github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-02-22 14:54:23 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:3.18.0
Branches Tags
github:main github:dependabot/cargo/src/agent/tracing-9421c2f3ac github:dependabot/cargo/src/agent/tokio-c49fc46c2e github:dependabot/cargo/src/agent/clap-3aa4e9778d github:dependabot/cargo/src/tools/genpolicy/openssl-6888b711b6 github:topic/tests-lower-the-load-on-aks github:dependabot/cargo/src/tools/agent-ctl/keccak-0.1.6 github:sprt/disable-pmem github:topic/ci-lower-secrets-required github:disable-guest-empty-dir github:osv-scanner-bump-2.3.3 github:topic/oras-cache-still-not-working github:workflow-improvements github:bump-to-go-1.25 github:dependabot/go_modules/src/runtime/k8s.io/cri-api-0.35.0 github:dependabot/go_modules/src/runtime/github.com/BurntSushi/toml-1.6.0 github:dependabot/go_modules/src/runtime/github.com/go-openapi/runtime-0.29.2 github:topic/re-enable-sandboxapi-tests github:topic/main-no-cache github:topic/kata-deploy-upgrade github:copilot/replace-gperf-url-with-urls github:zizmor-update-to-1.20 github:dependabot/github_actions/actions/attest-build-provenance-3.2.0 github:dependabot/github_actions/docker/login-action-3.7.0 github:stale-issues-by-date github:dependabot/github_actions/tim-actions/wip-check-1.1.0 github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.9.0 github:dependabot/github_actions/actions/download-artifact-7.0.0 github:topic/arm64-increase-runner-timeout github:decouple-kernel-rootfs github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.10.0 github:topic/ovmf-tdx github:dependabot/cargo/kvm-ioctls-0.24.0 github:ci-test github:topic/move-builder-images-to-quay.io github:runtime-rs-stability-test github:runtime-rs-policy-debug github:numa-topology github:topic/stability-rs github:dependabot/cargo/vmm-sys-util-0.15.0 github:dependabot/cargo/vm-memory-0.16.2 github:fupan_test github:topic/tests-experimental-force-guest-pull-test-authenticated-registries github:fupan_tests github:dependabot/cargo/src/agent/tracing-subscriber-0.3.20 github:fupan_nontee_test github:sprt-patch-2 github:sprt/test-pr-up github:sprt/cleanup-policy-settings github:fix-create-container-timeout github:zvonkok-patch-1 github:amd64-nvidia-gpu-cicd-part2 github:burgerdev/codegen-test github:dependabot/go_modules/src/runtime/github.com/BurntSushi/toml-1.5.0 github:kata-tests-gh-cli-trigger github:topic/wainersm-ci_setup_kubectl github:topic/wainersm/fix_coco_stability_tests github:sprt/remove-ci-env github:revert-11466-blockfile github:saul/updateimg github:sprt/fix-validate-ok-to-test github:sprt-patch-1
github:3.27.0 github:3.26.0 github:3.25.0 github:3.24.0 github:3.23.0 github:3.22.0 github:3.21.0 github:3.20.0 github:3.19.1 github:3.19.0 github:3.18.0 github:3.17.0 github:3.16.0 github:3.15.0 github:3.14.0 github:3.13.0 github:3.12.0 github:3.11.0 github:3.10.1 github:3.10.0 github:3.9.0 github:3.8.0 github:3.7.0 github:3.6.0 github:3.5.0 github:3.4.0 github:release-3.4.0 github:3.3.0-test github:3.3.0 github:CC-0.8.1 github:CC-0.8.0 github:3.2.0 github:3.3.0-alpha0 github:3.2.0-rc0 github:3.2.0-alpha4 github:CC-0.7.0 github:3.1.3 github:CC-0.6.0 github:3.2.0-alpha3 github:3.2.0-alpha2 github:3.1.2 github:3.2.0-alpha1 github:3.1.1 github:CC-0.5.0 github:3.2.0-alpha0 github:3.1.0 github:CC-0.4.0 github:3.0.2 github:3.1.0-rc0 github:CC-0.3.0 github:3.0.1 github:3.1.0-alpha1 github:CC-0.2.0 github:3.0.0 github:3.1.0-alpha0 github:2.5.2 github:3.0.0-rc1 github:3.0.0-rc0 github:3.0.0-alpha1 github:untagged-b5b6198308b02e3a2666 github:2.5.1 github:3.0.0-alpha0 github:2.5.0 github:2.4.3 github:2.5.0-rc0 github:2.4.2 github:2.5.0-alpha2 github:2.5.0-alpha1 github:2.4.1 github:2.4.0 github:2.5.0-alpha0 github:2.4.0-rc0 github:2.3.3 github:2.3.2 github:2.4.0-alpha2 github:2.3.1 github:2.4.0-alpha1 github:2.3.0 github:2.4.0-alpha0 github:2.3.0-rc1 github:2.2.3 github:2.3.0-rc0 github:2.2.2 github:2.3.0-alpha2 github:2.2.1 github:2.3.0-alpha1 github:2.3.0-alpha0 github:2.2.0 github:2.2.0-rc0 github:2.2.0-alpha1 github:2.1.1 github:2.2.0-alpha0 github:2.1.0 github:2.0.4 github:2.1.0-rc0 github:2.0.3 github:2.1.0-alpha2 github:2.1.0-alpha0 github:2.1.0-alpha1 github:2.1-alpha1 github:2.0.2 github:1.13.0-alpha0 github:2.0.1 github:1.12.1 github:2.1-alpha0 github:1.11.5 github:1.12.0 github:1.12.0-rc0 github:1.11.4 github:1.10.8 github:2.0.0 github:2.0.0-rc1 github:untagged-c2a61792b39392572d0f github:2.0.0-rc0 github:1.11.3 github:1.10.7 github:1.12.0-alpha1 github:2.0.0-alpha3 github:1.10.6 github:1.11.2 github:1.12.0-alpha0 github:2.0.0-alpha2 github:1.10.5 github:1.11.1 github:2.0.0-alpha1 github:1.11.0 github:1.10.4 github:1.9.7 github:1.10.3 github:1.11.0-rc0 github:1.9.6 github:1.11.0-alpha1 github:1.10.1 github:1.9.5 github:1.11.0-alpha0 github:1.9.4 github:1.10.0 github:1.9.3 github:1.10.0-rc0 github:1.9.0-rc0 github:1.9.0-alpha2 github:1.9.0-alpha0 github:stable-1.8.2 github:stable-1.8-test.0
...
compare: github:3.19.1
Branches Tags
github:main github:dependabot/cargo/src/agent/tracing-9421c2f3ac github:dependabot/cargo/src/agent/tokio-c49fc46c2e github:dependabot/cargo/src/agent/clap-3aa4e9778d github:dependabot/cargo/src/tools/genpolicy/openssl-6888b711b6 github:topic/tests-lower-the-load-on-aks github:dependabot/cargo/src/tools/agent-ctl/keccak-0.1.6 github:sprt/disable-pmem github:topic/ci-lower-secrets-required github:disable-guest-empty-dir github:osv-scanner-bump-2.3.3 github:topic/oras-cache-still-not-working github:workflow-improvements github:bump-to-go-1.25 github:dependabot/go_modules/src/runtime/k8s.io/cri-api-0.35.0 github:dependabot/go_modules/src/runtime/github.com/BurntSushi/toml-1.6.0 github:dependabot/go_modules/src/runtime/github.com/go-openapi/runtime-0.29.2 github:topic/re-enable-sandboxapi-tests github:topic/main-no-cache github:topic/kata-deploy-upgrade github:copilot/replace-gperf-url-with-urls github:zizmor-update-to-1.20 github:dependabot/github_actions/actions/attest-build-provenance-3.2.0 github:dependabot/github_actions/docker/login-action-3.7.0 github:stale-issues-by-date github:dependabot/github_actions/tim-actions/wip-check-1.1.0 github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.9.0 github:dependabot/github_actions/actions/download-artifact-7.0.0 github:topic/arm64-increase-runner-timeout github:decouple-kernel-rootfs github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.10.0 github:topic/ovmf-tdx github:dependabot/cargo/kvm-ioctls-0.24.0 github:ci-test github:topic/move-builder-images-to-quay.io github:runtime-rs-stability-test github:runtime-rs-policy-debug github:numa-topology github:topic/stability-rs github:dependabot/cargo/vmm-sys-util-0.15.0 github:dependabot/cargo/vm-memory-0.16.2 github:fupan_test github:topic/tests-experimental-force-guest-pull-test-authenticated-registries github:fupan_tests github:dependabot/cargo/src/agent/tracing-subscriber-0.3.20 github:fupan_nontee_test github:sprt-patch-2 github:sprt/test-pr-up github:sprt/cleanup-policy-settings github:fix-create-container-timeout github:zvonkok-patch-1 github:amd64-nvidia-gpu-cicd-part2 github:burgerdev/codegen-test github:dependabot/go_modules/src/runtime/github.com/BurntSushi/toml-1.5.0 github:kata-tests-gh-cli-trigger github:topic/wainersm-ci_setup_kubectl github:topic/wainersm/fix_coco_stability_tests github:sprt/remove-ci-env github:revert-11466-blockfile github:saul/updateimg github:sprt/fix-validate-ok-to-test github:sprt-patch-1
github:3.27.0 github:3.26.0 github:3.25.0 github:3.24.0 github:3.23.0 github:3.22.0 github:3.21.0 github:3.20.0 github:3.19.1 github:3.19.0 github:3.18.0 github:3.17.0 github:3.16.0 github:3.15.0 github:3.14.0 github:3.13.0 github:3.12.0 github:3.11.0 github:3.10.1 github:3.10.0 github:3.9.0 github:3.8.0 github:3.7.0 github:3.6.0 github:3.5.0 github:3.4.0 github:release-3.4.0 github:3.3.0-test github:3.3.0 github:CC-0.8.1 github:CC-0.8.0 github:3.2.0 github:3.3.0-alpha0 github:3.2.0-rc0 github:3.2.0-alpha4 github:CC-0.7.0 github:3.1.3 github:CC-0.6.0 github:3.2.0-alpha3 github:3.2.0-alpha2 github:3.1.2 github:3.2.0-alpha1 github:3.1.1 github:CC-0.5.0 github:3.2.0-alpha0 github:3.1.0 github:CC-0.4.0 github:3.0.2 github:3.1.0-rc0 github:CC-0.3.0 github:3.0.1 github:3.1.0-alpha1 github:CC-0.2.0 github:3.0.0 github:3.1.0-alpha0 github:2.5.2 github:3.0.0-rc1 github:3.0.0-rc0 github:3.0.0-alpha1 github:untagged-b5b6198308b02e3a2666 github:2.5.1 github:3.0.0-alpha0 github:2.5.0 github:2.4.3 github:2.5.0-rc0 github:2.4.2 github:2.5.0-alpha2 github:2.5.0-alpha1 github:2.4.1 github:2.4.0 github:2.5.0-alpha0 github:2.4.0-rc0 github:2.3.3 github:2.3.2 github:2.4.0-alpha2 github:2.3.1 github:2.4.0-alpha1 github:2.3.0 github:2.4.0-alpha0 github:2.3.0-rc1 github:2.2.3 github:2.3.0-rc0 github:2.2.2 github:2.3.0-alpha2 github:2.2.1 github:2.3.0-alpha1 github:2.3.0-alpha0 github:2.2.0 github:2.2.0-rc0 github:2.2.0-alpha1 github:2.1.1 github:2.2.0-alpha0 github:2.1.0 github:2.0.4 github:2.1.0-rc0 github:2.0.3 github:2.1.0-alpha2 github:2.1.0-alpha0 github:2.1.0-alpha1 github:2.1-alpha1 github:2.0.2 github:1.13.0-alpha0 github:2.0.1 github:1.12.1 github:2.1-alpha0 github:1.11.5 github:1.12.0 github:1.12.0-rc0 github:1.11.4 github:1.10.8 github:2.0.0 github:2.0.0-rc1 github:untagged-c2a61792b39392572d0f github:2.0.0-rc0 github:1.11.3 github:1.10.7 github:1.12.0-alpha1 github:2.0.0-alpha3 github:1.10.6 github:1.11.2 github:1.12.0-alpha0 github:2.0.0-alpha2 github:1.10.5 github:1.11.1 github:2.0.0-alpha1 github:1.11.0 github:1.10.4 github:1.9.7 github:1.10.3 github:1.11.0-rc0 github:1.9.6 github:1.11.0-alpha1 github:1.10.1 github:1.9.5 github:1.11.0-alpha0 github:1.9.4 github:1.10.0 github:1.9.3 github:1.10.0-rc0 github:1.9.0-rc0 github:1.9.0-alpha2 github:1.9.0-alpha0 github:stable-1.8.2 github:stable-1.8-test.0

260 Commits
3.18.0 ... 3.19.1

Author SHA1 Message Date
Fabiano Fidêncio
acae4480ac Merge pull request #11604 from fidencio/release/3.19.1 
release: Bump version to 3.19.1
 2025-07-22 09:00:15 +02:00
Fabiano Fidêncio
0220b4d661 release: Bump version to 3.19.1 
As there were a few moderate security vulnerability fixes missed as part
of the 3.19.0 release.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-21 20:09:21 +02:00
Steve Horsman
09efcfbd86 Merge pull request #11606 from kata-containers/dependabot/cargo/src/tools/genpolicy/zerocopy-0.6.6 
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
 2025-07-21 18:58:56 +01:00
Steve Horsman
9f04d8e121 Merge pull request #11605 from kata-containers/dependabot/cargo/src/tools/kata-ctl/unsafe-libyaml-0.2.11 
build(deps): bump unsafe-libyaml from 0.2.9 to 0.2.11 in /src/tools/kata-ctl
 2025-07-21 18:50:01 +01:00
dependabot[bot]
a9c8377073 build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy 
---
updated-dependencies:
- dependency-name: zerocopy
  dependency-version: 0.6.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-21 12:50:38 +00:00
dependabot[bot]
0b4c434ece build(deps): bump unsafe-libyaml in /src/tools/kata-ctl 
Bumps [unsafe-libyaml](https://github.com/dtolnay/unsafe-libyaml) from 0.2.9 to 0.2.11.
- [Release notes](https://github.com/dtolnay/unsafe-libyaml/releases)
- [Commits](https://github.com/dtolnay/unsafe-libyaml/compare/0.2.9...0.2.11)

---
updated-dependencies:
- dependency-name: unsafe-libyaml
  dependency-version: 0.2.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-21 12:46:27 +00:00
Fabiano Fidêncio
35629d0690 Merge pull request #11603 from stevenhorsman/security-updates-21-jul 
dependencies: More crate bumps to resolve security issues
 2025-07-21 14:33:07 +02:00
stevenhorsman
162ba19b85 agent-ctl: Bump rusttls 
Bump rusttls to >=0.23.18 to remediate RUSTSEC-2024-0399

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-21 10:41:59 +01:00
stevenhorsman
42339e9cdf dragonball: Update url crate 
Update url to 2.5.4 to bump idna to 1.0.3 and remediate
RUSTSEC-2024-0421

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-21 10:35:05 +01:00
stevenhorsman
1795361589 runk: Update rustjail 
Update the rustjail crate to pull in the latest security fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-21 10:31:18 +01:00
stevenhorsman
28929f5b3e runtime: Bump promethus 
Bump this crate to remove the old version of protobuf
and remediate RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-21 10:29:57 +01:00
stevenhorsman
e66aa1ef8c runtime: Bump promethus and ttrpc-codegen 
Bump these crates to remove the old version of protobuf
and remediate RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-21 10:29:39 +01:00
Fabiano Fidêncio
d60513ece9 Merge pull request #11597 from kata-containers/topic/fix-release-static-tarball-content 
release: Copy the VERSION file to the tarball
 2025-07-20 21:06:40 +02:00
Fabiano Fidêncio
55aae75ed7 shellcheck: Fix issues on kata-deploy-merge-builds.sh 
As we're already touching the file, let's get those fixed.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-20 09:33:50 +02:00
Fabiano Fidêncio
aaeb3b3221 release: Copy the VERSION file to the tarball 
For the release itself, let's simply copy the VERSION file to the
tarball.

To do so, we had to change the logic that merges the build, as at that
point the tag is not yet pushed to the repo.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-20 00:06:14 +02:00
Fabiano Fidêncio
21ccaf4a80 Merge pull request #11596 from fidencio/release/v3.19.0 
release: Bump version to 3.19.0
 2025-07-19 18:27:36 +02:00
Fabiano Fidêncio
60f312b4ae release: Bump version to 3.19.0 
Bump VERSION and helm-chart versions

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-19 09:11:30 +02:00
Fabiano Fidêncio
1351ccb2de Merge pull request #11576 from Tim-Zhang/update-protobuf-to-fix-CVE-2025-53605 
chore: Update protobuf to fix CVE-2025-53605
 2025-07-19 07:43:13 +02:00
Fabiano Fidêncio
7f5f032aca runtime-rs: Update containerd-shim / containerd-shim-protos 
Let's bump those to their 0.10.0 releases, which contain fixes for the
CVE-2025-53605.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-19 00:18:01 +02:00
Fabiano Fidêncio
6dc4c0faae Merge pull request #11589 from fidencio/topic/fix-tdx-qemu-path-for-non-gpu 
qemu: tdx: Fix binary path for non-gpu TDX
 2025-07-18 17:24:00 +02:00
Tim Zhang
2fe9df16cc gent-ctl: update Cargo.lock to fix CVE-2025-53605 
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/392
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 16:13:25 +02:00
Tim Zhang
45b44742de genpolicy: update Cargo.lock to fix CVE-2025-53605 
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/394
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 16:10:52 +02:00
Tim Zhang
fa9ff1b299 kata-ctl: update prometheus/protobuf to fix CVE-2025-53605 
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/395
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 16:05:13 +02:00
Tim Zhang
d0e7a51f7b dragonball: update prometheus/protobuf to fix CVE-2025-53605 
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/396
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
 2025-07-18 16:02:29 +02:00
Tim Zhang
222393375a agent: update ttrpc-codegen to remove dependency on protobuf v2 
To fix CVE-2025-53605.

Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/397
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 16:02:07 +02:00
Fabiano Fidêncio
60c3d89767 Merge pull request #11558 from gmintoco/feature/helm-nodeSelector 
helm: add nodeSelector support to kata-deploy chart
 2025-07-18 15:52:19 +02:00
Fabiano Fidêncio
3143787f69 qemu: tdx: Fix binary path for non-gpu TDX 
On commit 90bc749a19, we've changed the
QEMUTDXPATH in order to get it to work with GPUs, but the change broke
the non-GPU TDX use-case, which depends on the distro binary.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 15:26:27 +02:00
Fabiano Fidêncio
497a3620c2 tests: Remove references to qemu-sev 
As it's been removed from our codebase.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
17ce44083c runtime: Remove reference to sev package 
Otherwise it'll just break static checks.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
3b5cd2aad6 helm: remove qemu-sev references 
qemu-sev support has been removed, but those bits were left behind by
mistake.

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
 2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
41d41d51f7 helm: add nodeSelector support to kata-deploy chart 
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
 2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
7d709a0759 Merge pull request #11493 from stevenhorsman/agent-ctl-tag-cache 
ci: cache: Tag agent-ctl cache
 2025-07-18 12:12:46 +02:00
Fabiano Fidêncio
4a6c718f23 Merge pull request #11584 from zvonkok/fix-kernel-debug-enabled 
kernel: fix enable kernel debug
 2025-07-18 11:38:36 +02:00
Sumedh Alok Sharma
47184e82f5 Merge pull request #11313 from Ankita13-code/ankitapareek/exec-id-agent-fix 
agent: update the processes hashmap to use exec_id as primary key
 2025-07-18 14:07:15 +05:30
Fabiano Fidêncio
d9daddce28 Merge pull request #11578 from justxuewei/vsock-async 
runtime-rs: Fix the issue of blocking socket with Tokio
 2025-07-18 10:13:03 +02:00
Xuewei Niu
629c942d4b runtime-rs: Fix the issue of blocking socket with Tokio 
According to the issue [1], Tokio will panic when we are giving a blocking
socket to Tokio's `from_std()` method, the information is as follows:

```
A panic occurred at crates/agent/src/sock/vsock.rs:59: Registering a
blocking socket with the tokio runtime is unsupported. If you wish to do
anyways, please add `--cfg tokio_allow_from_blocking_fd` to your RUSTFLAGS.
```

A workaround is to set the socket to non-blocking.

1: https://github.com/tokio-rs/tokio/issues/7172

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
 2025-07-18 10:55:48 +08:00
Xuewei Niu
1508e6f0f5 agent: Bump Tokio to v1.46.1 
Tokio now has a newer version, let us bump it.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
 2025-07-18 10:55:48 +08:00
Xuewei Niu
5a4050660a runtime-rs: Bump Tokio to v1.46.1 
Tokio now has a newer version, let us bump it.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
 2025-07-18 10:55:48 +08:00
Zvonko Kaiser
a786dc48b0 kernel: fix enable kernel debug 
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-18 02:24:19 +00:00
Fabiano Fidêncio
eb2bfbf7ac Merge pull request #11572 from stevenhorsman/RUSTSEC-2024-0384-remediate 
More crate bumps for security remediations
 2025-07-17 22:35:05 +02:00
Zvonko Kaiser
cef9485634 Merge pull request #11450 from kata-containers/dependabot/cargo/src/agent/nix-0.27.1 
build(deps): bump nix to 0.26.4 in agent, libs, runtime-rs
 2025-07-17 14:22:40 -04:00
stevenhorsman
41a608e5ce tools: Bump borsh, liboci-cli and oci-spec 
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 18:23:19 +01:00
stevenhorsman
e56f493191 deps: Bump zbus, serial_test & async-std 
Bump these crates across various components to remove the
dependency on unmaintained instant crate and remediate
RUSTSEC-2024-0384

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 18:23:19 +01:00
stevenhorsman
bb820714cb agent-ctl: Update borsh 
- Update borsh to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 18:23:19 +01:00
Steve Horsman
549fd2a196 Merge pull request #11581 from stevenhorsman/osv-scanner-action-permissions-fix 
workflow: Fix osv-scanner action
 2025-07-17 18:18:16 +01:00
stevenhorsman
a7e27b9b68 workflow: Fix osv-scanner action 
- The github generated template had an old version which
isn't valid for the pr-scan, so update to the latest
- The action needs also `actions: read` and `contents:read` to run in kata-containers

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 17:29:35 +01:00
Steve Horsman
8741f2ab3d Merge pull request #11580 from kata-containers/osv-scanner-action 
workflow: Add osv-scanner action
 2025-07-17 17:00:34 +01:00
stevenhorsman
1a75c12651 workflow: Add osv-scanner action 
Add action to check for vulnerabilities in the project and
on each PR

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 16:41:56 +01:00
stevenhorsman
4c776167e5 trace-forwarder: Add nix features 
Some of the nix apis we are using are now enabled by features,
so add these to resolve the compilation issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 15:09:21 +01:00
dependabot[bot]
cd79108c77 build(deps): bump nix in /src/tools/trace-forwarder 
Bumps [nix](https://github.com/nix-rust/nix) from 0.23.1 to 0.30.1.
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/compare/v0.23.1...v0.30.1)

---
updated-dependencies:
- dependency-name: nix
  dependency-version: 0.30.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 15:09:06 +01:00
stevenhorsman
9185ef1a67 runtime-rs: Bump nix to matching version 
runtime-rs needs the same version as libs,
so sync this up as well.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 15:08:46 +01:00
dependabot[bot]
219ad505c2 build(deps): bump nix from 0.24.3 to 0.26.4 in /src/agent 
Nix needs to be in sync between libs and agent, so bump
the agent to the libs version

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-17 15:01:06 +01:00
dependabot[bot]
a4d22fe330 build(deps): bump nix from 0.24.2 to 0.26.4 in /src/libs 
---
updated-dependencies:
- dependency-name: nix
  dependency-version: 0.26.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 15:01:06 +01:00
Fabiano Fidêncio
6dabb3683f Merge pull request #10961 from zvonkok/shellcheck-zero 
shellcheck: fix kernel/build.sh
 2025-07-17 12:59:00 +02:00
Steve Horsman
405f5283f0 Merge pull request #11573 from arvindskumar99/versions_comment 
OVMF: Making comment in versions.yaml for SEV-SNP
 2025-07-17 10:11:58 +01:00
Fabiano Fidêncio
32d40849fa Merge pull request #11577 from Xynnn007/bump-gc 
deps(chore): bump guest-components to candidate v0.14.0
 2025-07-17 11:08:36 +02:00
Zvonko Kaiser
ca4f96ed00 shellcheck: fix kernel/build.sh 
Refactor code to make shellcheck happy

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-17 10:15:41 +02:00
Xynnn007
82b890349d deps(chore): bump guest-components to candidate v0.14.0 
This new version of gc fixes s390x attestation, also introduces registry
configuration setting directly via initdata.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-17 10:19:02 +08:00
stevenhorsman
51f41b1669 ci: cache: Tag agent-ctl cache 
The peer pods project is using the agent-ctl tool in some
tests, so tagging our cache will let them more easily identify
development versions of kata for testing between releases.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-16 11:32:33 +01:00
Fupan Li
75d23b8884 Merge pull request #11504 from lifupan/fix_fd_leak 
agent: fix the issue of parent writer pipe fd leak
 2025-07-16 18:29:24 +08:00
Fupan Li
83f54eec52 agent: fix the issue of parent writer pipe fd leak 
Sometimes, containers or execs do not use stdin, so there is no chance
to add parent stdin to the process's writer hashmap, resulting in the
parent stdin's fd not being closed when the process is cleaned up later.

Therefore, when creating a process, first explicitly add parent stdin to
the wirter hashmap. Make sure that the parent stdin's fd can be closed
when the process is cleaned up later.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-16 16:15:31 +08:00
Fupan Li
752c8b611e Merge pull request #11575 from Tim-Zhang/fix-runk-build 
runk: Fix build errors
 2025-07-16 15:23:58 +08:00
Arvind Kumar
2a52351822 OVMF: Making comment in versions.yaml for SEV-SNP 
Adding comment to versions.yaml to indicate that the ovmf-sev is also
used by AMD SEV-SNP, as per the discussion in
https://github.com/kata-containers/kata-containers/pull/11561.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-16 06:35:21 +02:00
Tim Zhang
c8183a2c14 runk: rename imported crate from users to uzers 
To adapt the new crate name and fix build errors
introduced in the commit 39f51b4c6d

Fixes: #11574

Signed-off-by: Tim Zhang <tim@hyper.sh>
 2025-07-16 11:35:39 +08:00
Fabiano Fidêncio
9cebbab29d Merge pull request #11335 from zvonkok/fix-kata-deploy.sh 
gpu: Fix kata deploy.sh
 2025-07-15 19:50:44 +02:00
Fabiano Fidêncio
c8b7a51d72 Merge pull request #11082 from zvonkok/debug-kernel 
kernel: debug config
 2025-07-15 19:04:15 +02:00
Zvonko Kaiser
c56c896fc6 qemu: remove the experimental suffix for qemu-snp 
We switched to vanilla QEMU for the CPU SNP use-case.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:49:58 +02:00
Zvonko Kaiser
a282fa6865 gpu: Add TDX related runtime adjustments 
We have the QEMU adjustments for SNP but missing those for TDX

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:49:56 +02:00
Zvonko Kaiser
0d2993dcfd kernel: bump kernel version 
Obligatory kernel version bump

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:48:23 +02:00
Zvonko Kaiser
a4597672c0 kernel: Add KERNEL_DEBUG_ENABLED to build scripts 
We want to be able to build a debug version of the kernel for various
use-cases like debugging, tracing and others.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:48:03 +02:00
Fabiano Fidêncio
b7af7f344b Merge pull request #11569 from Xynnn007/bump-coco 
deps(chore): update guest-components and trustee
 2025-07-15 16:34:23 +02:00
Fabiano Fidêncio
aac555eeff Merge pull request #11571 from fidencio/topic/fix-nvidia-gpu-initrd-cache 
build: Fix cache for nvidia-gpu-initrd builds
 2025-07-15 16:28:03 +02:00
Fabiano Fidêncio
4415a47fff Merge pull request #11557 from Apokleos/fix-initdata 
runtime-rs: Fix initdata length field missing when create block
 2025-07-15 16:22:45 +02:00
Fabiano Fidêncio
11c744c5c3 Merge pull request #11567 from zvonkok/remove-gpu-admin-tools 
Remove gpu admin tools
 2025-07-15 15:11:56 +02:00
Fabiano Fidêncio
fa7598f6ec Merge pull request #11568 from zvonkok/tdx-qemu-path 
gpu: Add  proper TDX config path
 2025-07-15 14:54:13 +02:00
Fabiano Fidêncio
3e86f3a95c build: Rename rootfs-nvidia-* to fix cache issues 
The convention for rootfs-* names is:
* rootfs-${image_type}-${special_build}

If this is not followed, cache will never work as expected, leading to
building the initrd / image on every single build, which is specially
constly when building the nvidia specific targets.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-15 14:48:45 +02:00
alex.lyn
56c0c172fa runtime-rs: Fix initdata length field missing when create block 
The init data could not be read properly within kata-agent because the
data length field was omitted, a consequence of a mismatch in the data
write format.

Fixes #11556

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-15 19:22:17 +08:00
Fabiano Fidêncio
b76efa2a25 Merge pull request #11564 from BbolroC/make-qemu-coco-dev-s390x-required 
ci: Make qemu-coco-dev for s390x (zVSI) required again
 2025-07-15 12:04:18 +02:00
Xynnn007
4da31bf2f9 agent: deliver initdata toml to attestation agent 
Now AA supports to receive initdata toml plaintext and deliver it in the
attestation. This patch creates a file under
'/run/confidential-containers/initdata'
to store the initdata toml and give it to AA process.

When we have a separate component to handle initdata, we will move the
logic to that component.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-15 17:10:56 +08:00
Steve Horsman
d219fc20e1 Merge pull request #11555 from stevenhorsman/rust-advisory-fixes-pre-3.19.0 
Rust advisory fixes pre 3.19.0
 2025-07-15 09:11:33 +01:00
Hui Zhu
3577e4bb43 Merge pull request #11480 from teawater/update_ma 
mem-agent: Update to https://github.com/teawater/mem-agent/tree/kata-20250627
 2025-07-15 15:22:10 +08:00
Xynnn007
19001af1e2 deps(chore): update guest-components and trustee 
to the version of pre v0.14.0

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-15 09:12:47 +08:00
teawater
028f25ac84 mem-agent: Update to kata-20250627 
Update to https://github.com/teawater/mem-agent/tree/kata-20250627.

The commit list:
3854b3a Update nix version from 0.23.2 to 0.30.1
d9a4ced Update tokio version from 1.33 to 1.45.1
9115c4d run_eviction_single_config: Simplify check evicted pages after
	eviction
68b48d2 get_swappiness: Use a rounding method to obtain the swappiness
	value
14c4508 run_eviction_single_config: Add max_seq and min_seq check with
	each info
8a3a642 run_eviction_single_config: Move infov update to main loop
b6d30cf memcg.rs: run_aging_single_config: Fix error of last_inc_time
	check
54fce7e memcg.rs: Update anon eviction code
41c31bf cgroup.rs: Fix build issue with musl
0d6aa77 Remove lazy_static from dependencies
a66711d memcg.rs: update_and_add: Fix memcg not work after set memcg
	issue
cb932b1 Add logs and change some level of some logs
93c7ad8 Add per-cgroup and per-numa config support
092a75b Remove all Cargo.lock to support different versions of rust
540bf04 Update mem-agent-srv, mem-agent-ctl and mem-agent-lib to
	v0.2.0
81f39b2 compact.rs: Change default value of compact_sec_max to 300
c455d47 compact.rs: Fix psi_path error with cgroup v2 issue
6016e86 misc.rs: Fix log error
ded90e9 Set mem-agent-srv and mem-agent-ctl as bin

Fixes: #11478

Signed-off-by: teawater <zhuhui@kylinos.cn>
 2025-07-15 08:57:41 +08:00
Zvonko Kaiser
90bc749a19 gpu: Add proper TDX config path 
This was missed during the GPU TDX experimental enablement

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 23:26:28 +00:00
Zvonko Kaiser
da17b06d28 gpu: Pin toolkit version 
New versions have incompatibilites, pin toolkit to a working
version

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 22:07:21 +00:00
Zvonko Kaiser
97a4a1574e gpu: Remove gpu-admin-tools 
NVRC got a new feature reading the CC mode directly from register

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 21:59:31 +00:00
stevenhorsman
18597588c0 agent: Bump cdi version 
Bump cdi version to the pick up fixes to:
- RUSTSEC-2025-0024
- RUSTSEC-2025-0023
- RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-14 16:54:30 +01:00
stevenhorsman
661d88b11f versions: Bump oci-spec 
Try bumping oci-spec to 0.8.1 as it included fixes for vulnerabilities
including RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-14 16:54:30 +01:00
Fabiano Fidêncio
579d373623 Merge pull request #11521 from stevenhorsman/idna-1.0.4-bump 
versions: Bump idna crate to >= 1.0.3
 2025-07-14 17:39:30 +02:00
Fabiano Fidêncio
f5decea13e Merge pull request #11550 from stevenhorsman/runtime-rs-bump-chrono-0.4.41 
runtime-rs | trace-forwarder: Bump chrono crate version
 2025-07-14 16:45:58 +02:00
Steve Horsman
0fa2cd8202 Merge pull request #11519 from wainersm/tests_teardown_common 
tests/k8s: instrument some tests for debugging
 2025-07-14 13:20:01 +01:00
Hyounggyu Choi
a224b4f9e4 ci: Make qemu-coco-dev for s390x (zVSI) required again 
As the following job has passed 10 days in a row for the nightly test:

```
kata-containers-ci-on-push / run-k8s-tests-on-zvsi / run-k8s-tests (nydus, qemu-coco-dev, kubeadm)
```

this commit makes the job required again.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
 2025-07-14 11:03:54 +02:00
Wainer dos Santos Moschetta
f0f1974e14 tests/k8s: call teardown_common in k8s-parallel.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
8dfeed77cd tests/k8s: add handler for Job in set_node() 
Set the node in the spec template of a Job manifest, allowing to use
set_node() on tests like k8s-parallel.bats

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
806d63d1d8 tests/k8s: call teardown_common in k8s-credentials-secrets.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
c8f40fe12c tests/k8s: call teardown_common in k8s-sandbox-vcpus-allocation.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Fabiano Fidêncio
4a79c2520d Merge pull request #11491 from Apokleos/default-blk-driver 
runtime-rs: Change default block device driver from virtio-scsi to virtio-blk-*
 2025-07-11 23:14:13 +02:00
alex.lyn
9cc14e4908 runtime-rs: Update block device driver docs within configuration 
The previous description for the `block_device_driver` was inaccurate or
outdated. This commit updates the documentation to provide a more
precise explanation of its function.

Fixes #11488

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-11 17:40:58 +02:00
alex.lyn
92160c82ff runtime-rs: Change block device driver defualt with virtio-blk-* 
When we run a kata pod with runtime-rs/qemu and with a default
configuration toml, it will fail with error "unsupported driver type
virtio-scsi".
As virtio-scsi within runtime-rs is not so popular, we set default block
device driver with `virtio-blk-*`.

Fixes #11488

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-11 17:40:58 +02:00
Ankita Pareek
5f08cc75b3 agent: update the processes hashmap to use exec_id as primary key 
This patch changes the container process HashMap to use exec_id as the primary
key instead of PID, preventing exec_id collisions that could be exploited in
Confidential Computing scenarios where the host is less trusted than the guest.

Key changes:
- Changed `processes: HashMap<pid_t, Process>` to `HashMap<String, Process>`
- Added exec_id collision detection in `start()` method
- Updated process lookup operations to use exec_id directly
- Simplified `get_process()` with direct HashMap access

This prevents multiple exec operations from reusing the same exec_id, which
could be problematic in CoCo use cases where process isolation and unique
identification are critical for security.

Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
 2025-07-11 10:10:23 +00:00
Steve Horsman
878e50f978 Merge pull request #11554 from fidencio/topic/fix-version-file-on-release 
gh: Fix released VERSION file
 2025-07-11 09:20:06 +01:00
Fabiano Fidêncio
fb22e873cd gh: Fix released VERSION file 
The `/opt/kata/VERSION` file, which is created using `git describe
--tags`, requires the newly released tag to be updated in order to be
accurate.

To do so, let's add a `fetch-tags: true` to the checkout action used
during the `create-kata-tarball` job.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-11 09:47:11 +02:00
Alex Lyn
87e41e2a09 Merge pull request #11549 from stevenhorsman/bump-remove_dir_all 
runtime-rs: Switch tempdir to tempfile
 2025-07-11 13:46:12 +08:00
Alex Lyn
f22272b8f7 Merge pull request #11540 from Apokleos/coldplug-vfio-clh 
runtime-rs: Add vfio support with coldplug for cloud-hypervisor
 2025-07-11 10:33:59 +08:00
RuoqingHe
7cd4e3278a Merge pull request #11545 from RuoqingHe/remove-lockfile-for-libs 
libs: Remove lockfile for libs
 2025-07-10 21:56:10 +08:00
stevenhorsman
c740896b1c trace-forwarder: Bump chrono crate version 
Bump chrono version to drop time@0.1.43 and remediate
vulnerability CVE-2020-26235

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 14:55:20 +01:00
stevenhorsman
3916507553 runtime-rs: Bump chrono crate version 
Bump chrono version to drop time@0.1.45 and remediate
vulnerability CVE-2020-26235

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 13:47:05 +01:00
stevenhorsman
c5ceae887b runtime-rs: Switch tempdir to tempfile 
tempdir hasn't been updated for seven years and pulls in
remove_dir_all@0.5.3 which has security advisory
GHSA-mc8h-8q98-g5hr, so replace this with using tempfile,
which the crate got merged into and we use elsewhere in the
project

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 12:16:35 +01:00
Ruoqing He
4039506740 libs: Ignore Cargo.lock in libs workspace 
Ignore Cargo.lock in `libs` to prevent developers from accidentally
track lock files in `libs` workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-07-10 09:31:45 +00:00
alex.lyn
3fbe493edc runtime-rs: Convert host devices within VmConfig for cloud-hypervisor 
This PR adds support for adding a network device before starting the
cloud-hypervisor VM.
This commit will get the host devices from NamedHypervisorConfig and
assign it to VmConfig's devices which is for vfio devices when clh
starts launching.
And with this, it successfully finish the vfio devices conversion from
a generic Hypervisor config to a clh specific VmConfig.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:33:43 +08:00
alex.lyn
0b5b8f549d runtime-rs: Introduce a field host_devices within NamedHypervisorConfig 
This commit introduce `host_devices` to help convert vfio devices from
a generic hypervisor config to a cloud-hypervisor specific VmConfig.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:33:41 +08:00
alex.lyn
d37183d754 runtime-rs: Add vfio support with coldplug for cloud-hypervisor 
This PR adds support for adding a vfio device before starting the
cloud-hypervisor VM (or cold-plug vfio device).

This commit changes "pending_devices" for clh implementation via adding
DeviceType::Vfio() into pending_devices. And it will get shared host devices
after correctly handling vfio devices (Specially for primary device).

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:32:21 +08:00
Ruoqing He
ffa3a5a15e libs: Remove Cargo.lock 
crates in `libs` workspace do not ship binaries, they are just libraries
for other workspace to reference, the `Cargo.lock` file hence would not
take effect. Removing Cargo.lock for `libs` workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-07-10 03:14:55 +00:00
Fabiano Fidêncio
c68eb58f3f Merge pull request #11529 from fidencio/topic/only-use-fixed-version-of-k0s-for-crio 
tests: k0s: Always use latest version, apart from CRI-O tests
 2025-07-09 18:47:18 +02:00
Hyounggyu Choi
09297b7955 Merge pull request #11537 from BbolroC/set-sharedfs-to-none-for-ibm-sel 
runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file
 2025-07-09 18:30:08 +02:00
Hyounggyu Choi
bca31d5a4d runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file 
In line with configuration for other TEEs, shared_fs should
be set to none for IBM SEL. This commit updates the value for
runtime/runtime-rs.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
 2025-07-09 14:22:28 +02:00
Fabiano Fidêncio
5f17e61d11 tests: kata-deploy: Remove --wait from helm uninstall 
As we're using a `kubectl wait --timeout ...` to check whether the
kata-deploy pod's been deleted or not, let's remove the `--wait` from
the `helm uninstall ...` call as k0s tests were failing because the
`kubectl wait --timeout...` was starting after the pod was deleted,
making the test fail.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-09 14:01:30 +02:00
Fabiano Fidêncio
842e17b756 tests: k0s: Always use latest version, apart from CRI-O tests 
We've been pinning a specific version of k0s for CRI-O tests, which may
make sense for CRI-O, but doesn't make sense at all when it comes to
testing that we can install kata-deploy on latest k0s (and currently our
test for that is broken).

Let's bump to the latest, and from this point we start debugging,
instead of debugging on an ancient version of the project.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-09 13:27:18 +02:00
Steve Horsman
7bc25b0259 Merge pull request #11494 from katexochen/p/opa-1.6 
versions: bump opa 1.5.1 -> 1.6.0
 2025-07-09 11:45:54 +01:00
Steve Horsman
967f66f677 Merge pull request #11380 from arvindskumar99/sev-deprecation 
Sev deprecation
 2025-07-09 11:38:13 +01:00
stevenhorsman
f96b8fb690 kata-ctl: Update expected test failure message 
Update expected error after url crate bump

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-09 11:34:27 +01:00
stevenhorsman
b7bf46fdfa versions: Bump idna crate to >= 1.0.4 
Bump url, reqwests and idna crates in order to move away from
idna <1.0.3 and remediate CVE-2024-12224.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-09 11:34:27 +01:00
Xuewei Niu
b8838140d0 Merge pull request #11527 from StevenFryto/fix-runtime-rootless-bugs 
runtime: Fix rootlessDir not correctly set in rootless VMM mode
 2025-07-09 16:40:11 +08:00
Steve Horsman
990c4e68ee Merge pull request #11523 from wainersm/ci_setup_kubectl 
workflows: adopting azure/setup-kubectl
 2025-07-09 09:09:38 +01:00
stevenfryto
3c7a670129 runtime: Fix rootlessDir not correctly set in rootless VMM mode 
Previously, the rootlessDir variable in `src/runtime/virtcontainers/pkg/rootless.go` was initialized at
package load time using `os.Getenv("XDG_RUNTIME_DIR")`. However, in rootless
VMM mode, the correct value of $XDG_RUNTIME_DIR is set later during runtime
using os.Setenv(), so rootlessDir remained empty.

This patch defers the initialization of rootlessDir until the first call
to `GetRootlessDir()`, ensuring it always reflects the current environment
value of $XDG_RUNTIME_DIR.

Fixes: #11526

Signed-off-by: stevenfryto <sunzitai_1832@bupt.edu.cn>
 2025-07-09 09:51:48 +08:00
Wainer dos Santos Moschetta
e4da3b84a3 workflows: adopting azure/setup-kubectl 
There are workflows that rely on `az aks install-cli` to get kubectl
installed. There is a well-known problem on install-cli, related with
API usage rate limit, that has recently caused the command to fail
quite often.

This is replacing install-cli with the azure/setup-kubectl github
action which has no such as rate limit problem.

While here, removed the install_cli() function from gha-run-k8s-common.sh
so avoid developers using it by mistake in the future.

Fixes #11463
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-08 15:15:54 -03:00
Alex Lyn
294b2c1c10 Merge pull request #11528 from Apokleos/remote-initdata 
runtime-rs: add initdata annotation for remote hypervisor
 2025-07-08 09:13:13 +08:00
Arvind Kumar
afedad0965 kernel: Removing SEV kernel packages 
Removing kernel config files realting
to SEV as part of the SEV deprecation
efforts.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:21:11 -05:00
Arvind Kumar
ecac3d2d28 runtime: Removing runtime logic for SEV 
Removing runtime SEV functionality,
such as the kbs, ovmf, VMSA handling,
and SEV configs as part of deprecating
SEV from kata.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Arvind Kumar
8eebcef8fb tests: Removing testing framework for SEV 
Removing files pertaining to SEV from
the CI framework.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Arvind Kumar
675ea86aba kata-deploy: Removing SEV from kata-deploy 
Removing files related to SEV, responsible for
installing and configuring Kata containers.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Paul Meyer
ff7ac58579 versions: bump opa 1.5.1 -> 1.6.0 
Bumping opa to latest release.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
 2025-07-07 14:19:08 +02:00
alex.lyn
fcaade24f4 runtime-rs: add initdata annotation for remote hypervisor 
Add init data annotation within preparing remote hypervisor annotations
when prepare vm, so that it can be passed within CreateVMRequest.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-07 12:46:05 +01:00
Fabiano Fidêncio
110f68a0f1 Merge pull request #11530 from fidencio/topic/tests-fix-runtime-class-check 
tests: runtimeclasses: Adjust gpu runtimeclasses
 2025-07-07 13:42:46 +02:00
Fabiano Fidêncio
2c2995b7b0 tests: runtimeclasses: Adjust gpu runtimeclasses 
679cc9d47c was merged and bumped the
podoverhead for the gpu related runtimeclasses. However, the bump on the
`kata-runtimeClasses.yaml` as overlooked, making our tests fail due to
that discrepancy.

Let's just adjust the values here and move on.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-07 11:43:40 +02:00
Fabiano Fidêncio
ef545eed86 Merge pull request #11513 from lifupan/dragonball_6.12.x 
tools: port the dragonball kernel patch to 6.12.x
 2025-07-07 10:31:49 +02:00
Steve Horsman
d291e9bda0 Merge pull request #11336 from zvonkok/fix-podoverhead 
gpu: Update runtimeClasses for correct podoverhead
 2025-07-07 09:20:07 +01:00
Fabiano Fidêncio
a2faf93211 kernel: Bump to v6.12.36 
As that's the latest releasesd LTS.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-06 23:48:20 +02:00
Fupan Li
fd21c9df59 tools: port the dragonball kernel patch to 6.12.x 
Backport the dragonball's kernel patches to
6.12.x kernel version.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-06 23:48:20 +02:00
Zvonko Kaiser
679cc9d47c gpu: Update runtimeClasses for correct podoverhead 
We cannot only rely only on default_cpu and default_memory in the
config, default is 1 and 2Gi but we need some overhead for QEMU and
the other related binaries running as the pod overhead. Especially
when QEMU is hot-plugging GPUs, CPUs, and memory it can consume more
memory.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-04 12:20:15 -04:00
Steve Horsman
1c718dbcdd Merge pull request #11506 from stevenhorsman/remove-atty-dependency 
Remove atty dependency
 2025-07-04 10:46:28 +01:00
Alex Lyn
362ea54763 Merge pull request #11517 from zvonkok/fix-nvrc-build 
gpu: NVRC static build
 2025-07-04 13:51:03 +08:00
Alex Lyn
2e35a8067d Merge pull request #11482 from Apokleos/fix-force-guestpull 
runtime-rs:  refactor and fix the implementation of guest-pull
 2025-07-04 11:29:33 +08:00
stevenhorsman
6f23608e96 ci: Remove atty group 
atty is unmaintained, with the last release almost 3 years
ago, so we don't need to check for updates, but instead will
remove it from out dependency tree.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-04 09:43:34 +08:00
stevenhorsman
7ffbdf7b3a mem-agent: Remove structopts crate 
structopt features were integrated into clap v3 and so is not
actively updated and pulls in the atty crate which has a security
advisory, so update clap, remove structopts, update the code that
used it to remove the outdated dependencies.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-04 09:43:34 +08:00
stevenhorsman
7845129bdc versions: Bump slog-term to 2.9.1 
slog-term 2.9.0 included atty, which is unmaintained
as has a security advisory GHSA-g98v-hv3f-hcfr,
so bump the version across our components to remove
this dependency.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-04 09:43:34 +08:00
Aurélien Bombo
fe532f9d04 Merge pull request #11475 from kata-containers/sprt/zizmor-fixes 
security: ci: Fixes for Zizmor GHA security scanning
 2025-07-03 13:29:47 -05:00
Zvonko Kaiser
c3b2d69452 gpu: NVRC static build 
We had the proper config.toml configuration for static builds
but were building the glibc  target and not the musl target.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-03 15:31:00 +00:00
Aurélien Bombo
8723eedad2 gha: Remove path restriction for Zizmor workflow 
The way GH works, we can only require Zizmor results on ALL PR runs, or
none, so remove the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-07-03 08:18:34 -05:00
Alex Lyn
c857f59a1a Merge pull request #11510 from lifupan/sync_resize_vcpu 
runtime-rs: make the resize_vcpu api support sync
 2025-07-03 17:35:08 +08:00
alex.lyn
2b95facc6f kata-type: Relax Mandatory source Field Check in Guest-Pull Mode 
Previously, the source field was subject to mandatory checks. However,
in guest-pull mode, this field doesn't consistently provide useful
information. Our practical experience has shown that relying on this
field for critical data isn't always necessary.

In other aspect, not all cases need mandatory check for KataVirtualVolume.
based on this fact, we'd better to make from_base64 do only one thing and
remove the validate(). Of course, We also keep the previous capability to
make it easy for possible cases which use such method and we rename it
clearly with from_base64_and_validate.

This commit relaxes the mandatory checks on the KataVirtualVolume specifically
for guest-pull mode, acknowledging its diminished utility in this context.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-03 17:07:20 +08:00
alex.lyn
8f8b196705 runtime-rs: refactor merging metadata within image_pull 
refactor implementation for merging metadata.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-03 17:07:08 +08:00
Fupan Li
fb1c35335a runtime-rs: make the resize_vcpu sync 
When hot plugging vcpu in dragonball hypervisor, use the synchronization
interface and wait until the hot plug cpu is executed in the guest
before returning. This ensures that the subsequent device hot plug will
not conflict with the previous call.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-03 15:11:36 +08:00
Fupan Li
72a38457f0 dragonball: make the resize_vcpu api support sync 
Let dragonball's resize_vcpu api support synchronization, and only
return after the hot-plug of the CPU is successfully executed in the
guest kernel. This ensures that the subsequent device hot-plug operation
can also proceed smoothly.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-03 15:11:36 +08:00
Alex Lyn
210844ce6b Merge pull request #11509 from teawater/agent_test 
kata-agent: mount.rs: Fix warning of test
 2025-07-03 15:05:04 +08:00
Alex Lyn
95d513b379 Merge pull request #11423 from zhaodiaoer/test 
test: fix broken testing code in libs
 2025-07-03 11:15:39 +08:00
teawater
0347698c59 kata-agent: mount.rs: Fix warning of test 
Got follow warning with make test of kata-agent:
   Compiling rustjail v0.1.0 (/data/teawater/kata-containers/src/agent/rustjail)
   Compiling kata-agent v0.1.0 (/data/teawater/kata-containers/src/agent)
warning: unused import: `std::os::unix::fs`
    --> rustjail/src/mount.rs:1147:9
     |
1147 |     use std::os::unix::fs;
     |         ^^^^^^^^^^^^^^^^^
     |
     = note: `#[warn(unused_imports)]` on by default

This commit fixes it.

Fixes: #11508

Signed-off-by: teawater <zhuhui@kylinos.cn>
 2025-07-03 10:01:19 +08:00
alex.lyn
7a59d7f937 runtime-rs: Import the public const value from libs 
Introduce a const value `KATA_VIRTUAL_VOLUME_PREFIX` defined in the libs/kata-types,
and it'll be better import such const value from there.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-03 09:42:17 +08:00
Aurélien Bombo
8d86bcea4b Merge pull request #11499 from kata-containers/sprt/fix-commit-check 
gha: Eliminate use of force-skip-ci label
 2025-07-02 10:53:55 -05:00
Aurélien Bombo
8d7d859e30 gha: Eliminate use of force-skip-ci label 
This was originally implemented as a Jenkins skip and is only used in a few
workflows.  Nowadays this would be better implemented via the gatekeeper.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-07-02 10:29:50 -05:00
Saul Paredes
e7b9eddced Merge pull request #11248 from microsoft/archana1/storages 
genpolicy: add validation for storages
 2025-07-01 10:02:10 -07:00
Fabiano Fidêncio
07b41c88de Merge pull request #11490 from Apokleos/fix-noise 
runtime-rs: Fix noise with frequently appearing in unstaged changes
 2025-07-01 17:43:41 +02:00
Archana Choudhary
6932beb01f policy: fix parse errors in rules.rego 
This patch fixes the rules.rego file to ensure that the
policy is correctly parsed and applied by opa.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 12:43:41 +00:00
Archana Choudhary
abbe1be69f tests: enable confidential_guest setting for coco 
This commit updates the `tests_common.sh` script
to enable the `confidential_guest`
setting for the coco tests in the Kubernetes
integration tests.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
9dd365fdb5 genpolicy: fix mount source check in rules.rego 
This commit fixes the mount source check in rules.rego.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
1cbea890f1 genpolicy: tests: update testcases for execprocess 
This patch removes storages from the testcases.json file for execprocess.
This is because input storage objects are invalid for two reasons:
1. "io.katacontainers.fs-opt.layer=" is missing option in annotations.
2. by default, we don't have host-tarfs-dm-verity enabled, so the storage
objects are not created in policy.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
---
 2025-07-01 10:35:20 +00:00
Archana Choudhary
6adec0737c genpolicy: add rules for image_guest_pull storage 
This patch introduces some basic checks for the
`image_guest_pull` storage type in the genpolicy tool.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
bd2dc1422e genpolicy: add test for container images having volumes 
This patch adds a test case to genpolicy for container images that have volumes.
Examples of such container images include:
 - quay.io/opstree/redis
 - https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
d7f998fbd5 genpolicy: tests: update test for emptydir volumes 
This patch
  - updates testcases.json for emptydir volumes/storages

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
68c8c31718 genpolicy: tests: add test for config_map volumes 
This patch adds test for config_map volumes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
9ebbc08d70 genpolicy: enable storage checks 
This patch
 - adds condition to add container image layers as storages
 - enable storage checks
 - fix CI policy test cases
 - update genpolicy-settings.json to enable storage checks
 - remove storage object addition in container image parsing

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Archana Choudhary
5b1459e623 genpolicy: test framework: enable config map usage 
This patch improves the test framework for the
genpolicy tool by enabling the use of config maps.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
 2025-07-01 10:35:20 +00:00
Alex Lyn
8784cebb84 Merge pull request #10693 from Apokleos/guest-pullimage-timeout 
runtime-rs: support setting create_container timeout with request_timeout_ms for image pulling in guest
 2025-07-01 11:40:19 +08:00
alex.lyn
b7c1d04a47 runtime-rs: Fix noise with frequently appearing in unstaged changes 
Fixes #11489

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-01 10:19:02 +08:00
alex.lyn
9839c17cad build: add Makefile variable for create_container_timeout 
Add the definiation of variable DEFCREATECONTAINERTIMEOUT into
Makefile target with default timeout 30s.

Fixes: #485

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-30 20:04:56 +08:00
alex.lyn
1a06bd1f08 kata-types: Introduce annotation *_RUNTIME_CREATE_CONTAINTER_TIMEOUT 
It's used to indicate timeout value set for image pulling in
guest during creating container.
This allows users to set this timeout with annotation according to the
size of image to be pulled.

Fixes #10692

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-30 20:04:56 +08:00
alex.lyn
f886e82f03 runtime-rs: support setting create_container_timeout 
It allows users to set this create container timeout within
configuration.toml according to the size of image to be pulled
inside guest.

Fixes #10692

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-30 20:04:56 +08:00
alex.lyn
ce524a3958 kata-types: Give a more comprehensive definition of request_timeout_ms 
To better understand the impact of different timeout values on system
behavior, this section provides a more comprehensive explanation of the
request_timeout_ms:

This timeout value is used to set the maximum duration for the agent to
process a CreateContainerRequest. It's also used to ensure that workloads,
especially those involving large image pulls within the guest, have sufficient
time to complete.
Based on explaination above, it's renamed with `create_container_timeout`,
Specially, exposed in 'configuration.toml'

Fixes #10692

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-30 20:04:56 +08:00
Steve Horsman
f04bb3f34c Merge pull request #11479 from stevenhorsman/skip-weekly-coco-stability-tests 
workflows: Skip weekly coco stability tests
 2025-06-30 09:05:14 +01:00
Fabiano Fidêncio
b024d8737c Merge pull request #11481 from fidencio/topic/fix-passing-image-size-alignment 
build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var
 2025-06-30 09:04:39 +02:00
Alex Lyn
69d2c078d1 Merge pull request #11484 from stevenhorsman/bump-nydus-snapshotter-0.15.2 
version: Bump nydus-snapshotter
 2025-06-30 14:44:01 +08:00
Alex Lyn
e66baf503b Merge pull request #11474 from Apokleos/remote-annotation 
runtime-rs: Add GPU annotations for remote hypervisor
 2025-06-30 14:05:15 +08:00
Fabiano Fidêncio
8d4e3b47b1 Merge pull request #11470 from fidencio/topic/runtime-rs-fix-odd-memory-size-calculation 
runtime-rs: Fix calculation of odd memory sizes
 2025-06-30 07:26:30 +02:00
Champ-Goblem
91cadb7bfe runtime-rs: Fix calculation of odd memory sizes 
An odd memory size leads to the runtime breaking during its startup, as
shown below:
```
Warning  FailedCreatePodSandBox  34s   kubelet            Failed to
create pod sandbox: rpc error: code = Unknown desc = failed to start
sandbox
"708c81910f4e67e53b4170b6615083339b220154cb9a0c521b3232cdb40d50f9":
failed to create containerd task: failed to create shim task:
Others("failed to handle message start sandbox in task handler\n\nCaused
by:\n    0: start vm\n    1: set vm base config\n    2: set vm
configuration\n    3: Failed to set vm configuration VmConfigInfo {
vcpu_count: 2, max_vcpu_count: 16, cpu_pm: \"on\", cpu_topology:
CpuTopology { threads_per_core: 1, cores_per_die: 1, dies_per_socket: 1,
sockets: 1 }, vpmu_feature: 0, mem_type: \"shmem\", mem_file_path: \"\",
mem_size_mib: 4513, serial_path:
Some(\"/run/kata/708c81910f4e67e53b4170b6615083339b220154cb9a0c521b3232cdb40d50f9/console.sock\"),
pci_hotplug_enabled: true }\n    4: vmm action error:
MachineConfig(InvalidMemorySize(4513))\n\nStack backtrace:\n   0:
anyhow::error::<impl anyhow::Error>::msg\n   1:
hypervisor::dragonball::vmm_instance::VmmInstance::handle_request\n   2:
hypervisor::dragonball::vmm_instance::VmmInstance::set_vm_configuration\n
3: hypervisor::dragonball::inner::DragonballInner::set_vm_base_config\n
4: <hypervisor::dragonball::Dragonball as
hypervisor::Hypervisor>::start_vm::{{closure}}::{{closure}}\n   5:
<hypervisor::dragonball::Dragonball as
hypervisor::Hypervisor>::start_vm::{{closure}}\n   6:
<virt_container::sandbox::VirtSandbox as
common::sandbox::Sandbox>::start::{{closure}}::{{closure}}\n   7:
<virt_container::sandbox::VirtSandbox as
common::sandbox::Sandbox>::start::{{closure}}\n   8:
runtimes::manager::RuntimeHandlerManager::handler_task_message::{{closure}}::{{closure}}\n
9:
runtimes::manager::RuntimeHandlerManager::handler_task_message::{{closure}}\n
10: <service::task_service::TaskService as
containerd_shim_protos::shim::shim_ttrpc_async::Task>::create::{{closure}}\n
11: <containerd_shim_protos::shim::shim_ttrpc_async::CreateMethod as
ttrpc::asynchronous::utils::MethodHandler>::handler::{{closure}}\n  12:
<tokio::time::timeout::Timeout<T> as
core::future::future::Future>::poll\n  13:
ttrpc::asynchronous::server::HandlerContext::handle_msg::{{closure}}\n
14: <core::future::poll_fn::PollFn<F> as
core::future::future::Future>::poll\n  15:
<ttrpc::asynchronous::server::ServerReader as
ttrpc::asynchronous::connection::ReaderDelegate>::handle_msg::{{closure}}::{{closure}}\n
16: tokio::runtime::task::core::Core<T,S>::poll\n  17:
tokio::runtime::task::harness::Harness<T,S>::poll\n  18:
tokio::runtime::scheduler::multi_thread::worker::Context::run_task\n
19: tokio::runtime::scheduler::multi_thread::worker::Context::run\n  20:
tokio::runtime::context::runtime::enter_runtime\n  21:
tokio::runtime::scheduler::multi_thread::worker::run\n  22:
<tokio::runtime::blocking::task::BlockingTask<T> as
core::future::future::Future>::poll\n  23:
tokio::runtime::task::core::Core<T,S>::poll\n  24:
tokio::runtime::task::harness::Harness<T,S>::poll\n  25:
tokio::runtime::blocking::pool::Inner::run\n  26:
std::sys::backtrace::__rust_begin_short_backtrace\n  27:
core::ops::function::FnOnce::call_once{{vtable.shim}}\n  28:
std::sys::pal::unix::thread::Thread::new::thread_start")
```

As we cannot control what the users will set, let's just round it up to
the next acceptable value.

Signed-off-by: Champ-Goblem <cameron@northflank.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-06-28 14:29:18 +02:00
Fabiano Fidêncio
e2b93fff3f build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var 
This helps considerably to avoid patching the code, and just adjusting
the build environment to use a smaller alignment than the default one.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-06-28 00:05:20 +02:00
stevenhorsman
fe5d43b4bd workflows: Skip weekly coco stability tests 
These tests are not passing, or being maintained,
so as discussed on the AC meeting, we will skip them
from automatically running until they can be reviewed
and re-worked, so avoid wasting CI cycles.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-27 16:51:53 +01:00
stevenhorsman
61b12d4e1b version: Bump nydus-snapshotter 
Bump to version v0.15.2 to pick up fix to mount source in
https://github.com/containerd/nydus-snapshotter/pull/636

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-27 14:04:00 +01:00
RuoqingHe
a43e06e0eb Merge pull request #11461 from stevenhorsman/bump-guest-components-4cd62c3 
versions: Bump guest-components
 2025-06-27 10:45:06 +08:00
Aurélien Bombo
d94085916e ci: set Zizmor as required test 
This adds Zizmor GHA security scanning as a PR gate.

Note that this does NOT require that Zizmor returns 0 alerts, but rather
that Zizmor's invocation completes successfully (regardless of how many
alerts it raises).

I will set up the former after this commit is merged (through the GH UI).

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-06-26 12:36:41 -05:00
Aurélien Bombo
820c1389db security: ci: remove overly broad permission 
This removes the permission from the workflow since it's already present
at the job level.

https://github.com/kata-containers/kata-containers/security/code-scanning/111

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-06-26 12:29:23 -05:00
Aurélien Bombo
bb2a427a8a security: ci: fix template injection 
This fixes a Zizmor error where some variables are vulnerable to template
injection.

https://github.com/kata-containers/kata-containers/security/code-scanning/67

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-06-26 12:29:11 -05:00
Saul Paredes
8c57beb943 Merge pull request #11471 from microsoft/saulparedes/fix_kata_monitor_dockerfile 
tools: kata-monitor: update go version used to build in Dockerfile
 2025-06-26 08:37:08 -07:00
Chao Wu
ac928218f3 Merge pull request #11434 from hsiangkao/erofs 
runtime: improve EROFS snapshotter support
 2025-06-26 22:40:48 +08:00
Cameron McDermott
b6cd6e6914 Merge pull request #11469 from fidencio/topic/dragonball-set-default_maxvcpus-to-zero 
runtime-rs: Set default_maxvcpus to 0
 2025-06-26 15:20:21 +01:00
Aurélien Bombo
a1aa3e79d4 Merge pull request #11392 from kata-containers/sprt/zizmor 
ci: Run zizmor for GHA security analysis
 2025-06-26 08:55:22 -05:00
Fupan Li
1ff54a95d2 Merge pull request #11422 from lifupan/memory_hotplug 
runtime-rs: Add the memory and vcpu hotplug for cloud-hypervisor
 2025-06-26 17:56:49 +08:00
Aurélien Bombo
34c8cd810d ci: Run zizmor for GHA security analysis 
This runs the zizmor security lint [1] on our GH Actions.
The initial workflow uses [2] as a base.

[1] https://docs.zizmor.sh/
[2] https://docs.zizmor.sh/usage/#use-in-github-actions

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
 2025-06-26 10:52:28 +01:00
alex.lyn
e6e4cd91b8 runtime-rs: Enable GPU annotations in remote hypervisor configuration 
Enable GPU annotations by adding `default_gpus` and `default_gpu_model`
into the list of valid annotations `enable_annotations`.

Fixes #10484

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-26 17:29:36 +08:00
alex.lyn
e5f44fae30 runtime-rs: Add GPU annotations during remote hypervisor preparation 
Add GPU specific annotations used by remote hypervisor for instance
selection during `prepare_vm`.

Fixes #10484

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-26 17:27:41 +08:00
alex.lyn
866d3facba kata-types: Introduce two GPU annotations for remote hypervisor 
Two annotations: `default_gpus and `default_gpu_model` as GPU annotations
are introduced for Kata VM configurations to improve instance selection on
remote hypervisors. By adding these annotations:
(1) `default_gpus`: Allows users to specify the minimum number of GPUs a VM
requires. This ensures that the remote hypervisor selects an instance
with at least that many GPUs, preventing resource under-provisioning.
(2) `default_gpu_model`: Lets users define the specific GPU model needed for
the VM. This is crucial for workloads that depend on particular GPU archs or
features, ensuring compatibility and optimal performance.

Fixes #10484

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-26 17:27:41 +08:00
alex.lyn
ed0c0b2367 kata-types: Introduce GPU related fields in RemoteInfo 
To provide the remote hypervisor with the necessary intelligence
to select the most appropriate instance for a given GPU instance,
leading to better resource allocation, two fields `default_gpus`
and `default_gpu_model` are introduced in `RemoteInfo`.

Fixes #10484

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-26 17:27:28 +08:00
Alex Lyn
9a1d4fc5d6 Merge pull request #11468 from Apokleos/fix-sharefs-none 
runtime-rs: Support shared fs with "none" on non-tee platforms
 2025-06-26 15:37:44 +08:00
Gao Xiang
9079c8e598 runtime: improve EROFS snapshotter support 
To better support containerd 2.1 and later versions, remove the
hardcoded `layer.erofs` and instead parse `/proc/mounts` to obtain the
real mount source (and `/sys/block/loopX/loop/backing_file` if needed).

If the mount source doesn't end with `layer.erofs`, it should be marked
as unsupported, as it may be a filesystem meta file generated by later
containerd versions for the EROFS flattened filesystem feature.

Also check whether the filesystem type is `overlay` or not, since the
containerd mount manager [1] may change it after being introduced.

[1] https://github.com/containerd/containerd/issues/11303

Fixes: f63ec50ba3 ("runtime: Add EROFS snapshotter with block device support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
 2025-06-26 10:12:12 +08:00
Saul Paredes
d53c720ac1 tools: kata-monitor: update go version used to build in Dockerfile 
Current Dockerfile fails when trying to build from the root of the repo
docker build -t kata-monitor -f tools/packaging/kata-monitor/Dockerfile .
with "invalid go version '1.23.0': must match format 1.23"

Using go 1.23 in the Dockerfile fixes the build error

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
 2025-06-25 15:32:41 -07:00
stevenhorsman
290fda9b97 agent-ctl: Bump image-rs version 
I notices that agent-ctl is including a 9 month old version of
image-rs and the libs crates haven't been update for potentially
many years, so bump all of these.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-25 16:30:58 +01:00
stevenhorsman
c7da62dd1e versions: Bump guest-components 
Bump to pick up the new guest-components
and matching trustee which use rust 1.85.1

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-25 15:05:07 +01:00
Fabiano Fidêncio
bebe377f0d runtime-rs: Set default_maxvcpus to 0 
Otherwise we just cannot start a container that requests more than 1
vcpu.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-06-25 14:36:46 +02:00
Steve Horsman
9ff30c6aeb Merge pull request #11462 from kata-containers/add-scorecard-action 
ci: Add scorecard action
 2025-06-25 12:48:11 +01:00
Fabiano Fidêncio
69c706b570 Merge pull request #11441 from stevenhorsman/protobuf-3.7.2-bump 
versions: Bump protobuf to 3.7.2
 2025-06-25 13:47:28 +02:00
alex.lyn
eae62ca9ac runtime-rs: Support shared fs with "none" on non-tee platforms 
This commit introduces the ability to run Pods without shared fs
mechanism in Kata.

The default shared fs can lead to unnecessary resource consumption
and security risks for certain use cases. Specifically, scenarios
where files only need to be copied into the VM once at Pod creation
(e.g., non-tee envs) and don't require dynamic updates make the shared
fs redundant and inefficient.

By explicitly disabling shared fs functionality, we reduce resource
overhead and shrink the attack surface. Users will need to employ
alternative methods(e.g. guest-pull) to ensure container images are
shared into the guest VM for these specific scenarios.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-25 17:36:57 +08:00
Fabiano Fidêncio
4719c08184 Merge pull request #11467 from lifupan/fixblockfile 
runtime-rs: fix the issue return the wrong volume
 2025-06-25 09:56:28 +02:00
Fupan Li
48c8e0f296 runtime-rs: fix the issue return the wrong volume 
In the pre commit:74eccc54e7b31cc4c9abd8b6e4007c3a4c1d4dd4,
it missed return the right rootfs volume.

In the is_block_rootfs fn, if the rootfs is based on a
block device such as devicemapper, it should clear the
volume's source and let the device_manager to use the
dev_id to get the device's host path.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-25 10:02:52 +08:00
Alex Lyn
648fef4f52 Merge pull request #11466 from lifupan/blockfile 
runtime-rs: add the blockfile based rootfs support
 2025-06-25 09:46:54 +08:00
Dan Mihai
2d43b3f9fc Merge pull request #11424 from katexochen/p/regorus-oras-cache 
ci/static-checks: use oras cache for regorus
 2025-06-24 14:49:00 -07:00
Fupan Li
74eccc54e7 runtime-rs: add the blockfile based rootfs support 
For containerd's Blockfile Snapshotter, it will pass
a rootfs mounts with a rawfile as a mount source
and mount options with "loop" embeded.

To support this type of rootfs, it is necessary to identify this as a
blockfile rootfs through the "loop" flag, and then use the volume source
of the rootfs as the source of the block device to hot-insert it into
the guest.

Fixes:#11464

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 22:31:54 +08:00
Paul Meyer
43739cefdf ci/static-checks: use oras cache for regorus 
Instead of building it every time, we can store the regorus
binary in OCI registry using oras and download it from there.
This reduces the install time from ~1m40s to ~15s.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
 2025-06-24 13:14:18 +02:00
Fupan Li
9bdbd82690 Merge pull request #11181 from Apokleos/initdata-runtime-rs 
runtime-rs: Implement Initdata Spec Support in runtime-rs for CoCo
 2025-06-24 18:59:34 +08:00
Fupan Li
1c59516d72 runtime-rs: add support resize_vcpu for cloud-hypervisor 
This commit add support of resize_vcpu for cloud-hypervisor
using the it's vm resize api. It can support bothof vcpu hotplug
and hot unplug.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 17:15:05 +08:00
Fupan Li
a3671b7a5c runtime-rs: Add the memory hotplug for cloud-hypervisor 
For cloud-hypervisor, currently only hot plugging of memory is
supported, but hot unplugging of memory is not supported. In addition,
by default, cloud-hypervisor uses ACPI-based memory hot-plugging instead
of virtio-mem based memory hot-plugging.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 17:15:05 +08:00
Fupan Li
7df29605a4 runtime-rs: add the vm resize and get vminfo api for clh 
Add API interfaces for get vminfo and resize. get vminfo can obtain the
memory size and number of vCPUs from the cloud hypervisor vmm in real
time. This interface provides information for the subsequent resize
memory and vCPU.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 17:15:05 +08:00
Fupan Li
9a51ade4e2 runtime-rs: impl the Deserialize trait for MacAddr 
The system's own Deserialize cannot implement parsing from string to
MacAddr, so we need to implement this trait ourself.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 17:15:05 +08:00
Fupan Li
ceaae3049c runtime-rs: move the bytes_to_megs and megs_to_bytes to utils 
Since those two functions would be used by other hypervisors,
thus move them into the utils crate.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-06-24 17:15:05 +08:00
alex.lyn
871465f5d3 kata-agent: Allow unrecognized fields in InitData 
To make it flexibility and extensibility This change modifies the Kata
Agent's handling of `InitData` to allow for unrecognized key-value pairs.

The `InitData` field now directly utilizes `HashMap<String, String>`,
enabling it to carry arbitrary metadata and information that may be
consumed by other components

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
afcb042c28 runtime-rs: Specify the initdata to mrconfigid correctly 
During sandbox preparation, initdata should be specified to TdxConfig,
specially mrconfigid, which is used to pass to tdx guest report for
measurement.

Fixes #11180

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
d6d8497b56 runtime-rs: Add host-data property to sev-snp-guest object 
SEV-SNP guest configuration utilizes a different set of properties
compared to the existing 'sev-guest' object. This change introduces
the `host-data` property within the sev-snp-guest object. This property
allows for configuring an SEV-SNP guest with host-provided data, which
is crucial for data integrity verification during attestation.

The `host-data` property is specifically valid for SEV-SNP guests
running
on a capable platform. It is configured as a base64-encoded string when
using the sev-snp-guest object.

the example cmdline looks like:
```shell
   -object sev-snp-guest,id=sev-snp0,host-data=CGNkCHoBC5CcdGXir...
```

Fixes #11180

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
4a4361393c runtime-rs: Introduce host-data in SevSnpConfig for validation 
To facilitate the transfer of initdata generated during
`prepare_initdata_device_config`, a new parameter has been
introduced into the `prepare_protection_device_config` function.

Furthermore, to specifically pass initdata to SEV-SNP Guests, a
`host_data` field has been added to the `SevSnpConfig` structure.
However, this field is exclusively applicable to the SEV-SNP platform.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
5c8170dbb9 runtime-rs: Handle initdata block device config during sandbox start 
Retrieve the Initdata string content from the security_info of the
Configuration. Based on the Protection Platform type, calculate the
digest of the Initdata. Write the Initdata content to the block
device. Subsequently, construct the BlockConfig based on this block
device information.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
6ea1494701 runtime-rs: Add InitData Resource type for block device management 
To correctly manage initdata as a block device, a new InitData
Resource type, inherently a block device, has been introduced
within the ResourceManager. As a component of the Sandbox's
resources, this InitData Resource needs to be appropriately
handled by the Device Manager's handler.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
8c1482a221 runtime-rs: Introduce coco_data dir and initdata block 
Implement resource storage infrastructure with initial
initdata support:

1. Create dedicated `coco_data` directory for:
- Centralized management of CoCo resources;
- Future expansion of CoCo artifacts;

2. Atomic initdata block as foundational component in
`coco_data`, it will implement creation of compressed
initdata blocks with:
- Gzip compression with level customization (0-9)
- Sector-aligned (512B) image format with magic header
- Adaptive buffering (4KB-128KB) based on payload size
- Temp-file atomic writes with 0o600 permissions

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
9b21d062c9 kata-types: Implement InitData retrieval from Pod annotation 
This commit implements the retrieval and processing of InitData provided
via a Pod annotation. Specifically, it enables runtime-rs to:

(1) Parse the "io.katacontainers.config.hypervisor.cc_init_data"
annotation from the Pod YAML.
(2) Perform reverse operations on the annotation value: base64 decoding
followed by gzip decompression.
(3) Deserialize the decompressed data into the internal InitData
structure.
(4) Serialize the resulting InitData into a string and store it in the
Configuration.

This allows users to inject configuration data into the TEE Guest by
encoding and compressing it and passing it as an annotation in the Pod
configuration. This mechanism supports scenarios where dynamic config
is required for Confidential Containers.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
4ca394f4fc kata-types: Implement Initdata Spec and Digest Calculation Logic 
This commit introduces the Initdata Spec and the logic for
calculating its digest. It includes:

(1) Define a `ProtectedPlatform` enum to represent major TEE platform
types.
(2) Create an `InitData` struct to support building and serializing
initialization data in TOML format.
(3) Implement adaptation for SHA-256, SHA-384, and SHA-512 digest
algorithms.
(4) Provide a platform-specific mechanism for adjusting digest lengths
(zero-padding).
(5) Supporting the decoding and verification of base64+gzip encoded
Initdata.

The core functionality ensures the integrity of data injected by the
host through trusted algorithms, while also accommodating the
measurement requirements of different TEE platforms.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
alex.lyn
2603ee66b8 kata-types: Introduce initdata to SecurityInfo for data injection 
This commit introduces a new `initdata` field of type String to
hypervisor `SecurityInfo`.

In accordance with the Initdata Specification, this field will
facilitate the injection of well-defined data from an untrusted host
into the TEE. To ensure the integrity of this injected data, the TEE
evidence's hostdata capability or the (v)TPM dynamic measurement
capability will be leveraged, as outlined in the specification.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-06-24 10:25:57 +08:00
Dan Mihai
89dcc8fb27 Merge pull request #11444 from microsoft/danmihai1/k8s-policy-rc 
tests: k8s-policy-rc: print pod descriptions
 2025-06-23 16:14:56 -07:00
Dan Mihai
0a57e09259 Merge pull request #11426 from charludo/fix/genpolicy-corruption-of-layer-cache-file 
genpolicy: prevent corruption of the layer cache file
 2025-06-23 14:00:45 -07:00
Dan Mihai
8aecf14b34 Merge pull request #11405 from kata-containers/dependabot/cargo/src/agent/clap-77d1155c52 
build(deps): bump the clap group across 6 directories with 1 update
 2025-06-23 13:05:59 -07:00
Dan Mihai
62c9845623 tests: k8s-policy-rc: print pod descriptions 
Don't use local launched_pods variable in test_rc_policy(), because
teardown() needs to use this variable to print a description of the
pods, for debugging purposes.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
 2025-06-23 16:23:26 +00:00
stevenhorsman
649e31340b doc: Add scorecard badge 
Add our scorecard badge to our readme for transparency
and to help motivate us to update our score

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-23 16:22:59 +01:00
stevenhorsman
6dd025d0ed workflows: Add scorecard workflow 
Add a workflow to update our scorecard score on
each change

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-23 16:09:14 +01:00
Steve Horsman
4f245df4a0 Merge pull request #11420 from kata-containers/pin-gha-actions 
workflows: Pin action hashes
 2025-06-23 15:26:03 +01:00
charludo
4e57cc0ed2 genpolicy: keep layers cache in-memory to prevent corruption 
The locking mechanism around the layers cache file was insufficient to
prevent corruption of the file. This commit moves the layers cache's
management in-memory, only reading the cache file once at the beginning
of `genpolicy`, and only writing to it once, at the end of `genpolicy`.

In the case that obtaining a lock on the cache file fails,
reading/writing to it is skipped, and the cache is not used/persisted.

Signed-off-by: charludo <git@charlotteharludo.com>
 2025-06-23 16:16:42 +02:00
RuoqingHe
8c1f6e827d Merge pull request #11448 from RuoqingHe/remove-dup-ignore 
ci: Remove duplicated `rust-vmm` dependencies
 2025-06-23 10:34:30 +08:00
Ruoqing He
1d2d2cc3d5 ci: Remove duplicated rust-vmm dependencies 
`vmm-sys-util` was duplicated while updating the `ignore` list of
`rust-vmm` crates in #11431, remove duplicated one and sort the list.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-06-21 21:02:59 +00:00
stevenhorsman
9685e2aeca trace-forwarder: Replace removed clap functions 
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-21 17:15:12 +01:00
stevenhorsman
e204847df5 agent-ctl: Replace removed clap functions 
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-21 17:15:12 +01:00
stevenhorsman
e11fc3334e agent: Clap v4 updates 
AppSettings was removed, so refactor
based on new documentation

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-21 17:15:12 +01:00
dependabot[bot]
0aa80313eb build(deps): bump the clap group across 6 directories with 1 update 
Bumps the clap group with 1 update in the /src/agent directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/agent-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/genpolicy directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/kata-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/runk directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/trace-forwarder directory: [clap](https://github.com/clap-rs/clap).

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-21 17:15:12 +01:00
RuoqingHe
b22135f4e5 Merge pull request #11431 from RuoqingHe/udpate-rust-vmm-ignore-list 
ci: Update dependabot ignore list
 2025-06-21 18:20:41 +08:00
Ruoqing He
6628ba3208 ci: Update dependabot ignore list 
Update dependabot ignore list in cargo ecosystem to ignore upgrades from
rust-vmm crates, since those crates need to be managed carefully and
manually.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-06-21 08:18:20 +01:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes 
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-21 08:14:13 +01:00
Steve Horsman
4bfa74c2a5 Merge pull request #11331 from stevenhorsman/helm-ghcr-login-update 
workflow: Remove code injection in helm login
 2025-06-21 08:13:40 +01:00
Steve Horsman
353b4bc853 Merge pull request #11440 from stevenhorsman/osbuilder-fedora-42-update 
osbuilder: Update image-builder base to f42
 2025-06-21 08:11:12 +01:00
Steve Horsman
cac1cb75ce Merge pull request #11378 from kata-containers/dependabot/cargo/src/tools/agent-ctl/rustix-0.37.28 
build(deps): bump rustix in various components
 2025-06-21 08:05:21 +01:00
stevenhorsman
900d9be55e build(deps): bump rustix in various components 
Bumps of rustix 0.36, 0.37 and 0.38 to resolve
CVE-2024-43806

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-20 14:52:43 -05:00
stevenhorsman
d9defd5102 osbuilder: Update image-builder base to f42 
Fedora 40 is EoL, and I've seen the registry pull fail
a few times recently, so let's bump to fedora 42 which
has 10 months of support left.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-20 20:52:30 +01:00
stevenhorsman
0f1c326ca0 versions: Bump protobuf to 3.7.2 
Now we are decoupled from the image-rs crate,
we can bump the protobuf version across our project
to resolve the GHSA-2gh3-rmm4-6rq5 advisory

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-20 20:52:04 +01:00
Saul Paredes
cc27966aa1 Merge pull request #11443 from microsoft/saulparedes/update_image 
tests: update container image for ci and unit test
 2025-06-20 12:50:42 -07:00
Archana Choudhary
e093919b42 tests: update container image for ci and unit test 
This patch updates the container image for the CI test workloads:
- `k8s-layered-sc-deployment.yaml`
- `k8s-pod-sc-deployment.yaml`
- `k8s-pod-sc-nobodyupdate-deployment.yaml`
- `k8s-pod-sc-supplementalgroups-deployment.yaml`
- `k8s-policy-deployment.yaml`

Also updates unit tests:
- `test_create_container_security_context`
- `test_create_container_security_context_supplemental_groups`

This fixes tests failing due to an image pull error as the previous image is no longer available in
the container registry.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
 2025-06-20 10:46:56 -07:00
stevenhorsman
776c89453c workflow: Remove code injection in helm login 
In theory `github.actor` could be used for code
injection, so swap it out.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-06-20 16:27:52 +01:00
Lei Liu
71d1cdf40a test: fix broken testing code in libs 
After commit a3f973db3b merged, protection::GuestProtection::[Snp,Sev]
have changed to tuple variants, and can no longer be used in assert_eq
marco without tuple values, or some errors will raised:

```
assert_eq!(actual.unwrap(), GuestProtection::Snp);
    |                                     ^^^^^^^^^^^^^^^^^^^^ expected  \
				`GuestProtection`, found enum constructor
```

Signed-off-by: Lei Liu <liulei.pt@bytedance.com>
 2025-06-17 12:38:39 +08:00
Paul Meyer
822f54c800 ci/static-checks: add dispatch trigger 
This simplifies executing the workflow on a fork during testing.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
 2025-06-16 16:12:10 +02:00
271 changed files with 11439 additions and 11624 deletions
Expand all files Collapse all files

1
.github/actionlint.yaml vendored
View File

@@ -19,7 +19,6 @@ self-hosted-runner:
- metrics
- ppc64le
- riscv-builder
- sev
- sev-snp
- s390x
- s390x-large

15
.github/dependabot.yml vendored
View File

@@ -19,20 +19,23 @@ updates:
ignore:
# rust-vmm repos might cause incompatibilities on patch versions, so
# lets handle them manually for now.
- dependency-name: "vhost"
- dependency-name: "vhost-user-backend"
- dependency-name: "event-manager"
- dependency-name: "kvm-bindings"
- dependency-name: "kvm-ioctls"
- dependency-name: "linux-loader"
- dependency-name: "seccompiler"
- dependency-name: "vfio-bindings"
- dependency-name: "vfio-ioctls"
- dependency-name: "virtio-bindings"
- dependency-name: "virtio-queue"
- dependency-name: "virtio-vsock"
- dependency-name: "vm-fdt"
- dependency-name: "vm-memory"
- dependency-name: "vm-superio"
- dependency-name: "vmm-sys-util"
# As we often have up to 8/9 components that need the same versions bumps
# create groups for common dependencies, so they can all go in a single PR
# We can extend this as we see more frequent groups
groups:
atty:
patterns:
- atty
bit-vec:
patterns:
- bit-vec

1
.github/workflows/PR-wip-checks.yaml vendored
View File

@@ -22,7 +22,6 @@ jobs:
name: WIP Check
steps:
- name: WIP Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
with:
labels: '["do-not-merge", "wip", "rfc"]'

2
.github/workflows/actionlint.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

38
.github/workflows/basic-ci-amd64.yaml vendored
View File

@@ -35,7 +35,7 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "shim"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -51,7 +51,7 @@ jobs:
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -76,7 +76,7 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "podsandbox"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -91,7 +91,7 @@ jobs:
run: bash tests/stability/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -118,7 +118,7 @@ jobs:
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -134,7 +134,7 @@ jobs:
run: bash tests/integration/nydus/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -153,7 +153,7 @@ jobs:
env:
CONTAINERD_VERSION: lts
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -169,7 +169,7 @@ jobs:
run: bash tests/integration/runk/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -195,7 +195,7 @@ jobs:
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -211,7 +211,7 @@ jobs:
run: bash tests/functional/tracing/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -239,7 +239,7 @@ jobs:
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -255,7 +255,7 @@ jobs:
run: bash tests/functional/vfio/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -280,7 +280,7 @@ jobs:
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -296,7 +296,7 @@ jobs:
run: bash tests/integration/docker/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -324,7 +324,7 @@ jobs:
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -342,7 +342,7 @@ jobs:
run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -360,7 +360,7 @@ jobs:
continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: nerdctl-tests-garm-${{ matrix.vmm }}
path: /tmp/artifacts
@@ -369,7 +369,7 @@ jobs:
run-kata-agent-apis:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -385,7 +385,7 @@ jobs:
run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts

12
.github/workflows/basic-ci-s390x.yaml vendored
View File

@@ -35,7 +35,7 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "shim"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -51,7 +51,7 @@ jobs:
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -76,7 +76,7 @@ jobs:
KATA_HYPERVISOR: ${{ matrix.vmm }}
SANDBOXER: "podsandbox"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -92,7 +92,7 @@ jobs:
run: bash tests/stability/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -116,7 +116,7 @@ jobs:
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -132,7 +132,7 @@ jobs:
run: bash tests/integration/docker/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts

2
.github/workflows/build-checks-preview-riscv64.yaml vendored
View File

@@ -72,7 +72,7 @@ jobs:
sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed()
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

2
.github/workflows/build-checks.yaml vendored
View File

@@ -70,7 +70,7 @@ jobs:
sudo rm -f /tmp/kata_hybrid* # Sometime we got leftover from test_setup_hvsock_failed()
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

33
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@@ -80,7 +80,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -130,7 +130,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -138,7 +138,7 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -147,7 +147,7 @@ jobs:
- name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
@@ -168,8 +168,8 @@ jobs:
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
- rootfs-nvidia-gpu-initrd
- rootfs-nvidia-gpu-confidential-initrd
- rootfs-initrd-nvidia-gpu
- rootfs-initrd-nvidia-gpu-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -179,7 +179,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -192,7 +192,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -217,7 +217,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -270,7 +270,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -283,7 +283,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -309,7 +309,7 @@ jobs:
MEASURED_ROOTFS: yes
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
@@ -323,10 +323,11 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -334,7 +335,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -342,8 +343,10 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz

31
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@@ -61,7 +61,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -110,7 +110,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -118,7 +118,7 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -127,7 +127,7 @@ jobs:
- name: store-extratarballs-artifact ${{ matrix.asset }}
if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
@@ -145,7 +145,7 @@ jobs:
asset:
- rootfs-image
- rootfs-initrd
- rootfs-nvidia-gpu-initrd
- rootfs-initrd-nvidia-gpu
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -155,7 +155,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -168,7 +168,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -192,7 +192,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -242,7 +242,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -255,7 +255,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -279,7 +279,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
@@ -293,10 +293,11 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -304,7 +305,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -312,8 +313,10 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz

25
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@@ -51,7 +51,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -80,7 +80,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -108,7 +108,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -121,7 +121,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -145,7 +145,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -181,7 +181,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -194,7 +194,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -218,7 +218,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
@@ -236,10 +236,11 @@ jobs:
run: |
sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -247,7 +248,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -255,8 +256,10 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
path: kata-static.tar.xz

4
.github/workflows/build-kata-static-tarball-riscv64.yaml vendored
View File

@@ -49,7 +49,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -78,7 +78,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz

33
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@@ -59,7 +59,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -104,7 +104,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -112,7 +112,7 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -141,7 +141,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -154,7 +154,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -179,7 +179,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -193,7 +193,7 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Rebase atop of the latest target branch
@@ -203,7 +203,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -227,7 +227,7 @@ jobs:
HKD_PATH: "host-key-document"
- name: store-artifact boot-image-se
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
path: kata-build/kata-static-boot-image-se.tar.xz
@@ -265,7 +265,7 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -278,7 +278,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -304,7 +304,7 @@ jobs:
MEASURED_ROOTFS: no
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
@@ -322,10 +322,11 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
@@ -333,7 +334,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -341,8 +342,10 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-static.tar.xz

5
.github/workflows/cargo-deny-runner.yaml vendored
View File

@@ -20,16 +20,13 @@ jobs:
steps:
- name: Checkout Code
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Generate Action
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
run: bash cargo-deny-generator.sh
working-directory: ./.github/cargo-deny-composite-action/
env:
GOPATH: ${{ github.workspace }}/kata-containers
- name: Run Action
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: ./.github/cargo-deny-composite-action

5
.github/workflows/ci-coco-stability.yaml vendored
View File

@@ -1,7 +1,8 @@
name: Kata Containers CoCo Stability Tests Weekly
on:
schedule:
- cron: '0 0 * * 0'
# Note: This workload is not currently maintained, so skipping it's scheduled runs
# schedule:
# - cron: '0 0 * * 0'
workflow_dispatch:
concurrency:

1
.github/workflows/ci-on-push.yaml vendored
View File

@@ -16,7 +16,6 @@ on:
permissions:
contents: read
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

2
.github/workflows/ci-weekly.yaml vendored
View File

@@ -69,7 +69,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0

6
.github/workflows/ci.yaml vendored
View File

@@ -185,7 +185,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -227,7 +227,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -240,7 +240,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64-${{ inputs.tag }}
path: kata-artifacts

2
.github/workflows/cleanup-resources.yaml vendored
View File

@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-22.04
environment: ci
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

2
.github/workflows/codeql.yml vendored
View File

@@ -60,7 +60,7 @@ jobs:
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

10
.github/workflows/commit-message-check.yaml vendored
View File

@@ -27,7 +27,6 @@ jobs:
name: Commit Message Check
steps:
- name: Get PR Commits
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
with:
@@ -43,19 +42,18 @@ jobs:
filter_out_pattern: '^Revert "|^Reapply "'
- name: DCO Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Commit Body Missing Check
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
if: ${{ success() || failure() }}
uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
- name: Check Subject Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -64,7 +62,7 @@ jobs:
post_error: ${{ env.error_msg }}
- name: Check Body Line Length
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -95,7 +93,7 @@ jobs:
post_error: ${{ env.error_msg }}
- name: Check Subsystem
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}

4
.github/workflows/darwin-tests.yaml vendored
View File

@@ -19,11 +19,11 @@ jobs:
runs-on: macos-latest
steps:
- name: Install Go
uses: actions/setup-go@v5
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Build utils

4
.github/workflows/docs-url-alive-check.yaml vendored
View File

@@ -15,7 +15,7 @@ jobs:
target_branch: ${{ github.base_ref }}
steps:
- name: Install Go
uses: actions/setup-go@v5
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
env:
@@ -25,7 +25,7 @@ jobs:
echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

2
.github/workflows/gatekeeper-skipper.yaml vendored
View File

@@ -42,7 +42,7 @@ jobs:
skip_test: ${{ steps.skipper.outputs.skip_test }}
skip_static: ${{ steps.skipper.outputs.skip_static }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0

2
.github/workflows/gatekeeper.yaml vendored
View File

@@ -28,7 +28,7 @@ jobs:
issues: read
pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0

2
.github/workflows/kata-runtime-classes-sync.yaml vendored
View File

@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Ensure the split out runtime classes match the all-in-one file

41
.github/workflows/osv-scanner.yaml vendored Normal file
View File

@@ -0,0 +1,41 @@
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner
on:
workflow_dispatch:
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 1 * * 0'
push:
branches: [ "main" ]
jobs:
scan-scheduled:
permissions:
actions: read # # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
with:
scan-args: |-
-r
./
scan-pr:
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'pull_request' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
with:
# Example of specifying custom arguments
scan-args: |-
-r
./

2
.github/workflows/payload-after-push.yaml vendored
View File

@@ -143,7 +143,7 @@ jobs:
needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

13
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@@ -44,7 +44,7 @@ jobs:
packages: write
runs-on: ${{ inputs.runner }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}
@@ -79,7 +79,12 @@ jobs:
- name: build-and-push-kata-payload for ${{ inputs.arch }}
id: build-and-push-kata-payload
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repo }}
TAG: ${{ inputs.tag }}
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz \
${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
"$(pwd)/kata-static.tar.xz" \
"${REGISTRY}/${REPO}" \
"${TAG}"

10
.github/workflows/release-amd64.yaml vendored
View File

@@ -47,16 +47,18 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64
- name: build-and-push-kata-deploy-ci-amd64
id: build-and-push-kata-deploy-ci-amd64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done

10
.github/workflows/release-arm64.yaml vendored
View File

@@ -47,16 +47,18 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-arm64
- name: build-and-push-kata-deploy-ci-arm64
id: build-and-push-kata-deploy-ci-arm64
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done

10
.github/workflows/release-ppc64le.yaml vendored
View File

@@ -47,16 +47,18 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-ppc64le
- name: build-and-push-kata-deploy-ci-ppc64le
id: build-and-push-kata-deploy-ci-ppc64le
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done

10
.github/workflows/release-s390x.yaml vendored
View File

@@ -51,16 +51,18 @@ jobs:
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-s390x
- name: build-and-push-kata-deploy-ci-s390x
id: build-and-push-kata-deploy-ci-s390x
env:
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
@@ -74,8 +76,8 @@ jobs:
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"${tag}-${{ inputs.target-arch }}"
"${tag}-${TARGET_ARCH}"
done

31
.github/workflows/release.yaml vendored
View File

@@ -12,7 +12,7 @@ jobs:
contents: write # needed for the `gh release create` command
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
@@ -84,7 +84,7 @@ jobs:
packages: write # needed to push the multi-arch manifest to ghcr.io
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -120,7 +120,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -130,7 +130,7 @@ jobs:
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64
@@ -142,7 +142,7 @@ jobs:
ARCHITECTURE: amd64
- name: Download arm64 artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-arm64
@@ -154,7 +154,7 @@ jobs:
ARCHITECTURE: arm64
- name: Download s390x artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-s390x
@@ -166,7 +166,7 @@ jobs:
ARCHITECTURE: s390x
- name: Download ppc64le artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-ppc64le
@@ -184,7 +184,7 @@ jobs:
contents: write # needed for the `gh release` commands
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -201,7 +201,7 @@ jobs:
contents: write # needed for the `gh release` commands
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -218,7 +218,7 @@ jobs:
contents: write # needed for the `gh release` commands
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -236,7 +236,7 @@ jobs:
packages: write # needed to push the helm chart to ghcr.io
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
@@ -251,9 +251,12 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: Login to the OCI registries
env:
QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
GITHUB_ACTOR: ${{ github.actor }}
run: |
echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin
echo "${{ github.token }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
- name: Push helm chart to the OCI registries
run: |
@@ -268,7 +271,7 @@ jobs:
contents: write # needed for the `gh release` commands
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

4
.github/workflows/run-cri-containerd-tests.yaml vendored
View File

@@ -44,7 +44,7 @@ jobs:
GOPATH: ${{ github.workspace }}
KATA_HYPERVISOR: ${{ inputs.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -61,7 +61,7 @@ jobs:
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
path: kata-artifacts

12
.github/workflows/run-k8s-tests-on-aks.yaml vendored
View File

@@ -85,7 +85,7 @@ jobs:
GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -98,7 +98,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -107,7 +107,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -129,7 +131,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

6
.github/workflows/run-k8s-tests-on-amd64.yaml vendored
View File

@@ -61,7 +61,7 @@ jobs:
K8S_TEST_HOST_TYPE: all
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -79,6 +79,8 @@ jobs:
- name: Deploy ${{ matrix.k8s }}
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
env:
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
- name: Configure the ${{ matrix.snapshotter }} snapshotter
if: matrix.snapshotter != ''
@@ -101,7 +103,7 @@ jobs:
continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
path: /tmp/artifacts

4
.github/workflows/run-k8s-tests-on-arm64.yaml vendored
View File

@@ -46,7 +46,7 @@ jobs:
K8S_TEST_HOST_TYPE: all
TARGET_ARCH: "aarch64"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -75,7 +75,7 @@ jobs:
continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
path: /tmp/artifacts

2
.github/workflows/run-k8s-tests-on-ppc64le.yaml vendored
View File

@@ -46,7 +46,7 @@ jobs:
USING_NFD: "false"
TARGET_ARCH: "ppc64le"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0

2
.github/workflows/run-k8s-tests-on-zvsi.yaml vendored
View File

@@ -81,7 +81,7 @@ jobs:
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0

8
.github/workflows/run-kata-coco-stability-tests.yaml vendored
View File

@@ -70,7 +70,7 @@ jobs:
SNAPSHOTTER: ${{ matrix.snapshotter }}
USING_NFD: "false"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -83,7 +83,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -114,7 +114,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

13
.github/workflows/run-kata-coco-tests.yaml vendored
View File

@@ -70,7 +70,7 @@ jobs:
ITA_KEY: ${{ secrets.ITA_KEY }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -126,7 +126,6 @@ jobs:
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# AMD has deprecated SEV support on Kata and henceforth SNP will be the only feature supported for Kata Containers.
run-k8s-tests-sev-snp:
strategy:
fail-fast: false
@@ -156,7 +155,7 @@ jobs:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -248,7 +247,7 @@ jobs:
USING_NFD: "false"
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -261,7 +260,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -292,7 +291,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

6
.github/workflows/run-kata-deploy-tests-on-aks.yaml vendored
View File

@@ -60,7 +60,7 @@ jobs:
KUBERNETES: "vanilla"
USING_NFD: "false"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -95,7 +95,9 @@ jobs:
run: bash tests/functional/kata-deploy/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/functional/kata-deploy/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials

2
.github/workflows/run-kata-deploy-tests.yaml vendored
View File

@@ -47,7 +47,7 @@ jobs:
KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0

4
.github/workflows/run-kata-monitor-tests.yaml vendored
View File

@@ -40,7 +40,7 @@ jobs:
#CONTAINERD_VERSION: ${{ matrix.containerd_version }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -56,7 +56,7 @@ jobs:
run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts

4
.github/workflows/run-metrics.yaml vendored
View File

@@ -47,7 +47,7 @@ jobs:
USING_NFD: "false"
KUBERNETES: kubeadm
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -116,7 +116,7 @@ jobs:
run: bash tests/metrics/gha-run.sh make-tarball-results
- name: archive metrics results ${{ matrix.vmm }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: metrics-artifacts-${{ matrix.vmm }}
path: results-${{ matrix.vmm }}.tar.gz

4
.github/workflows/run-runk-tests.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
env:
CONTAINERD_VERSION: lts
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
@@ -40,7 +40,7 @@ jobs:
run: bash tests/integration/runk/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts

60
.github/workflows/scorecard.yaml vendored Normal file
View File

@@ -0,0 +1,60 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
push:
branches: [ "main" ]
workflow_dispatch:
permissions: {}
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif

2
.github/workflows/shellcheck.yaml vendored
View File

@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

2
.github/workflows/shellcheck_required.yaml vendored
View File

@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

2
.github/workflows/stale.yaml vendored
View File

@@ -11,7 +11,7 @@ jobs:
stale:
runs-on: ubuntu-22.04
steps:
- uses: actions/stale@v9
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
with:
stale-pr-message: 'This PR has been opened without with no activity for 180 days. Comment on the issue otherwise it will be closed in 7 days'
days-before-pr-stale: 180

14
.github/workflows/static-checks.yaml vendored
View File

@@ -5,6 +5,7 @@ on:
- edited
- reopened
- synchronize
workflow_dispatch:
permissions:
contents: read
@@ -27,7 +28,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
@@ -69,7 +70,7 @@ jobs:
component-path: src/dragonball
steps:
- name: Checkout the code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
@@ -105,9 +106,12 @@ jobs:
- "make static-checks"
env:
GOPATH: ${{ github.workspace }}
permissions:
contents: read # for checkout
packages: write # for push to ghcr.io
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
@@ -131,6 +135,10 @@ jobs:
cd "${GOPATH}/src/github.com/${{ github.repository }}"
./tests/install_opa.sh
- name: Install regorus
env:
ARTEFACT_REPOSITORY: "${{ github.repository }}"
ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
run: |
"${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
- name: Run check

29
.github/workflows/zizmor.yaml vendored Normal file
View File

@@ -0,0 +1,29 @@
name: GHA security analysis
on:
push:
branches: ["main"]
pull_request:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
zizmor:
runs-on: ubuntu-22.04
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1

1
README.md
View File

@@ -1,6 +1,7 @@
<img src="https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/kata/SVG/kata-1.svg" width="900">
[![CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml) [![Kata Containers Nightly CI](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kata-containers/kata-containers/badge)](https://scorecard.dev/viewer/?uri=github.com/kata-containers/kata-containers)
# Kata Containers

2
VERSION
View File

@@ -1 +1 @@
3.18.0
3.19.1

634
src/agent/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

19
src/agent/Cargo.toml
View File

@@ -8,18 +8,19 @@ license = "Apache-2.0"
rust-version = "1.85.1"
[workspace.dependencies]
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
lazy_static = "1.3.0"
ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
protobuf = "=3.7.1"
protobuf = "3.7.2"
libc = "0.2.94"
nix = "0.24.2"
# Notes: nix needs to stay in sync with libs
nix = "0.26.4"
capctl = "0.2.0"
scan_fmt = "0.2.6"
scopeguard = "1.0.0"
thiserror = "1.0.26"
regex = "1.10.5"
serial_test = "0.5.1"
serial_test = "0.10.0"
url = "2.5.0"
derivative = "2.2.0"
const_format = "0.2.30"
@@ -30,7 +31,7 @@ async-recursion = "0.3.2"
futures = "0.3.30"
# Async runtime
tokio = { version = "1.44.2", features = ["full"] }
tokio = { version = "1.46.1", features = ["full"] }
tokio-vsock = "0.3.4"
netlink-sys = { version = "0.7.0", features = ["tokio_socket"] }
@@ -49,7 +50,7 @@ slog-stdlog = "4.0.0"
log = "0.4.11"
cfg-if = "1.0.0"
prometheus = { version = "0.13.0", features = ["process"] }
prometheus = { version = "0.14.0", features = ["process"] }
procfs = "0.12.0"
anyhow = "1"
@@ -66,7 +67,7 @@ opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"] }
serde = { version = "1.0.129", features = ["derive"] }
serde_json = "1.0.39"
toml = "0.5.8"
clap = { version = "3.0.1", features = ["derive"] }
clap = { version = "4.5.40", features = ["derive"] }
strum = "0.26.2"
strum_macros = "0.26.2"
@@ -80,7 +81,7 @@ kata-agent-policy = { path = "policy" }
rustjail = { path = "rustjail" }
vsock-exporter = { path = "vsock-exporter" }
mem-agent = { path = "../mem-agent" }
mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }
kata-sys-util = { path = "../libs/kata-sys-util" }
kata-types = { path = "../libs/kata-types" }
@@ -163,7 +164,7 @@ strum.workspace = true
strum_macros.workspace = true
# Agent Policy
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }
# Local dependencies
kata-agent-policy = { workspace = true, optional = true }

42
src/agent/rustjail/src/container.rs
View File

@@ -32,6 +32,7 @@ use crate::cgroups::{DevicesCgroupInfo, Manager};
use crate::console;
use crate::log_child;
use crate::process::Process;
use crate::process::ProcessOperations;
#[cfg(feature = "seccomp")]
use crate::seccomp;
use crate::selinux;
@@ -261,7 +262,7 @@ pub struct LinuxContainer {
pub init_process_start_time: u64,
pub uid_map_path: String,
pub gid_map_path: String,
pub processes: HashMap<pid_t, Process>,
pub processes: HashMap<String, Process>,
pub status: ContainerStatus,
pub created: SystemTime,
pub logger: Logger,
@@ -933,17 +934,13 @@ impl BaseContainer for LinuxContainer {
}
fn processes(&self) -> Result<Vec<i32>> {
Ok(self.processes.keys().cloned().collect())
Ok(self.processes.values().map(|p| p.pid).collect())
}
fn get_process(&mut self, eid: &str) -> Result<&mut Process> {
for (_, v) in self.processes.iter_mut() {
if eid == v.exec_id.as_str() {
return Ok(v);
}
}
Err(anyhow!("invalid eid {}", eid))
self.processes
.get_mut(eid)
.ok_or_else(|| anyhow!("invalid eid {}", eid))
}
fn stats(&self) -> Result<StatsContainerResponse> {
@@ -967,6 +964,12 @@ impl BaseContainer for LinuxContainer {
async fn start(&mut self, mut p: Process) -> Result<()> {
let logger = self.logger.new(o!("eid" => p.exec_id.clone()));
// Check if exec_id is already in use to prevent collisions
if self.processes.contains_key(p.exec_id.as_str()) {
return Err(anyhow!("exec_id '{}' already exists", p.exec_id));
}
let tty = p.tty;
let fifo_file = format!("{}/{}", &self.root, EXEC_FIFO_FILENAME);
info!(logger, "enter container.start!");
@@ -1235,7 +1238,7 @@ impl BaseContainer for LinuxContainer {
let spec = self.config.spec.as_mut().unwrap();
update_namespaces(&self.logger, spec, p.pid)?;
}
self.processes.insert(p.pid, p);
self.processes.insert(p.exec_id.clone(), p);
info!(logger, "wait on child log handler");
let _ = log_handler
@@ -1261,13 +1264,13 @@ impl BaseContainer for LinuxContainer {
let spec = self.config.spec.as_ref().unwrap();
let st = self.oci_state()?;
for pid in self.processes.keys() {
match signal::kill(Pid::from_raw(*pid), Some(Signal::SIGKILL)) {
for process in self.processes.values() {
match signal::kill(process.pid(), Some(Signal::SIGKILL)) {
Err(Errno::ESRCH) => {
info!(
self.logger,
"kill encounters ESRCH, pid: {}, container: {}",
pid,
process.pid(),
self.id.clone()
);
continue;
@@ -2081,13 +2084,14 @@ mod tests {
});
}
#[test]
fn test_linuxcontainer_get_process() {
#[tokio::test]
async fn test_linuxcontainer_get_process() {
let _ = new_linux_container_and_then(|mut c: LinuxContainer| {
c.processes.insert(
1,
Process::new(&sl(), &oci::Process::default(), "123", true, 1, None).unwrap(),
);
let process =
Process::new(&sl(), &oci::Process::default(), "123", true, 1, None).unwrap();
let exec_id = process.exec_id.clone();
c.processes.insert(exec_id, process);
let p = c.get_process("123");
assert!(p.is_ok(), "Expecting Ok, Got {:?}", p);
Ok(())

1
src/agent/rustjail/src/mount.rs
View File

@@ -1144,7 +1144,6 @@ mod tests {
use std::fs::remove_dir_all;
use std::fs::remove_file;
use std::io;
use std::os::unix::fs;
use std::os::unix::io::AsRawFd;
use tempfile::tempdir;
use test_utils::assert_result;

9
src/agent/rustjail/src/process.rs
View File

@@ -179,6 +179,11 @@ impl Process {
p.parent_stdin = Some(pstdin);
p.stdin = Some(stdin);
// Make sure the parent stdin writer be inserted into
// p.writes hashmap, thus the cleanup_process_stream can
// cleanup and close the parent stdin fd.
let _ = p.get_writer(StreamType::ParentStdin);
// These pipes are necessary as the stdout/stderr of the child process
// cannot be a socket. Otherwise, some images relying on the /dev/stdout(stderr)
// and /proc/self/fd/1(2) will fail to boot as opening an existing socket
@@ -308,8 +313,8 @@ mod tests {
assert_eq!(max_size, actual_size);
}
#[test]
fn test_process() {
#[tokio::test]
async fn test_process() {
let id = "abc123rgb";
let init = true;
let process = Process::new(

38
src/agent/src/config.rs
View File

@@ -323,31 +323,31 @@ impl FromStr for AgentConfig {
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_disable,
mac.memcg_config.disabled
mac.memcg_config.default.disabled
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_swap,
mac.memcg_config.swap
mac.memcg_config.default.swap
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_swappiness_max,
mac.memcg_config.swappiness_max
mac.memcg_config.default.swappiness_max
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_period_secs,
mac.memcg_config.period_secs
mac.memcg_config.default.period_secs
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_period_psi_percent_limit,
mac.memcg_config.period_psi_percent_limit
mac.memcg_config.default.period_psi_percent_limit
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_eviction_psi_percent_limit,
mac.memcg_config.eviction_psi_percent_limit
mac.memcg_config.default.eviction_psi_percent_limit
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_eviction_run_aging_count_min,
mac.memcg_config.eviction_run_aging_count_min
mac.memcg_config.default.eviction_run_aging_count_min
);
mem_agent_config_override!(
@@ -549,43 +549,43 @@ impl AgentConfig {
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_DISABLE,
mac.memcg_config.disabled,
mac.memcg_config.default.disabled,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_SWAP,
mac.memcg_config.swap,
mac.memcg_config.default.swap,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_SWAPPINESS_MAX,
mac.memcg_config.swappiness_max,
mac.memcg_config.default.swappiness_max,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_PERIOD_SECS,
mac.memcg_config.period_secs,
mac.memcg_config.default.period_secs,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_PERIOD_PSI_PERCENT_LIMIT,
mac.memcg_config.period_psi_percent_limit,
mac.memcg_config.default.period_psi_percent_limit,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_EVICTION_PSI_PERCENT_LIMIT,
mac.memcg_config.eviction_psi_percent_limit,
mac.memcg_config.default.eviction_psi_percent_limit,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_EVICTION_RUN_AGING_COUNT_MIN,
mac.memcg_config.eviction_run_aging_count_min,
mac.memcg_config.default.eviction_run_aging_count_min,
get_number_value
);
parse_cmdline_param!(
@@ -1408,7 +1408,10 @@ mod tests {
contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300",
mem_agent: Some(MemAgentConfig {
memcg_config: mem_agent::memcg::Config {
period_secs: 300,
default: mem_agent::memcg::SingleConfig {
period_secs: 300,
..Default::default()
},
..Default::default()
},
..Default::default()
@@ -1419,7 +1422,10 @@ mod tests {
contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300\nagent.mem_agent_compact_order=6",
mem_agent: Some(MemAgentConfig {
memcg_config: mem_agent::memcg::Config {
period_secs: 300,
default: mem_agent::memcg::SingleConfig {
period_secs: 300,
..Default::default()
},
..Default::default()
},
compact_config: mem_agent::compact::Config {

58
src/agent/src/initdata.rs
View File

@@ -15,7 +15,7 @@ use anyhow::{bail, Context, Result};
use async_compression::tokio::bufread::GzipDecoder;
use base64::{engine::general_purpose::STANDARD, Engine};
use const_format::concatcp;
use serde::Deserialize;
use kata_types::initdata::InitData;
use sha2::{Digest, Sha256, Sha384, Sha512};
use slog::Logger;
use tokio::io::{AsyncReadExt, AsyncSeekExt};
@@ -23,6 +23,13 @@ use tokio::io::{AsyncReadExt, AsyncSeekExt};
/// This is the target directory to store the extracted initdata.
pub const INITDATA_PATH: &str = "/run/confidential-containers/initdata";
const AA_CONFIG_KEY: &str = "aa.toml";
const CDH_CONFIG_KEY: &str = "cdh.toml";
const POLICY_KEY: &str = "policy.rego";
/// The path of initdata toml
pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
/// The path of AA's config file
pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
@@ -32,30 +39,6 @@ pub const CDH_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/cdh.toml");
/// Magic number of initdata device
pub const INITDATA_MAGIC_NUMBER: &[u8] = b"initdata";
/// Now only initdata `0.1.0` is defined.
const INITDATA_VERSION: &str = "0.1.0";
/// Initdata defined in
/// <https://github.com/confidential-containers/trustee/blob/47d7a2338e0be76308ac19be5c0c172c592780aa/kbs/docs/initdata.md>
#[derive(Deserialize)]
pub struct Initdata {
version: String,
algorithm: String,
data: DefinedFields,
}
/// Well-defined keys for initdata of kata/CoCo
#[derive(Deserialize, Default)]
#[serde(deny_unknown_fields)]
pub struct DefinedFields {
#[serde(rename = "aa.toml")]
aa_config: Option<String>,
#[serde(rename = "cdh.toml")]
cdh_config: Option<String>,
#[serde(rename = "policy.rego")]
policy: Option<String>,
}
async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
let dev_dir = Path::new("/dev");
let mut read_dir = tokio::fs::read_dir(dev_dir).await?;
@@ -115,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
}
pub struct InitdataReturnValue {
pub digest: Vec<u8>,
pub _digest: Vec<u8>,
pub _policy: Option<String>,
}
@@ -137,40 +120,41 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
.await
.inspect_err(|e| error!(logger, "Failed to read initdata: {e:?}"))?;
let initdata: Initdata =
let initdata: InitData =
toml::from_slice(&initdata_content).context("parse initdata failed")?;
info!(logger, "Initdata version: {}", initdata.version);
info!(logger, "Initdata version: {}", initdata.version());
initdata.validate()?;
if initdata.version != INITDATA_VERSION {
bail!("Unsupported initdata version");
}
tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
.await
.context("write initdata toml failed")?;
let digest = match &initdata.algorithm[..] {
let _digest = match initdata.algorithm() {
"sha256" => Sha256::digest(&initdata_content).to_vec(),
"sha384" => Sha384::digest(&initdata_content).to_vec(),
"sha512" => Sha512::digest(&initdata_content).to_vec(),
others => bail!("Unsupported hash algorithm {others}"),
};
if let Some(config) = initdata.data.aa_config {
if let Some(config) = initdata.get_coco_data(AA_CONFIG_KEY) {
tokio::fs::write(AA_CONFIG_PATH, config)
.await
.context("write aa config failed")?;
info!(logger, "write AA config from initdata");
}
if let Some(config) = initdata.data.cdh_config {
if let Some(config) = initdata.get_coco_data(CDH_CONFIG_KEY) {
tokio::fs::write(CDH_CONFIG_PATH, config)
.await
.context("write cdh config failed")?;
info!(logger, "write CDH config from initdata");
}
debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest));
debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));
let res = InitdataReturnValue {
digest,
_policy: initdata.data.policy,
_digest,
_policy: initdata.get_coco_data(POLICY_KEY).cloned(),
};
Ok(Some(res))

14
src/agent/src/main.rs
View File

@@ -19,9 +19,8 @@ extern crate scopeguard;
extern crate slog;
use anyhow::{anyhow, bail, Context, Result};
use base64::Engine;
use cfg_if::cfg_if;
use clap::{AppSettings, Parser};
use clap::Parser;
use const_format::concatcp;
use initdata::{InitdataReturnValue, AA_CONFIG_PATH, CDH_CONFIG_PATH};
use nix::fcntl::OFlag;
@@ -128,7 +127,7 @@ lazy_static! {
#[derive(Parser)]
// The default clap version info doesn't match our form, so we need to override it
#[clap(global_setting(AppSettings::DisableVersionFlag))]
#[clap(disable_version_flag = true)]
struct AgentOpts {
/// Print the version information
#[clap(short, long)]
@@ -485,12 +484,9 @@ async fn launch_guest_component_procs(
debug!(logger, "spawning attestation-agent process {}", AA_PATH);
let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
let initdata_parameter;
if let Some(initdata_return_value) = initdata_return_value {
initdata_parameter =
base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
aa_args.push("--initdata");
aa_args.push(&initdata_parameter);
if initdata_return_value.is_some() {
aa_args.push("--initdata-toml");
aa_args.push(initdata::INITDATA_TOML_PATH);
}
launch_process(

31
src/agent/src/rpc.rs
View File

@@ -554,7 +554,7 @@ impl AgentService {
req: protocols::agent::WaitProcessRequest,
) -> Result<protocols::agent::WaitProcessResponse> {
let cid = req.container_id;
let eid = req.exec_id;
let mut eid = req.exec_id;
let mut resp = WaitProcessResponse::new();
info!(
@@ -587,7 +587,7 @@ impl AgentService {
.get_container(&cid)
.ok_or_else(|| anyhow!("Invalid container id"))?;
let p = match ctr.processes.get_mut(&pid) {
let p = match ctr.processes.values_mut().find(|p| p.pid == pid) {
Some(p) => p,
None => {
// Lost race, pick up exit code from channel
@@ -600,6 +600,8 @@ impl AgentService {
}
};
eid = p.exec_id.clone();
// need to close all fd
// ignore errors for some fd might be closed by stream
p.cleanup_process_stream();
@@ -611,7 +613,7 @@ impl AgentService {
let _ = s.send(p.exit_code).await;
}
ctr.processes.remove(&pid);
ctr.processes.remove(&eid);
Ok(resp)
}
@@ -708,13 +710,15 @@ fn mem_agent_memcgconfig_to_memcg_optionconfig(
mc: &protocols::agent::MemAgentMemcgConfig,
) -> mem_agent::memcg::OptionConfig {
mem_agent::memcg::OptionConfig {
disabled: mc.disabled,
swap: mc.swap,
swappiness_max: mc.swappiness_max.map(|x| x as u8),
period_secs: mc.period_secs,
period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
default: mem_agent::memcg::SingleOptionConfig {
disabled: mc.disabled,
swap: mc.swap,
swappiness_max: mc.swappiness_max.map(|x| x as u8),
period_secs: mc.period_secs,
period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
},
..Default::default()
}
}
@@ -2621,11 +2625,6 @@ mod tests {
}),
..Default::default()
},
TestData {
has_fd: false,
result: Err(anyhow!(ERR_CANNOT_GET_WRITER)),
..Default::default()
},
];
for (i, d) in tests.iter().enumerate() {
@@ -2673,7 +2672,7 @@ mod tests {
}
linux_container
.processes
.insert(exec_process_id, exec_process);
.insert(exec_process.exec_id.clone(), exec_process);
sandbox.add_container(linux_container);
}

49
src/agent/src/sandbox.rs
View File

@@ -272,8 +272,10 @@ impl Sandbox {
pub fn find_process(&mut self, pid: pid_t) -> Option<&mut Process> {
for (_, c) in self.containers.iter_mut() {
if let Some(p) = c.processes.get_mut(&pid) {
return Some(p);
for p in c.processes.values_mut() {
if p.pid == pid {
return Some(p);
}
}
}
@@ -286,9 +288,11 @@ impl Sandbox {
.ok_or_else(|| anyhow!(ERR_INVALID_CONTAINER_ID))?;
if eid.is_empty() {
let init_pid = ctr.init_process_pid;
return ctr
.processes
.get_mut(&ctr.init_process_pid)
.values_mut()
.find(|p| p.pid == init_pid)
.ok_or_else(|| anyhow!("cannot find init process!"));
}
@@ -1014,23 +1018,26 @@ mod tests {
linux_container.init_process_pid = 1;
linux_container.id = cid.to_string();
// add init process
linux_container.processes.insert(
1,
Process::new(&logger, &oci::Process::default(), "1", true, 1, None).unwrap(),
);
let mut init_process =
Process::new(&logger, &oci::Process::default(), "1", true, 1, None).unwrap();
init_process.pid = 1;
linux_container
.processes
.insert("1".to_string(), init_process);
// add exec process
linux_container.processes.insert(
123,
Process::new(
&logger,
&oci::Process::default(),
"exec-123",
false,
1,
None,
)
.unwrap(),
);
let mut exec_process = Process::new(
&logger,
&oci::Process::default(),
"exec-123",
false,
1,
None,
)
.unwrap();
exec_process.pid = 123;
linux_container
.processes
.insert("exec-123".to_string(), exec_process);
s.add_container(linux_container);
@@ -1081,8 +1088,8 @@ mod tests {
.unwrap();
// processes interally only have pids when manually set
test_process.pid = test_pid;
linux_container.processes.insert(test_pid, test_process);
let test_exec_id = test_process.exec_id.clone();
linux_container.processes.insert(test_exec_id, test_process);
s.add_container(linux_container);

597
src/dragonball/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

2
src/dragonball/Cargo.toml
View File

@@ -87,7 +87,7 @@ linux-loader = {workspace = true}
log = "0.4.14"
nix = "0.24.2"
procfs = "0.12.0"
prometheus = { version = "0.13.0", features = ["process"] }
prometheus = { version = "0.14.0", features = ["process"] }
seccompiler = {workspace = true}
serde = "1.0.27"
serde_derive = "1.0.27"

1
src/dragonball/out Normal file
View File

File diff suppressed because one or more lines are too long

13
src/dragonball/src/api/v1/vmm_action.rs
View File

@@ -9,8 +9,9 @@
use std::fs::File;
use std::sync::{Arc, Mutex};
use crossbeam_channel::{unbounded, Receiver, Sender, TryRecvError};
use crossbeam_channel::{Receiver, Sender, TryRecvError};
use log::{debug, error, info, warn};
use std::sync::mpsc;
use tracing::instrument;
use crate::error::{Result, StartMicroVmError, StopMicrovmError};
@@ -284,7 +285,7 @@ pub enum VmmData {
/// Return vfio device's slot number in guest.
VfioDeviceData(Option<u8>),
/// Sync Hotplug
SyncHotplug((Sender<Option<i32>>, Receiver<Option<i32>>)),
SyncHotplug((mpsc::Sender<Option<i32>>, mpsc::Receiver<Option<i32>>)),
}
/// Request data type used to communicate between the API and the VMM.
@@ -900,7 +901,7 @@ impl VmmService {
}
})?;
let (sender, receiver) = unbounded();
let (sender, receiver) = mpsc::channel();
// It is safe because we don't expect poison lock.
let vfio_manager = vm.device_manager.vfio_manager.lock().unwrap();
@@ -965,15 +966,17 @@ impl VmmService {
));
}
let (sender, revceiver) = mpsc::channel();
#[cfg(feature = "dbs-upcall")]
vm.resize_vcpu(config, None).map_err(|e| {
vm.resize_vcpu(config, Some(sender.clone())).map_err(|e| {
if let VcpuResizeError::UpcallServerNotReady = e {
return VmmActionError::UpcallServerNotReady;
}
VmmActionError::ResizeVcpu(e)
})?;
Ok(VmmData::Empty)
Ok(VmmData::SyncHotplug((sender, revceiver)))
}
#[cfg(feature = "virtio-mem")]

2
src/dragonball/src/device_manager/vfio_dev_mgr/mod.rs
View File

@@ -16,9 +16,9 @@ use std::collections::HashMap;
use std::ops::Deref;
use std::os::fd::RawFd;
use std::path::Path;
use std::sync::mpsc::Sender;
use std::sync::{Arc, Weak};
use crossbeam_channel::Sender;
use dbs_device::resources::Resource::LegacyIrq;
use dbs_device::resources::{DeviceResources, Resource, ResourceConstraint};
use dbs_device::DeviceIo;

8
src/dragonball/src/vcpu/vcpu_manager.rs
View File

@@ -225,7 +225,7 @@ pub struct VcpuManager {
vm_as: GuestAddressSpaceImpl,
pub(crate) vm_fd: Arc<VmFd>,
action_sycn_tx: Option<Sender<bool>>,
action_sycn_tx: Option<Sender<Option<i32>>>,
vcpus_in_action: (VcpuAction, Vec<u8>),
pub(crate) reset_event_fd: Option<EventFd>,
@@ -756,7 +756,9 @@ impl VcpuManager {
fn sync_action_finish(&mut self, got_error: bool) {
if let Some(tx) = self.action_sycn_tx.take() {
if let Err(e) = tx.send(got_error) {
let result = if got_error { 0 } else { -1 };
if let Err(e) = tx.send(Some(result)) {
debug!("cpu sync action send to closed channel {}", e);
}
}
@@ -856,7 +858,7 @@ mod hotplug {
pub fn resize_vcpu(
&mut self,
vcpu_count: u8,
sync_tx: Option<Sender<bool>>,
sync_tx: Option<Sender<Option<i32>>>,
) -> std::result::Result<(), VcpuResizeError> {
if self.get_vcpus_action() != VcpuAction::None {
return Err(VcpuResizeError::VcpuIsHotplugging);

2
src/dragonball/src/vm/mod.rs
View File

@@ -832,7 +832,7 @@ impl Vm {
pub fn resize_vcpu(
&mut self,
config: VcpuResizeInfo,
sync_tx: Option<Sender<bool>>,
sync_tx: Option<Sender<Option<i32>>>,
) -> std::result::Result<(), VcpuResizeError> {
if self.upcall_client().is_none() {
Err(VcpuResizeError::UpcallClientMissing)

1
src/libs/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
Cargo.lock

2700
src/libs/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

4
src/libs/kata-sys-util/Cargo.toml
View File

@@ -18,7 +18,7 @@ common-path = "=1.0.0"
fail = "0.5.0"
lazy_static = "1.4.0"
libc = "0.2.100"
nix = "0.24.2"
nix = "0.26.4"
once_cell = "1.9.0"
serde = { version = "1.0.138", features = ["derive"] }
serde_json = "1.0.73"
@@ -32,7 +32,7 @@ pci-ids = "0.2.5"
mockall = "0.13.1"
kata-types = { path = "../kata-types" }
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
runtime-spec = { path = "../runtime-spec" }
safe-path = { path = "../safe-path" }

4
src/libs/kata-sys-util/src/protection.rs
View File

@@ -225,7 +225,7 @@ mod tests {
let actual = arch_guest_protection("/xyz/tmp", path.to_str().unwrap());
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), GuestProtection::Snp);
assert!(matches!(actual.unwrap(), GuestProtection::Snp(_)));
writeln!(snp_file, "N").unwrap();
let actual = arch_guest_protection("/xyz/tmp", path.to_str().unwrap());
@@ -244,7 +244,7 @@ mod tests {
let actual = arch_guest_protection(sev_path.to_str().unwrap(), "/xyz/tmp");
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), GuestProtection::Sev);
assert!(matches!(actual.unwrap(), GuestProtection::Sev(_)));
writeln!(sev_file, "N").unwrap();
let actual = arch_guest_protection(sev_path.to_str().unwrap(), "/xyz/tmp");

7
src/libs/kata-types/Cargo.toml
View File

@@ -27,14 +27,17 @@ thiserror = "1.0"
toml = "0.5.8"
serde-enum-str = "0.4"
sysinfo = "0.34.2"
sha2 = "0.10.8"
flate2 = { version = "1.0", features = ["zlib"] }
hex = "0.4"
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
safe-path = { path = "../safe-path" }
[dev-dependencies]
tempfile = "3.19.1"
test-utils = { path = "../test-utils" }
nix = "0.24.2"
nix = "0.26.4"
[features]
default = []

38
src/libs/kata-types/src/annotations/mod.rs
View File

@@ -15,6 +15,7 @@ use serde::Deserialize;
use crate::config::hypervisor::{get_hypervisor_plugin, HugePageType};
use crate::config::TomlConfig;
use crate::initdata::add_hypervisor_initdata_overrides;
use crate::sl;
use self::cri_containerd::{SANDBOX_CPU_PERIOD_KEY, SANDBOX_CPU_QUOTA_KEY, SANDBOX_MEM_KEY};
@@ -271,6 +272,17 @@ pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str =
"io.katacontainers.config.hypervisor.virtio_fs_extra_args";
/// A sandbox annotation to specify as the msize for 9p shares.
pub const KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p";
/// The initdata annotation passed in when CVM launchs
pub const KATA_ANNO_CFG_HYPERVISOR_INIT_DATA: &str =
"io.katacontainers.config.hypervisor.cc_init_data";
/// GPU specific annotations for remote hypervisor to help with instance selection
/// It's for minimum number of GPUs required for the VM.
pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS: &str =
"io.katacontainers.config.hypervisor.default_gpus";
/// It's for the GPU model(tesla, h100, a100, radeon etc.) required for the VM.
pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL: &str =
"io.katacontainers.config.hypervisor.default_gpu_model";
// Runtime related annotations
/// Prefix for Runtime configurations.
@@ -303,6 +315,9 @@ pub const KATA_ANNO_CFG_DISABLE_NEW_NETNS: &str =
pub const KATA_ANNO_CFG_VFIO_MODE: &str = "io.katacontainers.config.runtime.vfio_mode";
/// An annotation to declare shared mount points, which is a set of mount points that directly share mounted objects between containers.
pub const KATA_ANNO_CFG_SHARED_MOUNTS: &str = "io.katacontainers.config.runtime.shared_mounts";
/// An annotation to set timeout value in second when do create container
pub const KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT: &str =
"io.katacontainers.config.runtime.create_container_timeout";
/// A sandbox annotation used to specify prefetch_files.list host path container image
/// being used,
@@ -880,6 +895,21 @@ impl Annotation {
hv.security_info.validate_path(value)?;
hv.security_info.guest_hook_path = value.to_string();
}
KATA_ANNO_CFG_HYPERVISOR_INIT_DATA => {
hv.security_info.initdata =
add_hypervisor_initdata_overrides(value).unwrap();
}
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS => match self.get_value::<u32>(key) {
Ok(r) => {
hv.remote_info.default_gpus = r.unwrap_or_default();
}
Err(_e) => {
return Err(u32_err);
}
},
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL => {
hv.remote_info.default_gpu_model = value.to_string();
}
KATA_ANNO_CFG_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR => {
match self.get_value::<bool>(key) {
Ok(r) => {
@@ -962,6 +992,14 @@ impl Annotation {
return Err(u32_err);
}
},
KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT => match self.get_value::<u32>(key) {
Ok(v) => {
ag.request_timeout_ms = v.unwrap_or_default() * 1000;
}
Err(_e) => {
return Err(u32_err);
}
},
// update runtime config
KATA_ANNO_CFG_RUNTIME_NAME => {
let runtime = vec!["virt-container", "linux-container", "wasm-container"];

5
src/libs/kata-types/src/config/agent.rs
View File

@@ -112,7 +112,10 @@ pub struct Agent {
pub reconnect_timeout_ms: u32,
/// Agent request timeout value in millisecond
#[serde(default = "default_request_timeout")]
/// This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
/// It's also used to ensure that workloads, especially those involving large image pulls within the guest,
/// have sufficient time to complete.
#[serde(default = "default_request_timeout", rename = "create_container_timeout")]
pub request_timeout_ms: u32,
/// Agent health check request timeout value in millisecond

14
src/libs/kata-types/src/config/hypervisor/mod.rs
View File

@@ -885,6 +885,12 @@ pub struct SecurityInfo {
#[serde(default)]
pub guest_hook_path: String,
/// Initdata is dynamic configuration (like policies, configs, and identity files) with encoded format that users inject
/// into the TEE Guest upon CVM launch. And it's implemented based on the `InitData Specification`:
/// https://github.com/confidential-containers/trustee/blob/61c1dc60ee1f926c2eb95d69666c2430c3fea808/kbs/docs/initdata.md
#[serde(default)]
pub initdata: String,
/// List of valid annotation names for the hypervisor.
///
/// Each member of the list is a regular expression, which is the base name of the annotation,
@@ -1104,6 +1110,14 @@ pub struct RemoteInfo {
/// Remote hyperisor timeout of creating (in seconds)
#[serde(default)]
pub hypervisor_timeout: i32,
/// GPU specific annotations (currently only applicable for Remote Hypervisor)
/// default_gpus specifies the number of GPUs required for the Kata VM
#[serde(default)]
pub default_gpus: u32,
/// default_gpu_model specifies GPU model like tesla, h100, a100, readeon etc.
#[serde(default)]
pub default_gpu_model: String,
}
/// Common configuration information for hypervisors.

351
src/libs/kata-types/src/initdata.rs Normal file
View File

@@ -0,0 +1,351 @@
// Copyright (c) 2025 Ant Group
//
// SPDX-License-Identifier: Apache-2.0
//
use anyhow::{anyhow, Context, Result};
use flate2::read::GzDecoder;
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha384, Sha512};
use std::{collections::HashMap, io::Read};
/// Currently, initdata only supports version 0.1.0.
const INITDATA_VERSION: &str = "0.1.0";
/// supported algorithms list
const SUPPORTED_ALGORITHMS: [&str; 3] = ["sha256", "sha384", "sha512"];
/// TEE platform type
#[derive(Debug, Default, Clone, Copy)]
pub enum ProtectedPlatform {
/// Tdx platform for Intel TDX
Tdx,
/// Snp platform for AMD SEV-SNP
Snp,
/// Cca platform for ARM CCA
Cca,
/// Default with no protection
#[default]
NoProtection,
}
#[allow(clippy::doc_lazy_continuation)]
/// <https://github.com/confidential-containers/trustee/blob/47d7a2338e0be76308ac19be5c0c172c592780aa/kbs/docs/initdata.md>
/// The Initdata specification defines the key data structures and algorithms for injecting any well-defined data
/// from an untrusted host into a TEE (Trusted Execution Environment). To guarantee the integrity of the data,
/// either the hostdata capability of TEE evidence or the (v)TPM dynamic measurement capability will be utilized.
/// And its format looks like as below:
/// ```toml
/// algorithm = "sha384"
/// version = "0.1.0"
///
/// [data]
/// key1 = "value1"
/// key2 = "value2"
///```
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub struct InitData {
/// version of InitData Spec
version: String,
/// algorithm: sha256, sha512, sha384
algorithm: String,
/// data for specific "key:value"
data: HashMap<String, String>,
}
impl InitData {
/// new InitData
pub fn new(algorithm: impl Into<String>, version: impl Into<String>) -> Self {
Self {
version: version.into(),
algorithm: algorithm.into(),
data: HashMap::new(),
}
}
/// get coco data
pub fn get_coco_data(&self, key: &str) -> Option<&String> {
self.data.get(key)
}
/// insert data items
pub fn insert_data(&mut self, key: impl Into<String>, value: impl Into<String>) {
self.data.insert(key.into(), value.into());
}
/// get algorithm
pub fn algorithm(&self) -> &str {
&self.algorithm
}
/// get version
pub fn version(&self) -> &str {
&self.version
}
/// get data
pub fn data(&self) -> &HashMap<String, String> {
&self.data
}
/// serialize it to Vec<u8>
pub fn to_vec(&self) -> Result<Vec<u8>> {
Ok(toml::to_vec(&self)?)
}
/// serialize config to TOML string
pub fn to_string(&self) -> Result<String> {
Ok(toml::to_string_pretty(self)?)
}
/// Validate InitData
pub fn validate(&self) -> Result<()> {
// Currently, it only supports 0.1.0
if self.version != INITDATA_VERSION {
return Err(anyhow!(
"unsupported version: {}, expected: {}",
self.version,
INITDATA_VERSION
));
}
if !SUPPORTED_ALGORITHMS
.iter()
.any(|&alg| alg == self.algorithm)
{
return Err(anyhow!(
"unsupported algorithm: {}, supported algorithms: {}",
self.algorithm,
SUPPORTED_ALGORITHMS.join(", ")
));
}
Ok(())
}
}
/// calculate initdata digest
fn calculate_digest(algorithm: &str, data: &str) -> Result<Vec<u8>> {
let digest = match algorithm {
"sha256" => {
let mut hasher = Sha256::new();
hasher.update(&data);
hasher.finalize().to_vec()
}
"sha384" => {
let mut hasher = Sha384::new();
hasher.update(&data);
hasher.finalize().to_vec()
}
"sha512" => {
let mut hasher = Sha512::new();
hasher.update(&data);
hasher.finalize().to_vec()
}
_ => return Err(anyhow!("unsupported Hash algorithm: {}", algorithm).into()),
};
Ok(digest)
}
/// Handle digest for different TEE platform
fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
let required_len = match platform {
ProtectedPlatform::Tdx => 48,
ProtectedPlatform::Snp => 32,
ProtectedPlatform::Cca => 64,
ProtectedPlatform::NoProtection => digest.len(),
};
let mut adjusted = Vec::with_capacity(required_len);
if digest.len() >= required_len {
adjusted.extend_from_slice(&digest[..required_len]);
} else {
adjusted.extend_from_slice(digest);
adjusted.resize(required_len, 0u8); // padding with zero
}
// Vec<u8>
adjusted
}
/// Parse initdata
fn parse_initdata(initdata_str: &str) -> Result<InitData> {
let initdata: InitData = toml::from_str(&initdata_str)?;
initdata.validate()?;
Ok(initdata)
}
/// calculate initdata digest
/// 1. Parse InitData
/// 2. Calculate Digest
/// 3. Adjust Digest with Platform
/// 4. Encode digest with base64/Standard
pub fn calculate_initdata_digest(
initdata_toml: &str,
platform: ProtectedPlatform,
) -> Result<String> {
// 1. Parse InitData
let initdata: InitData = parse_initdata(initdata_toml).context("parse initdata")?;
let algorithm: &str = &initdata.algorithm;
// 2. Calculate Digest
let digest = calculate_digest(algorithm, &initdata_toml).context("calculate digest")?;
// 3. Adjust Digest with Platform
let digest_platform = adjust_digest(&digest, platform);
// 4. Encode digest with base64/Standard
let b64encoded_digest = base64::encode_config(digest_platform, base64::STANDARD);
Ok(b64encoded_digest)
}
/// The argument `initda_annotation` is a Standard base64 encoded string containing a TOML formatted content.
/// This function decodes the base64 string, parses the TOML content into an InitData structure.
pub fn add_hypervisor_initdata_overrides(initda_annotation: &str) -> Result<String> {
// Base64 decode the annotation value
let b64_decoded =
base64::decode_config(initda_annotation, base64::STANDARD).context("base64 decode")?;
// Gzip decompress the decoded data
let mut gz_decoder = GzDecoder::new(&b64_decoded[..]);
let mut initdata_str = String::new();
gz_decoder
.read_to_string(&mut initdata_str)
.context("gz decoder failed")?;
// Parse the initdata
let initdata: InitData = parse_initdata(&initdata_str).context("parse initdata overrides")?;
// initdata within a TOML string
initdata.to_string()
}
#[cfg(test)]
mod tests {
use super::*;
use flate2::write::GzEncoder;
use flate2::Compression;
use std::io::Write;
/// Test InitData creation and serialization
#[test]
fn test_init_data() {
let mut init_data = InitData::new("sha384", "0.1.0");
init_data.insert_data("initdata_key", "initdata_value");
// Verify data insertion
assert_eq!(
init_data.data().get("initdata_key").unwrap(),
"initdata_value"
);
assert_eq!(init_data.version(), "0.1.0");
assert_eq!(init_data.algorithm(), "sha384");
// Test TOML serialization
let toml_str = init_data.to_string().unwrap();
assert!(toml_str.contains("initdata_key = 'initdata_value'\n"));
assert!(toml_str.starts_with("version = '0.1.0'"));
}
/// Test calculate_digest with different algorithms
#[test]
fn test_calculate_digest() {
let data = "test_data";
// Test SHA256
let sha256 = calculate_digest("sha256", data).unwrap();
assert_eq!(sha256.len(), 32);
// Test SHA384
let sha384 = calculate_digest("sha384", data).unwrap();
assert_eq!(sha384.len(), 48);
// Test SHA512
let sha512 = calculate_digest("sha512", data).unwrap();
assert_eq!(sha512.len(), 64);
// Test invalid algorithm
assert!(calculate_digest("md5", data).is_err());
}
/// Test digest adjustment for different platforms
#[test]
fn test_adjust_digest() {
let sample_digest = vec![0xAA; 64]; // 64-byte digest
// Test TDX platform (requires 48 bytes)
let tdx_result = adjust_digest(&sample_digest, ProtectedPlatform::Tdx);
assert_eq!(tdx_result.len(), 48);
assert_eq!(&tdx_result[..48], &sample_digest[..48]);
// Test SNP platform (requires 32 bytes)
let snp_result = adjust_digest(&sample_digest, ProtectedPlatform::Snp);
assert_eq!(snp_result.len(), 32);
// Test short digest with CCA platform (requires 64 bytes)
let short_digest = vec![0xBB; 32];
let cca_result = adjust_digest(&short_digest, ProtectedPlatform::Cca);
assert_eq!(cca_result.len(), 64);
assert_eq!(&cca_result[..32], &short_digest[..]);
assert_eq!(&cca_result[32..], vec![0u8; 32]);
}
/// Test hypervisor initdata processing with compression
#[test]
fn test_hypervisor_initdata_processing() {
// Create test initdata
let mut init_data = InitData::new("sha512", "0.1.0");
init_data.insert_data("hypervisor_key", "config_value");
// Create compressed annotation
let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
encoder
.write_all(init_data.to_string().unwrap().as_bytes())
.unwrap();
let compressed = encoder.finish().unwrap();
let b64_annotation = base64::encode(compressed);
// Test processing
let result = add_hypervisor_initdata_overrides(&b64_annotation).unwrap();
assert!(result.contains("hypervisor_key = 'config_value'\n"));
assert!(result.contains("algorithm = 'sha512'\n"));
}
/// Test input validation
#[test]
fn test_initdata_validation() {
// Valid TOML
let valid_toml = r#"
version = "0.1.0"
algorithm = "sha384"
[data]
valid_key = "valid_value"
"#;
assert!(parse_initdata(valid_toml).is_ok());
// Invalid TOML (missing version)
let invalid_toml = r#"
algorithm = "sha256"
[data]
key = "value"
"#;
assert!(parse_initdata(invalid_toml).is_err());
}
/// Test error handling for malformed inputs
#[test]
fn test_error_handling() {
// Invalid base64
assert!(add_hypervisor_initdata_overrides("invalid_base64!!").is_err());
// Invalid compression format
let invalid_data = base64::encode("raw uncompressed data");
assert!(add_hypervisor_initdata_overrides(&invalid_data).is_err());
}
}

4
src/libs/kata-types/src/lib.rs
View File

@@ -40,6 +40,10 @@ pub(crate) mod utils;
/// hypervisor capabilities
pub mod capabilities;
/// The Initdata specification defines the key data structures and algorithms for injecting
/// any well-defined data from an untrusted host into a TEE (Trusted Execution Environment).
pub mod initdata;
/// Common error codes.
#[derive(thiserror::Error, Debug)]
pub enum Error {

16
src/libs/kata-types/src/mount.rs
View File

@@ -47,6 +47,9 @@ pub const SANDBOX_BIND_MOUNTS_RO: &str = ":ro";
/// SANDBOX_BIND_MOUNTS_RO is for sandbox bindmounts with readwrite
pub const SANDBOX_BIND_MOUNTS_RW: &str = ":rw";
/// KATA_VIRTUAL_VOLUME_PREFIX is for container image guest pull
pub const KATA_VIRTUAL_VOLUME_PREFIX: &str = "io.katacontainers.volume=";
/// Directly assign a block volume to vm and mount it inside guest.
pub const KATA_VIRTUAL_VOLUME_DIRECT_BLOCK: &str = "direct_block";
/// Present a container image as a generic block device.
@@ -384,7 +387,15 @@ impl KataVirtualVolume {
pub fn from_base64(value: &str) -> Result<Self> {
let json = base64::decode(value)?;
let volume: KataVirtualVolume = serde_json::from_slice(&json)?;
Ok(volume)
}
/// Decode and deserialize a virtual volume object from base64 encoded json string and validate it.
pub fn from_base64_and_validate(value: &str) -> Result<Self> {
let volume = Self::from_base64(value)?;
volume.validate()?;
Ok(volume)
}
}
@@ -532,7 +543,7 @@ pub fn adjust_rootfs_mounts() -> Result<Vec<Mount>> {
// Create a new Vec<Mount> with a single Mount entry.
// This Mount's options will contain the base64-encoded virtual volume.
Ok(vec![Mount {
options: vec![format!("{}={}", "io.katacontainers.volume", b64_vol)],
options: vec![format!("{}{}", KATA_VIRTUAL_VOLUME_PREFIX, b64_vol)],
..Default::default() // Use default values for other Mount fields
}])
}
@@ -647,7 +658,8 @@ mod tests {
volume.direct_volume = Some(DirectAssignedVolume { metadata });
let value = volume.to_base64().unwrap();
let volume2: KataVirtualVolume = KataVirtualVolume::from_base64(value.as_str()).unwrap();
let volume2: KataVirtualVolume =
KataVirtualVolume::from_base64_and_validate(value.as_str()).unwrap();
assert_eq!(volume.volume_type, volume2.volume_type);
assert_eq!(volume.source, volume2.source);
assert_eq!(volume.fs_type, volume2.fs_type);

8
src/libs/logging/Cargo.toml
View File

@@ -13,9 +13,13 @@ serde_json = "1.0.73"
# - Dynamic keys required to allow HashMap keys to be slog::Serialized.
# - The 'max_*' features allow changing the log level at runtime
# (by stopping the compiler from removing log calls).
slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
slog = { version = "2.5.2", features = [
"dynamic-keys",
"max_level_trace",
"release_max_level_debug",
] }
slog-json = "2.4.0"
slog-term = "2.9.0"
slog-term = "2.9.1"
slog-async = "2.7.0"
slog-scope = "4.4.0"
lazy_static = "1.3.0"

8
src/libs/protocols/Cargo.toml
View File

@@ -13,11 +13,11 @@ async = ["ttrpc/async", "async-trait"]
[dependencies]
ttrpc = "0.8.4"
async-trait = { version = "0.1.42", optional = true }
protobuf = { version = "=3.7.1" }
protobuf = { version = "3.7.2" }
serde = { version = "1.0.130", features = ["derive"] }
serde_json = "1.0.68"
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
[build-dependencies]
ttrpc-codegen = "0.5.0"
protobuf = { version = "=3.7.1" }
ttrpc-codegen = "0.6.0"
protobuf = { version = "3.7.2" }

2
src/libs/shim-interface/Cargo.toml
View File

@@ -13,7 +13,7 @@ edition = "2018"
[dependencies]
anyhow = "^1.0"
nix = "0.24.0"
nix = "0.26.4"
tokio = { version = "1.44.2", features = ["rt-multi-thread"] }
hyper = { version = "0.14.20", features = ["stream", "server", "http1"] }
hyperlocal = "0.8"

2
src/libs/test-utils/Cargo.toml
View File

@@ -12,4 +12,4 @@ license = "Apache-2.0"
edition = "2018"
[dependencies]
nix = "0.24.2"
nix = "0.26.4"

5
src/mem-agent/.gitignore vendored
View File

@@ -1,5 +0,0 @@
/target
/example/target
/.vscode
.vscode-ctags

917
src/mem-agent/Cargo.lock generated
View File

@@ -1,917 +0,0 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
[[package]]
name = "addr2line"
version = "0.21.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb"
dependencies = [
"gimli",
]
[[package]]
name = "adler"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]]
name = "anyhow"
version = "1.0.81"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0952808a6c2afd1aa8947271f3a60f1a6763c7b912d210184c5149b5cf147247"
[[package]]
name = "arc-swap"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7b3d0060af21e8d11a926981cc00c6c1541aa91dd64b9f881985c3da1094425f"
[[package]]
name = "async-trait"
version = "0.1.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "autocfg"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]]
name = "backtrace"
version = "0.3.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837"
dependencies = [
"addr2line",
"cc",
"cfg-if",
"libc",
"miniz_oxide",
"object",
"rustc-demangle",
]
[[package]]
name = "bitflags"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "bitflags"
version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
[[package]]
name = "bumpalo"
version = "3.15.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ff69b9dd49fd426c69a0db9fc04dd934cdb6645ff000864d98f7e2af8830eaa"
[[package]]
name = "bytes"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"
[[package]]
name = "cc"
version = "1.0.90"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5"
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "chrono"
version = "0.4.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8eaf5903dcbc0a39312feb77df2ff4c76387d591b9fc7b04a238dcf8bb62639a"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"wasm-bindgen",
"windows-targets 0.52.4",
]
[[package]]
name = "core-foundation-sys"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
[[package]]
name = "crossbeam-channel"
version = "0.5.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
dependencies = [
"crossbeam-utils",
]
[[package]]
name = "crossbeam-utils"
version = "0.8.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
[[package]]
name = "deranged"
version = "0.3.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
dependencies = [
"powerfmt",
]
[[package]]
name = "dirs-next"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
dependencies = [
"cfg-if",
"dirs-sys-next",
]
[[package]]
name = "dirs-sys-next"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
dependencies = [
"libc",
"redox_users",
"winapi",
]
[[package]]
name = "getrandom"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
dependencies = [
"cfg-if",
"libc",
"wasi",
]
[[package]]
name = "gimli"
version = "0.28.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
[[package]]
name = "hermit-abi"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
[[package]]
name = "iana-time-zone"
version = "0.1.60"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows-core",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
dependencies = [
"cc",
]
[[package]]
name = "is-terminal"
version = "0.4.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
dependencies = [
"hermit-abi",
"libc",
"windows-sys",
]
[[package]]
name = "itoa"
version = "1.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
[[package]]
name = "js-sys"
version = "0.3.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d"
dependencies = [
"wasm-bindgen",
]
[[package]]
name = "lazy_static"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "libc"
version = "0.2.172"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "libredox"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
dependencies = [
"bitflags 2.6.0",
"libc",
]
[[package]]
name = "lock_api"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
dependencies = [
"autocfg",
"scopeguard",
]
[[package]]
name = "log"
version = "0.4.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
[[package]]
name = "maplit"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
[[package]]
name = "mem-agent"
version = "0.1.0"
dependencies = [
"anyhow",
"async-trait",
"chrono",
"lazy_static",
"maplit",
"nix",
"once_cell",
"page_size",
"slog",
"slog-async",
"slog-scope",
"slog-term",
"tokio",
]
[[package]]
name = "memchr"
version = "2.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149"
[[package]]
name = "memoffset"
version = "0.6.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
dependencies = [
"autocfg",
]
[[package]]
name = "miniz_oxide"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7"
dependencies = [
"adler",
]
[[package]]
name = "mio"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
dependencies = [
"libc",
"wasi",
"windows-sys",
]
[[package]]
name = "nix"
version = "0.23.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f3790c00a0150112de0f4cd161e3d7fc4b2d8a5542ffc35f099a2562aecb35c"
dependencies = [
"bitflags 1.3.2",
"cc",
"cfg-if",
"libc",
"memoffset",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-traits"
version = "0.2.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
dependencies = [
"autocfg",
]
[[package]]
name = "object"
version = "0.32.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441"
dependencies = [
"memchr",
]
[[package]]
name = "once_cell"
version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
name = "page_size"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "parking_lot"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
dependencies = [
"lock_api",
"parking_lot_core",
]
[[package]]
name = "parking_lot_core"
version = "0.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e"
dependencies = [
"cfg-if",
"libc",
"redox_syscall",
"smallvec",
"windows-targets 0.48.5",
]
[[package]]
name = "pin-project-lite"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "proc-macro2"
version = "1.0.79"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
dependencies = [
"proc-macro2",
]
[[package]]
name = "redox_syscall"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
dependencies = [
"bitflags 1.3.2",
]
[[package]]
name = "redox_users"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
dependencies = [
"getrandom",
"libredox",
"thiserror",
]
[[package]]
name = "rustc-demangle"
version = "0.1.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
[[package]]
name = "rustversion"
version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
[[package]]
name = "scopeguard"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "signal-hook-registry"
version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1"
dependencies = [
"libc",
]
[[package]]
name = "slog"
version = "2.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
[[package]]
name = "slog-async"
version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72c8038f898a2c79507940990f05386455b3a317d8f18d4caea7cbc3d5096b84"
dependencies = [
"crossbeam-channel",
"slog",
"take_mut",
"thread_local",
]
[[package]]
name = "slog-scope"
version = "4.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f95a4b4c3274cd2869549da82b57ccc930859bdbf5bcea0424bc5f140b3c786"
dependencies = [
"arc-swap",
"lazy_static",
"slog",
]
[[package]]
name = "slog-term"
version = "2.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6e022d0b998abfe5c3782c1f03551a596269450ccd677ea51c56f8b214610e8"
dependencies = [
"is-terminal",
"slog",
"term",
"thread_local",
"time",
]
[[package]]
name = "smallvec"
version = "1.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7"
[[package]]
name = "socket2"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871"
dependencies = [
"libc",
"windows-sys",
]
[[package]]
name = "syn"
version = "2.0.52"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "take_mut"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f764005d11ee5f36500a149ace24e00e3da98b0158b3e2d53a7495660d3f4d60"
[[package]]
name = "term"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
dependencies = [
"dirs-next",
"rustversion",
"winapi",
]
[[package]]
name = "thiserror"
version = "1.0.65"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.65"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "thread_local"
version = "1.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c"
dependencies = [
"cfg-if",
"once_cell",
]
[[package]]
name = "time"
version = "0.3.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
dependencies = [
"deranged",
"itoa",
"num-conv",
"powerfmt",
"serde",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
[[package]]
name = "time-macros"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
dependencies = [
"num-conv",
"time-core",
]
[[package]]
name = "tokio"
version = "1.44.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
dependencies = [
"backtrace",
"bytes",
"libc",
"mio",
"parking_lot",
"pin-project-lite",
"signal-hook-registry",
"socket2",
"tokio-macros",
"windows-sys",
]
[[package]]
name = "tokio-macros"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "unicode-ident"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
[[package]]
name = "wasm-bindgen"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8"
dependencies = [
"cfg-if",
"wasm-bindgen-macro",
]
[[package]]
name = "wasm-bindgen-backend"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da"
dependencies = [
"bumpalo",
"log",
"once_cell",
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
]
[[package]]
name = "wasm-bindgen-macro-support"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
dependencies = [
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-core"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
dependencies = [
"windows-targets 0.52.4",
]
[[package]]
name = "windows-sys"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [
"windows-targets 0.52.4",
]
[[package]]
name = "windows-targets"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
dependencies = [
"windows_aarch64_gnullvm 0.48.5",
"windows_aarch64_msvc 0.48.5",
"windows_i686_gnu 0.48.5",
"windows_i686_msvc 0.48.5",
"windows_x86_64_gnu 0.48.5",
"windows_x86_64_gnullvm 0.48.5",
"windows_x86_64_msvc 0.48.5",
]
[[package]]
name = "windows-targets"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b"
dependencies = [
"windows_aarch64_gnullvm 0.52.4",
"windows_aarch64_msvc 0.52.4",
"windows_i686_gnu 0.52.4",
"windows_i686_msvc 0.52.4",
"windows_x86_64_gnu 0.52.4",
"windows_x86_64_gnullvm 0.52.4",
"windows_x86_64_msvc 0.52.4",
]
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9"
[[package]]
name = "windows_aarch64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
[[package]]
name = "windows_aarch64_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675"
[[package]]
name = "windows_i686_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
[[package]]
name = "windows_i686_gnu"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3"
[[package]]
name = "windows_i686_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
[[package]]
name = "windows_i686_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02"
[[package]]
name = "windows_x86_64_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
[[package]]
name = "windows_x86_64_gnu"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177"
[[package]]
name = "windows_x86_64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
[[package]]
name = "windows_x86_64_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8"

13
src/mem-agent/Cargo.toml
View File

@@ -1,7 +1,7 @@
[package]
name = "mem-agent"
version = "0.1.0"
edition = "2018"
name = "mem-agent-lib"
version = "0.2.0"
edition = "2021"
[dependencies]
slog = "2.5.2"
@@ -9,13 +9,14 @@ slog-scope = "4.1.2"
anyhow = "1.0"
page_size = "0.6"
chrono = "0.4"
tokio = { version = "1.44.2", features = ["full"] }
tokio = { version = "1.45.1", features = ["full"] }
async-trait = "0.1"
lazy_static = "1.4"
nix = "0.23.2"
maplit = "1.0"
nix = { version = "0.30.1", features = ["fs", "sched"] }
[dev-dependencies]
maplit = "1.0"
slog-term = "2.9.0"
slog-async = "2.7"
once_cell = "1.9.0"
lazy_static = "1.4"

6
src/mem-agent/Makefile
View File

@@ -1,6 +0,0 @@
# Copyright (C) 2024 Ant group. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0
default:
cd example; cargo build --examples --target x86_64-unknown-linux-musl

1641
src/mem-agent/example/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

36
src/mem-agent/example/Cargo.toml
View File

@@ -1,36 +0,0 @@
[package]
name = "mem-agent-bin"
version = "0.1.0"
edition = "2018"
[dependencies]
slog = "2.5.2"
slog-scope = "4.1.2"
slog-term = "2.9.0"
slog-async = "2.7"
structopt = "0.3"
anyhow = "1.0"
libc = "0.2"
page_size = "0.6"
chrono = "0.4"
maplit = "1.0"
ttrpc = { version = "0.8", features = ["async"] }
tokio = { version = "1.44.2", features = ["full"] }
async-trait = "0.1"
byteorder = "1.5"
protobuf = "3.1"
lazy_static = "1.4"
# Rust 1.68 doesn't support 0.5.9
home = "=0.5.5"
mem-agent = { path = "../" }
[[example]]
name = "mem-agent-srv"
path = "./srv.rs"
[[example]]
name = "mem-agent-ctl"
path = "./ctl.rs"
[build-dependencies]
ttrpc-codegen = "0.4"

29
src/mem-agent/example/build.rs
View File

@@ -1,29 +0,0 @@
// Copyright (C) 2024 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize};
fn main() -> Result<(), Box<dyn std::error::Error>> {
let protos = vec![
"protocols/protos/mem-agent.proto",
"protocols/protos/google/protobuf/empty.proto",
"protocols/protos/google/protobuf/timestamp.proto",
];
let protobuf_customized = ProtobufCustomize::default().gen_mod_rs(false);
Codegen::new()
.out_dir("protocols/")
.inputs(&protos)
.include("protocols/protos/")
.rust_protobuf()
.customize(Customize {
async_all: true,
..Default::default()
})
.rust_protobuf_customize(protobuf_customized.clone())
.run()?;
Ok(())
}

79
src/mem-agent/example/ctl.rs
View File

@@ -1,79 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
mod protocols;
mod share;
use anyhow::{anyhow, Result};
use protocols::empty;
use protocols::mem_agent_ttrpc;
use share::option::{CompactSetOption, MemcgSetOption};
use structopt::StructOpt;
use ttrpc::r#async::Client;
#[derive(Debug, StructOpt)]
enum Command {
#[structopt(name = "memcgstatus", about = "get memory cgroup status")]
MemcgStatus,
#[structopt(name = "memcgset", about = "set memory cgroup")]
MemcgSet(MemcgSetOption),
#[structopt(name = "compactset", about = "set compact")]
CompactSet(CompactSetOption),
}
#[derive(StructOpt, Debug)]
#[structopt(name = "mem-agent-ctl", about = "Memory agent controler")]
struct Opt {
#[structopt(long, default_value = "unix:///var/run/mem-agent.sock")]
addr: String,
#[structopt(subcommand)]
command: Command,
}
#[tokio::main]
async fn main() -> Result<()> {
let opt = Opt::from_args();
// setup client
let c = Client::connect(&opt.addr).unwrap();
let client = mem_agent_ttrpc::ControlClient::new(c.clone());
match opt.command {
Command::MemcgStatus => {
let mss = client
.memcg_status(ttrpc::context::with_timeout(0), &empty::Empty::new())
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
for mcg in mss.mem_cgroups {
println!("{:?}", mcg);
for (numa_id, n) in mcg.numa {
if let Some(t) = n.last_inc_time.into_option() {
println!("{} {:?}", numa_id, share::misc::timestamp_to_datetime(t)?);
}
}
}
}
Command::MemcgSet(c) => {
let config = c.to_rpc_memcg_config();
client
.memcg_set(ttrpc::context::with_timeout(0), &config)
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
}
Command::CompactSet(c) => {
let config = c.to_rpc_compact_config();
client
.compact_set(ttrpc::context::with_timeout(0), &config)
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
}
}
Ok(())
}

8
src/mem-agent/example/protocols/mod.rs
View File

@@ -1,8 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
pub mod empty;
pub mod mem_agent;
pub mod mem_agent_ttrpc;
pub mod timestamp;

52
src/mem-agent/example/protocols/protos/google/protobuf/empty.proto
View File

@@ -1,52 +0,0 @@
// Protocol Buffers - Google's data interchange format
// Copyright 2008 Google Inc. All rights reserved.
// https://developers.google.com/protocol-buffers/
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
syntax = "proto3";
package google.protobuf;
option csharp_namespace = "Google.Protobuf.WellKnownTypes";
option go_package = "types";
option java_package = "com.google.protobuf";
option java_outer_classname = "EmptyProto";
option java_multiple_files = true;
option objc_class_prefix = "GPB";
option cc_enable_arenas = true;
// A generic empty message that you can re-use to avoid defining duplicated
// empty messages in your APIs. A typical example is to use it as the request
// or the response type of an API method. For instance:
//
// service Foo {
// rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
// }
//
// The JSON representation for `Empty` is empty JSON object `{}`.
message Empty {}

138
src/mem-agent/example/protocols/protos/google/protobuf/timestamp.proto
View File

@@ -1,138 +0,0 @@
// Protocol Buffers - Google's data interchange format
// Copyright 2008 Google Inc. All rights reserved.
// https://developers.google.com/protocol-buffers/
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
syntax = "proto3";
package google.protobuf;
option csharp_namespace = "Google.Protobuf.WellKnownTypes";
option cc_enable_arenas = true;
option go_package = "github.com/golang/protobuf/ptypes/timestamp";
option java_package = "com.google.protobuf";
option java_outer_classname = "TimestampProto";
option java_multiple_files = true;
option objc_class_prefix = "GPB";
// A Timestamp represents a point in time independent of any time zone or local
// calendar, encoded as a count of seconds and fractions of seconds at
// nanosecond resolution. The count is relative to an epoch at UTC midnight on
// January 1, 1970, in the proleptic Gregorian calendar which extends the
// Gregorian calendar backwards to year one.
//
// All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap
// second table is needed for interpretation, using a [24-hour linear
// smear](https://developers.google.com/time/smear).
//
// The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By
// restricting to that range, we ensure that we can convert to and from [RFC
// 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings.
//
// # Examples
//
// Example 1: Compute Timestamp from POSIX `time()`.
//
// Timestamp timestamp;
// timestamp.set_seconds(time(NULL));
// timestamp.set_nanos(0);
//
// Example 2: Compute Timestamp from POSIX `gettimeofday()`.
//
// struct timeval tv;
// gettimeofday(&tv, NULL);
//
// Timestamp timestamp;
// timestamp.set_seconds(tv.tv_sec);
// timestamp.set_nanos(tv.tv_usec * 1000);
//
// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
//
// FILETIME ft;
// GetSystemTimeAsFileTime(&ft);
// UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
//
// // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
// // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
// Timestamp timestamp;
// timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
// timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
//
// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
//
// long millis = System.currentTimeMillis();
//
// Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
// .setNanos((int) ((millis % 1000) * 1000000)).build();
//
//
// Example 5: Compute Timestamp from current time in Python.
//
// timestamp = Timestamp()
// timestamp.GetCurrentTime()
//
// # JSON Mapping
//
// In JSON format, the Timestamp type is encoded as a string in the
// [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the
// format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z"
// where {year} is always expressed using four digits while {month}, {day},
// {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
// seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
// are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
// is required. A proto3 JSON serializer should always use UTC (as indicated by
// "Z") when printing the Timestamp type and a proto3 JSON parser should be
// able to accept both UTC and other timezones (as indicated by an offset).
//
// For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
// 01:30 UTC on January 15, 2017.
//
// In JavaScript, one can convert a Date object to this format using the
// standard
// [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString)
// method. In Python, a standard `datetime.datetime` object can be converted
// to this format using
// [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with
// the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use
// the Joda Time's [`ISODateTimeFormat.dateTime()`](
// http://www.joda.org/joda-time/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime%2D%2D
// ) to obtain a formatter capable of generating timestamps in this format.
//
//
message Timestamp {
// Represents seconds of UTC time since Unix epoch
// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
// 9999-12-31T23:59:59Z inclusive.
int64 seconds = 1;
// Non-negative fractions of a second at nanosecond resolution. Negative
// second values with fractions must still have non-negative nanos values
// that count forward in time. Must be from 0 to 999,999,999
// inclusive.
int32 nanos = 2;
}

66
src/mem-agent/example/protocols/protos/mem-agent.proto
View File

@@ -1,66 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
syntax = "proto3";
package MemAgent;
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
service Control {
rpc MemcgStatus(google.protobuf.Empty) returns (MemcgStatusReply);
rpc MemcgSet(MemcgConfig) returns (google.protobuf.Empty);
rpc CompactSet(CompactConfig) returns (google.protobuf.Empty);
}
message EvictionCount {
uint64 page = 1;
uint64 no_min_lru_file = 2;
uint64 min_lru_inc = 3;
uint64 other_error = 4;
uint64 error = 5;
uint64 psi_exceeds_limit = 6;
}
message StatusNuma {
google.protobuf.Timestamp last_inc_time = 1;
uint64 max_seq = 2;
uint64 min_seq = 3;
uint64 run_aging_count = 4;
EvictionCount eviction_count = 5;
}
message MemCgroup {
uint32 id = 1;
uint64 ino = 2;
string path = 3;
uint64 sleep_psi_exceeds_limit = 4;
map<uint32, StatusNuma> numa = 5;
}
message MemcgStatusReply {
repeated MemCgroup mem_cgroups = 1;
}
message MemcgConfig {
optional bool disabled = 1;
optional bool swap = 2;
optional uint32 swappiness_max = 3;
optional uint64 period_secs = 4;
optional uint32 period_psi_percent_limit = 5;
optional uint32 eviction_psi_percent_limit = 6;
optional uint64 eviction_run_aging_count_min = 7;
}
message CompactConfig {
optional bool disabled = 1;
optional uint64 period_secs = 2;
optional uint32 period_psi_percent_limit = 3;
optional uint32 compact_psi_percent_limit = 4;
optional int64 compact_sec_max = 5;
optional uint32 compact_order = 6;
optional uint64 compact_threshold = 7;
optional uint64 compact_force_times = 8;
}

29
src/mem-agent/example/share/misc.rs
View File

@@ -1,29 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use anyhow::{anyhow, Result};
use chrono::{DateTime, LocalResult, TimeZone, Utc};
use protobuf::well_known_types::timestamp::Timestamp;
pub fn datatime_to_timestamp(dt: DateTime<Utc>) -> Timestamp {
let seconds = dt.timestamp();
let nanos = dt.timestamp_subsec_nanos();
Timestamp {
seconds,
nanos: nanos as i32,
..Default::default()
}
}
#[allow(dead_code)]
pub fn timestamp_to_datetime(timestamp: Timestamp) -> Result<DateTime<Utc>> {
let seconds = timestamp.seconds;
let nanos = timestamp.nanos;
match Utc.timestamp_opt(seconds, nanos as u32) {
LocalResult::Single(t) => Ok(t),
_ => Err(anyhow!("Utc.timestamp_opt {} fail", timestamp)),
}
}

Some files were not shown because too many files have changed in this diff Show More