Compare commits

...

272 Commits

Author SHA1 Message Date
Dan Mihai
1901c9b841 DO NOT MERGE: CI test
Test of the ci-devel pipeline
2025-12-19 09:56:15 +00:00
Alex Lyn
b85084f046 Merge pull request #12266 from BbolroC/fix-selective-skip-for-empty-dir-test
tests: remove re-declared local variable in k8s-empty-dirs.bats
2025-12-19 17:30:07 +08:00
Hyounggyu Choi
3fa1d93f85 tests: remove re-declared local variable in k8s-empty-dirs.bats
Since #12204 was merged, the following error has been observed:

```
bats warning: Executed 1 instead of expected 2 tests
[run_kubernetes_tests.sh:162] ERROR: Tests FAILED from suites: k8s-empty-dirs.bats
```

The cause is that `pod_logs_file` is re-declared as a local variable
in the second test before skipping, which makes it inaccessible
in `teardown()` and leads to an error.

This commit removes the re-declaration of the variable.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-18 18:57:16 +01:00
Fabiano Fidêncio
51e9b7e9d1 nydus-snapshotter: Bump to v0.15.10
As it brings a fix that most likely can work around the containerd /
nydus-snapshotter database desynchronization.

Reference: https://github.com/containerd/nydus-snapshotter/pull/700

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 18:41:09 +01:00
Fabiano Fidêncio
03297edd3a kata-deploy: rust: Add list verb for runtimeclasses RBAC
The Rust kata-deploy binary calls list_runtimeclasses() during NFD
setup, but the ClusterRole only granted get and patch permissions.

Add the list verb to the runtimeclasses resource permissions to fix
the RBAC error:
  runtimeclasses.node.k8s.io is forbidden: User
  \"system:serviceaccount:kube-system:kata-deploy-sa\" cannot list
  resource \"runtimeclasses\" in API group \"node.k8s.io\" at the
  cluster scope

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 18:31:52 +01:00
Manuel Huber
78c41b61f4 tests: nvidia: Update images, probes and timeouts
Changes in NIM/RAG samples:
- update image references
- update memory requirements, timeouts, model name
- sanitize some of the probes and print-out

Further refinements can be made in the future.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-18 10:57:14 +01:00
Manuel Huber
0373428de4 tests: nvidia: Use secret for NGC API key
This is a slight change in the manifest to at least use a secret
for the environment variable.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-18 10:57:14 +01:00
Hyounggyu Choi
56ec8d7788 Merge pull request #12204 from kata-containers/runtime-rs-stability-debug
CI: Upgrade log details for improved error analysis
2025-12-18 10:54:54 +01:00
Alex Lyn
c7dfdf71f5 Merge pull request #11935 from burgerdev/fsgroup
genpolicy: support fsGroup setting in pod security context
2025-12-18 16:47:48 +08:00
Xuewei Niu
a65c2b06b8 Merge pull request #12169 from zhangls-0524/new-fix-issue-11996
runtime-rs: Block Device Rootfs Mount Options Lost During Storage Object Creation
2025-12-18 10:09:38 +08:00
Fabiano Fidêncio
0e534fa7fe versions: Update virtiofsd to v1.13.3
Update virtiofsd to its latest release.

Here we also need to update the alpine version used by the builder, as we
need a version of musl-dev new enough to have wrappers for preadv2 and
pwritev2. Since we are bumping anyway, bump to the latest.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
1d2e19b07c versions: Update pause image to 3.10.1
Update pause image to its latest release.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
6211c10904 versions: Update libseccomp to 2.6.0
Update libseccomp to its latest release.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
0e0a92533c versions: update lvm2 to v2_03_38
Update lvm2 to its latest release.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
142c7d6522 versions: Update gperf to 3.3
Update gperf to its latest release.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
e757485853 versions: Update cryptsetup to v2.8.1
Update cryptsetup to its latest release

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Fabiano Fidêncio
35cd5fb1d4 versions: Update helm to v4.0.4
Update helm to its latest release

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-18 00:51:08 +01:00
Tobin Feldman-Fitzthum
decc09e975 tests: cc: add test with SNP reference values
Add two attestation tests. The first one sets a resource policy that
requires CPU0 to have an affirming trust level. This is a negative test
which can run on any platform. Setting this policy without setting any
reference values should result in an attestation failure.

Next, a second test will set the same policy, but this time it will use
the journal log to find the QEMU command line from the previous test and
calculate the expected reference values. Currently this is only
supported on SNP using the sev-snp-measure tool, but the same flow
should work on other platforms.

Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
2025-12-18 00:12:11 +01:00
Ruoqing He
8b0d650081 dragonball: Use unique name for vhost path
The five tests are set to the same vhost socket path, which could lead
to them racing with one another. Use unique names to avoid this.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-17 22:25:55 +01:00
Fabiano Fidêncio
320f1ce2a3 versions: Bump experimental {tdx,snp} QEMU
Let's bump the experimental {tdx,snp} QEMU to the tags created today in the
Confidential Containers repo, which match QEMU 10.2.0-rc3.

This bump is mostly for early testing of what will become 10.2.0, which
will then be bumped everywhere.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 17:42:04 +01:00
Alex Lyn
3696d9143a tests: Correct the teardown_common in cpu-ns.bats
This addresses the following issue:
"# bats warning: Executed 0 instead of expected 1 tests"

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
a28f24ef8c tests: move the get_pod_config_dir into setup_common
As each test case needs the get_pod_config_dir preparation,
a better approach is to move it directly into the setup_common method.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
5778b0a001 tests: Introduce measure_node_time to get test case end time
To measure the journal duration, we need to clearly print the journal
start time and end time for each case, which helps ensure the journal
log covers the specified period for that case.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
648f0913ca tests: Load lib.rs in bats to ensure related functions are available
lib.rs should be loaded first, before the related functions are called.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
0929c84480 runtime-rs: Reduce output log and increase log level
For failure cases in CI, we need to dump the Kata log to help
diagnose issues, but currently the large volume of log messages means
we can only see a partial log.

Remove the initdata log output and raise the log level to reduce
the amount of log output.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
bbec15d695 tests: delete policy_settings_dir only for first test case
Currently policy_settings_dir is created only when
BATS_TEST_NUMBER == "1",
but delete_tmp_policy_settings_dir "${policy_settings_dir}" is
called in teardown() for every test. This means that for tests
after the first one teardown() may attempt to delete a directory
that was already removed by a previous test, or rely on a value
that does not belong to the current test execution.

Adjust teardown logic so that policy_settings_dir is only deleted
for the first test case (BATS_TEST_NUMBER == "1") and ignored for
subsequent tests. This keeps the original optimization of running
genpolicy only once, while avoiding unnecessary or confusing cleanup
attempts in later test cases.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
24e68b246f tests: Add missing bin env at the head of bats
Add the missing `#!/usr/bin/env bats` shebang at the head of the bats files.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
93ba6a8e76 tests: Make pod_name a global variable
The previous pod_name was declared as local, which cannot be captured
within the teardown() function, causing failures.
This commit simply removes the `local pod_name` declaration to make it
a global variable.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Alex Lyn
89dce4eff6 tests: Enhance debug log output
Introduce setup_common in setup() and teardown_common in teardown()
to collect enough logs to help with debugging.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-17 16:14:10 +00:00
Fabiano Fidêncio
88cdfab604 runtime: nvidia: Align static_sandbox_resource_mgmt
Let's ensure we have those aligned for both the CC and non-CC use-cases.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 17:04:51 +01:00
Fabiano Fidêncio
995770dbeb runtime: nvidia: Use cold-plug by default
Now that we have the way to do cold-plug, let's ensure we also use it
for the non-CC use case.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 17:04:51 +01:00
Hyounggyu Choi
7f72acc266 Merge pull request #12180 from BbolroC/enable-vfio-ap-passthrough-runtime-rs
runtime-rs: Enable VFIO-AP passthrough (hotplug only) on s390x
2025-12-17 15:50:10 +01:00
Hyounggyu Choi
f1b4327dba Merge pull request #12247 from fidencio/topic/ci-store-the-tarballs-we-rely-on-on-gchr-follow-up
build: Fix GPG key for gperf & Pass PUSH_TO_REGISTRY and GH_TOKEN to Docker builds
2025-12-17 13:53:58 +01:00
Fabiano Fidêncio
5415cf4e0f workflows: payload: Remove unneeded stuff from the runner
Otherwise we may hit a `no space left on device` error when building the rust
kata-deploy binary.

This happens mostly because of the multi-stage build used to generate a
distroless final container.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
98c5276546 helm: runtimeclasses: Match the kata-deploy rust deployment
There we ensure labels are added to better deal with ownership of the
runtimeclasses. It's not strictly needed here, as helm takes care of
the ownership, but it also doesn't hurt to follow what seems to be a common
practice.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
6130d7330f ci: Run a nightly job using the kata-deploy rust
Let's shamelessly duplicate the nightly job so we have at least nightly
runs using the rust implementation of kata-deploy.

The reason for doing that is to be as pragmatic as possible and avoid
switching away from the scripts before the 3.24.0 release, while still
testing both ways until the switch happens.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
fbc29f3f5e kata-deploy: helm: Adapt to the rust binary
Unlike the scripts, which are called via `bash -c ...`, the kata-deploy
rust binary must be invoked directly, as we do not even have a shell in
its container.

For now, the image used for the rust version has the "-rust" suffix,
which will help us keep both variants in use / under test for a little
while.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
9d88c6b1d7 kata-deploy: Oxidize the script
The kata-deploy shell script is not THAT bad and, to be honest, it's quite
handy for quick hacks and quick changes. However, it's been increasingly
harder to maintain as its scope has grown from a testing tool into the
project's proper front door, it lacks unit tests, and it relies on an
abundance of complex regular expressions and bashisms to properly parse
the environment variables it consumes.

Moreover, the fact that it is a Frankenstein's monster glued together from
python packages, golang binaries, and a distro-dependent container makes it
VERY HARD to use from a distroless container (and thus avoid security
issues), preventing further integration with components that require a
higher standard of security than we've been requiring.

With everything said, and with the help of Cursor (mostly for generating
the test cases), here comes the oxidized version of the script, which runs
from a distroless container image.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-17 09:57:02 +01:00
Fabiano Fidêncio
c9cd79655d build: Pass PUSH_TO_REGISTRY and GH_TOKEN to Docker builds
The ORAS cache helper needs PUSH_TO_REGISTRY to be set to 'yes' to
push new artifacts to the cache. However, this environment variable
was not being passed to the Docker container during agent, tools, and
busybox builds.

Moreover, for ghcr.io authentication, add support for using GH_TOKEN and
GITHUB_ACTOR as fallbacks when explicit credentials
(ARTEFACT_REGISTRY_USERNAME/PASSWORD) are not provided.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 21:58:16 +01:00
Fabiano Fidêncio
b11cea3113 build: Fix GPG key for gperf
The GPG key used for gperf was incorrectly set to the busybox
maintainer's key (Denis Vlasenko) instead of the gperf maintainer's
key (Marcel Schaible).

Wrong key (busybox): C9E9416F76E610DBD09D040F47B70C55ACC9965B
                     Denis Vlasenko <vda.linux@googlemail.com>

Correct key (gperf): EDEB87A500CC0A211677FBFD93C08C88471097CD
                     Marcel Schaible <marcel.schaible@studium.fernuni-hagen.de>

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 21:58:16 +01:00
Fabiano Fidêncio
6e01ee6d47 helm: Provide kata-remote runtime class
kata-remote is a runtime class that cloud-api-adaptor relies on to work.

kata-remote by itself does nothing, and that's the reason it's disabled
by default. We're only adding it here so cloud-api-adaptor charts can
simply do something like `--set shims.remote.enabled=true`.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 21:57:49 +01:00
Fabiano Fidêncio
0a0fcbae4a gatekeeper: Adjust to kata-tools
A few jobs have been renamed as part of the kata-tools split.
Let's add them all here.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 18:22:40 +01:00
Fabiano Fidêncio
fb326b53df agent: Ensure MS_REMOUNT is respected
When updating ephemeral storages, MS_REMOUNT is explicitly passed because,
for instance, `/dev/shm` should be remounted after memory is hotplugged.

Until now Kata Containers has been explicitly ignoring such updates,
leading to the containers' `/dev/shm` keeping the size of "half of the
memory allocated at startup time", which goes against the expected
behaviour.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-12-16 15:11:34 +01:00
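A minimal sketch of the behaviour described above, assuming the nix crate is used for the mount call (this is an illustration, not the agent's actual code): when a storage update carries MS_REMOUNT, perform the remount so the new tmpfs size takes effect instead of silently dropping the request.

```
// Illustrative sketch only, not the Kata agent's implementation.
use nix::mount::{mount, MsFlags};

/// Remount an ephemeral storage (e.g. /dev/shm) so a new size limit takes effect.
/// `data` carries tmpfs options such as "size=2048M" (hypothetical value).
fn remount_ephemeral(target: &str, data: &str) -> nix::Result<()> {
    mount(
        None::<&str>,        // no source is needed for a remount
        target,              // e.g. "/dev/shm" inside the container
        None::<&str>,        // keep the existing filesystem type
        MsFlags::MS_REMOUNT, // honour the flag instead of ignoring the update
        Some(data),
    )
}
```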
Fabiano Fidêncio
830d15d4c8 tests: Adapt to using kata-tools
Instead of relying on the fully bloated kata tarball.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 12:55:07 +01:00
Fabiano Fidêncio
a2534e7bc8 kata-tools: Release as its own tarball
We're only releasing those for amd64 as that's the only architecture
we've been building the packages for.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 12:55:07 +01:00
Fabiano Fidêncio
6d2f393be4 build: Split tools build from the other artefacts build
Let's ensure we can create a specific "tools" tarball, which will help
those who only need to pull those either for testing or production
usage.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-16 12:55:07 +01:00
Ruoqing He
6d2c66c7eb runtime-rs: Refactor feature propagation
After the runtime-rs workspace was merged into the root workspace, the
features passed when building runtime-rs need to be refactored so they are
correctly propagated. Taking dragonball as an example, runtime-rs requires
runtimes to depend on the virt_containers feature, and virt_containers
needs to handle hypervisor features specifically.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
1872af7c5a ci: Install cmake before building runtime-rs
cmake is required for libz-sys to compile (which is required by nydus).

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
9551f97e87 runtime-rs: Change TARGET_PATH to root workspace
After the workspace integration of runtime-rs, the output of runtime-rs is
now under the repo root instead of src/runtime-rs. Change TARGET_PATH
accordingly to tell the Makefile where to look up the output.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
c7c02ac513 dragonball: Skip tests needing KVM under non-root
Some cases in the dragonball crates require interaction with the KVM module
to complete, which requires root privileges. Skip those tests when running
as a non-root user.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
889c3b6012 dragonball: Fix incorrect use statement on aarch64
gic::create_gic is actually gated behind the dbs_arch crate, instead of
arch::aarch64.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
1c1f3a2416 dragonball: Allow missing_docs for dummy MMIODeviceInfo
MMIODeviceInfo inside the test module of dbs_boot on aarch64 is used for
testing purpose, but `pub` attribute requires it to have documentation.
Since this is used only for testing purpose, let's allow missing_docs
for it.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
6d0cb18c07 dragonball: Add missing test module attribute
Test set of dbs_utils's tap module is missing test attribute, which
makes dev-dependencies unusable. Marking tests of tap as test module.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
15fe7ecda1 runtime-rs: Remove lockfile
Remove Cargo.lock since runtime-rs now shares the workspace-wide lockfile.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
beb0cac0d1 build: Move runtime-rs to root workspace
This is a follow-up of 3fbe693.

Remove runtime-rs from the exclude list and make it a member of the root
workspace.

Specify shim and shim-ctl as the binaries of the runtime-rs package, and
move runtime-rs and all its members into the root workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
Ruoqing He
ae4b3e9ac0 runtime-rs: Make runtime-rs a package
Make runtime-rs a package that produces shim and shim-ctl as its binary
products, which enables the Makefile to work after runtime-rs is
incorporated into the root workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-12-16 11:26:07 +01:00
shezhang.lau
9744e9f26d runtime-rs: Block Rootfs Mount Options During Storage Object Creation
Initialize the storage options with the original rootfs options.
In addition, for XFS, append nouuid to the mount options if it does not already exist.

Signed-off-by: shezhang.lau <shezhang.lau@antgroup.com>
2025-12-16 13:57:02 +08:00
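A minimal sketch of the described behaviour (function and field names are illustrative, not the actual runtime-rs code): seed the storage options from the original rootfs mount options and, for XFS, append `nouuid` only when it is missing.

```
// Illustrative sketch, not the actual runtime-rs implementation.
fn build_storage_options(fs_type: &str, rootfs_options: &[String]) -> Vec<String> {
    // Start from the original rootfs mount options instead of an empty list.
    let mut options: Vec<String> = rootfs_options.to_vec();

    // XFS refuses to mount two filesystems sharing the same UUID (e.g. cloned
    // images), so append "nouuid" when it is not already present.
    if fs_type == "xfs" && !options.iter().any(|o| o.as_str() == "nouuid") {
        options.push("nouuid".to_string());
    }

    options
}
```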
Xuewei Niu
c8b5f8efad Merge pull request #12167 from M-Phansa/main
runtime-rs: handle container missing during kill_process gracefully
2025-12-16 10:31:50 +08:00
Fabiano Fidêncio
1388a3acda packaging: Add ORAS cache for gperf and busybox tarballs
To protect against upstream download failures for gperf and busybox,
implement ORAS-based caching to GHCR.

This adds:
- download-with-oras-cache.sh: Core helper for downloading with cache
- populate-oras-tarball-cache.sh: Script to manually populate cache
- warn() function to lib.sh for consistency

Modified build scripts to:
- Try ORAS cache first (from ghcr.io/kata-containers/kata-containers)
- Fall back to upstream download on cache miss
- Automatically push to cache when PUSH_TO_REGISTRY=yes

The cache is automatically populated during CI builds, and parallel
architecture builds check for existing versions before pushing to avoid
race conditions.

Forks benefit from upstream cache but can override with their own:
ARTEFACT_REPOSITORY=myorg/kata make agent-tarball

Generated-By: Cursor IDE with Claude
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-15 22:04:21 +01:00
Markus Rudy
661e851445 genpolicy: support fsGroup setting in pod security context
The runtime handles the fsGroup field of the pod security context by
adding a mount option to the generated storage object [1]. This commit
changes genpolicy to expect this option.

Instead of passing another side input to
yaml::get_container_mounts_and_storages, we pass the entire PodSpec.
This reduces the necessary changes in the pod-generating resources and
allows for possible future use of other PodSpec fields.

[1]: https://github.com/kata-containers/kata-containers/blob/0c6fcde1/src/runtime/virtcontainers/kata_agent.go#L1620-L1625

Fixes: #11934

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-12-15 15:22:33 +01:00
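Roughly, the expectation added here is that a PodSpec carrying `securityContext.fsGroup` leads to one extra mount option on the generated storage object. The sketch below assumes the option takes the `fsgid=<gid>` form used by the runtime code referenced in [1]; the types and the function are illustrative, not genpolicy's actual code.

```
// Illustrative sketch, not genpolicy's actual implementation.
struct PodSecurityContext {
    fs_group: Option<i64>,
}

/// Extend the expected storage mount options when fsGroup is set on the pod.
fn expected_storage_options(base: &[String], sc: &PodSecurityContext) -> Vec<String> {
    let mut options = base.to_vec();
    if let Some(gid) = sc.fs_group {
        // Assumed option format, mirroring what the runtime appends for fsGroup.
        options.push(format!("fsgid={}", gid));
    }
    options
}
```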
Fabiano Fidêncio
a25a53c860 kata-deploy: sa: Fix permissions for patching nodefeaturerules
I've seen this happening with the GPU SNP CI every now and then, but I
don't really understand how this was not caught by the TDX / SNP CI
themselves before.

In any case, the error seen is:
```
  Error from server (Forbidden): error when applying patch:
  {"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"nfd.k8s-sigs.io/v1alpha1\",\"kind\":\"NodeFeatureRule\",\"metadata\":{\"annotations\":{},\"name\":\"amd64-tee-keys\"},\"spec\":{\"rules\":[{\"extendedResources\":{\"sev-snp.amd.com/esids\":\"@cpu.security.sev.encrypted_state_ids\"},\"labels\":{\"amd.feature.node.kubernetes.io/snp\":\"true\"},\"matchFeatures\":[{\"feature\":\"cpu.security\",\"matchExpressions\":{\"sev.snp.enabled\":{\"op\":\"Exists\"}}}],\"name\":\"amd.sev-snp\"},{\"extendedResources\":{\"tdx.intel.com/keys\":\"@cpu.security.tdx.total_keys\"},\"labels\":{\"intel.feature.node.kubernetes.io/tdx\":\"true\"},\"matchFeatures\":[{\"feature\":\"cpu.security\",\"matchExpressions\":{\"tdx.enabled\":{\"op\":\"Exists\"}}}],\"name\":\"intel.tdx\"}]}}\n"}}}
  to:
  Resource: "nfd.k8s-sigs.io/v1alpha1, Resource=nodefeaturerules", GroupVersionKind: "nfd.k8s-sigs.io/v1alpha1, Kind=NodeFeatureRule"
  Name: "amd64-tee-keys", Namespace: ""
  for: "/opt/kata-artifacts/node-feature-rules/x86_64-tee-keys.yaml": error when patching "/opt/kata-artifacts/node-feature-rules/x86_64-tee-keys.yaml": nodefeaturerules.nfd.k8s-sigs.io "amd64-tee-keys" is forbidden: User "system:serviceaccount:kube-system:kata-deploy-sa" cannot patch resource "nodefeaturerules" in API group "nfd.k8s-sigs.io" at the cluster scope
```

And the fix is as simple as allowing patching and updating a
nodefeaturerule in our service account RBAC.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-15 12:01:20 +01:00
Alex Lyn
f4f61d5666 Merge pull request #12229 from fidencio/topic/kata-deploy-do-deprecations
kata-deploy: Remove deprecated features from 3.23.0
2025-12-15 19:00:07 +08:00
Hyounggyu Choi
b69da5f3ba gatekeeper: Make s390x e2e tests required again
Since the CI issue for s390x was resolved on Dec 5th,
the nightly test result has gone green for 10 consecutive days.
This commit puts the s390x e2e tests back into the required job list.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-15 11:12:25 +01:00
Fabiano Fidêncio
ded6d1636f kata-deploy: Remove deprecated features from 3.23.0
Let's remove the deprecated features that were marked for removal
after Kata Containers 3.23.0:

kata-deploy.sh:
- Remove non-arch-specific variable fallbacks (SHIMS, DEFAULT_SHIM,
  SNAPSHOTTER_HANDLER_MAPPING, ALLOWED_HYPERVISOR_ANNOTATIONS,
  PULL_TYPE_MAPPING, EXPERIMENTAL_FORCE_GUEST_PULL). Each arch now
  has its own default value.
- Remove CREATE_RUNTIMECLASSES and CREATE_DEFAULT_RUNTIMECLASS
  variables and associated functions (create_runtimeclasses,
  delete_runtimeclasses, adjust_shim_for_nfd). RuntimeClasses are
  now managed by Helm chart, not the daemonset script.
- Unsupported architectures now fail with an error instead of
  falling back to non-arch-specific defaults.

Helm chart:
- Remove all deprecated env values (createRuntimeClasses,
  createDefaultRuntimeClass, debug, shims, shims_*, defaultShim,
  defaultShim_*, allowedHypervisorAnnotations, snapshotterHandlerMapping,
  snapshotterHandlerMapping_*, agentHttpsProxy, agentNoProxy,
  pullTypeMapping, pullTypeMapping_*, _experimentalSetupSnapshotter,
  _experimentalForceGuestPull, _experimentalForceGuestPull_*).
- Remove backward compatibility code from _helpers.tpl that checked
  for legacy env values.
- Remove legacy env.shims check from runtimeclasses.yaml.
- Remove CREATE_RUNTIMECLASSES and CREATE_DEFAULT_RUNTIMECLASS env
  vars from kata-deploy.yaml and post-delete-job.yaml.
- Update RBAC to only include runtimeclasses get/patch permissions
  (needed for NFD patching), removing create/delete/list/update/watch.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-13 16:32:00 +01:00
Adeet Phanse
db09912808 agent: add SandboxError enum for typed error handling
- Replace generic errors in sandbox operations with typed SandboxError variants (InvalidContainerId, InitProcessNotFound, InvalidExecId).
- This enables the kata shim to handle specific failure cases differently.

Fixes #12120

Signed-off-by: Adeet Phanse <adeet.phanse@mongodb.com>
2025-12-12 12:33:18 -05:00
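A minimal sketch of what such a typed error could look like with the `thiserror` crate (the variant payloads are assumptions; the real definition lives in the agent sources):

```
// Illustrative sketch of a typed sandbox error, not the agent's exact definition.
use thiserror::Error;

#[derive(Debug, Error)]
pub enum SandboxError {
    #[error("invalid container id: {0}")]
    InvalidContainerId(String),

    #[error("init process not found for container {0}")]
    InitProcessNotFound(String),

    #[error("invalid exec id: {0}")]
    InvalidExecId(String),
}

/// Callers (e.g. the shim) can match on variants instead of parsing error strings.
fn is_missing_container(err: &SandboxError) -> bool {
    matches!(err, SandboxError::InvalidContainerId(_))
}
```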
Adeet Phanse
5b7e1cdaad runtime-rs: handle container missing during kill_process gracefully
Add better error handling to runtime-rs for when the sandbox itself is killed and recreated.
- Update the kill_process function to skip sending a signal when the process is stopped.
- Always set ProcessStatus::Stopped even when wait_process fails.
- In state_process, return a synthetic state for the sandbox container when using the Sandbox API.

Fixes #12120
Signed-off-by: Adeet Phanse <adeet.phanse@mongodb.com>
2025-12-12 12:33:17 -05:00
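The intended behaviour can be sketched as follows (all names are illustrative, not the actual runtime-rs types): skip signalling a process that is already stopped, and record the stopped state even when the signal/wait step fails.

```
// Illustrative sketch, not the actual runtime-rs code.
#[derive(PartialEq, Clone, Copy)]
enum ProcessStatus {
    Running,
    Stopped,
}

struct Process {
    status: ProcessStatus,
}

impl Process {
    fn send_signal(&self, _sig: u32) -> Result<(), String> {
        Ok(()) // placeholder for the real signalling logic
    }

    /// Kill a process, tolerating the case where it is already gone.
    fn kill_process(&mut self, sig: u32) -> Result<(), String> {
        // Skip signalling a process that has already stopped instead of erroring out.
        if self.status == ProcessStatus::Stopped {
            return Ok(());
        }
        let result = self.send_signal(sig);
        // Always record the stopped state, even if signalling/waiting failed,
        // so later state queries see a consistent status.
        self.status = ProcessStatus::Stopped;
        result
    }
}

fn main() {
    let mut p = Process { status: ProcessStatus::Running };
    assert!(p.kill_process(9).is_ok());
    assert!(p.kill_process(9).is_ok()); // second kill is a no-op, not an error
}
```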
Fabiano Fidêncio
c7d0c270ee release: Bump version to 3.24.0
Bump VERSION and helm-chart versions

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-12 18:15:41 +01:00
Fabiano Fidêncio
50b853eb93 tests: nvidia: Always rely on the "kata" default runtime class
This is a pattern already followed by all the other tests.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
ff2396aeec tests: nvidia: Declare KATA_HYPERVISOR variable
Align with other test logic - declare the KATA_HYPERVISOR in the
run bash script, then declare the RUNTIME_CLASS_NAME variable in
the bats files.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
6e31cf2156 tests: nvidia: cc: Use is_confidential_gpu_hw
This function has recently been introduced, so we align patterns.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
cd1f55b41c tests: nvidia: cc: Set GPU0 policy for NIM tests
Now that we have a more restrictive resource policy for KBS, let
us start adopting it across all NVIDIA test cases. This policy was
previously introduced by the NVIDIA attestation test.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
edbac264cb tests: nvidia: cc: Remove KBS variable
The variable is now set in the CI YAML file, thus removing the
assignment.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
9665b74653 tests: nvidia: cc: address shellcheck warnings
Address shellcheck warnings for run_kubernetes_nv_tests.sh

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Manuel Huber
5f9e7a03a8 tests: nvidia: do not use teardown_common
Clean up in each NVIDIA bats file according to our needs.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 16:31:42 +01:00
Alex Lyn
c3fd4c1621 version: Bump rtnetlink and netlink-packet-route
It aims to upgrade rtnetlink to mitigate netlink log noise.
This commit upgrades the `rtnetlink` dependency (and corresponding
libraries like `netlink-packet-route`) to address excessive and
unnecessary netlink-related logging during sandbox startup.

Problem:
The previously used `rtnetlink v0.16` (depending on `netlink-proto
v0.11.3`) generates a high volume of DEBUG/INFO level netlink messages
during sandbox initialization. This noise:
1.  Overloads the logging system, often leading to warnings like
"slog-async: logger dropped messages due to channel overflow."
2.  Interferes with effective troubleshooting by distracting developers
from legitimate Kata errors.

Solution:
We upgrade to `rtnetlink v0.19` (and `netlink-proto v0.12`), as testing
confirms that the latest versions have correctly elevated the verbosity
of these netlink internal events to the TRACE level.

This change significantly enhances the log analysis experience by
suppressing unnecessary network-related logs during startup.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-12 14:27:33 +01:00
Manuel Huber
1781fb8b06 tests: nvidia: cc: Use CUDA image from NVCR
Pull from nvcr.io to avoid hitting unauthenticated pull rate
limits.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
f63f95f315 tests: nvidia: cc: generate pod security policies
With these changes, we create pod security policies when running
against NVIDIA TEE GPU handlers where AUTO_GENERATE_POLICY is set.
For the non-TEE GPU tests, the added functions bail out by design.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
bf26ad9532 nvidia: tests: remove outer CDI annotations
With the new device plugin being used by CI runners, these
annotations are no longer necessary.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
37b4f6ae8b tests: Adapt NVIDIA common policy settings
Following existing patterns, we adapt the common policy settings
for NVIDIA GPU CI platforms. For instance, for our CI runners, we
use containerd 2.x.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
f4c0c8546e tests: Enable AUTO_GENERATE_POLICY for NVIDIA TEEs
Enable auto-generate policy for qemu-nvidia-gpu-* if the user
didn't specify an AUTO_GENERATE_POLICY value.

Setting this in run_kubernetes_nv_tests.sh is too late as
gha-run.sh calls into run_tests, setup.sh, and then into
create_common_genpolicy_settings() where the rules.rego and
genpolicy-settings file are being copied to the right locations.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
b9774e44b6 genpolicy: tests: Add VFIO passthrough test cases
Add one valid test case with 2 GPUs with proper VFIO device
entries and CDI annotations.
Add seven test cases with invalid combinations of VFIO device
entries and CDI annotations.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
Manuel Huber
d3e6936820 genpolicy: validation of vfio passthrough GPUs
Add rules for vfio passthrough GPUs. When creating the security
policy document, parse GPU resource limits and derive CDI
annotation patterns and VFIO device entries.
With various values for CDI annotations and device paths being
runtime-dependent, use regular expressions.
For now, this enables passthrough of NVIDIA GPUs, but the changes
are designed to allow for other VFIO device types.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-12 12:52:33 +01:00
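Because the concrete VFIO group number and CDI annotation values are only known at runtime, the policy has to match them with patterns instead of literals. A hedged sketch of such a device-path pattern (the exact regular expressions used by genpolicy may differ):

```
// Illustrative sketch; the real genpolicy rules may use different patterns.
use regex::Regex;

/// Matches either /dev/vfio/<NUM> or /dev/vfio/devices/vfio<NUM>.
fn vfio_device_path_pattern() -> Regex {
    Regex::new(r"^/dev/vfio/(devices/vfio)?\d+$").unwrap()
}

fn main() {
    let re = vfio_device_path_pattern();
    assert!(re.is_match("/dev/vfio/42"));
    assert!(re.is_match("/dev/vfio/devices/vfio3"));
    assert!(!re.is_match("/dev/vfio/not-a-device"));
}
```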
Alex Lyn
82e8e9fbe0 doc: add block device's settings to the doc page
Add the block-device-specific annotations for num_queues and queue_size,
which are dedicated to runtime-rs, to the documentation to help
users set the two parameters.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-11 21:10:22 +01:00
Alex Lyn
a8a458664d kata-types: Allow dynamic queue config via Pod annotations
This commit introduces the capability to dynamically configure
`queue_size` and `num_queues` parameters via Pod annotations.

Currently, `kata-runtime` allows for static configuration of
`queue_size` and `num_queues` for block devices through its config
file. However, a critical issue arises when a Pod is allocated fewer
CPU cores than the statically configured `num_queues` value. In such
scenarios, the Pod fails to start, leading to operational instability
and limiting flexibility in resource allocation.

To address this, this feature enables users to override the default
queue_size and num_queues parameters by specifying them in Pod
annotations. This allows for fine-grained control and dynamic adjustment
of these parameters based on the specific resource allocation of a Pod.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-11 21:10:22 +01:00
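The mechanism boils down to letting an annotation value override the static configuration, and keeping `num_queues` consistent with the Pod's actual vCPU allocation. A sketch using assumed annotation keys (the real keys and clamping policy live in kata-types and may differ):

```
// Illustrative sketch; the annotation keys and the clamping policy are assumptions.
use std::collections::HashMap;

fn u32_annotation(annotations: &HashMap<String, String>, key: &str, default: u32) -> u32 {
    annotations
        .get(key)
        .and_then(|v| v.parse::<u32>().ok())
        .unwrap_or(default)
}

/// Resolve the effective (num_queues, queue_size) for a block device.
fn block_queue_config(
    annotations: &HashMap<String, String>,
    default_num_queues: u32,
    default_queue_size: u32,
    pod_vcpus: u32,
) -> (u32, u32) {
    // Hypothetical annotation keys, used only for this illustration.
    let num_queues =
        u32_annotation(annotations, "io.example.block_device_num_queues", default_num_queues);
    let queue_size =
        u32_annotation(annotations, "io.example.block_device_queue_size", default_queue_size);

    // Avoid the failure mode described above: never ask for more queues than vCPUs.
    (num_queues.min(pod_vcpus.max(1)), queue_size)
}
```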
Steve Horsman
51459b9b15 Merge pull request #12220 from fidencio/topic/ci-arm64-temporarily-disable-arm64-non-k8s-tests
ci: arm64-non-k8s: temporarily skip the tests
2025-12-11 11:35:39 +00:00
Fabiano Fidêncio
46c7d6c9f8 ci: arm64-non-k8s: temporarily skip the tests
The runner is down for a few weeks. I may end up bringing in my personal
runner, but I'm not confident I can easily do this before the holidays,
thus I'm skipping the tests for now.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-11 12:14:32 +01:00
Manuel Huber
560f6f6c74 tests: nvidia: cc: Affirming attestation policy
Set the attestation policy for GPU0 to affirming. This requires
the GPU, for instance, to have production properties, such as
properly signed VBIOS firmware.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-11 10:16:58 +01:00
Alex Lyn
751b6875f9 tests: Temporarily skip the cpu-ns test for the s390x platform
For reasons that keep this CI continuously failing, we'd like to
temporarily skip it for the s390x platform. It will be re-enabled
once the related issues are addressed.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
d495b77135 runtime-rs: Align the default annotations with runtime-go
As the default enable_annotations in runtime-rs differs from runtime-go,
we should align it with the runtime-go configuration.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
c8dd5fbacf runtime-rs: Migrate vCPU tracking to fractional float
This commit refactors the vCPU resource management within runtime's
`CpuResource` structure and related calculation logic to use
floating-point numbers (`f32`) instead of integers (`u32`).

This migration is necessary to fully support the fractional vCPU
allocation introduced in the `kata-types` library, ensuring better
precision in:
1. Allocation Tracking: `current_vcpu` now tracks the precise
fractional value (e.g., 1.5 vCPUs).
2. Resource Calculation: `calc_cpu_resources` now returns a precise
`f32` sum of container vCPU requests, including normalization logic
based on the maximum period, removing the previous integer rounding
steps in the calculation.
3. Hypervisor Interaction: The integer vCPU requirement for the
hypervisor remains, so `ceil()` is now explicitly applied only when
interacting with the hypervisor or agent APIs
(`do_update_cpu_resources`, `current_vcpu`, `online_cpu_mem`).

Key changes:
1. `CpuResource::current_vcpu` updated from `u32` to `f32`.
2. `calc_cpu_resources` return type changed from `u32` to `f32`.
3. CPU hotplug logic now uses `f32` for the target vCPU count and applies
`ceil()` before calling `hypervisor.resize_vcpu()`.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
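In short, the bookkeeping stays fractional and only the boundary to the hypervisor rounds up. A simplified sketch of that rule (names and types are illustrative, not the actual `CpuResource` code):

```
// Illustrative sketch; the real CpuResource logic in runtime-rs is more involved.
struct ContainerCpu {
    quota: i64,  // CFS quota in microseconds, -1 means "unlimited"
    period: u64, // CFS period in microseconds
}

/// Sum the fractional vCPU requests of all containers (quota / period).
fn calc_cpu_resources(containers: &[ContainerCpu]) -> f32 {
    containers
        .iter()
        .filter(|c| c.quota > 0 && c.period > 0)
        .map(|c| c.quota as f32 / c.period as f32)
        .sum()
}

/// Only when talking to the hypervisor do we round up to whole vCPUs.
fn vcpus_for_hypervisor(fractional: f32) -> u32 {
    fractional.ceil() as u32
}
```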
Alex Lyn
84fd33c3bc kata-types: Use fractional float for vCPU resource tracking
Refactors `LinuxContainerCpuResources` and `LinuxSandboxCpuResources`
to track calculated vCPU allocation using `f64` (fractional float)
instead of `u64` (milliseconds).

This ensures more precise resource calculation (`quota / period`) and
aggregation by avoiding rounding errors inherent in millisecond-based
integer tracking.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
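The precision argument in a nutshell: integer millisecond tracking rounds each container's share before aggregation, while an `f64` ratio keeps the exact `quota / period` value until the end. A small, self-contained illustration (not the kata-types implementation):

```
// Illustration of the rounding issue, not the kata-types implementation.
fn main() {
    // Three containers, each requesting ~1/3 of a CPU (33333us quota over a 100000us period).
    let (quota, period) = (33_333_i64, 100_000_u64);

    // Millisecond-based integer tracking truncates each container's share.
    let millis_per_container = (quota * 1000) / period as i64; // 333 ms
    let total_millis = 3 * millis_per_container;               // 999 ms

    // Fractional tracking keeps the precise ratio and aggregates it as f64.
    let vcpus_per_container = quota as f64 / period as f64;    // 0.33333
    let total_vcpus = 3.0 * vcpus_per_container;               // 0.99999

    println!("integer millis total: {total_millis}");
    println!("fractional vCPU total: {total_vcpus:.5}");
}
```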
Alex Lyn
0f04363ea8 tests: Disable CPU elasticity tests for nontee scenarios
This commit updates the non-TEE tests to disable two specific test
cases: `k8s-number-cpus.bats` and `k8s-sandbox-vcpus-allocation.bats`.

These tests are designed to cover CPU elasticity/dynamic scaling
capabilities. In the non-TEE scenario, we are enforcing the disabling of
this capability by setting the default configuration to
`static_sandbox_resource_mgmt=true`.

Although the tests currently pass, allowing them to run is logically
inconsistent with the intended non-TEE configuration. Therefore, we are
disabling them for all non-TEE runtimes, specifically targeting:
- `qemu-coco-dev`
- `qemu-coco-dev-runtime-rs`

This change ensures that our non-TEE CI accurately reflects the static
resource management policy and prevents misleading test results.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
beaf44dd2e tests: disable block volume test for s390 arch
As runtime-rs doesn't support block device hotplug on the s390 arch,
we just disable or skip the test when running on s390.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
535ba589f4 runtime-rs: Enable elastic resource feature
To support this feature, the corresponding item in the Makefile should be
enabled; it can be set at build time, like this:
`DEFSTATICRESOURCEMGMT_QEMU := false`
When users don't want this feature, they can set it to true via
the configuration.toml.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
28371dbec5 tests: Enable cloud-hypervisor and qemu-runtime-rs within the CI
Enable the cpu hotplug tests within the k8s-number-cpus.bats for both
cloud-hypervisor and qemu-runtime-rs.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
82a72b4564 tests: Enable cpu hotplug for dragonball and clh in vcpus allocation
We now support CPU hotplug features within dragonball and clh; this
commit enables the test within the CI.

Fixes: #8660

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
6196d3d646 tests: Enable cpu hotplug tests in k8s-cpu-ns.bats
Due to a previous failure in this case, we chose to skip it, but now
the CPU hotplug has been corrected, and it's time to re-enable it.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
Alex Lyn
96bd13e85d tests: Add support for qemu-runtime-rs
We now support the virtio-scsi driver, and the CI should be
enabled.

Fixes: #10373

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-12-10 22:11:56 +01:00
dependabot[bot]
2137b1fa3a build(deps): bump github.com/containernetworking/plugins in /src/runtime
Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 1.7.1 to 1.9.0.
- [Release notes](https://github.com/containernetworking/plugins/releases)
- [Commits](https://github.com/containernetworking/plugins/compare/v1.7.1...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/plugins
  dependency-version: 1.9.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-10 16:10:24 +01:00
LandonTClipp
b50a73912d runtime: Config test extension for IOMMUFDID
Add additional cases for the IOMMUFDID method to check the behaviour
when non-IOMMUFD paths are passed. The method should do the right
thing.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2025-12-10 15:46:28 +01:00
LandonTClipp
d5e4cf6b4d runtime: Add test for ExecuteVFIODeviceAdd
Copilot made a good point that we should have a test for this.
Thus, this commit.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2025-12-10 15:46:28 +01:00
LandonTClipp
137866f793 runtime: Allow QMP commands to be logged in debug level
Logging the QMP commands gives us a lot of flexibility to
troubleshoot issues with what is being sent to QEMU.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2025-12-10 15:46:28 +01:00
LandonTClipp
a3b5764f67 runtime: Fix import cycle and add unit test for IOMMUFDID()
An import cycle was introduced because of a mutual need
for the constant that describes the prefix of IOMMUFD files.
We need to extract this out into a higher-level package.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2025-12-10 15:46:28 +01:00
LandonTClipp
09438fd54f runtime: Add IOMMUFD Object Creation for QEMU QMP Commands
The QMP commands sent to QEMU did not properly set up
IOMMUFD objects in the codepath that handles VFIO device
hot-plugging. This is mainly relevant in the Kubernetes
use-case where the VFIO devices are not available when
QEMU is first launched.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2025-12-10 15:46:28 +01:00
Manuel Huber
cb8fd2e3b1 runtime: gpu: Skip CDI annos for pause container
The pause container does not need CDI annotations; these are only
intended for workload containers.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-10 13:26:04 +01:00
Fabiano Fidêncio
69a0ac979c tests: Adjust install_bats()
The function assumes that the runner is an Ubuntu machine, which so far
has been true as part of our CI.

However, the new ARM runner is running on Debian, and those mirror
additions would simply break.

With this in mind, for any distro that's not Ubuntu, let's just make
sure to inform the owner of the system that bats must already be installed
as part of the environment provided.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-10 12:05:04 +01:00
Fabiano Fidêncio
406f6b1d15 Revert "tests: Add workaround to override CDI files"
This reverts commit 5a81b010f2, as we now
have all the infrastructure properly set up as part of our CI node.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-09 23:18:11 +01:00
Fabiano Fidêncio
3db7b88eff tests: remove containerd guest pull stability tests
Remove the existing containerd guest pull stability tests workflow
as we're going to rebuild all the VMs used for testing and introduce
new, more focused stability tests for nydus-snapshotter.

The new tests will be added soon, as part of another PR.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-08 16:29:11 +01:00
Fabiano Fidêncio
5b6a2d25bc podOverhead: Reduce memory overhead for GPU runtime classes
Now that we've bumped to QEMU 10.2.0-rc1, we can take advantage of a fix
that's present there, which fixes the double memory allocation for the
cases where GPUs are being cold-plugged.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-06 00:16:43 +01:00
Fabiano Fidêncio
71f78cc87e tests: cc: gpu: Lower the amount of memory required by the pods
We've made the pods require a ridiculous amount of memory, just for the
sake of getting them running.

Now that those are running, tests are passing, and the CI is required, let's
work to lower the amount of memory needed, as everything else is working
as expected.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-06 00:16:43 +01:00
Dan Mihai
965ad10cf2 tests: k8s: tests_common.sh local modification
Clean-up shellcheck warnings:

SC2030 (info): Modification of cmd_out is local (to subshell caused by (..) group).
SC2031 (info): cmd_out was modified in a subshell. That change might be lost.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-12-06 00:16:23 +01:00
Dan Mihai
8199171cc4 tests: k8s: tests_common.sh braces around variables
Clean-up shellcheck warnings:

SC2250 (style): Prefer putting braces around variable references even
when not strictly required.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-12-06 00:16:23 +01:00
Fabiano Fidêncio
5a81b010f2 tests: Add workaround to override CDI files
Let's add a simple backup and restore logic for the CDI configuration
file nvidia.com-pgpu.yaml in the k8s-nvidia-*.bats and
k8s-confidential-attestation.bats test files.

Although not optimal, this is a temporary workaround needed until
NVIDIA releases what's needed for the GPU Operator to properly deal with
cold plugged devices for the Confidential Containers cases, which is
work in progress right now.

After that's released, we can revert/drop this patch.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-05 18:58:35 +01:00
Fabiano Fidêncio
aaa67df4dd versions: Bump experimental {tdx,snp} QEMU
Let's bump the experimental {tdx,snp} QEMU to the tags created today in the
Confidential Containers repo, which match QEMU 10.2.0-rc1.

This bump is especially beneficial for us, as we can get rid of QEMU's
double memory allocation when **cold plugging** a GPU.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-05 18:58:35 +01:00
Zvonko Kaiser
f8ad17499d gpu: VFIO handling container vs sandbox
If the sandbox has cold-plugged an IOMMUFD device but the device plugin
sends us a /dev/vfio/<NUM> device, we need to check whether the IOMMUFD
device and the VFIO device are the same. We have the sibling.BDF; we now
need to extract the BDF of the devPath, which is either /dev/vfio/<NUM>
or /dev/vfio/devices/vfio<NUM>.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-12-05 16:53:31 +01:00
Zvonko Kaiser
147e9f188e Merge pull request #12080 from manuelh-dev/mahuber/cc-gpu-ci-attestation
tests: nvidia: cc: Add attestation test
2025-12-05 09:31:57 -05:00
Steve Horsman
2f1b98c232 Merge pull request #12197 from stevenhorsman/logrus-1.9.3-bump
version: Bump sirupsen/logrus
2025-12-05 14:18:50 +00:00
Manuel Huber
e5861cde20 tests: use Authorization when GH_TOKEN is set
Same as for other uses of GH_TOKEN, use it when set in order to
avoid rate limiting issues.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 14:08:43 +01:00
stevenhorsman
9eba559bd6 version: Bump sirupsen/logrus
Bump the github.com/sirupsen/logrus version to 1.9.3
across our components where it is back-level to bring us
up-to-date and resolve high severity CVE-2025-65637

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-05 11:12:04 +00:00
Manuel Huber
34efa83afc tests: nvidia: cc: Add attestation test
Add the attestation bats test case to the NVIDIA CI and provide a
second pod manifest for the attestation test with a GPU. This will
enable composite attestation in a subsequent step.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
e31d592a0c versions: Bump coco-trustee
Bump to pull in a fix for composite attestation with GPUs. The new
commit ID corresponds to the fix (change for default GPU policy),
currently being the top commit of the main branch.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
73dfa9b9d5 versions: Bump coco-guest-components
Bump to pull in a fix for NVIDIA CC GPU attestation.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
116a72ad0d tests: cc: Fix command evaluation
This brings two fixes:
- use the test_key variable to check against the aatest value.
- properly check the run command invocation (run w/o bash does not
  seem to like the pipe, which leads to the status result ALWAYS
  evaluating to 1; with this, the deny-all test would ALWAYS
  succeed regardless of whether aatest was actually returned or not).

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
23675c784b tests: cc: Reset default policy
When running these tests repeatedly locally, the default policy is not
reset after the test completes, so subsequent runs fail.
Similar to k8s-sealed-secrets.bats, we set the default policy in an if
condition.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
f70c3adaf1 tests: cc: Add kbs_set_gpu0_resource_policy
This allows setting a GPU0 resource policy, enabling GPU
attestation tests to not use the default resource policy.
For now, the policy requires attestation's ear status to
not be contraindicated. In a future change we will require
this to be affirming once our CI runners' vBIOS version is
properly configured.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
c2d1e2dcc9 tests: cc: Add is_confidential_gpu_hardware
This enables attestation tests to figure out whether composite
attestation with a GPU can be executed.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Manuel Huber
53e94df203 tests: nvidia: cc: add SUPPORTED_TEE_HYPERVISORS
Add the NVIDIA TEE hypervisors. With this, attestation tests can be run
against the NVIDIA handlers, for instance.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-05 11:48:55 +01:00
Fabiano Fidêncio
923f97bc66 rootfs: Temporarily revert "gpu: Handle root_hash.txt correctly"
This reverts commit e4a13b9a4a, as it
caused some issues with the GPU workflows.

Reverting it is better, as it unblocks other PRs.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-05 11:47:37 +01:00
Steve Horsman
d27af53902 Merge pull request #12185 from stevenhorsman/runtime-rs-required-checks
ci: Add qemu-runtime-rs AKS tests to required
2025-12-05 10:43:25 +00:00
stevenhorsman
403de2161f version: Update golang to 1.24.11
Needed to fix:
```
Vulnerability #1: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/x509@go1.24.9
    Fixed in: crypto/x509@go1.24.11
    Vulnerable symbols found:
      #1: x509.HostnameError.Error
```

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-04 22:50:07 +01:00
Steve Horsman
425f4ffc8d Merge pull request #12124 from zvonkok/nvidia-measured-rootfs
gpu: Measured rootfs
2025-12-04 14:54:11 +00:00
Hyounggyu Choi
1dd3426adc tests: Extend vfio-ap test for runtime-rs
vfio-ap passthrough has been introduced for runtime-rs,
requiring that the existing test verify this new functionality.
This commit adds:

- containerd config specific to runtime-rs
- extensions to the existing test functions to cover vfio-ap

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-04 15:05:23 +01:00
Hyounggyu Choi
aa326fb9b8 tests: Remove usage of crictl for vfio-ap
`crictl` is not used any more after #10767.
Let's clean up all places where the tool is used.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-04 15:05:23 +01:00
Hyounggyu Choi
41d61f4b16 runtime-rs: Enable VFIO-AP passthrough
The following have been made for the enablement:

1. Make `MediatedPci` and `MediatedAp` in `VfioDeviceType`
2. Make HostDevice without BDF for `MediatedAp`
3. Add `CCW` to VFioBusMode and set it to VfioConfig as `bus_type`
4. Return `vfio-ap` driver type for `CCW` bus type
5. Set `bus_mode` for `VfioDevice` based on `bus_type`
6. Set `vfio-ap` to the agent device's `field_type`
7. Prepare a different argument for `vfio-ap` for QMP command
8. Set None to all PCI relevant fields

Please keep in mind that `vfio-ap` does not belong to any
type of port topology like PCI (e.g., root or switch),
because devices on s390x are controlled by CCW.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-04 15:05:23 +01:00
Hyounggyu Choi
cb5b1384ca runtime-rs: Introduce uses_native_ccw_bus()
Until now, we relied on `VMROOTFSDRIVER` to determine
whether a system uses a native CCW bus.
However, this method is not canonical and can be error-prone
depending on the configuration.

This commit introduces a new function that checks
for the presence of CCW bus infrastructure in sysfs
and verifies that native mainframe drivers are available.
It replaces all previous uses of the old detection method.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-04 15:05:23 +01:00
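Conceptually the new check boils down to probing sysfs. A hedged sketch of the idea (the exact paths and driver names probed by the real function are assumptions here):

```
// Illustrative sketch; the actual runtime-rs function may probe different paths.
use std::path::Path;

/// Heuristic: a native CCW bus exists and native virtio-ccw drivers are available.
fn uses_native_ccw_bus() -> bool {
    let ccw_bus_present = Path::new("/sys/bus/ccw").is_dir();
    // Assumed driver path, used only for this illustration.
    let native_driver_present = Path::new("/sys/bus/ccw/drivers/virtio_ccw").is_dir();
    ccw_bus_present && native_driver_present
}

fn main() {
    println!("native CCW bus: {}", uses_native_ccw_bus());
}
```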
Steve Horsman
f673f33e72 Merge pull request #12172 from fidencio/topic/gatekeeper-mark-nvidia-jobs-as-required
gatekeeper: Mark NVIDIA CC GPU test as required
2025-12-04 12:48:57 +00:00
stevenhorsman
112810c796 ci: Add qemu-runtime-rs AKS tests to required
Add the small and normal variants of the qemu-runtime-rs
tests to the required-tests list now that they are stable.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-04 11:15:43 +00:00
Fabiano Fidêncio
c505afb67c gatekeeper: Mark NVIDIA CC GPU test as required
It's been stable for the past 10 nightlies, no retries.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-12-04 11:14:25 +00:00
Steve Horsman
635f7892d5 Merge pull request #12190 from BbolroC/mark-s390x-jobs-as-nonrequired
gatekeeper: Drop all s390x e2e tests temporarily
2025-12-04 11:10:46 +00:00
Steve Horsman
2a6ebc556f Merge pull request #12175 from kata-containers/mahuber/gpu-ci-genpolicy
ci: nvidia: Install kata-artifacts
2025-12-04 09:23:32 +00:00
Hyounggyu Choi
b6ef7eb9c3 gatekeeper: Drop all s390x e2e tests temporarily
This commit marks three s390x CI jobs as non-required.
Please check out the details at #12189.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-04 08:05:14 +01:00
Steve Horsman
10b0717cae Merge pull request #12179 from stevenhorsman/nginx-test-image-by-digest
tests: Switch nginx test image ref to digest
2025-12-03 13:39:07 +00:00
Hyounggyu Choi
22778547b2 runtime-rs: Fix panic when OCI spec annotations are missing
An oci-spec can be passed to the runtime without annotations
(e.g., `ctr run`). In this case, the runtime panics with:

```
src/runtime-rs/crates/runtimes/src/manager.rs:391: called `Option::unwrap()` on a `None` value
```

This commit checks if the annotation is None, and instantiates
the hashmap as an empty map if it is missing. It also adds a None
check for `netns`.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-03 13:07:39 +01:00
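The fix amounts to replacing the panicking `unwrap()` with a defaulting accessor. A minimal sketch of the pattern (simplified types, not the exact manager.rs change):

```
// Illustrative sketch of the defensive pattern, not the exact manager.rs code.
use std::collections::HashMap;

struct Spec {
    annotations: Option<HashMap<String, String>>,
}

fn annotations_of(spec: &Spec) -> HashMap<String, String> {
    // Before: spec.annotations.clone().unwrap() panics when `ctr run` passes no annotations.
    // After: fall back to an empty map when the field is missing.
    spec.annotations.clone().unwrap_or_default()
}
```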
Hyounggyu Choi
ba78fb46fb runtime-rs: Configure protection devices when confidential_guest is set
Currently, the protection device configuration is constructed
automatically even if `confidential_guest` is not set.
This commit puts a condition to check the flag and allows the
construction accordingly.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-12-03 13:07:39 +01:00
Zvonko Kaiser
e4a13b9a4a gpu: Handle root_hash.txt correctly
Updates to the shim-v2 build and the binaries.sh script.
Making sure that both variants, "confidential" AND
"nvidia-gpu-confidential", are handled.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-12-02 19:56:19 +01:00
Steve Horsman
d8405cb7fb Merge pull request #11983 from stevenhorsman/toolchain-guidance
doc: Document our Toolchain policy
2025-12-02 15:47:54 +00:00
stevenhorsman
b9cb667687 doc: Document our Toolchain policy
Create an initial version of our toolchain policy as agreed in
Architecture Committee meetings and the PTG

Fixes: #9841
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-02 14:28:29 +00:00
stevenhorsman
79a75b63bf tests: Switch nginx test image ref to digest
As tags are mutable and digests are not, let's pin our image
by digest to give our CI a better chance of stability.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-02 13:02:50 +00:00
stevenhorsman
5c618dc8e2 tests: Switch nginx images to use version.yaml details
- Swap out the hard-coded nginx registry and versions for reading
the test image details from version.yaml,
which can also ensure that the quay.io mirror is used
rather than the docker hub versions, which can hit pull limits
- Try setting imagePullPolicy Always to fix issues with the arm CI

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-02 10:04:09 +01:00
Manuel Huber
3427b5c00e ci: nvidia: Install kata-artifacts
In preparation for Kata agent security policy testing, install the
Kata tools to provide genpolicy.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-01 17:59:19 +00:00
Manuel Huber
4355af7972 kata-deploy: Fix binary find install_tools_helper
When using the make tarball targets for tools locally, binaries may exist
for both debug and release builds. In this case, cryptic errors
are shown as we try to install multiple binaries.
This change requires exactly one binary to be found and errors out
in other cases.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-12-01 09:29:24 -08:00
Manuel Huber
5a5c43429e ci: nvidia: remove kubectl_retry calls
When tests regress, the CI wait time can increase significantly
with the current kubectl_retry attempt logic. Thus, align with
other tests and remove kubectl_retry invocations. Instead, rely on
proper timeouts.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-28 19:00:57 +01:00
Fabiano Fidêncio
e3646adedf gatekeeper: Drop SEV-SNP from required
The SEV-SNP machine is failing due to nydus not being deployed on the
machine.

We cannot easily contact the maintainers due to the US holidays, and I
think this should become a criterion for a machine not to be added as
required again (coverage across different regions).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-28 12:46:07 +01:00
Steve Horsman
8534afb9e8 Merge pull request #12150 from stevenhorsman/add-gatekeeper-triggers
ci: Add two extra gatekeeper triggers
2025-11-28 09:34:41 +00:00
Zvonko Kaiser
9dfa6df2cb agent: Bump CDI-rs to latest
Latest version of container-device-interface is v0.1.1

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-27 22:57:50 +01:00
Fabiano Fidêncio
776e08dbba build: Add nvidia image rootfs builds
So far we've only been building the initrd for the nvidia rootfs.
However, we're also interested in having the image used for a few
use cases.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-27 22:46:07 +01:00
stevenhorsman
531311090c ci: Add two extra gatekeeper triggers
We hit a case where gatekeeper was failing because it thought the WIP
check had failed, but since it ran, the PR had been edited to remove
that from the title. We should listen to edit and unlabel events on the
PR to ensure that gatekeeper doesn't get outdated in situations like this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-27 16:45:04 +00:00
Zvonko Kaiser
bfc9e446e1 kernel: Add NUMA config
Add per-arch NUMA enablement kernel settings.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-27 12:45:27 +01:00
Steve Horsman
c5ae8c4ba0 Merge pull request #12144 from BbolroC/use-runs-on-to-choose-runners
GHA: Use `runs-on` only for choosing proper runners
2025-11-27 09:54:39 +00:00
Fabiano Fidêncio
2e1ca580a6 runtime-rs: Only QEMU supports templating
We can remove the checks and default-value assignment from all other
shims.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-27 10:31:28 +01:00
Alex Lyn
df8315c865 Merge pull request #12130 from Apokleos/stability-rs
tests: Enable stability tests for runtime-rs
2025-11-27 14:27:58 +08:00
Fupan Li
50dce0cc89 Merge pull request #12141 from Apokleos/fix-nydus-sn
tests: Properly handle containerd config based on version
2025-11-27 11:59:59 +08:00
Fabiano Fidêncio
fa42641692 kata-deploy: Cover all flavours of QEMU shims with multiInstallSuffix
We were missing all the runtime-rs variants.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-26 17:44:16 +01:00
Fabiano Fidêncio
96d1e0fe97 kata-deploy: Fix multiInstallSuffix for NV shims
When using the multiInstallSuffix we must be cautious when using the shim
name, as qemu-nvidia-gpu* doesn't actually have a matching QEMU itself,
but should rather be mapped to:
qemu-nvidia-gpu -> qemu
qemu-nvidia-gpu-snp -> qemu-snp-experimental
qemu-nvidia-gpu-tdx -> qemu-tdx-experimental

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-26 17:44:16 +01:00
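For illustration only, the mapping above could be expressed roughly as follows; the shim names come from the commit message, while the function itself is hypothetical and not part of kata-deploy:

```
// Hypothetical helper; shim names are taken from the commit message above.
fn qemu_flavour_for_shim(shim: &str) -> &str {
    match shim {
        "qemu-nvidia-gpu" => "qemu",
        "qemu-nvidia-gpu-snp" => "qemu-snp-experimental",
        "qemu-nvidia-gpu-tdx" => "qemu-tdx-experimental",
        other => other, // shims whose names match their own QEMU build
    }
}

fn main() {
    assert_eq!(qemu_flavour_for_shim("qemu-nvidia-gpu-snp"), "qemu-snp-experimental");
}
```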
Markus Rudy
d8f347d397 Merge pull request #12112 from shwetha-s-poojary/fix_list_routes
agent: fix the list_routes failure
2025-11-26 17:32:10 +01:00
Steve Horsman
3573408f6b Merge pull request #11586 from zvonkok/numa-qemu
qemu: Enable NUMA
2025-11-26 16:28:16 +00:00
Steve Horsman
aae483bf1d Merge pull request #12096 from Amulyam24/enable-ibm-runners
ci: re-enable IBM runners for ppc64le and s390x
2025-11-26 13:51:21 +00:00
Steve Horsman
5c09849fe6 Merge pull request #12143 from kata-containers/topic/add-report-tests-to-workflows
workflows: Add Report tests to all workflows
2025-11-26 13:18:21 +00:00
Steve Horsman
ed7108e61a Merge pull request #12138 from arvindskumar99/SNPrequired
CI: readding SNP as required
2025-11-26 11:33:07 +00:00
Amulyam24
43a004444a ci: re-enable IBM runners for ppc64le and s390x
This PR re-enables the IBM runners for ppc64le/s390x build jobs and s390x static checks.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-11-26 16:20:01 +05:30
Hyounggyu Choi
6f761149a7 GHA: Use runs-on only for choosing proper runners
Fixes: #12123

The `include` in #12069, introduced to choose a different runner
based on component, leads to another set of redundant jobs
where `matrix.command` is empty.
This commit goes back to the `runs-on` solution, but makes
the condition human-readable.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-26 11:35:30 +01:00
Alex Lyn
4e450691f4 tests: Unify nydus configuration to containerd v3 schema
Containerd configuration syntax (`config.toml`) varies across versions,
requiring per-version logic for fields like `runtime`.

However, testing confirms that containerd LTS (1.7.x) and newer
versions fully support the v3 schema for the nydus remote snapshotter.

This commit replaces the previous containerd v1 settings in `config.toml`
with a unified v3-style configuration for nydus, which is valid for both
LTS and active containerd releases.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-26 17:58:16 +08:00
stevenhorsman
4c59cf1a5d workflows: Add Report tests to all workflows
In the CoCo test jobs @wainersm created a report tests step
that summarises the jobs, so they are easier to understand and
get results for. This is very useful, so let's roll it out to all the bats
tests.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-26 09:28:36 +00:00
shwetha-s-poojary
4510e6b49e agent: fix the list_routes failure
Relax the list_routes tests so that not every route requires a device.

Signed-off-by: shwetha-s-poojary <shwetha.s-poojary@ibm.com>
2025-11-25 20:25:46 -08:00
Xuewei Niu
04e1cf06ed Merge pull request #12137 from Apokleos/fix-netdev-mq
runtime-rs: fix QMP 'mq' parameter type in netdev_add to boolean
2025-11-26 11:49:33 +08:00
Alex Lyn
ebe084e093 Merge pull request #12122 from fidencio/topic/configs-do-no-have-commented-out-options
runtimes: config: Do NOT have commented fields
2025-11-26 10:33:32 +08:00
Alex Lyn
e9f50f6e71 Merge pull request #12116 from manuelh-dev/mahuber/ci-openvpn-policy-v2
policy: ci: enable security policy for openvpn test case
2025-11-26 09:35:43 +08:00
Fabiano Fidêncio
e859537c74 runtimes: config: Do NOT have commented fields
In order to have a better way to set things up using a toml editor, we
should take the containerd approach and actually have everything
uncommented. This will help us unify how we deal with such values in
the future from the kata-deploy POV.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-25 19:26:56 +01:00
Arvind Kumar
c085011a0a CI: readding SNP as required
Reenabling the SNP CI node as a required test.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-11-25 17:05:01 +00:00
Fabiano Fidêncio
5ca4f2b9ff runtimes: annotations: Fix kernel param handling
We need to ensure that we neither blindly append nor blindly override the
kernel parameters set by default, but rather modify the values in case
they exist, and append in case they do not.

Now we're actually making the golang and rust runtimes behave the same, as
so far they were behaving differently, each version wrong in its own way.
:-p

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-25 16:04:52 +01:00
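A minimal sketch of the "modify if present, append otherwise" behaviour described above, using a plain key/value list; the real runtimes operate on their own kernel-parameter types:

```
// Upsert semantics for kernel parameters: override an existing key,
// append when the key is missing. Types are simplified for the sketch.
fn upsert_kernel_param(params: &mut Vec<(String, String)>, key: &str, value: &str) {
    match params.iter_mut().find(|(k, _)| k == key) {
        Some((_, v)) => *v = value.to_string(),
        None => params.push((key.to_string(), value.to_string())),
    }
}

fn main() {
    let mut params = vec![("console".to_string(), "hvc0".to_string())];
    upsert_kernel_param(&mut params, "console", "ttyS0"); // existing: modified
    upsert_kernel_param(&mut params, "quiet", "");        // missing: appended
    assert_eq!(params.len(), 2);
}
```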
Zvonko Kaiser
45cce49b72 shellcheck: Fix [] [[]] SC2166
This file is a beast, so we're doing one shellcheck fix after another.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-25 15:46:16 +01:00
Zvonko Kaiser
b2c9439314 qemu: Update tools/packaging/static-build/qemu/build-qemu.sh
This nit was introduced by 227e717 during the v3.1.0 era. The + sign from the bash substitution ${CI:+...} was copied by mistake.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-25 15:46:09 +01:00
Zvonko Kaiser
2f3d42c0e4 shellcheck: build-qemu.sh is clean
Make shellcheck happy

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-25 15:46:07 +01:00
Zvonko Kaiser
f55de74ac5 shellcheck: build-base-qemu.sh is clean
Make shellcheck happy

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-25 15:45:49 +01:00
Zvonko Kaiser
040f920de1 qemu: Enable NUMA support
Enable NUMA support with QEMU.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-25 15:45:00 +01:00
Alex Lyn
de9308419b Merge pull request #12135 from microsoft/danmihai1/init-data
agent: allow disabling detect_initdata_device
2025-11-25 21:07:57 +08:00
Alex Lyn
34d3bd18bc Merge pull request #12132 from fidencio/topic/runtime-classes-fix-nvidia-gpu-podOverhead
runtimeclasses: Fix nvidia-gpu podOverhead
2025-11-25 20:23:07 +08:00
Alex Lyn
7f4d856e38 tests: Enable nydus tests for qemu-runtime-rs
We need to enable the nydus tests for qemu-runtime-rs, and this commit
does so.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-25 17:45:57 +08:00
Alex Lyn
98df3e760c runtime-rs: fix QMP 'mq' parameter type in netdev_add to boolean
The QEMU netdev_add QMP command requires the 'mq' (multi-queue) argument
to be of boolean type (`true` / `false`). In runtime-rs the virtio-net
device hotplug logic currently passes a string value (e.g. "on"/"off"),
which causes QEMU to reject the command:
```
    Invalid parameter type for 'mq', expected: boolean
```
This patch modifies `hotplug_network_device` to insert 'mq' as a proper
boolean value of `true`. This fixes sandbox startup failures when
multi-queue is enabled.

Fixes #12136

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-25 17:34:36 +08:00
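A small sketch of the fix's idea, assuming serde_json is used to build the QMP arguments; the argument names follow the commit message and the surrounding QMP plumbing is omitted:

```
use serde_json::{json, Value};

// Build netdev_add arguments with 'mq' as a JSON boolean, not "on"/"off".
fn netdev_add_args(id: &str, multi_queue: bool) -> Value {
    json!({
        "type": "tap",
        "id": id,
        "mq": multi_queue, // boolean, as QEMU expects
    })
}

fn main() {
    let args = netdev_add_args("net0", true);
    assert!(args["mq"].is_boolean());
}
```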
Alex Lyn
23393d47f6 tests: Enable stability tests for qemu-runtime-rs on nontee
Enable the stability tests for qemu-runtime-rs CoCo in non-TEE
environments.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-25 16:18:37 +08:00
Alex Lyn
f1d971040d tests: Enable run-nerdctl-tests for qemu-runtime-rs
Enable nerdctl tests for qemu-runtime-rs

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-25 16:14:50 +08:00
Alex Lyn
c7842aed16 tests: Enable stability tests for runtime-rs
The previous set was missing qemu-runtime-rs, so we enable it in this commit.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-25 16:12:12 +08:00
Alex Lyn
aadf1d6f71 Merge pull request #11932 from Apokleos/enhance-blk-params
runtime-rs: Allow configuration of virtio block queue parameters
2025-11-25 15:24:12 +08:00
Dan Mihai
22d60a36c0 agent: allow disabling detect_initdata_device
Allow users to build the Kata Agent using INIT_DATA=no to disable the
detect_initdata_device() code loop and associated debug log output.

Future additional improvements related to Init Data are tracked by #11532.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-25 02:44:28 +00:00
Fabiano Fidêncio
bb56a2e4d9 runtimeclasses: Fix nvidia-gpu podOverhead
In 69c4fc4e76, I mistakenly changed the nvidia-gpu podOverhead while I
should only have changed the TEE nvidia-gpu ones.

Let's move it back to its original value.

Reported-by: Joji Mekkattuparamban <jojim@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-24 21:43:29 +01:00
Zvonko Kaiser
55489818d6 gpu: TDX kernel param cleanup
This setting is not needed anymore with Ubuntu 25.10
and Ubuntu's newest QEMU releases for TDX.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-24 15:49:16 +01:00
Steve Horsman
e1e370091c Merge pull request #12128 from fidencio/topic/kata-deploy-nfd-adjust-runtime-classe
kata-deploy: nfd: Patch TEE runtimeclasses when needed
2025-11-24 14:05:43 +00:00
Steve Horsman
d437f875aa Merge pull request #12126 from zvonkok/cold-plug-cleanup
gpu: Cleanup Makefile
2025-11-24 14:01:49 +00:00
Zvonko Kaiser
77089fe5b3 Merge pull request #12115 from nheinemans-asml/main
Kata-deploy: Add tolerations to daemonset and cleanup job
2025-11-24 09:00:42 -05:00
Manuel Huber
331515e1b8 ci: enable security policy for openvpn test
With issue 11777 being resolved, this commit enables openvpn
policy testing. The remaining work on the security policy
required to successfully run this test case was to enable UDP
ports for Service kinds and to use the mount path's last component
instead of the volume name to construct the expected storage
source path.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-23 17:23:43 +00:00
Manuel Huber
4f32816ea3 policy: Use mount path instead of volume name
Use the mount path's last component instead of the volume name to
construct the expected storage source path. Example: Name of a
volumeMount is 'openvpn-config' and its mountPath is
'/etc/openvpn/'. Without this change, we use 'openvpn-config' to
calculate the expected storage source path. However, we need to
use 'openvpn', because the shim uses the basename of the
destination path as the source suffix and not the volume name.
For reference, see 'fs_share_linux.go''s 'ShareFile' function,
where the filename variable uses 'filepath.Base(m.Destination)'.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-23 17:23:43 +00:00
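A minimal Rust sketch of deriving the storage source suffix from the mountPath's last component, as described above; the policy's actual data structures are not shown:

```
use std::path::Path;

// Mirrors the shim's filepath.Base(m.Destination): take the basename of
// the mount destination rather than the volume name.
fn storage_source_suffix(mount_path: &str) -> Option<String> {
    Path::new(mount_path)
        .file_name()
        .map(|name| name.to_string_lossy().into_owned())
}

fn main() {
    // volumeMount name "openvpn-config", mountPath "/etc/openvpn/"
    assert_eq!(storage_source_suffix("/etc/openvpn/").as_deref(), Some("openvpn"));
}
```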
Manuel Huber
e4123a9848 policy: support UDP based Service types
Support Service kinds whose ports use the UDP protocol. An example is
the openvpn-server-service.yaml file that is part of the openvpn CI test.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-23 17:23:43 +00:00
Fabiano Fidêncio
d0f3eb935e kata-deploy: nfd: Patch TEE runtimeclasses when needed
We've added logic to properly do the bookkeeping of the TEE keys when
using NFD **AND** creating the runtime classes. However, we need to also
take into consideration the case where the runtimeclasses are being
created by the helm template, and in that case we just update what helm
has deployed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-23 10:27:52 +01:00
Zvonko Kaiser
dce207397c gpu: Cleanup Makefile
Some VARS were introduced but not cleaned up with
the recent cold-plug PR; doing this now.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-11-21 22:03:34 +00:00
Zvonko Kaiser
8afcdae31f Merge pull request #12092 from manuelh-dev/mahuber/cc-gpu-ci-smi-srs
tests: nvidia: cc: Remove nvrc.smi.srs=1 parameter
2025-11-21 08:26:13 -05:00
Steve Horsman
37dd055283 Merge pull request #12090 from stevenhorsman/required-tests-update-14-nov-2025
Required tests update 14 nov 2025
2025-11-21 12:05:05 +00:00
nheinemans-asml
ef9d4e8b0d kata-deploy: Add tolerations value to kata-deploy
This allows the daemonset and cleanup job to run on tainted nodes.

fixes #12114

Signed-off-by: nheinemans-asml <nick.heinemans@asml.com>
Signed-off-by: nheinemans-asml <97238218+nheinemans-asml@users.noreply.github.com>
2025-11-21 09:49:47 +01:00
Manuel Huber
dfc229f51e tests: nvidia: cc: Remove nvrc.smi.srs=1 parameter
Remove the nvrc.smi.srs=1 parameter from the kernel command line.
In CC use cases, the attestation agent is expected to set the GPU
ready state. For the CUDA vectorAdd case where attestation agent
is not being used, we set the ready state by adding the kernel
command line parameter through an annotation.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:35:05 +01:00
Manuel Huber
6c6fc50aa5 tests: nvidia: cc: allow-all policy and init-data
Add an allow-all policy for the CC GPU tests and ensure the init-data
device is being created (hypervisor annotations).

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:24:15 +01:00
Manuel Huber
7e20118c8e tests: nvidia: move secret definitions to bottom
The add_allow_all_policy_to_yaml in tests_common.sh needs some
improvements so that this function can support pod manifests with
different resource kinds. For now, moving the Secret definition
to the bottom so that we can create a default policy for the Pod.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:24:15 +01:00
Manuel Huber
ffd5443637 tests: nvidia: adapt is_aks_cluster
The qemu-nvidia-gpu handlers should not cause is_aks_cluster to
return 1. Otherwise, the CI logic will assume these hypervisors run on
AKS hosts; see the following message in CI without this change:
INFO: Adapting common policy settings for AKS Hosts

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:24:15 +01:00
Manuel Huber
f2bdd12e5e tests: nvidia: Check KATA_HYPERVISOR var
Fail explicitly when a wrong KATA_HYPERVISOR variable is provided.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:24:15 +01:00
Xuewei Niu
bf967b81cc runtime-rs: Bump cgroups-rs to v0.5.0
The new version fixes some issues with the systemd version and path
verification.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-11-21 09:06:26 +01:00
Fabiano Fidêncio
6b40b59861 tests: Reduce KBS deployment check flakiness
We currently start a pod that does a `wget` to the KBS address, and
fails after 5 seconds.

By the time it fails and reports back, we can see that KBS is actually
running, but the workflow failed as the checker failed. :-/

Let's give it more time for the KBS to show up, and the flakiness should
go away.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-20 19:29:26 +01:00
Fabiano Fidêncio
35672ec5ee tests: cc: Test authenticated images with force guest pull
As this should simply work.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-20 19:02:15 +01:00
Fupan Li
b86e7ff42b Merge pull request #12087 from jojimt/device_cold_plug
shim: Support device cold plug with Kubernetes
2025-11-20 19:17:13 +08:00
Joji Mekkattuparamban
7dc292094c shim: go vendor changes for cold plug support
Vendor in the kubelet pod resources API.

Signed-off-by: Joji Mekkattuparamban <jojim@nvidia.com>
2025-11-20 10:58:55 +01:00
Joji Mekkattuparamban
5aa184925a shim: Support device cold plug with Kubernetes
Utilize Kubelet's Pod Resource API to determine device allocations
for the Pod during sandbox creation. Use CDI files to translate the device
IDs to corresponding device paths and perform device injection.

Fixes #12009

Signed-off-by: Joji Mekkattuparamban <jojim@nvidia.com>
2025-11-20 10:58:55 +01:00
Manuel Huber
477ca3980b tests: nvidia: cc: Re-enable multi GPU test case
Use the pod name variable so that kubectl wait finds the pod. Currently,
kubectl waits for nvidia-nim-llama-3-2-nv-embedqa-1b-v2, not for
nvidia-nim-llama-3-2-nv-embedqa-1b-v2-tee

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-20 10:05:46 +01:00
Zvonko Kaiser
89cd561340 Merge pull request #12059 from manuelh-dev/mahuber/bb-debug-v2
gpu: introduce a new devkit build flag to produce a rootfs for developers
2025-11-19 13:03:46 -05:00
Steve Horsman
8c6c31555a Merge pull request #12111 from fidencio/topic/ci-fix-erofs-ci
tests: k8s: Fix typo in authenticated tests
2025-11-19 16:08:48 +00:00
Manuel Huber
3966864376 gpu: introduce devkit build flag
Introduce a new devkit parameter which will produce a rootfs
without chiselling. This results in a larger rootfs with various
packages and binaries being included, for instance, enabling the
use of the debug console.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-19 15:50:03 +01:00
Manuel Huber
2c9e0f9f4f gpu: add signed-by to package sources
Pin to a specific key. CUDA package sources in
/etc/apt/sources.list.d already use a specific key.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-19 15:50:03 +01:00
Ruoqing He
54bfbf5687 build: Exclude tools from root workspace
There are rust packages being cloned and built inside the
tools/packaging/kata-deploy/local-build/build folder, which may mislead
those packages into thinking they are part of the kata root workspace.
Exclude the directory to avoid that.

Reported-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-11-19 15:49:25 +01:00
Fabiano Fidêncio
ae463642ed tests: k8s: Fix typo in authenticated tests
The person who introduced the check, someone named Fabiano Fidêncio,
forgot a `$` in a variable assignment.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-19 11:59:59 +01:00
Steve Horsman
87b180383e Merge pull request #11802 from kata-containers/dependabot/github_actions/oras-project/setup-oras-1.2.4
build(deps): bump oras-project/setup-oras from 1.2.2 to 1.2.4
2025-11-19 09:58:37 +00:00
dependabot[bot]
ede5ac9c2d build(deps): bump the bit-vec group across 2 directories with 1 update
Bumps the bit-vec group with 1 update in the /src/agent directory: [bit-vec](https://github.com/contain-rs/bit-vec).
Bumps the bit-vec group with 1 update in the /src/tools/agent-ctl directory: [bit-vec](https://github.com/contain-rs/bit-vec).


Updates `bit-vec` from 0.6.3 to 0.8.0
- [Changelog](https://github.com/contain-rs/bit-vec/blob/master/RELEASES.md)
- [Commits](https://github.com/contain-rs/bit-vec/commits)

Updates `bit-vec` from 0.6.3 to 0.8.0
- [Changelog](https://github.com/contain-rs/bit-vec/blob/master/RELEASES.md)
- [Commits](https://github.com/contain-rs/bit-vec/commits)

---
updated-dependencies:
- dependency-name: bit-vec
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: bit-vec
- dependency-name: bit-vec
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: bit-vec
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-19 10:43:25 +01:00
stevenhorsman
b75d90b483 ci: Comment out snp ci from required-tests
The snp CI has not been required for a while and has recently been
broken, so comment it out from the list of required jobs.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-19 09:39:36 +00:00
stevenhorsman
ae71921be2 ci: Update build-checks name in required-tests
Update the required-tests list to match the new build-checks name.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-19 09:39:36 +00:00
stevenhorsman
112ed9bb46 ci: Comment out run-nydus from required-tests
The run-nydus tests are not stable and are blocking PRs, so make them
non-required temporarily until they can be looked at.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-19 09:38:38 +00:00
Fupan Li
478a5ff693 Merge pull request #12109 from Apokleos/enable-cocodev-rs
tests: Enable AUTO_GENERATE_POLICY for qemu-coco-dev-runtime-rs
2025-11-19 12:05:22 +08:00
Alex Lyn
1da225efc5 tests: Enable AUTO_GENERATE_POLICY for qemu-coco-dev-runtime-rs
Enable auto-generate policy on cbl-mariner Hosts for
qemu-coco-dev-runtime-rs if the user didn't specify an
AUTO_GENERATE_POLICY value.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-19 10:44:03 +08:00
Alex Lyn
8d85548711 Merge pull request #12102 from Apokleos/rs-copyfile-devcgrp
runtime-rs: Clear Linux.Resources.Devices completely and correct the guest path for container mount binding
2025-11-19 09:05:59 +08:00
Fabiano Fidêncio
8c02b5b913 tests: nvidia: cc: Temporarily skip multi GPU for nim tests
We will re-enable this one later on once the changes to properly cold
plug multi GPUs are merged.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
69c4fc4e76 kata-deploy: Adjust podOverhead for GPU TEEs
Let's just move the podOverhead to a gigantic value, as we do need pod
sandboxes that big, and we've noticed QEMU being OOM-killed with
smaller overheads.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
94ed4051b0 tests: nvidia: cc: Increase RAM for NIM pods
Those need to pull the models inside the guest, and the guest has 50% of
its memory "allowed" to be used as tmpfs, so we have to use the RAM that
we have.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
e5062a056e tests: nvidia: cc: Adjust timeouts on NIM pods
Timeout increases for confidential computing slowness:
* livenessProbe:
  * initialDelaySeconds: 15 → 120 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 3 → 10

* readinessProbe:
  * initialDelaySeconds: 15 → 120 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 3 → 10

* startupProbe:
  * initialDelaySeconds: 40 → 180 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 180 → 300

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
dee6f2666b runtime: nvidia: Increase the guest pull timeout to 20 minutes
Yes, we're dealing with a combination of large images and image-rs'
concurrent image-layer pulling not being optimal.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
6be43b2308 tests: nvidia: Retry kubectl commands
As with CoCo, some of the commands may take longer, way longer than
expected.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
bb5bf6b864 tests: nvidia: nims: Use the current auths format for KBS
We cannot use the same format used for docker, as it includes username
and password, while what's expected when using Trustee does not.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
92da54c088 tests: nvidia: cc: Enable NIM tests
Now that we've bumped Trustee to a version that supports the NVIDIA
remote verifier, let's re-enable the tests.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Steve Horsman
74254cba8f Merge pull request #12106 from stevenhorsman/gatekeeper-paging-reduction
ci: Adjust gatekeeper's job fetch
2025-11-18 14:08:26 +00:00
Fabiano Fidêncio
8eca0814bd tests: Run authenticated tests with experimental_force_guest_pull
As it should be supported.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 14:46:48 +01:00
Fabiano Fidêncio
5beb1af202 tests: Pass EXPERIMENTAL_FORCE_GUEST_PULL to the test
Right now we have only been passing the env var to the deployment
script, but we really need to pass it to the tests script as well.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 14:46:48 +01:00
Markus Rudy
638cad18ef Merge pull request #11978 from burgerdev/genpolicy-test-refactor
genpolicy: prepare integration tests for programmatic modification
2025-11-18 09:54:40 +01:00
stevenhorsman
9f0fea1e34 ci: Adjust gatekeeper's job fetch
Try to reduce the page limit of each job request to avoid the chance of
us tripping over GitHub's 10s API limit.
All credit to @burgerdev for the investigation and suggestion!

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-18 08:22:36 +00:00
Alex Lyn
6ceacee0b9 runtime-rs: Add queue_size and num_queues for block volumes
Add the related block queue_size and num_queues for volumes based on
block devices. This is very important for IO performance.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
Alex Lyn
30a9a8b4ec runtime-rs: Add queue_size and num_queues for block device
Add queue_size and num_queues to the block device config when the
block device is handled.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
Alex Lyn
9b0204a2de runtime-rs: Set Clh's disk queue_size and num_queues
Previously, Clh's disk queue_size and num_queues settings were hardcoded,
but they should be configurable with user-defined values.
This commit addresses that by passing these settings through.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
Alex Lyn
f19c48505c runtime-rs: Introduce queue_size and num_queues in BlockConfig
Usually, we pass the related block config via BlockConfig, so to make
setting queue_size and num_queues user-friendly, both fields are
introduced in BlockConfig.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
Alex Lyn
e958993348 kata-types: Introduce queue_size and num_queues within BlockDeviceInfo
Add the two fields queue_size and num_queues to BlockDeviceInfo to allow
users to set the related items via the configuration.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
Alex Lyn
780c45de23 runtime-rs: Add support queue_size and num_queues within configurations
Add the related items for the block device queue size and number of
queues to the configurations, so users can set them via the configuration file.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 14:53:43 +08:00
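As a rough illustration of the shape introduced by this series, not the actual kata-types definition (the real struct carries more fields, and the defaults here are assumptions):

```
// Illustrative only; field names follow the commits above, defaults are assumed.
#[derive(Debug, Clone)]
pub struct BlockDeviceInfo {
    /// Depth of each virtio-blk queue.
    pub queue_size: u32,
    /// Number of virtio-blk queues exposed to the guest.
    pub num_queues: u32,
}

impl Default for BlockDeviceInfo {
    fn default() -> Self {
        // Hypothetical defaults, chosen purely for this sketch.
        Self { queue_size: 128, num_queues: 1 }
    }
}

fn main() {
    let info = BlockDeviceInfo::default();
    println!("queue_size={} num_queues={}", info.queue_size, info.num_queues);
}
```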
Steve Horsman
ac021e2ab9 Merge pull request #11563 from RuoqingHe/single-workspace
build: Introduce root workspace for rust components
2025-11-18 06:36:18 +00:00
Alex Lyn
d071384bba runtime-rs: Clear Linux.Resources.Devices completely
The current implementation causes issues with the Agent Policy
non-TEE CI tests, as the Kata-Agent policy only allows configurations
where `count(Linux.Resources.Devices) == 0`.

This commit ensures that Linux.Resources.Devices, including all its
values, is completely cleared from the OCI Runtime Specification before
being passed to the Kata-Agent.

This addresses the CI failure by enforcing the required empty state for
the Devices cgroup configuration.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 13:40:09 +08:00
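A minimal sketch of the "clear everything" step, with simplified types that only loosely mirror the OCI spec; the real runtime-rs code operates on the generated OCI structures:

```
// Stand-in for the OCI Linux.Resources section; simplified for the sketch.
#[derive(Default)]
struct LinuxResources {
    devices: Vec<String>, // device cgroup rules
}

// Drop every device rule so the agent policy sees
// count(Linux.Resources.Devices) == 0.
fn clear_device_rules(resources: &mut LinuxResources) {
    resources.devices.clear();
}

fn main() {
    let mut res = LinuxResources { devices: vec!["a *:* rwm".to_string()] };
    clear_device_rules(&mut res);
    assert!(res.devices.is_empty());
}
```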
Xuewei Niu
ca8b3300d3 Merge pull request #11620 from zhangckid/indep_iothreads_upstream
Runtime/QEMU: Introduce virtio-blk with iothreads and enable Indep iothreads framework
2025-11-18 11:08:51 +08:00
Alex Lyn
5982e66503 runtime-rs: Ensure unique guest path for container mount binding
Previously, the CopyFile implementation attempted to reuse existing guest
paths for subsequent containers within the same Pod. This prevented
correct bind mounting of shared configurations (e.g., ConfigMaps,
Service Accounts) into the later containers within a multi-container
pod, as they lacked their own allocated guest path.

This commit modifies the logic to create a unique guest path for every
container that requires file propagation.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-18 11:03:26 +08:00
Fupan Li
f791be1abb Merge pull request #12064 from Apokleos/policy-optional-path
genpolicy: Make cpath compatible with both runtime-rs and runtime-go
2025-11-18 10:19:26 +08:00
Ruoqing He
e6b24cd789 build: Exclude crates with no workspace setup
Crates with no workspace setup would consider themselves part of the root
workspace, which is not yet ready for them. Exclude them for now.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-11-18 01:39:48 +00:00
Ruoqing He
6068242bf1 build: Move dragonball to root workspace
Move dragonball and all the members of its workspace into the root
workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-11-18 01:39:48 +00:00
Ruoqing He
3fbe693658 build: Introduce root workspace for rust components
Add a Cargo.toml at the repo root and use this root workspace for as many
Rust components of Kata Containers as possible. This enables us to
share a common Cargo.lock file and reduce the noise from dependabot.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-11-18 01:39:48 +00:00
Markus Rudy
b771bb6ed3 genpolicy: log requests as jsonlines
The current format of genpolicy request logs looks a bit like JSON, but
it does not parse out of the box and needs post-processing with sed, for
example.

This commit changes the log format to jsonlines[1], which is basically
newline-delimited compact JSON values. Compared to standard JSON, this
allows streaming output. The resulting file can be converted and
processed programmatically, for example with `jq -s`.

The fields are also adjusted to match the field names of TestRequest, so
that the logged requests can be used immediately in tests.

[1]: https://jsonlines.org/

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-11-17 09:01:00 +01:00
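To illustrate why jsonlines is convenient to consume, here is a small Rust sketch that parses such a log line by line; the record shape is invented for illustration and does not claim to match genpolicy's exact field set:

```
use serde_json::Value;

fn main() -> Result<(), serde_json::Error> {
    // Two hypothetical jsonlines records: one compact JSON value per line.
    let log = r#"{"ep":"CreateContainerRequest","allowed":true}
{"ep":"ExecProcessRequest","allowed":false}"#;

    for line in log.lines() {
        let record: Value = serde_json::from_str(line)?;
        println!("{} -> {}", record["ep"], record["allowed"]);
    }
    Ok(())
}
```

As the commit notes, the same file can also be collected into a single JSON array with `jq -s` for offline processing.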
Markus Rudy
eb6cf025b3 genpolicy: format testcases.json and sort by key
This should allow keeping future diffs minimal.

The files were formatted with `jq -S`, which should be used after future
updates to the test case files.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-11-17 09:01:00 +01:00
Markus Rudy
851f8258af genpolicy: move testcase request type out of struct
Storing the request type outside the request object has two benefits:

* The request JSON passed to the Rego engine matches more closely what
  would be passed by the agent (no `type` field).
* If we want to update the requests, it's easier to insert them into a
  dedicated field, rather than inserting them and amending the type
  field.

This is a first step towards programmatic updates of testcase files.

This commit also adds the 'Request' suffix to the test case enum, such
that we can use the 'ep' input for allow_request directly.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-11-17 09:01:00 +01:00
zhangchen.kidd
914063bcdd runtime: documentation: Add virtio-blk support iothread comments in docs
Add comments documenting the "EnableIOThreads" flag as a switch
for the virtio-blk driver (based on IndepIOThreads).

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
9128112e3d runtime: qemu: Add Independent IOThread support for virtio-blk
Make hotplugged virtio-blk devices attach to independent IOThread 0 by
default when EnableIOThreads and IndepIOThreads are enabled.

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
fea954df7a runtime: qemu: qmp: Add iothread args for QMP ExecutePCIDeviceAdd
QEMU already supports device_add with iothread args.
Give Kata the ability to hotplug PCI devices with IOThreads.
Currently only QEMU is supported as the hypervisor; it is unclear
whether this works for stratovirt.

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
af203b7dee runtime: qemu: introduce setup iothread function
Move the original virtio-scsi iothread and the new independent
iothread handling into a dedicated method.

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
d20712aa9e runtime: qemu: Add comments for virtio-scsi iothread args
In the current implementation, only virtio-scsi uses this
iothread path.

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
f9d4829e77 runtime: qemu: Add indep_iothreads for QEMU hypervisor toml
Add the indep_iothreads option to the QEMU-related configuration toml.
The default value is 0.

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:03 +08:00
zhangchen.kidd
c3d3684f81 runtime: Introduce independent IOThreads framework
Introduce an independent IOThread framework for Kata Containers.

What indep_iothreads is:
This new feature introduces a way to pre-allocate IOThreads for the
QEMU hypervisor (other hypervisors may be able to support it too).
Independent IOThreads let IO be processed in separate threads, which
generally improves the performance of each module by keeping it out
of the QEMU main loop.

Why indep_iothreads is needed:
In the Kata Containers implementation, many devices rely on the
hotplug mechanism. The real workload container may not share the
same lifecycle as the VM; it may need to hotplug/unplug new disks
or other devices without destroying the VM. So we can keep the
IOThreads with the VM as an IOThread pool (some devices, such as
virtio-blk with vq-mapping, need multiple iothreads for performance),
and hotplugged devices can attach to or detach from an IOThread
according to business needs. At the same time, QEMU also supports
"x-blockdev-set-iothread" to change iothreads (but the VM needs to
be stopped for data safety). Current QEMU has many devices that
support iothreads: virtio-blk, virtio-scsi, virtio-balloon, monitor,
colo-compare, etc.

How it works:
Add a new item named "indep_iothreads" to the hypervisor struct in
the toml. The default value is 0, and the original "enable_iothreads"
is reused as the switch. If "indep_iothreads" != 0 and
"enable_iothreads" = true, an iothread object named
indepIOThreadsPrefix_No is added at VM startup. The first user is
virtio-blk, which attaches indep_iothread_0 by default when
iothreads are enabled for virtio-blk.

Thanks
Chen

Signed-off-by: zhangchen.kidd <zhangchen.kidd@jd.com>
2025-11-17 15:55:01 +08:00
Alex Lyn
daca7b268b genpolicy: Make cpath compatible with both runtime-rs and runtime-go
Update the `cpath` variable in the policy template to support the
optional `/passthrough` subpath used by runtime-rs. This ensures
that mount source path validation works correctly for both runtime
implementations.

By changing `cpath` to include the `(?:/passthrough)?` regular
expression fragment, we make the `/passthrough` segment optional.
The updated `cpath`:
`/run/kata-containers/shared/containers(?:/passthrough)?`

This single regex pattern now correctly matches both:
1.`/run/kata-containers/shared/containers/<sandbox-id>/...`
(runtime-go)
2.`/run/kata-containers/shared/containers/passthrough/<sandbox-id>/...`
(runtime-rs)

This elegantly resolves the compatibility issue without needing to add
separate or conditional logic to the policy rules, making the policy
more robust and maintainable.

Fixes: #12063

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-17 09:36:19 +08:00
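A quick Rust sketch checking that the single pattern above matches both layouts; the regex crate is used here purely for illustration, independently of how the Rego policy evaluates the pattern:

```
use regex::Regex;

fn main() {
    // cpath with the optional /passthrough segment, as described above.
    let cpath = r"^/run/kata-containers/shared/containers(?:/passthrough)?/[^/]+";
    let re = Regex::new(cpath).unwrap();

    // runtime-go layout
    assert!(re.is_match("/run/kata-containers/shared/containers/sandbox-1/rootfs"));
    // runtime-rs layout
    assert!(re.is_match("/run/kata-containers/shared/containers/passthrough/sandbox-1/rootfs"));
}
```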
dependabot[bot]
c715d8648c build(deps): bump oras-project/setup-oras from 1.2.2 to 1.2.4
Bumps [oras-project/setup-oras](https://github.com/oras-project/setup-oras) from 1.2.2 to 1.2.4.
- [Release notes](https://github.com/oras-project/setup-oras/releases)
- [Commits](5c0b487ce3...22ce207df3)

---
updated-dependencies:
- dependency-name: oras-project/setup-oras
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-12 09:45:27 +00:00
553 changed files with 30054 additions and 12495 deletions

View File

@@ -10,11 +10,6 @@ self-hosted-runner:
- amd64-nvidia-a100
- amd64-nvidia-h100-snp
- arm64-k8s
- containerd-v1.7-overlayfs
- containerd-v2.0-overlayfs
- containerd-v2.1-overlayfs
- containerd-v2.2
- containerd-v2.2-overlayfs
- garm-ubuntu-2004
- garm-ubuntu-2004-smaller
- garm-ubuntu-2204
@@ -25,6 +20,7 @@ self-hosted-runner:
- ppc64le-k8s
- ppc64le-small
- ubuntu-24.04-ppc64le
- ubuntu-24.04-s390x
- metrics
- riscv-builder
- sev-snp

View File

@@ -71,7 +71,7 @@ jobs:
fail-fast: false
matrix:
containerd_version: ['lts', 'active']
vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu']
vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs']
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -117,7 +117,7 @@ jobs:
fail-fast: false
matrix:
containerd_version: ['lts', 'active']
vmm: ['clh', 'qemu', 'dragonball']
vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs']
runs-on: ubuntu-22.04
env:
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -147,9 +147,18 @@ jobs:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata
run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts
- name: Install kata-tools
run: bash tests/integration/nydus/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Run nydus tests
timeout-minutes: 10
run: bash tests/integration/nydus/gha-run.sh run
@@ -292,6 +301,7 @@ jobs:
- dragonball
- qemu
- cloud-hypervisor
- qemu-runtime-rs
runs-on: ubuntu-22.04
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -366,8 +376,16 @@ jobs:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: Install kata
run: bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata & kata-tools
run: |
bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
bash tests/functional/kata-agent-apis/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Run kata agent api tests with agent-ctl
run: bash tests/functional/kata-agent-apis/gha-run.sh run

View File

@@ -12,7 +12,12 @@ name: Build checks
jobs:
check:
name: check
runs-on: ${{ matrix.runner || inputs.instance }}
runs-on: >-
${{
( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
( contains(inputs.instance, 'ppc64le') && (matrix.component.name == 'runtime' || matrix.component.name == 'agent') ) && 'ppc64le' ||
inputs.instance
}}
strategy:
fail-fast: false
matrix:
@@ -70,36 +75,6 @@ jobs:
- protobuf-compiler
instance:
- ${{ inputs.instance }}
include:
- component:
name: runtime
path: src/runtime
needs:
- golang
- XDG_RUNTIME_DIR
instance: ubuntu-24.04-s390x
runner: s390x
- component:
name: runtime
path: src/runtime
needs:
- golang
- XDG_RUNTIME_DIR
instance: ubuntu-24.04-ppc64le
runner: ppc64le
- component:
name: agent
path: src/agent
needs:
- rust
- libdevmapper
- libseccomp
- protobuf-compiler
- clang
instance: ubuntu-24.04-ppc64le
runner: ppc64le
steps:
- name: Adjust a permission for repo

View File

@@ -41,16 +41,11 @@ jobs:
matrix:
asset:
- agent
- agent-ctl
- busybox
- cloud-hypervisor
- cloud-hypervisor-glibc
- coco-guest-components
- csi-kata-directvolume
- firecracker
- genpolicy
- kata-ctl
- kata-manager
- kernel
- kernel-confidential
- kernel-dragonball-experimental
@@ -63,7 +58,6 @@ jobs:
- qemu
- qemu-snp-experimental
- qemu-tdx-experimental
- trace-forwarder
- virtiofsd
stage:
- ${{ inputs.stage }}
@@ -121,7 +115,7 @@ jobs:
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
- uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
@@ -171,6 +165,8 @@ jobs:
- rootfs-image
- rootfs-image-confidential
- rootfs-image-mariner
- rootfs-image-nvidia-gpu
- rootfs-image-nvidia-gpu-confidential
- rootfs-initrd
- rootfs-initrd-confidential
- rootfs-initrd-nvidia-gpu
@@ -362,3 +358,104 @@ jobs:
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error
build-tools-asset:
name: build-tools-asset
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
- agent-ctl
- csi-kata-directvolume
- genpolicy
- kata-ctl
- kata-manager
- trace-forwarder
stage:
- ${{ inputs.stage }}
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: quay.io
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Build ${{ matrix.asset }}
id: build
run: |
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-tools-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
create-kata-tools-tarball:
name: create-kata-tools-tarball
runs-on: ubuntu-22.04
needs: [build-tools-asset]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: kata-tools-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
merge-multiple: true
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -102,7 +102,7 @@ jobs:
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
- uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
@@ -150,6 +150,7 @@ jobs:
matrix:
asset:
- rootfs-image
- rootfs-image-nvidia-gpu
- rootfs-initrd
- rootfs-initrd-nvidia-gpu
steps:

View File

@@ -32,7 +32,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: ppc64le-small
runs-on: ubuntu-24.04-ppc64le
strategy:
matrix:
asset:
@@ -89,7 +89,7 @@ jobs:
build-asset-rootfs:
name: build-asset-rootfs
runs-on: ppc64le-small
runs-on: ubuntu-24.04-ppc64le
needs: build-asset
permissions:
contents: read
@@ -170,7 +170,7 @@ jobs:
build-asset-shim-v2:
name: build-asset-shim-v2
runs-on: ppc64le-small
runs-on: ubuntu-24.04-ppc64le
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
@@ -230,7 +230,7 @@ jobs:
create-kata-tarball:
name: create-kata-tarball
runs-on: ppc64le-small
runs-on: ubuntu-24.04-ppc64le
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read

View File

@@ -32,7 +32,7 @@ permissions: {}
jobs:
build-asset:
name: build-asset
runs-on: s390x
runs-on: ubuntu-24.04-s390x
permissions:
contents: read
packages: write
@@ -257,7 +257,7 @@ jobs:
build-asset-shim-v2:
name: build-asset-shim-v2
runs-on: s390x
runs-on: ubuntu-24.04-s390x
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
@@ -319,7 +319,7 @@ jobs:
create-kata-tarball:
name: create-kata-tarball
runs-on: s390x
runs-on: ubuntu-24.04-s390x
needs:
- build-asset
- build-asset-rootfs

.github/workflows/ci-nightly-rust.yaml vendored Normal file
View File

@@ -0,0 +1,36 @@
name: Kata Containers Nightly CI (Rust)
on:
schedule:
- cron: '0 1 * * *' # Run at 1 AM UTC (1 hour after script-based nightly)
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
kata-containers-ci-on-push-rust:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}
pr-number: "nightly-rust"
tag: ${{ github.sha }}-nightly-rust
target-branch: ${{ github.ref_name }}
build-type: "rust" # Use Rust-based build
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

View File

@@ -19,6 +19,11 @@ on:
required: false
type: string
default: no
build-type:
description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
required: false
type: string
default: ""
secrets:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
@@ -72,6 +77,7 @@ jobs:
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04
arch: amd64
build-type: ${{ inputs.build-type }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -104,6 +110,7 @@ jobs:
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-24.04-arm
arch: arm64
build-type: ${{ inputs.build-type }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -147,8 +154,9 @@ jobs:
tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x
runner: ubuntu-24.04-s390x
arch: s390x
build-type: ${{ inputs.build-type }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -165,8 +173,9 @@ jobs:
tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ppc64le-small
runner: ubuntu-24.04-ppc64le
arch: ppc64le
build-type: ${{ inputs.build-type }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -233,14 +242,14 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64-${{ inputs.tag }}
path: kata-artifacts
name: kata-tools-static-tarball-amd64-${{ inputs.tag }}
path: kata-tools-artifacts
- name: Install tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Copy binary into Docker context
run: |
@@ -288,7 +297,7 @@ jobs:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -304,7 +313,7 @@ jobs:
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-arm64
tag: ${{ inputs.tag }}-arm64${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -314,9 +323,10 @@ jobs:
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -338,7 +348,7 @@ jobs:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -356,7 +366,7 @@ jobs:
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-s390x
tag: ${{ inputs.tag }}-s390x${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -370,7 +380,7 @@ jobs:
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-ppc64le
tag: ${{ inputs.tag }}-ppc64le${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -382,7 +392,7 @@ jobs:
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
@@ -473,7 +483,7 @@ jobs:
vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-arm64:
if: ${{ inputs.skip-test != 'yes' }}
if: false
needs: build-kata-static-tarball-arm64
strategy:
fail-fast: false

View File

@@ -10,7 +10,9 @@ on:
- opened
- synchronize
- reopened
- edited
- labeled
- unlabeled
permissions: {}

View File

@@ -1,43 +0,0 @@
name: kata-runtime-classes-sync
on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
kata-deploy-runtime-classes-check:
name: kata-deploy-runtime-classes-check
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Ensure the split out runtime classes match the all-in-one file
run: |
pushd tools/packaging/kata-deploy/runtimeclasses/
echo "::group::Combine runtime classes"
for runtimeClass in $(find . -type f \( -name "*.yaml" -and -not -name "kata-runtimeClasses.yaml" \) | sort); do
echo "Adding ${runtimeClass} to the resultingRuntimeClasses.yaml"
cat "${runtimeClass}" >> resultingRuntimeClasses.yaml;
done
echo "::endgroup::"
echo "::group::Displaying the content of resultingRuntimeClasses.yaml"
cat resultingRuntimeClasses.yaml
echo "::endgroup::"
echo ""
echo "::group::Displaying the content of kata-runtimeClasses.yaml"
cat kata-runtimeClasses.yaml
echo "::endgroup::"
echo ""
diff resultingRuntimeClasses.yaml kata-runtimeClasses.yaml

View File

@@ -82,6 +82,7 @@ jobs:
target-branch: ${{ github.ref_name }}
runner: ubuntu-22.04
arch: amd64
build-type: "" # Use script-based build (default)
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -99,6 +100,7 @@ jobs:
target-branch: ${{ github.ref_name }}
runner: ubuntu-24.04-arm
arch: arm64
build-type: "" # Use script-based build (default)
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -116,6 +118,7 @@ jobs:
target-branch: ${{ github.ref_name }}
runner: s390x
arch: s390x
build-type: "" # Use script-based build (default)
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
@@ -133,6 +136,7 @@ jobs:
target-branch: ${{ github.ref_name }}
runner: ppc64le-small
arch: ppc64le
build-type: "" # Use script-based build (default)
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

View File

@@ -30,6 +30,11 @@ on:
description: The arch of the tarball.
required: true
type: string
build-type:
description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
required: false
type: string
default: ""
secrets:
QUAY_DEPLOYER_PASSWORD:
required: true
@@ -50,6 +55,25 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -83,8 +107,10 @@ jobs:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repo }}
TAG: ${{ inputs.tag }}
BUILD_TYPE: ${{ inputs.build-type }}
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)/kata-static.tar.zst" \
"${REGISTRY}/${REPO}" \
"${TAG}"
"${TAG}" \
"${BUILD_TYPE}"

View File

@@ -31,7 +31,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: ppc64le-small
runs-on: ubuntu-24.04-ppc64le
steps:
- name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

View File

@@ -35,7 +35,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: s390x
runs-on: ubuntu-24.04-s390x
steps:
- name: Login to Kata Containers ghcr.io
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

View File

@@ -181,6 +181,23 @@ jobs:
GH_TOKEN: ${{ github.token }}
ARCHITECTURE: ppc64le
- name: Set KATA_TOOLS_STATIC_TARBALL env var
run: |
tarball=$(pwd)/kata-tools-static.tar.zst
echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 tools artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64
- name: Upload amd64 static tarball tools to GitHub
run: |
./tools/packaging/release/release.sh upload-kata-tools-static-tarball
env:
GH_TOKEN: ${{ github.token }}
ARCHITECTURE: amd64
upload-versions-yaml:
name: upload-versions-yaml
needs: release

View File

@@ -1,167 +0,0 @@
name: CI | Run containerd guest pull stability tests
on:
schedule:
- cron: "0 */1 * * *" #run every hour
permissions: {}
# This job relies on k8s pre-installed using kubeadm
jobs:
run-containerd-guest-pull-stability-tests:
name: run-containerd-guest-pull-stability-tests-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
strategy:
fail-fast: false
matrix:
environment: [
{ test-type: multi-snapshotter, containerd: v2.2 },
{ test-type: force-guest-pull, containerd: v1.7 },
{ test-type: force-guest-pull, containerd: v2.0 },
{ test-type: force-guest-pull, containerd: v2.1 },
{ test-type: force-guest-pull, containerd: v2.2 },
]
env:
# I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
runs-on: containerd-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Rotate the journal
run: sudo journalctl --rotate --vacuum-time 1s
- name: Pull the kata-deploy image to be used
run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
- name: Deploy Kata Containers
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
env:
KATA_HYPERVISOR: qemu-coco-dev
KUBERNETES: vanilla
SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' && 'nydus' || '' }}
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' }}
EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.test-type == 'force-guest-pull' && 'qemu-coco-dev' || '' }}
# This is needed as we may hit the createContainerTimeout
- name: Adjust Kata Containers' create_container_timeout
run: |
sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
# This is needed in order to have enough tmpfs space inside the guest to pull the image
- name: Adjust Kata Containers' default_memory
run: |
sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
- name: Run a few containers using overlayfs
run: |
# I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
# shellcheck disable=SC2086
for img in ${IMAGES_LIST}; do
echo "overlayfs | Using on image: ${img}"
pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
kubectl run "${pod}" \
-it --rm \
--restart=Never \
--image="${img}" \
--image-pull-policy=Always \
--pod-running-timeout=10m \
-- uname -r
done
- name: Run the same few containers using a different snapshotter
run: |
# I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
# shellcheck disable=SC2086
for img in ${IMAGES_LIST}; do
echo "nydus | Using on image: ${img}"
pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
kubectl run "${pod}" \
-it --rm \
--restart=Never \
--image="${img}" \
--image-pull-policy=Always \
--pod-running-timeout=10m \
--overrides='{
"spec": {
"runtimeClassName": "kata-qemu-coco-dev"
}
}' \
-- uname -r
done
- name: Uninstall Kata Containers
run: bash tests/integration/kubernetes/gha-run.sh cleanup
env:
KATA_HYPERVISOR: qemu-coco-dev
KUBERNETES: vanilla
SNAPSHOTTER: nydus
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
- name: Run a few containers using overlayfs
run: |
# I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
# shellcheck disable=SC2086
for img in ${IMAGES_LIST}; do
echo "overlayfs | Using on image: ${img}"
pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
kubectl run "${pod}" \
-it --rm \
--restart=Never \
--image=${img} \
--image-pull-policy=Always \
--pod-running-timeout=10m \
-- uname -r
done
- name: Deploy Kata Containers
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
env:
KATA_HYPERVISOR: qemu-coco-dev
KUBERNETES: vanilla
SNAPSHOTTER: nydus
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
# This is needed as we may hit the createContainerTimeout
- name: Adjust Kata Containers' create_container_timeout
run: |
sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
# This is needed in order to have enough tmpfs space inside the guest to pull the image
- name: Adjust Kata Containers' default_memory
run: |
sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
- name: Run the same few containers using a different snapshotter
run: |
# I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
# shellcheck disable=SC2086
for img in ${IMAGES_LIST}; do
echo "nydus | Using on image: ${img}"
pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
kubectl run "${pod}" \
-it --rm \
--restart=Never \
--image="${img}" \
--image-pull-policy=Always \
--pod-running-timeout=10m \
--overrides='{
"spec": {
"runtimeClassName": "kata-qemu-coco-dev"
}
}' \
-- uname -r
done
- name: Uninstall Kata Containers
run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
if: always()
env:
KATA_HYPERVISOR: qemu-coco-dev
KUBERNETES: vanilla
SNAPSHOTTER: nydus
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true

View File

@@ -93,14 +93,14 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Download Azure CLI
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
@@ -142,6 +142,10 @@ jobs:
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

View File

@@ -68,6 +68,10 @@ jobs:
timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Collect artifacts ${{ matrix.vmm }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

View File

@@ -1,7 +1,10 @@
name: CI | Run NVIDIA GPU kubernetes tests on arm64
name: CI | Run NVIDIA GPU kubernetes tests on amd64
on:
workflow_call:
inputs:
tarball-suffix:
required: true
type: string
registry:
required: true
type: string
@@ -45,6 +48,7 @@ jobs:
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
KUBERNETES: kubeadm
KBS: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
K8S_TEST_HOST_TYPE: baremetal
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -59,6 +63,15 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Uninstall previous `kbs-client`
if: matrix.environment.name != 'nvidia-gpu'
timeout-minutes: 10
@@ -89,6 +102,11 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
env:
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Collect artifacts ${{ matrix.environment.vmm }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

View File

@@ -75,3 +75,7 @@ jobs:
- name: Run tests
timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests

View File

@@ -131,6 +131,10 @@ jobs:
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi

View File

@@ -46,6 +46,7 @@ jobs:
matrix:
vmm:
- qemu-coco-dev
- qemu-coco-dev-runtime-rs
snapshotter:
- nydus
pull-type:
@@ -83,14 +84,14 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -139,6 +140,10 @@ jobs:
timeout-minutes: 300
run: bash tests/stability/gha-stability-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

View File

@@ -79,6 +79,15 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Deploy Kata
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
@@ -159,6 +168,7 @@ jobs:
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
SNAPSHOTTER: ${{ matrix.snapshotter }}
EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.pull-type == 'experimental-force-guest-pull' && matrix.vmm || '' }}
# Caution: current ingress controller used to expose the KBS service
# requires many vCPUs, leaving only a few for the tests. Depending on the
# host type chosen, it will result in the creation of a cluster with
@@ -177,14 +187,14 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -217,7 +227,6 @@ jobs:
timeout-minutes: 20
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
env:
EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
@@ -301,6 +310,15 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
- name: Install kata-tools
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup

View File

@@ -102,6 +102,10 @@ jobs:
- name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

View File

@@ -85,3 +85,7 @@ jobs:
- name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Report tests
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests

View File

@@ -29,7 +29,7 @@ jobs:
matrix:
instance:
- "ubuntu-24.04-arm"
- "s390x"
- "ubuntu-24.04-s390x"
- "ubuntu-24.04-ppc64le"
uses: ./.github/workflows/build-checks.yaml
with:

.gitignore vendored
View File

@@ -18,3 +18,4 @@ src/tools/log-parser/kata-log-parser
tools/packaging/static-build/agent/install_libseccomp.sh
.envrc
.direnv
**/.DS_Store

File diff suppressed because it is too large

Cargo.toml Normal file
View File

@@ -0,0 +1,139 @@
[workspace.package]
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"
rust-version = "1.85.1"
[workspace]
members = [
# Dragonball
"src/dragonball",
"src/dragonball/dbs_acpi",
"src/dragonball/dbs_address_space",
"src/dragonball/dbs_allocator",
"src/dragonball/dbs_arch",
"src/dragonball/dbs_boot",
"src/dragonball/dbs_device",
"src/dragonball/dbs_interrupt",
"src/dragonball/dbs_legacy_devices",
"src/dragonball/dbs_pci",
"src/dragonball/dbs_tdx",
"src/dragonball/dbs_upcall",
"src/dragonball/dbs_utils",
"src/dragonball/dbs_virtio_devices",
# runtime-rs
"src/runtime-rs",
"src/runtime-rs/crates/agent",
"src/runtime-rs/crates/hypervisor",
"src/runtime-rs/crates/persist",
"src/runtime-rs/crates/resource",
"src/runtime-rs/crates/runtimes",
"src/runtime-rs/crates/service",
"src/runtime-rs/crates/shim",
"src/runtime-rs/crates/shim-ctl",
"src/runtime-rs/tests/utils",
]
resolver = "2"
# TODO: Add all excluded crates to root workspace
exclude = [
"src/agent",
"src/tools",
"src/libs",
# kata-deploy binary is standalone and has its own Cargo.toml for now
"tools/packaging/kata-deploy/binary",
# We are cloning and building rust packages under
# "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
# those packages to think they are part of the kata root workspace
"tools/packaging/kata-deploy/local-build/build",
]
[workspace.dependencies]
# Rust-VMM crates
event-manager = "0.2.1"
kvm-bindings = "0.6.0"
kvm-ioctls = "=0.12.1"
linux-loader = "0.8.0"
seccompiler = "0.5.0"
vfio-bindings = "0.3.0"
vfio-ioctls = "0.1.0"
virtio-bindings = "0.1.0"
virtio-queue = "0.7.0"
vm-fdt = "0.2.0"
vm-memory = "0.10.0"
vm-superio = "0.5.0"
vmm-sys-util = "0.11.0"
# Local dependencies from Dragonball Sandbox crates
dragonball = { path = "src/dragonball" }
dbs-acpi = { path = "src/dragonball/dbs_acpi" }
dbs-address-space = { path = "src/dragonball/dbs_address_space" }
dbs-allocator = { path = "src/dragonball/dbs_allocator" }
dbs-arch = { path = "src/dragonball/dbs_arch" }
dbs-boot = { path = "src/dragonball/dbs_boot" }
dbs-device = { path = "src/dragonball/dbs_device" }
dbs-interrupt = { path = "src/dragonball/dbs_interrupt" }
dbs-legacy-devices = { path = "src/dragonball/dbs_legacy_devices" }
dbs-pci = { path = "src/dragonball/dbs_pci" }
dbs-tdx = { path = "src/dragonball/dbs_tdx" }
dbs-upcall = { path = "src/dragonball/dbs_upcall" }
dbs-utils = { path = "src/dragonball/dbs_utils" }
dbs-virtio-devices = { path = "src/dragonball/dbs_virtio_devices" }
# Local dependencies from runtime-rs
agent = { path = "src/runtime-rs/crates/agent" }
hypervisor = { path = "src/runtime-rs/crates/hypervisor" }
persist = { path = "src/runtime-rs/crates/persist" }
resource = { path = "src/runtime-rs/crates/resource" }
runtimes = { path = "src/runtime-rs/crates/runtimes" }
service = { path = "src/runtime-rs/crates/service" }
tests_utils = { path = "src/runtime-rs/tests/utils" }
ch-config = { path = "src/runtime-rs/crates/hypervisor/ch-config" }
common = { path = "src/runtime-rs/crates/runtimes/common" }
linux_container = { path = "src/runtime-rs/crates/runtimes/linux_container" }
virt_container = { path = "src/runtime-rs/crates/runtimes/virt_container" }
wasm_container = { path = "src/runtime-rs/crates/runtimes/wasm_container" }
# Local dependencies from `src/lib`
kata-sys-util = { path = "src/libs/kata-sys-util" }
kata-types = { path = "src/libs/kata-types", features = ["safe-path"] }
logging = { path = "src/libs/logging" }
protocols = { path = "src/libs/protocols", features = ["async"] }
runtime-spec = { path = "src/libs/runtime-spec" }
safe-path = { path = "src/libs/safe-path" }
shim-interface = { path = "src/libs/shim-interface" }
test-utils = { path = "src/libs/test-utils" }
# Outside dependencies
actix-rt = "2.7.0"
anyhow = "1.0"
async-trait = "0.1.48"
containerd-shim = { version = "0.10.0", features = ["async"] }
containerd-shim-protos = { version = "0.10.0", features = ["async"] }
go-flag = "0.1.0"
hyper = "0.14.20"
hyperlocal = "0.8.0"
lazy_static = "1.4"
libc = "0.2"
log = "0.4.14"
netns-rs = "0.1.0"
# Note: nix needs to stay sync'd with libs versions
nix = "0.26.4"
oci-spec = { version = "0.8.1", features = ["runtime"] }
protobuf = "3.7.2"
rand = "0.8.4"
serde = { version = "1.0.145", features = ["derive"] }
serde_json = "1.0.91"
slog = "2.5.2"
slog-scope = "4.4.0"
strum = { version = "0.24.0", features = ["derive"] }
tempfile = "3.19.1"
thiserror = "1.0"
tokio = "1.46.1"
tracing = "0.1.41"
tracing-opentelemetry = "0.18.0"
ttrpc = "0.8.4"
url = "2.5.4"

View File

@@ -1 +1 @@
3.23.0
3.24.0

View File

@@ -11,6 +11,10 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../tests/common.bash"
# Path to the ORAS cache helper for downloading tarballs (sourced when needed)
# Use ORAS_CACHE_HELPER env var (set by build.sh in Docker) or fallback to repo path
oras_cache_helper="${ORAS_CACHE_HELPER:-${script_dir}/../tools/packaging/scripts/download-with-oras-cache.sh}"
# The following variables if set on the environment will change the behavior
# of gperf and libseccomp configure scripts, that may lead this script to
# fail. So let's ensure they are unset here.
@@ -44,6 +48,9 @@ fi
gperf_tarball="gperf-${gperf_version}.tar.gz"
gperf_tarball_url="${gperf_url}/${gperf_tarball}"
# Use ORAS cache for gperf downloads (gperf upstream can be unreliable)
USE_ORAS_CACHE="${USE_ORAS_CACHE:-yes}"
# We need to build the libseccomp library from sources to create a static
# library for the musl libc.
# However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do
@@ -68,7 +75,23 @@ trap finish EXIT
build_and_install_gperf() {
echo "Build and install gperf version ${gperf_version}"
mkdir -p "${gperf_install_dir}"
curl -sLO "${gperf_tarball_url}"
# Use ORAS cache if available and enabled
if [[ "${USE_ORAS_CACHE}" == "yes" ]] && [[ -f "${oras_cache_helper}" ]]; then
echo "Using ORAS cache for gperf download"
source "${oras_cache_helper}"
local cached_tarball
cached_tarball=$(download_component gperf "$(pwd)")
if [[ -f "${cached_tarball}" ]]; then
gperf_tarball="${cached_tarball}"
else
echo "ORAS cache download failed, falling back to direct download"
curl -sLO "${gperf_tarball_url}"
fi
else
curl -sLO "${gperf_tarball_url}"
fi
tar -xf "${gperf_tarball}"
pushd "gperf-${gperf_version}"
# Unset $CC for configure, we will always use native for gperf

View File

@@ -83,3 +83,7 @@ Documents that help to understand and contribute to Kata Containers.
If you have a suggestion for how we can improve the
[website](https://katacontainers.io), please raise an issue (or a PR) on
[the repository that holds the source for the website](https://github.com/OpenStackweb/kata-netlify-refresh).
### Toolchain Guidance
* [Toolchain Guidance](./Toochain-Guidance.md)

docs/Toochain-Guidance.md Normal file
View File

@@ -0,0 +1,39 @@
# Toolchains
As a community we want to strike a balance between having up-to-date toolchains, to receive the
latest security fixes and to be able to benefit from new features and packages, whilst not being
too bleeding edge and disrupting downstream and other consumers. As a result we have the following
guidelines (note: not hard rules) for our go and rust toolchains that we are trying out:
## Go toolchain
Go is released [every six months](https://go.dev/wiki/Go-Release-Cycle) with support for the
[last two major release versions](https://go.dev/doc/devel/release#policy). We always want to
ensure that we are on a supported version so that we receive security fixes. To make
things easier for some of our users, we aim to use the older of the two supported major
versions, unless there is a compelling reason to adopt the newer version.
In practice this means that we bump our major version of the go toolchain every six months to
version (1.x-1) in response to a new version (1.x) coming out, which makes our current version
(1.x-2) no longer supported. We will bump the minor version whenever required to satisfy
dependency updates, or security fixes.
Our go toolchain version is recorded in [`versions.yaml`](../versions.yaml) under
`.languages.golang.version` and should match with the version in our `go.mod` files.
## Rust toolchain
Rust has a [six week](https://doc.rust-lang.org/book/appendix-05-editions.html#:~:text=The%20Rust%20language%20and%20compiler,these%20tiny%20changes%20add%20up.)
release cycle and they only support the latest stable release, so if we wanted to remain on a
supported release we would only ever build with the latest stable and bump every 6 weeks.
However, feedback from our community has indicated that this is a challenge: downstream consumers
often want to get rust from their distro or a downstream fork, and these struggle to keep up with
the six-week release schedule. As a result the community has agreed to try out a "stable-2" policy,
where we aim to build with a rust version that is two versions behind the latest stable version.
In practice this should mean that we bump our rust toolchain every six weeks, to version
1.x-2 when 1.x is released as stable, picking up the latest point release of that version, if
there is one.
The rust toolchain that we are using is recorded in [`rust-toolchain.toml`](../rust-toolchain.toml).
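
As a quick local check, a hedged sketch of reading the pinned versions mentioned above; it assumes `yq` is installed and that the repository is laid out as described (`versions.yaml` at the root, `rust-toolchain.toml` next to it).

```bash
# Read the go toolchain pin recorded in versions.yaml (query path from the doc above).
yq '.languages.golang.version' versions.yaml

# Read the rust toolchain pin from rust-toolchain.toml.
grep 'channel' rust-toolchain.toml
```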

View File

@@ -97,6 +97,8 @@ There are several kinds of Kata configurations and they are listed below.
| `io.katacontainers.config.hypervisor.use_legacy_serial` | `boolean` | uses legacy serial device for guest's console (QEMU) |
| `io.katacontainers.config.hypervisor.default_gpus` | uint32 | the minimum number of GPUs required for the VM. Only used by remote hypervisor to help with instance selection |
| `io.katacontainers.config.hypervisor.default_gpu_model` | string | the GPU model required for the VM. Only used by remote hypervisor to help with instance selection |
| `io.katacontainers.config.hypervisor.block_device_num_queues` | `usize` | The number of queues to use for block devices (runtime-rs only) |
| `io.katacontainers.config.hypervisor.block_device_queue_size` | uint32 | The size of the queue to use for block devices (runtime-rs only) |
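
As an illustration of the two new annotations, a hedged sketch of a pod that sets them; the annotation keys come from the table above, while the values and the runtime class name are illustrative assumptions.

```bash
# Hedged sketch: a pod carrying the new block-device queue annotations.
# Values and runtimeClassName are assumptions, not taken from the repo.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: blk-queue-demo
  annotations:
    io.katacontainers.config.hypervisor.block_device_num_queues: "4"
    io.katacontainers.config.hypervisor.block_device_queue_size: "256"
spec:
  runtimeClassName: kata-qemu-runtime-rs
  containers:
  - name: demo
    image: busybox
    command: ["sleep", "3600"]
EOF
```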
## Container Options
| Key | Value Type | Comments |

src/agent/Cargo.lock generated
View File

@@ -459,15 +459,9 @@ version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3"
dependencies = [
"bit-vec 0.8.0",
"bit-vec",
]
[[package]]
name = "bit-vec"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
[[package]]
name = "bit-vec"
version = "0.8.0"
@@ -1250,7 +1244,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece"
dependencies = [
"crc32fast",
"libz-sys",
"miniz_oxide",
]
@@ -2266,17 +2259,6 @@ dependencies = [
"uuid 0.8.2",
]
[[package]]
name = "libz-sys"
version = "1.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
dependencies = [
"cc",
"pkg-config",
"vcpkg",
]
[[package]]
name = "linux-raw-sys"
version = "0.3.8"
@@ -3719,7 +3701,7 @@ dependencies = [
"anyhow",
"async-trait",
"awaitgroup",
"bit-vec 0.6.3",
"bit-vec",
"capctl",
"caps",
"cfg-if",
@@ -4821,12 +4803,6 @@ version = "1.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "943ce29a8a743eb10d6082545d861b24f9d1b160b7d741e0f2cdf726bec909c5"
[[package]]
name = "vcpkg"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
[[package]]
name = "version_check"
version = "0.9.5"

View File

@@ -186,7 +186,7 @@ base64 = "0.22"
sha2 = "0.10.8"
async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }
container-device-interface = "0.1.0"
container-device-interface = "0.1.1"
[target.'cfg(target_arch = "s390x")'.dependencies]
pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }
@@ -206,6 +206,7 @@ lto = true
seccomp = ["rustjail/seccomp"]
standard-oci-runtime = ["rustjail/standard-oci-runtime"]
agent-policy = ["kata-agent-policy"]
init-data = []
[[bin]]
name = "kata-agent"

View File

@@ -41,6 +41,14 @@ ifeq ($(AGENT_POLICY),yes)
override EXTRA_RUSTFEATURES += agent-policy
endif
##VAR INIT_DATA=yes|no define if agent enables the init data feature
INIT_DATA ?= yes
# Enable the init data feature of the rust build
ifeq ($(INIT_DATA),yes)
override EXTRA_RUSTFEATURES += init-data
endif
include ../../utils.mk
##VAR STANDARD_OCI_RUNTIME=yes|no define if agent enables standard oci runtime feature

View File

@@ -10,7 +10,7 @@ use anyhow::{bail, Result};
use slog::{debug, error, info, warn};
use tokio::io::AsyncWriteExt;
static POLICY_LOG_FILE: &str = "/tmp/policy.txt";
static POLICY_LOG_FILE: &str = "/tmp/policy.jsonl";
static POLICY_DEFAULT_FILE: &str = "/etc/kata-opa/default-policy.rego";
/// Convenience macro to obtain the scope logger
@@ -26,7 +26,7 @@ pub struct AgentPolicy {
/// When true policy errors are ignored, for debug purposes.
allow_failures: bool,
/// "/tmp/policy.txt" log file for policy activity.
/// "/tmp/policy.jsonl" log file for policy activity.
log_file: Option<tokio::fs::File>,
/// Regorus engine
@@ -213,7 +213,7 @@ impl AgentPolicy {
// The Policy text can be obtained directly from the pod YAML.
}
_ => {
let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n");
let log_entry = format!("{{\"kind\":\"{ep}\",\"request\":{input}}}\n");
if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e);
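
Since each entry is now a self-contained JSON object per line, the log lends itself to standard tooling. A hedged sketch of inspecting it on a debug system follows; the file path and field names come from the change above, while `jq` availability and the endpoint name are assumptions.

```bash
# Hedged sketch: pick out the request payloads logged for one endpoint.
# The endpoint name is illustrative; any value of "kind" can be filtered on.
jq -c 'select(.kind == "CreateContainerRequest") | .request' /tmp/policy.jsonl
```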

View File

@@ -44,7 +44,7 @@ async-trait.workspace = true
inotify = "0.9.2"
libseccomp = { version = "0.3.0", optional = true }
zbus = "3.12.0"
bit-vec = "0.6.3"
bit-vec = "0.8.0"
xattr = "0.2.3"
# Local dependencies

View File

@@ -9,6 +9,7 @@
// SPDX-License-Identifier: Apache-2.0
//
#[cfg(feature = "init-data")]
use std::{os::unix::fs::FileTypeExt, path::Path};
use anyhow::{bail, Context, Result};
@@ -37,14 +38,24 @@ pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
pub const CDH_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/cdh.toml");
/// Magic number of initdata device
#[cfg(feature = "init-data")]
pub const INITDATA_MAGIC_NUMBER: &[u8] = b"initdata";
/// initdata device with disk type 'vd*'
#[cfg(feature = "init-data")]
const INITDATA_PREFIX_DISK_VDX: &str = "vd";
/// initdata device with disk type 'sd*'
#[cfg(feature = "init-data")]
const INITDATA_PREFIX_DISK_SDX: &str = "sd";
#[cfg(not(feature = "init-data"))]
async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
debug!(logger, "Initdata is disabled");
Ok(None)
}
#[cfg(feature = "init-data")]
async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
let dev_dir = Path::new("/dev");
let mut read_dir = tokio::fs::read_dir(dev_dir).await?;

View File

@@ -88,7 +88,7 @@ pub fn baremount(
let destination_str = destination.to_string_lossy();
if let Ok(m) = get_linux_mount_info(destination_str.deref()) {
if m.fs_type == fs_type {
if m.fs_type == fs_type && !flags.contains(MsFlags::MS_REMOUNT) {
slog_info!(logger, "{source:?} is already mounted at {destination:?}");
return Ok(());
}

View File

@@ -401,11 +401,10 @@ impl Handle {
}
if let RouteAttribute::Oif(index) = attribute {
route.device = self
.find_link(LinkFilter::Index(*index))
.await
.context(format!("error looking up device {index}"))?
.name();
route.device = match self.find_link(LinkFilter::Index(*index)).await {
Ok(link) => link.name(),
Err(_) => String::new(),
};
}
}
@@ -1005,10 +1004,6 @@ mod tests {
.expect("Failed to list routes");
assert_ne!(all.len(), 0);
for r in &all {
assert_ne!(r.device.len(), 0);
}
}
#[tokio::test]

View File

@@ -72,7 +72,7 @@ use crate::network::setup_guest_dns;
use crate::passfd_io;
use crate::pci;
use crate::random;
use crate::sandbox::Sandbox;
use crate::sandbox::{Sandbox, SandboxError};
use crate::storage::{add_storages, update_ephemeral_mounts, STORAGE_HANDLERS};
use crate::util;
use crate::version::{AGENT_VERSION, API_VERSION};
@@ -141,6 +141,16 @@ pub fn ttrpc_error(code: ttrpc::Code, err: impl Debug) -> ttrpc::Error {
get_rpc_status(code, format!("{:?}", err))
}
/// Convert SandboxError to ttrpc error with appropriate code.
/// Process not found errors map to NOT_FOUND, others to INVALID_ARGUMENT.
fn sandbox_err_to_ttrpc(err: SandboxError) -> ttrpc::Error {
let code = match &err {
SandboxError::InitProcessNotFound | SandboxError::InvalidExecId => ttrpc::Code::NOT_FOUND,
SandboxError::InvalidContainerId => ttrpc::Code::INVALID_ARGUMENT,
};
ttrpc_error(code, err)
}
#[cfg(not(feature = "agent-policy"))]
async fn is_allowed(_req: &impl serde::Serialize) -> ttrpc::Result<()> {
Ok(())
@@ -460,7 +470,9 @@ impl AgentService {
let mut sig: libc::c_int = req.signal as libc::c_int;
{
let mut sandbox = self.sandbox.lock().await;
let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
let p = sandbox
.find_container_process(cid.as_str(), eid.as_str())
.map_err(sandbox_err_to_ttrpc)?;
// For container initProcess, if it hasn't installed handler for "SIGTERM" signal,
// it will ignore the "SIGTERM" signal sent to it, thus send it "SIGKILL" signal
// instead of "SIGTERM" to terminate it.
@@ -568,7 +580,9 @@ impl AgentService {
let (exit_send, mut exit_recv) = tokio::sync::mpsc::channel(100);
let exit_rx = {
let mut sandbox = self.sandbox.lock().await;
let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
let p = sandbox
.find_container_process(cid.as_str(), eid.as_str())
.map_err(sandbox_err_to_ttrpc)?;
p.exit_watchers.push(exit_send);
pid = p.pid;
@@ -665,7 +679,9 @@ impl AgentService {
let term_exit_notifier;
let reader = {
let mut sandbox = self.sandbox.lock().await;
let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
let p = sandbox
.find_container_process(cid.as_str(), eid.as_str())
.map_err(sandbox_err_to_ttrpc)?;
term_exit_notifier = p.term_exit_notifier.clone();
@@ -947,12 +963,7 @@ impl agent_ttrpc::AgentService for AgentService {
let p = sandbox
.find_container_process(cid.as_str(), eid.as_str())
.map_err(|e| {
ttrpc_error(
ttrpc::Code::INVALID_ARGUMENT,
format!("invalid argument: {:?}", e),
)
})?;
.map_err(sandbox_err_to_ttrpc)?;
p.close_stdin().await;
@@ -970,12 +981,7 @@ impl agent_ttrpc::AgentService for AgentService {
let mut sandbox = self.sandbox.lock().await;
let p = sandbox
.find_container_process(req.container_id(), req.exec_id())
.map_err(|e| {
ttrpc_error(
ttrpc::Code::UNAVAILABLE,
format!("invalid argument: {:?}", e),
)
})?;
.map_err(sandbox_err_to_ttrpc)?;
let fd = p
.term_master
@@ -2629,12 +2635,12 @@ mod tests {
},
TestData {
create_container: false,
result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
..Default::default()
},
TestData {
container_id: "8181",
result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
..Default::default()
},
TestData {

View File

@@ -32,6 +32,7 @@ use rustjail::container::BaseContainer;
use rustjail::container::LinuxContainer;
use rustjail::process::Process;
use slog::Logger;
use thiserror::Error;
use tokio::sync::mpsc::{channel, Receiver, Sender};
use tokio::sync::oneshot;
use tokio::sync::Mutex;
@@ -47,7 +48,16 @@ use crate::storage::StorageDeviceGeneric;
use crate::uevent::{Uevent, UeventMatcher};
use crate::watcher::BindWatcher;
pub const ERR_INVALID_CONTAINER_ID: &str = "Invalid container id";
/// Errors that can occur when looking up processes in the sandbox.
#[derive(Debug, Error)]
pub enum SandboxError {
#[error("Invalid container id")]
InvalidContainerId,
#[error("Process not found: init process missing")]
InitProcessNotFound,
#[error("Process not found: invalid exec id")]
InvalidExecId,
}
type UeventWatcher = (Box<dyn UeventMatcher>, oneshot::Sender<Uevent>);
@@ -282,10 +292,14 @@ impl Sandbox {
None
}
pub fn find_container_process(&mut self, cid: &str, eid: &str) -> Result<&mut Process> {
pub fn find_container_process(
&mut self,
cid: &str,
eid: &str,
) -> Result<&mut Process, SandboxError> {
let ctr = self
.get_container(cid)
.ok_or_else(|| anyhow!(ERR_INVALID_CONTAINER_ID))?;
.ok_or(SandboxError::InvalidContainerId)?;
if eid.is_empty() {
let init_pid = ctr.init_process_pid;
@@ -293,10 +307,11 @@ impl Sandbox {
.processes
.values_mut()
.find(|p| p.pid == init_pid)
.ok_or_else(|| anyhow!("cannot find init process!"));
.ok_or(SandboxError::InitProcessNotFound);
}
ctr.get_process(eid).map_err(|_| anyhow!("Invalid exec id"))
ctr.get_process(eid)
.map_err(|_| SandboxError::InvalidExecId)
}
#[instrument]

src/dragonball/Cargo.lock generated

File diff suppressed because it is too large

View File

@@ -9,58 +9,6 @@ repository = "https://github.com/kata-containers/kata-containers.git"
license = "Apache-2.0"
edition = "2018"
[workspace]
members = [
"dbs_acpi",
"dbs_address_space",
"dbs_allocator",
"dbs_arch",
"dbs_boot",
"dbs_device",
"dbs_interrupt",
"dbs_legacy_devices",
"dbs_pci",
"dbs_tdx",
"dbs_upcall",
"dbs_utils",
"dbs_virtio_devices",
]
resolver = "2"
[workspace.dependencies]
# Rust-VMM crates
event-manager = "0.2.1"
kvm-bindings = "0.6.0"
kvm-ioctls = "=0.12.1"
linux-loader = "0.8.0"
seccompiler = "0.5.0"
vfio-bindings = "0.3.0"
vfio-ioctls = "0.1.0"
virtio-bindings = "0.1.0"
virtio-queue = "0.7.0"
vm-fdt = "0.2.0"
vm-memory = "0.10.0"
vm-superio = "0.5.0"
vmm-sys-util = "0.11.0"
# Local dependencies from Dragonball Sandbox crates
dbs-acpi = { path = "dbs_acpi" }
dbs-address-space = { path = "dbs_address_space" }
dbs-allocator = { path = "dbs_allocator" }
dbs-arch = { path = "dbs_arch" }
dbs-boot = { path = "dbs_boot" }
dbs-device = { path = "dbs_device" }
dbs-interrupt = { path = "dbs_interrupt" }
dbs-legacy-devices = { path = "dbs_legacy_devices" }
dbs-pci = { path = "dbs_pci" }
dbs-tdx = { path = "dbs_tdx" }
dbs-upcall = { path = "dbs_upcall" }
dbs-utils = { path = "dbs_utils" }
dbs-virtio-devices = { path = "dbs_virtio_devices" }
# Local dependencies from `src/lib`
test-utils = { path = "../libs/test-utils" }
[dependencies]
anyhow = "1.0.32"
arc-swap = "1.5.0"
@@ -83,12 +31,12 @@ kvm-bindings = { workspace = true }
kvm-ioctls = { workspace = true }
lazy_static = "1.2"
libc = "0.2.39"
linux-loader = {workspace = true}
linux-loader = { workspace = true }
log = "0.4.14"
nix = "0.24.2"
procfs = "0.12.0"
prometheus = { version = "0.14.0", features = ["process"] }
seccompiler = {workspace = true}
seccompiler = { workspace = true }
serde = "1.0.27"
serde_derive = "1.0.27"
serde_json = "1.0.9"
@@ -96,7 +44,7 @@ slog = "2.5.2"
slog-scope = "4.4.0"
thiserror = "1"
tracing = "0.1.41"
vmm-sys-util = {workspace = true}
vmm-sys-util = { workspace = true }
virtio-queue = { workspace = true, optional = true }
vm-memory = { workspace = true, features = ["backend-mmap"] }
crossbeam-channel = "0.5.6"
@@ -118,14 +66,14 @@ virtio-blk = ["dbs-virtio-devices/virtio-blk", "virtio-queue"]
virtio-net = ["dbs-virtio-devices/virtio-net", "virtio-queue"]
# virtio-fs only work on atomic-guest-memory
virtio-fs = [
"dbs-virtio-devices/virtio-fs-pro",
"virtio-queue",
"atomic-guest-memory",
"dbs-virtio-devices/virtio-fs-pro",
"virtio-queue",
"atomic-guest-memory",
]
virtio-mem = [
"dbs-virtio-devices/virtio-mem",
"virtio-queue",
"atomic-guest-memory",
"dbs-virtio-devices/virtio-mem",
"virtio-queue",
"atomic-guest-memory",
]
virtio-balloon = ["dbs-virtio-devices/virtio-balloon", "virtio-queue"]
vhost-net = ["dbs-virtio-devices/vhost-net"]
@@ -136,5 +84,5 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [
'cfg(feature, values("test-mock"))',
'cfg(feature, values("test-mock"))',
] }

View File

@@ -21,6 +21,8 @@ libc = ">=0.2.39"
[dev-dependencies]
vm-memory = { workspace = true, features = ["backend-mmap"] }
test-utils = { workspace = true }
nix = { workspace = true }
[package.metadata.docs.rs]
all-features = true

View File

@@ -205,12 +205,12 @@ pub fn create_gic(vm: &VmFd, vcpu_count: u64) -> Result<Box<dyn GICDevice>> {
#[cfg(test)]
mod tests {
use super::*;
use kvm_ioctls::Kvm;
#[test]
fn test_create_gic() {
test_utils::skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
assert!(create_gic(&vm, 1).is_ok());

View File

@@ -150,6 +150,7 @@ mod tests {
#[test]
fn test_create_pmu() {
test_utils::skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();

View File

@@ -166,9 +166,11 @@ pub fn read_mpidr(vcpu: &VcpuFd) -> Result<u64> {
mod tests {
use super::*;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
#[test]
fn test_setup_regs() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();
@@ -185,6 +187,7 @@ mod tests {
#[test]
fn test_read_mpidr() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();

View File

@@ -78,6 +78,7 @@ pub fn set_lint(vcpu: &VcpuFd) -> Result<()> {
mod tests {
use super::*;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
const KVM_APIC_REG_SIZE: usize = 0x400;
@@ -100,6 +101,7 @@ mod tests {
#[test]
fn test_setlint() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
assert!(kvm.check_extension(kvm_ioctls::Cap::Irqchip));
let vm = kvm.create_vm().unwrap();
@@ -126,6 +128,7 @@ mod tests {
#[test]
fn test_setlint_fails() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();

View File

@@ -271,6 +271,7 @@ mod tests {
use super::*;
use crate::x86_64::gdt::gdt_entry;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
const BOOT_GDT_OFFSET: u64 = 0x500;
@@ -334,6 +335,7 @@ mod tests {
#[test]
fn test_setup_fpu() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();
@@ -356,6 +358,7 @@ mod tests {
#[test]
#[allow(clippy::cast_ptr_alignment)]
fn test_setup_msrs() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();
@@ -384,6 +387,7 @@ mod tests {
#[test]
fn test_setup_regs() {
skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();

View File

@@ -24,3 +24,5 @@ vm-fdt = {workspace= true}
vm-memory = { workspace = true, features = ["backend-mmap"] }
device_tree = ">=1.1.0"
dbs-device = { workspace = true }
test-utils = { workspace = true }
nix = { workspace = true }

View File

@@ -399,6 +399,7 @@ mod tests {
use device_tree::DeviceTree;
use kvm_bindings::{kvm_vcpu_init, KVM_ARM_VCPU_PMU_V3, KVM_ARM_VCPU_PSCI_0_2};
use kvm_ioctls::{Kvm, VcpuFd, VmFd};
use test_utils::skip_if_not_root;
use vm_memory::GuestMemoryMmap;
use super::super::tests::MMIODeviceInfo;
@@ -460,6 +461,7 @@ mod tests {
#[test]
fn test_create_fdt_with_devices() {
skip_if_not_root!();
let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
let dev_info: HashMap<(DeviceType, String), MMIODeviceInfo> = [
@@ -498,6 +500,7 @@ mod tests {
#[test]
fn test_create_fdt() {
skip_if_not_root!();
let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
let kvm = Kvm::new().unwrap();
@@ -532,6 +535,7 @@ mod tests {
#[test]
fn test_create_fdt_with_initrd() {
skip_if_not_root!();
let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
let kvm = Kvm::new().unwrap();
@@ -570,6 +574,7 @@ mod tests {
#[test]
fn test_create_fdt_with_pmu() {
skip_if_not_root!();
let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
let kvm = Kvm::new().unwrap();

View File

@@ -304,6 +304,7 @@ mod tests {
#[test]
fn test_fdtutils_fdt_device_info() {
test_utils::skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let gic = create_gic(&vm, 0).unwrap();

View File

@@ -68,6 +68,7 @@ pub fn initrd_load_addr<M: GuestMemory>(guest_mem: &M, initrd_size: u64) -> supe
}
}
#[allow(missing_docs)]
#[cfg(test)]
pub mod tests {
use dbs_arch::{DeviceInfoForFDT, Error as ArchError};

View File

@@ -258,6 +258,7 @@ mod tests {
#[test]
fn test_setup_page_tables() {
test_utils::skip_if_not_root!();
let kvm = Kvm::new().unwrap();
let vm = kvm.create_vm().unwrap();
let vcpu = vm.create_vcpu(0).unwrap();

View File

@@ -18,6 +18,10 @@ kvm-ioctls = { workspace = true, optional = true }
libc = "0.2"
vmm-sys-util = {workspace = true}
[dev-dependencies]
test-utils = { workspace = true }
nix = { workspace = true }
[features]
default = ["legacy-irq", "msi-irq"]

View File

@@ -220,6 +220,7 @@ impl InterruptSourceGroup for LegacyIrq {
mod test {
use super::*;
use crate::manager::tests::create_vm_fd;
use test_utils::skip_if_not_root;
const MASTER_PIC: usize = 7;
const SLAVE_PIC: usize = 8;
@@ -228,6 +229,7 @@ mod test {
#[test]
#[allow(unreachable_patterns)]
fn test_legacy_interrupt_group() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
let rounting = Arc::new(KvmIrqRouting::new(vmfd.clone()));
let base = 0;
@@ -263,6 +265,7 @@ mod test {
#[test]
fn test_irq_routing_initialize_legacy() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
let routing = KvmIrqRouting::new(vmfd.clone());
@@ -278,6 +281,7 @@ mod test {
#[test]
fn test_routing_opt() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
let routing = KvmIrqRouting::new(vmfd.clone());
@@ -309,6 +313,7 @@ mod test {
#[test]
fn test_routing_set_routing() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
let routing = KvmIrqRouting::new(vmfd.clone());

View File

@@ -271,6 +271,7 @@ pub fn from_sys_util_errno(e: vmm_sys_util::errno::Error) -> std::io::Error {
pub(crate) mod tests {
use super::*;
use crate::manager::tests::create_vm_fd;
use test_utils::skip_if_not_root;
fn create_irq_group(
manager: Arc<KvmIrqManager>,
@@ -306,11 +307,13 @@ pub(crate) mod tests {
#[test]
fn test_create_kvm_irq_manager() {
skip_if_not_root!();
let _ = create_kvm_irq_manager();
}
#[test]
fn test_kvm_irq_manager_opt() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
vmfd.create_irq_chip().unwrap();
let manager = Arc::new(KvmIrqManager::new(vmfd.clone()));

View File

@@ -202,10 +202,12 @@ impl InterruptSourceGroup for MsiIrq {
mod test {
use super::*;
use crate::manager::tests::create_vm_fd;
use test_utils::skip_if_not_root;
#[test]
#[allow(unreachable_patterns)]
fn test_msi_interrupt_group() {
skip_if_not_root!();
let vmfd = Arc::new(create_vm_fd());
vmfd.create_irq_chip().unwrap();

View File

@@ -451,6 +451,7 @@ pub(crate) mod tests {
use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
use kvm_ioctls::{Kvm, VmFd};
use test_utils::skip_if_not_root;
use super::*;
use crate::KvmIrqManager;
@@ -502,6 +503,7 @@ pub(crate) mod tests {
#[test]
fn test_create_device_interrupt_manager() {
skip_if_not_root!();
let mut mgr = create_interrupt_manager();
assert_eq!(mgr.mode, DeviceInterruptMode::Disabled);
@@ -537,6 +539,7 @@ pub(crate) mod tests {
#[test]
fn test_device_interrupt_manager_switch_mode() {
skip_if_not_root!();
let mut mgr = create_interrupt_manager();
// Can't switch working mode in enabled state.
@@ -621,6 +624,7 @@ pub(crate) mod tests {
#[test]
fn test_msi_config() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
assert!(interrupt_manager.set_msi_data(512, 0).is_err());
@@ -638,6 +642,7 @@ pub(crate) mod tests {
#[test]
fn test_set_working_mode_after_activated() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.activated = true;
assert!(interrupt_manager
@@ -659,6 +664,7 @@ pub(crate) mod tests {
#[test]
fn test_disable2legacy() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.activated = false;
interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -669,6 +675,7 @@ pub(crate) mod tests {
#[test]
fn test_disable2nonlegacy() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.activated = false;
interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -679,6 +686,7 @@ pub(crate) mod tests {
#[test]
fn test_legacy2nonlegacy() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.activated = false;
interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -692,6 +700,7 @@ pub(crate) mod tests {
#[test]
fn test_nonlegacy2legacy() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.activated = false;
interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -705,6 +714,7 @@ pub(crate) mod tests {
#[test]
fn test_update() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager
.set_working_mode(DeviceInterruptMode::GenericMsiIrq)
@@ -721,6 +731,7 @@ pub(crate) mod tests {
#[test]
fn test_get_configs() {
skip_if_not_root!();
// legacy irq config
{
let interrupt_manager = create_interrupt_manager();
@@ -762,6 +773,7 @@ pub(crate) mod tests {
#[test]
fn test_reset_configs() {
skip_if_not_root!();
let mut interrupt_manager = create_interrupt_manager();
interrupt_manager.reset_configs(DeviceInterruptMode::LegacyIrq);

View File

@@ -235,6 +235,7 @@ mod tests {
use super::*;
use crate::{InterruptManager, InterruptSourceType};
use test_utils::skip_if_not_root;
const VIRTIO_INTR_VRING: u32 = 0x01;
const VIRTIO_INTR_CONFIG: u32 = 0x02;
@@ -250,6 +251,7 @@ mod tests {
#[cfg(feature = "kvm-legacy-irq")]
#[test]
fn test_create_legacy_notifier() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -280,6 +282,7 @@ mod tests {
#[cfg(feature = "kvm-msi-irq")]
#[test]
fn test_virtio_msi_notifier() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::MsiIrq, 0, 3)

View File

@@ -41,6 +41,8 @@ dbs-utils = {workspace = true}
[dev-dependencies]
dbs-arch = { workspace = true }
kvm-ioctls = {workspace = true}
test-utils = { workspace = true }
nix = { workspace = true }
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = [

View File

@@ -654,6 +654,7 @@ mod tests {
use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
use dbs_interrupt::KvmIrqManager;
use kvm_ioctls::{Kvm, VmFd};
use test_utils::skip_if_not_root;
use super::*;
@@ -735,6 +736,7 @@ mod tests {
#[test]
fn test_msi_state_struct() {
skip_if_not_root!();
let flags = MSI_CTL_ENABLE | MSI_CTL_64_BITS | MSI_CTL_PER_VECTOR | 0x6 | 0x20;
let mut cap = MsiCap::new(0xa5, flags);

View File

@@ -361,6 +361,7 @@ mod tests {
use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
use dbs_interrupt::KvmIrqManager;
use kvm_ioctls::{Kvm, VmFd};
use test_utils::skip_if_not_root;
use super::*;
@@ -422,6 +423,7 @@ mod tests {
#[test]
fn test_set_msg_ctl() {
skip_if_not_root!();
let mut config = MsixState::new(0x10);
let mut intr_mgr = create_interrupt_manager();
@@ -452,6 +454,7 @@ mod tests {
#[test]
fn test_read_write_table() {
skip_if_not_root!();
let mut intr_mgr = create_interrupt_manager();
let mut config = MsixState::new(0x10);

View File

@@ -1159,11 +1159,12 @@ impl<
#[cfg(test)]
pub(crate) mod tests {
#[cfg(target_arch = "aarch64")]
use arch::aarch64::gic::create_gic;
use dbs_arch::gic::create_gic;
use dbs_device::resources::MsiIrqType;
use dbs_interrupt::kvm::KvmIrqManager;
use dbs_utils::epoll_manager::EpollManager;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::QueueSync;
use vm_memory::{GuestMemoryMmap, GuestRegionMmap, GuestUsize, MmapRegion};
@@ -1496,6 +1497,7 @@ pub(crate) mod tests {
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
#[test]
fn test_virtio_pci_device_activate() {
skip_if_not_root!();
let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
assert_eq!(d.state().queues.len(), 2);
assert!(!d.state().check_queues_valid());
@@ -1554,6 +1556,7 @@ pub(crate) mod tests {
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
#[test]
fn test_bus_device_reset() {
skip_if_not_root!();
let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
assert_eq!(d.state().queues.len(), 2);
@@ -1578,6 +1581,7 @@ pub(crate) mod tests {
#[test]
fn test_virtio_pci_device_resources() {
skip_if_not_root!();
let d: VirtioPciDevice<_, _, _> = get_pci_device();
let resources = d.get_assigned_resources();
@@ -1595,6 +1599,7 @@ pub(crate) mod tests {
#[test]
fn test_virtio_pci_register_ioevent() {
skip_if_not_root!();
let d: VirtioPciDevice<_, _, _> = get_pci_device();
d.register_ioevent().unwrap();
assert!(d.ioevent_registered.load(Ordering::SeqCst));
@@ -1616,6 +1621,7 @@ pub(crate) mod tests {
#[test]
fn test_read_bar() {
skip_if_not_root!();
let d: VirtioPciDevice<_, _, _> = get_pci_device();
let origin_data = vec![1u8];
// driver status

View File

@@ -22,3 +22,5 @@ vmm-sys-util = {workspace = true}
[dev-dependencies]
serde_json = "1.0.9"
test-utils = { workspace = true }
nix = { workspace = true }

View File

@@ -278,6 +278,7 @@ impl AsRawFd for Tap {
}
}
#[cfg(test)]
mod tests {
#![allow(dead_code)]
@@ -285,6 +286,7 @@ mod tests {
use std::net::Ipv4Addr;
use std::str;
use std::sync::atomic::{AtomicUsize, Ordering};
use test_utils::skip_if_not_root;
use super::*;
@@ -388,6 +390,7 @@ mod tests {
#[test]
fn test_tap_name() {
skip_if_not_root!();
// Sanity check that the assumed max iface name length is correct.
assert_eq!(
IFACE_NAME_MAX_LEN,
@@ -414,11 +417,13 @@ mod tests {
#[test]
fn test_tap_partial_eq() {
skip_if_not_root!();
assert_ne!(Tap::new().unwrap(), Tap::new().unwrap());
}
#[test]
fn test_tap_configure() {
skip_if_not_root!();
// `fetch_add` adds to the current value, returning the previous value.
let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
@@ -451,6 +456,7 @@ mod tests {
#[test]
fn test_tap_enable() {
skip_if_not_root!();
let tap = Tap::new().unwrap();
let ret = tap.enable();
assert!(ret.is_ok());
@@ -458,6 +464,7 @@ mod tests {
#[test]
fn test_tap_get_ifreq() {
skip_if_not_root!();
let tap = Tap::new().unwrap();
let ret = tap.get_ifreq();
assert_eq!(
@@ -468,6 +475,7 @@ mod tests {
#[test]
fn test_raw_fd() {
skip_if_not_root!();
let tap = Tap::new().unwrap();
assert_eq!(tap.as_raw_fd(), tap.tap_file.as_raw_fd());
}

View File

@@ -50,6 +50,7 @@ vm-memory = { workspace = true, features = [
"backend-mmap",
"backend-atomic",
] }
test-utils = { workspace = true }
[features]
virtio-mmio = []

View File

@@ -748,6 +748,7 @@ pub(crate) mod tests {
use dbs_device::resources::DeviceResources;
use dbs_utils::epoll_manager::SubscriberOps;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use vm_memory::GuestMemoryMmap;
use vmm_sys_util::eventfd::EventFd;
@@ -803,6 +804,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_virtio_device_normal() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let config = BalloonConfig {
f_deflate_on_oom: true,
@@ -857,6 +859,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_virtio_device_active() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
// check queue sizes error
@@ -923,6 +926,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_set_size() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let config = BalloonConfig {
f_deflate_on_oom: true,
@@ -936,6 +940,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_epoll_handler_handle_event() {
skip_if_not_root!();
let handler = create_balloon_epoll_handler();
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -968,6 +973,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_epoll_handler_process_report_queue() {
skip_if_not_root!();
let mut handler = create_balloon_epoll_handler();
let m = &handler.config.vm_as.clone();
@@ -997,6 +1003,7 @@ pub(crate) mod tests {
#[test]
fn test_balloon_epoll_handler_process_queue() {
skip_if_not_root!();
let mut handler = create_balloon_epoll_handler();
let m = &handler.config.vm_as.clone();
// invalid idx

View File

@@ -376,6 +376,7 @@ mod tests {
use dbs_interrupt::NoopNotifier;
use dbs_utils::rate_limiter::{TokenBucket, TokenType};
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::QueueSync;
use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap, GuestRegionMmap};
use vmm_sys_util::eventfd::EventFd;
@@ -909,6 +910,7 @@ mod tests {
#[test]
fn test_block_virtio_device_active() {
skip_if_not_root!();
let device_id = "dummy_device_id";
let epoll_mgr = EpollManager::default();

View File

@@ -579,6 +579,7 @@ pub(crate) mod tests {
};
use dbs_utils::epoll_manager::{EventOps, Events, MutEventSubscriber};
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::QueueSync;
use vm_memory::{GuestMemoryAtomic, GuestMemoryMmap, GuestMemoryRegion, MmapRegion};
@@ -629,6 +630,7 @@ pub(crate) mod tests {
#[test]
fn test_create_virtio_queue_config() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -660,6 +662,7 @@ pub(crate) mod tests {
#[test]
fn test_clone_virtio_queue_config() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -698,6 +701,7 @@ pub(crate) mod tests {
#[test]
fn test_create_virtio_device_config() {
skip_if_not_root!();
let mut device_config = create_virtio_device_config();
device_config.notify_device_changes().unwrap();
@@ -783,6 +787,7 @@ pub(crate) mod tests {
#[test]
fn test_virtio_device() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let avail_features = 0x1234 << 32 | 0x4567;

View File

@@ -962,6 +962,7 @@ pub mod tests {
use std::io::Write;
use std::path::PathBuf;
use std::sync::Arc;
use test_utils::skip_if_not_root;
use dbs_device::resources::DeviceResources;
use dbs_interrupt::NoopNotifier;
@@ -1187,6 +1188,7 @@ pub mod tests {
#[test]
fn test_virtio_fs_device_active() {
skip_if_not_root!();
let epoll_manager = EpollManager::default();
{
// config queue size is not 2
@@ -1675,6 +1677,7 @@ pub mod tests {
#[test]
fn test_register_mmap_region() {
skip_if_not_root!();
let epoll_manager = EpollManager::default();
let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(
@@ -1717,6 +1720,7 @@ pub mod tests {
#[test]
fn test_get_resource_requirements() {
skip_if_not_root!();
let epoll_manager = EpollManager::default();
let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
let dax_on = 0x4000;
@@ -1761,6 +1765,7 @@ pub mod tests {
#[test]
fn test_set_resource() {
skip_if_not_root!();
let epoll_manager = EpollManager::default();
let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(

View File

@@ -503,6 +503,7 @@ pub mod tests {
use dbs_utils::epoll_manager::EpollManager;
use dbs_utils::epoll_manager::SubscriberOps;
use dbs_utils::rate_limiter::TokenBucket;
use test_utils::skip_if_not_root;
use vm_memory::{GuestAddress, GuestMemoryMmap};
use vmm_sys_util::tempfile::TempFile;
@@ -636,6 +637,7 @@ pub mod tests {
#[test]
fn test_fs_get_patch_rate_limiters() {
skip_if_not_root!();
let mut handler = create_fs_epoll_handler(String::from("1"));
let tokenbucket = TokenBucket::new(1, 1, 4);
@@ -705,6 +707,7 @@ pub mod tests {
#[test]
fn test_fs_epoll_handler_handle_event() {
skip_if_not_root!();
let handler = create_fs_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -740,6 +743,7 @@ pub mod tests {
#[test]
fn test_fs_epoll_handler_handle_unknown_event() {
skip_if_not_root!();
let handler = create_fs_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -756,6 +760,7 @@ pub mod tests {
#[test]
fn test_fs_epoll_handler_process_queue() {
skip_if_not_root!();
{
let mut handler = create_fs_epoll_handler("test_1".to_string());

View File

@@ -1345,6 +1345,7 @@ pub(crate) mod tests {
use std::ffi::CString;
use std::fs::File;
use std::os::unix::io::FromRawFd;
use test_utils::skip_if_not_root;
use dbs_device::resources::DeviceResources;
use dbs_interrupt::NoopNotifier;
@@ -1797,6 +1798,7 @@ pub(crate) mod tests {
#[test]
fn test_mem_virtio_device_set_resource() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let id = "mem0".to_string();
let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1874,6 +1876,7 @@ pub(crate) mod tests {
#[test]
fn test_mem_virtio_device_activate() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let id = "mem0".to_string();
let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1976,6 +1979,7 @@ pub(crate) mod tests {
#[test]
fn test_mem_virtio_device_remove() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
let id = "mem0".to_string();
let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -2011,6 +2015,7 @@ pub(crate) mod tests {
#[test]
fn test_mem_epoll_handler_handle_event() {
skip_if_not_root!();
let handler = create_mem_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -2032,6 +2037,7 @@ pub(crate) mod tests {
#[test]
fn test_mem_epoll_handler_process_queue() {
skip_if_not_root!();
let mut handler = create_mem_epoll_handler("test_1".to_string());
let m = &handler.config.vm_as.clone();
// fail to parse available descriptor chain

View File

@@ -609,6 +609,7 @@ where
#[cfg(test)]
pub(crate) mod tests {
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::QueueSync;
use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
@@ -652,6 +653,7 @@ pub(crate) mod tests {
#[test]
fn test_virtio_mmio_state_new() {
skip_if_not_root!();
let mut state = get_mmio_state(false, false, 1);
assert_eq!(state.queues.len(), 3);

View File

@@ -494,6 +494,7 @@ where
pub(crate) mod tests {
use std::any::Any;
use std::sync::Mutex;
use test_utils::skip_if_not_root;
use byteorder::{ByteOrder, LittleEndian};
use dbs_device::resources::{MsiIrqType, Resource, ResourceConstraint};
@@ -708,6 +709,7 @@ pub(crate) mod tests {
#[test]
fn test_virtio_mmio_v2_device_new() {
skip_if_not_root!();
// test create error.
let resources = DeviceResources::new();
let mem = Arc::new(GuestMemoryMmap::from_ranges(&[(GuestAddress(0), 0x1000)]).unwrap());
@@ -769,6 +771,7 @@ pub(crate) mod tests {
#[test]
fn test_bus_device_read() {
skip_if_not_root!();
let mut d = get_mmio_device();
let mut buf = vec![0xff, 0, 0xfe, 0];
@@ -894,6 +897,7 @@ pub(crate) mod tests {
#[test]
fn test_bus_device_write() {
skip_if_not_root!();
let mut d = get_mmio_device();
let mut buf = vec![0; 5];
@@ -1023,6 +1027,7 @@ pub(crate) mod tests {
#[test]
fn test_bus_device_activate() {
skip_if_not_root!();
// invalid state transition should fail
let mut d = get_mmio_device();
@@ -1140,6 +1145,7 @@ pub(crate) mod tests {
#[test]
fn test_bus_device_reset() {
skip_if_not_root!();
let resources = get_device_resource(false, false);
let mut d = get_mmio_device_inner(true, 0, resources);
let mut buf = vec![0; 4];
@@ -1169,6 +1175,7 @@ pub(crate) mod tests {
#[test]
fn test_mmiov2_device_resources() {
skip_if_not_root!();
let d = get_mmio_device();
let resources = d.get_assigned_resources();
@@ -1185,6 +1192,7 @@ pub(crate) mod tests {
#[test]
fn test_mmio_v2_device_msi() {
skip_if_not_root!();
let resources = get_device_resource(true, false);
let mut d = get_mmio_device_inner(true, 0, resources);
@@ -1227,6 +1235,7 @@ pub(crate) mod tests {
#[test]
fn test_mmio_shared_memory() {
skip_if_not_root!();
let resources = get_device_resource(true, true);
let d = get_mmio_device_inner(true, 0, resources);

View File

@@ -848,6 +848,7 @@ mod tests {
use dbs_utils::epoll_manager::SubscriberOps;
use dbs_utils::rate_limiter::TokenBucket;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use vm_memory::{GuestAddress, GuestMemoryMmap};
use super::*;
@@ -900,6 +901,7 @@ mod tests {
#[test]
fn test_net_virtio_device_normal() {
skip_if_not_root!();
let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
let epoll_mgr = EpollManager::default();
@@ -963,6 +965,7 @@ mod tests {
#[test]
fn test_net_virtio_device_active() {
skip_if_not_root!();
let epoll_mgr = EpollManager::default();
{
// config queue size is not 2
@@ -1112,6 +1115,7 @@ mod tests {
#[test]
fn test_net_set_patch_rate_limiters() {
skip_if_not_root!();
let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
let epoll_mgr = EpollManager::default();
@@ -1150,6 +1154,7 @@ mod tests {
#[test]
fn test_net_get_patch_rate_limiters() {
skip_if_not_root!();
let mut handler = create_net_epoll_handler("test_1".to_string());
let tokenbucket = TokenBucket::new(1, 1, 4);
@@ -1174,6 +1179,7 @@ mod tests {
#[test]
fn test_net_epoll_handler_handle_event() {
skip_if_not_root!();
let handler = create_net_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -1212,6 +1218,7 @@ mod tests {
#[test]
fn test_net_epoll_handler_handle_unknown_event() {
skip_if_not_root!();
let handler = create_net_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();
@@ -1228,6 +1235,7 @@ mod tests {
#[test]
fn test_net_epoll_handler_process_queue() {
skip_if_not_root!();
{
let mut handler = create_net_epoll_handler("test_1".to_string());
@@ -1253,6 +1261,7 @@ mod tests {
#[test]
fn test_net_bandwidth_rate_limiter() {
skip_if_not_root!();
let handler = create_net_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
@@ -1330,6 +1339,7 @@ mod tests {
#[test]
fn test_net_ops_rate_limiter() {
skip_if_not_root!();
let handler = create_net_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();

View File
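The net tests above draw a fresh suffix from `NEXT_IP` before opening a tap device. A small sketch of that pattern (the atomic's exact integer width in the real code is an assumption here):

```
use std::sync::atomic::{AtomicU32, Ordering};

// An atomic counter hands every test a unique suffix, so tests that create
// tap devices in parallel never collide on the same interface name.
static NEXT_IP: AtomicU32 = AtomicU32::new(1);

fn unique_tap_name() -> String {
    // fetch_add returns the value *before* the increment, so the first
    // caller gets "tap1", the next "tap2", and so on.
    let n = NEXT_IP.fetch_add(1, Ordering::SeqCst);
    format!("tap{n}")
}
```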

@@ -44,9 +44,11 @@ pub fn create_queue_notifier(
mod tests {
use super::*;
use dbs_interrupt::InterruptManager;
use test_utils::skip_if_not_root;
#[test]
fn test_create_virtio_legacy_notifier() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -68,6 +70,7 @@ mod tests {
#[test]
fn test_create_virtio_msi_notifier() {
skip_if_not_root!();
let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
let group = irq_manager
.create_group(InterruptSourceType::MsiIrq, 0, 3)

View File

@@ -682,6 +682,7 @@ mod tests {
};
use dbs_utils::epoll_manager::SubscriberOps;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::{Queue, QueueSync};
use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
use vmm_sys_util::eventfd::EventFd;
@@ -718,6 +719,7 @@ mod tests {
#[test]
fn test_vhost_kern_net_virtio_normal() {
skip_if_not_root!();
let guest_mac_str = "11:22:33:44:55:66";
let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
let queue_sizes = Arc::new(vec![128]);
@@ -757,6 +759,7 @@ mod tests {
#[test]
fn test_vhost_kern_net_virtio_activate() {
skip_if_not_root!();
let guest_mac_str = "11:22:33:44:55:66";
let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
// Invalid queue sizes
@@ -841,6 +844,7 @@ mod tests {
#[test]
fn test_vhost_kern_net_epoll_handler_handle_event() {
skip_if_not_root!();
let handler = create_vhost_kern_net_epoll_handler("test_1".to_string());
let event_fd = EventFd::new(0).unwrap();
let mgr = EpollManager::default();

View File

@@ -631,7 +631,7 @@ mod tests {
#[test]
fn test_vhost_user_block_virtio_device_spdk() {
let socket_path = "/tmp/vhost.1";
let socket_path = concat!("vhost.", line!());
let handler = thread::spawn(move || {
let listener = Listener::new(socket_path, true).unwrap();
@@ -692,7 +692,7 @@ mod tests {
#[test]
fn test_vhost_user_block_virtio_device_activate_spdk() {
let socket_path = "/tmp/vhost.2";
let socket_path = concat!("vhost.", line!());
let handler = thread::spawn(move || {
// create vhost user block device

View File
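These vhost-user tests previously shared the hardcoded `/tmp/vhost.1` path, so tests running concurrently could race on the same UNIX socket. `concat!("vhost.", line!())` instead produces a distinct literal per call site at compile time; a minimal sketch of the effect:

```
#[test]
fn vhost_socket_names_are_unique_per_call_site() {
    // line!() expands to the call site's line number as a literal, so each
    // use yields its own relative socket name instead of a shared /tmp path.
    let socket_path = concat!("vhost.", line!());
    let another = concat!("vhost.", line!());
    assert_ne!(socket_path, another);
}
```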

@@ -810,7 +810,7 @@ mod tests {
#[test]
fn test_vhost_user_fs_virtio_device_normal() {
let device_socket = "/tmp/vhost.1";
let device_socket = concat!("vhost.", line!());
let tag = "test_fs";
let handler = thread::spawn(move || {
@@ -879,7 +879,7 @@ mod tests {
#[test]
fn test_vhost_user_fs_virtio_device_activate() {
let device_socket = "/tmp/vhost.1";
let device_socket = concat!("vhost.", line!());
let tag = "test_fs";
let handler = thread::spawn(move || {

View File

@@ -604,6 +604,7 @@ mod tests {
use dbs_interrupt::{InterruptManager, InterruptSourceType, MsiNotifier, NoopNotifier};
use dbs_utils::epoll_manager::EpollManager;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use vhost_rs::vhost_user::message::VhostUserU64;
use vhost_rs::vhost_user::{VhostUserProtocolFeatures, VhostUserVirtioFeatures};
use virtio_queue::QueueSync;
@@ -647,7 +648,7 @@ mod tests {
#[test]
fn test_vhost_user_net_virtio_device_normal() {
let device_socket = "/tmp/vhost.1";
let device_socket = concat!("vhost.", line!());
let queue_sizes = Arc::new(vec![128]);
let epoll_mgr = EpollManager::default();
let handler = thread::spawn(move || {
@@ -697,7 +698,8 @@ mod tests {
#[test]
fn test_vhost_user_net_virtio_device_activate() {
let device_socket = "/tmp/vhost.1";
skip_if_not_root!();
let device_socket = concat!("vhost.", line!());
let queue_sizes = Arc::new(vec![128]);
let epoll_mgr = EpollManager::default();
let handler = thread::spawn(move || {

View File

@@ -208,6 +208,7 @@ mod tests {
use dbs_device::resources::DeviceResources;
use dbs_interrupt::NoopNotifier;
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use virtio_queue::QueueSync;
use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
@@ -243,6 +244,7 @@ mod tests {
#[test]
fn test_virtio_device() {
skip_if_not_root!();
let mut ctx = TestContext::new();
let device_features = VSOCK_AVAIL_FEATURES;
let driver_features: u64 = VSOCK_AVAIL_FEATURES | 1 | (1 << 32);

View File

@@ -310,6 +310,7 @@ where
#[cfg(test)]
mod tests {
use test_utils::skip_if_not_root;
use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
use vmm_sys_util::epoll::EventSet;
@@ -320,6 +321,7 @@ mod tests {
#[test]
fn test_irq() {
skip_if_not_root!();
let test_ctx = TestContext::new();
let mut ctx = test_ctx.create_event_handler_context();
ctx.arti_activate(&test_ctx.mem);
@@ -329,6 +331,7 @@ mod tests {
#[test]
fn test_txq_event() {
skip_if_not_root!();
// Test case:
// - the driver has something to send (there's data in the TX queue);
// and
@@ -411,6 +414,7 @@ mod tests {
#[test]
fn test_rxq_event() {
skip_if_not_root!();
// Test case:
// - there is pending RX data in the backend; and
// - the driver makes RX buffers available; and
@@ -468,6 +472,7 @@ mod tests {
#[test]
fn test_backend_event() {
skip_if_not_root!();
// Test case:
// - a backend event is received; and
// - the backend has pending RX data.
@@ -567,6 +572,7 @@ mod tests {
#[test]
fn test_vsock_bof() {
skip_if_not_root!();
const GAP_SIZE: usize = 768 << 20;
const FIRST_AFTER_GAP: usize = 1 << 32;
const GAP_START_ADDR: usize = FIRST_AFTER_GAP - GAP_SIZE;

View File

@@ -298,6 +298,7 @@ mod tests {
use super::*;
use crate::device_manager::tests::create_address_space;
use crate::test_utils::tests::create_vm_for_test;
use test_utils::skip_if_not_root;
impl Default for BalloonDeviceConfigInfo {
fn default() -> Self {
@@ -330,6 +331,7 @@ mod tests {
#[test]
fn test_balloon_insert_or_update_device() {
skip_if_not_root!();
//Init vm for test.
let mut vm = create_vm_for_test();
@@ -354,6 +356,7 @@ mod tests {
#[test]
fn test_balloon_attach_device() {
skip_if_not_root!();
//Init vm and insert balloon config for test.
let mut vm = create_vm_for_test();
let device_op_ctx = DeviceOpContext::new(
@@ -393,6 +396,7 @@ mod tests {
#[test]
fn test_balloon_update_device() {
skip_if_not_root!();
//Init vm for test.
let mut vm = create_vm_for_test();
let device_op_ctx = DeviceOpContext::new(

View File

@@ -618,6 +618,7 @@ impl MemRegionFactory for MemoryRegionFactory {
#[cfg(test)]
mod tests {
use test_utils::skip_if_not_root;
use vm_memory::GuestMemoryRegion;
use super::*;
@@ -656,6 +657,7 @@ mod tests {
#[test]
fn test_mem_insert_or_update_device() {
skip_if_not_root!();
// Init vm for test.
let mut vm = create_vm_for_test();
@@ -681,6 +683,7 @@ mod tests {
#[test]
fn test_mem_attach_device() {
skip_if_not_root!();
// Init vm and insert mem config for test.
let mut vm = create_vm_for_test();
let dummy_mem_device = MemDeviceConfigInfo::default();
@@ -710,6 +713,7 @@ mod tests {
#[test]
fn test_mem_create_region() {
skip_if_not_root!();
let vm = create_vm_for_test();
let ctx = DeviceOpContext::new(
Some(vm.epoll_manager().clone()),

View File

@@ -277,6 +277,7 @@ impl Default for VhostNetDeviceMgr {
mod tests {
use dbs_utils::net::MacAddr;
use dbs_virtio_devices::Error as VirtioError;
use test_utils::skip_if_not_root;
use crate::{
device_manager::{
@@ -289,6 +290,7 @@ mod tests {
#[test]
fn test_create_vhost_net_device() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mgr = DeviceManager::new_test_mgr();
let id_1 = String::from("id_1");
@@ -321,6 +323,7 @@ mod tests {
#[test]
fn test_attach_vhost_net_device() {
skip_if_not_root!();
// Init vm for test.
let mut vm = create_vm_for_test();
let device_op_ctx = DeviceOpContext::new(
@@ -373,6 +376,7 @@ mod tests {
#[test]
fn test_insert_vhost_net_device() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mut mgr = DeviceManager::new_test_mgr();
@@ -437,6 +441,7 @@ mod tests {
#[test]
fn test_vhost_net_insert_error_cases() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mut mgr = DeviceManager::new_test_mgr();

View File

@@ -219,9 +219,11 @@ impl Default for VhostUserNetDeviceMgr {
mod tests {
use super::*;
use crate::test_utils::tests::create_vm_for_test;
use test_utils::skip_if_not_root;
#[test]
fn test_create_vhost_user_net_device() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mgr = DeviceManager::new_test_mgr();
let sock_1 = String::from("id_1");
@@ -249,6 +251,7 @@ mod tests {
#[test]
fn test_insert_vhost_user_net_device() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mut mgr = DeviceManager::new_test_mgr();
let sock_1 = String::from("id_1");
@@ -277,6 +280,7 @@ mod tests {
#[test]
fn test_vhost_user_net_insert_error_cases() {
skip_if_not_root!();
let vm = create_vm_for_test();
let mut mgr = DeviceManager::new_test_mgr();
let sock_1 = String::from("id_1");

View File

@@ -283,6 +283,13 @@ pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS: &str =
pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL: &str =
"io.katacontainers.config.hypervisor.default_gpu_model";
/// Block device specific annotation for num_queues
pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES: &str =
"io.katacontainers.config.hypervisor.block_device_num_queues";
/// Block device specific annotation for queue_size
pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE: &str =
"io.katacontainers.config.hypervisor.block_device_queue_size";
// Runtime related annotations
/// Prefix for Runtime configurations.
pub const KATA_ANNO_CFG_RUNTIME_PREFIX: &str = "io.katacontainers.config.runtime.";
@@ -503,6 +510,7 @@ impl Annotation {
let u32_err = io::Error::new(io::ErrorKind::InvalidData, "parse u32 error".to_string());
let u64_err = io::Error::new(io::ErrorKind::InvalidData, "parse u64 error".to_string());
let i32_err = io::Error::new(io::ErrorKind::InvalidData, "parse i32 error".to_string());
let usize_err = io::Error::new(io::ErrorKind::InvalidData, "parse usize error".to_string());
let hv = config.hypervisor.get_mut(hypervisor_name).ok_or_else(|| {
io::Error::new(
io::ErrorKind::InvalidData,
@@ -620,7 +628,7 @@ impl Annotation {
hv.boot_info.kernel = value.to_string();
}
KATA_ANNO_CFG_HYPERVISOR_KERNEL_PARAMS => {
hv.boot_info.kernel_params = value.to_string();
hv.boot_info.replace_kernel_params(value);
}
KATA_ANNO_CFG_HYPERVISOR_IMAGE_PATH => {
hv.boot_info.validate_boot_path(value)?;
@@ -960,7 +968,26 @@ impl Annotation {
return Err(u32_err);
}
},
KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES => {
match self.get_value::<usize>(key) {
Ok(v) => {
hv.blockdev_info.num_queues = v.unwrap_or_default();
}
Err(_e) => {
return Err(usize_err);
}
}
}
KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE => {
match self.get_value::<u32>(key) {
Ok(v) => {
hv.blockdev_info.queue_size = v.unwrap_or_default();
}
Err(_e) => {
return Err(u32_err);
}
}
}
_ => {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,

View File
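For illustration only, the new annotation handling boils down to the parse-or-defer pattern sketched below; the helper name and the plain `HashMap` stand in for the real `Annotation` type and are assumptions, not the actual API:

```
use std::collections::HashMap;
use std::io;

// Hypothetical helper mirroring the handling above: a malformed value is a
// hard error, while an absent value is left as 0 so the built-in default is
// applied later by BlockDeviceInfo::adjust_config().
fn block_device_num_queues(annotations: &HashMap<String, String>) -> io::Result<usize> {
    const KEY: &str = "io.katacontainers.config.hypervisor.block_device_num_queues";

    match annotations.get(KEY) {
        None => Ok(0), // 0 means "fall back to DEFAULT_BLOCK_DEVICE_NUM_QUEUES"
        Some(v) => v
            .parse::<usize>()
            .map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "parse usize error")),
    }
}
```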

@@ -41,11 +41,13 @@ pub const DEFAULT_BLOCK_NVDIMM_MEM_OFFSET: u64 = 0;
pub const DEFAULT_BLOCK_DEVICE_AIO_THREADS: &str = "threads";
pub const DEFAULT_BLOCK_DEVICE_AIO_NATIVE: &str = "native";
pub const DEFAULT_BLOCK_DEVICE_AIO: &str = "io_uring";
pub const DEFAULT_BLOCK_DEVICE_NUM_QUEUES: u32 = 1;
pub const DEFAULT_BLOCK_DEVICE_QUEUE_SIZE: u32 = 128;
pub const DEFAULT_SHARED_FS_TYPE: &str = "virtio-fs";
pub const DEFAULT_VIRTIO_FS_CACHE_MODE: &str = "never";
pub const DEFAULT_VIRTIO_FS_DAX_SIZE_MB: u32 = 1024;
pub const DEFAULT_SHARED_9PFS_SIZE_MB: u32 = 128 * 1024;
pub const DEFAULT_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024;
pub const MIN_SHARED_9PFS_SIZE_MB: u32 = 4 * 1024;
pub const MAX_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024 * 1024;
@@ -110,3 +112,6 @@ pub const MAX_REMOTE_VCPUS: u32 = 32;
pub const MIN_REMOTE_MEMORY_SIZE_MB: u32 = 64;
pub const DEFAULT_REMOTE_MEMORY_SIZE_MB: u32 = 128;
pub const DEFAULT_REMOTE_MEMORY_SLOTS: u32 = 128;
// Default configuration for factory/templating
pub const DEFAULT_TEMPLATE_PATH: &str = "/run/vc/vm/template";

View File

@@ -189,6 +189,13 @@ pub struct BlockDeviceInfo {
/// increases the initial max rate
#[serde(default)]
pub disk_rate_limiter_ops_one_time_burst: Option<u64>,
/// virtio queue size (number of descriptor entries per queue)
#[serde(default)]
pub queue_size: u32,
/// block device multi-queue
#[serde(default)]
pub num_queues: usize,
}
impl BlockDeviceInfo {
@@ -219,6 +226,15 @@ impl BlockDeviceInfo {
));
}
}
if self.num_queues == 0 {
self.num_queues = default::DEFAULT_BLOCK_DEVICE_NUM_QUEUES as usize;
}
if self.queue_size == 0 {
self.queue_size = default::DEFAULT_BLOCK_DEVICE_QUEUE_SIZE;
}
if self.memory_offset == 0 {
self.memory_offset = default::DEFAULT_BLOCK_NVDIMM_MEM_OFFSET;
}
@@ -358,6 +374,71 @@ impl BootInfo {
self.kernel_params = p.join(KERNEL_PARAM_DELIMITER);
}
/// Replace kernel parameters with the same key.
///
/// For each parameter in the new_params string, if a parameter with the same key
/// already exists in kernel_params, it will be removed before adding the new one.
/// This allows selective parameter override from annotations without replacing
/// the entire kernel command line.
pub fn replace_kernel_params(&mut self, new_params: &str) {
if new_params.is_empty() {
return;
}
// Parse existing kernel parameters into a map
let mut existing_params: Vec<(String, String)> = Vec::new();
for param in self.kernel_params.split(KERNEL_PARAM_DELIMITER) {
let param = param.trim();
if param.is_empty() {
continue;
}
// Split by '=' to get key and value
if let Some(eq_pos) = param.find('=') {
let key = param[..eq_pos].to_string();
let value = param[eq_pos + 1..].to_string();
existing_params.push((key, value));
} else {
// Parameter without value (like "quiet")
existing_params.push((param.to_string(), String::new()));
}
}
// Parse new parameters and collect keys to replace
let mut new_param_keys: Vec<String> = Vec::new();
let mut new_param_list: Vec<String> = Vec::new();
for param in new_params.split(KERNEL_PARAM_DELIMITER) {
let param = param.trim();
if param.is_empty() {
continue;
}
if let Some(eq_pos) = param.find('=') {
let key = param[..eq_pos].to_string();
new_param_keys.push(key);
} else {
new_param_keys.push(param.to_string());
}
new_param_list.push(param.to_string());
}
// Remove existing parameters that will be replaced
existing_params.retain(|(key, _)| !new_param_keys.contains(key));
// Reconstruct kernel_params: existing params + new params
let mut all_params: Vec<String> = existing_params
.iter()
.map(|(key, value)| {
if value.is_empty() {
key.clone()
} else {
format!("{}={}", key, value)
}
})
.collect();
all_params.extend(new_param_list);
self.kernel_params = all_params.join(KERNEL_PARAM_DELIMITER);
}
/// Validate guest kernel image annotation.
pub fn validate_boot_path(&self, path: &str) -> Result<()> {
validate_path!(path, "path {} is invalid{}")?;

View File
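A usage sketch of the new selective override, assuming `KERNEL_PARAM_DELIMITER` is a single space and that `BootInfo` can be constructed via `Default` — both assumptions for illustration:

```
let mut boot = BootInfo::default();
boot.kernel_params = "console=ttyS0 debug root=/dev/vda1".to_string();

// Only parameters whose key matches are replaced; untouched parameters keep
// their position and the new parameters are appended at the end.
boot.replace_kernel_params("console=hvc0 agent.log=debug");
assert_eq!(
    boot.kernel_params,
    "debug root=/dev/vda1 console=hvc0 agent.log=debug"
);
```

This is what lets a `kernel_params` annotation override individual keys without discarding the rest of the configured command line.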

@@ -91,6 +91,10 @@ impl ConfigPlugin for QemuConfig {
if qemu.memory_info.memory_slots == 0 {
qemu.memory_info.memory_slots = default::DEFAULT_QEMU_MEMORY_SLOTS;
}
if qemu.factory.template_path.is_empty() {
qemu.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
}
}
Ok(())

View File

@@ -65,6 +65,11 @@ impl ConfigPlugin for RemoteConfig {
if remote.memory_info.memory_slots == 0 {
remote.memory_info.memory_slots = default::DEFAULT_REMOTE_MEMORY_SLOTS
}
// Apply factory defaults
if remote.factory.template_path.is_empty() {
remote.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
}
}
Ok(())

View File

@@ -25,6 +25,7 @@ pub enum Error {
}
/// Assigned CPU resources for a Linux container.
/// Stores fractional vCPU allocation for more precise resource tracking.
#[derive(Clone, Default, Debug)]
pub struct LinuxContainerCpuResources {
shares: u64,
@@ -32,7 +33,8 @@ pub struct LinuxContainerCpuResources {
quota: i64,
cpuset: CpuSet,
nodeset: NumaNodeSet,
calculated_vcpu_time_ms: Option<u64>,
/// Calculated fractional vCPU allocation, e.g., 0.25 means 1/4 of a CPU.
calculated_vcpu: Option<f64>,
}
impl LinuxContainerCpuResources {
@@ -61,10 +63,10 @@ impl LinuxContainerCpuResources {
&self.nodeset
}
/// Get number of vCPUs to fulfill the CPU resource request, `None` means unconstrained.
pub fn get_vcpus(&self) -> Option<u64> {
self.calculated_vcpu_time_ms
.map(|v| v.saturating_add(999) / 1000)
/// Get the number of vCPUs assigned to the container as a fractional value.
/// Returns `None` if unconstrained (no limit).
pub fn get_vcpus(&self) -> Option<f64> {
self.calculated_vcpu
}
}
@@ -75,15 +77,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
fn try_from(value: &oci::LinuxCpu) -> Result<Self, Self::Error> {
let period = value.period().unwrap_or(0);
let quota = value.quota().unwrap_or(-1);
let value_cpus = value.cpus().as_ref().map_or("", |cpus| cpus);
let value_cpus = value.cpus().as_deref().unwrap_or("");
let cpuset = CpuSet::from_str(value_cpus).map_err(Error::InvalidCpuSet)?;
let value_mems = value.mems().as_ref().map_or("", |mems| mems);
let value_mems = value.mems().as_deref().unwrap_or("");
let nodeset = NumaNodeSet::from_str(value_mems).map_err(Error::InvalidNodeSet)?;
// If quota is -1, it means the CPU resource request is unconstrained. In that case,
// we don't currently assign additional CPUs.
let milli_sec = if quota >= 0 && period != 0 {
Some((quota as u64).saturating_mul(1000) / period)
// Calculate fractional vCPUs:
// If quota >= 0 and period > 0, vCPUs = quota / period.
// Otherwise, if cpuset is non-empty, derive from cpuset length.
let vcpu_fraction = if quota >= 0 && period > 0 {
Some(quota as f64 / period as f64)
} else if !cpuset.is_empty() {
Some(cpuset.len() as f64)
} else {
None
};
@@ -94,16 +99,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
quota,
cpuset,
nodeset,
calculated_vcpu_time_ms: milli_sec,
calculated_vcpu: vcpu_fraction,
})
}
}
/// Assigned CPU resources for a Linux sandbox/pod.
/// Aggregated CPU resources for a Linux sandbox/pod.
/// Tracks cumulative fractional vCPU allocation across all containers in the pod.
#[derive(Default, Debug)]
pub struct LinuxSandboxCpuResources {
shares: u64,
calculated_vcpu_time_ms: u64,
/// Total fractional vCPU allocation for the sandbox.
calculated_vcpu: f64,
cpuset: CpuSet,
nodeset: NumaNodeSet,
}
@@ -122,9 +129,9 @@ impl LinuxSandboxCpuResources {
self.shares
}
/// Get assigned vCPU time in ms.
pub fn calculated_vcpu_time_ms(&self) -> u64 {
self.calculated_vcpu_time_ms
/// Return the cumulative fractional vCPU allocation for the sandbox.
pub fn calculated_vcpu(&self) -> f64 {
self.calculated_vcpu
}
/// Get the CPU set.
@@ -137,19 +144,23 @@ impl LinuxSandboxCpuResources {
&self.nodeset
}
/// Get number of vCPUs to fulfill the CPU resource request.
pub fn get_vcpus(&self) -> u64 {
if self.calculated_vcpu_time_ms == 0 && !self.cpuset.is_empty() {
self.cpuset.len() as u64
} else {
self.calculated_vcpu_time_ms.saturating_add(999) / 1000
/// Get the number of vCPUs for the sandbox as a fractional value.
/// If no quota is set but a cpuset is defined, return the cpuset length as a float.
pub fn get_vcpus(&self) -> f64 {
if self.calculated_vcpu == 0.0 {
if !self.cpuset.is_empty() {
return self.cpuset.len() as f64;
}
return 0.0;
}
self.calculated_vcpu
}
/// Merge resources assigned to a container into the sandbox/pod resources.
/// Merge container CPU resources into this sandbox CPU resource object.
/// Aggregates fractional vCPU allocation and extends cpuset/nodeset.
pub fn merge(&mut self, container_resource: &LinuxContainerCpuResources) -> &mut Self {
if let Some(v) = container_resource.calculated_vcpu_time_ms.as_ref() {
self.calculated_vcpu_time_ms += v;
if let Some(v) = container_resource.calculated_vcpu {
self.calculated_vcpu += v;
}
self.cpuset.extend(&container_resource.cpuset);
self.nodeset.extend(&container_resource.nodeset);
@@ -160,16 +171,16 @@ impl LinuxSandboxCpuResources {
#[cfg(test)]
mod tests {
use super::*;
const EPSILON: f64 = 0.0001;
#[test]
fn test_linux_container_cpu_resources() {
let resources = LinuxContainerCpuResources::default();
assert_eq!(resources.shares(), 0);
assert_eq!(resources.calculated_vcpu_time_ms, None);
assert!(resources.cpuset.is_empty());
assert!(resources.nodeset.is_empty());
assert!(resources.calculated_vcpu_time_ms.is_none());
assert!(resources.get_vcpus().is_none());
let mut linux_cpu = oci::LinuxCpu::default();
linux_cpu.set_shares(Some(2048));
@@ -182,11 +193,20 @@ mod tests {
assert_eq!(resources.shares(), 2048);
assert_eq!(resources.period(), 100);
assert_eq!(resources.quota(), 1001);
assert_eq!(resources.calculated_vcpu_time_ms, Some(10010));
assert_eq!(resources.get_vcpus().unwrap(), 11);
// Expected fractional vCPUs = quota / period
let expected_vcpus = 1001.0 / 100.0;
assert!(
(resources.get_vcpus().unwrap() - expected_vcpus).abs() < EPSILON,
"got {}, expect {}",
resources.get_vcpus().unwrap(),
expected_vcpus
);
assert_eq!(resources.cpuset().len(), 3);
assert_eq!(resources.nodeset().len(), 1);
// Test cpuset-only path (no quota)
let mut linux_cpu = oci::LinuxCpu::default();
linux_cpu.set_shares(Some(2048));
linux_cpu.set_cpus(Some("1".to_string()));
@@ -196,8 +216,10 @@ mod tests {
assert_eq!(resources.shares(), 2048);
assert_eq!(resources.period(), 0);
assert_eq!(resources.quota(), -1);
assert_eq!(resources.calculated_vcpu_time_ms, None);
assert!(resources.get_vcpus().is_none());
assert!(
(resources.get_vcpus().unwrap() - 1.0).abs() < EPSILON,
"cpuset size vCPU mismatch"
);
assert_eq!(resources.cpuset().len(), 1);
assert_eq!(resources.nodeset().len(), 2);
}
@@ -207,8 +229,7 @@ mod tests {
let mut sandbox = LinuxSandboxCpuResources::new(1024);
assert_eq!(sandbox.shares(), 1024);
assert_eq!(sandbox.get_vcpus(), 0);
assert_eq!(sandbox.calculated_vcpu_time_ms(), 0);
assert_eq!(sandbox.get_vcpus(), 0.0);
assert!(sandbox.cpuset().is_empty());
assert!(sandbox.nodeset().is_empty());
@@ -222,11 +243,20 @@ mod tests {
let resources = LinuxContainerCpuResources::try_from(&linux_cpu).unwrap();
sandbox.merge(&resources);
assert_eq!(sandbox.shares(), 1024);
assert_eq!(sandbox.get_vcpus(), 11);
assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
// vCPUs after merge = quota / period
let expected_vcpus = 1001.0 / 100.0;
assert!(
(sandbox.get_vcpus() - expected_vcpus).abs() < EPSILON,
"sandbox vCPU mismatch: got {}, expect {}",
sandbox.get_vcpus(),
expected_vcpus
);
assert_eq!(sandbox.cpuset().len(), 3);
assert_eq!(sandbox.nodeset().len(), 1);
// Merge cpuset-only container
let mut linux_cpu = oci::LinuxCpu::default();
linux_cpu.set_shares(Some(2048));
linux_cpu.set_cpus(Some("1,4".to_string()));
@@ -236,8 +266,15 @@ mod tests {
sandbox.merge(&resources);
assert_eq!(sandbox.shares(), 1024);
assert_eq!(sandbox.get_vcpus(), 11);
assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
// Expected total = quota-based vCPUs + cpuset length (a cpuset-only container counts its cpuset size as its allocation)
let expected_after_merge = expected_vcpus + resources.get_vcpus().unwrap();
assert!(
(sandbox.get_vcpus() - expected_after_merge).abs() < EPSILON,
"sandbox vCPU mismatch after cpuset merge: got {}, expect {}",
sandbox.get_vcpus(),
expected_after_merge
);
assert_eq!(sandbox.cpuset().len(), 4);
assert_eq!(sandbox.nodeset().len(), 2);
}

View File
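Callers that previously relied on the integer result now receive a fraction; a sketch of how a consumer might still derive a whole vCPU count (an assumption about the caller, not code from this change):

```
// Round the fractional allocation up to whole vCPUs, mirroring what the old
// millisecond-based calculation (ceil(calculated_vcpu_time_ms / 1000)) gave.
fn vcpus_to_allocate(fractional_vcpus: f64) -> u32 {
    fractional_vcpus.ceil() as u32
}

#[test]
fn fractional_to_whole_vcpus() {
    // quota=1001, period=100 -> 10.01 fractional vCPUs -> 11 whole vCPUs,
    // matching the value the removed integer assertions expected.
    assert_eq!(vcpus_to_allocate(1001.0 / 100.0), 11);
    assert_eq!(vcpus_to_allocate(0.25), 1);
}
```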

@@ -52,7 +52,8 @@ pub struct Config {
// the next compact_force_times times, a compaction will be forced
// regardless of the system's memory situation.
// If compact_force_times is set to 0, will do force compaction each time.
// If compact_force_times is set to std::u64::MAX, will never do force compaction.
// If compact_force_times is set to i64::MAX or any larger value (e.g. u64::MAX), force compaction is never performed.
// Note: Using i64::MAX (9223372036854775807) instead of u64::MAX to avoid TOML parser issues.
pub compact_force_times: u64,
}
@@ -67,7 +68,7 @@ impl Default for Config {
compact_sec_max: 5 * 60,
compact_order: PAGE_REPORTING_MIN_ORDER,
compact_threshold: 2 << PAGE_REPORTING_MIN_ORDER,
compact_force_times: u64::MAX,
compact_force_times: i64::MAX as u64,
}
}
}
@@ -133,7 +134,7 @@ impl CompactCore {
}
fn need_force_compact(&self) -> bool {
if self.config.compact_force_times == u64::MAX {
if self.config.compact_force_times >= i64::MAX as u64 {
return false;
}

View File
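The TOML integer type is signed 64-bit, which is why `u64::MAX` cannot survive a round trip through a configuration file; a small sketch under the assumption that the config is deserialized with serde and the `toml` crate:

```
#[derive(serde::Deserialize)]
struct Cfg {
    compact_force_times: u64,
}

#[test]
fn i64_max_parses_but_u64_max_does_not() {
    // i64::MAX fits in TOML's signed 64-bit integer range...
    let cfg: Cfg = toml::from_str("compact_force_times = 9223372036854775807").unwrap();
    assert_eq!(cfg.compact_force_times, i64::MAX as u64);

    // ...while u64::MAX overflows it and fails to parse.
    assert!(toml::from_str::<Cfg>("compact_force_times = 18446744073709551615").is_err());
}
```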

@@ -1,77 +1,31 @@
[workspace]
members = [
"crates/agent",
"crates/hypervisor",
"crates/persist",
"crates/resource",
"crates/runtimes",
"crates/service",
"crates/shim",
"crates/shim-ctl",
[package]
name = "runtime-rs"
version = "0.1.0"
authors = { workspace = true }
description = "Containerd shim runtime for Kata Containers"
keywords = ["kata-containers", "shim"]
repository = "https://github.com/kata-containers/kata-containers.git"
license = { workspace = true }
edition = { workspace = true }
"tests/utils",
]
[[bin]]
name = "containerd-shim-kata-v2"
path = "crates/shim/src/bin/main.rs"
[workspace.package]
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"
[[bin]]
name = "shim-ctl"
path = "crates/shim-ctl/src/main.rs"
[workspace.dependencies]
agent = { path = "crates/agent" }
hypervisor = { path = "crates/hypervisor" }
persist = { path = "crates/persist" }
resource = { path = "crates/resource" }
runtimes = { path = "crates/runtimes" }
service = { path = "crates/service" }
tests_utils = { path = "tests/utils" }
[features]
dragonball = ["runtimes/dragonball"]
cloud-hypervisor = ["runtimes/cloud-hypervisor"]
ch-config = { path = "crates/hypervisor/ch-config" }
common = { path = "crates/runtimes/common" }
linux_container = { path = "crates/runtimes/linux_container" }
virt_container = { path = "crates/runtimes/virt_container" }
wasm_container = { path = "crates/runtimes/wasm_container" }
# Local dependencies from `src/libs`
kata-sys-util = { path = "../libs/kata-sys-util" }
kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
logging = { path = "../libs/logging" }
protocols = { path = "../libs/protocols", features = ["async"] }
runtime-spec = { path = "../libs/runtime-spec" }
safe-path = { path = "../libs/safe-path" }
shim-interface = { path = "../libs/shim-interface" }
test-utils = { path = "../libs/test-utils" }
# Local dependencies from `src/dragonball`
dragonball = { path = "../dragonball" }
dbs-utils = { path = "../dragonball/dbs_utils" }
actix-rt = "2.7.0"
anyhow = "1.0"
async-trait = "0.1.48"
containerd-shim = { version = "0.10.0", features = ["async"] }
containerd-shim-protos = { version = "0.10.0", features = ["async"] }
go-flag = "0.1.0"
hyper = "0.14.20"
hyperlocal = "0.8.0"
lazy_static = "1.4"
libc = "0.2"
log = "0.4.14"
netns-rs = "0.1.0"
# Note: nix needs to stay sync'd with libs versions
nix = "0.26.4"
oci-spec = { version = "0.8.1", features = ["runtime"] }
protobuf = "3.7.2"
rand = "0.8.4"
serde = { version = "1.0.145", features = ["derive"] }
serde_json = "1.0.91"
slog = "2.5.2"
slog-scope = "4.4.0"
strum = { version = "0.24.0", features = ["derive"] }
tempfile = "3.19.1"
thiserror = "1.0"
tokio = "1.46.1"
tracing = "0.1.41"
tracing-opentelemetry = "0.18.0"
ttrpc = "0.8.4"
url = "2.5.4"
[dependencies]
anyhow = { workspace = true }
go-flag = { workspace = true }
nix = { workspace = true }
tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
shim = { path = "crates/shim" }
common = { workspace = true }
logging = { workspace = true }
runtimes = { workspace = true }

View File

@@ -150,8 +150,8 @@ DEFMEMSLOTS := 10
DEFMAXMEMSZ := 0
##VAR DEFBRIDGES=<number> Default number of bridges
DEFBRIDGES := 0
DEFENABLEANNOTATIONS := [\"kernel_params\"]
DEFENABLEANNOTATIONS_COCO := [\"kernel_params\",\"cc_init_data\"]
DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\"]
DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
DEFDISABLEGUESTSECCOMP := true
DEFDISABLEGUESTEMPTYDIR := false
##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
@@ -328,7 +328,7 @@ ifneq (,$(QEMUCMD))
KERNELPATH_COCO = $(KERNELDIR)/$(KERNEL_NAME_COCO)
# overriding options
DEFSTATICRESOURCEMGMT_QEMU := true
DEFSTATICRESOURCEMGMT_QEMU := false
# qemu-specific options
DEFSANDBOXCGROUPONLY_QEMU := false
@@ -347,8 +347,13 @@ endif
DEFBLOCKDEVICEAIO_QEMU := io_uring
DEFNETWORKMODEL_QEMU := tcfilter
DEFDISABLEGUESTSELINUX := true
DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny
DEFGUESTSELINUXLABEL := system_u:system_r:container_t
# Default is empty string "" to match Rust default None (when commented out in config).
# Most users will want to set this to "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
# for better security. Note: "elevateprivileges=deny" doesn't work with daemonize option.
DEFSECCOMPSANDBOXPARAM := ""
# Default is empty string "" to match Rust default None (when commented out in config).
# Most users will want to set this to "system_u:system_r:container_t" for SELinux support.
DEFGUESTSELINUXLABEL := ""
endif
ifneq (,$(FCCMD))
@@ -578,7 +583,7 @@ ifneq ($(EXTRA_RUSTFEATURES),)
endif
TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
TARGET_PATH = ../../target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
##VAR DESTDIR=<path> is a directory prepended to each installed target file
DESTDIR ?= /

Some files were not shown because too many files have changed in this diff Show More