Compare commits


35 Commits

Author SHA1 Message Date
Alex Lyn
8c2e32f075 kata-types: Support create_container_timeout set within configuration
Since it aligns with the create_container_timeout definition in
runtime-go, we need to set the value in configuration.toml in seconds,
not milliseconds. We must also convert it to milliseconds when the
configuration is loaded for request_timeout_ms.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-29 17:17:23 +08:00
Xuewei Niu
f6ff9cf717 Merge pull request #11689 from Caspian443/fix-devmapper-selinux-mount-issue
runtime-rs: Empty block-rootfs Storage.options and align with Go runtime
2025-08-29 15:29:46 +08:00
Aurélien Bombo
754f07cff2 Merge pull request #11614 from kata-containers/workflow-permissions-tightening
Workflow permissions tightening
2025-08-28 10:56:03 -05:00
Fabiano Fidêncio
08d2ba1969 cgroups: Fix "." parent cgroup special case
ef642fe890 added a special case to avoid
moving cgroups that are on the "default" slice in case of deletion.

However, this special check should be done in the Parent() method
instead, which ensures that the default resource controller ID is
returned, instead of ".".

Fixes: #11599

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-27 08:15:15 +02:00
Caspian443
617af4cb3b runtime-rs: Empty block-rootfs Storage.options and align with Go runtime
- Set guest Storage.options for block rootfs to empty (do not propagate host mount options).
- Align behavior with Go runtime: only add xfs nouuid when needed.

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-08-26 01:27:21 +00:00
Caspian443
9a7aadaaca libs: Introduce rootfs fs types
- Add new kata-types::fs module with:
  - VM_ROOTFS_FILESYSTEM_EXT4
  - VM_ROOTFS_FILESYSTEM_XFS
  - VM_ROOTFS_FILESYSTEM_EROFS
- Export fs module in src/libs/kata-types/src/lib.rs
- Remove duplicated filesystem constants from src/runtime-rs/crates/hypervisor/src/lib.rs
- Update src/runtime-rs/crates/hypervisor/src/kernel_param.rs (and tests) to import from kata_types::fs

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-08-26 01:26:53 +00:00
Fabiano Fidêncio
63f6dcdeb9 kata-manager: Support xz and zst suffixes for the kata tarball
We moved to `.zst`, but users still use the upstream kata-manager to
download older versions of the project, thus we need to support both
suffixes.

Fixes: #11714

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-25 21:15:06 +02:00
Fupan Li
687d0bf94a Merge pull request #11715 from fidencio/topic/backport-qemu-reclaim-guest-freed-memory
runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT]
2025-08-25 16:59:29 +08:00
Fabiano Fidêncio
fd1b8ceed1 runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT]
Similar to what we've done for Cloud Hypervisor in the commit
9f76467cb7, we're backporting a runtime-rs
feature that would be beneficial to have as part of the go runtime.

This allows users to use virtio-balloon for the hypervisor to reclaim
memory freed by the guest.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-22 23:56:47 +02:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening, a few workflow updates have
gone in that the zizmor job isn't flagging as issues,
so address them to remove potential attack vectors.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Fabiano Fidêncio
e396a460bc Revert "local-build: Enforce USE_CACHE=no"
This reverts commit cb5f143b1b, as the
cached packages have been regenerated after the switch to using zstd.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-22 14:03:36 +02:00
Steve Horsman
23d2dfaedc Merge pull request #11707 from fidencio/topic/switch-to-use-zstd-when-possible
kata-deploy: local-build: Use zstd instead of xz
2025-08-22 10:06:00 +01:00
stevenhorsman
8cbb1a4357 runtime: Fix non constant Errorf formatting
As part of the go 1.24.6 bump there are errors about the incorrect
use of an Errorf, so switch to the non-formatting version, or add
the format string as appropriate.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
381da9e603 versions: Bump golang to 1.24.6
golang 1.25 has been released, so 1.23 is EoL,
and we should update to ensure we don't end up with security issues.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
0ccf429a3d workflows: Switch workflows to use install_go.sh
Update the two workflows that used setup-go to
instead call `install_go.sh` script, which handles
installing the correct version of golang

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
5f7525f099 build: Add darwin support to arch_to_golang
Avoid the error `ERROR: unsupported architecture: arm64`
in install_go.sh on darwin

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
3391c6f1c5 ci: Make install_go.sh more portable
`${kernel_name,,}` is bash 4.0 and not POSIX compliant, so it doesn't
work on macOS; switch to `tr`, which is more widely
supported.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
Alex Lyn
91913f9e82 Merge pull request #11711 from stevenhorsman/remote-allow-cc_init_data-annotation
runtime: Enable init_data annotation
2025-08-22 14:41:53 +08:00
Fupan Li
1a0fbbfa32 Merge pull request #11699 from Apokleos/support-nonprotection
runtime-rs: Support initdata within NonProtection scenarios
2025-08-22 10:24:47 +08:00
Hyounggyu Choi
41dcfb4a9f Merge pull request #11321 from BbolroC/reconnect-timeout-qemu-se
runtime-rs: Adjust VSOCK timeouts for IBM SEL
2025-08-22 00:34:05 +02:00
Fabiano Fidêncio
cb5f143b1b local-build: Enforce USE_CACHE=no
We need that to regenerate the tarballs that are already cached in the
zstd format.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 21:00:20 +02:00
stevenhorsman
081823b388 runtime: Enable init_data annotation
In #11693 the cc_init_data annotation was changed to be hypervisor
scoped, so each hypervisor needs to explicitly allow it in order to
use it now; add this to both the go and rust runtimes' remote
configurations.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-21 19:26:10 +01:00
Fabiano Fidêncio
f8d7ff40b4 local-build: Fix shim-v2 no cache build with measured rootfs
We need to get the root_hash.txt file from the image build, otherwise
there's no way to build the shim using those values for the
configuration files.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:56:01 +02:00
Fabiano Fidêncio
ad240a39e6 kata-deploy: tools: tests: Use zstd instead of xz
Although the compress ratio is not as optimal as using xz, it's way
faster to compress / uncompress, and it's "good enough".

This change is not small, but it's still self-contained, and has to get
in at once, in order to help bisects in the future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
9cc97ad35c kata-deploy: Bump image to use alpine 3.22
As 3.18 is already EOL.

We need to add `--break-system-packages` to enforce the installation
of the yq version that we rely on. The tests have shown
that no breakage actually happens, fortunately.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
1329ce355e versions: image / initrd: Bump to alpine 3.22
As 3.18 is EOL'ed.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
c32fc409ec rootfs-builder: Bump alpine to 3.22
As we were using a very old non-supported version.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:53:55 +02:00
Zvonko Kaiser
60d87b7785 gpu: Add more debugging to CI/CD
Capture NVRC logs via journalctl

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-21 18:09:20 +02:00
Alex Lyn
e430727cb6 runtime-rs: Change the initdata device driver with block_device_driver
Currently, we change vm_rootfs_driver as the initdata device driver
with block_device_driver.

Fixes #11697

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-21 18:56:26 +08:00
Alex Lyn
5cc028a8b1 runtime-rs: Support initdata within NonProtection scenarios
We also need to support initdata within NonProtection scenarios, even
though the platform is detected as NonProtection (usually called a
non-TEE host). In these cases, there's no need to validate the
`confidential_guest=true` item; we trust the result of the method
`available_guest_protection()?`.

Fixes #11697

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-21 18:56:23 +08:00
Hyounggyu Choi
faf5aed965 runtime-rs: Adjust VSOCK timeouts for IBM SEL
The default `reconnect_timeout` (3 seconds) was found to be insufficient for
IBM SEL when using VSOCK. This commit updates the timeouts as follows:

- `dial_timeout_ms`: Set to 90ms to match the value used in go-runtime for IBM SEL
- `reconnect_timeout_ms`: Increased to 5000ms based on empirical testing

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-21 12:35:44 +02:00
Hyounggyu Choi
b7d2973ce5 Merge pull request #11696 from BbolroC/enable-initdata-ibm-sel-runtime-rs
runtime-rs Enable initdata IBM SEL
2025-08-21 09:23:46 +02:00
Hyounggyu Choi
c4b4a3d8bb tests: Add hypervisor qemu-se-runtime-rs for initdata
This commit adds a new hypervisor `qemu-se-runtime-rs`
to test initdata for IBM SEL (s390x).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 18:57:50 +02:00
Hyounggyu Choi
2ec70bc8e2 runtime-rs: Enable initdata spec for IBM SEL
Add support for the `InitData` resource config on IBM SEL,
so that a corresponding block device is created and the
initdata is passed to the guest through this device.

Note that we skip passing the initdata hash via QEMU’s
object, since the hypervisor does not yet support this
mechanism for IBM SEL. It will be introduced separately
once QEMU adds the feature.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 18:57:50 +02:00
111 changed files with 482 additions and 314 deletions

View File

@@ -9,8 +9,7 @@ on:
- labeled
- unlabeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
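Review bot: with the top-level block now `permissions: {}` instead of `contents: read`, every job in this workflow that uses `GITHUB_TOKEN` against the repository or the API has to declare its own job-level `permissions`, and for a workflow called via `workflow_call` the caller's job-level grant is the ceiling of what the callee may use. Confirm that each job running `actions/checkout` or a reusable workflow declares the minimum it needs (typically `contents: read`), and that the callee-side hunks later in this diff (for example the `run-k8s-tests` job that adds `contents: read` and `id-token: write`) line up with what the caller grants. The same two-line-to-one-line change is repeated for most workflow files below and this comment applies to all of them; note that a few of those hunks are headed `-11,8 +11,8` or `-5,8 +5,8` rather than `8 +7`, meaning one more line changed there than the rendered view shows, so those files deserve a second look.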

View File

@@ -11,8 +11,8 @@ on:
paths:
- '.github/workflows/**'
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

View File

@@ -12,8 +12,7 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks preview riscv64
jobs:

View File

@@ -5,8 +5,8 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks
jobs:

View File

@@ -26,8 +26,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -144,7 +143,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
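Review bot: the artifact `name:` stays the same while `path:` moves from `kata-build/kata-static-${{ matrix.asset }}.tar.xz` to `.tar.zst`, so any job that downloads `kata-artifacts-amd64-*` and then extracts it with `tar -xJf`, `xz`, or a hard-coded `.tar.xz` filename breaks unless it is updated in the same change. The message for ad240a39e6 says the switch lands at once; confirm the consuming side (kata-deploy local-build and the test scripts) is in this diff. The same applies to the remaining upload-artifact hunks below for arm64, ppc64le, riscv64 and s390x.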
@@ -153,7 +152,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
retention-days: 15
if-no-files-found: error
@@ -224,7 +223,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -316,7 +315,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -353,6 +352,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: false
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -121,7 +120,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -130,7 +129,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
retention-days: 15
if-no-files-found: error
@@ -195,7 +194,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -282,7 +281,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -319,6 +318,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -83,7 +82,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 1
if-no-files-found: error
@@ -148,7 +147,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 1
if-no-files-found: error
@@ -221,7 +220,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 1
if-no-files-found: error
@@ -262,6 +261,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 1
if-no-files-found: error

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -81,6 +80,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -27,8 +27,7 @@ on:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -115,7 +114,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -182,7 +181,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -230,7 +229,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
path: kata-build/kata-static-boot-image-se.tar.xz
path: kata-build/kata-static-boot-image-se.tar.zst
retention-days: 1
if-no-files-found: error
@@ -307,7 +306,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -348,6 +347,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
cargo-deny-runner:

View File

@@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

View File

@@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

View File

@@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x
permissions:
contents: read
permissions: {}
jobs:
check-internal-test-result:

View File

@@ -7,8 +7,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

View File

@@ -13,8 +13,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -30,8 +30,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

View File

@@ -40,9 +40,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
build-kata-static-tarball-amd64:
@@ -292,6 +290,10 @@ jobs:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
@@ -351,6 +353,9 @@ jobs:
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io

View File

@@ -4,13 +4,13 @@ on:
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
contents: read
id-token: write
permissions: {}
jobs:
cleanup-resources:
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
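Review bot: the `cleanup-resources` job now declares only `id-token: write` while its first step is `actions/checkout`; on a private repository that step needs `contents: read` on `GITHUB_TOKEN`, and on a public one it only works because the clone needs no scope. The equivalent `run-k8s-tests` job later in this diff adds both `contents: read` and `id-token: write`, so either add `contents: read` here for consistency, or drop it there once an unscoped token is confirmed sufficient; an explicit read scope also states the intent rather than relying on repository visibility.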

View File

@@ -19,8 +19,8 @@ on:
schedule:
- cron: '45 0 * * 1'
permissions:
contents: read
permissions: {}
jobs:
analyze:

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -18,13 +17,15 @@ jobs:
test:
runs-on: macos-latest
steps:
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install golang
run: |
./tests/install_go.sh -f -p
echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
- name: Build utils
run: ./ci/darwin-test.sh
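Review bot: replacing the SHA-pinned `actions/setup-go@d35c59ab...` with `go-version: 1.23.10` by `./tests/install_go.sh -f -p` moves the toolchain pin out of this workflow and into the repository's version file, which keeps one Go version across CI, but the workflow's supply chain now depends on whatever that script downloads and on how it verifies it; the rendered hunk gives no way to tell, so make sure install_go.sh checks the Go tarball's published checksum before installing. The step order is right (checkout before the in-repo script can run) and `persist-credentials: false` is kept.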

View File

@@ -2,8 +2,7 @@ on:
schedule:
- cron: '0 23 * * 0'
permissions:
contents: read
permissions: {}
name: Docs URL Alive Check
jobs:
@@ -14,23 +13,21 @@ jobs:
env:
target_branch: ${{ github.base_ref }}
steps:
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
env:
GOPATH: ${{ github.workspace }}/kata-containers
- name: Set env
run: |
echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
path: ./src/github.com/${{ github.repository }}
# docs url alive check
- name: Install golang
run: |
./tests/install_go.sh -f -p
echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
- name: Docs URL Alive Check
run: |
cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
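Review bot: the new `Install golang` step runs `./tests/install_go.sh -f -p` from the default working directory, but the checkout step in the same hunk places the repository under `path: ./src/github.com/${{ github.repository }}`, so `./tests/install_go.sh` does not exist at the workspace root and the step will fail with a not-found error. The `Docs URL Alive Check` step already does `cd "${GOPATH}/src/github.com/${{ github.repository }}"`; the install step needs the same treatment, either a `working-directory:` on the step or the full path to the script. Removing the step-scoped `GOPATH: ${{ github.workspace }}/kata-containers` is fine, since the surviving `Set env` step writes `GOPATH=${{ github.workspace }}`, which matches the checkout path.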

View File

@@ -31,8 +31,7 @@ on:
skip_static:
value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
permissions: {}
jobs:
skipper:

View File

@@ -12,8 +12,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -3,8 +3,7 @@ on:
name: Govulncheck
permissions:
contents: read
permissions: {}
jobs:
govulncheck:
@@ -14,12 +13,12 @@ jobs:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
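Review bot: the removed and added lines `- binary: "containerd-shim-kata-v2"` are identical in the rendered view and the header `-14,12 +13,12` shows no net line change, so this hunk is whitespace-only; if it is an indentation fix for the matrix `include:` entry, say so in the commit message, and if it is an accidental re-indent it is better dropped from a permissions-tightening PR.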

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -15,6 +15,8 @@ on:
push:
branches: [ "main" ]
permissions: {}
jobs:
scan-scheduled:
permissions:

View File

@@ -5,8 +5,7 @@ on:
- main
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
kata-payload:
@@ -85,6 +84,6 @@ jobs:
TAG: ${{ inputs.tag }}
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)/kata-static.tar.xz" \
"$(pwd)/kata-static.tar.zst" \
"${REGISTRY}/${REPO}" \
"${TAG}"

View File

@@ -11,8 +11,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:
@@ -74,9 +73,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-arm64:
@@ -71,9 +70,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-ppc64le:
@@ -71,9 +70,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-s390x:
@@ -75,9 +74,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -2,8 +2,7 @@ name: Release Kata Containers
on:
workflow_dispatch
permissions:
contents: read
permissions: {}
jobs:
release:
@@ -127,7 +126,7 @@ jobs:
- name: Set KATA_STATIC_TARBALL env var
run: |
tarball=$(pwd)/kata-static.tar.xz
tarball=$(pwd)/kata-static.tar.zst
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 artifacts
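Review bot: changing `tarball=$(pwd)/kata-static.tar.zst` in the release job renames the published release asset, so any tool that fetches releases by the `.tar.xz` name breaks at the next release. Commit 63f6dcdeb9 in this range already teaches kata-manager to accept both suffixes; check the remaining downloaders (the kata-deploy docs and any third-party install scripts) and consider publishing both names for one release cycle, or at least calling the rename out in the release notes.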

View File

@@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests
permissions:
contents: read
permissions: {}
on:
workflow_call:

View File

@@ -34,9 +34,7 @@ on:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-k8s-tests:
@@ -71,6 +69,9 @@ jobs:
instance-type: normal
auto-generate-policy: yes
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-amd64:

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-on-arm64:

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

View File

@@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

View File

@@ -35,9 +35,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
# Generate jobs for testing CoCo on non-TEE environments
@@ -52,6 +50,9 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

View File

@@ -36,9 +36,7 @@ on:
ITA_KEY:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-k8s-tests-on-tdx:
@@ -223,6 +221,8 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

View File

@@ -29,9 +29,7 @@ on:
AZ_SUBSCRIPTION_ID:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-kata-deploy-tests:
@@ -50,6 +48,8 @@ jobs:
vmm: clh
runs-on: ubuntu-22.04
environment: ci
permissions:
id-token: write # Used for OIDC access to log into Azure
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-kata-deploy-tests:

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-monitor:

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-metrics:

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-runk:

View File

@@ -10,8 +10,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -11,8 +11,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
stale:

View File

@@ -6,8 +6,7 @@ on:
- reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -7,8 +7,7 @@ on:
- synchronize
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -5,8 +5,7 @@ on:
branches: ["main"]
pull_request:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -306,7 +306,7 @@ tarball to the newly created VM that will be used for debugging purposes.
> [!NOTE]
> Those artifacts are only available (for 15 days) when all jobs are finished.
Once you have the `kata-static.tar.xz` in your VM, you can login to the VM with
Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with
`kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch
```bash
@@ -323,15 +323,15 @@ $ git config --global user.name "Your Name"
$ git rebase upstream/main
```
Now copy the `kata-static.tar.xz` into your `kata-containers/kata-artifacts` directory
Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory
```bash
$ mkdir kata-artifacts
$ cp ../kata-static.tar.xz kata-artifacts/
$ cp ../kata-static.tar.zst kata-artifacts/
```
> [!NOTE]
> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.xz`
> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst`
And finally run the tests following what's in the yaml file for the test you're
debugging.
@@ -363,11 +363,11 @@ and have fun debugging and hacking!
Steps for debugging the Kubernetes tests are very similar to the ones for
debugging non-Kubernetes tests, with the caveat that what you'll need, this
time, is not the `kata-static.tar.xz` tarball, but rather a payload to be used
time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used
with kata-deploy.
In order to generate your own kata-deploy image you can generate your own
`kata-static.tar.xz` and then take advantage of the following script. Be aware
`kata-static.tar.zst` and then take advantage of the following script. Be aware
that the image generated and uploaded must be accessible by the VM where you'll
be performing your tests.

View File

@@ -89,16 +89,16 @@ However, if any of these components are absent, they must be built from the
$ # Assume that the project is cloned at $GOPATH/src/github.com/kata-containers
$ cd $GOPATH/src/github.com/kata-containers/kata-containers
$ make rootfs-initrd-confidential-tarball
$ tar -tf build/kata-static-kernel-confidential.tar.xz | grep vmlinuz
$ tar --zstd -tf build/kata-static-kernel-confidential.tar.zst | grep vmlinuz
./opt/kata/share/kata-containers/vmlinuz-confidential.container
./opt/kata/share/kata-containers/vmlinuz-6.7-136-confidential
$ kernel_version=6.7-136
$ tar -tf build/kata-static-rootfs-initrd-confidential.tar.xz | grep initrd
$ tar --zstd -tf build/kata-static-rootfs-initrd-confidential.tar.zst | grep initrd
./opt/kata/share/kata-containers/kata-containers-initrd-confidential.img
./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ mkdir artifacts
$ tar -xvf build/kata-static-kernel-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
$ tar -xvf build/kata-static-rootfs-initrd-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ tar --zstd -xvf build/kata-static-kernel-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
$ tar --zstd -xvf build/kata-static-rootfs-initrd-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ ls artifacts/opt/kata/share/kata-containers/
kata-ubuntu-20.04-confidential.initrd vmlinuz-${kernel_version}-confidential
```
@@ -190,8 +190,8 @@ can be easily accomplished by issuing the following make target:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers
$ mkdir hkd_dir && cp $host_key_document hkd_dir
$ HKD_PATH=hkd_dir SE_KERNEL_PARAMS="agent.log=debug" make boot-image-se-tarball
$ ls build/kata-static-boot-image-se.tar.xz
build/kata-static-boot-image-se.tar.xz
$ ls build/kata-static-boot-image-se.tar.zst
build/kata-static-boot-image-se.tar.zst
```
`SE_KERNEL_PARAMS` could be used to add any extra kernel parameters. If no additional kernel configuration is required, this can be omitted.
@@ -344,18 +344,18 @@ $ make virtiofsd-tarball
$ make shim-v2-tarball
$ mkdir kata-artifacts
$ build_dir=$(readlink -f build)
$ cp -r $build_dir/*.tar.xz kata-artifacts
$ cp -r $build_dir/*.tar.zst kata-artifacts
$ ls -1 kata-artifacts
kata-static-agent.tar.xz
kata-static-boot-image-se.tar.xz
kata-static-coco-guest-components.tar.xz
kata-static-kernel-confidential-modules.tar.xz
kata-static-kernel-confidential.tar.xz
kata-static-pause-image.tar.xz
kata-static-qemu.tar.xz
kata-static-rootfs-initrd-confidential.tar.xz
kata-static-shim-v2.tar.xz
kata-static-virtiofsd.tar.xz
kata-static-agent.tar.zst
kata-static-boot-image-se.tar.zst
kata-static-coco-guest-components.tar.zst
kata-static-kernel-confidential-modules.tar.zst
kata-static-kernel-confidential.tar.zst
kata-static-pause-image.tar.zst
kata-static-qemu.tar.zst
kata-static-rootfs-initrd-confidential.tar.zst
kata-static-shim-v2.tar.zst
kata-static-virtiofsd.tar.zst
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
```
@@ -369,7 +369,7 @@ command before running `kata-deploy-merge-builds.sh`:
$ make rootfs-image-tarball
```
At this point, you should have an archive file named `kata-static.tar.xz` at the project root,
At this point, you should have an archive file named `kata-static.tar.zst` at the project root,
which will be used to build a payload image. If you are using a local container registry at
`localhost:5000`, proceed with the following:
@@ -381,7 +381,7 @@ Build and push a payload image with the name `localhost:5000/build-kata-deploy`
`latest` using the following:
```
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.xz localhost:5000/build-kata-deploy latest
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.zst localhost:5000/build-kata-deploy latest
... logs ...
Pushing the image localhost:5000/build-kata-deploy:latest to the registry
The push refers to repository [localhost:5000/build-kata-deploy]

View File

@@ -6,6 +6,7 @@
use std::io::Result;
use crate::config::{ConfigOps, TomlConfig};
use serde::{Deserialize, Deserializer};
pub use vendor::AgentVendor;
@@ -117,7 +118,8 @@ pub struct Agent {
/// have sufficient time to complete.
#[serde(
default = "default_request_timeout",
rename = "create_container_timeout"
rename = "create_container_timeout",
deserialize_with = "deserialize_secs_to_millis"
)]
pub request_timeout_ms: u32,
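Review bot: serde does not route the `default = "default_request_timeout"` value through `deserialize_with`, so `default_request_timeout` must keep returning milliseconds while a user-supplied `create_container_timeout` is now read in seconds; please state both units in the doc comment on this field (and on `default_request_timeout`) so the next editor does not "fix" one to match the other.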
@@ -205,6 +207,15 @@ fn default_health_check_timeout() -> u32 {
90_000
}
fn deserialize_secs_to_millis<'de, D>(deserializer: D) -> std::result::Result<u32, D::Error>
where
D: Deserializer<'de>,
{
let secs = u32::deserialize(deserializer)?;
Ok(secs.saturating_mul(1000))
}
impl Agent {
fn validate(&self) -> Result<()> {
if self.dial_timeout_ms == 0 {
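Review bot: `secs.saturating_mul(1000)` in `deserialize_secs_to_millis` silently clamps any `create_container_timeout` above 4_294_967 seconds to `u32::MAX` instead of rejecting it; prefer `secs.checked_mul(1000).ok_or_else(|| serde::de::Error::custom("create_container_timeout too large"))` so a misconfiguration is reported rather than turned into a roughly 49-day timeout. A configured `0` also still yields `request_timeout_ms = 0`; `validate()` below guards `dial_timeout_ms == 0`, so `request_timeout_ms` deserves the same check.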

View File

@@ -0,0 +1,15 @@
// Copyright 2025 Kata Contributors
//
// SPDX-License-Identifier: Apache-2.0
//
//! Filesystem-related constants shared across Kata components.
/// Root filesystem type: ext4
pub const VM_ROOTFS_FILESYSTEM_EXT4: &str = "ext4";
/// Root filesystem type: xfs
pub const VM_ROOTFS_FILESYSTEM_XFS: &str = "xfs";
/// Root filesystem type: erofs
pub const VM_ROOTFS_FILESYSTEM_EROFS: &str = "erofs";

View File

@@ -3,12 +3,12 @@
// SPDX-License-Identifier: Apache-2.0
//
use crate::sl;
use anyhow::{anyhow, Context, Result};
use flate2::read::GzDecoder;
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha384, Sha512};
use std::{collections::HashMap, io::Read};
use crate::sl;
/// Currently, initdata only supports version 0.1.0.
const INITDATA_VERSION: &str = "0.1.0";
@@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
Snp,
/// Cca platform for ARM CCA
Cca,
/// Se platform for IBM SEL
Se,
/// Default with no protection
#[default]
NoProtection,
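Review bot: the doc comment on the new variant reads `/// Se platform for IBM SEL`, but the platform is IBM Secure Execution, abbreviated SE everywhere else in this series (`qemu-se`, `GuestProtection::Se`); this looks like a typo for `IBM SE`.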
@@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
ProtectedPlatform::Tdx => 48,
ProtectedPlatform::Snp => 32,
ProtectedPlatform::Cca => 64,
ProtectedPlatform::Se => 256,
ProtectedPlatform::NoProtection => digest.len(),
};
@@ -432,6 +435,12 @@ key = "value"
assert_eq!(cca_result.len(), 64);
assert_eq!(&cca_result[..32], &short_digest[..]);
assert_eq!(&cca_result[32..], vec![0u8; 32]);
// Test SE platform (requires 256 bytes)
let long_digest = vec![0xAA; 256];
let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
assert_eq!(se_result.len(), 256);
assert_eq!(&se_result[..256], &long_digest[..256]);
}
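Review bot: the new SE test only feeds `adjust_digest` an input that is already exactly 256 bytes, so it never exercises the zero-padding path that the `ProtectedPlatform::Se => 256` arm enables; mirror the CCA case just above (`assert_eq!(&cca_result[32..], vec![0u8; 32])`) with a short digest that must be padded to 256 bytes, and an over-long one if truncation is intended. Also `assert_eq!(&se_result[..256], &long_digest[..256])` compares the whole vectors anyway, so `assert_eq!(se_result, long_digest)` says the same with less noise.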
/// Test hypervisor initdata processing with compression

View File

@@ -40,6 +40,9 @@ pub(crate) mod utils;
/// hypervisor capabilities
pub mod capabilities;
/// Filesystem-related constants
pub mod fs;
/// The Initdata specification defines the key data structures and algorithms for injecting
/// any well-defined data from an untrusted host into a TEE (Trusted Execution Environment).
pub mod initdata;

View File

@@ -541,7 +541,7 @@ kernel_modules=[]
# Agent dial timeout in millisecond.
# (default: 10)
dial_timeout_ms = 30
dial_timeout_ms = 90
# Agent reconnect timeout in millisecond.
# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
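Review bot: `dial_timeout_ms` goes from 30 to 90, but the comment two lines up still says `(default: 10)` and the retry-count comment still says `(default: 300)`; with the new values the retry count is about 55, so please update both comments (or explain in them why this template deviates from the default).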
@@ -550,7 +550,7 @@ dial_timeout_ms = 30
# You'd better not change the value of dial_timeout_ms, unless you have an
# idea of what you are doing.
# (default: 3000)
#reconnect_timeout_ms = 3000
reconnect_timeout_ms = 5000
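Review bot: `reconnect_timeout_ms` changes from a commented-out default (`#reconnect_timeout_ms = 3000`) to an explicit `5000`, yet the comment directly above still says `(default: 3000)` and warns operators not to touch `dial_timeout_ms` unless they know what they are doing; either record the rationale for the larger value in the comment or keep the default and let operators opt in.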
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.

View File

@@ -29,7 +29,7 @@ remote_hypervisor_timeout = 600
#
# Known limitations:
# * Does not work by design:
# - CPU Hotplug
# - CPU Hotplug
# - Memory Hotplug
# - NVDIMM devices
#
@@ -41,7 +41,7 @@ remote_hypervisor_timeout = 600
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
# Note: Remote hypervisor is only handling the following annotations
enable_annotations = ["machine_type", "default_memory", "default_vcpus", "default_gpus", "default_gpu_model"]
enable_annotations = ["machine_type", "default_memory", "default_vcpus", "default_gpus", "default_gpu_model", "cc_init_data"]
# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
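Review bot: the comment above this list says the remote hypervisor only handles the listed annotations, so adding `cc_init_data` here is only meaningful if the remote side actually consumes the init-data and binds it into the guest's measurement; please confirm that in the PR description, because an annotation that is accepted but silently ignored lets a pod author believe their init-data policy is enforced when it is not.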
@@ -251,7 +251,7 @@ disable_guest_seccomp=true
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# (default: false)
# Note: The remote hypervisor has a different networking model, which requires true
# Note: The remote hypervisor has a different networking model, which requires true
disable_new_netns = false
# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.

View File

@@ -8,10 +8,12 @@ use anyhow::{anyhow, Result};
use crate::{
VM_ROOTFS_DRIVER_BLK, VM_ROOTFS_DRIVER_BLK_CCW, VM_ROOTFS_DRIVER_MMIO, VM_ROOTFS_DRIVER_PMEM,
VM_ROOTFS_FILESYSTEM_EROFS, VM_ROOTFS_FILESYSTEM_EXT4, VM_ROOTFS_FILESYSTEM_XFS,
VM_ROOTFS_ROOT_BLK, VM_ROOTFS_ROOT_PMEM,
};
use kata_types::config::LOG_VPORT_OPTION;
use kata_types::fs::{
VM_ROOTFS_FILESYSTEM_EROFS, VM_ROOTFS_FILESYSTEM_EXT4, VM_ROOTFS_FILESYSTEM_XFS,
};
// Port where the agent will send the logs. Logs are sent through the vsock in cases
// where the hypervisor has no console.sock, i.e dragonball
@@ -179,9 +181,10 @@ mod tests {
use super::*;
use crate::{
VM_ROOTFS_DRIVER_BLK, VM_ROOTFS_DRIVER_PMEM, VM_ROOTFS_FILESYSTEM_EROFS,
VM_ROOTFS_FILESYSTEM_EXT4, VM_ROOTFS_FILESYSTEM_XFS, VM_ROOTFS_ROOT_BLK,
VM_ROOTFS_ROOT_PMEM,
VM_ROOTFS_DRIVER_BLK, VM_ROOTFS_DRIVER_PMEM, VM_ROOTFS_ROOT_BLK, VM_ROOTFS_ROOT_PMEM,
};
use kata_types::fs::{
VM_ROOTFS_FILESYSTEM_EROFS, VM_ROOTFS_FILESYSTEM_EXT4, VM_ROOTFS_FILESYSTEM_XFS,
};
#[test]

View File

@@ -47,11 +47,6 @@ const VM_ROOTFS_DRIVER_MMIO: &str = "virtio-blk-mmio";
const VM_ROOTFS_ROOT_BLK: &str = "/dev/vda1";
const VM_ROOTFS_ROOT_PMEM: &str = "/dev/pmem0p1";
// Config which filesystem to use as rootfs type
const VM_ROOTFS_FILESYSTEM_EXT4: &str = "ext4";
const VM_ROOTFS_FILESYSTEM_XFS: &str = "xfs";
const VM_ROOTFS_FILESYSTEM_EROFS: &str = "erofs";
// before using hugepages for VM, we need to mount hugetlbfs
// /dev/hugepages will be the mount point
// mkdir -p /dev/hugepages

View File

@@ -19,6 +19,7 @@ use hypervisor::{
use kata_types::config::hypervisor::{
VIRTIO_BLK_CCW, VIRTIO_BLK_MMIO, VIRTIO_BLK_PCI, VIRTIO_PMEM, VIRTIO_SCSI,
};
use kata_types::fs::VM_ROOTFS_FILESYSTEM_XFS;
use kata_types::mount::Mount;
use nix::sys::stat::{self, SFlag};
use oci_spec::runtime as oci;
@@ -67,10 +68,17 @@ impl BlockRootfs {
let mut storage = Storage {
fs_type: rootfs.fs_type.clone(),
mount_point: container_path.clone(),
options: rootfs.options.clone(),
options: vec![],
..Default::default()
};
// XFS rootfs: add 'nouuid' to avoid UUID conflicts when the same
// disk image is mounted across multiple VMs/containers.
// This allows mounting XFS volumes that share the same UUID.
if rootfs.fs_type == VM_ROOTFS_FILESYSTEM_XFS {
storage.options.push("nouuid".to_string());
}
let mut device_id: String = "".to_owned();
if let DeviceType::Block(device) = device_info {
storage.driver = device.config.driver_option;
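Review bot: replacing `options: rootfs.options.clone()` with `options: vec![]` drops every host mount option, not just the ones that do not apply inside the guest; if `rootfs.options` ever carries `ro` or similar hardening flags they are now silently lost and the guest mounts the block rootfs with defaults. Please confirm this matches the Go runtime exactly (the commit says it does) and consider filtering the list rather than discarding it, so that only guest-irrelevant options are removed and `nouuid` is added for XFS as done here.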

View File

@@ -374,10 +374,6 @@ impl VirtSandbox {
hypervisor_config: &HypervisorConfig,
init_data: Option<String>,
) -> Result<Option<ProtectionDeviceConfig>> {
if !hypervisor_config.security_info.confidential_guest {
return Ok(None);
}
let available_protection = available_guest_protection()?;
info!(
sl!(),
@@ -429,6 +425,7 @@ impl VirtSandbox {
debug: false,
})))
},
GuestProtection::NoProtection => Ok(None),
_ => Err(anyhow!("confidential_guest requested by configuration but no supported protection available"))
}
}
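Review bot: removing the early `if !hypervisor_config.security_info.confidential_guest { return Ok(None); }` means `available_guest_protection()?` now runs for every sandbox, so a failure of that probe on a non-confidential host breaks plain sandbox creation, and the `_ =>` arm's message `confidential_guest requested by configuration but no supported protection available` can now fire when `confidential_guest` was never requested. Suggest keeping the probe but gating the error on `confidential_guest`, returning `Ok(None)` otherwise, and adjusting the message accordingly.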
@@ -452,6 +449,10 @@ impl VirtSandbox {
GuestProtection::Snp(_details) => {
calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
}
GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
GuestProtection::NoProtection => {
calculate_initdata_digest(&initdata, ProtectedPlatform::NoProtection)?
}
// TODO: there's more `GuestProtection` types to be supported.
_ => return Ok(None),
};
@@ -469,7 +470,7 @@ impl VirtSandbox {
sl!(),
"initdata push data into compressed block: {:?}", &image_path
);
let block_driver = &hypervisor_config.boot_info.vm_rootfs_driver;
let block_driver = &hypervisor_config.blockdev_info.block_device_driver;
let block_config = BlockConfig {
path_on_host: image_path.display().to_string(),
is_readonly: true,

View File

@@ -273,6 +273,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
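Review bot: the new `reclaim_guest_freed_memory` comment should say that the option is ignored for confidential guests; the qemu.go change in this series only adds the balloon device when `ReclaimGuestFreedMemory && !ConfidentialGuest`, and an operator reading only this template would expect it to take effect everywhere.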

View File

@@ -290,6 +290,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -266,6 +266,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -271,6 +271,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -257,6 +257,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -290,6 +290,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -267,6 +267,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -272,6 +272,16 @@ enable_iothreads = @DEFENABLEIOTHREADS@
# Default false
#enable_mem_prealloc = true
# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.

View File

@@ -26,7 +26,7 @@ remote_hypervisor_timeout = 600
#
# Known limitations:
# * Does not work by design:
# - CPU Hotplug
# - CPU Hotplug
# - Memory Hotplug
# - NVDIMM devices
#
@@ -38,7 +38,7 @@ remote_hypervisor_timeout = 600
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
# Note: Remote hypervisor is only handling the following annotations
enable_annotations = ["machine_type", "default_memory", "default_vcpus", "image", "default_gpus", "gpu_model"]
enable_annotations = ["machine_type", "default_memory", "default_vcpus", "image", "default_gpus", "gpu_model", "cc_init_data"]
# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
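Review bot: this `enable_annotations` list (`"image"`, `"gpu_model"`) differs from the other remote template in this series (`"default_gpu_model"`, no `"image"`), so the two runtimes now expose different annotation surfaces to pod authors; if the difference is intentional please note it in a comment, otherwise align the lists so that `cc_init_data` lands in both with the same neighbours.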
@@ -231,7 +231,7 @@ disable_guest_seccomp=true
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# (default: false)
# Note: The remote hypervisor has a different networking model, which requires true
# Note: The remote hypervisor has a different networking model, which requires true
disable_new_netns = true
# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
@@ -291,9 +291,9 @@ experimental=@DEFAULTEXPFEATURES@
# Indicates the CreateContainer request timeout needed for the workload(s)
# It using guest_pull this includes the time to pull the image inside the guest
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
# Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
# Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
# In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
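Review bot: the unchanged context line `# It using guest_pull this includes the time to pull the image inside the guest` reads `It` for `If`; since this hunk already reflows the surrounding comment, fixing the typo here would be cheap. The `second(s)` unit stated here is what the new runtime-rs `deserialize_secs_to_millis` converter relies on, so keep the two in sync.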

View File

@@ -1,7 +1,7 @@
module github.com/kata-containers/kata-containers/src/runtime
// Keep in sync with version in versions.yaml
go 1.23.12
go 1.24.6
// WARNING: Do NOT use `replace` directives as those break dependabot:
// https://github.com/kata-containers/kata-containers/issues/11020

View File

@@ -31,9 +31,9 @@ func toGRPC(err error) error {
err = errors.Cause(err)
switch {
case isInvalidArgument(err):
return status.Errorf(codes.InvalidArgument, err.Error())
return status.Error(codes.InvalidArgument, err.Error())
case isNotFound(err):
return status.Errorf(codes.NotFound, err.Error())
return status.Error(codes.NotFound, err.Error())
}
return err

View File

@@ -439,6 +439,14 @@ type RNGDev struct {
Filename string
}
// BalloonDev represents a balloon device
type BalloonDev struct {
ID string
DeflateOnOOM bool
DisableModern bool
FreePageReporting bool
}
// VhostUserDeviceAttrs represents data shared by most vhost-user devices
type VhostUserDeviceAttrs struct {
DevID string

View File

@@ -2409,9 +2409,10 @@ func (v RngDevice) deviceName(config *Config) string {
// BalloonDevice represents a memory balloon device.
// nolint: govet
type BalloonDevice struct {
DeflateOnOOM bool
DisableModern bool
ID string
DeflateOnOOM bool
DisableModern bool
FreePageReporting bool
ID string
// ROMFile specifies the ROM file being used for this device.
ROMFile string
@@ -2458,6 +2459,11 @@ func (b BalloonDevice) QemuParams(config *Config) []string {
if s := b.Transport.disableModern(config, b.DisableModern); s != "" {
deviceParams = append(deviceParams, s)
}
if b.FreePageReporting {
deviceParams = append(deviceParams, "free-page-reporting=on")
} else {
deviceParams = append(deviceParams, "free-page-reporting=off")
}
qemuParams = append(qemuParams, "-device")
qemuParams = append(qemuParams, strings.Join(deviceParams, ","))
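Review bot: `free-page-reporting=off` is now appended unconditionally, so every existing balloon device user gets a new property on the QEMU command line, and a QEMU build that predates the `free-page-reporting` property will reject the device even when nobody asked for it; consider appending the property only when `b.FreePageReporting` is true, as the other optional properties in this file do, and update the tests accordingly.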

View File

@@ -80,14 +80,19 @@ func TestAppendVirtioBalloon(t *testing.T) {
var OnDisableModern = ",disable-modern=true"
var OffDisableModern = ",disable-modern=false"
testAppend(balloonDevice, deviceString+OffDeflateOnOMM+OffDisableModern, t)
var OnFreePageReporting = ",free-page-reporting=on"
var OffFreePageReporting = ",free-page-reporting=off"
testAppend(balloonDevice, deviceString+OffDeflateOnOMM+OffDisableModern+OffFreePageReporting, t)
balloonDevice.DeflateOnOOM = true
testAppend(balloonDevice, deviceString+OnDeflateOnOMM+OffDisableModern, t)
testAppend(balloonDevice, deviceString+OnDeflateOnOMM+OffDisableModern+OffFreePageReporting, t)
balloonDevice.DisableModern = true
testAppend(balloonDevice, deviceString+OnDeflateOnOMM+OnDisableModern, t)
testAppend(balloonDevice, deviceString+OnDeflateOnOMM+OnDisableModern+OffFreePageReporting, t)
balloonDevice.FreePageReporting = true
testAppend(balloonDevice, deviceString+OnDeflateOnOMM+OnDisableModern+OnFreePageReporting, t)
}
func TestAppendPCIBridgeDevice(t *testing.T) {

View File

@@ -35,10 +35,17 @@ func TestAppendVirtioBalloon(t *testing.T) {
var OnDeflateOnOMM = ",deflate-on-oom=on"
var OffDeflateOnOMM = ",deflate-on-oom=off"
testAppend(balloonDevice, deviceString+devnoOptios+OffDeflateOnOMM, t)
var OnFreePageReporting = ",free-page-reporting=on"
var OffFreePageReporting = ",free-page-reporting=off"
testAppend(balloonDevice, deviceString+devnoOptios+OffDeflateOnOMM+OffFreePageReporting, t)
balloonDevice.DeflateOnOOM = true
testAppend(balloonDevice, deviceString+devnoOptios+OnDeflateOnOMM, t)
testAppend(balloonDevice, deviceString+devnoOptios+OnDeflateOnOMM+OffFreePageReporting, t)
balloonDevice.FreePageReporting = true
testAppend(balloonDevice, deviceString+devnoOptios+OnDeflateOnOMM+OnFreePageReporting, t)
}
func TestAppendDeviceFSCCW(t *testing.T) {

View File

@@ -952,6 +952,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
VirtioFSQueueSize: h.VirtioFSQueueSize,
VirtioFSExtraArgs: h.VirtioFSExtraArgs,
MemPrealloc: h.MemPrealloc,
ReclaimGuestFreedMemory: h.ReclaimGuestFreedMemory,
HugePages: h.HugePages,
IOMMU: h.IOMMU,
IOMMUPlatform: h.getIOMMUPlatform(),

View File

@@ -31,7 +31,7 @@ const (
)
func RenameCgroupPath(path string) (string, error) {
if path == "" {
if path == "" || path == "." {
path = DefaultResourceControllerID
}

View File

@@ -139,6 +139,7 @@ const (
scsiControllerID = "scsi0"
rngID = "rng0"
fallbackFileBackedMemDir = "/dev/shm"
balloonID = "balloon0"
qemuStopSandboxTimeoutSecs = 15
@@ -632,6 +633,9 @@ func (q *qemu) prepareInitdataMount(config *HypervisorConfig) error {
}
// CreateVM is the Hypervisor VM creation implementation for govmmQemu.
// This function is complex and there's not much to be done about it, unfortunately.
//
//nolint:gocyclo
func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervisorConfig *HypervisorConfig) error {
// Save the tracing context
q.ctx = ctx
@@ -801,6 +805,20 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
}
}
if q.config.ReclaimGuestFreedMemory && !q.config.ConfidentialGuest {
balloonDev := config.BalloonDev{
ID: balloonID,
DeflateOnOOM: true,
DisableModern: false,
FreePageReporting: true,
}
qemuConfig.Devices, err = q.arch.appendBalloonDevice(ctx, qemuConfig.Devices, balloonDev)
if err != nil {
return err
}
}
if machine.Type == QemuQ35 || machine.Type == QemuVirt {
if err := q.createPCIeTopology(&qemuConfig, hypervisorConfig, machine.Type, network); err != nil {
q.Logger().WithError(err).Errorf("Cannot create PCIe topology")
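Review bot: when `ReclaimGuestFreedMemory` is set together with `ConfidentialGuest` the option is dropped silently; log a warning at that point so operators can see why no balloon device appears. The hard-coded `DeflateOnOOM: true` also deserves a comment, since it lets the guest shrink the balloon under memory pressure and that is a deliberate policy choice rather than a default.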

View File

@@ -116,6 +116,9 @@ type qemuArch interface {
// appendRNGDevice appends a RNG device to devices
appendRNGDevice(ctx context.Context, devices []govmmQemu.Device, rngDevice config.RNGDev) ([]govmmQemu.Device, error)
// appendBalloonDevice appends a Balloon device to devices
appendBalloonDevice(ctx context.Context, devices []govmmQemu.Device, BalloonDevice config.BalloonDev) ([]govmmQemu.Device, error)
// setEndpointDevicePath sets the appropriate PCI or CCW device path for an endpoint
setEndpointDevicePath(endpoint Endpoint, bridgeAddr int, devAddr string) error
@@ -738,6 +741,19 @@ func (q *qemuArchBase) appendRNGDevice(_ context.Context, devices []govmmQemu.De
return devices, nil
}
func (q *qemuArchBase) appendBalloonDevice(_ context.Context, devices []govmmQemu.Device, balloonDev config.BalloonDev) ([]govmmQemu.Device, error) {
devices = append(devices,
govmmQemu.BalloonDevice{
ID: balloonDev.ID,
DeflateOnOOM: balloonDev.DeflateOnOOM,
DisableModern: balloonDev.DisableModern,
FreePageReporting: balloonDev.FreePageReporting,
},
)
return devices, nil
}
func (q *qemuArchBase) setEndpointDevicePath(endpoint Endpoint, bridgeAddr int, devAddr string) error {
bridgeSlot, err := types.PciSlotFromInt(bridgeAddr)
if err != nil {

View File

@@ -178,7 +178,7 @@ func notImplemented(name string) error {
err := errors.Errorf("%s: not implemented", name)
hvLogger.Errorf(err.Error())
hvLogger.Error(err.Error())
if tracer, ok := err.(interface{ StackTrace() errors.StackTrace }); ok {
for _, f := range tracer.StackTrace() {

View File

@@ -2546,10 +2546,8 @@ func (s *Sandbox) resourceControllerDelete() error {
}
resCtrlParent := sandboxController.Parent()
if resCtrlParent != "." {
if err := sandboxController.MoveTo(resCtrlParent); err != nil {
return err
}
if err := sandboxController.MoveTo(resCtrlParent); err != nil {
return err
}
if err := sandboxController.Delete(); err != nil {
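Review bot: with the `resCtrlParent != "."` guard removed, `MoveTo` now runs unconditionally, which is only safe if `sandboxController.Parent()` can no longer return `"."`; the only normalization added in this series is in `RenameCgroupPath` (`path == "" || path == "."` mapped to `DefaultResourceControllerID`), so please confirm `Parent()` goes through that function, and add a unit test that a controller created under `"."` reports the default parent.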

View File

@@ -1,7 +1,7 @@
module kata-containers/csi-kata-directvolume
// Keep in sync with version in versions.yaml
go 1.23.12
go 1.24.6
// WARNING: Do NOT use `replace` directives as those break dependabot:
// https://github.com/kata-containers/kata-containers/issues/11020

View File

@@ -96,14 +96,14 @@ func (mounter *SafeMountFormater) SafeFormatWithFstype(source string, fstype str
if output, err := doSafeCommand(mkfsCmd, args...); err != nil {
detailedErr := fmt.Sprintf("format disk %q failed: type:(%q) errcode:(%v) output:(%v) ", source, fstype, err, string(output))
klog.Error(detailedErr)
return mountutils.NewMountError(mountutils.FormatFailed, detailedErr)
return mountutils.NewMountError(mountutils.FormatFailed, "%s", detailedErr)
}
klog.Infof("Disk successfully formatted (mkfs): %s - %s", fstype, source)
} else {
if fstype != existingFormat {
// Do verify the disk formatted with expected fs type.
return mountutils.NewMountError(mountutils.FilesystemMismatch, err.Error())
return mountutils.NewMountError(mountutils.FilesystemMismatch, "%s", err.Error())
}
if !readOnly {

View File

@@ -202,7 +202,7 @@ func CreateDirectBlockDevice(volID, capacityInBytesStr, storagePath string) (*st
// create raw disk
if _, err = diskfs.Create(devicePath, capacityInBytes, diskfs.Raw, diskfs.SectorSizeDefault); err != nil {
errMsg := fmt.Errorf("diskfs create disk failed: %v", err)
klog.Errorf(errMsg.Error())
klog.Error(errMsg.Error())
return nil, errMsg
}

View File

@@ -430,13 +430,13 @@ EOF
function install_kata_core() {
declare -r katadir="$1"
declare -r destdir="/"
declare -r kata_tarball="kata-static.tar.xz"
declare -r kata_tarball="kata-static.tar.zst"
# Removing previous kata installation
sudo rm -rf "${katadir}"
pushd "${kata_tarball_dir}"
sudo tar -xvf "${kata_tarball}" -C "${destdir}"
sudo tar --zstd -xvf "${kata_tarball}" -C "${destdir}"
popd
}
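Review bot: `install_kata_core` extracts `kata-static.tar.zst` as root straight into `/` with `sudo tar --zstd -xvf` and no integrity check; since the tarball is fetched from a CI artifact, verifying a checksum (or signature) published with the build before the extraction step would stop a tampered artifact from overwriting host binaries.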
@@ -818,7 +818,7 @@ function arch_to_golang() {
local arch="$(uname -m)"
case "${arch}" in
aarch64) echo "arm64";;
aarch64|arm64) echo "arm64";;
ppc64le) echo "${arch}";;
riscv64) echo "${arch}";;
x86_64) echo "amd64";;

View File

@@ -9,6 +9,8 @@ set -o errexit
set -o nounset
set -o pipefail
[[ -n "${DEBUG:-}" ]] && set -x
tmp_dir=$(mktemp -d -t install-go-tmp.XXXXXXXXXX)
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
script_name="$(basename "${BASH_SOURCE[0]}")"
@@ -90,9 +92,9 @@ fi
goarch=$(arch_to_golang)
info "Download go version ${go_version}"
kernel_name=$(uname -s)
curl -OL "https://storage.googleapis.com/golang/go${go_version}.${kernel_name,,}-${goarch}.tar.gz"
kernel_name=$(uname -s | tr '[:upper:]' '[:lower:]')
curl -OL "https://storage.googleapis.com/golang/go${go_version}.${kernel_name}-${goarch}.tar.gz"
info "Install go"
mkdir -p "${install_dest}"
sudo tar -C "${install_dest}" -xzf "go${go_version}.${kernel_name,,}-${goarch}.tar.gz"
sudo tar -C "${install_dest}" -xzf "go${go_version}.${kernel_name}-${goarch}.tar.gz"
popd
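Review bot: the Go toolchain is still downloaded from `storage.googleapis.com` with `curl -OL` and extracted with `sudo tar -C "${install_dest}"` without verifying it; Go publishes a SHA-256 for every release archive, so please check it before the `tar` step, which also makes the new lower-cased `${kernel_name}` URL easier to validate.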

View File

@@ -54,7 +54,7 @@ function setup_kbs_image_policy_for_initdata() {
esac
case "$KATA_HYPERVISOR" in
"qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se")
"qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se"|"qemu-se-runtime-rs")
;;
*)
skip "Test not supported for ${KATA_HYPERVISOR}."

@@ -58,6 +58,13 @@ create_inference_embedqa_pods() {
echo "# POD_IP_EMBEDQA=${POD_IP_EMBEDQA}" >&3
}
enable_nvrc_trace() {
if [[ ${RUNTIME_CLASS_NAME} == "kata-qemu-nvidia-gpu" ]]; then
config_file="/opt/kata/share/defaults/kata-containers/configuration-qemu-nvidia-gpu.toml"
fi
sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 nvrc.log=trace"/g' "${config_file}"
}
setup_file() {
dpkg -s jq >/dev/null 2>&1 || sudo apt -y install jq
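Review bot: in `enable_nvrc_trace`, `config_file` is only assigned when `RUNTIME_CLASS_NAME` is `kata-qemu-nvidia-gpu`, yet the `sudo sed -i` runs unconditionally, so for any other runtime class it operates on an empty (or stale) filename; move the `sed` inside the `if`, or `return 0` otherwise. The substitution is also not idempotent: every `setup_file` run appends another ` nvrc.log=trace` to `kernel_params`, so guard it with a `grep -q 'nvrc.log=trace' "${config_file}"` check. Since it edits a system-wide configuration in place, take a backup (`sed -i.bak`) so the original can be restored in `teardown_file`.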
@@ -82,6 +89,8 @@ setup_file() {
export POD_INSTRUCT_YAML="${pod_instruct_yaml}"
export POD_EMBEDQA_YAML="${pod_embedqa_yaml}"
enable_nvrc_trace
setup_langchain_flow
create_inference_embedqa_pods
}
@@ -324,4 +333,5 @@ EOF
teardown_file() {
kubectl delete -f "${POD_INSTRUCT_YAML}"
kubectl delete -f "${POD_EMBEDQA_YAML}"
}
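Review bot: the `kernel_params` edit that `enable_nvrc_trace` makes during `setup_file` is not reverted here, and the only change to `teardown_file` is a trailing blank line; restore the original `config_file` (for example from a backup taken before the `sed -i`) at this point, otherwise the trace setting stays on the node for every later sandbox using that runtime class.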

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/alpine:3.15
FROM ${IMAGE_REGISTRY}/alpine:3.22
RUN apk update && apk add --no-cache \
apk-tools-static \
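Review bot: moving from `alpine:3.15`, which is end-of-life and no longer receives security updates, to `alpine:3.22` is welcome; for a reproducible build image consider pinning the tag by digest (`alpine:3.22@sha256:<digest placeholder>`), since a moving tag can change the package set that `apk update` resolves on the next line.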
@@ -26,6 +26,7 @@ RUN apk update && apk add --no-cache \
musl-dev \
protoc \
tar \
xz
xz \
zstd
# aarch64 requires this name -- link for all
RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc"

@@ -11,6 +11,7 @@ RUN tdnf -y install \
dnf \
git \
tar \
xz
xz \
zstd
@INSTALL_RUST@

@@ -33,7 +33,8 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
tar \
vim \
wget \
xz-utils
xz-utils \
zstd
# aarch64 requires this name -- link for all
RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"

@@ -123,7 +123,7 @@ setup_nvidia_gpu_rootfs_stage_one() {
# We need the kernel packages for building the drivers cleanly will be
# deinstalled and removed from the roofs once the build finishes.
tar -xvf "${BUILD_DIR}"/kata-static-kernel-nvidia-gpu"${appendix}"-headers.tar.xz -C .
tar --zstd -xvf "${BUILD_DIR}"/kata-static-kernel-nvidia-gpu"${appendix}"-headers.tar.zst -C .
# If we find a local downloaded run file build the kernel modules
# with it, otherwise use the distribution packages. Run files may have
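Review bot: while touching the `tar --zstd -xvf` line, the comment just above it reads "for building the drivers cleanly will be deinstalled and removed from the roofs" ("roofs" for "rootfs", and a missing clause before "will be"); it is worth fixing in the same change so the next reader understands why the headers are unpacked here.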
@@ -237,7 +237,7 @@ chisseled_gpudirect() {
chisseled_init() {
echo "nvidia: chisseling init"
tar xvf "${BUILD_DIR}"/kata-static-busybox.tar.xz -C .
tar --zstd -xvf "${BUILD_DIR}"/kata-static-busybox.tar.zst -C .
mkdir -p dev etc proc run/cdi sys tmp usr var lib/modules lib/firmware \
usr/share/nvidia lib/"${machine_arch}"-linux-gnu lib64 \

@@ -190,7 +190,7 @@ AGENT_SOURCE_BIN Path to the directory of agent binary.
AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether.
Default value: <not set>
AGENT_TARBALL Path to the kata-agent.tar.xz tarball to be unpacked inside the
AGENT_TARBALL Path to the kata-agent.tar.zst tarball to be unpacked inside the
rootfs.
If set, this will take the priority and will be used instead of
building the agent.
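Review bot: the `AGENT_TARBALL` help text is updated to `kata-agent.tar.zst`, but the context line above still reads "toghether" (together); fix the typo while the help text is being edited.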
@@ -205,7 +205,7 @@ ARCH Target architecture (according to \`uname -m\`).
and glibc agents.
Default value: $(uname -m)
COCO_GUEST_COMPONENTS_TARBALL Path to the kata-coco-guest-components.tar.xz tarball to be unpacked inside the
COCO_GUEST_COMPONENTS_TARBALL Path to the kata-coco-guest-components.tar.zst tarball to be unpacked inside the
rootfs.
If set, the tarball will be unpacked onto the rootfs.
Default value: <not set>
@@ -234,7 +234,7 @@ KERNEL_MODULES_DIR Path to a directory containing kernel modules to include in
LIBC libc the agent is built against (gnu or musl).
Default value: ${LIBC} (varies with architecture)
PAUSE_IMAGE_TARBALL Path to the kata-static-pause-image.tar.xz tarball to be unpacked inside the
PAUSE_IMAGE_TARBALL Path to the kata-static-pause-image.tar.zst tarball to be unpacked inside the
rootfs.
If set, the tarball will be unpacked onto the rootfs.
Default value: <not set>
@@ -756,7 +756,7 @@ EOF
cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}
OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}"
else
tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR}
tar --zstd -xvf ${AGENT_TARBALL} -C ${ROOTFS_DIR}
fi
${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent
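Review bot: replacing `tar xvJpf ${AGENT_TARBALL}` with `tar --zstd -xvf ${AGENT_TARBALL}` drops the `p` (`--preserve-permissions`) flag. GNU tar preserves the recorded modes by default only when running as root; if `rootfs.sh` is ever run unprivileged, `${ROOTFS_DIR}/usr/bin/kata-agent` and the rest of the tarball are extracted with the caller's umask applied instead of the modes stored in the archive. Keep the flag (`tar --zstd -xvpf`) so the result does not depend on who runs the script; the same applies to the guest hooks, pause image and guest components extractions further down.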
@@ -803,7 +803,7 @@ EOF
if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
info "Install the ${GUEST_HOOKS_TARBALL} guest hooks"
tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
tar --zstd -xvf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
fi
info "Check init is installed"
@@ -812,12 +812,12 @@ EOF
if [ -n "${PAUSE_IMAGE_TARBALL}" ] ; then
info "Installing the pause image tarball"
tar xvJpf ${PAUSE_IMAGE_TARBALL} -C ${ROOTFS_DIR}
tar --zstd -xvf ${PAUSE_IMAGE_TARBALL} -C ${ROOTFS_DIR}
fi
if [ -n "${COCO_GUEST_COMPONENTS_TARBALL}" ] ; then
info "Installing the Confidential Containers guest components tarball"
tar xvJpf ${COCO_GUEST_COMPONENTS_TARBALL} -C ${ROOTFS_DIR}
tar --zstd -xvf ${COCO_GUEST_COMPONENTS_TARBALL} -C ${ROOTFS_DIR}
fi
# Create an empty /etc/resolv.conf, to allow agent to bind mount container resolv.conf to Kata VM
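Review bot: `${PAUSE_IMAGE_TARBALL}`, `${COCO_GUEST_COMPONENTS_TARBALL}` and `${ROOTFS_DIR}` are unquoted on the new `tar --zstd -xvf` lines, whereas the guest hooks hunk above quotes them; a path containing whitespace splits into several arguments here. Quote them consistently, and note that the `-p` flag from the old `tar xvJpf` form was dropped on these lines as well.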

Some files were not shown because too many files have changed in this diff.