truncate` behavior not defined
```
`truncate(true)` ensures the file is entirely overwritten with new data
which I believe is the behaviour we want

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
a640bb86ec agent: cdh: Remove unnecessary borrows
Fix clippy error:
```
error: the borrowed expression implements the required traits
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
a131eec5c1 agent: config: Remove supports_seccomp
supports_seccomp is never used, so throws a clippy error

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
0bd36a63d9 agent: Fix clippy error
```
error: bound is defined in more than one place
```

Move Sized into the later definition of `R` & `W`
rather than defining them in two places

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
7709198c3b rustjail: Fix clippy error
```
error: file opened with `create`, but `truncate` behavior not defined
```
`truncate(true)` ensures the file is entirely overwritten with new data
which I believe is the behaviour we want

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
Fabiano Fidêncio
b4de302cb2 genpolicy: Adjust to build with rust 1.80.0
```
error: field `image` is never read
  --> src/registry.rs:35:9
   |
34 | pub struct Container {
   |            --------- field in this struct
35 |     pub image: String,
   |         ^^^^^
   |
   = note: `Container` has derived impls for the traits `Debug` and `Clone`, but these are intentionally ignored during dead code analysis
   = note: `-D dead-code` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(dead_code)]`

error: field `use_cache` is never read
   --> src/utils.rs:106:9
    |
105 | pub struct Config {
    |            ------ field in this struct
106 |     pub use_cache: bool,
    |         ^^^^^^^^^
    |
    = note: `Config` has derived impls for the traits `Debug` and `Clone`, but these are intentionally ignored during dead code analysis

error: could not compile `genpolicy` (bin "genpolicy") due to 2 previous errors
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
099b241702 powerpc64: Add target_endian = "little"
Based on comments from @Amulyam24 we need to use
the `target_endian = "little"` as well as target_arch = "powerpc64"
to ensure we are working on powerpc64le.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
4c006c707a build: Fix powerpc64le target_arch
Starting with version 1.80, the Rust linter does not accept an invalid
value for `target_arch` in configuration checks:

```
   Compiling kata-sys-util v0.1.0 (/home/ddd/Work/kata/kata-containers/src/libs/kata-sys-util)
error: unexpected `cfg` condition value: `powerpc64le`

  --> /home/ddd/Work/kata/kata-containers/src/libs/kata-sys-util/src/protection.rs:17:34
   |
17 | #[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))]
   |                                  ^^^^^^^^^^^^^^-------------
   |                                                |
   |                                                help: there is a expected value with a similar name: `"powerpc64"`
   |
   = note: expected values for `target_arch` are: `aarch64`, `arm`, `arm64ec`, `avr`, `bpf`, `csky`, `hexagon`, `loongarch64`, `m68k`, `mips`, `mips32r6`, `mips64`, `mips64r6`, `msp430`, `nvptx64`, `powerpc`, `powerpc64`, `riscv32`, `riscv64`, `s390x`, `sparc`, `sparc64`, `wasm32`, `wasm64`, `x86`, and `x86_64`
   = note: see <https://doc.rust-lang.org/nightly/rustc/check-cfg/cargo-specifics.html> for more information about checking conditional configuration
   = note: `-D unexpected-cfgs` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(unexpected_cfgs)]`
```

According [to GitHub user @Urgau][explain], this is a new warning
introduced in Rust 1.80, but the problem exists before. The correct
architecture name should be `powerpc64`, and the differentiation
between `powerpc64le` and `powerpc64` should use the `target_endian =
"little"` check.

[explain]: #10072 (comment)

Fixes: #10067

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
[emlima: fix some more occurences and typos]
Signed-off-by: Emanuel Lima <emlima@redhat.com>
[stevenhorsman: fix some more occurences and typos]
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:20:47 +00:00
Zvonko Kaiser
429b2654f4 Merge pull request #10812 from zvonkok/fix-arch-build-gpu
gpu: Fix arm64 build
2025-02-04 17:03:37 -05:00
Dan Mihai
3fc170788d Merge pull request #10811 from microsoft/cameronbaird/hyp-loglevel-upstream
CLH: config: add hypervisor_loglevel
2025-02-04 11:59:21 -08:00
Zvonko Kaiser
eeacd8fd74 gpu: Adapt rootfs build for multi-arch
Add aarch64 and x86_64 handling. Especially build the Rust
dependency with the correct rust musl target.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-04 16:44:21 +00:00
Steve Horsman
9060904c4f Merge pull request #10826 from kata-containers/topic/crio-test-timeouts
workflows: Add delete kata-deploy timeouts for crio tests
2025-02-04 13:09:49 +00:00
Ruoqing He
8e073a6715 ci: Update yq to v4.44.5 to support riscv64
In v4.44.5 of `yq`, artifacts for riscv64 are released. Update the
version used for `yq` and enable `install_yq.sh` to work on riscv64.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-04 19:36:34 +08:00
Zvonko Kaiser
95c63f4982 Merge pull request #10827 from stevenhorsman/bump-golang-1.22.11
versions: Bump golang version
2025-02-03 16:06:56 -05:00
Zvonko Kaiser
7dc8060051 Merge pull request #10828 from stevenhorsman/fix-versions-comments
versions: Fix formatting
2025-02-03 16:06:37 -05:00
stevenhorsman
546e3ae9ea versions: Fix formatting
The static_checks_versions test uses yamllint which fails with:
```
[comments] too few spaces before comment
```
many times and so makes code reviews more annoying with
all these extra messages. Other it's probably not the worse issues,
I checked the
[yaml spec](https://yaml.org/spec/1.2.2/#66-comments)
and it does say
> Comments must be separated from other tokens by white space character*s*

so it's easiest to fix it and move on.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-03 17:08:25 +00:00
Zvonko Kaiser
122ad95da6 Merge pull request #10751 from ryansavino/snp-upstream-host-kernel-support
snp: update kata to use latest upstream packages for snp
2025-02-03 11:20:59 -05:00
stevenhorsman
d9eb1b0e06 versions: Bump golang version
Bump golang versions so we are more up-to-date and
have the extra security fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-03 15:28:53 +00:00
stevenhorsman
5203158195 workflows: Add delete kata-deploy timeouts for crio tests
I've also seen cases (the qemu, crio, k0s tests) where Delete kata-deploy is still
running for this test after 2 hours, and had to be manually
cancelled, so let's try adding a 5m timeout to the kata-deploy delete to stop CI jobs hanging.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-03 11:45:43 +00:00
Greg Kurz
a806d74ce3 Merge pull request #10807 from kata-containers/dependabot/go_modules/src/tools/csi-kata-directvolume/go_modules-8d4d0c168c
build(deps): bump github.com/golang/glog from 1.2.0 to 1.2.4 in /src/tools/csi-kata-directvolume in the go_modules group across 1 directory
2025-02-01 08:29:44 +01:00
Cameron Baird
b6b0addd5e config: add hypervisor_loglevel
Implement HypervisorLoglevel config option for clh.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-01-31 18:37:03 +00:00
Steve Horsman
41f23f1d2a Merge pull request #10823 from stevenhorsman/fix-virtiofsd-build-error
packaging: virtiofsd: Allow building a specific commit
2025-01-31 16:18:02 +00:00
stevenhorsman
1cf1a332a5 packaging: virtiofsd: Allow building a specific commit
#10714 added support for building a specific commit,
but due to the clone only having `--depth=1`, we can only
reset to a commit if it's the latest on the `main` branch,
otherwise we will get:
```
+ git clone --depth 1 --branch main https://gitlab.com/virtio-fs/virtiofsd virtiofsd
Cloning into 'virtiofsd'...
warning: redirecting to https://gitlab.com/virtio-fs/virtiofsd.git/
+ pushd virtiofsd
+ git reset --hard cecc61bca981ab42aae6ec490dfd59965e79025e
...
fatal: Could not parse object 'cecc61bca981ab42aae6ec490dfd59965e79025e'.
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-31 11:24:23 +00:00
Greg Kurz
0215d958da Merge pull request #10805 from balintTobik/egrep_removal
egrep/fgrep removal
2025-01-30 18:26:59 +01:00
Hyounggyu Choi
530fedd188 Merge pull request #10767 from BbolroC/enable-coldplug-vfio-ap-s390x
Enable VFIO-AP coldplug for s390x
2025-01-30 12:11:00 +01:00
Balint Tobik
1943a1c96d tests: replace egrep with grep -E to avoid deprecation warning
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-29 11:26:27 +01:00
Balint Tobik
47140357c4 docs: replace egrep/fgrep with grep -E/-F to avoid deprecation warning
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-29 11:25:54 +01:00
Ryan Savino
90e2b7d1bc docs: updated build and host setup instructions for SNP
Referenced AMD developer page for latest SEV firmware.
Instructions to point to upstream 6.11 kernel or later.
Referenced sev-utils and AMDESE fork for kernel setup.

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-01-28 18:09:40 -06:00
Ryan Savino
c1ca49a66c snp: set snp to use upstream qemu in config
use upstream qemu in snp and nvidia snp configs.
load ovmf with bios flag on qemu cmdline instead of file.

Fixes: #10750

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-01-28 18:09:40 -06:00
Ryan Savino
af235fc576 Revert "builds: ovmf: Workaround Zeex repo becoming private"
This reverts commit aff3d98ddd.
2025-01-28 18:09:40 -06:00
Ryan Savino
bb7ca954c7 ovmf: upgrade standard and sev ovmf
ovmf upgraded to latest tag for standard and sev.

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-01-28 18:09:40 -06:00
Ryan Savino
e87231edc7 snp: remove snp certs on qemu cmdline
snp standard attestation with the upstream kernel and qemu do not support extended attestation with certs.

Fixes: #10750

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-01-28 18:09:40 -06:00
Zvonko Kaiser
f9bbe4e439 Merge pull request #10785 from zvonkok/agent-cgv2-activate
agent: Add proper activation param handling to activate cgroupV2
2025-01-28 14:21:15 -05:00
dependabot[bot]
df5eafd2a1 build(deps): bump github.com/golang/glog
Bumps the go_modules group with 1 update in the /src/tools/csi-kata-directvolume directory: [github.com/golang/glog](https://github.com/golang/glog).


Updates `github.com/golang/glog` from 1.2.0 to 1.2.4
- [Release notes](https://github.com/golang/glog/releases)
- [Commits](https://github.com/golang/glog/compare/v1.2.0...v1.2.4)

---
updated-dependencies:
- dependency-name: github.com/golang/glog
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-28 17:38:14 +00:00
Fabiano Fidêncio
5e00a24145 Merge pull request #10749 from zvonkok/pass-through-stack
gpu: Add driver version selection
2025-01-28 16:24:16 +01:00
Hyounggyu Choi
dde627cef4 test: Run full set of zcrypttest for VFIO-AP coldplug
Previously, the test for VFIO-AP coldplug only checked whether a
passthrough device was attached to the VM guest. This commit expands
the test to include a full set of zcrypttest to verify that the device
functions properly within a container.

Additionally, since containerd has been upgraded to v1.7.25 on the
test machine, it is no longer necessary to run the test via crictl.
The commit removes all related codes/files.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Hyounggyu Choi
47db9b3773 agent: Run check_ap_device() for VFIO-AP coldplug
This commit updates the device handler to call check_ap_device()
instead of wait_for_ap_device() for VFIO-AP coldplug.
The handler now returns a SpecUpdate for passthrough devices if
the device is online (e.g., `/sys/devices/ap/card05/05.001f/online`
is set to 1).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Hyounggyu Choi
200cbfd0b0 kata-types: Introduce new type vfio-ap-cold for VFIO-AP coldplug
This newly introduced type will be used by the VFIO-AP device handler
on the agent.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Hyounggyu Choi
4a6ba534f1 runtime: Introduce new gRPC device type for VFIO-AP coldplug
This commit introduces a new gRPC device type, `vfio-ap-cold`, to support
VFIO-AP coldplug. This enables the VM guest to handle passthrough devices
differently from VFIO-AP hotplug.
With this new type, the guest no longer needs to wait for events (e.g., device
addition) because the device already exists at the time the device type is checked.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Hyounggyu Choi
419b5ed715 runtime: Add DeviceInfo to Container for VFIO coldplug configuration
Even though ociSpec.Linux.Devices is preserved when vfio_mode is VFIO,
it has not been updated correctly for coldplug scenarios. This happens
because the device info passed to the agent via CreateContainerRequest
is dropped by the Kata runtime.
This commit ensures that the device info is added to the sandbox's
device manager when vfio_mode is VFIO and coldPlugVFIO is true
(e.g., vfio-ap-cold), allowing ociSpec.Linux.Devices to be properly
updated with the device information before the container is created on
the guest.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-01-28 10:53:00 +01:00
Balint Tobik
233d15452b runtime: replace egrep with grep -E to avoid deprecation warning
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-28 10:46:44 +01:00
Balint Tobik
e657f58cf9 ci: replace egrep with grep -E to avoid deprecation warning
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-28 10:46:44 +01:00
Zvonko Kaiser
9f2799ba4f Merge pull request #10790 from JakubLedworowski/add-xattr-to-confidential-kernel
kernel: Add CONFIG_TMPFS_XATTR to tdx.conf
2025-01-27 13:47:08 -05:00
Zvonko Kaiser
d2528ef84f gpu: Initialize unbound variables rootfs.sh
Since we're importing some build script for nvidia and we're
setting set -u we have some unbound variables in rootfs.sh
add initialization for those.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 18:37:21 +00:00
Zvonko Kaiser
9162103f85 agent: Update macro for e.g. String type
stack-only types are handled properly with the
parse_cmdline_param macro advancted types like
String couldn't be guarded by a guard function since
it passed the variable by value rather than reference.

Now we can have guard functions for the String type

parse_cmdline_param!(
    param,
    CGROUP_NO_V1,
    config.cgroup_no_v1,
    get_string_value,
    | no_v1 | no_v1 == "all"
);

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:43 +00:00
Zvonko Kaiser
aab9d36e47 agent: Add tests for cgroup_no_v1
The only valid value is "all", ignore all other

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:43 +00:00
Zvonko Kaiser
e1596f7abf agent: Add option to parse cgroup_no_v1
For AGENT_INIT=yes we do not run systemd and hence
systemd.unified_... does not mean anything to other init
systems. Providing cgroup_no_v1=all is enough to signal
other init systemd to use cgroupV2.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:43 +00:00
Zvonko Kaiser
cd7001612a gpu: rootfs adjust for AGENT_INIT=no
Since we're defaulting to AGENT_INIT=no for all the initrd/images
adapt the NV build to properly get kata-agent installed.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:21 +00:00
Zvonko Kaiser
10974b7bec gpu: AGENT_INIT=no
We're setting globally for each initrd and image AGENT_INIT=no

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:21 +00:00
Zvonko Kaiser
98e0dc1676 gpu: Add set -u to scripts
Make the scripts more robust by failing on unset varaibles

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:21 +00:00
Zvonko Kaiser
f153229865 gpu: Add driver version selection
Besides latest and lts options add an option to specify
the exact driver version.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-27 17:56:21 +00:00
Steve Horsman
311c3638c6 Merge pull request #10794 from fidencio/topic/bump-ubuntu-version-for-the-confidential-rootfs-and-initrd
versions: Bump Ubuntu base image & initrd
2025-01-27 15:55:16 +00:00
Fabiano Fidêncio
84b0ca1b18 versions: Bump Ubuntu rootfs / initrd versions
While I wish we could be bumping to the very same version everywhere,
it's not possible and it's been quite a ride to get a combination of
things that work.

Let me try to describe my approach here:
* Do *NOT* stay on 20.04
  * This version will be EOL'ed by April
  * This version has a very old version of systemd that causes a bug
    when trying to online the cpusets for guests using systemd as
    init, causing then a breakage on the qemu-coco-non-tee and TDX
    non-attestation set of tests

* Bump to 22.04 when possible
  * This was possible for the majority of the cases, but for the
    confidential initrd & confidential images for x86_64, the reason
    being failures on AMD SEV CI (which I didn't debug), and a kernel
    panic on the CentOS 9 Stream TDX machine
  * 22.04 is being used instead of 24.04 as multistrap is simply broken
    on Ubuntu 24.04, and I'd prefer to stay on an LTS release whenever
    it's possible

* Bump to 24.10 for x86_64 image confidential
  * This was done as we got everything working with 24.10 in the CI.
  * This requires using libtdx-attest from noble (Ubuntu 24.04), as
    Intel only releases their sgx stuff for LTS releases.

* Stick to 20.04 for x86_64 initrd confidential
  * 24.10 caused a panic on their CI
  * This is only being used by AMD so far, so they can decide when to
    bump, after doing the proper testing & debug that the bump will work
    as expected for them

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 15:08:20 +01:00
Carlos Segarra
b6e0effc06 tdx: bump version of libtdx-attest in rootfs-builder
Bump libtdx-attest to its 1.22 release.

Signed-off-by: Carlos Segarra <carlos@carlossegarra.com>
2025-01-27 15:08:20 +01:00
Fabiano Fidêncio
2b5dbfacb8 osbuilder: ubuntu: Try to install pyinstaller using --break-system-packages
We first try without passing the `--break-system-packages` argument, as
that's not supported on Ubuntu 22.04 or older, but that's required on
Ubuntu 24.04 or newer.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 15:08:20 +01:00
Fabiano Fidêncio
c54f78bc6b local-build: cache: Consider os name & version for image/initrd
Otherwise a bump in the os name and / or os version would lead to the CI
using a cached artefact.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 15:08:20 +01:00
Fabiano Fidêncio
4a66acc6f5 osbuilder: ubuntu: Abort if multistrap fails (but not on 20.04)
We have gotten Ubuntu 20.04 working pretty much "by luck", as multistrap
fails the deployment, and then a hacky function was introduced to add
the proper dbus links.  However, this does not scale at all, and we
should:
* Fail if multistrap fails
  * I won't do this for Ubuntu 20.04 as it's working for now and soon
    enough it'll be EOL
* Add better logging to ensure someone can know when multistrap fails

Below you can find the failure that we're hitting on Ubuntu 20.04:
```sh
Errors were encountered while processing:
 dbus
ERR: dpkg configure reported an error.
Native mode configuration reported an error!
I: Tidying up apt cache and list data.

Multistrap system reported 1 error in /rootfs/.
I: Tidying up apt cache and list data.
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 15:08:16 +01:00
Fabiano Fidêncio
585f82f730 osbuilder: ubuntu: Ensure OS_VERSION is passed & used
Right now we're hitting an interesting situation with osbuilder, where
regardless of what's being passed Ubuntu 20.04 (focal) is being used
when building the rootfs-image, as shown in the snippets of the logs
below:
```
ffidenci@tatu:~/src/upstream/kata-containers/kata-containers$ make rootfs-image-confidential-tarball
/home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-copy-libseccomp-installer.sh "agent"
make agent-tarball-build
...
make pause-image-tarball-build
...
make coco-guest-components-tarball-build
...
make kernel-confidential-tarball-build
...
make rootfs-image-confidential-tarball-build
make[1]: Entering directory '/home/ffidenci/src/upstream/kata-containers/kata-containers'
/home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-binaries-in-docker.sh  --build=rootfs-image-confidential
sha256:f16c57890b0e85f6e1bbe1957926822495063bc6082a83e6ab7f7f13cabeeb93
Build kata version 3.13.0: rootfs-image-confidential
INFO: DESTDIR /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/destdir
INFO: Create image
build image
~/src/upstream/kata-containers/kata-containers/tools/osbuilder ~/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir
INFO: Build image
INFO: image os: ubuntu
INFO: image os version: latest
Creating rootfs for ubuntu
/home/ffidenci/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs.sh -o 3.13.0-13f0807e9f5687d8e5e9a0f4a0a8bb57ca50d00c-dirty -r /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir/rootfs-image/ubuntu_rootfs ubuntu
INFO: rootfs_lib.sh file found. Loading content
~/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/ubuntu ~/src/upstream/kata-containers/kata-containers/tools/osbuilder
~/src/upstream/kata-containers/kata-containers/tools/osbuilder

INFO: rootfs_lib.sh file found. Loading content
INFO: build directly

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4276 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:7 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1297 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
Get:9 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4187 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4663 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1589 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [34.6 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4463 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Fetched 34.1 MB in 5s (6284 kB/s)
...
```

The reason this is happening is due to a few issues in different places:
1. IMG_OS_VERSION, passed to osbuilder, is not used anywhere and
   OS_VERSION should be used instead. And we should break if OS_VERSION
   is not properly passed down
2. Using UBUNTU_CODENAME is simply wrong, as it'll use whatever comes as
   the base container from kata-deploy's local-build scripts, and it has
   just been working by luck

Note that at the same time this commit fixes the wrong behaviour, it
would break the rootfses build as they are, this we need to set the
versions.yaml to use 20.04 were it was already using 20.04 even without
us knowing.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 14:19:42 +01:00
Fabiano Fidêncio
02a18c1359 versions: Clarify which release matches a codename
It'll make the life of the developers not so familiar with Ubuntu
easier.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 14:19:42 +01:00
Fabiano Fidêncio
ca96a6ac76 versions: Use Ubuntu codename instead of versions
As this is required as part of the osbuilder tool to be able to properly
set the repositories used when building the rootfs.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 14:19:39 +01:00
Fabiano Fidêncio
353ceb948e versions: Don't use the yaml variable definitions
While having variables are nice, those are more extensive to write down,
and actually confusing for tired developer eyes to read, plus we're
mixing the use of the yaml variables here and there together with not
using them for some architectures.

With the best "all or nothing" spirit, let's just make it easier for our
developers to read the versions.yaml and easily understand what's being
used.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-27 14:19:08 +01:00
Jakub Ledworowski
42531cf6c4 kernel: Add CONFIG_TMPFS_XATTR to confidential kernel
During pull inside the guest, overlayfs expects xattrs.

Fixes: [guest-components#876](https://github.com/confidential-containers/guest-components/issues/876)

Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>
2025-01-27 07:07:54 +01:00
Zvonko Kaiser
b4c710576e Merge pull request #10782 from stevenhorsman/clh-metrics-write-update
metrics: Increase minval range for blogbench test
2025-01-24 10:21:20 -05:00
Steve Horsman
54e7e1fdc3 Merge pull request #10768 from kata-containers/dependabot/go_modules/src/runtime/go_modules-28d0d344dd
build(deps): bump the go_modules group across 3 directories with 1 update
2025-01-24 12:04:56 +00:00
Greg Kurz
17f3eb0579 Merge pull request #10766 from balintTobik/remove_shebang
Remove shebang in non-executable completion script
2025-01-24 12:29:03 +01:00
Alex Lyn
ee635293c6 Merge pull request #10740 from RuoqingHe/virtiofsd-riscv64
virtiofsd: Enable build for RISC-V
2025-01-24 15:43:56 +08:00
Zvonko Kaiser
f5c509d58e Merge pull request #10779 from kata-containers/topic/arm64-static-build-runner
workflows: Move arm static checks runner
2025-01-23 22:29:16 -05:00
Fabiano Fidêncio
4bc978416c Merge pull request #10720 from fidencio/topic/test-cgroupsv2-on-guest
kernel: Ensure no cgroupsv1 is used
2025-01-23 21:26:49 +01:00
Aurélien Bombo
66d292bdb4 Merge pull request #10732 from microsoft/danmihai/minor-systemd-cleanup
rootfs: minor systemd file deletion cleanup
2025-01-23 11:29:25 -06:00
Fabiano Fidêncio
b47cc6fffe cri-containerd: Skip TestDeviceCgroup till it's adapted to cgroupsv2
As the devices controller works in a different way in cgroupsv2, the
"/sys/fs/cgroup/devices/devices.list" file simply doesn't exist.

For now, let's skip the test till the test maintainer decides to
re-enable it for cgroupsv2.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
Fabiano Fidêncio
0626d7182a tests: k8s-cpu-ns: Adapt to cgroupsv2
The changes done are:
* cpu/cpu.shares was replaced by cpu.weight
  * The weight, according to our reference[0], is calculated by:
    weight = (1 + ((request - 2) * 9999) / 262142)

* cpu/cpu.cfs_quota_us & cpu/cpu.cfs_period_us were replaced by cpu.max,
  where quota and period are written together (in this order)

[0]: https://github.com/containers/crun/blob/main/crun.1.md#cgroup-v2

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
Fabiano Fidêncio
4307f0c998 Revert "ci: mariner: Ensure kernel_params can be set"
This reverts commit 091ad2a1b2, in order
to ensure tests would be running with cgroupsv2 on the guest.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
Fabiano Fidêncio
c653719270 kernel: Ensure no cgroupsv1 is used
Let's ensure that we're fully running the guest on cgroupsv2.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 17:25:56 +01:00
stevenhorsman
d031e479ab metrics: Increase minval range for blogbench test
In the last couple of days I've seen the blogbench
metrics write latency test on clh fail a few times because
the latency was too low, so adjust the minimum range
to tolerate quicker finishes.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-23 15:58:31 +00:00
Fabiano Fidêncio
66d881a5da Merge pull request #10755 from fidencio/topic/ensure-systemd-is-used-as-init-for-coco-cases
rootfs-confidential: Ensure systemd is used as init
2025-01-23 15:25:24 +01:00
stevenhorsman
3acce82c91 ci: Update gatekeeper tests for static workflow
The static-checks targets are `pull_request`, so
they can run the PR workflow version, so we want to
update the required-tests.yaml so that static-check
workflow changes do trigger static checks in order
to test them properly.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-23 14:23:09 +00:00
stevenhorsman
d625f20d18 workflows: Move arm static checks runner
Now we have the build-assets running on the gh-hosted
runners, try the same approach for the static-checks

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-23 14:23:09 +00:00
Zvonko Kaiser
a23d6a1241 Merge pull request #10777 from zvonkok/arm64-nvidia-gpu-kernel
gpu: Fix arm64 kernel build
2025-01-23 07:14:30 -05:00
Christophe de Dinechin
9a92a4bacf cli: Remove shebang in non-executable completion script
Raised during package review [1] by rpmlint

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1590425#c8

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-01-23 13:11:25 +01:00
Fabiano Fidêncio
734ef71cf7 tests: k8s: confidential: Cleanup $HOME/.ssh/known_hosts
I've noticed the following error when running the tests with SEV:
```
2025-01-21T17:10:28.7999896Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8000614Z # @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
2025-01-21T17:10:28.8001217Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8001857Z # IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
2025-01-21T17:10:28.8003009Z # Someone could be eavesdropping on you right now (man-in-the-middle attack)!
2025-01-21T17:10:28.8003348Z # It is also possible that a host key has just been changed.
2025-01-21T17:10:28.8004422Z # The fingerprint for the ED25519 key sent by the remote host is
2025-01-21T17:10:28.8005019Z # SHA256:x7wF8zI+LLyiwphzmUhqY12lrGY4gs5qNCD81f1Cn1E.
2025-01-21T17:10:28.8005459Z # Please contact your system administrator.
2025-01-21T17:10:28.8006734Z # Add correct host key in /home/kata/.ssh/known_hosts to get rid of this message.
2025-01-21T17:10:28.8007031Z # Offending ED25519 key in /home/kata/.ssh/known_hosts:178
2025-01-21T17:10:28.8007254Z #   remove with:
2025-01-21T17:10:28.8008172Z #   ssh-keygen -f "/home/kata/.ssh/known_hosts" -R "10.244.0.71"
```

And this was causing a failure to ssh into the confidential pod.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Fabiano Fidêncio
18137b1583 tests: k8s: confidential: Increase log_buf_len to 4M
Relying on dmesg is really not ideal, as we may lose important info,
mainly those which happen very early in the boot, depending on the size
of kernel ring buffer.

So, for this specific test, let's increase the kernel ring buffer, by
default, to 4M.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Fabiano Fidêncio
d5f907dcf1 rootfs-confidential: Ensure systemd is used as init
Let's make sure that we don't use Kata Containers' agent as init for the
Confidential related rootfses*, as we don't want to increase the agent's
complexity for no reason ... mainly when we can rely on a proper init
system.

*:
- images already used systemd as init
- initrds are now using systemd as init

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
dependabot[bot]
d2cb14cdbc build(deps): bump the go_modules group across 3 directories with 1 update
Bumps the go_modules group with 1 update in the /src/runtime directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /src/tools/csi-kata-directvolume directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /tools/testing/kata-webhook directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.25.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

Updates `golang.org/x/net` from 0.23.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

Updates `golang.org/x/net` from 0.23.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-23 10:18:22 +00:00
Fupan Li
944eb2cf3f Merge pull request #10762 from teawater/remove_enable_swap
libs/kata-types: Remove config enable_swap
2025-01-23 14:03:42 +08:00
Fupan Li
ebd8ec227b Merge pull request #10778 from zvonkok/kata-agent-cgroupsV2
agent: Ensure proper cgroupsV2 handling with init_mode=true
2025-01-23 14:00:13 +08:00
Zvonko Kaiser
afd286f6d6 agent: Ensure proper cgroupsV2 with init_mode=yes
When the agent is run as the init process cgroupfs is being
setup. In the case of cgroupsV1 we needed to enable the memory hiearchy
this is now per default enabled in cgroupsV2. Additionally the file
/sys/fs/cgroup/memory/memory.use_hierarchy isn't even available with V2.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-23 03:54:51 +00:00
Fabiano Fidêncio
3f8abb4da7 Merge pull request #10776 from kata-containers/topic/arm64-runners
workflows: Switch to github-hosted arm runners
2025-01-22 23:14:28 +01:00
Zvonko Kaiser
91c6d524f8 gpu: Fix arm64 kernel build
CONFIG_IOASID (not configurable) in newer kernels.
Removing it.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-22 18:15:57 +00:00
Fabiano Fidêncio
6baa60d77d Merge pull request #10775 from fidencio/topic/update-ttrpc-crate
agent: Update ttrpc to include the fix for connectivity issues
2025-01-22 17:45:38 +01:00
stevenhorsman
ab27e11d31 workflows: Switch to github-hosted arm runner
Now that gituhb have hosted arm runners
https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
we should try and switch our arm64 builder jobs to
run on these.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-22 16:27:17 +00:00
Greg Kurz
90b6d5725b Merge pull request #10773 from RuoqingHe/retry-on-aks-throttle
ci: Retry on failure of Create AKS cluster
2025-01-22 15:30:57 +01:00
Ruoqing He
373a388844 ci: Retry on failure of Create AKS cluster
The `Create AKS cluster` step in `run-k8s-tests-on-aks.yaml` is likely
to fail fail since we are trying to issue `PUT` to `aks` in a relatively
high frequency, while the `aks` end has it's limit on `bucket-size` and
`refill-rate`, documented here [1].

Use `nick-fields/retry@v3` to retry in 10 seconds after request fail,
based on observations that AKS were request 7, or 8 second delays
before retry as part of their 429 response

[1] https://learn.microsoft.com/en-us/azure/aks/quotas-skus-regions#throttling-limits-on-aks-resource-provider-apis

Fixes: #10772

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-22 13:24:51 +00:00
Fabiano Fidêncio
a8678a7794 deps: Update ttrpc to v0.8.4
Update the ttrpc crate to include the fix from Moritz Sanft, which
solves the connectivity issues with 6.12.x kernels*

*: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.12.9&id=3257813a3ae7462ac5cde04e120806f0c0776850

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-22 13:05:43 +01:00
Fabiano Fidêncio
e71bc1f068 Merge pull request #10770 from zvonkok/gpu_kernel_dep
gpu: Add kernel dep for the non coco use-case
2025-01-22 12:53:39 +01:00
Greg Kurz
17d053f4bb Merge pull request #10711 from teawater/balloon
Add reclaim_guest_freed_memory config to qemu and cloud-hypervisor
2025-01-22 10:57:13 +01:00
Hui Zhu
c148b70da7 libs/kata-types: Remove config enable_swap
Remove config enable_swap because there is no code use it.

Fixes: #10761

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-01-22 11:08:45 +08:00
Aurélien Bombo
4e9d1363b3 Merge pull request #10754 from sprt/sprt/ci-gh-pr-number-coco
ci: Unify on `$GH_PR_NUMBER` environment variable
2025-01-21 15:07:24 -06:00
Zvonko Kaiser
4621f53e4a gpu: Add kernel dep for the non coco use-case
Add the kernel dependency to the non coco use-case
so that a rootfs build can be executed via GHA.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-21 16:18:14 +00:00
Zvonko Kaiser
61c282c725 Merge pull request #10769 from kata-containers/revert-10764-gpu_ci_cd
Revert "gpu: Add rootfs target amd64/arm64"
2025-01-21 11:09:52 -05:00
Zvonko Kaiser
9fd430e46b Revert "gpu: Add rootfs target amd64/arm64"
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-21 16:08:30 +00:00
Zvonko Kaiser
ef1639b6bf Merge pull request #10764 from zvonkok/gpu_ci_cd
gpu: Add rootfs target amd64/arm64
2025-01-21 09:51:20 -05:00
Ruoqing He
7e76ef587a virtiofsd: Enable build for RISC-V
With this change, `virtiofsd` (gnu target) could be built and then to be
used with other components.

Depends: #10741
Fixes: #10739

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-01-21 18:05:37 +08:00
Hui Zhu
185b94b7fa runtime-rs: Add reclaim_guest_freed_memory cloud-hypervisor support
Add reclaim_guest_freed_memory config to cloud-hypervisor in runtime-rs.

Fixes: #10710

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-01-21 10:34:21 +08:00
Hui Zhu
487171d992 runtime-rs: Add reclaim_guest_freed_memory qemu support
Add reclaim_guest_freed_memory config to qemu in runtime-rs.

Fixes: #10710

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-01-21 10:34:18 +08:00
Hui Zhu
8f550de88a runtime-rs: db: Change config enable_balloon_f_reporting
Change config enable_balloon_f_reporting of db to
reclaim_guest_freed_memory.

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-01-21 10:34:08 +08:00
Hui Zhu
42f5ef9ff1 kernel: config: Add CONFIG_VIRTIO_BALLOON to virtio.conf
Add CONFIG_VIRTIO_BALLOON to virtio.conf to open virtio-balloon.

Fixes: #10710

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-01-21 10:34:04 +08:00
Zvonko Kaiser
8b097244e7 gpu: Add rootfs initrd build for arm64
We need the arm64 builds as well for GH and GB systems.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-20 19:03:52 +00:00
Zvonko Kaiser
f525631522 gpu: Add rootfs target amd64
Adding the initrd build first to get the rootfs on amd64.
With that we can start to add tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-20 19:01:42 +00:00
Zvonko Kaiser
d7059e9024 Merge pull request #10736 from zvonkok/gpu-rootfs-fix
gpu: Fix rootfs build
2025-01-17 14:44:41 -05:00
Aurélien Bombo
0d70dc31c1 ci: Unify on $GH_PR_NUMBER environment variable
While working on #10559, I realized that some parts of the codebase use
$GH_PR_NUMBER, while other parts use $PR_NUMBER.

Notably, in that PR, since I used $GH_PR_NUMBER for CoCo non-TEE tests
without realizing that TEE tests use $PR_NUMBER, the tests on that PR
fail on TEEs:

https://github.com/kata-containers/kata-containers/actions/runs/12818127344/job/35744760351?pr=10559#step:10:45

  ...
  44      error: error parsing STDIN: error converting YAML to JSON: yaml: line 90: mapping values are not allowed in this context
  ...
  135               image: ghcr.io/kata-containers/csi-kata-directvolume:
  ...

So let's unify on $GH_PR_NUMBER so that this issue doesn't repro in the
future: I replaced all instances of PR_NUMBER with GH_PR_NUMBER.

Note that since some test scripts also refer to that variable, the CI
for this PR will fail (would have also happened with the converse
substitution), hence I'm not adding the ok-to-test label and we should
force-merge this after review.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-01-17 10:53:08 -06:00
Fabiano Fidêncio
c018a1cc61 Merge pull request #10741 from RuoqingHe/update-virtiofsd-build-image
virtiofsd: Update ubuntu to 22.04 for gnu target
2025-01-16 20:51:10 +01:00
Ruoqing He
c70195d629 virtiofsd: Update ubuntu to 22.04 for gnu target
With ubuntu 20.04 image, virtiofsd gnu target couldn't be built due to
"unsupported ISA subset z" reported by "cc".

Updating to ubuntu 22.04 image addresses this problem.

Relates: #10739

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-01-16 17:27:38 +08:00
Zvonko Kaiser
f0bd83b073 gpu: Fix rootfs build
The pyinstaller is located per default under /usr/local/bin
some prior versions were installing it to ${HOME}.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-01-15 20:37:51 +00:00
Dan Mihai
c4da296326 rootfs: delete links to deleted files
Delete symbolic links to files being deleted.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-01-13 21:28:44 +00:00
Dan Mihai
5b8471ffce rootfs: print the path to files being deleted
Show the list of files being deleted.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-01-13 21:28:34 +00:00
Dan Mihai
a49d0fb343 rootfs: delete systemd units/files from rootfs.sh
Move the deletion of unnecessary systemd units and files from
image_builder.sh into rootfs.sh.

The files being deleted can be applicable to other image file formats
too, not just to the rootfs-image format created by image_builder.sh.

Also, image_builder.sh was deleting these files *after* it calculated
the size of the rootfs files, thus missing out on the opportunity to
possibly create a smaller image file.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-01-13 21:28:23 +00:00
337 changed files with 9418 additions and 2842 deletions

View File

@@ -7,7 +7,7 @@
self-hosted-runner:
# Labels of self-hosted runner that linter should ignore
labels:
- arm64-builder
- ubuntu-22.04-arm
- garm-ubuntu-2004
- garm-ubuntu-2004-smaller
- garm-ubuntu-2204
@@ -21,5 +21,4 @@ self-hosted-runner:
- sev-snp
- s390x
- s390x-large
- tdx-no-attestation
- tdx-attestation
- tdx

View File

@@ -56,6 +56,51 @@ jobs:
timeout-minutes: 10
run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-sandboxapi:
strategy:
# We can set this to true whenever we're 100% sure that
# the all the tests are not flaky, otherwise we'll fail
# all the tests due to a single flaky instance.
fail-fast: false
matrix:
containerd_version: ['latest']
vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
#the latest containerd from 2.0 need to set the CGROUP_DRIVER for e2e testing
CGROUP_DRIVER: ""
SANDBOXER: "shim"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
- name: Run containerd-sandboxapi tests
timeout-minutes: 10
run: bash tests/integration/cri-containerd/gha-run.sh run
run-containerd-stability:
strategy:
fail-fast: false
@@ -67,6 +112,7 @@ jobs:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "podsandbox"
steps:
- uses: actions/checkout@v4
with:

View File

@@ -34,6 +34,7 @@ jobs:
asset:
- agent
- agent-ctl
- busybox
- cloud-hypervisor
- cloud-hypervisor-glibc
- coco-guest-components
@@ -136,6 +137,15 @@ jobs:
retention-days: 15
if-no-files-found: error
- name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-rootfs:
runs-on: ubuntu-22.04
needs: build-asset
@@ -147,6 +157,8 @@ jobs:
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
- rootfs-nvidia-gpu-initrd
- rootfs-nvidia-gpu-confidential-initrd
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -207,9 +219,24 @@ jobs:
strategy:
matrix:
asset:
- agent
- busybox
- coco-guest-components
- kernel-nvidia-gpu-headers
- kernel-nvidia-gpu-confidential-headers
- pause-image
steps:
- uses: geekyeggo/delete-artifact@v5
with:
name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts-for-release:
runs-on: ubuntu-22.04
needs: build-asset-rootfs
strategy:
matrix:
asset:
- agent
steps:
- uses: geekyeggo/delete-artifact@v5
if: ${{ inputs.stage == 'release' }}
@@ -218,7 +245,7 @@ jobs:
build-asset-shim-v2:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}

View File

@@ -23,19 +23,28 @@ on:
jobs:
build-asset:
runs-on: arm64-builder
runs-on: ubuntu-22.04-arm
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
asset:
- agent
- busybox
- cloud-hypervisor
- firecracker
- kernel
- kernel-dragonball-experimental
- kernel-nvidia-gpu
- nydus
- qemu
- stratovirt
- virtiofsd
env:
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -72,6 +81,34 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Parse OCI image name and digest
id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
run: |
oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
# for pushing attestations to the registry
- uses: docker/login-action@v3
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
@@ -80,14 +117,24 @@ jobs:
retention-days: 15
if-no-files-found: error
- name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-rootfs:
runs-on: arm64-builder
runs-on: ubuntu-22.04-arm
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-initrd
- rootfs-nvidia-gpu-initrd
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -142,7 +189,21 @@ jobs:
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts:
runs-on: ubuntu-22.04
runs-on: ubuntu-22.04-arm
needs: build-asset-rootfs
strategy:
matrix:
asset:
- busybox
- kernel-nvidia-gpu-headers
steps:
- uses: geekyeggo/delete-artifact@v5
with:
name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts-for-release:
runs-on: ubuntu-22.04-arm
needs: build-asset-rootfs
strategy:
matrix:
@@ -155,8 +216,8 @@ jobs:
name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
build-asset-shim-v2:
runs-on: arm64-builder
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -210,13 +271,9 @@ jobs:
if-no-files-found: error
create-kata-tarball:
runs-on: arm64-builder
runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- name: Adjust a permission for repo
run: |
sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}

View File

@@ -18,7 +18,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.22.2
go-version: 1.22.11
- name: Checkout code
uses: actions/checkout@v4
- name: Build utils

View File

@@ -14,7 +14,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: 1.22.2
go-version: 1.22.11
env:
GOPATH: ${{ github.workspace }}/kata-containers
- name: Set env

View File

@@ -29,7 +29,7 @@ jobs:
TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
PR_NUMBER: ${{ github.event.pull_request.number }}
GH_PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
#!/usr/bin/env bash -x
mapfile -t lines < <(python3 tools/testing/gatekeeper/skips.py -t)

View File

@@ -24,12 +24,8 @@ on:
jobs:
kata-payload:
runs-on: arm64-builder
runs-on: ubuntu-22.04-arm
steps:
- name: Adjust a permission for repo
run: |
sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}

View File

@@ -16,7 +16,7 @@ jobs:
kata-deploy:
needs: build-kata-static-tarball-arm64
runs-on: arm64-builder
runs-on: ubuntu-22.04-arm
steps:
- name: Login to Kata Containers docker.io
uses: docker/login-action@v3

View File

@@ -103,8 +103,13 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh create-cluster
uses: nick-fields/retry@v3
with:
timeout_minutes: 15
max_attempts: 20
retry_on: error
retry_wait_seconds: 10
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats

View File

@@ -49,7 +49,7 @@ jobs:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }}
KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime != 'crio' && '' || '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' }}
@@ -105,4 +105,5 @@ jobs:
- name: Delete kata-deploy
if: always()
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh cleanup

View File

@@ -36,7 +36,7 @@ jobs:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }}

View File

@@ -64,7 +64,6 @@ jobs:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HOST_OS: "ubuntu"
KATA_HYPERVISOR: ${{ matrix.vmm }}

View File

@@ -87,8 +87,13 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh create-cluster
uses: nick-fields/retry@v3
with:
timeout_minutes: 15
max_attempts: 20
retry_on: error
retry_wait_seconds: 10
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats

View File

@@ -36,25 +36,17 @@ jobs:
- nydus
pull-type:
- guest-pull
k8s-test-host-type:
- baremetal-attestation
- baremetal-no-attestation
include:
- k8s-test-host-type: baremetal-attestation
machine: tdx-attestation
- k8s-test-host-type: baremetal-no-attestation
machine: tdx-no-attestation
runs-on: ${{ matrix.machine }}
runs-on: tdx
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla"
USING_NFD: "true"
KBS: "true"
K8S_TEST_HOST_TYPE: ${{ matrix.k8s-test-host-type }}
K8S_TEST_HOST_TYPE: "baremetal"
KBS_INGRESS: "nodeport"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
@@ -83,17 +75,14 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
- name: Uninstall previous `kbs-client`
if: ${{ matrix.machine != 'tdx-no-attestation' }}
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Deploy CoCo KBS
if: ${{ matrix.machine != 'tdx-no-attestation' }}
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
if: ${{ matrix.machine != 'tdx-no-attestation' }}
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
@@ -114,79 +103,14 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete CoCo KBS
if: ${{ always() && matrix.machine != 'tdx-no-attestation' }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
run-k8s-tests-on-sev:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-sev
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: sev
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBECONFIG: /home/kata/.kube/config
KUBERNETES: "vanilla"
USING_NFD: "false"
K8S_TEST_HOST_TYPE: "baremetal"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-sev
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests
timeout-minutes: 50
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-sev
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# AMD has deprecated SEV support on Kata and henceforth SNP will be the only feature supported for Kata Containers.
run-k8s-tests-sev-snp:
strategy:
fail-fast: false
@@ -202,7 +126,7 @@ jobs:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBECONFIG: /home/kata/.kube/config
KUBERNETES: "vanilla"
@@ -333,8 +257,13 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh create-cluster
uses: nick-fields/retry@v3
with:
timeout_minutes: 15
max_attempts: 20
retry_on: error
retry_wait_seconds: 10
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats

View File

@@ -71,8 +71,13 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
timeout-minutes: 10
run: bash tests/functional/kata-deploy/gha-run.sh create-cluster
uses: nick-fields/retry@v3
with:
timeout_minutes: 15
max_attempts: 20
retry_on: error
retry_wait_seconds: 10
command: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats`
run: bash tests/functional/kata-deploy/gha-run.sh install-bats
@@ -85,7 +90,7 @@ jobs:
- name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Delete AKS cluster
if: always()
run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster

View File

@@ -43,7 +43,7 @@ jobs:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
PR_NUMBER: ${{ inputs.pr-number }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"

29
.github/workflows/shellcheck.yaml vendored Normal file
View File

@@ -0,0 +1,29 @@
# https://github.com/marketplace/actions/shellcheck
name: Check shell scripts
on:
workflow_dispatch:
pull_request:
types:
- opened
- edited
- reopened
- synchronize
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
shellcheck:
runs-on: ubuntu-24.04
steps:
- name: Checkout the code
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master

View File

@@ -26,7 +26,7 @@ jobs:
fail-fast: false
matrix:
instance:
- "arm-no-k8s"
- "ubuntu-22.04-arm"
- "s390x"
- "ppc64le"
uses: ./.github/workflows/build-checks.yaml

View File

@@ -1 +1 @@
3.13.0
3.14.0

View File

@@ -79,8 +79,8 @@ list_issues_for_pr()
# "<git-commit> <git-commit-msg>"
#
local issues=$(echo "$commits" |\
egrep -v "^( | )" |\
egrep -i "fixes:* *(#*[0-9][0-9]*)" |\
grep -v -E "^( | )" |\
grep -i -E "fixes:* *(#*[0-9][0-9]*)" |\
tr ' ' '\n' |\
grep "[0-9][0-9]*" |\
sed 's/[.,\#]//g' |\

View File

@@ -29,7 +29,7 @@ function verify_yq_exists() {
# Install via binary download, as we may not have golang installed at this point
function install_yq() {
local yq_pkg="github.com/mikefarah/yq"
local yq_version=v4.40.7
local yq_version=v4.44.5
local precmd=""
local yq_path=""
INSTALL_IN_GOPATH=${INSTALL_IN_GOPATH:-true}
@@ -82,6 +82,9 @@ function install_yq() {
goarch=arm64
fi
;;
"riscv64")
goarch=riscv64
;;
"ppc64le")
goarch=ppc64le
;;

View File

@@ -198,7 +198,7 @@ it stores. When messages are suppressed, it is noted in the logs. This can be ch
for by looking for those notifications, such as:
```bash
$ sudo journalctl --since today | fgrep Suppressed
$ sudo journalctl --since today | grep -F Suppressed
Jun 29 14:51:17 mymachine systemd-journald[346]: Suppressed 4150 messages from /system.slice/docker.service
```
@@ -268,7 +268,7 @@ to install `libseccomp` for the agent.
```bash
$ mkdir -p ${seccomp_install_path} ${gperf_install_path}
$ pushd kata-containers/ci
$ pushd kata-containers/ci
$ script -fec 'sudo -E ./install_libseccomp.sh ${seccomp_install_path} ${gperf_install_path}"'
$ export LIBSECCOMP_LIB_PATH="${seccomp_install_path}/lib"
$ popd

View File

@@ -10,7 +10,19 @@ To run Kata Containers in SNP-VMs, the following software stack is used.
![Kubernetes integration with shimv2](./images/SNP-stack.svg)
The host BIOS and kernel must be capable of supporting AMD SEV-SNP and configured accordingly. For Kata Containers, the host kernel with branch [`sev-snp-iommu-avic_5.19-rc6_v3`](https://github.com/AMDESE/linux/tree/sev-snp-iommu-avic_5.19-rc6_v3) and commit [`3a88547`](https://github.com/AMDESE/linux/commit/3a885471cf89156ea555341f3b737ad2a8d9d3d0) is known to work in conjunction with SEV Firmware version 1.51.3 (0xh\_1.33.03) available on AMD's [SEV developer website](https://developer.amd.com/sev/). See [AMD's guide](https://github.com/AMDESE/AMDSEV/tree/sev-snp-devel) to configure the host accordingly. Verify that you are able to run SEV-SNP encrypted VMs first. The guest components required for Kata Containers are built as described below.
The host BIOS and kernel must be capable of supporting AMD SEV-SNP and the host must be configured accordingly.
The latest SEV Firmware version is available on AMD's [SEV Developer Webpage](https://www.amd.com/en/developer/sev.html). It can also be updated via a platform OEM BIOS update.
The host kernel must be equal to or later than upstream version [6.11](https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.11.tar.xz).
[`sev-utils`](https://github.com/amd/sev-utils/blob/coco-202501150000/docs/snp.md) is an easy way to install the required host kernel with the `setup-host` command. However, it will also build compatible guest kernel, OVMF, and QEMU components which are not necessary as these components are packaged with kata. The `sev-utils` script utility can be used with these additional components to test the memory encrypted launch and attestation of a base QEMU SNP guest.
For a simplified way to build just the upstream compatible host kernel, use the Confidential Containers fork of [AMDESE AMDSEV](https://github.com/confidential-containers/amdese-amdsev/tree/amd-snp-202501150000). Individual components can be built by running the following command:
```
./build.sh kernel host --install
```
**Tip**: It is easiest to first have Kata Containers running on your system and then modify it to run containers in SNP-VMs. Follow the [Developer guide](../Developer-Guide.md#warning) and then follow the below steps. Nonetheless, you can just follow this guide from the start.

View File

@@ -98,7 +98,7 @@ a number larger than `0` if you have either of the `vmx` or `svm` nested virtual
available:
```sh
$ minikube ssh "egrep -c 'vmx|svm' /proc/cpuinfo"
$ minikube ssh "grep -c -E 'vmx|svm' /proc/cpuinfo"
```
## Installing Kata Containers
@@ -122,8 +122,8 @@ and will be executing a `sleep infinity` once it has successfully completed its
You can accomplish this by running the following:
```sh
$ podname=$(kubectl -n kube-system get pods -o=name | fgrep kata-deploy | sed 's?pod/??')
$ kubectl -n kube-system exec ${podname} -- ps -ef | fgrep infinity
$ podname=$(kubectl -n kube-system get pods -o=name | grep -F kata-deploy | sed 's?pod/??')
$ kubectl -n kube-system exec ${podname} -- ps -ef | grep -F infinity
```
> *NOTE:* This check only works for single node clusters, which is the default for Minikube.
@@ -197,7 +197,7 @@ $ minikube ssh -- uname -a
And then compare that against the kernel that is running inside the container:
```sh
$ podname=$(kubectl get pods -o=name | fgrep php-apache-kata-qemu | sed 's?pod/??')
$ podname=$(kubectl get pods -o=name | grep -F php-apache-kata-qemu | sed 's?pod/??')
$ kubectl exec ${podname} -- uname -a
```

View File

@@ -2,13 +2,13 @@
# Introduction
Intel® QuickAssist Technology (QAT) provides hardware acceleration
for security (cryptography) and compression. These instructions cover the
steps for the latest [Ubuntu LTS release](https://ubuntu.com/download/desktop)
which already include the QAT host driver. These instructions can be adapted to
any Linux distribution. These instructions guide the user on how to download
the kernel sources, compile kernel driver modules against those sources, and
load them onto the host as well as preparing a specially built Kata Containers
Intel® QuickAssist Technology (QAT) provides hardware acceleration
for security (cryptography) and compression. These instructions cover the
steps for the latest [Ubuntu LTS release](https://ubuntu.com/download/desktop)
which already include the QAT host driver. These instructions can be adapted to
any Linux distribution. These instructions guide the user on how to download
the kernel sources, compile kernel driver modules against those sources, and
load them onto the host as well as preparing a specially built Kata Containers
kernel and custom Kata Containers rootfs.
* Download kernel sources
@@ -16,7 +16,7 @@ kernel and custom Kata Containers rootfs.
* Compile kernel driver modules against those sources
* Download rootfs
* Add driver modules to rootfs
* Build rootfs image
* Build rootfs image
## Helpful Links before starting
@@ -35,8 +35,8 @@ reboot, and some steps to complete when the host kernel changes.
## Script variables
The following list of variables must be set before running through the
scripts. These variables refer to locations to store modules and configuration
The following list of variables must be set before running through the
scripts. These variables refer to locations to store modules and configuration
files on the host and links to the drivers to use. Modify these as
needed to point to updated drivers or different install locations.
@@ -58,9 +58,9 @@ $ export KATA_ROOTFS_LOCATION=~/kata
## Prepare the Ubuntu Host
The host could be a bare metal instance or a virtual machine. If using a
virtual machine, make sure that KVM nesting is enabled. The following
instructions reference an Intel® C62X chipset. Some of the instructions must be
The host could be a bare metal instance or a virtual machine. If using a
virtual machine, make sure that KVM nesting is enabled. The following
instructions reference an Intel® C62X chipset. Some of the instructions must be
modified if using a different Intel® QAT device. The Intel® QAT chipset can be
identified by executing the following.
@@ -74,7 +74,7 @@ $ for i in 0434 0435 37c8 1f18 1f19; do lspci -d 8086:$i; done
These packages are necessary to compile the Kata kernel, Intel® QAT driver, and to
prepare the rootfs for Kata. [Docker](https://docs.docker.com/engine/install/ubuntu/)
also needs to be installed to be able to build the rootfs. To test that
also needs to be installed to be able to build the rootfs. To test that
everything works a Kubernetes pod is started requesting Intel® QAT resources. For the
pass through of the virtual functions the kernel boot parameter needs to have
`INTEL_IOMMU=on`.
@@ -89,7 +89,7 @@ $ sudo reboot
### Download Intel® QAT drivers
This will download the [Intel® QAT drivers](https://www.intel.com/content/www/us/en/developer/topic-technology/open/quick-assist-technology/overview.html).
This will download the [Intel® QAT drivers](https://www.intel.com/content/www/us/en/developer/topic-technology/open/quick-assist-technology/overview.html).
Make sure to check the website for the latest version.
```bash
@@ -100,13 +100,13 @@ $ curl -L $QAT_DRIVER_URL | tar zx
### Copy Intel® QAT configuration files and enable virtual functions
Modify the instructions below as necessary if using a different Intel® QAT hardware
platform. You can learn more about customizing configuration files at the
Modify the instructions below as necessary if using a different Intel® QAT hardware
platform. You can learn more about customizing configuration files at the
[Intel® QAT Engine repository](https://github.com/intel/QAT_Engine/#copy-the-correct-intel-quickassist-technology-driver-config-files)
This section starts from a base config file and changes the `SSL` section to
This section starts from a base config file and changes the `SSL` section to
`SHIM` to support the OpenSSL engine. There are more tweaks that you can make
depending on the use case and how many Intel® QAT engines should be run. You
can find more information about how to customize in the
can find more information about how to customize in the
[Intel® QuickAssist Technology Software for Linux* - Programmer's Guide.](https://www.intel.com/content/www/us/en/content-details/709196/intel-quickassist-technology-api-programmer-s-guide.html)
> **Note: This section assumes that a Intel® QAT `c6xx` platform is used.**
@@ -119,16 +119,16 @@ $ sed -i 's/\[SSL\]/\[SHIM\]/g' $QAT_CONF_LOCATION/c6xxvf_dev0.conf
### Expose and Bind Intel® QAT virtual functions to VFIO-PCI (Every reboot)
To enable virtual functions, the host OS should have IOMMU groups enabled. In
the UEFI Firmware Intel® Virtualization Technology for Directed I/O
(Intel® VT-d) must be enabled. Also, the kernel boot parameter should be
To enable virtual functions, the host OS should have IOMMU groups enabled. In
the UEFI Firmware Intel® Virtualization Technology for Directed I/O
(Intel® VT-d) must be enabled. Also, the kernel boot parameter should be
`intel_iommu=on` or `intel_iommu=ifgx_off`. This should have been set from
the instructions above. Check the output of `/proc/cmdline` to confirm. The
the instructions above. Check the output of `/proc/cmdline` to confirm. The
following commands assume you installed an Intel® QAT card, IOMMU is on, and
VT-d is enabled. The vendor and device ID add to the `VFIO-PCI` driver so that
each exposed virtual function can be bound to the `VFIO-PCI` driver. Once
complete, each virtual function passes into a Kata Containers container using
the PCIe device passthrough feature. For Kubernetes, the
the PCIe device passthrough feature. For Kubernetes, the
[Intel device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes)
for Kubernetes handles the binding of the driver, but the VFs still must be
enabled.
@@ -155,10 +155,10 @@ $ for f in /sys/bus/pci/devices/0000:$QAT_PCI_BUS_PF_1/virtfn*
### Check Intel® QAT virtual functions are enabled
If the following command returns empty, then the virtual functions are not
properly enabled. This command checks the enumerated device IDs for just the
virtual functions. Using the Intel® QAT as an example, the physical device ID
is `37c8` and virtual function device ID is `37c9`. The following command checks
If the following command returns empty, then the virtual functions are not
properly enabled. This command checks the enumerated device IDs for just the
virtual functions. Using the Intel® QAT as an example, the physical device ID
is `37c8` and virtual function device ID is `37c9`. The following command checks
if VF's are enabled for any of the currently known Intel® QAT device ID's. The
following `ls` command should show the 16 VF's bound to `VFIO-PCI`.
@@ -182,7 +182,7 @@ follows the instructions from the
[packaging kernel repository](../../tools/packaging/kernel)
and uses the latest Kata kernel
[config](../../tools/packaging/kernel/configs).
There are some patches that must be installed as well, which the
There are some patches that must be installed as well, which the
`build-kernel.sh` script should automatically apply. If you are using a
different kernel version, then you might need to manually apply them. Since
the Kata Containers kernel has a minimal set of kernel flags set, you must
@@ -228,17 +228,17 @@ $ cp ${GOPATH}/${LINUX_VER}/vmlinux ${KATA_KERNEL_LOCATION}/${KATA_KERNEL_NAME}
### Prepare Kata root filesystem
These instructions build upon the OS builder instructions located in the
These instructions build upon the OS builder instructions located in the
[Developer Guide](../Developer-Guide.md). At this point it is recommended that
[Docker](https://docs.docker.com/engine/install/ubuntu/) is installed first, and
then [Kata-deploy](../../tools/packaging/kata-deploy)
is use to install Kata. This will make sure that the correct `agent` version
is use to install Kata. This will make sure that the correct `agent` version
is installed into the rootfs in the steps below.
The following instructions use Ubuntu as the root filesystem with systemd as
the init and will add in the `kmod` binary, which is not a standard binary in
a Kata rootfs image. The `kmod` binary is necessary to load the Intel® QAT
kernel modules when the virtual machine rootfs boots.
The following instructions use Ubuntu as the root filesystem with systemd as
the init and will add in the `kmod` binary, which is not a standard binary in
a Kata rootfs image. The `kmod` binary is necessary to load the Intel® QAT
kernel modules when the virtual machine rootfs boots.
```bash
$ export OSBUILDER=$GOPATH/src/github.com/kata-containers/kata-containers/tools/osbuilder
@@ -247,7 +247,7 @@ $ export EXTRA_PKGS='kmod'
```
Make sure that the `kata-agent` version matches the installed `kata-runtime`
version. Also make sure the `kata-runtime` install location is in your `PATH`
version. Also make sure the `kata-runtime` install location is in your `PATH`
variable. The following `AGENT_VERSION` can be set manually to match
the `kata-runtime` version if the following commands don't work.
@@ -262,10 +262,10 @@ $ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true SECCOMP=no ./rootfs.sh ubu
### Compile Intel® QAT drivers for Kata Containers kernel and add to Kata Containers rootfs
After the Kata Containers kernel builds with the proper configuration flags,
After the Kata Containers kernel builds with the proper configuration flags,
you must build the Intel® QAT drivers against that Kata Containers kernel
version in a similar way they were previously built for the host OS. You must
set the `KERNEL_SOURCE_ROOT` variable to the Kata Containers kernel source
version in a similar way they were previously built for the host OS. You must
set the `KERNEL_SOURCE_ROOT` variable to the Kata Containers kernel source
directory and build the Intel® QAT drivers again. The `make` command will
install the Intel® QAT modules into the Kata rootfs.
@@ -284,16 +284,16 @@ $ sudo -E make INSTALL_MOD_PATH=$ROOTFS_DIR qat-driver-install -j $(nproc)
```
The `usdm_drv` module also needs to be copied into the rootfs modules path and
`depmod` should be run.
`depmod` should be run.
```bash
$ sudo cp $QAT_SRC/build/usdm_drv.ko $ROOTFS_DIR/lib/modules/${KERNEL_ROOTFS_DIR}/updates/drivers
$ sudo cp $QAT_SRC/build/usdm_drv.ko $ROOTFS_DIR/lib/modules/${KERNEL_ROOTFS_DIR}/updates/drivers
$ sudo depmod -a -b ${ROOTFS_DIR} ${KERNEL_ROOTFS_DIR}
$ cd ${OSBUILDER}/image-builder
$ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh ${ROOTFS_DIR}'
```
> **Note: Ignore any errors on modules.builtin and modules.order when running
> **Note: Ignore any errors on modules.builtin and modules.order when running
> `depmod`.**
### Copy Kata rootfs
@@ -305,17 +305,17 @@ $ cp ${OSBUILDER}/image-builder/kata-containers.img $KATA_ROOTFS_LOCATION
## Verify Intel® QAT works in a container
The following instructions uses a OpenSSL Dockerfile that builds the
Intel® QAT engine to allow OpenSSL to offload crypto functions. It is a
The following instructions uses a OpenSSL Dockerfile that builds the
Intel® QAT engine to allow OpenSSL to offload crypto functions. It is a
convenient way to test that VFIO device passthrough for the Intel® QAT VFs are
working properly with the Kata Containers VM.
### Build OpenSSL Intel® QAT engine container
Use the OpenSSL Intel® QAT [Dockerfile](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/demo/openssl-qat-engine)
to build a container image with an optimized OpenSSL engine for
Use the OpenSSL Intel® QAT [Dockerfile](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/demo/openssl-qat-engine)
to build a container image with an optimized OpenSSL engine for
Intel® QAT. Using `docker build` with the Kata Containers runtime can sometimes
have issues. Therefore, make sure that `runc` is the default Docker container
have issues. Therefore, make sure that `runc` is the default Docker container
runtime.
```bash
@@ -324,12 +324,12 @@ $ curl -O $QAT_DOCKERFILE
$ sudo docker build -t openssl-qat-engine .
```
> **Note: The Intel® QAT driver version in this container might not match the
> **Note: The Intel® QAT driver version in this container might not match the
> Intel® QAT driver compiled and loaded on the host when compiling.**
### Test Intel® QAT with the ctr tool
The `ctr` tool can be used to interact with the containerd daemon. It may be
The `ctr` tool can be used to interact with the containerd daemon. It may be
more convenient to use this tool to verify the kernel and image instead of
setting up a Kubernetes cluster. The correct Kata runtimes need to be added
to the containerd `config.toml`. Below is a sample snippet that can be added
@@ -350,7 +350,7 @@ to allow QEMU and Cloud Hypervisor (CLH) to work with `ctr`.
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-clh.toml"
```
In addition, containerd expects the binary to be in `/usr/local/bin` so add
In addition, containerd expects the binary to be in `/usr/local/bin` so add
this small script so that it redirects to be able to use either QEMU or
Cloud Hypervisor with Kata.
@@ -363,30 +363,30 @@ $ echo 'KATA_CONF_FILE=/opt/kata/share/defaults/kata-containers/configuration-cl
$ sudo chmod +x /usr/local/bin/containerd-shim-kata-clh-v2
```
After the OpenSSL image is built and imported into containerd, a Intel® QAT
virtual function exposed in the step above can be added to the `ctr` command.
Make sure to change the `/dev/vfio` number to one that actually exists on the
host system. When using the `ctr` tool, the`configuration.toml` for Kata needs
to point to the custom Kata kernel and rootfs built above and the Intel® QAT
modules in the Kata rootfs need to load at boot. The following steps assume that
`kata-deploy` was used to install Kata and QEMU is being tested. If using a
different hypervisor, different install method for Kata, or a different
Intel® QAT chipset then the command will need to be modified.
After the OpenSSL image is built and imported into containerd, a Intel® QAT
virtual function exposed in the step above can be added to the `ctr` command.
Make sure to change the `/dev/vfio` number to one that actually exists on the
host system. When using the `ctr` tool, the`configuration.toml` for Kata needs
to point to the custom Kata kernel and rootfs built above and the Intel® QAT
modules in the Kata rootfs need to load at boot. The following steps assume that
`kata-deploy` was used to install Kata and QEMU is being tested. If using a
different hypervisor, different install method for Kata, or a different
Intel® QAT chipset then the command will need to be modified.
> **Note: The following was tested with
> **Note: The following was tested with
[containerd v1.4.6](https://github.com/containerd/containerd/releases/tag/v1.4.6).**
```bash
$ config_file="/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
$ sudo sed -i "/kernel =/c kernel = "\"${KATA_ROOTFS_LOCATION}/${KATA_KERNEL_NAME}\""" $config_file
$ sudo sed -i "/image =/c image = "\"${KATA_KERNEL_LOCATION}/kata-containers.img\""" $config_file
$ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 modules-load=usdm_drv,qat_c62xvf"/g' $config_file
$ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 modules-load=usdm_drv,qat_c62xvf"/g' $config_file
$ sudo docker save -o openssl-qat-engine.tar openssl-qat-engine:latest
$ sudo ctr images import openssl-qat-engine.tar
$ sudo ctr run --runtime io.containerd.run.kata-qemu.v2 --privileged -t --rm --device=/dev/vfio/180 --mount type=bind,src=/dev,dst=/dev,options=rbind:rw --mount type=bind,src=${QAT_CONF_LOCATION}/c6xxvf_dev0.conf,dst=/etc/c6xxvf_dev0.conf,options=rbind:rw docker.io/library/openssl-qat-engine:latest bash
```
Below are some commands to run in the container image to verify Intel® QAT is
Below are some commands to run in the container image to verify Intel® QAT is
working
```sh
@@ -412,24 +412,24 @@ root@67561dc2757a/ # openssl engine -c -t qat-hw
### Test Intel® QAT in Kubernetes
Start a Kubernetes cluster with containerd as the CRI. The host should
already be setup with 16 virtual functions of the Intel® QAT card bound to
`VFIO-PCI`. Verify this by looking in `/dev/vfio` for a listing of devices.
You might need to disable Docker before initializing Kubernetes. Be aware
Start a Kubernetes cluster with containerd as the CRI. The host should
already be setup with 16 virtual functions of the Intel® QAT card bound to
`VFIO-PCI`. Verify this by looking in `/dev/vfio` for a listing of devices.
You might need to disable Docker before initializing Kubernetes. Be aware
that the OpenSSL container image built above will need to be exported from
Docker and imported into containerd.
If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/README.md)
there will be multiple `configuration.toml` files associated with different
hypervisors. Rather than add in the custom Kata kernel, Kata rootfs, and
there will be multiple `configuration.toml` files associated with different
hypervisors. Rather than add in the custom Kata kernel, Kata rootfs, and
kernel modules to each `configuration.toml` as the default, instead use
[annotations](../how-to/how-to-load-kernel-modules-with-kata.md)
in the Kubernetes YAML file to tell Kata which kernel and rootfs to use. The
in the Kubernetes YAML file to tell Kata which kernel and rootfs to use. The
easy way to do this is to use `kata-deploy` which will install the Kata binaries
to `/opt` and properly configure the `/etc/containerd/config.toml` with annotation
to `/opt` and properly configure the `/etc/containerd/config.toml` with annotation
support. However, the `configuration.toml` needs to enable support for
annotations as well. The following configures both QEMU and Cloud Hypervisor
`configuration.toml` files that are currently available with Kata Container
`configuration.toml` files that are currently available with Kata Container
versions 2.0 and higher.
```bash
@@ -446,15 +446,15 @@ $ sudo ctr -n=k8s.io images import openssl-qat-engine.tar
The [Intel® QAT Plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/blob/main/cmd/qat_plugin/README.md)
needs to be started so that the virtual functions can be discovered and
used by Kubernetes.
used by Kubernetes.
The following YAML file can be used to start a Kata container with Intel® QAT
support. If Kata is installed with `kata-deploy`, then the containerd
`configuration.toml` should have all of the Kata runtime classes already
populated and annotations supported. To use a Intel® QAT virtual function, the
Intel® QAT plugin needs to be started after the VF's are bound to `VFIO-PCI` as
described [above](#expose-and-bind-intel-qat-virtual-functions-to-vfio-pci-every-reboot).
Edit the following to point to the correct Kata kernel and rootfs location
support. If Kata is installed with `kata-deploy`, then the containerd
`configuration.toml` should have all of the Kata runtime classes already
populated and annotations supported. To use a Intel® QAT virtual function, the
Intel® QAT plugin needs to be started after the VF's are bound to `VFIO-PCI` as
described [above](#expose-and-bind-intel-qat-virtual-functions-to-vfio-pci-every-reboot).
Edit the following to point to the correct Kata kernel and rootfs location
built with Intel® QAT support.
```bash
@@ -497,7 +497,7 @@ spec:
EOF
```
Use `kubectl` to start the pod. Verify that Intel® QAT card acceleration is
Use `kubectl` to start the pod. Verify that Intel® QAT card acceleration is
working with the Intel® QAT engine.
```bash
$ kubectl apply -f kata-openssl-qat.yaml
@@ -531,14 +531,14 @@ $ ls /dev/vfio
* Check that the modules load when inside the Kata Container.
```sh
bash-5.0# egrep "qat|usdm_drv" /proc/modules
bash-5.0# grep -E "qat|usdm_drv" /proc/modules
qat_c62xvf 16384 - - Live 0x0000000000000000 (O)
usdm_drv 86016 - - Live 0x0000000000000000 (O)
intel_qat 184320 - - Live 0x0000000000000000 (O)
```
* Verify that at least the first `c6xxvf_dev0.conf` file mounts inside the
container image in `/etc`. You will need one configuration file for each VF
* Verify that at least the first `c6xxvf_dev0.conf` file mounts inside the
container image in `/etc`. You will need one configuration file for each VF
passed into the container.
```sh
@@ -548,10 +548,10 @@ c6xxvf_dev1.conf c6xxvf_dev12.conf c6xxvf_dev15.conf c6xxvf_dev4.conf c6xxv
c6xxvf_dev10.conf c6xxvf_dev13.conf c6xxvf_dev2.conf c6xxvf_dev5.conf c6xxvf_dev8.conf hosts
```
* Check `dmesg` inside the container to see if there are any issues with the
* Check `dmesg` inside the container to see if there are any issues with the
Intel® QAT driver.
* If there are issues building the OpenSSL Intel® QAT container image, then
* If there are issues building the OpenSSL Intel® QAT container image, then
check to make sure that runc is the default runtime for building container.
```sh
@@ -564,11 +564,11 @@ Environment="DOCKER_DEFAULT_RUNTIME=--default-runtime runc"
### Verify Intel® QAT card counters are incremented
To check the built in firmware counters, the Intel® QAT driver has to be compiled
and installed to the host and can't rely on the built in host driver. The
counters will increase when the accelerator is actively being used. To verify
Intel® QAT is actively accelerating the containerized application, use the
following instructions to check if any of the counters increment. Make
To check the built in firmware counters, the Intel® QAT driver has to be compiled
and installed to the host and can't rely on the built in host driver. The
counters will increase when the accelerator is actively being used. To verify
Intel® QAT is actively accelerating the containerized application, use the
following instructions to check if any of the counters increment. Make
sure to change the PCI Device ID to match whats in the system.
```bash

View File

@@ -42,7 +42,7 @@ The following is an example of how to use `lspci` to check if your NIC supports
SR-IOV.
```
$ lspci | fgrep -i ethernet
$ lspci | grep -i -F ethernet
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2 (rev 03)
...

562
src/agent/Cargo.lock generated

File diff suppressed because it is too large Load Diff

View File

@@ -12,7 +12,7 @@ oci-spec = { version = "0.6.8", features = ["runtime"] }
rustjail = { path = "rustjail" }
protocols = { path = "../libs/protocols", features = ["async", "with-serde"] }
lazy_static = "1.3.0"
ttrpc = { version = "0.8", features = ["async"], default-features = false }
ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
protobuf = "3.2.0"
libc = "0.2.58"
nix = "0.24.2"
@@ -78,7 +78,7 @@ strum = "0.26.2"
strum_macros = "0.26.2"
# Image pull/decrypt
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "v0.10.0", default-features = false, optional = true }
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "514c561d933cb11a0f1628621a0b930157af76cd", default-features = false, optional = true }
# Agent Policy
regorus = { version = "0.2.6", default-features = false, features = [
@@ -88,6 +88,7 @@ regorus = { version = "0.2.6", default-features = false, features = [
], optional = true }
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
json-patch = "2.0.0"
kata-agent-policy = { path = "policy" }
[dev-dependencies]
tempfile = "3.1.0"
@@ -97,7 +98,7 @@ rstest = "0.18.0"
async-std = { version = "1.12.0", features = ["attributes"] }
[workspace]
members = ["rustjail"]
members = ["rustjail", "policy"]
[profile.release]
lto = true

View File

@@ -0,0 +1,33 @@
[package]
name = "kata-agent-policy"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"
[dependencies]
# Async runtime
tokio = { version = "1.39.0", features = ["full"] }
tokio-vsock = "0.3.4"
anyhow = "1"
# Configuration
serde = { version = "1.0.129", features = ["derive"] }
serde_json = "1.0.39"
# Agent Policy
regorus = { version = "0.2.8", default-features = false, features = [
"arc",
"regex",
"std",
] }
json-patch = "2.0.0"
# Note: this crate sets the slog 'max_*' features which allows the log level
# to be modified at runtime.
logging = { path = "../../libs/logging" }
slog = "2.5.2"
slog-scope = "4.1.2"
slog-term = "2.9.0"

View File

@@ -0,0 +1,6 @@
// Copyright (c) 2024 Edgeless Systems GmbH
//
// SPDX-License-Identifier: Apache-2.0
//
pub mod policy;

View File

@@ -0,0 +1,243 @@
// Copyright (c) 2023 Microsoft Corporation
// Copyright (c) 2024 Edgeless Systems GmbH
//
// SPDX-License-Identifier: Apache-2.0
//
//! Policy evaluation for the kata-agent.
use anyhow::{bail, Result};
use slog::{debug, error, info, warn};
use tokio::io::AsyncWriteExt;
static POLICY_LOG_FILE: &str = "/tmp/policy.txt";
static POLICY_DEFAULT_FILE: &str = "/etc/kata-opa/default-policy.rego";
/// Convenience macro to obtain the scope logger
macro_rules! sl {
() => {
slog_scope::logger()
};
}
/// Singleton policy object.
#[derive(Debug, Default)]
pub struct AgentPolicy {
/// When true policy errors are ignored, for debug purposes.
allow_failures: bool,
/// "/tmp/policy.txt" log file for policy activity.
log_file: Option<tokio::fs::File>,
/// Regorus engine
engine: regorus::Engine,
}
#[derive(serde::Deserialize, Debug)]
struct MetadataResponse {
allowed: bool,
ops: Option<json_patch::Patch>,
}
impl AgentPolicy {
/// Create AgentPolicy object.
pub fn new() -> Self {
Self {
allow_failures: false,
engine: Self::new_engine(),
..Default::default()
}
}
fn new_engine() -> regorus::Engine {
let mut engine = regorus::Engine::new();
engine.set_strict_builtin_errors(false);
engine.set_gather_prints(true);
// assign a slice of the engine data "pstate" to be used as policy state
engine
.add_data(
regorus::Value::from_json_str(
r#"{
"pstate": {}
}"#,
)
.unwrap(),
)
.unwrap();
engine
}
/// Initialize regorus.
pub async fn initialize(
&mut self,
log_level: usize,
default_policy_file: String,
log_file: Option<String>,
) -> Result<()> {
// log file path
let log_file_path = match log_file {
Some(path) => path,
None => POLICY_LOG_FILE.to_string(),
};
let log_file_path = log_file_path.as_str();
if log_level >= slog::Level::Debug.as_usize() {
self.log_file = Some(
tokio::fs::OpenOptions::new()
.write(true)
.truncate(true)
.create(true)
.open(&log_file_path)
.await?,
);
debug!(sl!(), "policy: log file: {}", log_file_path);
}
// Check if policy file has been set via AgentConfig
// If empty, use default file.
let mut default_policy_file = default_policy_file;
if default_policy_file.is_empty() {
default_policy_file = POLICY_DEFAULT_FILE.to_string();
}
info!(sl!(), "default policy: {default_policy_file}");
self.engine.add_policy_from_file(default_policy_file)?;
self.update_allow_failures_flag().await?;
Ok(())
}
async fn apply_patch_to_state(&mut self, patch: json_patch::Patch) -> Result<()> {
// Convert the current engine data to a JSON value
let mut state = serde_json::to_value(self.engine.get_data())?;
// Apply the patch to the state
json_patch::patch(&mut state, &patch)?;
// Clear the existing data in the engine
self.engine.clear_data();
// Add the patched state back to the engine
self.engine
.add_data(regorus::Value::from_json_str(&state.to_string())?)?;
Ok(())
}
/// Ask regorus if an API call should be allowed or not.
pub async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> {
debug!(sl!(), "policy check: {ep}");
self.log_eval_input(ep, ep_input).await;
let query = format!("data.agent_policy.{ep}");
self.engine.set_input_json(ep_input)?;
let results = self.engine.eval_query(query, false)?;
let prints = match self.engine.take_prints() {
Ok(p) => p.join(" "),
Err(e) => format!("Failed to get policy log: {e}"),
};
if results.result.len() != 1 {
// Results are empty when AllowRequestsFailingPolicy is used to allow a Request that hasn't been defined in the policy
if self.allow_failures {
return Ok((true, prints));
}
bail!(
"policy check: unexpected eval_query result len {:?}",
results
);
}
if results.result[0].expressions.len() != 1 {
bail!(
"policy check: unexpected eval_query result expressions {:?}",
results
);
}
let mut allow = match &results.result[0].expressions[0].value {
regorus::Value::Bool(b) => *b,
// Match against a specific variant that could be interpreted as MetadataResponse
regorus::Value::Object(obj) => {
let json_str = serde_json::to_string(obj)?;
self.log_eval_input(ep, &json_str).await;
let metadata_response: MetadataResponse = serde_json::from_str(&json_str)?;
if metadata_response.allowed {
if let Some(ops) = metadata_response.ops {
self.apply_patch_to_state(ops).await?;
}
}
metadata_response.allowed
}
_ => {
error!(sl!(), "allow_request: unexpected eval_query result type");
bail!(
"policy check: unexpected eval_query result type {:?}",
results
);
}
};
if !allow && self.allow_failures {
warn!(sl!(), "policy: ignoring error for {ep}");
allow = true;
}
Ok((allow, prints))
}
/// Replace the Policy in regorus.
pub async fn set_policy(&mut self, policy: &str) -> Result<()> {
self.engine = Self::new_engine();
self.engine
.add_policy("agent_policy".to_string(), policy.to_string())?;
self.update_allow_failures_flag().await?;
Ok(())
}
async fn log_eval_input(&mut self, ep: &str, input: &str) {
if let Some(log_file) = &mut self.log_file {
match ep {
"StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => {
// - StatsContainerRequest and ReadStreamRequest are called
// relatively often, so we're not logging them, to avoid
// growing this log file too much.
// - Confidential Containers Policy documents are relatively
// large, so we're not logging them here, for SetPolicyRequest.
// The Policy text can be obtained directly from the pod YAML.
}
_ => {
let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n");
if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e);
} else if let Err(e) = log_file.flush().await {
warn!(sl!(), "policy: log_eval_input: flush failed: {}", e);
}
}
}
}
}
async fn update_allow_failures_flag(&mut self) -> Result<()> {
self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
Ok((allowed, _prints)) => {
if allowed {
warn!(
sl!(),
"policy: AllowRequestsFailingPolicy is enabled - will ignore errors"
);
}
allowed
}
Err(_) => false,
};
Ok(())
}
}

View File

@@ -1170,6 +1170,23 @@ impl Manager {
})
}
pub fn subcgroup(&self) -> &str {
// Check if we're in a Docker-in-Docker setup by verifying:
// 1. We're using cgroups v2 (which restricts direct process control)
// 2. An "init" subdirectory exists (used by DinD for process delegation)
let is_dind = cgroups::hierarchies::is_cgroup2_unified_mode()
&& cgroups::hierarchies::auto()
.root()
.join(&self.cpath)
.join("init")
.exists();
if is_dind {
"/init/"
} else {
"/"
}
}
fn get_paths_and_mounts(
cpath: &str,
) -> Result<(HashMap<String, String>, HashMap<String, String>)> {

View File

@@ -19,7 +19,7 @@ pub trait SystemdInterface {
fn kill_unit(&self) -> Result<()>;
fn freeze_unit(&self) -> Result<()>;
fn thaw_unit(&self) -> Result<()>;
fn add_process(&self, pid: i32) -> Result<()>;
fn add_process(&self, pid: i32, subcgroup: &str) -> Result<()>;
fn get_version(&self) -> Result<String>;
fn unit_exists(&self) -> Result<bool>;
}
@@ -151,11 +151,10 @@ impl SystemdInterface for DBusClient {
}
}
fn add_process(&self, pid: i32) -> Result<()> {
fn add_process(&self, pid: i32, subcgroup: &str) -> Result<()> {
let proxy = self.build_proxy()?;
proxy
.attach_processes_to_unit(&self.unit_name, "/", &[pid as u32])
.attach_processes_to_unit(&self.unit_name, subcgroup, &[pid as u32])
.context(format!(
"failed to add process into unit {}",
self.unit_name

View File

@@ -41,7 +41,8 @@ pub struct Manager {
impl CgroupManager for Manager {
fn apply(&self, pid: pid_t) -> Result<()> {
if self.dbus_client.unit_exists()? {
self.dbus_client.add_process(pid)?;
let subcgroup = self.fs_manager.subcgroup();
self.dbus_client.add_process(pid, subcgroup)?;
} else {
self.dbus_client.start_unit(
(pid as u32).try_into().unwrap(),

View File

@@ -836,6 +836,7 @@ fn mount_from(
if !src.is_dir() {
let _ = OpenOptions::new()
.create(true)
.truncate(true)
.write(true)
.open(&dest)
.map_err(|e| {

View File

@@ -147,7 +147,7 @@ pub async fn unseal_file(path: &str) -> Result<()> {
continue;
}
let target_path = fs::canonicalize(&entry.path())?;
let target_path = fs::canonicalize(entry.path())?;
info!(sl(), "sealed source entry target path: {:?}", target_path);
// Skip if the target path is not a file (e.g., it's a symlink pointing to the secret file).
@@ -177,8 +177,8 @@ pub async fn unseal_file(path: &str) -> Result<()> {
fs::write(&unsealed_filename, unsealed_value)?;
// Remove the original sealed symlink and create a symlink to the unsealed file
fs::remove_file(&entry.path())?;
symlink(unsealed_filename_symlink, &entry.path())?;
fs::remove_file(entry.path())?;
symlink(unsealed_filename_symlink, entry.path())?;
}
}
Ok(())

View File

@@ -2,7 +2,7 @@
//
// SPDX-License-Identifier: Apache-2.0
//
use crate::rpc;
use anyhow::{anyhow, bail, ensure, Context, Result};
use serde::Deserialize;
use std::env;
@@ -23,9 +23,11 @@ const SERVER_ADDR_OPTION: &str = "agent.server_addr";
const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port";
const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout";
const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout";
const CDI_TIMEOUT_OPTION: &str = "agent.cdi_timeout";
const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport";
const LOG_VPORT_OPTION: &str = "agent.log_vport";
const CONTAINER_PIPE_SIZE_OPTION: &str = "agent.container_pipe_size";
const CGROUP_NO_V1: &str = "cgroup_no_v1";
const UNIFIED_CGROUP_HIERARCHY_OPTION: &str = "systemd.unified_cgroup_hierarchy";
const CONFIG_FILE: &str = "agent.config_file";
const GUEST_COMPONENTS_REST_API_OPTION: &str = "agent.guest_components_rest_api";
@@ -69,6 +71,7 @@ const MEM_AGENT_COMPACT_FORCE_TIMES: &str = "agent.mem_agent_compact_force_times
const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50);
const DEFAULT_CDI_TIMEOUT: time::Duration = time::Duration::from_secs(100);
const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0;
const VSOCK_ADDR: &str = "vsock://-1";
@@ -131,14 +134,15 @@ pub struct AgentConfig {
pub log_level: slog::Level,
pub hotplug_timeout: time::Duration,
pub cdh_api_timeout: time::Duration,
pub cdi_timeout: time::Duration,
pub debug_console_vport: i32,
pub log_vport: i32,
pub container_pipe_size: i32,
pub server_addr: String,
pub passfd_listener_port: i32,
pub cgroup_no_v1: String,
pub unified_cgroup_hierarchy: bool,
pub tracing: bool,
pub supports_seccomp: bool,
pub https_proxy: String,
pub no_proxy: String,
pub guest_components_rest_api: GuestComponentsFeatures,
@@ -168,6 +172,7 @@ pub struct AgentConfigBuilder {
pub log_level: Option<String>,
pub hotplug_timeout: Option<time::Duration>,
pub cdh_api_timeout: Option<time::Duration>,
pub cdi_timeout: Option<time::Duration>,
pub debug_console_vport: Option<i32>,
pub log_vport: Option<i32>,
pub container_pipe_size: Option<i32>,
@@ -250,7 +255,7 @@ macro_rules! parse_cmdline_param {
($param:ident, $key:ident, $field:expr, $func:ident, $guard:expr) => {
if $param.starts_with(format!("{}=", $key).as_str()) {
let val = $func($param)?;
if $guard(val) {
if $guard(&val) {
$field = val;
}
continue;
@@ -266,14 +271,15 @@ impl Default for AgentConfig {
log_level: DEFAULT_LOG_LEVEL,
hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT,
cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT,
cdi_timeout: DEFAULT_CDI_TIMEOUT,
debug_console_vport: 0,
log_vport: 0,
container_pipe_size: DEFAULT_CONTAINER_PIPE_SIZE,
server_addr: format!("{}:{}", VSOCK_ADDR, DEFAULT_AGENT_VSOCK_PORT),
passfd_listener_port: 0,
cgroup_no_v1: String::from(""),
unified_cgroup_hierarchy: false,
tracing: false,
supports_seccomp: rpc::have_seccomp(),
https_proxy: String::from(""),
no_proxy: String::from(""),
guest_components_rest_api: GuestComponentsFeatures::default(),
@@ -311,6 +317,7 @@ impl FromStr for AgentConfig {
);
config_override!(agent_config_builder, agent_config, hotplug_timeout);
config_override!(agent_config_builder, agent_config, cdh_api_timeout);
config_override!(agent_config_builder, agent_config, cdi_timeout);
config_override!(agent_config_builder, agent_config, debug_console_vport);
config_override!(agent_config_builder, agent_config, log_vport);
config_override!(agent_config_builder, agent_config, container_pipe_size);
@@ -474,7 +481,7 @@ impl AgentConfig {
HOTPLUG_TIMOUT_OPTION,
config.hotplug_timeout,
get_timeout,
|hotplug_timeout: time::Duration| hotplug_timeout.as_secs() > 0
|hotplug_timeout: &time::Duration| hotplug_timeout.as_secs() > 0
);
// ensure the timeout is a positive value
@@ -483,7 +490,16 @@ impl AgentConfig {
CDH_API_TIMOUT_OPTION,
config.cdh_api_timeout,
get_timeout,
|cdh_api_timeout: time::Duration| cdh_api_timeout.as_secs() > 0
|cdh_api_timeout: &time::Duration| cdh_api_timeout.as_secs() > 0
);
// ensure the timeout is a positive value
parse_cmdline_param!(
param,
CDI_TIMEOUT_OPTION,
config.cdi_timeout,
get_timeout,
|cdi_timeout: &time::Duration| cdi_timeout.as_secs() > 0
);
// vsock port should be positive values
@@ -492,21 +508,21 @@ impl AgentConfig {
DEBUG_CONSOLE_VPORT_OPTION,
config.debug_console_vport,
get_number_value,
|port| port > 0
|port: &i32| *port > 0
);
parse_cmdline_param!(
param,
LOG_VPORT_OPTION,
config.log_vport,
get_number_value,
|port| port > 0
|port: &i32| *port > 0
);
parse_cmdline_param!(
param,
PASSFD_LISTENER_PORT,
config.passfd_listener_port,
get_number_value,
|port| port > 0
|port: &i32| *port > 0
);
parse_cmdline_param!(
param,
@@ -514,6 +530,13 @@ impl AgentConfig {
config.container_pipe_size,
get_container_pipe_size
);
parse_cmdline_param!(
param,
CGROUP_NO_V1,
config.cgroup_no_v1,
get_string_value,
|no_v1| no_v1 == "all"
);
parse_cmdline_param!(
param,
UNIFIED_CGROUP_HIERARCHY_OPTION,
@@ -712,7 +735,7 @@ where
fields[1]
.parse::<T>()
.map_err(|e| anyhow!("parse from {} failed: {:?}", &fields[1], e))
.map_err(|e| anyhow!("parse from {} failed: {:?}", fields[1], e))
}
// Map logrus (https://godoc.org/github.com/sirupsen/logrus)
@@ -755,7 +778,10 @@ fn get_timeout(param: &str) -> Result<time::Duration> {
let fields: Vec<&str> = param.split('=').collect();
ensure!(fields.len() == 2, ERR_INVALID_TIMEOUT);
ensure!(
matches!(fields[0], HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION),
matches!(
fields[0],
HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION | CDI_TIMEOUT_OPTION
),
ERR_INVALID_TIMEOUT_KEY
);
@@ -898,6 +924,7 @@ mod tests {
hotplug_timeout: time::Duration,
container_pipe_size: i32,
server_addr: &'a str,
cgroup_no_v1: &'a str,
unified_cgroup_hierarchy: bool,
tracing: bool,
https_proxy: &'a str,
@@ -927,6 +954,7 @@ mod tests {
hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT,
container_pipe_size: DEFAULT_CONTAINER_PIPE_SIZE,
server_addr: TEST_SERVER_ADDR,
cgroup_no_v1: "",
unified_cgroup_hierarchy: false,
tracing: false,
https_proxy: "",
@@ -1073,6 +1101,22 @@ mod tests {
dev_mode: true,
..Default::default()
},
TestData {
contents: "cgroup_no_v1=1",
cgroup_no_v1: "",
..Default::default()
},
TestData {
contents: "cgroup_no_v1=all",
cgroup_no_v1: "all",
..Default::default()
},
TestData {
contents: "cgroup_no_v1=0 systemd.unified_cgroup_hierarchy=1",
cgroup_no_v1: "",
unified_cgroup_hierarchy: true,
..Default::default()
},
TestData {
contents: "agent.devmode agent.debug_console agent.hotplug_timeout=100 systemd.unified_cgroup_hierarchy=a",
debug_console: true,
@@ -1508,6 +1552,7 @@ mod tests {
assert_eq!(d.debug_console, config.debug_console, "{}", msg);
assert_eq!(d.dev_mode, config.dev_mode, "{}", msg);
assert_eq!(d.cgroup_no_v1, config.cgroup_no_v1, "{}", msg);
assert_eq!(
d.unified_cgroup_hierarchy, config.unified_cgroup_hierarchy,
"{}",
@@ -1677,6 +1722,7 @@ Caused by:
)))]
#[case("agent.chd_api_timeout=1", Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)))]
#[case("agent.cdh_api_timeout=600", Ok(time::Duration::from_secs(600)))]
#[case("agent.cdi_timeout=320", Ok(time::Duration::from_secs(320)))]
fn test_timeout(#[case] param: &str, #[case] expected: Result<time::Duration>) {
let result = get_timeout(param);
let msg = format!("expected: {:?}, result: {:?}", expected, result);

View File

@@ -248,7 +248,7 @@ pub async fn handle_cdi_devices(
logger: &Logger,
spec: &mut Spec,
spec_dir: &str,
cdi_timeout: u64,
cdi_timeout: time::Duration,
) -> Result<()> {
if let Some(container_type) = spec
.annotations()
@@ -271,7 +271,7 @@ pub async fn handle_cdi_devices(
let options: Vec<CdiOption> = vec![with_auto_refresh(false), with_spec_dirs(&[spec_dir])];
let cache: Arc<std::sync::Mutex<cdi::cache::Cache>> = new_cache(options);
for _ in 0..=cdi_timeout {
for i in 0..=cdi_timeout.as_secs() {
let inject_result = {
// Lock cache within this scope, std::sync::Mutex has no Send
// and await will not work with time::sleep
@@ -294,15 +294,20 @@ pub async fn handle_cdi_devices(
return Ok(());
}
Err(e) => {
info!(logger, "error injecting devices: {:?}", e);
println!("error injecting devices: {:?}", e);
info!(
logger,
"waiting for CDI spec(s) to be generated ({} of {} max tries) {:?}",
i,
cdi_timeout.as_secs(),
e
);
}
}
time::sleep(Duration::from_millis(1000)).await;
time::sleep(Duration::from_secs(1)).await;
}
Err(anyhow!(
"failed to inject devices after CDI timeout of {} seconds",
cdi_timeout
cdi_timeout.as_secs()
))
}
@@ -1243,8 +1248,15 @@ mod tests {
fs::write(&cdi_file, cdi_content).expect("Failed to write CDI file");
let res =
handle_cdi_devices(&logger, &mut spec, temp_dir.path().to_str().unwrap(), 0).await;
let cdi_timeout = Duration::from_secs(0);
let res = handle_cdi_devices(
&logger,
&mut spec,
temp_dir.path().to_str().unwrap(),
cdi_timeout,
)
.await;
println!("modfied spec {:?}", spec);
assert!(res.is_ok(), "{}", res.err().unwrap());

View File

@@ -12,7 +12,9 @@ use crate::pci;
use crate::sandbox::Sandbox;
use crate::uevent::{wait_for_uevent, Uevent, UeventMatcher};
use anyhow::{anyhow, Context, Result};
use kata_types::device::{DRIVER_VFIO_AP_TYPE, DRIVER_VFIO_PCI_GK_TYPE, DRIVER_VFIO_PCI_TYPE};
use kata_types::device::{
DRIVER_VFIO_AP_COLD_TYPE, DRIVER_VFIO_AP_TYPE, DRIVER_VFIO_PCI_GK_TYPE, DRIVER_VFIO_PCI_TYPE,
};
use protocols::agent::Device;
use slog::Logger;
use std::ffi::OsStr;
@@ -94,7 +96,7 @@ impl DeviceHandler for VfioPciDeviceHandler {
impl DeviceHandler for VfioApDeviceHandler {
#[instrument]
fn driver_types(&self) -> &[&str] {
&[DRIVER_VFIO_AP_TYPE]
&[DRIVER_VFIO_AP_TYPE, DRIVER_VFIO_AP_COLD_TYPE]
}
#[cfg(target_arch = "s390x")]
@@ -103,7 +105,16 @@ impl DeviceHandler for VfioApDeviceHandler {
// Force AP bus rescan
fs::write(AP_SCANS_PATH, "1")?;
for apqn in device.options.iter() {
wait_for_ap_device(ctx.sandbox, ap::Address::from_str(apqn)?).await?;
let ap_address = ap::Address::from_str(apqn).context("Failed to parse AP address")?;
match device.type_.as_str() {
DRIVER_VFIO_AP_TYPE => {
wait_for_ap_device(ctx.sandbox, ap_address).await?;
}
DRIVER_VFIO_AP_COLD_TYPE => {
check_ap_device(ctx.sandbox, ap_address).await?;
}
_ => return Err(anyhow!("Unsupported AP device type: {}", device.type_)),
}
}
let dev_update = Some(DevUpdate::new(Z9_CRYPT_DEV_PATH, Z9_CRYPT_DEV_PATH)?);
Ok(SpecUpdate {
@@ -201,6 +212,37 @@ async fn wait_for_ap_device(sandbox: &Arc<Mutex<Sandbox>>, address: ap::Address)
Ok(())
}
#[cfg(target_arch = "s390x")]
#[instrument]
async fn check_ap_device(sandbox: &Arc<Mutex<Sandbox>>, address: ap::Address) -> Result<()> {
let ap_path = format!(
"/sys/{}/card{:02x}/{}/online",
AP_ROOT_BUS_PATH, address.adapter_id, address
);
if !Path::new(&ap_path).is_file() {
return Err(anyhow!(
"AP device online file not found or not accessible: {}",
ap_path
));
}
match fs::read_to_string(&ap_path) {
Ok(content) => {
let is_online = content.trim() == "1";
if !is_online {
return Err(anyhow!("AP device {} exists but is not online", address));
}
}
Err(e) => {
return Err(anyhow!(
"Failed to read online status for AP device {}: {}",
address,
e
));
}
}
Ok(())
}
pub async fn wait_for_pci_device(
sandbox: &Arc<Mutex<Sandbox>>,
pcipath: &pci::Path,

View File

@@ -9,10 +9,11 @@ use safe_path::scoped_join;
use std::collections::HashMap;
use std::env;
use std::fs;
use std::path::{Path, PathBuf};
use std::path::Path;
use std::sync::Arc;
use anyhow::{anyhow, bail, Context, Result};
use image_rs::builder::ClientBuilder;
use image_rs::image::ImageClient;
use kata_sys_util::validate::verify_id;
use oci_spec::runtime as oci;
@@ -57,15 +58,16 @@ pub struct ImageService {
}
impl ImageService {
pub fn new() -> Self {
let mut image_client = ImageClient::new(PathBuf::from(KATA_IMAGE_WORK_DIR));
pub async fn new() -> Result<Self> {
let mut image_client_builder =
ClientBuilder::default().work_dir(KATA_IMAGE_WORK_DIR.into());
#[cfg(feature = "guest-pull")]
{
if !AGENT_CONFIG.image_registry_auth.is_empty() {
let registry_auth = &AGENT_CONFIG.image_registry_auth;
debug!(sl(), "Set registry auth file {:?}", registry_auth);
image_client.config.file_paths.auth_file = registry_auth.clone();
image_client.config.auth = true;
image_client_builder = image_client_builder
.authenticated_registry_credentials_uri(registry_auth.into());
}
let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification;
@@ -73,15 +75,15 @@ impl ImageService {
sl(),
"Enable image signature verification: {:?}", enable_signature_verification
);
image_client.config.security_validate = *enable_signature_verification;
if !AGENT_CONFIG.image_policy_file.is_empty() {
if !AGENT_CONFIG.image_policy_file.is_empty() && *enable_signature_verification {
let image_policy_file = &AGENT_CONFIG.image_policy_file;
debug!(sl(), "Use imagepolicy file {:?}", image_policy_file);
image_client.config.file_paths.policy_path = image_policy_file.clone();
debug!(sl(), "Use image policy file {:?}", image_policy_file);
image_client_builder =
image_client_builder.image_security_policy_uri(image_policy_file.into());
}
}
Self { image_client }
let image_client = image_client_builder.build().await?;
Ok(Self { image_client })
}
/// get guest pause image process specification
@@ -276,9 +278,10 @@ pub async fn set_proxy_env_vars() {
}
/// Init the image service
pub async fn init_image_service() {
let image_service = ImageService::new();
pub async fn init_image_service() -> Result<()> {
let image_service = ImageService::new().await?;
*IMAGE_SERVICE.lock().await = Some(image_service);
Ok(())
}
pub async fn pull_image(

View File

@@ -12,7 +12,7 @@ use std::fs;
pub const SYSFS_DIR: &str = "/sys";
#[cfg(any(
target_arch = "powerpc64",
all(target_arch = "powerpc64", target_endian = "little"),
target_arch = "s390x",
target_arch = "x86_64",
target_arch = "x86"

View File

@@ -134,7 +134,7 @@ lazy_static! {
#[cfg(feature = "agent-policy")]
lazy_static! {
static ref AGENT_POLICY: Mutex<policy::AgentPolicy> = Mutex::new(AgentPolicy::new());
static ref AGENT_POLICY: Mutex<AgentPolicy> = Mutex::new(AgentPolicy::new());
}
#[derive(Parser)]
@@ -228,8 +228,9 @@ async fn real_main(init_mode: bool) -> std::result::Result<(), Box<dyn std::erro
})?;
lazy_static::initialize(&AGENT_CONFIG);
let cgroup_v2 = AGENT_CONFIG.unified_cgroup_hierarchy || AGENT_CONFIG.cgroup_no_v1 == "all";
init_agent_as_init(&logger, AGENT_CONFIG.unified_cgroup_hierarchy)?;
init_agent_as_init(&logger, cgroup_v2)?;
drop(logger_async_guard);
} else {
lazy_static::initialize(&AGENT_CONFIG);
@@ -632,7 +633,15 @@ fn init_agent_as_init(logger: &Logger, unified_cgroup_hierarchy: bool) -> Result
#[cfg(feature = "agent-policy")]
async fn initialize_policy() -> Result<()> {
AGENT_POLICY.lock().await.initialize().await
AGENT_POLICY
.lock()
.await
.initialize(
AGENT_CONFIG.log_level.as_usize(),
AGENT_CONFIG.policy_file.clone(),
None,
)
.await
}
// The Rust standard library had suppressed the default SIGPIPE behavior,
@@ -650,7 +659,7 @@ use crate::config::AgentConfig;
use std::os::unix::io::{FromRawFd, RawFd};
#[cfg(feature = "agent-policy")]
use crate::policy::AgentPolicy;
use kata_agent_policy::policy::AgentPolicy;
#[cfg(test)]
mod tests {

View File

@@ -299,7 +299,13 @@ pub fn cgroups_mount(logger: &Logger, unified_cgroup_hierarchy: bool) -> Result<
// Enable memory hierarchical account.
// For more information see https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt
online_device("/sys/fs/cgroup/memory/memory.use_hierarchy")
// cgroupsV2 will automatically enable memory.use_hierarchy.
// additinoally this directory layout is not present in cgroupsV2.
if !unified_cgroup_hierarchy {
return online_device("/sys/fs/cgroup/memory/memory.use_hierarchy");
}
Ok(())
}
#[instrument]
@@ -531,6 +537,7 @@ mod tests {
OpenOptions::new()
.create(true)
.truncate(true)
.write(true)
.open(test_file_filename)
.expect("failed to create test file");

View File

@@ -1079,8 +1079,8 @@ mod tests {
.expect("failed to show neigh")
.stdout;
let stdout = std::str::from_utf8(&stdout).expect("failed to conveert stdout");
assert_eq!(stdout, format!("{} lladdr {} PERMANENT\n", to_ip, mac));
let stdout = std::str::from_utf8(&stdout).expect("failed to convert stdout");
assert_eq!(stdout.trim(), format!("{} lladdr {} PERMANENT", to_ip, mac));
clean_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
}

View File

@@ -3,22 +3,11 @@
// SPDX-License-Identifier: Apache-2.0
//
use anyhow::{bail, Result};
use protobuf::MessageDyn;
use tokio::io::AsyncWriteExt;
use crate::rpc::ttrpc_error;
use crate::{AGENT_CONFIG, AGENT_POLICY};
static POLICY_LOG_FILE: &str = "/tmp/policy.txt";
static POLICY_DEFAULT_FILE: &str = "/etc/kata-opa/default-policy.rego";
/// Convenience macro to obtain the scope logger
macro_rules! sl {
() => {
slog_scope::logger()
};
}
use crate::AGENT_POLICY;
use kata_agent_policy::policy::AgentPolicy;
async fn allow_request(policy: &mut AgentPolicy, ep: &str, request: &str) -> ttrpc::Result<()> {
match policy.allow_request(ep, request).await {
@@ -54,213 +43,3 @@ pub async fn do_set_policy(req: &protocols::agent::SetPolicyRequest) -> ttrpc::R
.await
.map_err(|e| ttrpc_error(ttrpc::Code::INVALID_ARGUMENT, e))
}
/// Singleton policy object.
#[derive(Debug, Default)]
pub struct AgentPolicy {
/// When true policy errors are ignored, for debug purposes.
allow_failures: bool,
/// "/tmp/policy.txt" log file for policy activity.
log_file: Option<tokio::fs::File>,
/// Regorus engine
engine: regorus::Engine,
}
#[derive(serde::Deserialize, Debug)]
struct MetadataResponse {
allowed: bool,
ops: Option<json_patch::Patch>,
}
impl AgentPolicy {
/// Create AgentPolicy object.
pub fn new() -> Self {
Self {
allow_failures: false,
engine: Self::new_engine(),
..Default::default()
}
}
fn new_engine() -> regorus::Engine {
let mut engine = regorus::Engine::new();
engine.set_strict_builtin_errors(false);
engine.set_gather_prints(true);
// assign a slice of the engine data "pstate" to be used as policy state
engine
.add_data(
regorus::Value::from_json_str(
r#"{
"pstate": {}
}"#,
)
.unwrap(),
)
.unwrap();
engine
}
/// Initialize regorus.
pub async fn initialize(&mut self) -> Result<()> {
if AGENT_CONFIG.log_level.as_usize() >= slog::Level::Debug.as_usize() {
self.log_file = Some(
tokio::fs::OpenOptions::new()
.write(true)
.truncate(true)
.create(true)
.open(POLICY_LOG_FILE)
.await?,
);
debug!(sl!(), "policy: log file: {}", POLICY_LOG_FILE);
}
// Check if policy file has been set via AgentConfig
// If empty, use default file.
let mut default_policy_file = AGENT_CONFIG.policy_file.clone();
if default_policy_file.is_empty() {
default_policy_file = POLICY_DEFAULT_FILE.to_string();
}
info!(sl!(), "default policy: {default_policy_file}");
self.engine.add_policy_from_file(default_policy_file)?;
self.update_allow_failures_flag().await?;
Ok(())
}
async fn apply_patch_to_state(&mut self, patch: json_patch::Patch) -> Result<()> {
// Convert the current engine data to a JSON value
let mut state = serde_json::to_value(self.engine.get_data())?;
// Apply the patch to the state
json_patch::patch(&mut state, &patch)?;
// Clear the existing data in the engine
self.engine.clear_data();
// Add the patched state back to the engine
self.engine
.add_data(regorus::Value::from_json_str(&state.to_string())?)?;
Ok(())
}
/// Ask regorus if an API call should be allowed or not.
async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> {
debug!(sl!(), "policy check: {ep}");
self.log_eval_input(ep, ep_input).await;
let query = format!("data.agent_policy.{ep}");
self.engine.set_input_json(ep_input)?;
let results = self.engine.eval_query(query, false)?;
let prints = match self.engine.take_prints() {
Ok(p) => p.join(" "),
Err(e) => format!("Failed to get policy log: {e}"),
};
if results.result.len() != 1 {
// Results are empty when AllowRequestsFailingPolicy is used to allow a Request that hasn't been defined in the policy
if self.allow_failures {
return Ok((true, prints));
}
bail!(
"policy check: unexpected eval_query result len {:?}",
results
);
}
if results.result[0].expressions.len() != 1 {
bail!(
"policy check: unexpected eval_query result expressions {:?}",
results
);
}
let mut allow = match &results.result[0].expressions[0].value {
regorus::Value::Bool(b) => *b,
// Match against a specific variant that could be interpreted as MetadataResponse
regorus::Value::Object(obj) => {
let json_str = serde_json::to_string(obj)?;
self.log_eval_input(ep, &json_str).await;
let metadata_response: MetadataResponse = serde_json::from_str(&json_str)?;
if metadata_response.allowed {
if let Some(ops) = metadata_response.ops {
self.apply_patch_to_state(ops).await?;
}
}
metadata_response.allowed
}
_ => {
error!(sl!(), "allow_request: unexpected eval_query result type");
bail!(
"policy check: unexpected eval_query result type {:?}",
results
);
}
};
if !allow && self.allow_failures {
warn!(sl!(), "policy: ignoring error for {ep}");
allow = true;
}
Ok((allow, prints))
}
/// Replace the Policy in regorus.
pub async fn set_policy(&mut self, policy: &str) -> Result<()> {
self.engine = Self::new_engine();
self.engine
.add_policy("agent_policy".to_string(), policy.to_string())?;
self.update_allow_failures_flag().await?;
Ok(())
}
async fn log_eval_input(&mut self, ep: &str, input: &str) {
if let Some(log_file) = &mut self.log_file {
match ep {
"StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => {
// - StatsContainerRequest and ReadStreamRequest are called
// relatively often, so we're not logging them, to avoid
// growing this log file too much.
// - Confidential Containers Policy documents are relatively
// large, so we're not logging them here, for SetPolicyRequest.
// The Policy text can be obtained directly from the pod YAML.
}
_ => {
let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n");
if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e);
} else if let Err(e) = log_file.flush().await {
warn!(sl!(), "policy: log_eval_input: flush failed: {}", e);
}
}
}
}
}
async fn update_allow_failures_flag(&mut self) -> Result<()> {
self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
Ok((allowed, _prints)) => {
if allowed {
warn!(
sl!(),
"policy: AllowRequestsFailingPolicy is enabled - will ignore errors"
);
}
allowed
}
Err(_) => false,
};
Ok(())
}
}

View File

@@ -12,9 +12,9 @@ use std::os::unix::io::{AsRawFd, FromRawFd};
use tracing::instrument;
pub const RNGDEV: &str = "/dev/random";
#[cfg(target_arch = "powerpc64")]
#[cfg(all(target_arch = "powerpc64", target_endian = "little"))]
pub const RNDADDTOENTCNT: libc::c_uint = 0x80045201;
#[cfg(target_arch = "powerpc64")]
#[cfg(all(target_arch = "powerpc64", target_endian = "little"))]
pub const RNDRESEEDCRNG: libc::c_int = 0x20005207;
#[cfg(not(target_arch = "powerpc64"))]
pub const RNDADDTOENTCNT: libc::c_int = 0x40045201;

View File

@@ -130,8 +130,6 @@ const ERR_NO_SANDBOX_PIDNS: &str = "Sandbox does not have sandbox_pidns";
// not available.
const IPTABLES_RESTORE_WAIT_SEC: u64 = 5;
const CDI_TIMEOUT_LIMIT: u64 = 100;
// Convenience function to obtain the scope logger.
fn sl() -> slog::Logger {
slog_scope::logger()
@@ -234,7 +232,7 @@ impl AgentService {
// or other entities for a specifc device.
// In Kata we only consider the directory "/var/run/cdi", "/etc" may be
// readonly
handle_cdi_devices(&sl(), &mut oci, "/var/run/cdi", CDI_TIMEOUT_LIMIT).await?;
handle_cdi_devices(&sl(), &mut oci, "/var/run/cdi", AGENT_CONFIG.cdi_timeout).await?;
cdh_handler(&mut oci).await?;
@@ -1294,6 +1292,9 @@ impl agent_ttrpc::AgentService for AgentService {
}
}
#[cfg(feature = "guest-pull")]
image::init_image_service().await.map_ttrpc_err(same)?;
Ok(Empty::new())
}
@@ -1748,9 +1749,6 @@ pub async fn start(
let health_service = Box::new(HealthService {}) as Box<dyn health_ttrpc::Health + Send + Sync>;
let hservice = health_ttrpc::create_health(Arc::new(health_service));
#[cfg(feature = "guest-pull")]
image::init_image_service().await;
let server = TtrpcServer::new()
.bind(server_address)?
.register_service(aservice)

View File

@@ -1065,7 +1065,7 @@ mod tests {
let logger = slog::Logger::root(slog::Discard, o!());
let test_pids = [std::i32::MIN, -1, 0, 1, std::i32::MAX];
let test_pids = [i32::MIN, -1, 0, 1, i32::MAX];
for test_pid in test_pids {
let mut s = Sandbox::new(&logger).unwrap();

View File

@@ -18,14 +18,14 @@ const BUF_SIZE: usize = 8192;
// Interruptable I/O copy using readers and writers
// (an interruptable version of "io::copy()").
pub async fn interruptable_io_copier<R: Sized, W: Sized>(
pub async fn interruptable_io_copier<R, W>(
mut reader: R,
mut writer: W,
mut shutdown: Receiver<bool>,
) -> io::Result<u64>
where
R: tokio::io::AsyncRead + Unpin,
W: tokio::io::AsyncWrite + Unpin,
R: tokio::io::AsyncRead + Unpin + Sized,
W: tokio::io::AsyncWrite + Unpin + Sized,
{
let mut total_bytes: u64 = 0;
@@ -181,13 +181,13 @@ mod tests {
}
}
impl ToString for BufWriter {
fn to_string(&self) -> String {
impl std::fmt::Display for BufWriter {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
let data_ref = self.data.clone();
let output = data_ref.lock().unwrap();
let s = (*output).clone();
String::from_utf8(s).unwrap()
write!(f, "{}", String::from_utf8(s).unwrap())
}
}

View File

@@ -428,9 +428,12 @@ dependencies = [
[[package]]
name = "deranged"
version = "0.3.8"
version = "0.3.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2696e8a945f658fd14dc3b87242e6b80cd0f36ff04ea560fa39082368847946"
checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
dependencies = [
"powerfmt",
]
[[package]]
name = "derivative"
@@ -1146,6 +1149,12 @@ dependencies = [
"memoffset",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-traits"
version = "0.2.16"
@@ -1379,6 +1388,12 @@ version = "0.3.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "proc-macro2"
version = "1.0.66"
@@ -1897,14 +1912,16 @@ dependencies = [
[[package]]
name = "time"
version = "0.3.28"
version = "0.3.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17f6bb557fd245c28e6411aa56b6403c689ad95061f50e4be16c274e70a17e48"
checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
dependencies = [
"deranged",
"itoa",
"libc",
"num-conv",
"num_threads",
"powerfmt",
"serde",
"time-core",
"time-macros",
@@ -1912,16 +1929,17 @@ dependencies = [
[[package]]
name = "time-core"
version = "0.1.1"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb"
checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
[[package]]
name = "time-macros"
version = "0.2.14"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a942f44339478ef67935ab2bbaec2fb0322496cf3cbe84b261e06ac3814c572"
checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
dependencies = [
"num-conv",
"time-core",
]

View File

@@ -50,7 +50,7 @@ vm-memory = { version = "0.10.0", features = ["backend-mmap"] }
crossbeam-channel = "0.5.6"
fuse-backend-rs = "0.10.5"
vfio-bindings = { version = "0.3.0", optional = true }
vfio-ioctls = { version = "0.1.0", optional = true }
vfio-ioctls = { version = "0.1.0", optional = true }
[dev-dependencies]
slog-async = "2.7.0"
@@ -81,3 +81,8 @@ vhost-user-fs = ["dbs-virtio-devices/vhost-user-fs"]
vhost-user-net = ["dbs-virtio-devices/vhost-user-net"]
vhost-user-blk = ["dbs-virtio-devices/vhost-user-blk"]
host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [
'cfg(feature, values("test-mock"))',
] }

View File

@@ -6,7 +6,7 @@ include ../../utils.mk
PROJECT_DIRS := $(shell find . -name Cargo.toml -printf '%h\n' | sort -u)
ifeq ($(ARCH), $(filter $(ARCH), s390x ppc64le))
ifeq ($(ARCH), $(filter $(ARCH), s390x powerpc64le))
default build check test clippy vendor:
@echo "$(ARCH) is not support currently"
exit 0
@@ -34,7 +34,7 @@ vendor:
format:
@echo "INFO: rust fmt..."
# This is kinda dirty step here simply because cargo fmt --all will apply fmt to all dependencies of dragonball which will include /src/libs/protocols with some file generated during compilation time and could not be formatted when you use cargo fmt --all before building the whole project. In order to avoid this problem, we do fmt check in this following way.
# This is kinda dirty step here simply because cargo fmt --all will apply fmt to all dependencies of dragonball which will include /src/libs/protocols with some file generated during compilation time and could not be formatted when you use cargo fmt --all before building the whole project. In order to avoid this problem, we do fmt check in this following way.
rustfmt --edition 2018 ./src/dbs_address_space/src/lib.rs ./src/dbs_allocator/src/lib.rs ./src/dbs_arch/src/lib.rs ./src/dbs_boot/src/lib.rs ./src/dbs_device/src/lib.rs ./src/dbs_interrupt/src/lib.rs ./src/dbs_legacy_devices/src/lib.rs ./src/dbs_pci/src/lib.rs ./src/dbs_upcall/src/lib.rs ./src/dbs_utils/src/lib.rs ./src/dbs_virtio_devices/src/lib.rs ./src/lib.rs --check
clean:

View File

@@ -165,7 +165,7 @@ impl<T> DeviceConfigInfo<T>
where
T: ConfigItem + Clone,
{
/// Create a new instance of ['DeviceInfoGroup'].
/// Create a new instance of ['DeviceConfigInfo'].
pub fn new(config: T) -> Self {
DeviceConfigInfo {
config,
@@ -173,7 +173,7 @@ where
}
}
/// Create a new instance of ['DeviceInfoGroup'] with optional device.
/// Create a new instance of ['DeviceConfigInfo'] with optional device.
pub fn new_with_device(config: T, device: Option<Arc<dyn DeviceIo>>) -> Self {
DeviceConfigInfo { config, device }
}

View File

@@ -166,15 +166,6 @@ impl Range {
}
}
impl PartialOrd for Range {
fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
match self.min.cmp(&other.min) {
Ordering::Equal => Some(self.max.cmp(&other.max)),
res => Some(res),
}
}
}
impl Ord for Range {
fn cmp(&self, other: &Self) -> Ordering {
match self.min.cmp(&other.min) {
@@ -184,6 +175,12 @@ impl Ord for Range {
}
}
impl PartialOrd for Range {
fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
Some(self.cmp(other))
}
}
/// State of interval tree node.
///
/// Valid state transitions:
@@ -424,7 +421,7 @@ impl<T> Node<T> {
let l = height(&self.0.left);
let r = height(&self.0.right);
match (l as i32) - (r as i32) {
1 | 0 | -1 => self,
-1..=1 => self,
2 => self.rotate_left_successor(),
-2 => self.rotate_right_successor(),
_ => unreachable!(),

View File

@@ -152,7 +152,7 @@ impl Ord for IoRange {
impl PartialOrd for IoRange {
fn partial_cmp(&self, other: &IoRange) -> Option<Ordering> {
self.base.partial_cmp(&other.base)
Some(self.cmp(other))
}
}

View File

@@ -93,7 +93,7 @@ mod test {
}
}
#[cfg(all(feature = "legacy_irq", target_arch = "x86_64"))]
#[cfg(all(feature = "legacy-irq", target_arch = "x86_64"))]
#[test]
fn test_new_msi_routing_multi() {
let mut msi_fds = Vec::with_capacity(16);

View File

@@ -85,7 +85,6 @@ mod tests {
#[test]
fn test_i8042_valid_ops() {
let reset_evt = EventFdTrigger::new(EventFd::new(libc::EFD_NONBLOCK).unwrap());
let metrics = Arc::new(I8042DeviceMetrics::default());
let mut i8042 = I8042Device::new(reset_evt.try_clone().unwrap());
let mut v = [0x00u8; 1];
@@ -106,7 +105,6 @@ mod tests {
#[test]
fn test_i8042_invalid_ops() {
let reset_evt = EventFdTrigger::new(EventFd::new(libc::EFD_NONBLOCK).unwrap());
let metrics = Arc::new(I8042DeviceMetrics::default());
let mut i8042 = I8042Device::new(reset_evt.try_clone().unwrap());
let mut v = [0x00u8; 2];
@@ -125,9 +123,9 @@ mod tests {
}
#[test]
#[ignore = "Issue #10821 - IO Safety violation: owned file descriptor already closed"]
fn test_i8042_reset_err() {
let reset_evt = EventFdTrigger::new(unsafe { EventFd::from_raw_fd(i32::MAX) });
let metrics = Arc::new(I8042DeviceMetrics::default());
let mut i8042 = I8042Device::new(reset_evt);
i8042.pio_write(
PioAddress(0),

View File

@@ -9,14 +9,18 @@ homepage = "https://github.com/openanolis/dragonball-sandbox"
repository = "https://github.com/openanolis/dragonball-sandbox/tree/main/crates/dbs-pci"
keywords = ["dragonball", "secure-sandbox", "devices", "pci"]
readme = "README.md"
[dependencies]
log = "0.4.14"
thiserror = "1"
dbs-allocator = { path = "../dbs_allocator" }
dbs-boot = { path = "../dbs_boot" }
dbs-device = { path = "../dbs_device" }
dbs-interrupt = { path = "../dbs_interrupt", features = ["kvm-irq", "kvm-legacy-irq", "kvm-msi-irq"] }
dbs-interrupt = { path = "../dbs_interrupt", features = [
"kvm-irq",
"kvm-legacy-irq",
"kvm-msi-irq",
] }
downcast-rs = "1.2.0"
byteorder = "1.4.3"
vm-memory = "0.10.0"
@@ -28,4 +32,9 @@ libc = "0.2.39"
[dev-dependencies]
dbs-arch = { path = "../dbs_arch" }
kvm-ioctls = "0.12.0"
kvm-ioctls = "0.12.0"
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [
'cfg(feature, values("test-mock"))',
] }

View File

@@ -431,6 +431,7 @@ mod tests {
}
#[test]
#[ignore = "Issue #10821 - IO Safety violation: owned file descriptor already closed"]
fn test_set_options() {
// This line will fail to provide an initialized FD if the test is not run as root.
let tap = Tap::new().unwrap();

View File

@@ -110,7 +110,7 @@ fn validate_and_configure_tap(tap: &Tap, vq_pairs: usize) -> VirtioResult<()> {
TapError::MissingFlags(
missing_flags
.into_iter()
.map(|flag| *flag)
.copied()
.collect::<Vec<&str>>()
.join(", "),
),
@@ -372,7 +372,7 @@ where
let intr_evts = config.get_queue_interrupt_eventfds();
assert_eq!(config.queues.len(), intr_evts.len());
let vq_pair = vec![
let vq_pair = [
&config.queues[2 * pair_index],
&config.queues[2 * pair_index + 1],
];

View File

@@ -165,7 +165,7 @@ where
if queue_idx < self.intr_evts.len() {
if let Err(e) = self.intr_evts[queue_idx].read() {
error!("{}: failed to read queue eventfd, {:?}", self.id, e);
} else if let Err(e) = self.config.queues[queue_idx as usize].notify() {
} else if let Err(e) = self.config.queues[queue_idx].notify() {
error!("{}: failed to notify guest, {:?}", self.id, e);
}
} else {
@@ -249,7 +249,7 @@ impl VhostUserBlockDevice {
master.set_protocol_features(protocol_featuers)?;
let config_len = mem::size_of::<VirtioBlockConfig>();
let config_space: Vec<u8> = vec![0u8; config_len as usize];
let config_space: Vec<u8> = vec![0u8; config_len];
let (_, mut config_space) = master
.get_config(

View File

@@ -229,8 +229,8 @@ impl Endpoint {
})?;
regions.push(VhostUserMemoryRegionInfo {
guest_phys_addr: guest_phys_addr.raw_value() as u64,
memory_size: region.len() as u64,
guest_phys_addr: guest_phys_addr.raw_value(),
memory_size: region.len(),
userspace_addr: userspace_addr as *const u8 as u64,
mmap_offset: file_offset.start(),
mmap_handle: file_offset.file().as_raw_fd(),
@@ -330,8 +330,8 @@ impl Endpoint {
.map_err(|_| VirtioError::InvalidGuestAddress(guest_phys_addr))?;
regions.push(VhostUserMemoryRegionInfo {
guest_phys_addr: guest_phys_addr.raw_value() as u64,
memory_size: region.len() as u64,
guest_phys_addr: guest_phys_addr.raw_value(),
memory_size: region.len(),
userspace_addr: userspace_addr as *const u8 as u64,
mmap_offset: file_offset.start(),
mmap_handle: file_offset.file().as_raw_fd(),
@@ -342,7 +342,7 @@ impl Endpoint {
// 9. setup vrings
for queue_cfg in config.virtio_config.queues.iter() {
master.set_vring_num(queue_cfg.index() as usize, queue_cfg.actual_size() as u16)?;
master.set_vring_num(queue_cfg.index() as usize, queue_cfg.actual_size())?;
info!(
"{}: set_vring_num(idx: {}, size: {})",
self.name,

View File

@@ -55,9 +55,9 @@ impl VsockStream for HybridStream {
let mut flag = unsafe { libc::fcntl(fd, libc::F_GETFL) };
if nonblocking {
flag = flag | libc::O_NONBLOCK;
flag |= libc::O_NONBLOCK;
} else {
flag = flag & !libc::O_NONBLOCK;
flag |= !libc::O_NONBLOCK;
}
let ret = unsafe { libc::fcntl(fd, libc::F_SETFL, flag) };

View File

@@ -729,10 +729,10 @@ mod tests {
use vm_memory::{GuestAddress, GuestMemoryMmap, MmapRegion};
use super::*;
use crate::config_manager::DeviceInfoGroup;
use crate::config_manager::DeviceConfigInfo;
use crate::test_utils::tests::create_vm_for_test;
type VfioDeviceInfo = DeviceInfoGroup<VfioDeviceConfigInfo, VfioDeviceError>;
type VfioDeviceInfo = DeviceConfigInfo<VfioDeviceConfigInfo, VfioDeviceError>;
fn get_vfio_dev_mgr() -> VfioDeviceMgr {
let kvm = Kvm::new().unwrap();

View File

@@ -320,7 +320,7 @@ pub struct Vcpu {
type VcpuCell = Cell<Option<*const Vcpu>>;
impl Vcpu {
thread_local!(static TLS_VCPU_PTR: VcpuCell = Cell::new(None));
thread_local!(static TLS_VCPU_PTR: VcpuCell = const { Cell::new(None) });
/// Associates `self` with the current thread.
///

View File

@@ -484,6 +484,7 @@ impl VcpuManager {
/// Get available vcpus to create with target vcpu_count
/// Argument:
/// * vcpu_count: target vcpu_count online in VcpuManager.
///
/// Return:
/// * return available vcpu ids to create vcpu .
fn calculate_available_vcpus(&self, vcpu_count: u8) -> Vec<u8> {

63
src/libs/Cargo.lock generated
View File

@@ -400,6 +400,15 @@ dependencies = [
"syn 2.0.66",
]
[[package]]
name = "deranged"
version = "0.3.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
dependencies = [
"powerfmt",
]
[[package]]
name = "derive-new"
version = "0.5.9"
@@ -676,6 +685,15 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "home"
version = "0.5.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "http"
version = "0.2.8"
@@ -983,6 +1001,12 @@ dependencies = [
"winapi",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-integer"
version = "0.1.44"
@@ -1120,6 +1144,12 @@ version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "ppv-lite86"
version = "0.2.16"
@@ -1544,9 +1574,9 @@ checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
[[package]]
name = "serde"
version = "1.0.147"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d193d69bae983fc11a79df82342761dfbf28a99fc8d203dca4c3c1b590948965"
checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
dependencies = [
"serde_derive",
]
@@ -1583,13 +1613,13 @@ checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"
[[package]]
name = "serde_derive"
version = "1.0.147"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4f1d362ca8fc9c3e3a7484440752472d68a6caa98f1ab81d99b5dfe517cec852"
checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
dependencies = [
"proc-macro2",
"quote",
"syn 1.0.91",
"syn 2.0.66",
]
[[package]]
@@ -1703,7 +1733,7 @@ dependencies = [
"slog",
"term",
"thread_local",
"time 0.3.22",
"time 0.3.37",
]
[[package]]
@@ -1889,13 +1919,16 @@ dependencies = [
[[package]]
name = "time"
version = "0.3.22"
version = "0.3.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea9e1b3cf1243ae005d9e74085d4d542f3125458f3a81af210d901dcd7411efd"
checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
dependencies = [
"deranged",
"itoa",
"libc",
"num-conv",
"num_threads",
"powerfmt",
"serde",
"time-core",
"time-macros",
@@ -1903,16 +1936,17 @@ dependencies = [
[[package]]
name = "time-core"
version = "0.1.1"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb"
checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
[[package]]
name = "time-macros"
version = "0.2.9"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "372950940a5f07bf38dbe211d7283c9e6d7327df53794992d293e534c733d09b"
checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
dependencies = [
"num-conv",
"time-core",
]
@@ -2015,14 +2049,15 @@ checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"
[[package]]
name = "ttrpc"
version = "0.8.1"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "55ea338db445bee75c596cf8a478fbfcefad5a943c9e92a7e1c805c65ed39551"
checksum = "2c580c498a547b4c083ec758be543e11a0772e03013aef4cdb1fbe77c8b62cae"
dependencies = [
"async-trait",
"byteorder",
"crossbeam",
"futures",
"home",
"libc",
"log",
"nix 0.26.4",

View File

@@ -9,12 +9,17 @@ use anyhow::anyhow;
use anyhow::Result;
use serde::{Deserialize, Serialize};
use std::fmt;
#[cfg(all(target_arch = "powerpc64", target_endian = "little"))]
use std::fs;
#[cfg(target_arch = "x86_64")]
use std::path::Path;
use std::path::PathBuf;
use thiserror::Error;
#[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))]
#[cfg(any(
target_arch = "s390x",
all(target_arch = "powerpc64", target_endian = "little")
))]
use nix::unistd::Uid;
#[cfg(target_arch = "x86_64")]
@@ -198,7 +203,6 @@ pub fn arch_guest_protection(
#[cfg(target_arch = "s390x")]
#[allow(dead_code)]
// Guest protection is not supported on ARM64.
pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> {
if !Uid::effective().is_root() {
return Err(ProtectionError::NoPerms)?;
@@ -234,18 +238,21 @@ pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError>
Ok(GuestProtection::Se)
}
#[cfg(target_arch = "powerpc64le")]
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
#[cfg(all(target_arch = "powerpc64", target_endian = "little"))]
const PEF_SYS_FIRMWARE_DIR: &str = "/sys/firmware/ultravisor/";
#[cfg(all(target_arch = "powerpc64", target_endian = "little"))]
pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> {
if !Uid::effective().is_root() {
return Err(check::ProtectionError::NoPerms);
return Err(ProtectionError::NoPerms);
}
let metadata = fs::metadata(PEF_SYS_FIRMWARE_DIR);
if metadata.is_ok() && metadata.unwrap().is_dir() {
Ok(check::GuestProtection::Pef)
return Ok(GuestProtection::Pef);
}
Ok(check::GuestProtection::NoProtection)
Ok(GuestProtection::NoProtection)
}
#[cfg(target_arch = "aarch64")]

View File

@@ -227,9 +227,6 @@ pub const KATA_ANNO_CFG_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR: &str =
/// A sandbox annotation that is used to enable/disable virtio-mem.
pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_MEM: &str =
"io.katacontainers.config.hypervisor.enable_virtio_mem";
/// A sandbox annotation to enable swap of vm memory.
pub const KATA_ANNO_CFG_HYPERVISOR_ENABLE_SWAP: &str =
"io.katacontainers.config.hypervisor.enable_swap";
/// A sandbox annotation to enable swap in the guest.
pub const KATA_ANNO_CFG_HYPERVISOR_ENABLE_GUEST_SWAP: &str =
"io.katacontainers.config.hypervisor.enable_guest_swap";
@@ -786,14 +783,6 @@ impl Annotation {
return Err(bool_err);
}
},
KATA_ANNO_CFG_HYPERVISOR_ENABLE_SWAP => match self.get_value::<bool>(key) {
Ok(r) => {
hv.memory_info.enable_swap = r.unwrap_or_default();
}
Err(_e) => {
return Err(bool_err);
}
},
KATA_ANNO_CFG_HYPERVISOR_ENABLE_GUEST_SWAP => match self.get_value::<bool>(key)
{
Ok(r) => {

View File

@@ -499,7 +499,7 @@ pub struct DeviceInfo {
///
/// Enabling this will result in the VM balloon device having f_reporting=on set
#[serde(default)]
pub enable_balloon_f_reporting: bool,
pub reclaim_guest_freed_memory: bool,
}
impl DeviceInfo {
@@ -708,12 +708,6 @@ pub struct MemoryInfo {
#[serde(default)]
pub enable_virtio_mem: bool,
/// Enable swap of vm memory. Default false.
///
/// The behaviour is undefined if mem_prealloc is also set to true
#[serde(default)]
pub enable_swap: bool,
/// Enable swap in the guest. Default false.
///
/// When enable_guest_swap is enabled, insert a raw file to the guest as the swap device if the

View File

@@ -22,8 +22,10 @@ pub const DRIVER_VFIO_PCI_GK_TYPE: &str = "vfio-pci-gk";
/// VFIO PCI device to be bound to vfio-pci and made available inside the
/// container as a VFIO device node
pub const DRIVER_VFIO_PCI_TYPE: &str = "vfio-pci";
/// DRIVER_VFIO_AP_TYPE is the device driver for vfio-ap.
/// DRIVER_VFIO_AP_TYPE is the device driver for vfio-ap hotplug.
pub const DRIVER_VFIO_AP_TYPE: &str = "vfio-ap";
/// DRIVER_VFIO_AP_COLD_TYPE is the device driver for vfio-ap coldplug.
pub const DRIVER_VFIO_AP_COLD_TYPE: &str = "vfio-ap-cold";
/// DRIVER_9P_TYPE is the driver for 9pfs volume.
pub const DRIVER_9P_TYPE: &str = "9p";

View File

@@ -11,7 +11,7 @@ mod tests {
KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_DRIVER, KATA_ANNO_CFG_HYPERVISOR_CTLPATH,
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_MEMORY, KATA_ANNO_CFG_HYPERVISOR_DEFAULT_VCPUS,
KATA_ANNO_CFG_HYPERVISOR_ENABLE_GUEST_SWAP, KATA_ANNO_CFG_HYPERVISOR_ENABLE_HUGEPAGES,
KATA_ANNO_CFG_HYPERVISOR_ENABLE_IO_THREADS, KATA_ANNO_CFG_HYPERVISOR_ENABLE_SWAP,
KATA_ANNO_CFG_HYPERVISOR_ENABLE_IO_THREADS
KATA_ANNO_CFG_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR,
KATA_ANNO_CFG_HYPERVISOR_GUEST_HOOK_PATH, KATA_ANNO_CFG_HYPERVISOR_JAILER_PATH,
KATA_ANNO_CFG_HYPERVISOR_KERNEL_PATH, KATA_ANNO_CFG_HYPERVISOR_MEMORY_PREALLOC,
@@ -129,10 +129,6 @@ mod tests {
KATA_ANNO_CFG_HYPERVISOR_ENABLE_IO_THREADS.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CFG_HYPERVISOR_ENABLE_SWAP.to_string(),
"false".to_string(),
);
anno_hash.insert(
KATA_ANNO_CFG_HYPERVISOR_FILE_BACKED_MEM_ROOT_DIR.to_string(),
"./test_file_backend_mem_root".to_string(),
@@ -201,7 +197,6 @@ mod tests {
assert_eq!(hv.memory_info.default_memory, 100);
assert!(!hv.enable_iothreads);
assert!(!hv.enable_iothreads);
assert!(!hv.memory_info.enable_swap);
assert_eq!(
hv.memory_info.file_mem_backend,
"./test_file_backend_mem_root"

View File

@@ -19,7 +19,7 @@ default_maxvcpus = 64
machine_type = "q35"
confidential_guest = true
rootless = true
enable_annotations = ["shared_fs","path", "ctlpath","jailer_path","enable_iothreads","default_memory","memory_slots","enable_mem_prealloc","enable_hugepages","file_mem_backend","enable_virtio_mem","enable_swap","enable_guest_swap","default_vcpus","virtio_fs_extra_args","block_device_driver","vhost_user_store_path","kernel","guest_hook_path","block_device_cache_noflush","virtio_fs_daemon"]
enable_annotations = ["shared_fs","path", "ctlpath","jailer_path","enable_iothreads","default_memory","memory_slots","enable_mem_prealloc","enable_hugepages","file_mem_backend","enable_virtio_mem","enable_guest_swap","default_vcpus","virtio_fs_extra_args","block_device_driver","vhost_user_store_path","kernel","guest_hook_path","block_device_cache_noflush","virtio_fs_daemon"]
machine_accelerators="noapic"
default_bridges = 2
default_memory = 128
@@ -46,7 +46,6 @@ enable_iommu = true
enable_iommu_platform = true
file_mem_backend = "/dev/shm"
valid_file_mem_backends = ["/dev/shm","/dev/snd","./test_file_backend_mem_root"]
enable_swap = true
pflashes = ["/proc/mounts"]
enable_debug = true
msize_9p = 16384

View File

@@ -45,7 +45,6 @@ enable_iommu = true
enable_iommu_platform = true
file_mem_backend = "/dev/shm"
valid_file_mem_backends = ["/dev/shm"]
enable_swap = true
pflashes = ["/proc/mounts"]
enable_debug = true
msize_9p = 16384

View File

@@ -11,7 +11,7 @@ with-serde = []
async = ["ttrpc/async", "async-trait"]
[dependencies]
ttrpc = "0.8"
ttrpc = "0.8.4"
async-trait = { version = "0.1.42", optional = true }
protobuf = { version = "3.2.0" }
serde = { version = "1.0.130", features = ["derive"] }

View File

@@ -229,6 +229,8 @@ fn real_main() -> Result<(), std::io::Error> {
false,
)?;
codegen("src", &["protos/cri-api/api.proto"], false)?;
// There is a message named 'Box' in oci.proto
// so there is a struct named 'Box', we should replace Box<Self> to ::std::boxed::Box<Self>
// to avoid the conflict.

File diff suppressed because it is too large Load Diff

View File

@@ -25,6 +25,7 @@ pub mod remote;
pub mod remote_ttrpc;
#[cfg(feature = "async")]
pub mod remote_ttrpc_async;
pub mod api;
#[cfg(feature = "with-serde")]
pub use serde_config::{

View File

@@ -49,9 +49,9 @@
//!
//! The work is inspired by:
//! - [`filepath-securejoin`](https://github.com/cyphar/filepath-securejoin): secure_join() written
//! in Go.
//! in Go.
//! - [CVE-2021-30465](https://github.com/advisories/GHSA-c3xm-pvg7-gh7r): symlink related TOCTOU
//! flaw in `runC`.
//! flaw in `runC`.
#![deny(missing_docs)]

View File

@@ -37,8 +37,10 @@ fn get_uds_with_sid(short_id: &str, path: &str) -> Result<String> {
return Ok(format!("unix://{}", p.display()));
}
let _ = fs::create_dir_all(kata_run_path.join(short_id))
.context(format!("failed to create directory {:?}", kata_run_path.join(short_id)));
let _ = fs::create_dir_all(kata_run_path.join(short_id)).context(format!(
"failed to create directory {:?}",
kata_run_path.join(short_id)
));
let target_ids: Vec<String> = fs::read_dir(&kata_run_path)?
.filter_map(|e| {
@@ -71,8 +73,11 @@ fn get_uds_with_sid(short_id: &str, path: &str) -> Result<String> {
}
// return sandbox's storage path
pub fn sb_storage_path() -> String {
String::from(KATA_PATH)
pub fn sb_storage_path() -> Result<&'static str> {
//make sure the path existed
std::fs::create_dir_all(KATA_PATH).context(format!("failed to create dir: {}", KATA_PATH))?;
Ok(KATA_PATH)
}
// returns the address of the unix domain socket(UDS) for communication with shim
@@ -85,7 +90,7 @@ pub fn mgmt_socket_addr(sid: &str) -> Result<String> {
));
}
get_uds_with_sid(sid, &sb_storage_path())
get_uds_with_sid(sid, &sb_storage_path()?)
}
#[cfg(test)]

View File

@@ -513,6 +513,7 @@ dependencies = [
"oci-spec",
"persist",
"protobuf 3.2.0",
"protocols",
"resource",
"runtime-spec",
"serde_json",
@@ -571,7 +572,7 @@ dependencies = [
"signal-hook",
"signal-hook-tokio",
"thiserror",
"time 0.3.31",
"time 0.3.37",
"tokio",
"windows-sys 0.48.0",
]
@@ -1579,6 +1580,15 @@ dependencies = [
"digest 0.10.7",
]
[[package]]
name = "home"
version = "0.5.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "http"
version = "0.2.9"
@@ -2279,6 +2289,12 @@ dependencies = [
"winapi",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-traits"
version = "0.2.16"
@@ -3889,7 +3905,7 @@ dependencies = [
"serde",
"serde_json",
"slog",
"time 0.3.31",
"time 0.3.37",
]
[[package]]
@@ -3924,7 +3940,7 @@ dependencies = [
"slog",
"term",
"thread_local",
"time 0.3.31",
"time 0.3.37",
]
[[package]]
@@ -4191,13 +4207,14 @@ dependencies = [
[[package]]
name = "time"
version = "0.3.31"
version = "0.3.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f657ba42c3f86e7680e53c8cd3af8abbe56b5491790b46e22e19c0d57463583e"
checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
dependencies = [
"deranged",
"itoa",
"libc",
"num-conv",
"num_threads",
"powerfmt",
"serde",
@@ -4213,10 +4230,11 @@ checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
[[package]]
name = "time-macros"
version = "0.2.16"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26197e33420244aeb70c3e8c78376ca46571bc4e701e4791c2cd9f57dcb3a43f"
checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
dependencies = [
"num-conv",
"time-core",
]
@@ -4426,14 +4444,15 @@ checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed"
[[package]]
name = "ttrpc"
version = "0.8.1"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "55ea338db445bee75c596cf8a478fbfcefad5a943c9e92a7e1c805c65ed39551"
checksum = "2c580c498a547b4c083ec758be543e11a0772e03013aef4cdb1fbe77c8b62cae"
dependencies = [
"async-trait",
"byteorder",
"crossbeam",
"futures 0.3.28",
"home",
"libc",
"log",
"nix 0.26.2",
@@ -4629,6 +4648,7 @@ dependencies = [
"serde_json",
"slog",
"slog-scope",
"strum 0.24.1",
"tokio",
"toml 0.4.10",
"tracing",

View File

@@ -5,7 +5,7 @@
#
MACHINETYPE :=
KERNELPARAMS :=
KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
MACHINEACCELERATORS :=
CPUFEATURES := pmu=off

View File

@@ -5,7 +5,7 @@
#
MACHINETYPE := pseries
KERNELPARAMS :=
KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
MACHINEACCELERATORS := "cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-large-decr=off,cap-ccf-assist=off"
CPUFEATURES := pmu=off

View File

@@ -5,7 +5,7 @@
#
MACHINETYPE := s390-ccw-virtio
KERNELPARAMS :=
KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
MACHINEACCELERATORS :=
CPUFEATURES :=

View File

@@ -5,7 +5,8 @@
#
MACHINETYPE := q35
KERNELPARAMS :=
KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
KERNELTDXPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
MACHINEACCELERATORS :=
CPUFEATURES := pmu=off

View File

@@ -158,10 +158,25 @@ virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
# > 5 --> will be set to 5
default_bridges = @DEFBRIDGES@
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device.
block_device_driver = "virtio-blk-pci"
# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -98,11 +98,15 @@ default_maxvcpus = @DEFMAXVCPUS_DB@
# > 5 --> will be set to 5
default_bridges = @DEFBRIDGES@
# Enable balloon f_reporting
# Enabling this will result in the VM balloon device having f_reporting=on set
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#enable_balloon_f_reporting = true
#reclaim_guest_freed_memory = true
# Default memory size in MiB for SB/VM.
# If unspecified then it will be set @DEFMEMSZ@ MiB.
@@ -200,6 +204,11 @@ virtio_fs_extra_args = @DEFVIRTIOFSEXTRAARGS@
# Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -143,6 +143,16 @@ default_maxvcpus = @DEFMAXVCPUS_QEMU@
# > 5 --> will be set to 5
default_bridges = @DEFBRIDGES@
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Default memory size in MiB for SB/VM.
# If unspecified then it will be set @DEFMEMSZ@ MiB.
default_memory = @DEFMEMSZ@

View File

@@ -121,11 +121,6 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
# Default false
#block_device_cache_set = true
# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true
# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false

View File

@@ -17,7 +17,7 @@ serde = { version = "^1.0", features = ["derive"] }
serde_json = ">=1.0.9"
slog = "2.5.2"
slog-scope = "4.4.0"
ttrpc = "0.8"
ttrpc = "0.8.4"
tokio = { version = "1.38.0", features = ["fs", "rt"] }
tracing = "0.1.36"
url = "2.2.2"

View File

@@ -28,7 +28,7 @@ rand = "0.8.4"
path-clean = "1.0.1"
lazy_static = "1.4"
tracing = "0.1.36"
ttrpc = {version = "0.8.1", features = ["async"] }
ttrpc = { version = "0.8.4", features = ["async"] }
protobuf = "3.1.0"
kata-sys-util = { path = "../../../libs/kata-sys-util" }
@@ -46,15 +46,28 @@ safe-path = "0.1.0"
crossbeam-channel = "0.5.6"
tempdir = "0.3.7"
qapi = { version = "0.14", features = [ "qmp", "async-tokio-all" ] }
qapi = { version = "0.14", features = ["qmp", "async-tokio-all"] }
qapi-spec = "0.3.1"
qapi-qmp = "0.14.0"
[target.'cfg(not(target_arch = "s390x"))'.dependencies]
dragonball = { path = "../../../dragonball", features = ["atomic-guest-memory", "virtio-vsock", "hotplug", "virtio-blk", "virtio-net", "virtio-fs", "vhost-net", "dbs-upcall", "virtio-mem", "virtio-balloon", "vhost-user-net", "host-device"], optional = true }
dragonball = { path = "../../../dragonball", features = [
"atomic-guest-memory",
"virtio-vsock",
"hotplug",
"virtio-blk",
"virtio-net",
"virtio-fs",
"vhost-net",
"dbs-upcall",
"virtio-mem",
"virtio-balloon",
"vhost-user-net",
"host-device",
], optional = true }
dbs-utils = { path = "../../../dragonball/src/dbs_utils" }
hyperlocal = "0.8.0"
hyper = {version = "0.14.18", features = ["client"]}
hyper = { version = "0.14.18", features = ["client"] }
[features]
default = []
@@ -76,3 +89,8 @@ serial_test = "2.0.0"
[build-dependencies]
ttrpc-codegen = "0.4.2"
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [
'cfg(feature, values("enable-vendor"))',
] }

View File

@@ -180,6 +180,15 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
let platform = get_platform_cfg(guest_protection_to_use);
let balloon = if cfg.device_info.reclaim_guest_freed_memory {
Some(crate::BalloonConfig {
free_page_reporting: true,
..Default::default()
})
} else {
None
};
let cfg = VmConfig {
cpus,
memory,
@@ -193,6 +202,7 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
vsock: Some(vsock),
rng,
platform,
balloon,
..Default::default()
};
@@ -1643,7 +1653,6 @@ mod tests {
result: Result<VmConfig, VmConfigError>,
}
let u8_max = std::u8::MAX;
let sysinfo = nix::sys::sysinfo::sysinfo().unwrap();
let actual_max_mem_bytes = sysinfo.ram_total();
@@ -1669,8 +1678,8 @@ mod tests {
let valid_vsock =
VsockConfig::try_from((vsock_socket_path.to_string(), DEFAULT_VSOCK_CID)).unwrap();
let (cpu_info, cpus_config) = make_cpu_objects(7, u8_max, false);
let (cpu_info_tdx, cpus_config_tdx) = make_cpu_objects(7, u8_max, true);
let (cpu_info, cpus_config) = make_cpu_objects(7, u8::MAX, false);
let (cpu_info_tdx, cpus_config_tdx) = make_cpu_objects(7, u8::MAX, true);
let (memory_info_std, mem_config_std) =
make_memory_objects(79, usable_max_mem_bytes, false);

View File

@@ -446,8 +446,6 @@ pub struct VmConfig {
pub numa: Option<Vec<NumaConfig>>,
#[serde(default)]
pub watchdog: bool,
#[cfg(feature = "guest_debug")]
pub gdb: bool,
#[serde(skip_serializing_if = "Option::is_none")]
pub platform: Option<PlatformConfig>,
}

View File

@@ -27,7 +27,7 @@ pub struct CloudHypervisorInner {
pub(crate) api_socket: Option<UnixStream>,
pub(crate) extra_args: Option<Vec<String>>,
pub(crate) config: Option<HypervisorConfig>,
pub(crate) config: HypervisorConfig,
pub(crate) process: Option<Child>,
pub(crate) pid: Option<u32>,
@@ -101,7 +101,7 @@ impl CloudHypervisorInner {
process: None,
pid: None,
config: None,
config: Default::default(),
state: VmmState::NotReady,
timeout_secs: CH_DEFAULT_TIMEOUT_SECS as i32,
id: String::default(),
@@ -124,11 +124,11 @@ impl CloudHypervisorInner {
}
pub fn set_hypervisor_config(&mut self, config: HypervisorConfig) {
self.config = Some(config);
self.config = config;
}
pub fn hypervisor_config(&self) -> HypervisorConfig {
self.config.clone().unwrap_or_default()
self.config.clone()
}
}
@@ -168,7 +168,7 @@ impl Persist for CloudHypervisorInner {
let (tx, rx) = channel(true);
let mut ch = Self {
config: Some(hypervisor_state.config),
config: hypervisor_state.config,
state: VmmState::NotReady,
id: hypervisor_state.id,
vm_path: hypervisor_state.vm_path,

View File

@@ -315,7 +315,8 @@ impl CloudHypervisorInner {
.ok_or("missing socket")
.map_err(|e| anyhow!(e))?;
let disk_config = DiskConfig::try_from(device.config)?;
let mut disk_config = DiskConfig::try_from(device.config.clone())?;
disk_config.direct = self.config.blockdev_info.block_device_cache_direct;
let response = cloud_hypervisor_vm_blockdev_add(
socket.try_clone().context("failed to clone socket")?,

View File

@@ -117,11 +117,7 @@ impl CloudHypervisorInner {
}
async fn get_kernel_params(&self) -> Result<String> {
let cfg = self
.config
.as_ref()
.ok_or("no hypervisor config for CH")
.map_err(|e| anyhow!(e))?;
let cfg = &self.config;
let enable_debug = cfg.debug_info.enable_debug;
@@ -200,15 +196,10 @@ impl CloudHypervisorInner {
let vsock_socket_path = get_vsock_path(&self.id)?;
let hypervisor_config = self
.config
.as_ref()
.ok_or("no hypervisor config for CH")
.map_err(|e| anyhow!(e))?;
debug!(
sl!(),
"generic Hypervisor configuration: {:?}", hypervisor_config
"generic Hypervisor configuration: {:?}",
self.config.clone()
);
let kernel_params = self.get_kernel_params().await?;
@@ -217,7 +208,7 @@ impl CloudHypervisorInner {
kernel_params,
sandbox_path,
vsock_socket_path,
cfg: hypervisor_config.clone(),
cfg: self.config.clone(),
guest_protection_to_use: self.guest_protection_to_use.clone(),
shared_fs_devices,
network_devices,
@@ -324,11 +315,7 @@ impl CloudHypervisorInner {
async fn cloud_hypervisor_launch(&mut self, _timeout_secs: i32) -> Result<()> {
self.cloud_hypervisor_ensure_not_launched().await?;
let cfg = self
.config
.as_ref()
.ok_or("no hypervisor config for CH")
.map_err(|e| anyhow!(e))?;
let cfg = &self.config;
let debug = cfg.debug_info.enable_debug;
@@ -338,13 +325,7 @@ impl CloudHypervisorInner {
let _ = std::fs::remove_file(api_socket_path.clone());
let binary_path = self
.config
.as_ref()
.ok_or("no hypervisor config for CH")
.map_err(|e| anyhow!(e))?
.path
.to_string();
let binary_path = cfg.path.to_string();
let path = Path::new(&binary_path).canonicalize()?;
@@ -567,11 +548,7 @@ impl CloudHypervisorInner {
// call, if confidential_guest is set, a confidential
// guest will be created.
async fn handle_guest_protection(&mut self) -> Result<()> {
let cfg = self
.config
.as_ref()
.ok_or("missing hypervisor config")
.map_err(|e| anyhow!(e))?;
let cfg = &self.config;
let confidential_guest = cfg.security_info.confidential_guest;

View File

@@ -491,7 +491,7 @@ impl DeviceManager {
let id = format!("{:x}", rand_bytes);
// check collision in devices
if self.devices.get(&id).is_none() {
if !self.devices.contains_key(&id) {
return Ok(id);
}
}

View File

@@ -177,6 +177,7 @@ pub struct HostDevice {
pub guest_pci_path: Option<PciPath>,
/// vfio_vendor for vendor's some special cases.
#[allow(unexpected_cfgs)]
#[cfg(feature = "enable-vendor")]
pub vfio_vendor: VfioVendor,
}
@@ -560,11 +561,8 @@ impl PCIeDevice for VfioDevice {
))?;
hostdev.guest_pci_path = Some(pci_path.clone());
self.device_options.push(format!(
"0000:{}={}",
hostdev.bus_slot_func,
pci_path.to_string()
));
self.device_options
.push(format!("0000:{}={}", hostdev.bus_slot_func, pci_path));
}
Ok(())

View File

@@ -33,9 +33,9 @@ impl PciSlot {
}
}
impl ToString for PciSlot {
fn to_string(&self) -> String {
format!("{:02x}", self.0)
impl std::fmt::Display for PciSlot {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
write!(f, "{:02x}", self.0)
}
}
@@ -116,14 +116,17 @@ impl PciPath {
}
}
impl ToString for PciPath {
// method to format the PciPath into a string
fn to_string(&self) -> String {
self.slots
.iter()
.map(|pci_slot| format!("{:02x}", pci_slot.0))
.collect::<Vec<String>>()
.join("/")
impl std::fmt::Display for PciPath {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
write!(
f,
"{}",
self.slots
.iter()
.map(|pci_slot| format!("{:02x}", pci_slot.0))
.collect::<Vec<String>>()
.join("/")
)
}
}

Some files were not shown because too many files have changed in this diff Show More