dependabot[bot]
d34d09c949 build(deps): bump actions/download-artifact from 4.3.0 to 8.0.1
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](d3f86a106a...3e5f45b2cf)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 11:17:21 +00:00
112 changed files with 1099 additions and 2078 deletions


@@ -1,13 +0,0 @@
# Context for tools/packaging/kata-deploy/Dockerfile (build from repo root: -f tools/packaging/kata-deploy/Dockerfile .)
#
# The Dockerfile only needs: Cargo.toml, Cargo.lock, src/, tools/packaging/kata-deploy/,
# and versions.yaml. Exclude heavy or irrelevant trees to keep context small.
.git
.github
target
kata-artifacts
docs
tests
utils
tools/packaging/kata-deploy/local-build
tools/packaging/kata-deploy/binary/target


@@ -14,7 +14,7 @@ runs:
using: "composite"
steps:
- name: Install Rust
uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly
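Review bot: The `uses: actions-rs/toolchain@v1` line, which is the new side if this page prints the old line first as the `actions/download-artifact` hunks below do, replaces a full-length commit pin with a mutable major tag, so the action code this composite step executes can change without any commit to this repository. That is the opposite direction from the rest of this compare, which keeps every `download-artifact` reference pinned to a SHA with the version in a trailing comment. Keep the pinned form from the removed line, `uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6`, or pin to the SHA of whichever tag is intended and note the version in the comment so dependabot can still track it. The `runs:`/`steps:` block this step belongs to starts and continues outside the hunk.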


@@ -70,7 +70,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -113,7 +113,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -159,13 +159,13 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
@@ -213,7 +213,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -260,7 +260,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -301,7 +301,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -350,7 +350,7 @@ jobs:
run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -396,13 +396,13 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -70,7 +70,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -112,7 +112,7 @@ jobs:
run: bash tests/stability/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -153,7 +153,7 @@ jobs:
run: bash tests/integration/docker/gha-run.sh install-dependencies
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-artifacts


@@ -191,7 +191,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -285,7 +285,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -338,7 +338,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -448,7 +448,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-tools-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -175,7 +175,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -266,7 +266,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -317,7 +317,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts


@@ -122,7 +122,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -197,7 +197,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -252,7 +252,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts


@@ -156,7 +156,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -206,7 +206,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -283,7 +283,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
@@ -340,7 +340,7 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts


@@ -0,0 +1,35 @@
name: nydus-snapshotter-version-sync
on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
nydus-snapshotter-version-check:
name: nydus-snapshotter-version-check
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Ensure nydus-snapshotter-version is in sync inside our repo
run: |
dockerfile_version=$(grep "ARG NYDUS_SNAPSHOTTER_VERSION" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
if [[ "${dockerfile_version}" != "${versions_version}" ]]; then
echo "nydus-snapshotter version must be the same in the following places: "
echo "- versions.yaml: ${versions_version}"
echo "- tools/packaging/kata-deploy/Dockerfile: ${dockerfile_version}"
exit 1
fi
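Review bot: The comparison on the `if [[ "${dockerfile_version}" != "${versions_version}" ]]` line passes when both lookups come back empty, so a Dockerfile with no `ARG NYDUS_SNAPSHOTTER_VERSION` line and a `versions.yaml` without the `externals.nydus-snapshotter.version` key would be reported as in sync; `yq` typically prints `null` for a missing key, which never equals a real version but is only noticed if the Dockerfile side happens to hold one. The `grep` is also a substring match on the ARG name, so any other `ARG` whose name starts with `NYDUS_SNAPSHOTTER_VERSION` would add a second line to `dockerfile_version`. I would anchor the grep to the whole name and fail explicitly when either value is empty or `null` before comparing them, as below. Whether `yq` is available on the `ubuntu-22.04` runner is not shown here; the step relies on it without installing it.
```yaml
      - name: Ensure nydus-snapshotter-version is in sync inside our repo
        run: |
          dockerfile_version=$(grep -E "^ARG NYDUS_SNAPSHOTTER_VERSION=" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
          versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
          if [[ -z "${dockerfile_version}" || -z "${versions_version}" || "${versions_version}" == "null" ]]; then
            echo "nydus-snapshotter version could not be read from versions.yaml or tools/packaging/kata-deploy/Dockerfile"
            exit 1
          fi
          # … unchanged: mismatch comparison and error report …
```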


@@ -75,7 +75,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}


@@ -54,7 +54,7 @@ jobs:
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64


@@ -54,7 +54,7 @@ jobs:
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-arm64


@@ -51,7 +51,7 @@ jobs:
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-ppc64le


@@ -55,7 +55,7 @@ jobs:
with:
persist-credentials: false
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-s390x


@@ -134,7 +134,7 @@ jobs:
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64
@@ -146,7 +146,7 @@ jobs:
ARCHITECTURE: amd64
- name: Download arm64 artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-arm64
@@ -158,7 +158,7 @@ jobs:
ARCHITECTURE: arm64
- name: Download s390x artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-s390x
@@ -170,7 +170,7 @@ jobs:
ARCHITECTURE: s390x
- name: Download ppc64le artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-ppc64le
@@ -187,7 +187,7 @@ jobs:
echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 tools artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64


@@ -79,7 +79,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
path: kata-artifacts


@@ -86,7 +86,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -76,7 +76,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -66,7 +66,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -87,7 +87,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -84,7 +84,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
@@ -182,7 +182,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
@@ -305,7 +305,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts
@@ -421,7 +421,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-kata-tools-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-tools-artifacts


@@ -58,7 +58,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-artifacts

Cargo.lock generated

@@ -94,12 +94,6 @@ dependencies = [
"memchr",
]
[[package]]
name = "allocator-api2"
version = "0.2.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
[[package]]
name = "android_system_properties"
version = "0.1.5"
@@ -415,28 +409,6 @@ dependencies = [
"windows-sys 0.61.2",
]
[[package]]
name = "async-stream"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476"
dependencies = [
"async-stream-impl",
"futures-core",
"pin-project-lite",
]
[[package]]
name = "async-stream-impl"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "async-task"
version = "4.7.1"
@@ -539,17 +511,6 @@ dependencies = [
"tower-service",
]
[[package]]
name = "backon"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cffb0e931875b666fc4fcb20fee52e9bbd1ef836fd9e9e04ec21555f9f85f7ef"
dependencies = [
"fastrand 2.3.0",
"gloo-timers",
"tokio",
]
[[package]]
name = "backtrace"
version = "0.3.76"
@@ -1311,16 +1272,6 @@ dependencies = [
"darling_macro 0.20.11",
]
[[package]]
name = "darling"
version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
dependencies = [
"darling_core 0.21.3",
"darling_macro 0.21.3",
]
[[package]]
name = "darling_core"
version = "0.14.4"
@@ -1348,20 +1299,6 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "darling_core"
version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
dependencies = [
"fnv",
"ident_case",
"proc-macro2",
"quote",
"strsim",
"syn 2.0.117",
]
[[package]]
name = "darling_macro"
version = "0.14.4"
@@ -1384,17 +1321,6 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "darling_macro"
version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
dependencies = [
"darling_core 0.21.3",
"quote",
"syn 2.0.117",
]
[[package]]
name = "dashmap"
version = "5.5.3"
@@ -1674,27 +1600,6 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "derive_more"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d751e9e49156b02b44f9c1815bcb94b984cdcc4396ecc32521c739452808b134"
dependencies = [
"derive_more-impl",
]
[[package]]
name = "derive_more-impl"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb"
dependencies = [
"proc-macro2",
"quote",
"rustc_version",
"syn 2.0.117",
]
[[package]]
name = "device_tree"
version = "1.1.0"
@@ -1821,18 +1726,6 @@ version = "1.0.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
[[package]]
name = "educe"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417"
dependencies = [
"enum-ordinalize",
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "either"
version = "1.15.0"
@@ -1881,26 +1774,6 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "enum-ordinalize"
version = "4.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a1091a7bb1f8f2c4b28f1fe2cef4980ca2d410a3d727d67ecc3178c9b0800f0"
dependencies = [
"enum-ordinalize-derive",
]
[[package]]
name = "enum-ordinalize-derive"
version = "4.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "enumflags2"
version = "0.7.12"
@@ -2465,18 +2338,6 @@ version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
[[package]]
name = "gloo-timers"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
dependencies = [
"futures-channel",
"futures-core",
"js-sys",
"wasm-bindgen",
]
[[package]]
name = "go-flag"
version = "0.1.0"
@@ -2545,8 +2406,6 @@ version = "0.15.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
dependencies = [
"allocator-api2",
"equivalent",
"foldhash",
]
@@ -2647,17 +2506,6 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "hostname"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "617aaa3557aef3810a6369d0a99fac8a080891b68bd9f9812a1eeda0c0730cbd"
dependencies = [
"cfg-if 1.0.4",
"libc",
"windows-link",
]
[[package]]
name = "http"
version = "0.2.12"
@@ -2795,9 +2643,7 @@ dependencies = [
"http 1.4.0",
"hyper 1.8.1",
"hyper-util",
"log",
"rustls",
"rustls-native-certs",
"rustls-pki-types",
"tokio",
"tokio-rustls",
@@ -2816,19 +2662,6 @@ dependencies = [
"tokio-io-timeout",
]
[[package]]
name = "hyper-timeout"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
dependencies = [
"hyper 1.8.1",
"hyper-util",
"pin-project-lite",
"tokio",
"tower-service",
]
[[package]]
name = "hyper-tls"
version = "0.6.0"
@@ -3294,19 +3127,6 @@ dependencies = [
"thiserror 1.0.69",
]
[[package]]
name = "jsonpath-rust"
version = "0.7.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c00ae348f9f8fd2d09f82a98ca381c60df9e0820d8d79fce43e649b4dc3128b"
dependencies = [
"pest",
"pest_derive",
"regex",
"serde_json",
"thiserror 2.0.18",
]
[[package]]
name = "jsonptr"
version = "0.4.7"
@@ -3381,18 +3201,6 @@ dependencies = [
"tonic-build 0.8.4",
]
[[package]]
name = "k8s-openapi"
version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06d9e5e61dd037cdc51da0d7e2b2be10f497478ea7e120d85dad632adb99882b"
dependencies = [
"base64 0.22.1",
"chrono",
"serde",
"serde_json",
]
[[package]]
name = "kata-agent"
version = "0.1.0"
@@ -3477,28 +3285,6 @@ dependencies = [
"tokio",
]
[[package]]
name = "kata-deploy"
version = "0.1.0"
dependencies = [
"anyhow",
"clap",
"env_logger",
"k8s-openapi",
"kube",
"libc",
"log",
"regex",
"rstest",
"serde_json",
"serde_yaml 0.9.34+deprecated",
"serial_test 0.10.0",
"tempfile",
"tokio",
"toml_edit 0.22.27",
"walkdir",
]
[[package]]
name = "kata-sys-util"
version = "0.1.0"
@@ -3521,8 +3307,6 @@ dependencies = [
"slog",
"slog-scope",
"subprocess",
"tempfile",
"test-utils",
"thiserror 1.0.69",
]
@@ -3541,7 +3325,6 @@ dependencies = [
"num_cpus",
"oci-spec 0.8.4",
"regex",
"rstest",
"safe-path 0.1.0",
"serde",
"serde-enum-str",
@@ -3551,8 +3334,6 @@ dependencies = [
"slog-scope",
"sysctl",
"sysinfo",
"tempfile",
"test-utils",
"thiserror 1.0.69",
"toml",
]
@@ -3577,115 +3358,6 @@ dependencies = [
"libc",
]
[[package]]
name = "kube"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48e7bb0b6a46502cc20e4575b6ff401af45cfea150b34ba272a3410b78aa014e"
dependencies = [
"k8s-openapi",
"kube-client",
"kube-core",
"kube-derive",
"kube-runtime",
]
[[package]]
name = "kube-client"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4987d57a184d2b5294fdad3d7fc7f278899469d21a4da39a8f6ca16426567a36"
dependencies = [
"base64 0.22.1",
"bytes 1.11.1",
"chrono",
"either",
"futures",
"home",
"http 1.4.0",
"http-body 1.0.1",
"http-body-util",
"hyper 1.8.1",
"hyper-rustls",
"hyper-timeout 0.5.2",
"hyper-util",
"jsonpath-rust",
"k8s-openapi",
"kube-core",
"pem",
"rustls",
"secrecy",
"serde",
"serde_json",
"serde_yaml 0.9.34+deprecated",
"thiserror 2.0.18",
"tokio",
"tokio-util",
"tower 0.5.3",
"tower-http",
"tracing",
]
[[package]]
name = "kube-core"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "914bbb770e7bb721a06e3538c0edd2babed46447d128f7c21caa68747060ee73"
dependencies = [
"chrono",
"derive_more",
"form_urlencoded",
"http 1.4.0",
"json-patch 4.1.0",
"k8s-openapi",
"schemars",
"serde",
"serde-value",
"serde_json",
"thiserror 2.0.18",
]
[[package]]
name = "kube-derive"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03dee8252be137772a6ab3508b81cd797dee62ee771112a2453bc85cbbe150d2"
dependencies = [
"darling 0.21.3",
"proc-macro2",
"quote",
"serde",
"serde_json",
"syn 2.0.117",
]
[[package]]
name = "kube-runtime"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6aea4de4b562c5cc89ab10300bb63474ae1fa57ff5a19275f2e26401a323e3fd"
dependencies = [
"ahash 0.8.12",
"async-broadcast 0.7.2",
"async-stream",
"backon",
"educe",
"futures",
"hashbrown 0.15.5",
"hostname",
"json-patch 4.1.0",
"k8s-openapi",
"kube-client",
"parking_lot",
"pin-project",
"serde",
"serde_json",
"thiserror 2.0.18",
"tokio",
"tokio-util",
"tracing",
]
[[package]]
name = "kvm-bindings"
version = "0.14.0"
@@ -3867,7 +3539,6 @@ dependencies = [
"slog-json",
"slog-scope",
"slog-term",
"tempfile",
]
[[package]]
@@ -3913,16 +3584,11 @@ version = "0.2.0"
dependencies = [
"anyhow",
"chrono",
"lazy_static",
"maplit",
"nix 0.30.1",
"once_cell",
"page_size",
"slog",
"slog-async",
"slog-scope",
"slog-term",
"test-utils",
"tokio",
]
@@ -4827,15 +4493,6 @@ dependencies = [
"num-traits",
]
[[package]]
name = "ordered-float"
version = "2.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
dependencies = [
"num-traits",
]
[[package]]
name = "ordered-multimap"
version = "0.4.3"
@@ -4945,16 +4602,6 @@ dependencies = [
"quote",
]
[[package]]
name = "pem"
version = "3.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
dependencies = [
"base64 0.22.1",
"serde_core",
]
[[package]]
name = "percent-encoding"
version = "2.3.2"
@@ -4974,49 +4621,6 @@ dependencies = [
"serde_json",
]
[[package]]
name = "pest"
version = "2.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e0848c601009d37dfa3430c4666e147e49cdcf1b92ecd3e63657d8a5f19da662"
dependencies = [
"memchr",
"ucd-trie",
]
[[package]]
name = "pest_derive"
version = "2.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "11f486f1ea21e6c10ed15d5a7c77165d0ee443402f0780849d1768e7d9d6fe77"
dependencies = [
"pest",
"pest_generator",
]
[[package]]
name = "pest_generator"
version = "2.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8040c4647b13b210a963c1ed407c1ff4fdfa01c31d6d2a098218702e6664f94f"
dependencies = [
"pest",
"pest_meta",
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "pest_meta"
version = "2.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "89815c69d36021a140146f26659a81d6c2afa33d216d736dd4be5381a7362220"
dependencies = [
"pest",
"sha2 0.10.9",
]
[[package]]
name = "petgraph"
version = "0.5.1"
@@ -6370,9 +5974,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
dependencies = [
"aws-lc-rs",
"log",
"once_cell",
"ring",
"rustls-pki-types",
"rustls-webpki",
"subtle",
@@ -6471,7 +6073,6 @@ name = "safe-path"
version = "0.1.0"
dependencies = [
"libc",
"tempfile",
]
[[package]]
@@ -6518,23 +6119,10 @@ checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc"
dependencies = [
"dyn-clone",
"ref-cast",
"schemars_derive",
"serde",
"serde_json",
]
[[package]]
name = "schemars_derive"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d115b50f4aaeea07e79c1912f645c7513d81715d0420f8bc77a18c6260b307f"
dependencies = [
"proc-macro2",
"quote",
"serde_derive_internals",
"syn 2.0.117",
]
[[package]]
name = "scientific"
version = "0.5.3"
@@ -6576,15 +6164,6 @@ dependencies = [
"libc",
]
[[package]]
name = "secrecy"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a"
dependencies = [
"zeroize",
]
[[package]]
name = "security-framework"
version = "3.7.0"
@@ -6664,16 +6243,6 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8a059d895f1a31dd928f40abbea4e7177e3d8ff3aa4152fdb7a396ae1ef63a3"
[[package]]
name = "serde-value"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
dependencies = [
"ordered-float 2.10.1",
"serde",
]
[[package]]
name = "serde_core"
version = "1.0.228"
@@ -6694,17 +6263,6 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "serde_derive_internals"
version = "0.29.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "serde_ignored"
version = "0.1.14"
@@ -6938,8 +6496,6 @@ dependencies = [
"kata-sys-util",
"kata-types",
"nix 0.26.4",
"tempfile",
"test-utils",
"tokio",
]
@@ -7459,7 +7015,7 @@ dependencies = [
"byteorder",
"integer-encoding",
"log",
"ordered-float 1.1.1",
"ordered-float",
"threadpool",
]
@@ -7607,7 +7163,6 @@ dependencies = [
"futures-core",
"futures-sink",
"pin-project-lite",
"slab",
"tokio",
]
@@ -7672,18 +7227,6 @@ dependencies = [
"winnow 0.5.40",
]
[[package]]
name = "toml_edit"
version = "0.22.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
dependencies = [
"indexmap 2.13.0",
"toml_datetime 0.6.11",
"toml_write",
"winnow 0.7.15",
]
[[package]]
name = "toml_edit"
version = "0.25.4+spec-1.1.0"
@@ -7705,12 +7248,6 @@ dependencies = [
"winnow 0.7.15",
]
[[package]]
name = "toml_write"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
[[package]]
name = "tonic"
version = "0.9.2"
@@ -7727,7 +7264,7 @@ dependencies = [
"http 0.2.12",
"http-body 0.4.6",
"hyper 0.14.32",
"hyper-timeout 0.4.1",
"hyper-timeout",
"percent-encoding",
"pin-project",
"prost 0.11.9",
@@ -7796,10 +7333,8 @@ dependencies = [
"pin-project-lite",
"sync_wrapper 1.0.2",
"tokio",
"tokio-util",
"tower-layer",
"tower-service",
"tracing",
]
[[package]]
@@ -7808,19 +7343,16 @@ version = "0.6.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
dependencies = [
"base64 0.22.1",
"bitflags 2.11.0",
"bytes 1.11.1",
"futures-util",
"http 1.4.0",
"http-body 1.0.1",
"iri-string",
"mime",
"pin-project-lite",
"tower 0.5.3",
"tower-layer",
"tower-service",
"tracing",
]
[[package]]
@@ -7993,12 +7525,6 @@ version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
[[package]]
name = "ucd-trie"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
[[package]]
name = "uds_windows"
version = "1.2.0"


@@ -6,17 +6,6 @@ rust-version = "1.88"
[workspace]
members = [
# libs
"src/libs/kata-sys-util",
"src/libs/kata-types",
"src/libs/logging",
"src/libs/mem-agent",
"src/libs/protocols",
"src/libs/runtime-spec",
"src/libs/safe-path",
"src/libs/shim-interface",
"src/libs/test-utils",
# kata-agent
"src/agent",
"src/agent/rustjail",
@@ -42,9 +31,6 @@ members = [
# genpolicy
"src/tools/genpolicy",
# kata-deploy (Kubernetes installer binary)
"tools/packaging/kata-deploy/binary",
# runtime-rs
"src/runtime-rs",
"src/runtime-rs/crates/agent",
@@ -62,6 +48,10 @@ resolver = "2"
# TODO: Add all excluded crates to root workspace
exclude = [
"src/tools",
"src/libs",
# kata-deploy binary is standalone and has its own Cargo.toml for now
"tools/packaging/kata-deploy/binary",
# We are cloning and building rust packages under
# "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
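Review bot: Adding `src/libs` and `tools/packaging/kata-deploy/binary` to `exclude` takes those crates out of the root workspace, so a root-level `cargo test --workspace`, `cargo clippy --workspace`, `cargo audit` or `cargo deny` no longer covers them, and each excluded tree resolves and pins its own dependency graph in a separate Cargo.lock. Unless CI runs the same checks inside every excluded directory, the libraries and the kata-deploy binary end up with transitive dependencies that the root lockfile neither pins nor audits; the workflow files are not visible here, so please confirm. The `# TODO: Add all excluded crates to root workspace` comment a few lines above now points the opposite way from this change and should say why `src/libs` is deliberately separate, e.g. `# src/libs is its own cargo workspace (src/libs/Cargo.toml); keep its lockfile and CI checks in sync with the root.`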


@@ -213,10 +213,12 @@ API and kernel drivers, interacting with the pass-through GPU device.
An additional step is exercised in our CI samples: when using images from an
authenticated registry, the guest-pull mechanism triggers attestation using
Trustee's Key Broker Service (KBS) for secure release of the NGC API
authentication key used to access the NVCR container registry.
In this flow the CPU and all additional devices are attested.
GPUs will automatically be set to ready by NVRC per the NVRC configuration
flag in the default kernel command line.
authentication key used to access the NVCR container registry. As part of
this, the attestation agent exercises composite attestation and transitions
the GPU into `Ready` state (without this, the GPU has to explicitly be
transitioned into `Ready` state by passing the `nvrc.smi.srs=1` kernel
parameter via the shim config, causing NVRC to transition the GPU into the
`Ready` state).
## Deployment Guidance
@@ -225,7 +227,7 @@ Kata's non-TEE and TEE GPU workload deployment scenarios for your Kubernetes
nodes. We provide guidance based on the upstream Kata CI procedures for the
NVIDIA GPU CI validation jobs. Note that, this setup:
- uses the nydus snapshotter to pull container image layers in the guest
- uses the guest image pull method to pull container image layers
- uses the genpolicy tool to attach Kata agent security policies to the pod
manifest
- has dedicated (composite) attestation tests, a CUDA vectorAdd test, and a
@@ -248,17 +250,6 @@ Service NRAS
- container image signature verification and encrypted container images
- ephemeral container data and image layer storage
For the use of these features, we refer to separate documentation in the
kata-containers and confidential-containers documentation resources.
For example, see a
[list of features](https://confidentialcontainers.org/docs/features/) along
with their documentation in the confidential-containers documentation.
> **Note:**
>
> Image signature verification for signed multi-arch images is currently not
> supported.
### Requirements
The requirements for the TEE scenario are:
@@ -281,8 +272,8 @@ selecting proper hardware and on properly configuring its firmware and OS.
#### Containerd and Kubernetes
First, set up your Kubernetes cluster. For instance, in Kata CI, our NVIDIA
jobs use a single-node vanilla Kubernetes cluster with containerd v2.2
and Kata's current supported Kubernetes version. This cluster is
jobs use a single-node vanilla Kubernetes cluster with a 2.1 containerd
version and Kata's current supported Kubernetes version. This cluster is
being set up using the `deploy_k8s` function from the script file
`tests/integration/kubernetes/gha-run.sh`. If you intend to run this script,
follow these steps, and make sure you have `yq` and `helm` installed. Note
@@ -293,7 +284,7 @@ You can execute the function as follows:
$ export GH_TOKEN="<your-gh-pat>"
$ export KUBERNETES="vanilla"
$ export CONTAINER_ENGINE="containerd"
$ export CONTAINER_ENGINE_VERSION="v2.2"
$ export CONTAINER_ENGINE_VERSION="v2.1"
$ source tests/gha-run-k8s-common.sh
$ deploy_k8s
```
@@ -309,13 +300,6 @@ $ deploy_k8s
> `create_container_timeout` of 1200s, which is the equivalent value on shim
> side, controlling the time the shim allows for a container to remain in
> *container creating* state.
> If you need a timeout of more than 1200s, you will also need to adjust the
> agent's `image_pull_timeout`, which in turn sets the confidential data
> hub's image pull API timeout in seconds. For this, add the
> `agent.image_pull_timeout=<seconds>` kernel parameter to your shim
> configuration's `kernel_params` field, or pass the parameter explicitly
> via the `io.katacontainers.config.hypervisor.kernel_params: "..."` pod
> annotation. The default value for this timeout is 1200s.
> **Note:**
>
@@ -372,7 +356,7 @@ $ helm install --wait --generate-name \
Install the latest Kata Containers helm chart, similar to
[existing documentation](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/README.md)
(minimum version: `3.29.0`).
(minimum version: `3.24.0`).
```bash
$ export VERSION=$(curl -sSL https://api.github.com/repos/kata-containers/kata-containers/releases/latest | jq .tag_name | tr -d '"')
@@ -387,13 +371,6 @@ $ helm install kata-deploy \
"${CHART}" --version "${VERSION}"
```
> **Note:**
>
> For node lifecycle management, see the
> [lifecycle-manager](https://github.com/kata-containers/lifecycle-manager)
> repository which enables Argo Workflows-based lifecycle management for your
> node's Kata deployments.
#### Trustee's KBS for remote attestation
For our Kata CI runners we use Trustee's KBS for composite attestation for
@@ -463,6 +440,8 @@ kind: Pod
metadata:
name: cuda-vectoradd-kata
namespace: default
annotations:
io.katacontainers.config.hypervisor.kernel_params: "nvrc.smi.srs=1"
spec:
runtimeClassName: ${GPU_RUNTIME_CLASS_NAME}
restartPolicy: Never
@@ -587,21 +566,21 @@ With GPU passthrough being supported by the
you can use the tool to create a Kata agent security policy. Our CI deploys
all sample pod manifests with a Kata agent security policy.
Note that, in Kata CI, we use snippets such as the following to modify the
genpolicy default settings:
Note that, using containerd 2.1 in upstream's CI, we use the following
modification to the genpolicy default settings:
```bash
[
{
"op": "replace",
"path": "/kata_config/oci_version",
"value": "1.3.0"
"value": "1.2.1"
}
]
```
This modification is applied via the genpolicy drop-in configuration file
`src/tools/genpolicy/drop-in-examples/20-oci-1.3.0-drop-in.json`.
When using a newer (or older) containerd version, the OCI version field
may need to be adjusted accordingly.
`src\tools\genpolicy\drop-in-examples\20-oci-1.2.1-drop-in.json`.
When using a newer containerd version, such as containerd 2.2, the OCI
version field needs to be adjusted to "1.3.0", for instance.
#### Deploy pods using your own containers and manifests
@@ -609,7 +588,12 @@ You can author pod manifests leveraging your own containers, for instance,
containers built using the CUDA container toolkit. We recommend to start
with a CUDA base container.
When using the GPU runtime classes, the GPUs will automatically be set to ready.
The GPU is transitioned into the `Ready` state via attestation, for instance,
when pulling authenticated images. If your deployment scenario does not use
attestation, please refer back to the CUDA vectorAdd pod manifest. In this
manifest, we ensure that NVRC sets the GPU to `Ready` state by adding the
following annotation in the manifest:
`io.katacontainers.config.hypervisor.kernel_params: "nvrc.smi.srs=1"`
> **Notes:**
>


@@ -10,7 +10,7 @@ use std::sync::Arc;
use crate::storage::{common_storage_handler, new_device, StorageContext, StorageHandler};
use anyhow::{anyhow, Context, Result};
use kata_types::device::{DRIVER_OVERLAYFS_TYPE, DRIVER_VIRTIOFS_TYPE};
use kata_types::device::{DRIVER_9P_TYPE, DRIVER_OVERLAYFS_TYPE, DRIVER_VIRTIOFS_TYPE};
use kata_types::mount::{StorageDevice, KATA_VOLUME_OVERLAYFS_CREATE_DIR};
use protocols::agent::Storage;
use tracing::instrument;
@@ -69,6 +69,27 @@ impl StorageHandler for OverlayfsHandler {
}
}
#[derive(Debug)]
pub struct Virtio9pHandler {}
#[async_trait::async_trait]
impl StorageHandler for Virtio9pHandler {
#[instrument]
fn driver_types(&self) -> &[&str] {
&[DRIVER_9P_TYPE]
}
#[instrument]
async fn create_device(
&self,
storage: Storage,
ctx: &mut StorageContext,
) -> Result<Arc<dyn StorageDevice>> {
let path = common_storage_handler(ctx.logger, &storage)?;
new_device(path)
}
}
#[derive(Debug)]
pub struct VirtioFsHandler {}
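Review bot: `Virtio9pHandler::create_device` forwards the host-supplied `Storage` (source, fstype, options) straight to `common_storage_handler` without checking that `storage.fstype` is actually `9p`, so a request tagged with the `9p` driver is mounted as whatever filesystem type the message names unless `common_storage_handler` enforces that itself (its body is not visible here). A guard such as `anyhow::ensure!(storage.fstype == "9p", "unexpected fstype {} for 9p storage", storage.fstype);` before the call keeps the handler self-contained. In confidential deployments the set of accepted storage drivers is part of what the agent security policy gates; if genpolicy enumerates allowed drivers, `DRIVER_9P_TYPE` needs to be added there deliberately or rejected by default, which is worth confirming since the policy rules are outside this diff. A one-line doc comment on the new type, `/// Storage handler for virtio-9p shares passed through by the host (driver "9p").`, would also help.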

View File

@@ -23,7 +23,7 @@ use tracing::instrument;
use self::bind_watcher_handler::BindWatcherHandler;
use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler};
use self::ephemeral_handler::EphemeralHandler;
use self::fs_handler::{OverlayfsHandler, VirtioFsHandler};
use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler};
use self::image_pull_handler::ImagePullHandler;
use self::local_handler::LocalHandler;
use crate::mount::{baremount, is_mounted, remove_mounts};
@@ -134,6 +134,7 @@ lazy_static! {
pub static ref STORAGE_HANDLERS: StorageHandlerManager<Arc<dyn StorageHandler>> = {
let mut manager: StorageHandlerManager<Arc<dyn StorageHandler>> = StorageHandlerManager::new();
let handlers: Vec<Arc<dyn StorageHandler>> = vec![
Arc::new(Virtio9pHandler {}),
Arc::new(VirtioBlkMmioHandler {}),
Arc::new(VirtioBlkPciHandler {}),
Arc::new(EphemeralHandler {}),


@@ -425,7 +425,7 @@ impl SandboxStorages {
/// or updated file to a target mount point, or remove the removed file from the target mount point. All WatchableStorage
/// target mount points are expected to reside within a single tmpfs, whose root is created by the BindWatcher.
///
/// This is a temporary workaround to handle config map updates until we get inotify on virtio-fs.
/// This is a temporary workaround to handle config map updates until we get inotify on 9p/virtio-fs.
/// More context on this:
/// - https://github.com/kata-containers/runtime/issues/1505
/// - https://github.com/kata-containers/kata-containers/issues/1879

13
src/libs/Cargo.toml Normal file

@@ -0,0 +1,13 @@
[workspace]
members = [
"kata-sys-util",
"kata-types",
"logging",
"mem-agent",
"protocols",
"runtime-spec",
"safe-path",
"shim-interface",
"test-utils",
]
resolver = "2"
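Review bot: This manifest turns `src/libs` into a standalone workspace, which means a second `Cargo.lock` and a second dependency resolution that the root lockfile and any root-level `cargo audit`/`cargo deny`/clippy run no longer govern. Unless `src/libs/Cargo.lock` is committed and the supply-chain checks are also run from this directory, the nine library crates can resolve to different, unreviewed transitive versions than the binaries that link them; whether that lockfile exists cannot be seen from this page. A short header comment stating the intent would help the next reader, e.g. `# Standalone workspace for the shared libraries; keep Cargo.lock committed and run the same audit/clippy checks here as at the repository root.`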


@@ -11,17 +11,6 @@ ifeq ($(USERID), 0)
override EXTRA_TEST_FLAGS = --ignored
endif
LIBS := \
-p kata-sys-util \
-p kata-types \
-p logging \
-p mem-agent \
-p protocols \
-p runtime-spec \
-p safe-path \
-p shim-interface \
-p test-utils
default: build
build:
@@ -34,13 +23,13 @@ check: clippy format
clippy:
@echo "INFO: cargo clippy..."
cargo clippy $(LIBS) --all-features --release \
cargo clippy --all-targets --all-features --release \
-- \
-D warnings
format:
@echo "INFO: cargo fmt..."
cargo fmt $(LIBS) -- --check
cargo fmt -- --check
clean:
cargo clean
@@ -49,8 +38,8 @@ clean:
# See the `test_logger_levels()` test for further information.
test:
@echo "INFO: testing libraries for development build"
cargo test $(LIBS) $(EXTRA_RUSTFEATURES) -- --nocapture $(EXTRA_TEST_FLAGS)
cargo test --all $(EXTRA_RUSTFEATURES) -- --nocapture $(EXTRA_TEST_FLAGS)
@echo "INFO: testing libraries for release build"
cargo test --release $(LIBS) $(EXTRA_RUSTFEATURES) -- --nocapture $(EXTRA_TEST_FLAGS)
cargo test --release --all $(EXTRA_RUSTFEATURES) -- --nocapture $(EXTRA_TEST_FLAGS)
.PHONY: install vendor
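Review bot: The `test` target switches to `cargo test --all`, which is the long-deprecated spelling of `--workspace`; `cargo test --workspace $(EXTRA_RUSTFEATURES) -- --nocapture $(EXTRA_TEST_FLAGS)` (and the same for the release line) states the intent and matches current cargo documentation. The `clippy`, `format` and `test` targets now also depend on being invoked from `src/libs`, since without the `-p` list they act on whatever workspace the current directory belongs to; a one-line comment such as `# This directory is its own cargo workspace (see Cargo.toml here); run these targets from src/libs.` would prevent surprises when the Makefile is included from elsewhere.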


@@ -257,7 +257,7 @@ pub const KATA_ANNO_CFG_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR: &str =
"io.katacontainers.config.hypervisor.rootless";
// Hypervisor Shared File System related annotations
/// A sandbox annotation to specify the shared file system type, either virtio-fs(default), inline-virtio-fs, virtio-fs-nydus or none.
/// A sandbox annotation to specify the shared file system type, either inline-virtio-fs (default), virtio-9p, virtio-fs or virtio-fs-nydus.
pub const KATA_ANNO_CFG_HYPERVISOR_SHARED_FS: &str =
"io.katacontainers.config.hypervisor.shared_fs";
/// A sandbox annotations to specify virtio-fs vhost-user daemon path.
@@ -272,6 +272,8 @@ pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_FS_CACHE_SIZE: &str =
/// A sandbox annotation to pass options to virtiofsd daemon.
pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str =
"io.katacontainers.config.hypervisor.virtio_fs_extra_args";
/// A sandbox annotation to specify as the msize for 9p shares.
pub const KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p";
/// The initdata annotation passed in when CVM launchs
pub const KATA_ANNO_CFG_HYPERVISOR_INIT_DATA: &str =
"io.katacontainers.config.hypervisor.cc_init_data";
@@ -973,6 +975,14 @@ impl Annotation {
hv.shared_fs.virtio_fs_extra_args.push(arg.to_string());
}
}
KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P => match self.get_value::<u32>(key) {
Ok(v) => {
hv.shared_fs.msize_9p = v.unwrap_or_default();
}
Err(_e) => {
return Err(u32_err);
}
},
KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES => {
match self.get_value::<usize>(key) {
Ok(v) => {
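Review bot: The new `KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P` arm stores the pod-supplied value into `hv.shared_fs.msize_9p` with no range check, whereas the configuration-file path bounds `msize_9p` by `MIN_SHARED_9PFS_SIZE_MB`/`MAX_SHARED_9PFS_SIZE_MB` in `SharedFsInfo::validate`; unless that validator is re-run after annotations are applied (not visible here), a pod annotation can set an out-of-range `msize`. A present-but-empty value also becomes `0` through `unwrap_or_default()`, which is only replaced by the default if `adjust_config` runs afterwards. Rejecting bad input at the annotation boundary is cheaper than debugging a failed 9p mount later, e.g. `let v = v.unwrap_or(DEFAULT_SHARED_9PFS_SIZE_MB); if !(MIN_SHARED_9PFS_SIZE_MB..=MAX_SHARED_9PFS_SIZE_MB).contains(&v) { return Err(u32_err); }` before the assignment, with the three constants brought in from the `config::default` module. Please also confirm the new key is subject to the same `enable_annotations` allow-list as the other hypervisor annotations; the enclosing `match` starts well before this hunk.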

View File

@@ -19,7 +19,6 @@ use super::default::{
pub const AGENT_NAME_KATA: &str = "kata";
#[derive(Default, Debug, Deserialize, Serialize, Clone)]
#[serde(deny_unknown_fields)]
pub struct MemAgent {
#[serde(default, alias = "mem_agent_enable")]
pub enable: bool,
@@ -59,7 +58,6 @@ pub struct MemAgent {
/// Kata agent configuration information.
#[derive(Debug, Deserialize, Serialize, Clone)]
#[serde(deny_unknown_fields)]
pub struct Agent {
/// If enabled, the agent will log additional debug messages to the system log.
#[serde(default, rename = "enable_debug")]
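Review bot: Dropping `#[serde(deny_unknown_fields)]` from `MemAgent` and `Agent` means a misspelled or renamed key in the `[agent.*]` configuration is now silently ignored and the field quietly keeps its default, which is the wrong direction for switches such as debug, tracing and request timeouts. The test fixtures in this same change illustrate the risk: they now write `debug = true` and `dial_timeout = 1` while the struct still declares `#[serde(default, rename = "enable_debug")]` right here, so unless an alias exists outside the hunk those keys are neither rejected nor applied. If the attribute has to go for compatibility, keep the strictness and add the legacy spellings explicitly, `#[serde(default, rename = "enable_debug", alias = "debug")]`, or at minimum log unknown keys at load time. Both struct bodies continue past this hunk.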

View File

@@ -47,6 +47,9 @@ pub const DEFAULT_BLOCK_DEVICE_QUEUE_SIZE: u32 = 128;
pub const DEFAULT_SHARED_FS_TYPE: &str = "virtio-fs";
pub const DEFAULT_VIRTIO_FS_CACHE_MODE: &str = "never";
pub const DEFAULT_VIRTIO_FS_DAX_SIZE_MB: u32 = 1024;
pub const DEFAULT_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024;
pub const MIN_SHARED_9PFS_SIZE_MB: u32 = 4 * 1024;
pub const MAX_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024 * 1024;
pub const DEFAULT_GUEST_HOOK_PATH: &str = "/opt/kata/hooks";
pub const DEFAULT_GUEST_DNS_FILE: &str = "/etc/resolv.conf";
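Review bot: The three new constants are named `*_SHARED_9PFS_SIZE_MB`, but they bound the 9p `msize`, which the `SharedFsInfo::msize_9p` doc in this same change describes as a number of bytes per 9p packet payload and which the test fixtures set to `msize_9p = 16384`; a "MB" default of `8 * 1024` is therefore 8 KiB, not 8 GiB. Anyone tuning the limit from the name alone will be off by a factor of 2^20, so rename to `DEFAULT_SHARED_9PFS_MSIZE_BYTES`, `MIN_SHARED_9PFS_MSIZE_BYTES` and `MAX_SHARED_9PFS_MSIZE_BYTES`, or at least state the unit: `/// 9p msize (bytes per 9p message); min/max bound what config files and annotations may set.`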


@@ -346,7 +346,7 @@ mod drop_in_directory_handling {
let dropin_override_data = r#"
[hypervisor.qemu]
shared_fs = "none"
shared_fs = "virtio-9p"
[runtime]
vfio_mode="vfio"
"#;
@@ -372,7 +372,7 @@ mod drop_in_directory_handling {
assert_eq!(config.hypervisor["qemu"].device_info.default_bridges, 4);
assert_eq!(
config.hypervisor["qemu"].shared_fs.shared_fs.as_deref(),
Some("none")
Some("virtio-9p")
);
assert!(config.runtime.debug);
assert!(config.runtime.sandbox_cgroup_only);


@@ -68,6 +68,7 @@ mod firecracker;
pub use self::firecracker::{FirecrackerConfig, HYPERVISOR_NAME_FIRECRACKER};
const NO_VIRTIO_FS: &str = "none";
const VIRTIO_9P: &str = "virtio-9p";
const VIRTIO_FS: &str = "virtio-fs";
const VIRTIO_FS_INLINE: &str = "inline-virtio-fs";
const MAX_BRIDGE_SIZE: u32 = 5;
@@ -707,10 +708,10 @@ pub struct DebugInfo {
///
/// Example usage in configuration:
/// ```toml
/// extra_monitor_socket = "hmp"
/// dbg_monitor_socket = "hmp"
/// ```
#[serde(default, alias = "dbg_monitor_socket")]
pub extra_monitor_socket: String,
#[serde(default)]
pub dbg_monitor_socket: String,
}
impl DebugInfo {
@@ -1237,7 +1238,6 @@ impl NetworkInfo {
/// Configuration information for rootless user.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
pub struct RootlessUser {
/// The UID of the rootless user.
#[serde(default)]
@@ -1418,13 +1418,12 @@ impl SecurityInfo {
}
}
/// Configuration information for shared filesystems, such as virtio-fs-nydus and virtio-fs.
/// Configuration information for shared filesystems, such as virtio-9p and virtio-fs.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct SharedFsInfo {
/// Type of shared file system to use:
/// - `virtio-fs` (default)
/// - `inline-virtio-fs`
/// - `virtio-fs-nydus`
/// - `virtio-9p`
/// - `none` (disables shared filesystem)
pub shared_fs: Option<String>,
@@ -1466,13 +1465,18 @@ pub struct SharedFsInfo {
/// Enables `virtio-fs` DAX (Direct Access) window if `true`.
#[serde(default)]
pub virtio_fs_is_dax: bool,
/// This is the `msize` used for 9p shares. It represents the number of bytes
/// used for the 9p packet payload.
#[serde(default)]
pub msize_9p: u32,
}
impl SharedFsInfo {
/// Adjusts the shared filesystem configuration after loading from a configuration file.
///
/// Handles default values for `shared_fs` type, `virtio-fs` specific settings
/// (daemon path, cache mode, DAX) or `inline-virtio-fs` settings.
/// (daemon path, cache mode, DAX), and `virtio-9p` msize.
pub fn adjust_config(&mut self) -> Result<()> {
if self.shared_fs.as_deref() == Some(NO_VIRTIO_FS) {
self.shared_fs = None;
@@ -1485,6 +1489,11 @@ impl SharedFsInfo {
match self.shared_fs.as_deref() {
Some(VIRTIO_FS) => self.adjust_virtio_fs(false)?,
Some(VIRTIO_FS_INLINE) => self.adjust_virtio_fs(true)?,
Some(VIRTIO_9P) => {
if self.msize_9p == 0 {
self.msize_9p = default::DEFAULT_SHARED_9PFS_SIZE_MB;
}
}
_ => {}
}
@@ -1494,12 +1503,23 @@ impl SharedFsInfo {
/// Validates the shared filesystem configuration.
///
/// Checks the validity of the selected `shared_fs` type and
/// performs specific validations for `virtio-fs` and `inline-virtio-fs` settings.
/// performs specific validations for `virtio-fs` and `virtio-9p` settings.
pub fn validate(&self) -> Result<()> {
match self.shared_fs.as_deref() {
None => Ok(()),
Some(VIRTIO_FS) => self.validate_virtio_fs(false),
Some(VIRTIO_FS_INLINE) => self.validate_virtio_fs(true),
Some(VIRTIO_9P) => {
if self.msize_9p < default::MIN_SHARED_9PFS_SIZE_MB
|| self.msize_9p > default::MAX_SHARED_9PFS_SIZE_MB
{
return Err(std::io::Error::other(format!(
"Invalid 9p configuration msize 0x{:x}, min value is 0x{:x}, max value is 0x{:x}",
self.msize_9p,default::MIN_SHARED_9PFS_SIZE_MB, default::MAX_SHARED_9PFS_SIZE_MB
)));
}
Ok(())
}
Some(v) => Err(std::io::Error::other(format!("Invalid shared_fs type {v}"))),
}
}
@@ -1623,7 +1643,6 @@ impl VmTemplateInfo {
/// Configuration information for VM factory (templating, caches, etc.).
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
pub struct Factory {
/// Enable VM templating support.
/// When enabled, new VMs may be created from a template to speed up creation.
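Review bot: Removing `#[serde(deny_unknown_fields)]` from `RootlessUser` (and from `Factory` at the end of the section) means a mistyped `uid`/`gid` key in the rootless section no longer fails to parse; with `#[serde(default)]` on the fields the value silently becomes `0`, which is presumably not what a privilege-reducing setting is meant to fall back to, and the operator gets no signal that the hardening was not applied. Strict parsing is the safer default for a struct whose only job is privilege reduction; if some deployments ship extra keys, add `#[serde(alias = "...")]` for the known legacy names and keep `deny_unknown_fields`. Separately, the new 9p `validate` arm prints byte counts in hex and is missing a space after `self.msize_9p,`; `format!("Invalid 9p msize {}: expected {}..={} bytes", self.msize_9p, default::MIN_SHARED_9PFS_SIZE_MB, default::MAX_SHARED_9PFS_SIZE_MB)` is easier to act on. The `RootlessUser` and `Factory` bodies continue past their hunks.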

View File

@@ -8,7 +8,6 @@ use std::io::Result;
use regex::Regex;
#[derive(Debug, Deserialize, Serialize, Clone, Default)]
#[serde(deny_unknown_fields)]
pub struct SharedMount {
/// Name is used to identify a pair of shared mount points.
/// This field cannot be omitted.
@@ -144,6 +143,7 @@ mod tests {
shared_mount_annotation: r#"
{
"name": "test",
"src": "sidecar",
"src_path": "/mnt/storage",
"dst_ctr": "app",
"dst_path": "/mnt/storage"
@@ -156,6 +156,7 @@ mod tests {
{
"name": "test",
"src_ctr": "sidecar",
"src_dir": "/mnt/storage",
"dst_ctr": "app",
"dst_path": "/mnt/storage"
}"#,
@@ -168,6 +169,7 @@ mod tests {
"name": "test",
"src_ctr": "sidecar",
"src_path": "/mnt/storage",
"dst_container": "app",
"dst_path": "/mnt/storage"
}"#,
result: false,
@@ -179,7 +181,8 @@ mod tests {
"name": "test",
"src_ctr": "sidecar",
"src_path": "/mnt/storage",
"dst_ctr": "app"
"dst_ctr": "app",
"path": "/mnt/storage"
}"#,
result: false,
message: "shared_mount: field 'dst_path' couldn't be empty.",
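Review bot: With `#[serde(deny_unknown_fields)]` gone from `SharedMount`, the four new test inputs (`src`, `src_dir`, `dst_container`, `path`) only fail because the intended field is left empty, not because the caller's typo is detected; a misspelled key that coexists with a valid one is now accepted silently. Since this struct is parsed from a user-supplied pod annotation, the unknown-field error was the more helpful signal, so consider keeping the attribute and asserting on serde's unknown-field message in these cases instead. If lenient parsing is intentional, say so on the struct: `/// Unknown keys are ignored for forward compatibility; required fields are checked separately.`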

View File

@@ -27,6 +27,8 @@ pub const DRIVER_VFIO_AP_TYPE: &str = "vfio-ap";
/// DRIVER_VFIO_AP_COLD_TYPE is the device driver for vfio-ap coldplug.
pub const DRIVER_VFIO_AP_COLD_TYPE: &str = "vfio-ap-cold";
/// DRIVER_9P_TYPE is the driver for 9pfs volume.
pub const DRIVER_9P_TYPE: &str = "9p";
/// DRIVER_EPHEMERAL_TYPE is the driver for ephemeral volume.
pub const DRIVER_EPHEMERAL_TYPE: &str = "ephemeral";
/// DRIVER_LOCAL_TYPE is the driver for local volume.


@@ -48,6 +48,7 @@ file_mem_backend = "/dev/shm"
valid_file_mem_backends = ["/dev/shm","/dev/snd","./test_file_backend_mem_root"]
pflashes = ["/proc/mounts"]
enable_debug = true
msize_9p = 16384
disable_image_nvdimm = true
hotplug_vfio_on_root_bus = true
pcie_root_port = 2
@@ -64,8 +65,8 @@ enable_guest_swap = true
[agent.agent0]
enable_tracing = true
debug_console_enabled = true
enable_debug = true
dial_timeout_ms = 1000
debug = true
dial_timeout = 1
kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"]
container_pipe_size = 2
[runtime]


@@ -47,6 +47,7 @@ file_mem_backend = "/dev/shm"
valid_file_mem_backends = ["/dev/shm"]
pflashes = ["/proc/mounts"]
enable_debug = true
msize_9p = 16384
disable_image_nvdimm = true
hotplug_vfio_on_root_bus = true
pcie_root_port = 2
@@ -63,8 +64,8 @@ enable_guest_swap = true
[agent.agent0]
enable_tracing = true
debug_console_enabled = true
enable_debug = true
dial_timeout_ms = 1000
debug = true
dial_timeout = 1
kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"]
container_pipe_size = 2
[runtime]


@@ -493,7 +493,7 @@ message SharedMount {
// could have been defined through the Mount list of the OCI specification.
message Storage {
// Driver is used to define the way the storage is passed through the
// virtual machine. It can be "blk", or something else, but for
// virtual machine. It can be "9p", "blk", or something else, but for
// all cases, this will define if some extra steps are required before
// this storage gets mounted into the container.
string driver = 1;
@@ -509,7 +509,7 @@ message Storage {
string source = 3;
// Fstype represents the filesystem that needs to be used to mount the
// storage inside the VM. For instance, it could be "xfs" for block
// device, or "tmpfs" for shared /dev/shm.
// device, "9p" for shared filesystem, or "tmpfs" for shared /dev/shm.
string fstype = 4;
// Options describes the additional options that might be needed to
// mount properly the storage filesystem.


@@ -137,12 +137,16 @@ ifeq ($(ARCH), aarch64)
EDK2_NAME := aavmf
endif
# Set firmware path from QEMUFW if defined
# Set firmware paths from QEMUFW/QEMUFWVOL if defined
FIRMWAREPATH :=
FIRMWAREVOLUMEPATH :=
ifneq (,$(QEMUCMD))
ifneq (,$(QEMUFW))
FIRMWAREPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFW)
endif
ifneq (,$(QEMUFWVOL))
FIRMWAREVOLUMEPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFWVOL)
endif
endif
KERNELVERITYPARAMS ?= ""
@@ -153,6 +157,7 @@ FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
# SEV-SNP
FIRMWARE_SNP_PATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
FIRMWARE_VOLUME_SNP_PATH :=
##VAR DEFVCPUS=<number> Default number of vCPUs
DEFVCPUS := 1
@@ -199,6 +204,7 @@ DEFVIRTIOFSQUEUESIZE ?= 1024
# Make sure you quote args.
DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"-o\", \"announce_submounts\"]
DEFENABLEIOTHREADS := false
DEFINDEPIOTHREADS := 0
DEFENABLEVHOSTUSERSTORE := false
DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
@@ -216,6 +222,7 @@ DEFCREATECONTAINERTIMEOUT ?= 30
DEFCREATECONTAINERTIMEOUT_COCO ?= 60
DEFSTATICRESOURCEMGMT_COCO = true
DEFDISABLEIMAGENVDIMM ?= false
DEFPODRESOURCEAPISOCK := ""
SED = sed
CLI_DIR = cmd
@@ -384,19 +391,11 @@ ifneq (,$(QEMUCMD))
ifeq ($(ARCH), s390x)
VMROOTFSDRIVER_QEMU := virtio-blk-ccw
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-blk-ccw
# runtime-rs memory hotplug hard-codes pc-dimm, which is x86-only.
# s390x (s390-ccw-virtio) requires virtio-mem-ccw instead. Use static
# sandbox resource management to size the VM upfront and bypass hotplug.
DEFSTATICRESOURCEMGMT_QEMU := true
else ifeq ($(ARCH), aarch64)
# NVDIMM/virtio-pmem has issues on arm64 (cache coherency problems with DAX),
# so we use virtio-blk-pci instead.
VMROOTFSDRIVER_QEMU := virtio-blk-pci
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-scsi
# runtime-rs lacks ARM CPU hotplug support (pflash/UEFI, SMP topology,
# QMP vCPU add for virt machine type). Use static sandbox resource
# management to size the VM upfront instead.
DEFSTATICRESOURCEMGMT_QEMU := true
else
VMROOTFSDRIVER_QEMU := virtio-pmem
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-scsi
@@ -413,6 +412,9 @@ endif
# Most users will want to set this to "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
# for better security. Note: "elevateprivileges=deny" doesn't work with daemonize option.
DEFSECCOMPSANDBOXPARAM := ""
# Default is empty string "" to match Rust default None (when commented out in config).
# Most users will want to set this to "system_u:system_r:container_t" for SELinux support.
DEFGUESTSELINUXLABEL := ""
endif
ifneq (,$(FCCMD))
@@ -522,6 +524,7 @@ USER_VARS += KERNELPATH_COCO
USER_VARS += KERNELPATH
USER_VARS += KERNELVIRTIOFSPATH
USER_VARS += FIRMWAREPATH
USER_VARS += FIRMWAREVOLUMEPATH
USER_VARS += MACHINEACCELERATORS
USER_VARS += CPUFEATURES
USER_VARS += DEFMACHINETYPE_CLH
@@ -581,7 +584,9 @@ USER_VARS += DEFVIRTIOFSEXTRAARGS
USER_VARS += DEFENABLEANNOTATIONS
USER_VARS += DEFENABLEANNOTATIONS_COCO
USER_VARS += DEFENABLEIOTHREADS
USER_VARS += DEFINDEPIOTHREADS
USER_VARS += DEFSECCOMPSANDBOXPARAM
USER_VARS += DEFGUESTSELINUXLABEL
USER_VARS += DEFENABLEVHOSTUSERSTORE
USER_VARS += DEFVHOSTUSERSTOREPATH
USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS
@@ -623,9 +628,11 @@ USER_VARS += DEFCREATECONTAINERTIMEOUT
USER_VARS += DEFCREATECONTAINERTIMEOUT_COCO
USER_VARS += QEMUTDXEXPERIMENTALCMD
USER_VARS += FIRMWARE_SNP_PATH
USER_VARS += FIRMWARE_VOLUME_SNP_PATH
USER_VARS += KERNELTDXPARAMS
USER_VARS += DEFSHAREDFS_QEMU_TDX_VIRTIOFS
USER_VARS += FIRMWARETDVFPATH
USER_VARS += DEFPODRESOURCEAPISOCK
SOURCES := \
$(shell find . 2>&1 | grep -E '.*\.rs$$') \
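Review bot: The s390x and aarch64 branches drop `DEFSTATICRESOURCEMGMT_QEMU := true` together with the comments explaining that runtime-rs memory hotplug hard-codes pc-dimm (x86-only) and lacks ARM CPU hotplug; unless hotplug support for those targets has landed elsewhere, the generated default configuration will again exercise paths the removed comments say do not work, so either keep the override or replace the comments with a line stating why it is no longer needed. The new `DEFGUESTSELINUXLABEL := ""` default, like the existing `DEFSECCOMPSANDBOXPARAM := ""`, leaves a hardening feature off in the shipped configuration; that is defensible for a generic build but deserves a note next to the definition, e.g. `# Empty = SELinux guest labelling disabled; distributions should set DEFGUESTSELINUXLABEL (and DEFSECCOMPSANDBOXPARAM) explicitly.`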


@@ -13,6 +13,7 @@ CPUFEATURES := pmu=off
QEMUCMD := qemu-system-aarch64
QEMUFW := AAVMF_CODE.fd
QEMUFWVOL := AAVMF_VARS.fd
# dragonball binary name
DBCMD := dragonball


@@ -311,19 +311,6 @@ dial_timeout_ms = 10
# (default: 3000)
reconnect_timeout_ms = 3000
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
[agent.@PROJECT_TYPE@.mem_agent]
# Control the mem-agent function enable or disable.
# Default to false
@@ -422,6 +409,19 @@ compact_threshold = 1024
# Using 9223372036854775807 (i64::MAX) which is effectively "never" for practical purposes
compact_force_times = 9223372036854775807
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
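Review bot: The relocated `create_container_timeout` block now sits after the `[agent.@PROJECT_TYPE@.mem_agent]` header and before `[runtime]`, so in TOML it is a key of the `mem_agent` sub-table rather than of `[agent.@PROJECT_TYPE@]` where it lived before; the visible part of `MemAgent` does not declare it, and with `deny_unknown_fields` removed from `MemAgent` in this same change the key is silently dropped and the agent keeps its compiled-in default timeout. No table header appears between `compact_force_times` and the moved block in this hunk, so this looks like a genuine misplacement rather than a rendering artefact. TOML does not allow `[agent.@PROJECT_TYPE@]` to be opened a second time, so the fix is to move the whole `# Create Container Request Timeout ... create_container_timeout = @DEFCREATECONTAINERTIMEOUT@` block back above the `[agent.@PROJECT_TYPE@.mem_agent]` header.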


@@ -174,6 +174,7 @@ guest_hook_path = ""
# Shared file system type:
# - inline-virtio-fs (default)
# - virtio-fs
# - virtio-9p
# - virtio-fs-nydus
# "inline-virtio-fs" is the same as "virtio-fs", but it is running in the same process
# of shim, does not need an external virtiofsd process.


@@ -76,6 +76,12 @@ kernel_params = "@KERNELPARAMS@"
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWAREPATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
@@ -83,12 +89,12 @@ machine_accelerators = "@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccomp_sandbox = "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
# Recommended value when enabling: "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
seccomp_sandbox = "@DEFSECCOMPSANDBOXPARAM@"
seccompsandbox = "@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
@@ -179,6 +185,7 @@ disable_block_device_use = @DEFDISABLEBLOCK@
# Shared file system type:
# - virtio-fs (default)
# - virtio-9p
# - virtio-fs-nydus
# - none
shared_fs = "@DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS@"
@@ -304,6 +311,11 @@ enable_iommu_platform = false
# Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
# The timeout for reconnecting on non-server spdk sockets when the remote end goes away.
# qemu will delay this many seconds and then attempt to reconnect.
# Zero disables reconnecting, and the default is zero.
vhost_user_reconnect_timeout_sec = 0
# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
@@ -366,6 +378,18 @@ disable_image_nvdimm = false
# Default false
hotplug_vfio_on_root_bus = false
# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port"
hot_plug_vfio = "no-port"
# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port", which means disabled.
cold_plug_vfio = "no-port"
# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
@@ -459,6 +483,9 @@ guest_memory_dump_path = ""
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
#guest_memory_dump_paging=false
# use legacy serial for guest console if available and implemented for architecture. Default false
use_legacy_serial = false
# disable applying SELinux on the VMM process (default false)
disable_selinux = @DEFDISABLESELINUX@
@@ -470,7 +497,7 @@ disable_selinux = @DEFDISABLESELINUX@
disable_guest_selinux = @DEFDISABLEGUESTSELINUX@
[hypervisor.qemu.factory]
[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
@@ -551,8 +578,8 @@ reconnect_timeout_ms = 3000
# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
[agent.@PROJECT_TYPE@.mem_agent]
# Control the mem-agent function enable or disable.
@@ -650,6 +677,19 @@ compact_threshold = 1024
# Default to 9223372036854775807
compact_force_times = 9223372036854775807
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: @DEFCREATECONTAINERTIMEOUT_COCO@ seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@
[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
@@ -686,6 +726,20 @@ agent_name = "@PROJECT_TYPE@"
# (default: true)
disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
# Example value when enabling: "system_u:system_r:container_t"
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
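Review bot: In the `@@ -650,6 +677,19 @@` hunk the added `create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@` block sits after `compact_force_times`, which appears to still be inside the `[agent.@PROJECT_TYPE@.mem_agent]` table opened in the earlier hunk, so TOML attaches the key to the mem_agent table rather than to `[agent.@PROJECT_TYPE@]`. The `@@ -551,8 +578,8 @@` hunk meanwhile leaves a second `create_container_timeout` in the agent table carrying the non-CoCo `@DEFCREATECONTAINERTIMEOUT@`, so whichever value the loader honours, the `_COCO` one looks unreachable unless the parser also reads it from mem_agent. Moving the block above the `[agent.@PROJECT_TYPE@.mem_agent]` header, or dropping it in favour of the existing agent-table key, would make the intended value unambiguous. The same placement appears in the next file section at `@@ -658,6 +672,19 @@`.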


@@ -60,6 +60,12 @@ kernel_params = "@KERNELPARAMS@"
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWAREPATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
@@ -67,12 +73,12 @@ machine_accelerators = "@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccomp_sandbox = "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
# Recommended value when enabling: "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
seccomp_sandbox = "@DEFSECCOMPSANDBOXPARAM@"
seccompsandbox = "@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
@@ -163,6 +169,7 @@ disable_block_device_use = @DEFDISABLEBLOCK@
# Shared file system type:
# - virtio-fs (default)
# - virtio-9p
# - virtio-fs-nydus
# - none
shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
@@ -300,6 +307,11 @@ enable_iommu_platform = false
# Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
# The timeout for reconnecting on non-server spdk sockets when the remote end goes away.
# qemu will delay this many seconds and then attempt to reconnect.
# Zero disables reconnecting, and the default is zero.
vhost_user_reconnect_timeout_sec = 0
# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
@@ -361,6 +373,18 @@ disable_image_nvdimm = false
# Default false
hotplug_vfio_on_root_bus = false
# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port"
hot_plug_vfio = "no-port"
# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port", which means disabled.
cold_plug_vfio = "no-port"
# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
@@ -465,6 +489,9 @@ guest_memory_dump_path = ""
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
guest_memory_dump_paging = false
# use legacy serial for guest console if available and implemented for architecture. Default false
use_legacy_serial = false
# disable applying SELinux on the VMM process (default false)
disable_selinux = @DEFDISABLESELINUX@
@@ -547,19 +574,6 @@ dial_timeout_ms = 10
# (default: 3000)
reconnect_timeout_ms = 3000
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
[agent.@PROJECT_TYPE@.mem_agent]
# Control the mem-agent function enable or disable.
# Default to false
@@ -658,6 +672,19 @@ compact_threshold = 1024
# Using 9223372036854775807 (i64::MAX) which is effectively "never" for practical purposes
compact_force_times = 9223372036854775807
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below:
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
@@ -693,6 +720,20 @@ agent_name = "@PROJECT_TYPE@"
# (default: true)
disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
# Example value when enabling: "system_u:system_r:container_t"
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
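Review bot: The `@@ -67,12 +73,12 @@` hunk renames the key `seccomp_sandbox` to `seccompsandbox` together with its example comment (taking the rendered order as old-then-new), while the surrounding comment block still describes it as the "Qemu seccomp sandbox" and references `seccomp_sandbox`-style naming nowhere else; if the runtime's config struct keeps reading `seccomp_sandbox`, the renamed key is ignored and the QEMU syscall filter set by `@DEFSECCOMPSANDBOXPARAM@` silently stops being applied instead of failing loudly. Confirm the field name the loader deserialises before merging, and consider rejecting unknown keys in the hypervisor table so a misspelt security setting cannot be dropped quietly. The same rename appears in the other qemu configuration sections at `@@ -83,12 +89,12 @@`, `@@ -76,12 +82,12 @@`, `@@ -114,12 +116,12 @@` and `@@ -90,12 +96,12 @@`.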


@@ -69,6 +69,12 @@ kernel_params = "@KERNELPARAMS@"
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWAREPATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
@@ -76,12 +82,12 @@ machine_accelerators = "@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccomp_sandbox = "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
# Recommended value when enabling: "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
seccomp_sandbox = "@DEFSECCOMPSANDBOXPARAM@"
seccompsandbox = "@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
@@ -162,6 +168,7 @@ disable_block_device_use = @DEFDISABLEBLOCK@
# Shared file system type:
# - virtio-fs (default)
# - virtio-9p
# - virtio-fs-nydus
# - none
shared_fs = "@DEFSHAREDFS_QEMU_SEL_VIRTIOFS@"
@@ -338,6 +345,18 @@ msize_9p = @DEFMSIZE9P@
# Default is false
disable_image_nvdimm = true
# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port"
hot_plug_vfio = "no-port"
# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port", which means disabled.
cold_plug_vfio = "no-port"
# VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on
@@ -441,6 +460,9 @@ guest_memory_dump_paging = false
# be default_memory.
enable_guest_swap = false
# use legacy serial for guest console if available and implemented for architecture. Default false
use_legacy_serial = false
# disable applying SELinux on the VMM process (default false)
disable_selinux = @DEFDISABLESELINUX@
@@ -452,7 +474,7 @@ disable_selinux = @DEFDISABLESELINUX@
disable_guest_selinux = @DEFDISABLEGUESTSELINUX@
[hypervisor.qemu.factory]
[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
@@ -571,6 +593,20 @@ agent_name = "@PROJECT_TYPE@"
# (default: true)
disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
# Example value when enabling: "system_u:system_r:container_t"
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
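Review bot: In the `@@ -452,7 +474,7 @@` hunk the table header changes from `[hypervisor.qemu.factory]` to `[factory]` (taking the rendered order as old-then-new), which moves `enable_template`, `template_path` and the VM-cache keys that follow it to a top-level table. If the loader expects the nested `hypervisor.qemu.factory` table, these keys become inert without any error, and a templating or VM-cache setting that quietly stops applying is hard to notice. Confirm the struct path the runtime deserialises, and add a comment above the header naming the table the runtime reads, e.g. `# Factory settings are read from the top-level [factory] table by the runtime`. The same header change appears in the sections at `@@ -470,7 +497,7 @@`, `@@ -495,7 +509,7 @@` and `@@ -470,7 +488,7 @@`.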


@@ -16,7 +16,8 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELPATH_COCO@"
image = "@IMAGECONFIDENTIALPATH@"
initrd = "@INITRDCONFIDENTIALPATH@"
# image = "@IMAGECONFIDENTIALPATH@"
machine_type = "@MACHINETYPE@"
# Enable confidential guest support.
@@ -98,15 +99,16 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"
# Optional dm-verity parameters (comma-separated key=value list):
# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
# These are used by the runtime to assemble dm-verity kernel params.
kernel_verity_params = "@KERNELVERITYPARAMS@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWARE_SNP_PATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWARE_VOLUME_SNP_PATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
@@ -114,12 +116,12 @@ machine_accelerators = "@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccomp_sandbox = "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
# Recommended value when enabling: "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
seccomp_sandbox = "@DEFSECCOMPSANDBOXPARAM@"
seccompsandbox = "@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
@@ -287,6 +289,10 @@ block_device_cache_noflush = false
#
enable_iothreads = @DEFENABLEIOTHREADS@
# Independent IOThreads enables IO to be processed in a separate thread, it is
# for QEMU hotplug device attach to iothread, like virtio-blk.
indep_iothreads = @DEFINDEPIOTHREADS@
# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
@@ -340,6 +346,11 @@ enable_iommu_platform = false
# Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
# The timeout for reconnecting on non-server spdk sockets when the remote end goes away.
# qemu will delay this many seconds and then attempt to reconnect.
# Zero disables reconnecting, and the default is zero.
vhost_user_reconnect_timeout_sec = 0
# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
@@ -396,7 +407,7 @@ disable_vhost_net = false
#
# If set to the empty string "", no extra monitor socket is added. This is
# the default.
extra_monitor_socket = ""
#extra_monitor_socket = "hmp"
#
# Default entropy source.
@@ -484,6 +495,9 @@ guest_memory_dump_paging = false
# be default_memory.
enable_guest_swap = false
# use legacy serial for guest console if available and implemented for architecture. Default false
use_legacy_serial = false
# disable applying SELinux on the VMM process (default false)
disable_selinux = @DEFDISABLESELINUX@
@@ -495,7 +509,7 @@ disable_selinux = @DEFDISABLESELINUX@
disable_guest_selinux = @DEFDISABLEGUESTSELINUX@
[hypervisor.qemu.factory]
[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
@@ -514,6 +528,30 @@ enable_template = false
# Default "/run/vc/vm/template"
template_path = "/run/vc/vm/template"
# The number of caches of VMCache:
# unspecified or == 0 --> VMCache is disabled
# > 0 --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket. The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client. It will request gRPC format
# VM and convert it back to a VM. If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
vm_cache_number = 0
# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
vm_cache_endpoint = "/var/run/kata-containers/cache.sock"
[agent.@PROJECT_TYPE@]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
@@ -613,6 +651,19 @@ agent_name="@PROJECT_TYPE@"
# (default: true)
disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
@@ -706,3 +757,22 @@ enable_pprof = false
# to the hypervisor.
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"
# pod_resource_api_sock specifies the unix socket for the Kubelet's
# PodResource API endpoint. If empty, kubernetes based cold plug
# will not be attempted. In order for this feature to work, the
# KubeletPodResourcesGet featureGate must be enabled in Kubelet,
# if using Kubelet older than 1.34.
#
# The pod resource API's socket is relative to the Kubelet's root-dir,
# which is defined by the cluster admin, and its location is:
# ${KubeletRootDir}/pod-resources/kubelet.sock
#
# cold_plug_vfio(see hypervisor config) acts as a feature gate:
# cold_plug_vfio = no_port (default) => no cold plug
# cold_plug_vfio != no_port AND pod_resource_api_sock = "" => need
# explicit CDI annotation for cold plug (applies mainly
# to non-k8s cases)
# cold_plug_vfio != no_port AND pod_resource_api_sock != "" => kubelet
# based cold plug.
pod_resource_api_sock = "@DEFPODRESOURCEAPISOCK@"
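Review bot: The `@@ -16,7 +16,8 @@` and `@@ -98,15 +99,16 @@` hunks appear to switch the SNP guest from `image = "@IMAGECONFIDENTIALPATH@"` to `initrd = "@INITRDCONFIDENTIALPATH@"` and to drop the `kernel_verity_params = "@KERNELVERITYPARAMS@"` block (taking the rendered order as old-then-new and the line counts as removal plus addition), so the dm-verity root hash that bound the rootfs image to the kernel command line is no longer configured in this file. That is consistent if the root filesystem now travels inside the measured initrd, but nothing in this section says so; a comment next to `initrd` such as `# rootfs integrity is covered by the initrd measurement; no dm-verity params needed` would make the intent checkable. Also, the `guest_selinux_label` block in `@@ -613,6 +651,19 @@` lacks the `# Example value when enabling: "system_u:system_r:container_t"` line that the other qemu sections carry.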


@@ -83,6 +83,12 @@ kernel_verity_params = "@KERNELVERITYPARAMS@"
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWARETDVFPATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
@@ -90,12 +96,12 @@ machine_accelerators = "@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccomp_sandbox = "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
# Recommended value when enabling: "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
seccomp_sandbox = "@DEFSECCOMPSANDBOXPARAM@"
seccompsandbox = "@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
@@ -262,6 +268,10 @@ block_device_cache_noflush = false
#
enable_iothreads = @DEFENABLEIOTHREADS@
# Independent IOThreads enables IO to be processed in a separate thread, it is
# for QEMU hotplug device attach to iothread, like virtio-blk.
indep_iothreads = @DEFINDEPIOTHREADS@
# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
@@ -315,6 +325,11 @@ enable_iommu_platform = false
# Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
# The timeout for reconnecting on non-server spdk sockets when the remote end goes away.
# qemu will delay this many seconds and then attempt to reconnect.
# Zero disables reconnecting, and the default is zero.
vhost_user_reconnect_timeout_sec = 0
# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
@@ -459,6 +474,9 @@ guest_memory_dump_paging = false
# be default_memory.
enable_guest_swap = false
# use legacy serial for guest console if available and implemented for architecture. Default false
use_legacy_serial = false
# disable applying SELinux on the VMM process (default false)
disable_selinux = @DEFDISABLESELINUX@
@@ -470,7 +488,7 @@ disable_selinux = @DEFDISABLESELINUX@
disable_guest_selinux = @DEFDISABLEGUESTSELINUX@
[hypervisor.qemu.factory]
[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
@@ -489,6 +507,30 @@ enable_template = false
# Default "/run/vc/vm/template"
template_path = "/run/vc/vm/template"
# The number of caches of VMCache:
# unspecified or == 0 --> VMCache is disabled
# > 0 --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket. The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client. It will request gRPC format
# VM and convert it back to a VM. If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
vm_cache_number = 0
# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
vm_cache_endpoint = "/var/run/kata-containers/cache.sock"
[agent.@PROJECT_TYPE@]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
@@ -589,6 +631,20 @@ agent_name="@PROJECT_TYPE@"
# (default: true)
disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
# Example value when enabling: "system_u:system_r:container_t"
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
@@ -683,3 +739,21 @@ enable_pprof = false
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"
# pod_resource_api_sock specifies the unix socket for the Kubelet's
# PodResource API endpoint. If empty, kubernetes based cold plug
# will not be attempted. In order for this feature to work, the
# KubeletPodResourcesGet featureGate must be enabled in Kubelet,
# if using Kubelet older than 1.34.
#
# The pod resource API's socket is relative to the Kubelet's root-dir,
# which is defined by the cluster admin, and its location is:
# ${KubeletRootDir}/pod-resources/kubelet.sock
#
# cold_plug_vfio(see hypervisor config) acts as a feature gate:
# cold_plug_vfio = no_port (default) => no cold plug
# cold_plug_vfio != no_port AND pod_resource_api_sock = "" => need
# explicit CDI annotation for cold plug (applies mainly
# to non-k8s cases)
# cold_plug_vfio != no_port AND pod_resource_api_sock != "" => kubelet
# based cold plug.
pod_resource_api_sock = "@DEFPODRESOURCEAPISOCK@"


@@ -150,9 +150,9 @@ enable_tracing = false
debug_console_enabled = false
# Agent connection dialing timeout value in milliseconds
# (default: 30000)
dial_timeout_ms = 30000
# Agent connection dialing timeout value in seconds
# (default: 30)
dial_timeout = 30
# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
@@ -205,6 +205,15 @@ agent_name = "kata"
disable_guest_seccomp = true
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
# Example value when enabling: "system_u:system_r:container_t"
guest_selinux_label = "@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
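Review bot: The `@@ -150,9 +150,9 @@` hunk changes the agent key from `dial_timeout_ms = 30000` to `dial_timeout = 30` and its unit from milliseconds to seconds at the same time (taking the rendered order as old-then-new); a rename combined with a unit change is easy to get wrong in either direction — a loader still reading `dial_timeout_ms` ignores the new key and falls back to its built-in default, while one reading `dial_timeout` as milliseconds dials with a 30 ms budget. Confirm the field the runtime deserialises and keep the unit in the key name, or at least state it in the comment as `# Agent connection dialing timeout value in seconds (default: 30)`. The same change appears in the next section at `@@ -310,9 +310,9 @@` with 45.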


@@ -310,9 +310,9 @@ kernel_modules = []
debug_console_enabled = false
# Agent connection dialing timeout value in milliseconds
# (default: 45000)
dial_timeout_ms = 45000
# Agent connection dialing timeout value in seconds
# (default: 45)
dial_timeout = 45
# Confidential Data Hub API timeout value in seconds
# (default: 50)


@@ -2248,8 +2248,8 @@ impl<'a> QemuCmdLine<'a> {
qemu_cmd_line.add_iommu();
}
if config.debug_info.enable_debug && !config.debug_info.extra_monitor_socket.is_empty() {
qemu_cmd_line.add_monitor(&config.debug_info.extra_monitor_socket)?;
if config.debug_info.enable_debug && !config.debug_info.dbg_monitor_socket.is_empty() {
qemu_cmd_line.add_monitor(&config.debug_info.dbg_monitor_socket)?;
}
qemu_cmd_line.add_rtc();
@@ -2610,7 +2610,6 @@ impl<'a> QemuCmdLine<'a> {
self.devices.push(Box::new(Bios::new(firmware.to_owned())));
self.machine
.set_kernel_irqchip("split")
.set_confidential_guest_support("tdx")
.set_nvdimm(false);
}
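Review bot: On the new side the TDX machine setup chains `set_kernel_irqchip("split")` straight into `set_nvdimm(false)`, and `set_confidential_guest_support("tdx")` is no longer applied here; unless the caller or another branch sets it, the generated QEMU `-machine` line would lack the confidential-guest-support object and the guest boots as an ordinary, unattested VM with the firmware pushed just above. If the call was deliberately moved, a comment at this point (`// confidential-guest-support=tdx is set by <caller>`) would make that visible; otherwise restore `.set_confidential_guest_support("tdx")` between the two calls. The rename to `dbg_monitor_socket` in the first hunk raises nothing. The enclosing method starts and ends outside this hunk.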


@@ -858,12 +858,7 @@ impl QemuInner {
block_device.config.index,
&block_device.config.path_on_host,
&block_device.config.blkdev_aio.to_string(),
Some(
block_device
.config
.is_direct
.unwrap_or(self.config.blockdev_info.block_device_cache_direct),
),
block_device.config.is_direct,
block_device.config.is_readonly,
block_device.config.no_drop,
)
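Review bot: The new call passes `block_device.config.is_direct` straight through, dropping the fallback to `self.config.blockdev_info.block_device_cache_direct` that the removed `Some(... .unwrap_or(...))` expression supplied; since the old code unwrapped it, `is_direct` is an `Option<bool>`, so a device that does not set it now reaches the drive builder with `None` instead of the hypervisor-wide `block_device_cache_direct` setting. Whether the callee substitutes its own default for `None` is outside the hunk; if it does not, the admin's cache-direct setting is silently ignored for such devices. The same value with the fallback kept is `block_device.config.is_direct.or(Some(self.config.blockdev_info.block_device_cache_direct)),`. The enclosing method starts and ends outside this hunk.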


@@ -142,23 +142,15 @@ impl InitialSizeManager {
if self.resource.vcpu > 0.0 {
info!(sl!(), "resource with vcpu {}", self.resource.vcpu);
if config.runtime.static_sandbox_resource_mgmt {
hv.cpu_info.default_vcpus += self.resource.vcpu;
let new_vcpus_ceil = hv.cpu_info.default_vcpus.ceil() as u32;
if hv.cpu_info.default_maxvcpus < new_vcpus_ceil {
hv.cpu_info.default_maxvcpus = new_vcpus_ceil;
}
}
}
self.resource.orig_toml_default_mem = hv.memory_info.default_memory;
if self.resource.mem_mb > 0 {
info!(sl!(), "resource with memory {}", self.resource.mem_mb);
if config.runtime.static_sandbox_resource_mgmt {
hv.memory_info.default_memory += self.resource.mem_mb;
if hv.memory_info.default_maxmemory < hv.memory_info.default_memory {
hv.memory_info.default_maxmemory = hv.memory_info.default_memory;
}
}
// since the memory overhead introduced by kata-agent and system components
// will really affect the amount of memory the user can use, so we choose to
// plus the default_memory here, instead of overriding it.
// (if we override the default_memory here, and user apllications still
// use memory as they orignally expected, it would be easy to OOM.)
hv.memory_info.default_memory += self.resource.mem_mb;
}
Ok(())
}
@@ -374,114 +366,4 @@ mod tests {
);
}
}
fn make_config(
default_vcpus: f32,
default_maxvcpus: u32,
default_memory: u32,
default_maxmemory: u32,
static_sandbox_resource_mgmt: bool,
) -> TomlConfig {
use kata_types::config::Hypervisor;
let mut config = TomlConfig::default();
config
.hypervisor
.insert("qemu".to_owned(), Hypervisor::default());
config
.hypervisor
.entry("qemu".to_owned())
.and_modify(|hv| {
hv.cpu_info.default_vcpus = default_vcpus;
hv.cpu_info.default_maxvcpus = default_maxvcpus;
hv.memory_info.default_memory = default_memory;
hv.memory_info.default_maxmemory = default_maxmemory;
});
config.runtime.hypervisor_name = "qemu".to_owned();
config.runtime.static_sandbox_resource_mgmt = static_sandbox_resource_mgmt;
config
}
#[test]
fn test_setup_config_static_applies_vcpu_and_memory() {
let mut config = make_config(1.0, 4, 256, 4096, true);
let mut mgr = InitialSizeManager {
resource: InitialSize {
vcpu: 1.2,
mem_mb: 512,
orig_toml_default_mem: 0,
},
};
mgr.setup_config(&mut config).unwrap();
let hv = config.hypervisor.get("qemu").unwrap();
assert_eq!(hv.cpu_info.default_vcpus, 2.2);
assert_eq!(hv.memory_info.default_memory, 768);
}
#[test]
fn test_setup_config_non_static_does_not_apply() {
let mut config = make_config(1.0, 4, 256, 4096, false);
let mut mgr = InitialSizeManager {
resource: InitialSize {
vcpu: 1.2,
mem_mb: 512,
orig_toml_default_mem: 0,
},
};
mgr.setup_config(&mut config).unwrap();
let hv = config.hypervisor.get("qemu").unwrap();
assert_eq!(hv.cpu_info.default_vcpus, 1.0);
assert_eq!(hv.memory_info.default_memory, 256);
}
#[test]
fn test_setup_config_clamps_maxvcpus() {
let mut config = make_config(1.0, 2, 256, 4096, true);
let mut mgr = InitialSizeManager {
resource: InitialSize {
vcpu: 2.5,
mem_mb: 0,
orig_toml_default_mem: 0,
},
};
mgr.setup_config(&mut config).unwrap();
let hv = config.hypervisor.get("qemu").unwrap();
assert_eq!(hv.cpu_info.default_vcpus, 3.5);
assert_eq!(hv.cpu_info.default_maxvcpus, 4);
}
#[test]
fn test_setup_config_clamps_maxmemory() {
let mut config = make_config(1.0, 4, 256, 300, true);
let mut mgr = InitialSizeManager {
resource: InitialSize {
vcpu: 0.0,
mem_mb: 512,
orig_toml_default_mem: 0,
},
};
mgr.setup_config(&mut config).unwrap();
let hv = config.hypervisor.get("qemu").unwrap();
assert_eq!(hv.memory_info.default_memory, 768);
assert_eq!(hv.memory_info.default_maxmemory, 768);
}
#[test]
fn test_setup_config_preserves_orig_toml_default_mem() {
let mut config = make_config(1.0, 4, 256, 4096, true);
let mut mgr = InitialSizeManager {
resource: InitialSize {
vcpu: 0.0,
mem_mb: 128,
orig_toml_default_mem: 0,
},
};
mgr.setup_config(&mut config).unwrap();
assert_eq!(mgr.get_orig_toml_default_mem(), 256);
}
}
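Review bot: On the new side `setup_config` raises `default_vcpus` and `default_memory` by the pod-requested amounts without the follow-up the removed lines did, namely lifting `default_maxvcpus`/`default_maxmemory` when the new default exceeds them; a request larger than the configured maximum therefore leaves the hypervisor config internally inconsistent (`default_memory > default_maxmemory`), and whether the hypervisor layer then fails the boot or silently caps it is outside this hunk. The `static_sandbox_resource_mgmt` gate also appears only on the removed side, so unless the caller gates the call, the sizing is applied regardless of that setting — the rendering loses the +/- markers, so treat that as a point to confirm rather than a certainty. The tests deleted in the second hunk (`test_setup_config_clamps_maxvcpus`, `test_setup_config_clamps_maxmemory`, `test_setup_config_non_static_does_not_apply`) were the visible coverage of these paths, so the regression would be silent. The enclosing function starts outside the hunk; keeping the max values consistent would look like this:
```rust
            hv.cpu_info.default_vcpus += self.resource.vcpu;
            // keep maxvcpus >= vcpus so the hypervisor config stays consistent
            let new_vcpus_ceil = hv.cpu_info.default_vcpus.ceil() as u32;
            if hv.cpu_info.default_maxvcpus < new_vcpus_ceil {
                hv.cpu_info.default_maxvcpus = new_vcpus_ceil;
            }
            // … unchanged: memory branch up to the addition …
            hv.memory_info.default_memory += self.resource.mem_mb;
            if hv.memory_info.default_maxmemory < hv.memory_info.default_memory {
                hv.memory_info.default_maxmemory = hv.memory_info.default_memory;
            }
```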


@@ -65,8 +65,8 @@ enable_guest_swap = true
[agent.agent0]
enable_tracing = true
debug_console_enabled = true
enable_debug = true
dial_timeout_ms = 1000
debug = true
dial_timeout = 1
kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"]
container_pipe_size = 2
[runtime]


@@ -143,13 +143,7 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
FIRMWAREPATH :=
FIRMWAREVOLUMEPATH :=
FIRMWAREPATH_NV :=
ifeq ($(ARCH),amd64)
FIRMWAREPATH_NV := $(PREFIXDEPS)/share/$(EDK2_NAME)/OVMF.fd
endif
ifeq ($(ARCH),arm64)
FIRMWAREPATH_NV := $(PREFIXDEPS)/share/$(EDK2_NAME)/AAVMF_CODE.fd
endif
FIRMWAREPATH_NV = $(FIRMWAREPATH)
FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
@@ -292,10 +286,6 @@ DEFVFIOMODE := guest-kernel
DEFSANDBOXCGROUPONLY ?= false
DEFSTATICRESOURCEMGMT ?= false
DEFSTATICRESOURCEMGMT_QEMU ?= false
ifeq ($(ARCH),arm64)
DEFSTATICRESOURCEMGMT_QEMU = true
endif
DEFSTATICRESOURCEMGMT_TEE = true
DEFSTATICRESOURCEMGMT_NV = true
@@ -499,9 +489,6 @@ ifneq (,$(QEMUCMD))
KERNELPARAMS_NV += "pci=nocrs"
KERNELPARAMS_NV += "pci=assign-busses"
KERNELPARAMS_CONFIDENTIAL_NV = $(KERNELPARAMS_NV)
KERNELPARAMS_CONFIDENTIAL_NV += "nvrc.smi.srs=1"
# Setting this to false can lead to cgroup leakages in the host
# Best practice for production is to set this to true
DEFSANDBOXCGROUPONLY_NV = true
@@ -674,7 +661,6 @@ USER_VARS += DEFAULTMEMORY_NV
USER_VARS += DEFAULTVFIOPORT_NV
USER_VARS += DEFAULTPCIEROOTPORT_NV
USER_VARS += KERNELPARAMS_NV
USER_VARS += KERNELPARAMS_CONFIDENTIAL_NV
USER_VARS += KERNELVERITYPARAMS_NV
USER_VARS += KERNELVERITYPARAMS_CONFIDENTIAL_NV
USER_VARS += DEFAULTTIMEOUT_NV
@@ -795,7 +781,6 @@ USER_VARS += DEFENTROPYSOURCE
USER_VARS += DEFVALIDENTROPYSOURCES
USER_VARS += DEFSANDBOXCGROUPONLY
USER_VARS += DEFSTATICRESOURCEMGMT
USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
USER_VARS += DEFSTATICRESOURCEMGMT_CLH
USER_VARS += DEFSTATICRESOURCEMGMT_FC
USER_VARS += DEFSTATICRESOURCEMGMT_STRATOVIRT
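Review bot: `FIRMWAREPATH_NV = $(FIRMWAREPATH)` binds the NVIDIA firmware path to a variable that is initialised empty a few lines up (`FIRMWAREPATH :=`), so unless something later in the Makefile assigns it (not visible here), the NV configurations are generated with an empty `firmware` and QEMU's built-in default replaces the OVMF/AAVMF image the removed per-arch lines selected. A comment stating which firmware the NV targets are expected to boot with, or keeping the per-arch block, would avoid a silent change of boot firmware. Separately, dropping `KERNELPARAMS_CONFIDENTIAL_NV` (and with it `nvrc.smi.srs=1`) means the confidential NV templates now take the plain `@KERNELPARAMS_NV@`; what that parameter controlled is not visible in this diff, so confirm it was meant to go rather than lost along with the variable.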


@@ -90,7 +90,7 @@ snp_guest_policy = 196608
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"
kernel_params = "@KERNELPARAMS_NV@"
# Optional dm-verity parameters (comma-separated key=value list):
# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...


@@ -67,7 +67,7 @@ valid_hypervisor_paths = @QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS@
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"
kernel_params = "@KERNELPARAMS_NV@"
# Optional dm-verity parameters (comma-separated key=value list):
# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...


@@ -15,7 +15,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELCONFIDENTIALPATH@"
image = "@IMAGECONFIDENTIALPATH@"
initrd = "@INITRDCONFIDENTIALPATH@"
machine_type = "@MACHINETYPE@"
# rootfs filesystem type:
@@ -91,11 +91,6 @@ snp_guest_policy = 196608
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"
# Optional dm-verity parameters (comma-separated key=value list):
# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
# These are used by the runtime to assemble dm-verity kernel params.
kernel_verity_params = "@KERNELVERITYPARAMS@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWARESNPPATH@"
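Review bot: The SNP template on the new side switches the guest from `image = "@IMAGECONFIDENTIALPATH@"` to `initrd = "@INITRDCONFIDENTIALPATH@"` and drops the `kernel_verity_params` block, so the rootfs integrity that dm-verity provided for the image-based boot is no longer configured here. That is only equivalent if the whole initrd is covered by the SNP launch measurement; if it is, a comment above `initrd =` saying so (`# initrd-based boot: rootfs integrity comes from the launch measurement, no dm-verity params needed`) would stop the next reader from re-adding them, and if it is not, the verity block should stay. The NVIDIA SNP and TDX templates in the neighbouring sections keep their dm-verity comments, so the asymmetry deserves a note either way.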


@@ -672,7 +672,7 @@ sandbox_cgroup_only = @DEFSANDBOXCGROUPONLY@
# - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
# does not yet support sandbox sizing annotations.
# - When running single containers using a tool like ctr, container sizing information will be available.
static_sandbox_resource_mgmt = @DEFSTATICRESOURCEMGMT_QEMU@
static_sandbox_resource_mgmt = @DEFSTATICRESOURCEMGMT@
# If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.


@@ -23,6 +23,15 @@ dependencies = [
"tokio",
]
[[package]]
name = "addr2line"
version = "0.25.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b5d307320b3181d6d7954e663bd7c774a838b8220fe0593c86d9fb09f498b4b"
dependencies = [
"gimli",
]
[[package]]
name = "adler2"
version = "2.0.0"
@@ -332,6 +341,21 @@ dependencies = [
"tower-service",
]
[[package]]
name = "backtrace"
version = "0.3.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb531853791a215d7c62a30daf0dde835f381ab5de4589cfe7c649d2cbe92bd6"
dependencies = [
"addr2line",
"cfg-if 1.0.4",
"libc",
"miniz_oxide",
"object",
"rustc-demangle",
"windows-link",
]
[[package]]
name = "base16ct"
version = "0.2.0"
@@ -1571,9 +1595,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
[[package]]
name = "futures"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
dependencies = [
"futures-channel",
"futures-core",
@@ -1586,9 +1610,9 @@ dependencies = [
[[package]]
name = "futures-channel"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
dependencies = [
"futures-core",
"futures-sink",
@@ -1596,15 +1620,15 @@ dependencies = [
[[package]]
name = "futures-core"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
[[package]]
name = "futures-executor"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
dependencies = [
"futures-core",
"futures-task",
@@ -1613,15 +1637,15 @@ dependencies = [
[[package]]
name = "futures-io"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
[[package]]
name = "futures-macro"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
dependencies = [
"proc-macro2",
"quote",
@@ -1630,21 +1654,21 @@ dependencies = [
[[package]]
name = "futures-sink"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
[[package]]
name = "futures-task"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
[[package]]
name = "futures-util"
version = "0.3.32"
version = "0.3.31"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
dependencies = [
"futures-channel",
"futures-core",
@@ -1654,6 +1678,7 @@ dependencies = [
"futures-task",
"memchr",
"pin-project-lite",
"pin-utils",
"slab",
]
@@ -1717,6 +1742,12 @@ dependencies = [
"polyval",
]
[[package]]
name = "gimli"
version = "0.32.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"
[[package]]
name = "glob"
version = "0.3.1"
@@ -2021,7 +2052,6 @@ version = "0.1.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-channel",
"futures-core",
@@ -2029,9 +2059,7 @@ dependencies = [
"http 1.1.0",
"http-body 1.0.1",
"hyper 1.6.0",
"ipnet",
"libc",
"percent-encoding",
"pin-project-lite",
"socket2 0.5.10",
"tokio",
@@ -2243,7 +2271,7 @@ dependencies = [
[[package]]
name = "image-rs"
version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?tag=v0.18.0#ab95914ac84c32a43102463cc0ae330710af47be"
source = "git+https://github.com/confidential-containers/guest-components?rev=026694d44d4ec483465d2fa5f80a0376166b174d#026694d44d4ec483465d2fa5f80a0376166b174d"
dependencies = [
"anyhow",
"astral-tokio-tar",
@@ -2256,27 +2284,27 @@ dependencies = [
"futures",
"futures-util",
"hex",
"log",
"loopdev",
"nix 0.31.2",
"nix 0.30.1",
"oci-client",
"oci-spec",
"ocicrypt-rs",
"protos",
"reqwest 0.13.2",
"reqwest",
"sequoia-openpgp",
"serde",
"serde_json",
"serde_yaml",
"sha2 0.10.9",
"sigstore",
"strum 0.28.0",
"strum_macros 0.28.0",
"strum",
"strum_macros",
"thiserror 2.0.18",
"tokio",
"tokio-util",
"toml 1.1.2+spec-1.1.0",
"toml 0.9.11+spec-1.1.0",
"tonic",
"tracing",
"url",
"walkdir",
"xattr",
@@ -2336,22 +2364,23 @@ dependencies = [
"windows-sys 0.48.0",
]
[[package]]
name = "io-uring"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b86e202f00093dcba4275d4636b93ef9dd75d025ae560d2521b45ea28ab49013"
dependencies = [
"bitflags 2.6.0",
"cfg-if 1.0.4",
"libc",
]
[[package]]
name = "ipnet"
version = "2.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ddc24109865250148c2e0f3d25d4f0f479571723792d3802153c60922a4fb708"
[[package]]
name = "iri-string"
version = "0.7.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
dependencies = [
"memchr",
"serde",
]
[[package]]
name = "is-terminal"
version = "0.4.16"
@@ -2566,9 +2595,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
[[package]]
name = "libc"
version = "0.2.184"
version = "0.2.172"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af"
checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "libloading"
@@ -2759,13 +2788,14 @@ dependencies = [
[[package]]
name = "mio"
version = "1.2.0"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
dependencies = [
"hermit-abi 0.3.9",
"libc",
"wasi",
"windows-sys 0.61.2",
"windows-sys 0.52.0",
]
[[package]]
@@ -2846,9 +2876,9 @@ dependencies = [
[[package]]
name = "nix"
version = "0.31.2"
version = "0.30.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
dependencies = [
"bitflags 2.6.0",
"cfg-if 1.0.4",
@@ -2877,10 +2907,11 @@ dependencies = [
[[package]]
name = "num-bigint-dig"
version = "0.8.6"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
dependencies = [
"byteorder",
"lazy_static",
"libm",
"num-integer",
@@ -2948,7 +2979,7 @@ dependencies = [
"getrandom 0.2.15",
"http 1.1.0",
"rand 0.8.5",
"reqwest 0.12.8",
"reqwest",
"serde",
"serde_json",
"serde_path_to_error",
@@ -2966,6 +2997,15 @@ dependencies = [
"bitflags 2.6.0",
]
[[package]]
name = "object"
version = "0.37.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe"
dependencies = [
"memchr",
]
[[package]]
name = "ocb3"
version = "0.1.0"
@@ -2994,7 +3034,7 @@ dependencies = [
"oci-spec",
"olpc-cjson",
"regex",
"reqwest 0.12.8",
"reqwest",
"serde",
"serde_json",
"sha2 0.10.9",
@@ -3016,15 +3056,15 @@ dependencies = [
"regex",
"serde",
"serde_json",
"strum 0.27.1",
"strum_macros 0.27.1",
"strum",
"strum_macros",
"thiserror 2.0.18",
]
[[package]]
name = "ocicrypt-rs"
version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?tag=v0.18.0#ab95914ac84c32a43102463cc0ae330710af47be"
source = "git+https://github.com/confidential-containers/guest-components?rev=026694d44d4ec483465d2fa5f80a0376166b174d#026694d44d4ec483465d2fa5f80a0376166b174d"
dependencies = [
"anyhow",
"base64 0.22.1",
@@ -3682,7 +3722,7 @@ dependencies = [
[[package]]
name = "protos"
version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?tag=v0.18.0#ab95914ac84c32a43102463cc0ae330710af47be"
source = "git+https://github.com/confidential-containers/guest-components?rev=026694d44d4ec483465d2fa5f80a0376166b174d#026694d44d4ec483465d2fa5f80a0376166b174d"
dependencies = [
"prost 0.14.3",
"tonic",
@@ -4043,38 +4083,6 @@ dependencies = [
"windows-registry",
]
[[package]]
name = "reqwest"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-core",
"http 1.1.0",
"http-body 1.0.1",
"http-body-util",
"hyper 1.6.0",
"hyper-util",
"js-sys",
"log",
"percent-encoding",
"pin-project-lite",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"tokio",
"tower",
"tower-http",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
]
[[package]]
name = "rfc6979"
version = "0.4.0"
@@ -4139,9 +4147,9 @@ dependencies = [
[[package]]
name = "rsa"
version = "0.9.10"
version = "0.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d"
checksum = "40a0376c50d0358279d9d643e4bf7b7be212f1f4ff1da9070a7b54d22ef75c88"
dependencies = [
"const-oid",
"digest 0.10.7",
@@ -4192,6 +4200,12 @@ dependencies = [
"serde_json",
]
[[package]]
name = "rustc-demangle"
version = "0.1.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
[[package]]
name = "rustc-hash"
version = "1.1.0"
@@ -4442,9 +4456,9 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
[[package]]
name = "sequoia-openpgp"
version = "2.2.0"
version = "2.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0620e44a7d514adf7df87b44db235f13b81fed7ddc265adb26f014d42626ac47"
checksum = "f0e334ce3ec5b9b47d86a80563b3ecec435f59acf37e86058b3b686a42c5a2ba"
dependencies = [
"aes",
"aes-gcm",
@@ -4485,7 +4499,7 @@ dependencies = [
"p256",
"p384",
"p521",
"rand 0.9.2",
"rand 0.8.5",
"rand_core 0.6.4",
"regex",
"regex-syntax",
@@ -4604,9 +4618,9 @@ dependencies = [
[[package]]
name = "serde_spanned"
version = "1.1.1"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6662b5879511e06e8999a8a235d848113e942c9124f211511b16466ee2995f26"
checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
dependencies = [
"serde_core",
]
@@ -4776,7 +4790,7 @@ dependencies = [
"pkcs8",
"rand 0.8.5",
"regex",
"reqwest 0.12.8",
"reqwest",
"rsa",
"rustls-pki-types",
"rustls-webpki",
@@ -4901,12 +4915,12 @@ dependencies = [
[[package]]
name = "socket2"
version = "0.6.3"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
dependencies = [
"libc",
"windows-sys 0.61.2",
"windows-sys 0.59.0",
]
[[package]]
@@ -4954,14 +4968,8 @@ name = "strum"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32"
[[package]]
name = "strum"
version = "0.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9628de9b8791db39ceda2b119bbe13134770b56c138ec1d3af810d045c04f9bd"
dependencies = [
"strum_macros 0.28.0",
"strum_macros",
]
[[package]]
@@ -4977,18 +4985,6 @@ dependencies = [
"syn 2.0.87",
]
[[package]]
name = "strum_macros"
version = "0.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ab85eea0270ee17587ed4156089e10b9e6880ee688791d45a905f5b1ca36f664"
dependencies = [
"heck 0.5.0",
"proc-macro2",
"quote",
"syn 2.0.87",
]
[[package]]
name = "subprocess"
version = "0.2.9"
@@ -5272,26 +5268,29 @@ dependencies = [
[[package]]
name = "tokio"
version = "1.51.0"
version = "1.47.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2bd1c4c0fc4a7ab90fc15ef6daaa3ec3b893f004f915f2392557ed23237820cd"
checksum = "89e49afdadebb872d3145a5638b59eb0691ea23e46ca484037cfab3b76b95038"
dependencies = [
"backtrace",
"bytes",
"io-uring",
"libc",
"mio",
"parking_lot",
"pin-project-lite",
"signal-hook-registry",
"socket2 0.6.3",
"slab",
"socket2 0.6.0",
"tokio-macros",
"windows-sys 0.61.2",
"windows-sys 0.59.0",
]
[[package]]
name = "tokio-macros"
version = "2.7.0"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "385a6cb71ab9ab790c5fe8d67f1645e6c450a7ce006a33de03daa956cf70a496"
checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
dependencies = [
"proc-macro2",
"quote",
@@ -5322,9 +5321,9 @@ dependencies = [
[[package]]
name = "tokio-util"
version = "0.7.18"
version = "0.7.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
dependencies = [
"bytes",
"futures-core",
@@ -5357,17 +5356,17 @@ dependencies = [
[[package]]
name = "toml"
version = "1.1.2+spec-1.1.0"
version = "0.9.11+spec-1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81f3d15e84cbcd896376e6730314d59fb5a87f31e4b038454184435cd57defee"
checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46"
dependencies = [
"indexmap 2.13.0",
"serde_core",
"serde_spanned",
"toml_datetime 1.1.1+spec-1.1.0",
"toml_datetime 0.7.5+spec-1.1.0",
"toml_parser",
"toml_writer",
"winnow 1.0.1",
"winnow",
]
[[package]]
@@ -5378,9 +5377,9 @@ checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
[[package]]
name = "toml_datetime"
version = "1.1.1+spec-1.1.0"
version = "0.7.5+spec-1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347"
dependencies = [
"serde_core",
]
@@ -5393,23 +5392,23 @@ checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
dependencies = [
"indexmap 2.13.0",
"toml_datetime 0.6.11",
"winnow 0.7.14",
"winnow",
]
[[package]]
name = "toml_parser"
version = "1.1.2+spec-1.1.0"
version = "1.0.6+spec-1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44"
dependencies = [
"winnow 1.0.1",
"winnow",
]
[[package]]
name = "toml_writer"
version = "1.1.1+spec-1.1.0"
version = "1.0.6+spec-1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "756daf9b1013ebe47a8776667b466417e2d4c5679d441c26230efd9ef78692db"
checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
[[package]]
name = "tonic"
@@ -5430,7 +5429,7 @@ dependencies = [
"hyper-util",
"percent-encoding",
"pin-project",
"socket2 0.6.3",
"socket2 0.6.0",
"sync_wrapper",
"tokio",
"tokio-stream",
@@ -5470,24 +5469,6 @@ dependencies = [
"tracing",
]
[[package]]
name = "tower-http"
version = "0.6.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
dependencies = [
"bitflags 2.6.0",
"bytes",
"futures-util",
"http 1.1.0",
"http-body 1.0.1",
"iri-string",
"pin-project-lite",
"tower",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-layer"
version = "0.3.3"
@@ -5502,9 +5483,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
[[package]]
name = "tracing"
version = "0.1.44"
version = "0.1.41"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
dependencies = [
"log",
"pin-project-lite",
@@ -5514,9 +5495,9 @@ dependencies = [
[[package]]
name = "tracing-attributes"
version = "0.1.31"
version = "0.1.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
checksum = "1b1ffbcf9c6f6b99d386e7444eb608ba646ae452a36b39737deb9663b610f662"
dependencies = [
"proc-macro2",
"quote",
@@ -5525,9 +5506,9 @@ dependencies = [
[[package]]
name = "tracing-core"
version = "0.1.36"
version = "0.1.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678"
dependencies = [
"once_cell",
]
@@ -5913,7 +5894,7 @@ version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
dependencies = [
"windows-sys 0.48.0",
"windows-sys 0.59.0",
]
[[package]]
@@ -6056,15 +6037,6 @@ dependencies = [
"windows-targets 0.52.6",
]
[[package]]
name = "windows-sys"
version = "0.61.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
dependencies = [
"windows-link",
]
[[package]]
name = "windows-targets"
version = "0.42.2"
@@ -6252,12 +6224,6 @@ dependencies = [
"memchr",
]
[[package]]
name = "winnow"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5"
[[package]]
name = "wit-bindgen"
version = "0.51.0"


@@ -41,7 +41,7 @@ serde = { version = "1.0.131", features = ["derive"] }
serde_json = "1.0.73"
# Image pull/unpack
image-rs = { git = "https://github.com/confidential-containers/guest-components", tag = "v0.18.0", features = [
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "026694d44d4ec483465d2fa5f80a0376166b174d", features = [
"oci-client-rustls",
"signature-cosign-rustls",
] }


@@ -1519,8 +1519,6 @@ CopyFileRequest if {
check_directory_traversal(input.path)
allow_copy_file(input.path, input.file_mode, input.data)
some regex1 in policy_data.request_defaults.CopyFileRequest
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
@@ -1532,39 +1530,6 @@ CopyFileRequest if {
print("CopyFileRequest: true")
}
allow_copy_file(path, mode, data) if {
print("allow_copy_file regular")
bits.and(mode, 61440) == 32768
print("allow_copy_file regular: true")
}
allow_copy_file(path, mode, data) if {
print("allow_copy_file dir")
bits.and(mode, 61440) == 16384
print("allow_copy_file dir: true")
}
allow_copy_file(path, mode, data) if {
print("allow_copy_file symlink")
bits.and(mode, 61440) == 40960
target := concat("", [sprintf("%c", [c]) | c := data[_]])
check_directory_traversal(target)
not startswith(target, "/")
regex1 := concat("", [policy_data.common.sfprefix, ".*/.+"])
regex2 := replace(regex1, "$(cpath)", policy_data.common.cpath)
regex3 := replace(regex2, "$(bundle-id)", "[a-z0-9]{64}")
regex.match(regex3, path)
print("allow_copy_file symlink: true")
}
CreateSandboxRequest if {
print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
count(input.guest_hook_path) == 0
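Review bot: The new side of `CopyFileRequest` no longer calls `allow_copy_file(input.path, input.file_mode, input.data)`, and the three `allow_copy_file` rules are deleted in the second hunk, so the request is accepted on the path regex alone: the mode is no longer restricted to regular file, directory or symlink, and a symlink payload is no longer checked for an absolute or `..`-containing target (`check_directory_traversal(target)`, `not startswith(target, "/")`) nor confined to `sfprefix`. Because this policy exists to constrain what the host-side shim can make the agent do, a CopyFileRequest carrying a symlink to an arbitrary guest path, or a device or FIFO mode, would now pass where the deleted rules explicitly blocked it. If the check moved into the agent or another rule, a comment in `CopyFileRequest` naming where would help; otherwise the call and the three rules should be kept. Whether `check_directory_traversal(input.path)` also went with the two removed lines is not recoverable from the rendering, but the rule should keep it in any case.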


@@ -166,14 +166,4 @@ impl yaml::K8sResource for CronJob {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.jobTemplate.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec
.jobTemplate
.spec
.template
.spec
.securityContext
.as_ref()
}
}


@@ -167,8 +167,4 @@ impl yaml::K8sResource for DaemonSet {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}


@@ -178,8 +178,4 @@ impl yaml::K8sResource for Deployment {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}


@@ -167,10 +167,6 @@ impl yaml::K8sResource for Job {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}
pub fn pod_name_regex(job_name: String) -> String {


@@ -114,12 +114,10 @@ pub fn get_mount_and_storage(
if let Some(emptyDir) = &yaml_volume.emptyDir {
let settings_volumes = &settings.volumes;
let (volume, block_encrypted_emptydir) = match emptyDir.medium.as_deref() {
Some("Memory") => (&settings_volumes.emptyDir_memory, false),
_ if settings.cluster_config.encrypted_emptydir => {
(&settings_volumes.emptyDir_encrypted, true)
}
_ => (&settings_volumes.emptyDir, false),
let volume = match emptyDir.medium.as_deref() {
Some("Memory") => &settings_volumes.emptyDir_memory,
_ if settings.cluster_config.encrypted_emptydir => &settings_volumes.emptyDir_encrypted,
_ => &settings_volumes.emptyDir,
};
get_empty_dir_mount_and_storage(
@@ -129,7 +127,6 @@ pub fn get_mount_and_storage(
yaml_mount,
volume,
pod_security_context,
block_encrypted_emptydir,
);
} else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() {
get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", "rw");
@@ -153,42 +150,18 @@ fn get_empty_dir_mount_and_storage(
yaml_mount: &pod::VolumeMount,
settings_empty_dir: &settings::EmptyDirVolume,
pod_security_context: &Option<pod::PodSecurityContext>,
block_encrypted_emptydir: bool,
) {
debug!("Settings emptyDir: {:?}", settings_empty_dir);
if yaml_mount.subPathExpr.is_none() {
let mut options = settings_empty_dir.options.clone();
// Pod fsGroup in policy must mirror how the shim encodes it on Storage:
// - block-encrypted host emptyDirs become virtio-blk/scsi volumes; the runtime sets
// Storage.fs_group from mount metadata (handleDeviceBlockVolume in kata_agent.go).
// - shared-fs / guest-local emptyDirs use Storage.options: the runtime appends
// fsgid=<host GID> when the volume is not root-owned (handleEphemeralStorage and
// handleLocalStorage in kata_agent.go). Genpolicy uses pod fsGroup when non-zero as
// the usual kubelet-applied GID for that stat.
let pod_gid = pod_security_context.as_ref().and_then(|sc| sc.fsGroup);
let fs_group = if block_encrypted_emptydir {
match pod_gid {
Some(gid) if gid > 0 => protobuf::MessageField::some(agent::FSGroup {
group_id: u32::try_from(gid).unwrap_or_else(|_| {
panic!(
"get_empty_dir_mount_and_storage: securityContext.fsGroup {gid} \
must be <= {}",
u32::MAX
)
}),
..Default::default()
}),
_ => protobuf::MessageField::none(),
if let Some(gid) = pod_security_context.as_ref().and_then(|sc| sc.fsGroup) {
// This matches the runtime behavior of only setting the fsgid if the mountpoint GID is not 0.
// https://github.com/kata-containers/kata-containers/blob/b69da5f3ba8385c5833b31db41a846a203812675/src/runtime/virtcontainers/kata_agent.go#L1602-L1607
if gid != 0 {
options.push(format!("fsgid={gid}"));
}
} else {
if let Some(gid) = pod_gid {
if gid != 0 {
options.push(format!("fsgid={gid}"));
}
}
protobuf::MessageField::none()
};
}
storages.push(agent::Storage {
driver: settings_empty_dir.driver.clone(),
driver_options: settings_empty_dir.driver_options.clone(),
@@ -200,7 +173,7 @@ fn get_empty_dir_mount_and_storage(
} else {
settings_empty_dir.mount_point.clone()
},
fs_group,
fs_group: protobuf::MessageField::none(),
shared: settings_empty_dir.shared,
special_fields: ::protobuf::SpecialFields::new(),
});
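Review bot: In `get_empty_dir_mount_and_storage` the new code appends `fsgid={gid}` to `options` for every emptyDir variant and always emits `fs_group: protobuf::MessageField::none()`, including the volume selected by `settings.cluster_config.encrypted_emptydir`. The comment on the removed side states that the runtime encodes the GID as `Storage.fs_group` rather than an `fsgid=` option for block-encrypted emptyDirs; if that is still how the agent receives them, the generated policy would reject the encrypted emptyDir storage of any pod with a non-zero `fsGroup`, and the expected output in the later test JSON hunk (`"fs_group": null` next to `"encryption_key=ephemeral"`) encodes that same mismatch. Worth confirming against the runtime before landing, and either keeping a `block_encrypted_emptydir` distinction or adding a comment above the `if let Some(gid)` block explaining why the option form is correct for encrypted volumes too. `get_empty_dir_mount_and_storage` ends outside the hunk.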


@@ -937,10 +937,6 @@ impl yaml::K8sResource for Pod {
fn get_sysctls(&self) -> Vec<Sysctl> {
yaml::get_sysctls(&self.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&PodSecurityContext> {
self.spec.securityContext.as_ref()
}
}
impl Container {


@@ -971,16 +971,6 @@ impl AgentPolicy {
);
}
yaml::apply_pod_fs_group_and_supplemental_groups(
&mut process,
resource.get_pod_security_context(),
is_pause_container,
);
debug!(
"get_container_process: after apply_pod_fs_group_and_supplemental_groups: User = {:?}",
&process.User
);
///////////////////////////////////////////////////////////////////////////////////////
// Container-level settings from user's YAML.
yaml_container.get_process_fields(&mut process);


@@ -128,8 +128,4 @@ impl yaml::K8sResource for ReplicaSet {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}


@@ -131,8 +131,4 @@ impl yaml::K8sResource for ReplicationController {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}


@@ -211,10 +211,6 @@ impl yaml::K8sResource for StatefulSet {
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
self.spec.template.spec.securityContext.as_ref()
}
}
impl StatefulSet {


@@ -107,10 +107,6 @@ pub trait K8sResource {
// for some of the K8s resource types.
}
fn get_pod_security_context(&self) -> Option<&pod::PodSecurityContext> {
None
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
vec![]
}
@@ -392,39 +388,6 @@ fn handle_unused_field(path: &str, silent_unsupported_fields: bool) {
}
}
/// Applies pod `fsGroup` and `supplementalGroups` to `AdditionalGids`.
pub fn apply_pod_fs_group_and_supplemental_groups(
process: &mut policy::KataProcess,
security_context: Option<&pod::PodSecurityContext>,
is_pause_container: bool,
) {
if is_pause_container {
return;
}
let Some(context) = security_context else {
return;
};
if let Some(fs_group) = context.fsGroup {
let gid: u32 = fs_group.try_into().unwrap();
process.User.AdditionalGids.insert(gid);
debug!(
"apply_pod_fs_group_and_supplemental_groups: inserted fs_group = {gid} into AdditionalGids, User = {:?}",
&process.User
);
}
if let Some(supplemental_groups) = &context.supplementalGroups {
supplemental_groups.iter().for_each(|g| {
process.User.AdditionalGids.insert(*g);
});
debug!(
"apply_pod_fs_group_and_supplemental_groups: inserted supplementalGroups = {:?} into AdditionalGids, User = {:?}",
&supplemental_groups, &process.User
);
}
}
pub fn get_process_fields(
process: &mut policy::KataProcess,
must_check_passwd: &mut bool,
@@ -484,6 +447,27 @@ pub fn get_process_fields(
*must_check_passwd = false;
}
if !is_pause_container {
if let Some(fs_group) = context.fsGroup {
let gid = fs_group.try_into().unwrap();
process.User.AdditionalGids.insert(gid);
debug!(
"get_process_fields: inserted fs_group = {gid} into AdditionalGids, User = {:?}",
&process.User
);
}
if let Some(supplemental_groups) = &context.supplementalGroups {
supplemental_groups.iter().for_each(|g| {
process.User.AdditionalGids.insert(*g);
});
debug!(
"get_process_fields: inserted supplementalGroups = {:?} into AdditionalGids, User = {:?}",
&supplemental_groups, &process.User
);
}
}
if let Some(allow) = context.allowPrivilegeEscalation {
process.NoNewPrivileges = !allow
}
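Review bot: `let gid = fs_group.try_into().unwrap();` in `get_process_fields` panics when `securityContext.fsGroup` from the user's YAML does not fit the target type, so a bad value aborts genpolicy with a bare unwrap message instead of a diagnostic naming the field. Prefer `let gid = u32::try_from(fs_group).expect("securityContext.fsGroup must fit in u32");`, or propagate an error if the function returns `Result` (its signature starts outside the hunk, so that is not visible here). The same `unwrap` existed in the removed `apply_pod_fs_group_and_supplemental_groups`, so this is a carry-over rather than a regression, but it is now the only place the conversion happens.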


@@ -4,7 +4,6 @@
"description": "copy initiated by k8s mount",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-resolv.conf"
}
},
@@ -13,7 +12,6 @@
"description": "a dirname can have trailing dots",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo../bar"
}
},
@@ -22,7 +20,6 @@
"description": "attempt to copy outside of container root",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/etc/ssl/cert.pem"
}
},
@@ -31,7 +28,6 @@
"description": "attempt to write into container root",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc/rootfs/bin/sh"
}
},
@@ -40,7 +36,6 @@
"description": "attempt to write into container root - guest pull",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/run/kata-containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc/rootfs/bin/sh"
}
},
@@ -49,7 +44,6 @@
"description": "attempted directory traversal",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/../../../../../etc/ssl/cert.pem"
}
},
@@ -58,7 +52,6 @@
"description": "attempted directory traversal - parent directory",
"kind": "CopyFileRequest",
"request": {
"file_mode": 16895,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/.."
}
},
@@ -67,7 +60,6 @@
"description": "relative path",
"kind": "CopyFileRequest",
"request": {
"file_mode": 33206,
"path": "etc/ssl/cert.pem"
}
},
@@ -76,122 +68,7 @@
"description": "relative path - parent directory",
"kind": "CopyFileRequest",
"request": {
"file_mode": 16895,
"path": ".."
}
},
{
"allowed": false,
"description": "unsupported S_IFBLK",
"kind": "CopyFileRequest",
"request": {
"file_mode": 24576,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/bar"
}
},
{
"allowed": false,
"description": "unsupported S_IFSOCK",
"kind": "CopyFileRequest",
"request": {
"file_mode": 49152,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/bar"
}
},
{
"allowed": false,
"description": "unsupported S_IFIFO",
"kind": "CopyFileRequest",
"request": {
"file_mode": 4096,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/bar"
}
},
{
"allowed": false,
"description": "unsupported mixed mode (S_IFREG | S_IFLNK)",
"kind": "CopyFileRequest",
"request": {
"file_mode": 73728,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/bar"
}
},
{
"allowed": false,
"description": "unsupported no mode",
"kind": "CopyFileRequest",
"request": {
"file_mode": 511,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/bar"
}
},
{
"allowed": true,
"description": "directory in top-level shared directory",
"kind": "CopyFileRequest",
"request": {
"file_mode": 16895,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo"
}
},
{
"allowed": false,
"description": "symlink in top-level shared directory",
"kind": "CopyFileRequest",
"request": {
"data": [97, 98, 99],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo"
}
},
{
"allowed": true,
"description": "symlink beneath top-level shared directory",
"kind": "CopyFileRequest",
"request": {
"data": [97, 98, 99],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/lnk"
}
},
{
"allowed": false,
"description": "symlink pointing up - leading (../abc)",
"kind": "CopyFileRequest",
"request": {
"data": [46, 46, 47, 97, 98, 99],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/lnk"
}
},
{
"allowed": false,
"description": "symlink pointing up - middle (a/../../b)",
"kind": "CopyFileRequest",
"request": {
"data": [97, 47, 46, 46, 47, 46, 46, 47, 98],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/lnk"
}
},
{
"allowed": false,
"description": "symlink with 0-byte in target (a\\x00/b)",
"kind": "CopyFileRequest",
"request": {
"data": [97, 0, 47, 98],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/lnk"
}
},
{
"allowed": false,
"description": "symlink with absolute target (/abc)",
"kind": "CopyFileRequest",
"request": {
"data": [47, 97, 98, 99],
"file_mode": 41471,
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/lnk"
}
}
]


@@ -345,12 +345,12 @@
"driver_options": [
"encryption_key=ephemeral"
],
"fs_group": {
"group_id": 1000
},
"fs_group": null,
"fstype": "ext4",
"mount_point": "/run/kata-containers/sandbox/storage/MDAvMDA=",
"options": [],
"options": [
"fsgid=1000"
],
"source": "00/00",
"shared": true
}


@@ -184,6 +184,8 @@ pub struct HypervisorInfo {
#[serde(default)]
virtio_fs_daemon: String,
#[serde(default)]
msize_9p: u32,
#[serde(default)]
memory_slots: u32,
#[serde(default)]
pcie_root_port: u32,
@@ -415,6 +417,7 @@ pub fn get_hypervisor_info(
.clone()
.unwrap_or_else(|| String::from("none")),
virtio_fs_daemon: hypervisor_config.shared_fs.virtio_fs_daemon.to_string(),
msize_9p: hypervisor_config.shared_fs.msize_9p,
memory_slots: hypervisor_config.memory_info.memory_slots,
pcie_root_port: hypervisor_config.device_info.pcie_root_port,
hotplug_vfio_on_rootbus: hypervisor_config.device_info.hotplug_vfio_on_root_bus,


@@ -45,7 +45,7 @@ kbs_set_allow_all_resources() {
kbs_set_default_policy() {
kbs_set_resources_policy \
"${COCO_KBS_DIR}/sample_policies/default.rego"
"${COCO_KBS_DIR}/src/policy_engine/opa/default_policy.rego"
}
# Set "deny all" policy to resources.


@@ -22,27 +22,22 @@ setup() {
pod_name="sharevol-kata"
pod_logs_file=""
setup_common || die "setup_common failed"
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
}
@test "Empty dir volumes" {
local yaml_file
local mount_command
local dd_command
yaml_file="${pod_config_dir}/pod-empty-dir.yaml"
# Add policy to yaml
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
mount_command=(sh -c "mount | grep cache")
add_exec_to_policy_settings "${policy_settings_dir}" "${mount_command[@]}"
dd_command=(sh -c "dd if=/dev/zero of=/tmp/cache/file1 bs=1M count=50; echo $?")
add_exec_to_policy_settings "${policy_settings_dir}" "${dd_command[@]}"
# Add policy to yaml
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
}
@test "Empty dir volumes" {
# Create the pod
kubectl create -f "${yaml_file}"
@@ -60,25 +55,20 @@ setup() {
local agnhost_name
local agnhost_version
local gid
local image
local logs
local pod_yaml
local pod_yaml_in
local pod_file
local uid
# This is a reproducer of k8s e2e "[sig-storage] EmptyDir volumes when FSGroup is specified [LinuxOnly] [NodeFeature:FSGroup] new files should be created with FSGroup ownership when container is non-root" test
pod_yaml_in="${pod_config_dir}/pod-empty-dir-fsgroup.yaml.in"
pod_yaml="${pod_config_dir}/pod-empty-dir-fsgroup.yaml"
pod_file="${pod_config_dir}/pod-empty-dir-fsgroup.yaml"
agnhost_name="${container_images_agnhost_name}"
agnhost_version="${container_images_agnhost_version}"
export AGNHOST_IMAGE="${agnhost_name}:${agnhost_version}"
envsubst '${AGNHOST_IMAGE}' <"${pod_yaml_in}" >"${pod_yaml}"
# Add policy to yaml
auto_generate_policy "${policy_settings_dir}" "${pod_yaml}"
image="${agnhost_name}:${agnhost_version}"
# Try to avoid timeout by prefetching the image.
kubectl create -f "${pod_yaml}"
sed -e "s#\${agnhost_image}#${image}#" "$pod_file" |\
kubectl create -f -
cmd="kubectl get pods ${pod_name} | grep Completed"
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
@@ -100,7 +90,6 @@ setup() {
teardown() {
[ ! -f "$pod_logs_file" ] || rm -f "$pod_logs_file"
[[ -n "${pod_config_dir:-}" ]] && rm -f "${pod_config_dir}/pod-empty-dir-fsgroup.yaml"
delete_tmp_policy_settings_dir "${policy_settings_dir}"
teardown_common "${node}" "${node_start_time:-}"
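Review bot: In the fsGroup test the pod is created directly from `sed -e "s#\${agnhost_image}#${image}#" "$pod_file" | kubectl create -f -` with no `auto_generate_policy` call, so unlike the first test this pod carries no generated policy; the fsGroup handling is then not exercised under policy, and on a policy-enforcing configuration the pod may be rejected outright. Rendering to a temporary file, calling `auto_generate_policy "${policy_settings_dir}" "${tmp_yaml}"` on it and creating from that file (removing it in `teardown`) keeps both tests on the same footing. Side assignment is inferred from the hunk counts; the first hunk places `policy_settings_dir` in `setup()`, so it is available for that call.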


@@ -69,11 +69,11 @@ EOF"
## Cases for target container
### First container
container_name=$(kubectl exec $pod_name -c $first_container_name -- $env_command | grep CONTAINER_NAME | tr -d '\r')
container_name=$(kubectl exec $pod_name -c $first_container_name -- $env_command | grep CONTAINER_NAME)
[ "$container_name" == "CONTAINER_NAME=$first_container_name" ]
### Second container
container_name=$(kubectl exec $pod_name -c $second_container_name -- $env_command | grep CONTAINER_NAME | tr -d '\r')
container_name=$(kubectl exec $pod_name -c $second_container_name -- $env_command | grep CONTAINER_NAME)
[ "$container_name" == "CONTAINER_NAME=$second_container_name" ]
}
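Review bot: Without `| tr -d '\r'` on the `kubectl exec ... | grep CONTAINER_NAME` captures, the `[ "$container_name" == "CONTAINER_NAME=$first_container_name" ]` comparisons depend on the container not being attached to a tty; the comment on the other side of the later pid-namespace hunk ("containers with tty: true return \r\n line endings") records why the strip was there. If the pod spec used here (outside the hunk) sets `tty: true`, the trailing carriage return makes both assertions fail. The same applies to the two `ps_command | grep "/pause"` captures in that later hunk; which side is new is inferred from the hunk counts.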


@@ -16,7 +16,7 @@ shim_config_file="/opt/kata/share/defaults/kata-containers/configuration-${KATA_
check_and_skip() {
case "${KATA_HYPERVISOR}" in
qemu-tdx|qemu-coco-dev|qemu-snp)
qemu-tdx|qemu-coco-dev)
if [ "$(uname -m)" == "s390x" ]; then
skip "measured rootfs tests not implemented for s390x"
fi


@@ -29,6 +29,14 @@ setup() {
envsubst < "${pod_yaml_in}" > "${pod_yaml}"
if [ "${TEE}" = "true" ]; then
kernel_params_annotation="io.katacontainers.config.hypervisor.kernel_params"
kernel_params_value="nvrc.smi.srs=1"
set_metadata_annotation "${pod_yaml}" \
"${kernel_params_annotation}" \
"${kernel_params_value}"
fi
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"


@@ -10,7 +10,6 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu-nvidia-gpu}"
# when using hostPath, ensure directory is writable by container user
export LOCAL_NIM_CACHE="/opt/nim/.cache"
SKIP_MULTI_GPU_TESTS=${SKIP_MULTI_GPU_TESTS:-false}


@@ -35,16 +35,15 @@ setup() {
kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name
# Check PID from first container
# Strip \r — containers with tty: true return \r\n line endings
first_pid_container=$(kubectl exec $pod_name -c $first_container_name \
-- $ps_command | grep "/pause" | tr -d '\r')
-- $ps_command | grep "/pause")
# Verify that is not empty
check_first_pid=$(echo $first_pid_container | wc -l)
[ "$check_first_pid" == "1" ]
# Check PID from second container
second_pid_container=$(kubectl exec $pod_name -c $second_container_name \
-- $ps_command | grep "/pause" | tr -d '\r')
-- $ps_command | grep "/pause")
# Verify that is not empty
check_second_pid=$(echo $second_pid_container | wc -l)
[ "$check_second_pid" == "1" ]


@@ -10,6 +10,8 @@ load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() {
[ "$(uname -m)" == "aarch64" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10928"
[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
[[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "See: https://github.com/kata-containers/kata-containers/issues/12492"
setup_common || die "setup_common failed"
@@ -49,6 +51,8 @@ setup() {
}
teardown() {
[ "$(uname -m)" == "aarch64" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10928"
[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
[[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "See: https://github.com/kata-containers/kata-containers/issues/12492"
for pod in "${pods[@]}"; do


@@ -16,18 +16,14 @@ metadata:
# cc_init_data annotation will be added by genpolicy with CDH configuration
# from the custom default-initdata.toml created by create_nim_initdata_file()
spec:
# Explicit user/group/supplementary groups to support nydus guest-pull.
# See issue https://github.com/kata-containers/kata-containers/issues/11162 and
# other references to this issue in the genpolicy source folder.
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
supplementalGroups: [4, 20, 24, 25, 27, 29, 30, 44, 46]
restartPolicy: Never
runtimeClassName: kata
imagePullSecrets:
- name: ngc-secret-instruct
securityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
containers:
- name: ${POD_NAME_INSTRUCT}
image: nvcr.io/nim/meta/llama-3.1-8b-instruct:1.13.1
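Review bot: The pod-level `securityContext` now pins `runAsUser: 0`, `runAsGroup: 0`, `fsGroup: 0`, so the NIM container runs as root inside the guest, whereas the other side ran as uid/gid 1000 with an explicit `supplementalGroups` list and a comment tying that choice to issue 11162 (nydus guest-pull). If root is only a workaround, say so in a comment above the block, e.g. `# runs as root until <reason>; prefer runAsUser: 1000 with the supplemental groups the image needs`; as written a reader cannot tell whether root is required or incidental. The same root `securityContext` is added in the three following manifest hunks (the second instruct manifest and both embedqa manifests), and the embedqa one drops the comment explaining the NVML permission constraint.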


@@ -14,6 +14,10 @@ spec:
runtimeClassName: kata
imagePullSecrets:
- name: ngc-secret-instruct
securityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
containers:
- name: ${POD_NAME_INSTRUCT}
image: nvcr.io/nim/meta/llama-3.1-8b-instruct:1.13.1


@@ -16,18 +16,15 @@ metadata:
# cc_init_data annotation will be added by genpolicy with CDH configuration
# from the custom default-initdata.toml created by create_nim_initdata_file()
spec:
# Explicit user/group/supplementary groups to support nydus guest-pull.
# See issue https://github.com/kata-containers/kata-containers/issues/11162 and
# other references to this issue in the genpolicy source folder.
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
restartPolicy: Always
runtimeClassName: kata
serviceAccountName: default
imagePullSecrets:
- name: ngc-secret-embedqa
securityContext:
fsGroup: 0
runAsGroup: 0
runAsUser: 0
containers:
- name: ${POD_NAME_EMBEDQA}
image: nvcr.io/nim/nvidia/llama-3.2-nv-embedqa-1b-v2:1.10.1


@@ -10,16 +10,15 @@ metadata:
labels:
app: ${POD_NAME_EMBEDQA}
spec:
# unlike the instruct manifest, this image needs securityContext to
# avoid NVML/GPU permission failures
securityContext:
runAsUser: 1000
runAsGroup: 1000
restartPolicy: Always
runtimeClassName: kata
serviceAccountName: default
imagePullSecrets:
- name: ngc-secret-embedqa
securityContext:
fsGroup: 0
runAsGroup: 0
runAsUser: 0
containers:
- name: ${POD_NAME_EMBEDQA}
image: nvcr.io/nim/nvidia/llama-3.2-nv-embedqa-1b-v2:1.10.1


@@ -15,7 +15,7 @@ spec:
fsGroup: 123
containers:
- name: mounttest-container
image: ${AGNHOST_IMAGE}
image: ${agnhost_image}
command:
- /agnhost
args:
@@ -28,7 +28,7 @@ spec:
- name: emptydir-volume
mountPath: /test-volume
- name: mounttest-container-2
image: ${AGNHOST_IMAGE}
image: ${agnhost_image}
command:
- /agnhost
args:


@@ -148,7 +148,9 @@ install_genpolicy_drop_ins() {
# 20-* OCI version overlay
if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
elif is_k3s_or_rke2; then
cp "${examples_dir}/20-oci-1.2.1-drop-in.json" "${settings_d}/"
elif is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
fi


@@ -68,12 +68,12 @@ install_userspace_components() {
libnvidia-decode libnvidia-fbc1 libnvidia-encode \
libnvidia-nscq libnvidia-compute nvidia-settings
# Needed for confidential-data-hub and NVAT runtime dependencies
# Needed for confidential-data-hub runtime dependencies
eval "${APT_INSTALL}" cryptsetup-bin dmsetup \
libargon2-1 e2fsprogs libxml2
libargon2-1 e2fsprogs
apt-mark hold cryptsetup-bin dmsetup libargon2-1 \
e2fsprogs libxml2
e2fsprogs
}
setup_apt_repositories() {


@@ -224,26 +224,6 @@ chisseled_gpudirect() {
exit 1
}
chisseled_nvat() {
if [[ "${type}" != "confidential" ]]; then
return
fi
echo "nvidia: chisseling NVAT"
local libdir="lib/${machine_arch}-linux-gnu"
# NVAT shared library (bundled via coco-guest-components tarball)
cp -a "${stage_one}"/usr/local/lib/libnvat.so* "${libdir}"/.
# NVAT runtime dependencies (per ldd on attestation-agent)
cp -a "${stage_one}/${libdir}"/libxml2.so.2* "${libdir}"/.
cp -a "${stage_one}/${libdir}"/libstdc++.so.6* "${libdir}"/.
cp -a "${stage_one}/${libdir}"/liblzma.so.5* "${libdir}"/.
cp -a "${stage_one}/${libdir}"/libicuuc.so.* "${libdir}"/.
cp -a "${stage_one}/${libdir}"/libicudata.so.* "${libdir}"/.
}
setup_nvrc_init_symlinks() {
local nvrc="NVRC-${machine_arch}-unknown-linux-musl"
# make sure NVRC is the init process for the initrd and image case
@@ -378,7 +358,7 @@ coco_guest_components() {
local -r pause_dir="pause_bundle"
mkdir -p "${coco_bin_dir}"
cp -a "${stage_one}/${coco_bin_dir}"/attestation-agent-nv "${coco_bin_dir}/attestation-agent"
cp -a "${stage_one}/${coco_bin_dir}"/attestation-agent "${coco_bin_dir}/."
cp -a "${stage_one}/${coco_bin_dir}"/api-server-rest "${coco_bin_dir}/."
cp -a "${stage_one}/${coco_bin_dir}"/confidential-data-hub "${coco_bin_dir}/."
@@ -438,7 +418,6 @@ setup_nvidia_gpu_rootfs_stage_two() {
done
coco_guest_components
chisseled_nvat
fi
compress_rootfs


@@ -7,17 +7,17 @@
FROM golang:1.24-alpine AS nydus-binary-downloader
COPY versions.yaml /tmp/versions.yaml
# Keep the version here aligned with "ndyus-snapshotter.version"
# in versions.yaml
ARG NYDUS_SNAPSHOTTER_VERSION=v0.15.13
ARG NYDUS_SNAPSHOTTER_REPO=https://github.com/containerd/nydus-snapshotter
RUN \
set -e && \
apk add --no-cache curl yq-go && \
NYDUS_SNAPSHOTTER_VERSION="$(yq eval -e '.externals.nydus-snapshotter.version | explode(.)' /tmp/versions.yaml)" && \
NYDUS_SNAPSHOTTER_REPO="$(yq eval -e '.externals.nydus-snapshotter.url | explode(.)' /tmp/versions.yaml)" && \
mkdir -p /opt/nydus-snapshotter && \
ARCH="$(uname -m)" && \
if [ "${ARCH}" = "x86_64" ]; then ARCH=amd64 ; fi && \
if [ "${ARCH}" = "aarch64" ]; then ARCH=arm64; fi && \
apk add --no-cache curl && \
curl -fOL --progress-bar "${NYDUS_SNAPSHOTTER_REPO}/releases/download/${NYDUS_SNAPSHOTTER_VERSION}/nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz" && \
tar xvzpf "nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz" -C /opt/nydus-snapshotter && \
rm "nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz"
@@ -47,16 +47,12 @@ RUN \
libc6-dev \
musl-tools && \
apt-get clean && rm -rf /var/lib/apt/lists/ && \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} && \
rustup component add rustfmt clippy
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
# Build from the repository root so kata-deploy uses the root Cargo workspace:
# docker build -f tools/packaging/kata-deploy/Dockerfile .
WORKDIR /kata
WORKDIR /kata-deploy
COPY Cargo.toml Cargo.lock ./
COPY src ./src
COPY tools/packaging/kata-deploy/binary ./tools/packaging/kata-deploy/binary
# Copy standalone binary project
COPY binary /kata-deploy
# Install target and run tests based on architecture
# - AMD64/arm64: use musl for fully static binaries
@@ -92,39 +88,28 @@ RUN \
esac; \
echo "${rust_target}" > /tmp/rust_target
# Verify code formatting and run cargo check before tests and build
RUN \
set -e && \
rust_target="$(cat /tmp/rust_target)" && \
echo "Checking code formatting..." && \
cargo fmt -p kata-deploy --check && \
echo "Code formatting check passed!" && \
echo "Running cargo clippy with target ${rust_target}..." && \
cargo clippy -p kata-deploy --all-targets --all-features --release --locked --target "${rust_target}" -- -D warnings && \
echo "Cargo clippy passed!"
# Run tests using --test-threads=1 to prevent environment variable pollution between tests,
# and this is fine as we'll never ever have multiple binaries running at the same time.
RUN \
rust_target="$(cat /tmp/rust_target)"; \
echo "Running binary tests with target ${rust_target}..." && \
RUSTFLAGS="-D warnings" cargo test -p kata-deploy --target "${rust_target}" -- --test-threads=1 && \
RUSTFLAGS="-D warnings" cargo test --target "${rust_target}" -- --test-threads=1 && \
echo "All tests passed!"
RUN \
rust_target="$(cat /tmp/rust_target)"; \
echo "Building kata-deploy binary for ${rust_target}..." && \
RUSTFLAGS="-D warnings" cargo build --release -p kata-deploy --target "${rust_target}" && \
RUSTFLAGS="-D warnings" cargo build --release --target "${rust_target}" && \
mkdir -p /kata-deploy/bin && \
cp "/kata/target/${rust_target}/release/kata-deploy" /kata-deploy/bin/kata-deploy && \
cp "/kata-deploy/target/${rust_target}/release/kata-deploy" /kata-deploy/bin/kata-deploy && \
echo "Cleaning up build artifacts to save disk space..." && \
rm -rf /kata/target && \
rm -rf /kata-deploy/target && \
cargo clean
#### Extract kata artifacts
FROM alpine:3.22 AS artifact-extractor
ARG KATA_ARTIFACTS=tools/packaging/kata-deploy/kata-static.tar.zst
ARG KATA_ARTIFACTS=kata-static.tar.zst
ARG DESTINATION=/opt/kata-artifacts
COPY ${KATA_ARTIFACTS} /tmp/
@@ -237,11 +222,11 @@ COPY --from=runtime-assembler /output/lib/ /lib/
COPY --from=runtime-assembler /output/lib64/ /lib64/
# Copy nydus snapshotter
COPY tools/packaging/kata-deploy/nydus-snapshotter ${DESTINATION}/nydus-snapshotter
COPY nydus-snapshotter ${DESTINATION}/nydus-snapshotter
COPY --from=nydus-binary-downloader /opt/nydus-snapshotter/bin/containerd-nydus-grpc ${DESTINATION}/nydus-snapshotter/
COPY --from=nydus-binary-downloader /opt/nydus-snapshotter/bin/nydus-overlayfs ${DESTINATION}/nydus-snapshotter/
# Copy runtimeclasses and node-feature-rules
COPY tools/packaging/kata-deploy/node-feature-rules ${DESTINATION}/node-feature-rules
COPY node-feature-rules ${DESTINATION}/node-feature-rules
ENTRYPOINT ["/usr/bin/kata-deploy"]
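Review bot: The nydus-snapshotter stage fetches `nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz` with `curl -fOL` and unpacks it straight into the image with no integrity check (true of both sides of the hunk), so the deploy image's content depends on whatever the release URL serves at build time. Add an `ARG NYDUS_SNAPSHOTTER_SHA256=<expected-digest-placeholder>` next to the version and verify before extracting: `echo "${NYDUS_SNAPSHOTTER_SHA256}  nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz" | sha256sum -c -` (per-arch tarballs need one digest per architecture). The comment above the ARG misspells the versions.yaml key as `ndyus-snapshotter.version`, which defeats searching for it. The build stage on this side also no longer runs `cargo fmt --check` and `cargo clippy -- -D warnings`, so formatting and lint regressions in the kata-deploy binary surface only if some other job enforces them.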


@@ -1,38 +1,58 @@
[package]
name = "kata-deploy"
version = "0.1.0"
authors.workspace = true
edition = "2021"
license.workspace = true
rust-version = "1.90.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
license = "Apache-2.0"
[[bin]]
name = "kata-deploy"
path = "src/main.rs"
[dependencies]
anyhow.workspace = true
clap.workspace = true
# Error handling
anyhow = "1.0"
# Logging
log = "0.4"
env_logger = "0.10"
# Command line parsing
clap = { version = "4.5", features = ["derive"] }
# TOML parsing and manipulation
toml_edit = "0.22"
# YAML parsing and manipulation
serde_yaml = "0.9"
# Kubernetes API client
kube = { version = "2.0", features = ["runtime", "derive"] }
k8s-openapi = { version = "0.26", default-features = false, features = [
"v1_33",
] }
kube = { version = "2.0", features = ["runtime", "derive"] }
libc.workspace = true
log.workspace = true
regex.workspace = true
serde_json.workspace = true
serde_yaml = "0.9"
tokio = { workspace = true, features = [
# System operations (using nsenter command instead of syscalls)
libc = "0.2"
# JSON serialization
serde_json = "1.0"
# File operations
walkdir = "2"
# String manipulation
regex = "1.10"
# Async runtime (required by kube-rs and for async main)
tokio = { version = "1.38", features = [
"rt-multi-thread",
"macros",
"signal",
"time",
] }
toml_edit = "0.22"
walkdir = "2"
[dev-dependencies]
rstest.workspace = true
serial_test.workspace = true
tempfile.workspace = true
tempfile = "3.8"
rstest = "0.18"


@@ -76,12 +76,8 @@ pub async fn install_artifacts(config: &Config, container_runtime: &str) -> Resu
// Create the installation directory if it doesn't exist
// fs::create_dir_all handles existing directories gracefully (returns Ok if already exists)
fs::create_dir_all(&config.host_install_dir).with_context(|| {
format!(
"Failed to create installation directory: {}",
config.host_install_dir
)
})?;
fs::create_dir_all(&config.host_install_dir)
.with_context(|| format!("Failed to create installation directory: {}", config.host_install_dir))?;
// Verify the path exists and is a directory (not a file)
let install_path = Path::new(&config.host_install_dir);
@@ -186,11 +182,7 @@ fn write_common_drop_ins(
let kernel_params_content = generate_kernel_params_drop_in(config, shim)?;
if !kernel_params_content.is_empty() {
info!(" - Kernel parameters: configured");
write_drop_in_file(
config_d_dir,
"30-kernel-params.toml",
&kernel_params_content,
)?;
write_drop_in_file(config_d_dir, "30-kernel-params.toml", &kernel_params_content)?;
}
Ok(())
@@ -247,12 +239,7 @@ fn install_custom_runtime_configs(config: &Config, container_runtime: &str) -> R
}
// Generate the common drop-in files (shared with standard runtimes)
write_common_drop_ins(
config,
&runtime.base_config,
&config_d_dir,
container_runtime,
)?;
write_common_drop_ins(config, &runtime.base_config, &config_d_dir, container_runtime)?;
// Copy user-provided drop-in file if provided (at 50-overrides.toml)
if let Some(ref drop_in_src) = runtime.drop_in_file {
@@ -341,10 +328,10 @@ fn copy_artifacts(src: &str, dst: &str) -> Result<()> {
if let Ok(rel) = link_target.strip_prefix(src_path) {
Path::new(dst).join(rel)
} else {
link_target
link_target.into()
}
} else {
link_target
link_target.into()
};
if let Some(parent) = dst_path.parent() {
@@ -355,12 +342,8 @@ fn copy_artifacts(src: &str, dst: &str) -> Result<()> {
Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
Err(e) => return Err(e.into()),
}
std::os::unix::fs::symlink(&new_target, &dst_path).with_context(|| {
format!(
"Failed to create symlink {:?} -> {:?}",
dst_path, new_target
)
})?;
std::os::unix::fs::symlink(&new_target, &dst_path)
.with_context(|| format!("Failed to create symlink {:?} -> {:?}", dst_path, new_target))?;
} else {
if let Some(parent) = dst_path.parent() {
fs::create_dir_all(parent)?;
@@ -385,7 +368,7 @@ fn copy_artifacts(src: &str, dst: &str) -> Result<()> {
}
fn set_executable_permissions(dir: &str) -> Result<()> {
let bin_paths = ["bin", "runtime-rs/bin"];
let bin_paths = vec!["bin", "runtime-rs/bin"];
for bin_path in bin_paths.iter() {
let bin_dir = Path::new(dir).join(bin_path);
@@ -440,46 +423,14 @@ fn add_kata_deploy_warning(config_file: &Path) -> Result<()> {
Ok(())
}
/// Atomically replace a file with a symlink.
///
/// Creates the symlink at a temporary path first, then renames it over the
/// original so the original is preserved if symlink creation fails.
fn atomic_symlink_replace(file_path: &str, symlink_target: &str) -> Result<()> {
let temp_symlink = format!("{}.tmp-link", file_path);
// Clean up any stale temp symlink from a previous interrupted run
if Path::new(&temp_symlink).exists() || Path::new(&temp_symlink).is_symlink() {
let _ = fs::remove_file(&temp_symlink);
}
std::os::unix::fs::symlink(symlink_target, &temp_symlink).with_context(|| {
format!(
"Failed to create temporary symlink {} -> {}",
temp_symlink, symlink_target
)
})?;
fs::rename(&temp_symlink, file_path).map_err(|err| {
let _ = fs::remove_file(&temp_symlink);
anyhow::anyhow!(
"Failed to atomically replace {} with symlink to {}: {}",
file_path,
symlink_target,
err
)
})?;
Ok(())
}
/// Set up the runtime directory structure for a shim.
/// Creates: {config_path}/runtimes/{shim}/
/// {config_path}/runtimes/{shim}/config.d/
/// {config_path}/runtimes/{shim}/configuration-{shim}.toml (copy of original)
///
/// After copying, the original config file is replaced with a symlink pointing
/// to the runtime copy. This way the runtime's ResolvePath / EvalSymlinks resolves
/// the symlink and finds config.d next to the real file in the per-shim directory.
/// Note: We copy the config file instead of symlinking because kata-containers'
/// ResolvePath uses filepath.EvalSymlinks, which would resolve to the original
/// location and look for config.d there instead of in our per-shim directory.
fn setup_runtime_directory(config: &Config, shim: &str) -> Result<()> {
let original_config_dir = format!(
"/host{}",
@@ -498,9 +449,9 @@ fn setup_runtime_directory(config: &Config, shim: &str) -> Result<()> {
fs::create_dir_all(&config_d_dir)
.with_context(|| format!("Failed to create config.d directory: {}", config_d_dir))?;
let config_filename = format!("configuration-{}.toml", shim);
let original_config_file = format!("{}/{}", original_config_dir, config_filename);
let dest_config_file = format!("{}/{}", runtime_config_dir, config_filename);
// Copy the original config file to the runtime directory
let original_config_file = format!("{}/configuration-{}.toml", original_config_dir, shim);
let dest_config_file = format!("{}/configuration-{}.toml", runtime_config_dir, shim);
// Only copy if original exists
if Path::new(&original_config_file).exists() {
@@ -508,63 +459,33 @@ fn setup_runtime_directory(config: &Config, shim: &str) -> Result<()> {
// fs::copy follows symlinks and would write to the wrong location
let dest_path = Path::new(&dest_config_file);
if dest_path.exists() || dest_path.is_symlink() {
fs::remove_file(&dest_config_file).with_context(|| {
format!("Failed to remove existing config: {}", dest_config_file)
})?;
fs::remove_file(&dest_config_file)
.with_context(|| format!("Failed to remove existing config: {}", dest_config_file))?;
}
// Copy the base config file to the runtime directory
fs::copy(&original_config_file, &dest_config_file).with_context(|| {
format!(
"Failed to copy config: {} -> {}",
original_config_file, dest_config_file
)
})?;
// Copy the base config file
fs::copy(&original_config_file, &dest_config_file)
.with_context(|| format!("Failed to copy config: {} -> {}", original_config_file, dest_config_file))?;
// Add warning comment to inform users about drop-in files
add_kata_deploy_warning(Path::new(&dest_config_file))?;
info!(" Copied base config: {}", dest_config_file);
let symlink_target = format!("runtimes/{}/{}", shim, config_filename);
atomic_symlink_replace(&original_config_file, &symlink_target)?;
info!(
" Symlinked original config: {} -> {}",
original_config_file, symlink_target
);
}
Ok(())
}
/// Remove the runtime directory for a shim during cleanup.
/// Also removes the symlink at the original config location that was created
/// by setup_runtime_directory.
/// Remove the runtime directory for a shim during cleanup
fn remove_runtime_directory(config: &Config, shim: &str) -> Result<()> {
// Remove the symlink at the original config location (if present)
let original_config_dir = format!(
"/host{}",
utils::get_kata_containers_original_config_path(shim, &config.dest_dir)
);
let original_config_file = format!("{}/configuration-{}.toml", original_config_dir, shim);
let original_path = Path::new(&original_config_file);
if original_path.is_symlink() {
fs::remove_file(&original_config_file).with_context(|| {
format!("Failed to remove config symlink: {}", original_config_file)
})?;
log::debug!("Removed config symlink: {}", original_config_file);
}
let runtime_config_dir = format!(
"/host{}",
utils::get_kata_containers_config_path(shim, &config.dest_dir)
);
if Path::new(&runtime_config_dir).exists() {
fs::remove_dir_all(&runtime_config_dir).with_context(|| {
format!("Failed to remove runtime directory: {}", runtime_config_dir)
})?;
fs::remove_dir_all(&runtime_config_dir)
.with_context(|| format!("Failed to remove runtime directory: {}", runtime_config_dir))?;
log::debug!("Removed runtime directory: {}", runtime_config_dir);
}
@@ -584,7 +505,7 @@ fn remove_runtime_directory(config: &Config, shim: &str) -> Result<()> {
}
async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &str) -> Result<()> {
// Set up the runtime directory: copy config to per-shim dir and replace original with symlink
// Set up the runtime directory structure with symlink to original config
setup_runtime_directory(config, shim)?;
let runtime_config_dir = format!(
@@ -593,14 +514,13 @@ async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &
);
let config_d_dir = format!("{}/config.d", runtime_config_dir);
let kata_config_file =
Path::new(&runtime_config_dir).join(format!("configuration-{shim}.toml"));
let kata_config_file = Path::new(&runtime_config_dir).join(format!("configuration-{shim}.toml"));
// The configuration file should exist after setup_runtime_directory()
// The configuration file (symlink) should exist after setup_runtime_directory()
if !kata_config_file.exists() {
return Err(anyhow::anyhow!(
"Configuration file not found: {kata_config_file:?}. This file should have been \
copied from the original config. Check that the shim '{}' has a valid configuration \
symlinked from the original config. Check that the shim '{}' has a valid configuration \
file in the artifacts.",
shim
));
@@ -625,8 +545,8 @@ async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &
/// Reads the current value (defaulting to "false" if not found), and if it's not "true",
/// logs the update and sets it to "true".
fn set_toml_bool_to_true(config_file: &Path, path: &str) -> Result<()> {
let current_value =
toml_utils::get_toml_value(config_file, path).unwrap_or_else(|_| "false".to_string());
let current_value = toml_utils::get_toml_value(config_file, path)
.unwrap_or_else(|_| "false".to_string());
if current_value != "true" {
log::debug!(
"Updating {} in {}: old=\"{}\" new=\"true\"",
@@ -716,9 +636,8 @@ fn get_hypervisor_path(config: &Config, shim: &str) -> Result<String> {
if is_qemu_shim(shim) {
// For QEMU shims, use the wrapper script that adds firmware paths
// create_qemu_wrapper_script always returns Some for QEMU shims
create_qemu_wrapper_script(config, shim)?.ok_or_else(|| {
anyhow::anyhow!("QEMU wrapper script should always be created for QEMU shims")
})
create_qemu_wrapper_script(config, shim)?
.ok_or_else(|| anyhow::anyhow!("QEMU wrapper script should always be created for QEMU shims"))
} else {
// For non-QEMU shims, use the appropriate hypervisor binary
let binary = match shim {
@@ -754,41 +673,20 @@ fn generate_installation_prefix_drop_in(config: &Config, shim: &str) -> Result<S
}
// Common paths for all hypervisors
content.push_str(&format!(
"kernel = \"{}/share/kata-containers/vmlinux.container\"\n",
config.dest_dir
));
content.push_str(&format!(
"image = \"{}/share/kata-containers/kata-containers.img\"\n",
config.dest_dir
));
content.push_str(&format!(
"initrd = \"{}/share/kata-containers/kata-containers-initrd.img\"\n",
config.dest_dir
));
content.push_str(&format!("kernel = \"{}/share/kata-containers/vmlinux.container\"\n", config.dest_dir));
content.push_str(&format!("image = \"{}/share/kata-containers/kata-containers.img\"\n", config.dest_dir));
content.push_str(&format!("initrd = \"{}/share/kata-containers/kata-containers-initrd.img\"\n", config.dest_dir));
// QEMU-specific paths (firmware is only relevant for QEMU)
if is_qemu_shim(shim) {
content.push_str(&format!(
"firmware = \"{}/share/kata-containers/firmware/\"\n",
config.dest_dir
));
content.push_str(&format!(
"firmware_volume = \"{}/share/kata-containers/firmware/\"\n",
config.dest_dir
));
content.push_str(&format!("firmware = \"{}/share/kata-containers/firmware/\"\n", config.dest_dir));
content.push_str(&format!("firmware_volume = \"{}/share/kata-containers/firmware/\"\n", config.dest_dir));
}
// Firecracker-specific paths (jailer is only for Firecracker)
if shim == "fc" || shim == "firecracker" {
content.push_str(&format!(
"jailer_path = \"{}/bin/jailer\"\n",
config.dest_dir
));
content.push_str(&format!(
"valid_jailer_paths = [\"{}/bin/jailer\"]\n",
config.dest_dir
));
content.push_str(&format!("jailer_path = \"{}/bin/jailer\"\n", config.dest_dir));
content.push_str(&format!("valid_jailer_paths = [\"{}/bin/jailer\"]\n", config.dest_dir));
}
Ok(content)
@@ -840,14 +738,16 @@ fn get_proxy_value_for_shim(proxy_var: &Option<String>, shim: &str) -> Option<St
match proxy_var {
Some(proxy) if !proxy.is_empty() && proxy.contains('=') => {
// Per-shim format: "qemu-tdx=http://proxy:8080;qemu-snp=http://proxy2:8080"
proxy.split(';').find_map(|m| {
let parts: Vec<&str> = m.splitn(2, '=').collect();
if parts.len() == 2 && parts[0] == shim {
Some(parts[1].to_string())
} else {
None
}
})
proxy
.split(';')
.find_map(|m| {
let parts: Vec<&str> = m.splitn(2, '=').collect();
if parts.len() == 2 && parts[0] == shim {
Some(parts[1].to_string())
} else {
None
}
})
}
Some(proxy) if !proxy.is_empty() => Some(proxy.clone()),
_ => None,
@@ -870,8 +770,8 @@ fn read_base_kernel_params(config: &Config, shim: &str) -> Result<String> {
}
let kernel_params_path = format!("hypervisor.{}.kernel_params", hypervisor_name);
let base_params =
toml_utils::get_toml_value(config_path, &kernel_params_path).unwrap_or_default();
let base_params = toml_utils::get_toml_value(config_path, &kernel_params_path)
.unwrap_or_default();
// Remove surrounding quotes if present
Ok(base_params.trim_matches('"').to_string())
@@ -1201,140 +1101,4 @@ mod tests {
);
}
#[test]
fn test_atomic_symlink_replace_creates_symlink() {
let tmpdir = tempfile::tempdir().unwrap();
// Create the original file and the target it will point to
let target_dir = tmpdir.path().join("runtimes/qemu");
fs::create_dir_all(&target_dir).unwrap();
let target_file = target_dir.join("configuration-qemu.toml");
fs::write(&target_file, "real config content").unwrap();
let original = tmpdir.path().join("configuration-qemu.toml");
fs::write(&original, "original content").unwrap();
let symlink_target = "runtimes/qemu/configuration-qemu.toml";
atomic_symlink_replace(original.to_str().unwrap(), symlink_target).unwrap();
assert!(original.is_symlink(), "original should now be a symlink");
assert_eq!(
fs::read_link(&original).unwrap().to_str().unwrap(),
symlink_target
);
assert_eq!(
fs::read_to_string(&original).unwrap(),
"real config content",
"reading through the symlink should yield the target's content"
);
}
#[test]
fn test_atomic_symlink_replace_is_idempotent() {
let tmpdir = tempfile::tempdir().unwrap();
let target_dir = tmpdir.path().join("runtimes/qemu");
fs::create_dir_all(&target_dir).unwrap();
let target_file = target_dir.join("configuration-qemu.toml");
fs::write(&target_file, "config content").unwrap();
let original = tmpdir.path().join("configuration-qemu.toml");
fs::write(&original, "original").unwrap();
let symlink_target = "runtimes/qemu/configuration-qemu.toml";
// First call
atomic_symlink_replace(original.to_str().unwrap(), symlink_target).unwrap();
assert!(original.is_symlink());
// Second call (e.g. re-install) should succeed and still be a valid symlink
atomic_symlink_replace(original.to_str().unwrap(), symlink_target).unwrap();
assert!(original.is_symlink());
assert_eq!(
fs::read_link(&original).unwrap().to_str().unwrap(),
symlink_target
);
}
#[test]
fn test_atomic_symlink_replace_cleans_stale_temp() {
let tmpdir = tempfile::tempdir().unwrap();
let original = tmpdir.path().join("configuration-qemu.toml");
fs::write(&original, "original").unwrap();
// Simulate a stale temp symlink from an interrupted previous run
let stale_temp = tmpdir.path().join("configuration-qemu.toml.tmp-link");
std::os::unix::fs::symlink("stale-target", &stale_temp).unwrap();
assert!(stale_temp.is_symlink());
let target_dir = tmpdir.path().join("runtimes/qemu");
fs::create_dir_all(&target_dir).unwrap();
fs::write(target_dir.join("configuration-qemu.toml"), "content").unwrap();
let symlink_target = "runtimes/qemu/configuration-qemu.toml";
atomic_symlink_replace(original.to_str().unwrap(), symlink_target).unwrap();
assert!(original.is_symlink());
assert_eq!(
fs::read_link(&original).unwrap().to_str().unwrap(),
symlink_target
);
// Temp file should not linger
assert!(!stale_temp.exists() && !stale_temp.is_symlink());
}
#[test]
fn test_setup_and_remove_runtime_directory_symlink() {
let tmpdir = tempfile::tempdir().unwrap();
// Simulate the directory layout that setup_runtime_directory expects
// (after copy_artifacts has run), using a Go shim as example.
let defaults_dir = tmpdir.path().join("share/defaults/kata-containers");
fs::create_dir_all(&defaults_dir).unwrap();
let config_filename = "configuration-qemu.toml";
let original_config = defaults_dir.join(config_filename);
fs::write(
&original_config,
"[hypervisor.qemu]\npath = \"/usr/bin/qemu\"",
)
.unwrap();
// Create the runtime directory and copy the config (mimics setup_runtime_directory)
let runtime_dir = defaults_dir.join("runtimes/qemu");
let config_d_dir = runtime_dir.join("config.d");
fs::create_dir_all(&config_d_dir).unwrap();
let dest_config = runtime_dir.join(config_filename);
fs::copy(&original_config, &dest_config).unwrap();
// Atomically replace the original with a symlink
let symlink_target = format!("runtimes/qemu/{}", config_filename);
atomic_symlink_replace(original_config.to_str().unwrap(), &symlink_target).unwrap();
// Verify: original is now a symlink
assert!(original_config.is_symlink());
assert_eq!(
fs::read_link(&original_config).unwrap().to_str().unwrap(),
symlink_target
);
// Verify: reading through the symlink yields the real file content
assert_eq!(
fs::read_to_string(&original_config).unwrap(),
fs::read_to_string(&dest_config).unwrap()
);
// Verify: config.d is next to the real file (the resolved path)
assert!(dest_config.parent().unwrap().join("config.d").is_dir());
// Simulate remove_runtime_directory: remove symlink then runtime dir
assert!(original_config.is_symlink());
fs::remove_file(&original_config).unwrap();
assert!(!original_config.exists() && !original_config.is_symlink());
fs::remove_dir_all(&runtime_dir).unwrap();
assert!(!runtime_dir.exists());
}
}
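Review bot: The comments on this side of the diff still describe a symlink that the code no longer creates: setup_runtime_directory only does `fs::copy` into the per-shim directory (its own note says "We copy the config file instead of symlinking"), yet configure_shim_config keeps `// Set up the runtime directory structure with symlink to original config`, `// The configuration file (symlink) should exist after setup_runtime_directory()` and the error text `symlinked from the original config`, which will send the next reader looking for a link that does not exist. Suggest `// Set up the runtime directory: copy the base config into the per-shim dir`, `// The configuration file (a copy of the original) should exist after setup_runtime_directory()` and `copied from the original config.` in the error message. Separately, and hedged because it depends on what ran on the node before: if an earlier deploy had already replaced the original config with a relative symlink into `runtimes/{shim}/`, this version first removes the per-shim copy and then `fs::copy` reads the original through a now-dangling link and fails, and remove_runtime_directory no longer cleans that link up; an `is_symlink()` check on the original before the copy (or at least a comment stating that a pre-existing symlink is not supported) would make that upgrade path explicit. remove_runtime_directory continues past the hunk.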


@@ -91,8 +91,7 @@ pub async fn configure_snapshotter(
Some(id) => id.as_str(),
None => containerd::get_containerd_pluginid(&paths.config_file)?,
};
let pluginid =
containerd::pluginid_for_snapshotter_annotations(runtime_plugin_id, &paths.config_file)?;
let pluginid = containerd::pluginid_for_snapshotter_annotations(runtime_plugin_id, &paths.config_file)?;
let configuration_file: std::path::PathBuf = if paths.use_drop_in {
// Only add /host prefix if path is not in /etc/containerd (which is mounted from host)


@@ -189,11 +189,14 @@ impl Config {
let default_shim_for_arch = get_arch_var("DEFAULT_SHIM", "qemu", &arch);
// Only use arch-specific variable for allowed hypervisor annotations
let allowed_hypervisor_annotations_for_arch =
get_arch_var("ALLOWED_HYPERVISOR_ANNOTATIONS", "", &arch)
.split_whitespace()
.map(|s| s.to_string())
.collect();
let allowed_hypervisor_annotations_for_arch = get_arch_var(
"ALLOWED_HYPERVISOR_ANNOTATIONS",
"",
&arch,
)
.split_whitespace()
.map(|s| s.to_string())
.collect();
// Only use arch-specific variable for snapshotter handler mapping
let snapshotter_handler_mapping_for_arch =
@@ -205,9 +208,7 @@ impl Config {
let pull_type_mapping_for_arch = get_arch_var_or_base("PULL_TYPE_MAPPING", &arch);
let installation_prefix = env::var("INSTALLATION_PREFIX")
.ok()
.filter(|s| !s.is_empty());
let installation_prefix = env::var("INSTALLATION_PREFIX").ok().filter(|s| !s.is_empty());
let dest_dir = match installation_prefix {
Some(ref prefix) => {
if !prefix.starts_with('/') {
@@ -257,12 +258,15 @@ impl Config {
.map(|s| s.split(',').map(|s| s.trim().to_string()).collect());
// Only use arch-specific variable for experimental force guest pull
let experimental_force_guest_pull_for_arch =
get_arch_var("EXPERIMENTAL_FORCE_GUEST_PULL", "", &arch)
.split(',')
.filter(|s| !s.is_empty())
.map(|s| s.trim().to_string())
.collect();
let experimental_force_guest_pull_for_arch = get_arch_var(
"EXPERIMENTAL_FORCE_GUEST_PULL",
"",
&arch,
)
.split(',')
.filter(|s| !s.is_empty())
.map(|s| s.trim().to_string())
.collect();
// Parse custom runtimes from ConfigMap
let custom_runtimes_enabled =
@@ -527,8 +531,7 @@ impl Config {
use crate::runtime::manager;
// Check if drop-in files can be used based on containerd version
let use_drop_in =
manager::is_containerd_capable_of_using_drop_in_files(self, runtime).await?;
let use_drop_in = manager::is_containerd_capable_of_using_drop_in_files(self, runtime).await?;
let paths = match runtime {
"k0s-worker" | "k0s-controller" => ContainerdPaths {
@@ -553,10 +556,12 @@ impl Config {
// versioned drop-in dir (config.toml.d or config-v3.toml.d). If the import is
// missing we bail; the cluster must configure the template with the import
// (e.g. in tests or via a custom k3s/RKE2 setup). Refs: docs.k3s.io/advanced#configuring-containerd
let container_runtime_version =
k8s::get_node_field(self, ".status.nodeInfo.containerRuntimeVersion")
.await
.ok();
let container_runtime_version = k8s::get_node_field(
self,
".status.nodeInfo.containerRuntimeVersion",
)
.await
.ok();
let use_v3 = k3s_rke2_resolve_use_v3(
&self.containerd_conf_file,
container_runtime_version.as_deref(),
@@ -752,15 +757,18 @@ fn get_arch_var_or_base(base_name: &str, arch: &str) -> Option<String> {
mod tests {
//! Tests for configuration parsing and validation.
//!
//! Tests that touch environment variables use `serial_test::serial` so they do not run
//! in parallel within this process. For extra isolation you can still use
//! `cargo test -p kata-deploy config::tests -- --test-threads=1`.
//! IMPORTANT: All tests in this crate MUST be run serially (--test-threads=1)
//! because they manipulate shared environment variables. Running tests in parallel
//! will cause race conditions and test failures.
//!
//! Use: cargo test --bin kata-deploy -- --test-threads=1
use super::*;
use rstest::rstest;
use serial_test::serial;
// NOTE: Env-var tests use #[serial] (see above) for safe parallel execution with other modules.
// NOTE: These tests modify environment variables which are process-global.
// Run with: cargo test config::tests -- --test-threads=1
// to ensure proper test isolation.
/// Helper to clean up common environment variables used in tests
fn cleanup_env_vars() {
@@ -859,7 +867,6 @@ mod tests {
);
}
#[serial]
#[test]
fn test_get_arch() {
let arch = get_arch().unwrap();
@@ -867,7 +874,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_get_arch_var() {
std::env::set_var("SHIMS_X86_64", "test1 test2");
@@ -881,30 +887,24 @@ mod tests {
#[rstest]
#[case(false, "config.toml.d")]
#[case(true, "config-v3.toml.d")]
#[serial]
fn test_k3s_rke2_drop_in_dir_name(#[case] use_v3: bool, #[case] expected: &str) {
assert_eq!(k3s_rke2_drop_in_dir_name(use_v3), expected);
}
#[serial]
#[test]
fn test_k3s_rke2_rendered_config_path() {
assert_eq!(
k3s_rke2_rendered_config_path(),
"/etc/containerd/config.toml"
);
assert_eq!(k3s_rke2_rendered_config_path(), "/etc/containerd/config.toml");
}
#[rstest]
#[case(
"imports = [\"/var/lib/rancher/k3s/agent/etc/containerd/config.toml.d/*.toml\"]\n",
false,
true
true,
)]
#[case("version = 2\n", false, false)]
#[case("imports = [\"/path/config-v3.toml.d/*.toml\"]", true, true)]
#[case("imports = [\"/path/config.toml.d/*.toml\"]", true, false)]
#[serial]
fn test_k3s_rke2_rendered_has_import(
#[case] content: &str,
#[case] use_v3: bool,
@@ -913,7 +913,6 @@ mod tests {
assert_eq!(k3s_rke2_rendered_has_import(content, use_v3), expected);
}
#[serial]
#[test]
fn test_multi_install_suffix_not_set() {
setup_minimal_env();
@@ -930,7 +929,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_multi_install_suffix_with_value() {
setup_minimal_env();
@@ -952,7 +950,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_multi_install_suffix_different_values() {
let suffixes = ["staging", "prod", "v2", "test123"];
@@ -973,7 +970,6 @@ mod tests {
}
}
#[serial]
#[test]
fn test_multi_install_prefix_and_suffix() {
setup_minimal_env();
@@ -992,7 +988,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_empty_shims_no_custom_runtimes() {
setup_minimal_env();
@@ -1018,7 +1013,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_default_shim_not_in_shims() {
setup_minimal_env();
@@ -1031,7 +1025,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_hypervisor_annotation_invalid_shim() {
setup_minimal_env();
@@ -1048,7 +1041,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_agent_https_proxy_invalid_shim() {
setup_minimal_env();
@@ -1065,7 +1057,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_snapshotter_mapping_invalid_shim() {
setup_minimal_env();
@@ -1076,7 +1067,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_pull_type_mapping_invalid_shim() {
setup_minimal_env();
@@ -1087,7 +1077,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_force_guest_pull_invalid_shim() {
setup_minimal_env();
@@ -1098,7 +1087,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_validate_success() {
setup_minimal_env();
@@ -1118,7 +1106,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_missing_node_name_fails() {
cleanup_env_vars();
@@ -1129,7 +1116,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_empty_node_name_fails() {
setup_minimal_env();
@@ -1139,7 +1125,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_empty_default_shim_fails() {
setup_minimal_env();
@@ -1152,7 +1137,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_whitespace_only_default_shim_fails() {
setup_minimal_env();
@@ -1163,7 +1147,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_whitespace_only_shims_fails() {
setup_minimal_env();
@@ -1173,7 +1156,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_agent_no_proxy_invalid_shim() {
setup_minimal_env();
@@ -1184,7 +1166,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_multi_install_suffix_empty_treated_as_none() {
setup_minimal_env();
@@ -1196,7 +1177,6 @@ mod tests {
cleanup_env_vars();
}
#[serial]
#[test]
fn test_arch_specific_all_variables() {
// Test ALL architecture-specific variables work without base variables
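Review bot: With the `#[serial]` attributes and `use serial_test::serial;` removed, nothing in the code stops the env-var tests (`setup_minimal_env()`/`cleanup_env_vars()`, `std::env::set_var("SHIMS_X86_64", ...)` in test_get_arch_var) from racing under a plain `cargo test`; the module doc now only asks the operator to pass `--test-threads=1`, which a contributor or CI job can forget and then see order-dependent failures. A dependency-free way to keep the guarantee in code is a process-wide lock: `static ENV_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());` in the tests module and `let _guard = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());` as the first line of each test that touches the environment (the `into_inner` keeps one failing test from poisoning the lock for the rest). The pure-function tests (`test_k3s_rke2_drop_in_dir_name`, `test_k3s_rke2_rendered_config_path`, `test_k3s_rke2_rendered_has_import`) read no environment and need no guard, so the earlier `#[serial]` on them was never required. The tests module continues past this hunk.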


@@ -69,10 +69,7 @@ async fn main() -> Result<()> {
let mut sigterm = match signal(SignalKind::terminate()) {
Ok(s) => s,
Err(e) => {
log::warn!(
"Failed to register SIGTERM handler: {}, sleeping forever",
e
);
log::warn!("Failed to register SIGTERM handler: {}, sleeping forever", e);
std::future::pending::<()>().await;
return Ok(());
}
@@ -177,30 +174,36 @@ async fn install(config: &config::Config, runtime: &str) -> Result<()> {
}
// Validate snapshotter if needed
if let Some(snapshotter) = config.experimental_setup_snapshotter.as_ref() {
let non_empty_snapshotters: Vec<_> = snapshotter.iter().filter(|s| !s.is_empty()).collect();
match config.experimental_setup_snapshotter.as_ref() {
Some(snapshotter) => {
let non_empty_snapshotters: Vec<_> =
snapshotter.iter().filter(|s| !s.is_empty()).collect();
if !non_empty_snapshotters.is_empty() {
if runtime == "crio" {
log::warn!("EXPERIMENTAL_SETUP_SNAPSHOTTER is being ignored!");
log::warn!("Snapshotter is a containerd specific option.");
} else {
for s in &non_empty_snapshotters {
match s.as_str() {
"erofs" => {
runtime::containerd::containerd_erofs_snapshotter_version_check(config)
if !non_empty_snapshotters.is_empty() {
if runtime == "crio" {
log::warn!("EXPERIMENTAL_SETUP_SNAPSHOTTER is being ignored!");
log::warn!("Snapshotter is a containerd specific option.");
} else {
for s in &non_empty_snapshotters {
match s.as_str() {
"erofs" => {
runtime::containerd::containerd_erofs_snapshotter_version_check(
config,
)
.await?;
}
"nydus" => {}
_ => {
return Err(anyhow::anyhow!(
"{s} is not a supported snapshotter by kata-deploy"
));
}
"nydus" => {}
_ => {
return Err(anyhow::anyhow!(
"{s} is not a supported snapshotter by kata-deploy"
));
}
}
}
}
}
}
None => {}
}
runtime::containerd::setup_containerd_config_files(runtime, config).await?;
@@ -209,14 +212,15 @@ async fn install(config: &config::Config, runtime: &str) -> Result<()> {
runtime::configure_cri_runtime(config, runtime).await?;
if runtime != "crio" {
if let Some(snapshotters) = config.experimental_setup_snapshotter.as_ref() {
match config.experimental_setup_snapshotter.as_ref() {
Some(snapshotters) => {
for snapshotter in snapshotters {
artifacts::snapshotters::install_snapshotter(snapshotter, config).await?;
artifacts::snapshotters::configure_snapshotter(snapshotter, runtime, config)
.await?;
}
}
None => {}
}
info!("About to restart runtime: {}", runtime);
@@ -255,21 +259,17 @@ async fn cleanup(config: &config::Config, runtime: &str) -> Result<()> {
config.daemonset_name
);
if runtime != "crio" {
match config.experimental_setup_snapshotter.as_ref() {
Some(snapshotters) => {
for snapshotter in snapshotters {
info!("Uninstalling snapshotter: {}", snapshotter);
artifacts::snapshotters::uninstall_snapshotter(snapshotter, config).await?;
info!("Successfully uninstalled snapshotter: {}", snapshotter);
}
}
None => {
info!("No experimental snapshotters to uninstall");
match config.experimental_setup_snapshotter.as_ref() {
Some(snapshotters) => {
for snapshotter in snapshotters {
info!("Uninstalling snapshotter: {}", snapshotter);
artifacts::snapshotters::uninstall_snapshotter(snapshotter, config).await?;
info!("Successfully uninstalled snapshotter: {}", snapshotter);
}
}
} else {
info!("Skipping snapshotter uninstall on CRI-O (containerd-specific feature)");
None => {
info!("No experimental snapshotters to uninstall");
}
}
info!("Cleaning up CRI runtime configuration");
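Review bot: cleanup() now runs the snapshotter uninstall loop unconditionally, while install() only installs and configures snapshotters under `if runtime != "crio"` and its validation block explicitly warns that EXPERIMENTAL_SETUP_SNAPSHOTTER is ignored on CRI-O; as far as this rendered hunk shows, the `if runtime != "crio" { ... } else { info!("Skipping snapshotter uninstall on CRI-O ...") }` guard exists only on the other side, so on a CRI-O node with that variable set cleanup calls uninstall_snapshotter for something that was never installed, and any error there aborts the rest of the cleanup. Keep the two paths symmetric: wrap the `match` in `if runtime != "crio" { ... } else { info!("Skipping snapshotter uninstall on CRI-O (containerd-specific feature)"); }`, or make uninstall_snapshotter a documented no-op for CRI-O. On style, both new `match ... { Some(x) => { ... } None => {} }` blocks are what clippy's single_match flags; `if let Some(x) = ...` expresses the same thing without the empty arm. cleanup() continues past the hunk.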


@@ -144,7 +144,8 @@ fn write_containerd_runtime_config(
config_file,
&format!(
".plugins.{}.runtime_platforms.\"{}\".snapshotter",
CONTAINERD_CRI_IMAGES_PLUGIN_ID, params.runtime_name
CONTAINERD_CRI_IMAGES_PLUGIN_ID,
params.runtime_name
),
snapshotter,
)?;
@@ -279,7 +280,9 @@ pub async fn configure_custom_containerd_runtime(
),
config_path: format!(
"\"{}/share/defaults/kata-containers/custom-runtimes/{}/configuration-{}.toml\"",
config.dest_dir, custom_runtime.handler, custom_runtime.base_config
config.dest_dir,
custom_runtime.handler,
custom_runtime.base_config
),
pod_annotations,
snapshotter,
@@ -336,7 +339,11 @@ pub async fn configure_containerd(config: &Config, runtime: &str) -> Result<()>
let imports_path = ".imports";
let drop_in_path = format!("\"{}\"", paths.drop_in_file);
toml_utils::append_to_toml_array(Path::new(imports_file), imports_path, &drop_in_path)?;
toml_utils::append_to_toml_array(
Path::new(imports_file),
imports_path,
&drop_in_path,
)?;
log::info!("Successfully added drop-in to imports array");
} else {
log::info!("Runtime auto-loads drop-in files, skipping imports");
@@ -362,7 +369,10 @@ pub async fn configure_containerd(config: &Config, runtime: &str) -> Result<()>
config.custom_runtimes.len()
);
for custom_runtime in &config.custom_runtimes {
log::info!("Configuring custom runtime: {}", custom_runtime.handler);
log::info!(
"Configuring custom runtime: {}",
custom_runtime.handler
);
configure_custom_containerd_runtime(config, runtime, custom_runtime).await?;
log::info!(
"Successfully configured custom runtime: {}",
@@ -426,14 +436,12 @@ pub async fn setup_containerd_config_files(runtime: &str, config: &Config) -> Re
Path::new("/host").join(paths.drop_in_file.trim_start_matches('/'))
};
if let Some(parent) = drop_in_path.parent() {
fs::create_dir_all(parent).with_context(|| {
format!("Failed to create K3s/RKE2 drop-in dir: {parent:?}")
})?;
fs::create_dir_all(parent)
.with_context(|| format!("Failed to create K3s/RKE2 drop-in dir: {parent:?}"))?;
}
if !drop_in_path.exists() {
fs::write(&drop_in_path, "").with_context(|| {
format!("Failed to create K3s/RKE2 drop-in file: {drop_in_path:?}")
})?;
fs::write(&drop_in_path, "")
.with_context(|| format!("Failed to create K3s/RKE2 drop-in file: {drop_in_path:?}"))?;
}
}
"k0s-worker" | "k0s-controller" => {
@@ -493,10 +501,7 @@ pub async fn containerd_snapshotter_version_check(config: &Config) -> Result<()>
.map(|s| !s.is_empty())
.unwrap_or(false);
check_containerd_snapshotter_version_support(
&container_runtime_version,
has_snapshotter_mapping,
)
check_containerd_snapshotter_version_support(&container_runtime_version, has_snapshotter_mapping)
}
fn check_containerd_erofs_version_support(container_runtime_version: &str) -> Result<()> {
@@ -604,7 +609,10 @@ mod tests {
use std::path::Path;
use tempfile::NamedTempFile;
fn make_params(runtime_name: &str, snapshotter: Option<&str>) -> ContainerdRuntimeParams {
fn make_params(
runtime_name: &str,
snapshotter: Option<&str>,
) -> ContainerdRuntimeParams {
ContainerdRuntimeParams {
runtime_name: runtime_name.to_string(),
runtime_path: "\"/opt/kata/bin/kata-runtime\"".to_string(),
@@ -665,11 +673,7 @@ mod tests {
/// pluginid_for_snapshotter_annotations maps runtime plugin id to the table where disable_snapshot_annotations lives.
#[rstest]
#[case(
CONTAINERD_V3_RUNTIME_PLUGIN_ID,
CONTAINERD_CRI_IMAGES_PLUGIN_ID,
false
)]
#[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID, CONTAINERD_CRI_IMAGES_PLUGIN_ID, false)]
#[case(CONTAINERD_V2_CRI_PLUGIN_ID, CONTAINERD_CRI_CONTAINERD_TABLE_V2, false)]
#[case(CONTAINERD_LEGACY_CRI_PLUGIN_ID, "", true)]
fn test_pluginid_for_snapshotter_annotations(
@@ -705,7 +709,9 @@ mod tests {
#[rstest]
#[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID)]
#[case(CONTAINERD_V2_CRI_PLUGIN_ID)]
fn test_write_containerd_runtime_config_empty_file_no_leading_newlines(#[case] pluginid: &str) {
fn test_write_containerd_runtime_config_empty_file_no_leading_newlines(
#[case] pluginid: &str,
) {
let file = NamedTempFile::new().unwrap();
let path = file.path();
std::fs::write(path, "").unwrap();
@@ -727,12 +733,7 @@ mod tests {
}
#[rstest]
#[case(
"containerd://1.6.28",
true,
false,
Some("kata-deploy only supports snapshotter configuration with containerd 1.7 or newer")
)]
#[case("containerd://1.6.28", true, false, Some("kata-deploy only supports snapshotter configuration with containerd 1.7 or newer"))]
#[case("containerd://1.6.28", false, true, None)]
#[case("containerd://1.6.0", true, false, None)]
#[case("containerd://1.6.999", true, false, None)]
@@ -749,19 +750,9 @@ mod tests {
) {
let result = check_containerd_snapshotter_version_support(version, has_mapping);
if expect_ok {
assert!(
result.is_ok(),
"expected ok for version={} has_mapping={}",
version,
has_mapping
);
assert!(result.is_ok(), "expected ok for version={} has_mapping={}", version, has_mapping);
} else {
assert!(
result.is_err(),
"expected err for version={} has_mapping={}",
version,
has_mapping
);
assert!(result.is_err(), "expected err for version={} has_mapping={}", version, has_mapping);
if let Some(sub) = expected_error_substring {
assert!(
result.unwrap_err().to_string().contains(sub),

